Brian Redmond's Weblog : Identity Management

Infocard mentioned on Infoworld

btrst4 — Thu, 22 Sep 2005 17:38:00 GMT

We're starting to see this show up more in the press after the PDC.

http://www.infoworld.com/article/05/09/21/HNinfocard_1.html

Excellent Web Cast on the Identity Management Solution Series

btrst4 — Wed, 14 Sep 2005 16:04:00 GMT

The Microsoft Identity and Access Management Solution Series is a set of prescriptive guidance, code samples, and architecture references that guide customers on building real life Identity Management solutions. This web cast will cover the upcoming release on Provisioning and Workflow as well as a roadmap.

I have tested this solution myself and it is quite impressive. It shows SAP provisioning, a group management portal, and a simple workflow app for approving and provisioning contractor accounts. Link to web cast on 9/14 here. I would assume it will be available after 9/14 in a recording.

Abstract:

"As organizations grow, they tend to accumulate multiple systems and standards for storing and using digital identities. These systems can include directory services, human resource databases, financial systems, custom applications, and Web sites. This session focuses on the most recent prescriptive guidance in the Microsoft Identity and Access Management Solution Series (I&AM Solution Series) for Password Management, Self-service Provisioning GUI, and the Administrative Group Management tool. The session will also offer a sneak peak at the roadmap for the I&AM Solution Series and the team's current activities."

http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032279715%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e

Identity Management hurts

btrst4 — Tue, 19 Jul 2005 20:28:00 GMT

Seriously, this stuff is really hard. I work in the Identity Management space and most of my time has focused more on enterprise Idm solutions (things like metadirectories and provisioning). Recently, I have been studying this from a more wholistic internet identity management topic. Much of the discussion has started without me on Blogs like Kim Cameron's Identity Weblog (http://www.identityblog.com).

There are a lot of different aspects to the problem and many of these have been well discussed on Blogs across the internet. Kim Cameron (with the help of the Blogosphere) has created the "Laws of Identity" which help shape the kinds of things we need as a community to solve these problems. This is certainly a head start on the solution.

Why do I say this is hard? Well, I know that this is a technology problem, but the majority of the users are non-techie people. I think about my wife, my kids, my in-laws, and many of my friends who grew up in the internet age. In many cases, people ignore the information put in front of them and click whatever buttons they can to continue the transaction they are working on.

If we put an Infocard in front of them, will they pay attention? will they pick the appropriate identity or just the default (with all the extraneous claims in it)?

If the site they are browsing is a rouge site and the browser warns them, will it matter to them? We have all seen the message about the SSL cert not being trusted. Do you want to continue? Of course I do! Most people do.

If the Metasystem makes things more secure, but 10 times more difficult (for internet commerce), is it really going to work?

How do I use my Infocard when I am not on my personal machine?

The laws of identity talk about this kind of stuff, but solving the problems is still quite hard. It should be fun to watch.

New MS Press Group Policy Book

btrst4 — Wed, 06 Jul 2005 22:11:00 GMT

This book has some great details on Active Directory Group Policies. I can't wait to get a copy myself.

http://www.microsoft.com/MSPress/books/8763.asp

Microsoft and Sun Partnership Progress

btrst4 — Tue, 05 Jul 2005 17:15:00 GMT

This is somewhat old news by now, but I wanted to remind folks about the announcements in this press release. http://www.microsoft.com/presspass/press/2005/may05/05-13MSSunEventPR.mspx

Basically, Microsoft and Sun have really started to show some progress on partnerships that were annouced a year ago. The two items that are most interesting to me are:

1. WS-Federation Interop. Microsoft and Sun are working on interop protocols to allow WS-Federation and Liberty protocols to work together. This will be accomplished by 2 specifications: Web Single Sign-On Metadata Exchange (Web SSO MEX) Protocol and Web Single Sign-On Interoperability Profile (Web SSO Interop Profile).

2. WS-Management. This new specification will allow systems management technologies to communicate cross platform more easily. Today, we can use WMI to gather system data or send system commands to Windows systems. WS-Management will allow similar activities, but to various platforms and hardware technologies without being Windows specific.

Very exciting!

Interesting Performance Monitoring Tool - Download on microsoft.com

btrst4 — Sat, 05 Feb 2005 00:40:00 GMT

I recently found a tool that can help do performance analysis on servers in your environment. This tool gathers the data from the Performance Monitor and does some level of analysis to help diagnose issues. It is especially good at IIS 6.0 and Active Directory.

Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&DisplayLang=en

From the Overview:

Service Performance Advisor is a server performance diagnostic tool developed to diagnose root causes of performance problems in a Microsoft® Windows Server™ 2003 operating system, particularly performance problems for Internet Information Services (IIS) 6.0 and the Active Directory® directory service. Server Performance Advisor measures the performance and use of resources by your computer to report on the parts that are stressed under workload.

MIIS Deprovisioning and using ShouldDeleteFromMV

btrst4 — Tue, 02 Nov 2004 17:23:00 GMT

In general, MIIS solutions have one connected data source that is authoritative for deletes and drives the deprovisioning process. A common MIIS configuration is to set the object deletion rule to delete the MV object when the connector is removed from this authoritative MA. This will cause a MV delete and trigger all other MA's deprovisioning action.

What if you want a MA to be authoritative for deletes, but you also want to use some logic to control the delete? The metaverse rules extension contains a function "ShouldDeleteFromMV" that will allow you to have more control of the object deletion rule. This object has the csentry as a parameter and allows you to look at the csentry or mventry attributes and make a decision on deletion. You do need to also make sure the csentry comes from the above mentioned authoritative MA. Otherwise, your deletes could even be triggered from clearing out some "innocent" connector space. The code below shows a possible implementation of this. Test out your code for this type of function to make sure you have it right.

Code

'If csentry is not coming from my authoritative MA, then I must not delete it (or some other logic could kick in)
If csentry.MA.Name = "Authoritative MA Name" Then
   'Check status attribute that is created by some MA
   If mventry("someStatusAttribute").IntegerValue = 5 Then
      'In my case, I am importing homeMDB into the metaverse and not deleting the value if a mailbox has been created.
      If Not mventry("homeMDB").IsPresent Then
         ShouldDeleteFromMV = True
      Else
         ShouldDeleteFromMV = False
      End If
   End If
Else
   ShouldDeleteFromMV = False
End If

Federation... Schmederation. Can't we all just get along?!?

btrst4 — Thu, 28 Oct 2004 16:04:00 GMT

The eWeek article below talks about Microsoft and the Liberty Alliance. I guess IBM recently decided to join the Liberty Alliance (along with already being a part of designing the ws-federation standards with Microsoft). Interesting article.

http://www.eweek.com/article2/0,1759,1681595,00.asp

This stuff is all very early in the development cycle, but I suspect it will all work itself out eventually. From a customer point of view, one just wants to be able to federate with various other customers and business partners regardless of the solution. In the end, many of the solutions that will support federation will support both ws-federation standards along with Liberty. If the demand is high for this type of solution, it will work out great for the customer. If not, I suspect it will be more difficult.

Consulting from home...

btrst4 — Tue, 26 Oct 2004 16:29:00 GMT

I have posted on this Blog recently about life in MCS. This probably holds true for consulting engagements in general. Setting a comfortable travel schedule is really important when you are on the road all the time. On the other hand, this travel schedule would need to be negotiated with the client. In my case, that negotiation is not done by me, so I have very little to say in that. Once things get rolling and you get acquainted with the client, you can probably figure out a good way to balance this.

Working from home is an interesting idea. On paper it seems to make sense. If you are writing documentation, why would you need to be at the client's location? Depending on your situation, you may get more interuptions at a client site than from little kids at home! For short periods this might work, but in the long run, I believe a big part of consulting is building relationships with the customer. Having face time to discuss the issues and iron out questions can go a long way in building a deeper level of trust. If you are at home all the time, they tend to forget about you and start to stop seeing the value. You could do this here and there, but not all the time.

Information about my current MIIS/Exchange project

btrst4 — Fri, 22 Oct 2004 17:59:00 GMT

My current project is using MIIS to assist with an Exchange Resource Forest. The company has decided to run Exchange in the headquarters and each sub-Company would maintain their own Active Directory for login and security. The Exchange forest has placeholder accounts (mailboxes) that the external accounts have rights to.

MIIS is responsible for two things:

Synchronize the GALs from each sub-company to the central Exchange Resource Forest.
Provision mailboxes when new accounts arrive on the sub-company Active Directories.

It is an interesting project with some intriguing problems.

Access to sub-company AD's: In most cases, the sub-companies do not want to give access to their AD from the central MIIS server. We could certainly refine the access to read-only at certain containers, but there are still firewalls and other political factors that override. In our case, we will likely ask the sub-company to export only the necessary data needed to an ADAM instance that can buffer some of the above issues.

Migration status: Initially, the primary data source for the user data is on the legacy side. Once the users are migrated, my data flow rules need to switch directions for certain attributes. We decided to add a "migration status" field that would be used in our MIIS logic to help customize the attribute flow presedence and direction.

External account IDs/SIDs: In order to permission the mailboxes, we obviously need a trust in place, but we also need the user account and/or the user SID from the sub-company AD. The can prove challenging depending on how you are permissioning. The permission process is also slightly different for a brand spanking new mailbox compared to one that already exists on the store.

Once the migration is over, the whole thing becomes a lot easier. With something this large, it could take a long time....

MIIS does not process deletes when there are import errors

btrst4 — Tue, 19 Oct 2004 22:47:00 GMT

This could be obvious to many, but this recently slowed me down one time when I did not realize it. When you run an import off of file, table, etc., MIIS will not process deletes if there are any import errors. This is by design and makes sense. If MIIS decides to delete records it does not get in the next import run and that particular records was an error, then we might delete something by accident.

In my case, I had 10,000 rows that were no longer in my import file. When I ran the full import, I saw 3 errors (for duplicate anchor) and no deletes. Once we corrected the duplicates, the 10,000 CS deletes were processed and my deprovisioning logic kicked in. I wasted a bunch of time troubleshooting this in the wrong areas before I figured it out.

Have fun deleting!

What it is like to work for MCS...

btrst4 — Sat, 16 Oct 2004 23:41:00 GMT

I got a question asking what it is like to work for Microsoft Consulting Services. This may very well be one of my friends messing with me, but regardless, I thought it might be worth telling some stories now and then.

The particular question was about work/life balance. There is no sugar coating here; there is very little balance a lot of the time. The key is that you find a way to catch up now and then. There are some time periods where you have to learn something new or you are developing something beyond your regular engagement. During these times, you work a full day with the client and a full day that night with everything else.

Sooner or later, it catches up with you and you need to find a way to slow things down. For the most part, the job asks for as much as you are willing to give. I really enjoy the work, but I could use a break now and then. I have a wife and two wonderful girls (4 and 6) who need me to be around. Luckily, we have a pretty flexible travel policy, so I am able to be home a good amount of time.

This is still the place for me and a great place to work.

AD uses different attirbute names from what shows up in ADUC

btrst4 — Thu, 14 Oct 2004 04:20:00 GMT

For the non-LDAP people, this cause quite a bit of confusion. First name is "givenName" and Last name is "sn." Street in ADUC is "streetAddress" in AD (of course, there is also a 'street' attribute to add to the confusion!).

There is a page on MSDN that explains the mapping; this link is your friend.

By the way, ADUC is now a word in my vocabulary. It is pronounced "a duck." I recommend using this pronunciation.

Just update the schema and quit worrying about it!!!

btrst4 — Thu, 14 Oct 2004 04:12:00 GMT

I am a little sick and tired about hearing that people are tentative about modifying the Active Directory schema! Maybe this is Microsoft's fault since we put so many warnings up about doing this. I say modify it like crazy. In fact, I think we should all add a schema attribute called "i-modified-the-AD-schema-try-and-stop-me" to our Active Directory.

Seriously, it is OK to extend the schema as long as you follow the best practices. Here are some important things to remember:

Even if you are only extending the schema for an internal application (something you are not selling), you should still follow proper practices like you are selling it. If you use attribute names or OIDs that end up appearing in future Microsoft products or 3rd party products, you could end up with conflict.
Do not store data in AD that is changing frequently. Frequently changing data belongs in a database.
Prefix your attributes with a lower case company name and a hyphen (e.g. - "fabrikam-shoeSizeEurope").
Obtain an registered OID for your schema changes. This can be done with various ISO Name Registration Authorities or from Microsoft. Info here.
Select a proper syntax (data type) for your attributes. If the item is true/false type data, use Boolean and not a text field. If the data is numeric, use Integer.
For simplicity, keep the cn and the ldapDisplayName of your attribute the same.

Update the schema using one of the following methods:

LDIF scripts. This is generally the best method.
Programatically. MSDN has some good samples.
Using the MMC schema mgmt. snap-in. Let's face it, you might only be adding a couple items and not need to distribute this beyond your company. This might be the easiest method in some cases. Keep in mind that you might need to register the "schmmgmt.dll" on the machine if the snap-in is not available.

Want to see your new attributes in ADUC? You might need to write some code, but it can be done. More info here.

Go for it!

...Of course, you should still test things properly and have a good backup. If you have a complex forest and you are highly concerned, you could isolate a DC schema master (it would have no replication partners) and test your extensions there. In case of failure, you could kill that DC and seize the schema master role back on the other DC's. Kind of a complex procedure and I would only attempt this if I was comfortable. In the end, if you follow best practices, extending the schema should be a safe procedure.

Sorry, but I have been busy

btrst4 — Thu, 14 Oct 2004 04:08:00 GMT

What ends up happening is that I start a new project and get horribly busy and have no time to post. I ended up making a bunch of notes of good things to post, so I have a little backlog of things. Expect a bunch here over the next couple days.