FIM 2010 RC1 Resource Management Client Sample Announcement
06 October 09 10:14 PM | IDAguys | 0 Comments   

The FIM 2010 RC1 client is unsupported sample source code and documentation that shows how you could build a client to communicate with the FIM Web Service. This sample client was inspired by Joe Schulman’s public client last year, and the documentation is based on the documentation Joe released in April. Joe's client was written for RC0 and cannot be used with RC1. You may now use this new client with FIM 2010 RC1.

 

The DefaultClientScenario.cs test case shows basic usage including Create, Read, Update, Delete, and Enumerate operations.  This sample client does not include documentation on how to complete approvals or the password reset scenario.

 

Please be prepared to step into the code and make adjustments. The most common issue people have with the client is correctly configuring WCF to communicate with the FIM Web Service. Ensure that you are setting the client credentials correctly and that you’ve modified the app.config file to include the service’s account name.  See the readme for more information.

 

While we hope that the client is useful in evaluating FIM, there is no commitment from Microsoft or from The IDA Guys to address any issues uncovered in the client or the examples provided.

Forefront Identity Manager 2010 RC1 released
06 October 09 03:35 PM | johnmcg | 0 Comments   

The long awaited RC1 release of Microsoft Forefront Identity Manager is finally here.  Yes, we've been waiting a long time but good things take time and when it comes to FIM 2010 there are a lot of good things.  FIM 2010, aka "ILM2", is the next iteration of Identity Management tools from Microsoft.  While it is technically the successor to ILM 2007, aka "ILM1", it is by no means simply an upgrade.  FIM 2010 dramatically improves enterprise identity management by delivering powerful self-service capabilities for Office end-users, rich administrative tools and enhanced automation for IT professionals, and .NET and WS-* based extensibility for developers. The final release is slated for the first quarter of 2010.

What’s new in FIM RC1:

· Significant performance and scalability improvements across the product.

· Key feature enhancements, such as the ability to show invalid security group members and to disable batch approve/reject of membership requests if needed. A System Center Operations Manager (SCOM) management pack and configuration migration tools are also new for RC1.

· The FIM 2010 user interface has enhanced usability and layout in many areas, resulting directly from RC0 customer feedback.

· The product is now rebranded as Forefront Identity Manager 2010, with a few exceptions, replacing the old “ILM 2” codename. 

New documentation will be published to Connect as well as TechNet and MSDN in the next few days. Keep an eye on the Technical Resources page for updates.

FIM is part of Microsoft’s continued, far-reaching commitment to enabling more secure, identity-based access to applications - on-premises and in the cloud, from virtually any location or device.

To learn more about the IDA solution you can find a webcast on the Launch website:
www.thenewefficiency.com - browse to Business Ready Security – Identity and Access Management Solution

Download FIM 2010 RC1 from the Microsoft TechNET Evaluation Center:
 http://technet.microsoft.com/en-us/evalcenter/cc872861.aspx

 

Poor Man's Secure eDirectory Synchronization
17 September 09 01:42 PM | bpmohr | 0 Comments   

Securing Transactions between ILM 2007 and eDirectory

I had a client that required that I connect securely between ILM and eDirectory for provisioning and synchronization of Active Directory to eDirectory user objects.   To use TLS there are two options.  First, certificate services can be utilized to provide the necessary security for making the connection.  Second, secure tunnel (stunnel) can be utilized from the ILM server to provide the encryption.  Because of its ease of use, and the fact that the customer did not want to mess with PKI, we went with the latter option.

But before we go down the securing path, we need to make sure the eDirectory Management Agent can connect to the eDirectory server.  The LDAP Server object for that server needs to be modified to support the connection.  The following steps will need to be performed from Novell ConsoleOne: 

1.       Double-click on the LDAP Server object of the server that the eDirectory Management Agent will be connecting to

2.       On the “General” tab, select the Enable old ADSI and Netscape schema output checkbox and click the Refresh NLDAP Server Now button

3.       Click OK

4.       Close ConsoleOne

Then it is time to install and configure Stunnel. Quoting from the website, which explains what Stunnel is about better than I can: “Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.” Oh yeah, it is open source under the GNU General Public License.

 

1.       Download the latest Stunnel binaries from http://www.stunnel.org/download/binaries.html to the ILM server

2.       Double-Click the installation executable.  For example, stunnel-4.27-installer.exe

3.       Click Run on the Security Warning

4.       Click I Agree, on the License Agreement

5.       Accept the defaults and click Next

6.       Accept the default installation folder and click Install

7.       Click Close when completed

8.       Edit c:\program files\stunnel\stunnel.conf by using only the following information.  Delete all other information:

*Note:  The connect = 192.168.1.18:636 will need to be changed to reflect the production eDirectory server.

9.       Close and save

10.   Click Start > stunnel > Service install

11.   Click OK on Service installed

12.   Start the stunnel service
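A client-mode stunnel.conf that matches the steps above, added here as an example; it is not the file from the original post. The service name, the loopback accept port and the CA file name are assumptions. Stunnel listens for plain LDAP on the ILM server itself and forwards it over SSL to the eDirectory LDAPS port, so the eDirectory Management Agent is pointed at the local accept address instead of the eDirectory server.

```ini
; stunnel.conf on the ILM server (added example, not the original post's file).
; stunnel treats a line starting with ';' as a comment; it does not support
; trailing comments after a value, so every comment sits on its own line.

; Global options
; This stunnel is the SSL client: it initiates the encrypted connection.
client = yes
; Log to a file in the stunnel folder; raise debug to 7 while troubleshooting.
output = stunnel.log
debug = 5

; One service section per tunnelled protocol. The name is an assumption.
[edir-ldaps]
; Plain LDAP from the eDirectory MA arrives here. Binding to loopback keeps the
; unencrypted hop on the ILM server. Port 389 is an assumption; choose another
; port if something on the ILM server already listens on 389.
accept = 127.0.0.1:389
; eDirectory LDAPS endpoint; change to the production server as the note says.
connect = 192.168.1.18:636
; Without the next two lines the tunnel encrypts but does not authenticate the
; eDirectory server. Export the eDirectory CA certificate to a PEM file in the
; stunnel folder (file name is an assumption) to verify the server as well.
verify = 2
CAfile = edir-ca.pem
```

With this file in place the eDirectory MA is configured to connect to 127.0.0.1 on port 389 without SSL; stunnel wraps that traffic in SSL on its way to port 636 on the eDirectory server.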


Manageability for Identity and Access Management solutions
29 July 09 04:59 AM | Glenn Walton | 0 Comments   

This is a cross-posting; the article is here: http://blogs.technet.com/architect_viewpoint/archive/2009/07/29/manageability-for-identity-and-access-management-solutions.aspx.

 

Overview of authentication mechanisms in AD LDS
19 June 09 09:24 PM | aungoo-MSFT | 1 Comments   

Hello All,

I have been working with a customer on an application authentication project with AD LDS (Active Directory Lightweight Directory Services) and ADAM (Active Directory Application Mode), and I thought it might be interesting to share my experience on this blog. There are many things to share, but I will focus this blog entry on the available authentication options and try to break down their usage depending on the scenario.

Since this entry explores only the authentication aspect of AD LDS or ADAM, this can apply to both products.  I will stick with AD LDS for the remainder of the blog for the sake of clarity.  If you are not familiar with AD LDS or ADAM, look at the Windows Server Tech Center page at http://technet.microsoft.com/en-us/library/cc731868.aspx.  Brian Puhl’s recorded session at http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=342  covers when to use AD LDS or AD DS.

You can use one of three authentication mechanisms available with AD LDS to authenticate:  AD LDS principal authentication, Windows principal authentication and AD LDS proxy authentication.

AD LDS principal authentication is the most common scenario that I have seen at customer implementations. It is typically chosen by customers who have legacy applications that require a dedicated directory for simple LDAP authentication and who do not want to extend the schema of their AD DS. It is a simple LDAP authentication in which users bind with the DN (distinguished name) of their AD LDS account in X.500 format and its password. User account policies such as account lockout and password complexity are enforced by the local security policy of the machine on which the AD LDS instance is configured, if the server is in a workgroup; Active Directory Domain account policies apply if the server belongs to a domain. The drawback of this authentication type is that users’ passwords are transmitted in clear text, so an additional step is required to configure LDAP over SSL. The instructions on how to configure LDAP over SSL for AD LDS are at http://technet.microsoft.com/en-us/library/cc725767.aspx.

Let’s look at Windows principal authentication (also known as SSPI authentication). Customers are usually not aware of this authentication type. This approach allows users to authenticate to an AD LDS instance using their AD DS domain account or a local user account on the server that hosts the AD LDS instance. In order for users to authenticate using their domain account, the server hosting the AD LDS instance must be a member of the domain. Authentication with a domain account leverages the Kerberos protocol (although it may fall back to NTLM depending on the AD domain policies) and is thus more secure than using a local account, which leverages NTLM. This MSDN article http://msdn.microsoft.com/en-us/magazine/dvdarchive/cc300806.aspx explains the capabilities of the different authentication protocols and why Kerberos is more secure than the other Windows authentication types. Using Windows principal authentication obviates the need to configure LDAP over SSL, as it leverages the Kerberos or NTLM sign-and-encrypt mechanism to protect the traffic. It is also easier to manage domain accounts with domain policies and security groups. If a Windows principal is used to authenticate to an AD LDS instance, users must provide their Windows credentials with user name and domain. The con of Windows principal authentication is that it cannot accommodate legacy and non-Windows applications which still require binding with an X.500 path.

The third option is ADAM proxy user authentication, also known as bind redirection, in which users authenticate with their AD LDS principals but leverage their corresponding AD DS passwords. Proxy authentication allows reduced sign-on: users still need to bind with the DN of their AD LDS account but can use the same password as their AD DS account. This simplifies account management, as it can be done from AD DS. This option requires the server hosting the AD LDS instance to be joined to the AD DS domain, or to have a trust relationship with the AD DS domain in which the users’ AD DS accounts reside. It also requires additional synchronization tools like Identity Lifecycle Manager 2007 or Forefront Identity Manager 2010 (currently in Beta) to synchronize the objectSID of the AD DS user account to the corresponding AD LDS account. LDAP over SSL should be configured for users to authenticate with their AD LDS account in order to keep their domain account password secure. This TechNet article http://technet.microsoft.com/en-us/magazine/2008.12.proxy.aspx provides more insight into proxy authentication.

This article http://technet.microsoft.com/en-us/library/cc784622.aspx explains how to set up each of the authentication mechanisms available in AD LDS.

My recommendation is to leverage Windows principal authentication with users’ AD DS domain accounts when possible, for the reasons mentioned above, unless the applications cannot support Windows authentication. If your environment has a synchronization product like ILM, bi-directional proxy authentication should be explored to simplify account management.
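The three bind styles described above, written out with System.DirectoryServices.Protocols as an added example; this is not code from the original post or from the AD LDS product. The host name, ports, DNs and password are placeholders for your own instance.

```csharp
// Added example, not from the original post: the three AD LDS bind styles
// (AD LDS principal, Windows principal, proxy) with System.DirectoryServices.Protocols.
// Host, ports, DNs and the password below are placeholders.
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class AdLdsBinds
{
    const string Host = "adlds.example.com";   // placeholder host name
    const int LdapPort = 389;                  // placeholder LDAP port
    const int LdapsPort = 636;                 // placeholder LDAPS port

    // 1. AD LDS principal authentication: a simple bind with the account's
    //    X.500 DN. The password travels in the clear inside the bind request,
    //    so the session is forced onto SSL before any credential is sent.
    //    VerifyServerCertificate is left unset on purpose: that keeps the
    //    default Windows certificate chain validation in place.
    public static LdapConnection BindAdLdsPrincipal(string userDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, LdapsPort))
        {
            AuthType = AuthType.Basic,
            Credential = new NetworkCredential(userDn, password)
        };
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        conn.Bind();                 // throws LdapException on bad credentials
        return conn;
    }

    // 2. Windows principal authentication (SSPI / Negotiate): Kerberos for a
    //    domain account on a domain-joined host, NTLM otherwise. Signing and
    //    sealing protect the LDAP traffic, so LDAPS is not required here.
    public static LdapConnection BindWindowsPrincipal(string domain, string user, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, LdapPort))
        {
            AuthType = AuthType.Negotiate,
            Credential = new NetworkCredential(user, password, domain)
        };
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.Signing = true;
        conn.SessionOptions.Sealing = true;
        conn.Bind();
        return conn;
    }

    // Same mechanism, but with the caller's current Windows logon: the
    // application never handles a password at all.
    public static LdapConnection BindCurrentWindowsUser()
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, LdapPort))
        {
            AuthType = AuthType.Negotiate
        };
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.Signing = true;
        conn.SessionOptions.Sealing = true;
        conn.Bind();
        return conn;
    }

    // 3. Proxy authentication (bind redirection): from the client's side it is
    //    an ordinary simple bind with the DN of the userProxy object and the
    //    user's AD DS password; AD LDS checks that password against the AD DS
    //    account identified by the synchronized objectSid. Because the AD DS
    //    password is what crosses the wire, the same LDAPS rule applies.
    public static LdapConnection BindProxyPrincipal(string proxyDn, string adDsPassword)
    {
        return BindAdLdsPrincipal(proxyDn, adDsPassword);
    }

    // After binding, ask the instance which SASL mechanisms it advertises;
    // the rootDSE is readable by any bound connection.
    public static string[] SupportedSaslMechanisms(LdapConnection conn)
    {
        var req = new SearchRequest("", "(objectClass=*)", SearchScope.Base, "supportedSASLMechanisms");
        var resp = (SearchResponse)conn.SendRequest(req);
        var attr = resp.Entries[0].Attributes["supportedSASLMechanisms"];
        if (attr == null) return new string[0];
        return Array.ConvertAll(attr.GetValues(typeof(string)), v => (string)v);
    }

    static void Main()
    {
        // Placeholder DN of an AD LDS user in an application partition, and a
        // placeholder password; in a real application read both from the user.
        using (var conn = BindAdLdsPrincipal("CN=jdoe,OU=Users,DC=app,DC=local", "placeholder-password"))
        {
            Console.WriteLine("Bound with an AD LDS principal over LDAPS.");
            Console.WriteLine("SASL mechanisms: " + string.Join(", ", SupportedSaslMechanisms(conn)));
        }
    }
}
```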

TEC 2009 Part 3
12 June 09 01:10 PM | erichue | 0 Comments   

Greetings All,


This is my first public blog post.   Like many of the other posters on this blog, I was at the Las Vegas 2009 TEC conference as a speaker.  I presented on ILM “2” Best Practices, which was largely a repeat of a presentation that Bahram Rushenas and I presented internally shortly before TEC based on our experiences working with Rapid Deployment Program (RDP) customers that have been working with pre-release versions of FIM.
We tried to focus on both the technical “gotchas” in ILM “2” / FIM 2010 RC0 as well as the deeper, longer-term concerns in implementing a system that touches on so many aspects of the business including system availability and security. 
Some of the technical gotchas we talked about were naming standards and MPR interactions. Those are the easy, straightforward points.


The other area is a bit of a passion of mine.  While there are reams of information on how many products work at the nuts and bolts level, there is rarely very good documentation on how to take a business problem from genesis through to a documented, supportable, long-term solution.  (A notable exception is the Identity and Access Management Series at http://technet.microsoft.com/en-us/library/cc162924.aspx.)   Implementation of an Identity Management System relies on the architect or design team to wear a number of hats.  Infrastructure expert, Development guru, and Process Analyst skills are all required to make a fully effective IdM system. 

In ILM 2007 there really wasn’t a need to be more than a basic developer on the technology side. Everything was processed in a per-object, serial manner and occurred in the back room, out of sight. If you had a problem, you just attached the debugger and stepped through an object or two.


In FIM 2010 (formerly ILM “2”), you now need to handle workflow, web-services and concurrency on the development side and security, availability and performance much more than before on the infrastructure side.  Placing a debugger on the production FIM Service will likely generate a lot of helpdesk tickets since it will inhibit requests from processing while you are stepping through the code (if you can figure out which transaction you are looking for).

The scope of scenarios that FIM can handle is very much larger and more complicated than the scenarios for which we typically used ILM 2007.


Also, we need to take into account that the solution needs to run long after the implementer has left the environment.  Preferably as something other than a “black box”.  More on that point in a later post.


You will find the presentation from TEC by clicking on this link:  ILM "2" Best Practices Deck.

NEVER Say it will only take Five Minutes…. (The case of the ILM SQL Management Agent trying to connect to a database with a trailing space in the name)
06 June 09 01:15 AM | mkradel | 1 Comments   

Before I begin to explain this post heading, I wanted to say a few words about my contribution to the “IDA Guys” blog.  I was excited for the opportunity to participate in this blog.  One of the reasons I wanted to participate is that through the years I have received help from many, many people in the community via their blogs and forum posts.  They don’t know they’ve helped me because most of the time I ended up at their post via a search engine, looking for a specific answer to a question or problem.  It is hard to imagine how we ever lived without community support.  I really hope that through this blog others too will find some information that will be useful in getting their job done.  The content of this specific post is a completely different subject from the previous posts, and the one that follows this is likely to be different yet again.

Now, back to the subject at hand….

Never say it will only take five minutes. Why? Because you never know the issues that you are going to face. 

Yes, I am a consultant, so there is some suspicion when I’m asked “how long” and I hesitate and am reluctant to give an answer.  But the reluctance is born from experience.  I really need to think before I answer a question about the level of effort.   I know I’m getting old, my kids remind me of that with every additional strand of gray hair that I proudly accumulate.  I also know I’m getting old when I see younger IT professionals proudly and quickly saying, “That’s easy, it will only take a few minutes”.  Call me cynical, but my personal opinion is, “Nothing is easy”.  I prefer to think of myself as a realist.  Except when I forget my own advice, like I'm about to relate.

Given that backdrop, I want to share an experience I had recently where I was requested to do a fairly small item with an ILM 2007 implementation. The customer wanted me to set up a simple SQL MA, which was not part of the original work plan. I figured I could get this done very quickly, the proverbial five minutes. The supposed five minute easy change took almost a full day. In relating this experience, I also hope to drop a few bread crumbs along the way so that if you hit this problem, you may remember this post, and your five minutes won’t grow into hours.

The simple SQL Management Agent

How long should it take to create a simple Proof of Concept connection to a SQL database? Five minutes? You would think, but experience has taught me that things rarely go as planned. The company I’m working at is large and complex. The SQL database was on a remote server and is controlled by the SQL team. The developer I’m working with is six time zones away. It is a development database, so the developer does have administrative access, and getting access to the database wasn’t a problem.

Minor problem number 1 hits me when I go to set up the MA. The account I gave the developer to grant access to the SQL table is not going to work. My development environment is in a domain that is untrusted by the target SQL server’s domain. The account I had permissions granted to is in the forest of the SQL server, but “Integrated Authentication” won’t work from the ILM development environment in the untrusted domain. I need a new SQL account provisioned, but just to be sure that was the problem, I did a little research on the SQL authentication options. All in all, my five minutes is up to an hour.

That, though, didn’t turn out to be the biggest problem. Once I received the SQL account, I still could not connect, and repeatedly received the following dialog: “Failed to retrieve the schema. Cannot open the database table you’ve specified”.

The first bit of troubleshooting was to verify the account had privileges.  I had no problem using that account through various other tools, including osql and SQL Server Management Studio. 

I could not figure out what was going on.  I was getting a bit frustrated at this point, so to completely eliminate permissions I got on the phone with the developer and we temporarily elevated the account privileges, but as expected, that didn’t work either.

I really needed to get things moving, so I decided I would just recreate the table on my local development SQL box. So I auto-generated, via SQL Server Management Studio, the script to create the table that I would then develop against; I’d worry about the real connectivity later. Here is a snippet of the SQL generated to create the table; see if you notice anything:

    USE [Database1 ]
    GO
    CREATE TABLE [dbo].[TESTTABLENAME](
        [USER_ID] [varchar](30) NOT NULL,
        …)

 

Do you see the issue?  There is a trailing space in the database name.  I noticed it immediately when I looked at the script.  I didn’t bring it up at first, because using osql from the command line, I could add or strip the space on the command line and it would still work.  But when all else failed, I asked the developer owning the database to copy the table to another database on the server, and sure enough that was the issue.   After that, I confirmed with my colleagues on the ILM Product Team that this would be a problem.  They were able to review the code and validate that ILM trims the input from the Management Agent Setup UI.  This was what was causing the connection failure.

That is the bread crumb that I hope helps somebody else some day, in the unlikely event that their database name has a trailing space. 

The five minute MA creation took me the better part of the day. The reality is that we still need to come up with a solution to deal with this table in production, as I was told that changing the database wasn’t going to be an option, but that is for another day.

The Experts Conference Continued...
21 May 09 02:07 AM | MikeDube | 0 Comments   

Following on from Brian’s last post about The Experts Conference, I also wanted to share my experience with the conference and talk about a session that Markus Vilcinskas and I delivered. 

This year marked the 6th TEC event that I attended, and I firmly believe that if you work with Microsoft Identity and Access technology (and now Exchange) and you have to pick one conference a year to attend, TEC is the event to go to. As a little backgrounder, the Directory Experts Conference (DEC) was conceived by NetPro’s Gil Kirkpatrick (CTO) and Christine McDermott (VP of Marketing) back in 2002 and was originally designed to be a “get together” of smart AD professionals that would discuss AD over pizza and beer (at least that was Gil’s plan). Gil tells the story better than I could, so here’s a link to his account on the conception of the event. Since the 2002 event in Arizona, NetPro continued the event, growing its constituency and technology focus year over year. DEC 2005 in Vancouver was the first event I attended, and it was the first event to host a dedicated MIIS track. We had a small out of the way room, and between 20 and 30 people in most of the sessions. That year I presented with Andreas Luther, then GPM of the MIIS Product Team, on the changes introduced in MIIS 2003 SP1… man that was a long time ago. For a flash back to that time, here’s the deck for that session. Since 2005, I’ve presented at a few events in Las Vegas, once in Chicago and even once in Belgium (where I badly sprained my ankle on an excursion to Luxembourg and got to spend a lovely evening in the Brussels hospital and the rest of the conference on crutches). As Brian pointed out in last week’s post, the conference has been renamed from DEC to TEC since Quest’s acquisition of NetPro. This is in part to break the “D” for Directory out of the primary name of the conference since the event is branching out to include other technologies. TEC now includes:

Mike's Brussels Hospital Experience

-          The Experts Conference for Directory and Identity

-          The Experts Conference for Exchange

 

What I love most about this conference are the people that I meet and the experiences that they have to share, both on stage and off. Not only is the conference well attended by the Microsoft Product Teams that are building the technology the conference is focused on, but it is also well attended by our partner community, both ISVs and SIs, and as such is a great opportunity to get together with the people that do the same thing you do and share stories and experiences. My friend Craig Martin talked about this a little during his “ILM 2 Migration Strategies” session this year and compared TEC to the place where the bumble-bee girl finds happiness in the Blind Melon video for their song “No Rain”. In the video, a little girl finds herself estranged from everyone else because she went around wearing a bumble-bee costume, but finally found her bliss in a place where everyone wears bumble-bee costumes. This hit it on the head for me. In my “normal life”, nobody really wants to hear about the trials and tribulations of Enterprise Identity and Access Management. Of course they do ask, but the deer-in-the-headlights stare quickly makes it evident that they were hoping for a more generic answer. However, at TEC, people do care and we all have stories to share with each other. These experiences help us grow both in our professional and our personal lives, as the connections made at these events lead to friendships as well as a larger networking circle.

Holger Reiners, Jörg Finkeisen and Mike

 Craig Martin, Mike and the TEC Chicken

While the conference is very serious in its purpose of providing highly technical content to its constituents, there is also a lot of fun to be had.  This year included a large chicken making its way around the conference, making for fun photo-ops.  Also, every year there is a challenge presented by Stuart Kwan called the Wook Lee Challenge (now called the Wook Lee Memorial Challenge as Wook has failed to make the past few events).  Each year, Stuart throws out some suggestions for how to incorporate Microsoft’s IDA technology into some humorous and artistic endeavor (poetry, music, art).  For some examples, check out these links:

2008 Winner (From Pam Dingle's Blog)

2009 Winner (From YouTube)

 

Well… enough about that and on to the session that Markus and I delivered. Markus and I have presented together at the last 4 events and I’ve had a lot of fun in the process. Markus is deeply technical, being one of the longest standing members of the ILM Product Team, and he has a great sense of humor, which definitely comes through in his presentation style. The session was a 300/400 level session on Declarative Provisioning (formerly called Codeless Provisioning) in Forefront Identity Manager 2010. This session was a deep dive into how Declarative Provisioning works, which includes a bunch of new acronyms (we Micropeeps love our acronyms!). In the session we explained in detail how the following work and interact with each other:

Mike and Markus

     o   Management Policy Rules (MPRs)

     o   Action Workflows (AWs)

     o   Synchronization Rule Objects (SROs)

     o   Inbound Sync Rules (ISRs)

     o   Outbound Sync Rules (OSRs)

     o   Expected Rules Lists (ERLs)

     o   Expected Rules Entries (EREs)

     o   Detected Rules Lists (DRLs)

     o   Detected Rules Entries (DREs)

In addition to giving a deep dive into how Declarative Provisioning works, we also introduced a problem space called “Object State Detection” (OSD). Object State Detection is a new feature in FIM 2010 that enables you to document and detect specific states of an object in a connected data source and to take action based on them, allowing rules to be processed based on confirmation of the detected state. In our presentation we used as an example the states of “Enabled AD User” and “Disabled AD User” and demonstrated how to configure the system to send email notifications to a user’s manager when their state was manually changed in the connected system (in this case AD). This scenario implements something Markus and I termed an “Operational Outbound Sync Rule”, whose purpose is simply to define the state of the object, via an Existence Test, that you are looking to perform actions on. Operational OSRs do not actually result in the flow of data to the connected data source because they are not linked to an Action Workflow; their only purpose is to define the Existence Test that will be evaluated during Inbound Synchronization in the FIM Synchronization Service. Note: OSRs that are configured with Existence Tests are processed at the end of an Inbound Synchronization process (in the FIM Synchronization Service) for the purpose of generating DREs. This concept can be applied to any type of state that can be detected via a FIM MA. Some other examples of states that you might be interested in managing via OSD:

-          Account exists in system X (perhaps a finance application under SOX scrutiny?)

-          AD User is Mailbox Enabled

-          AD User is OCS Enabled

-          RACF User has TSO Access

-          Etc.

The session was well received and is available here for you to review.   This deck was not the deck used at TEC, but is a revised version that we used to present the content internally, and as such has a little more content. 

Thanks for taking the time to visit The IDA Guys blog.  If you have any questions, feel free to post them and I’ll do my best to get back to you shortly.

Have fun,

Mike

 

The Experts Conference
14 May 09 08:29 PM | bpmohr | 0 Comments   

In the spirit of sharing a conference experience, I wanted to create this summary. I returned recently from The Experts Conference (formerly The Directory Experts Conference). This conference was hosted by NetPro in the past, but is now hosted by Quest Software because they purchased NetPro last year. This conference is focused on Microsoft’s directory, identity and messaging technologies and this year had tracks for ILM, Federation, AD, Exchange and Information Protection. Personally I focused on the ILM and AD tracks. Overall I will have to say this is one of the best conferences I have ever attended, I think because it was so focused and small in size (~450 attendees). The following is a quick summary of some of the breakouts that I attended:

 

Exchange Provisioning with ILM and ILM “2”

Avanade (Jeremy Palenchar & Andrew Weiss) presented a unique method of provisioning Exchange mailboxes that goes beyond what ILM is capable of out-of-the-box. The only caveat is that it goes against the best practice of not calling outside systems from provisioning or extension code. Avanade have created a Web Service that makes .NET calls to PowerShell and WMI to manage Exchange 2003/2007 environments. If you are not aware, ILM will only provision a new mailbox / user. If you want to mailbox-enable an existing user, create a shared mailbox, move a mailbox or provision a mix of Exchange 2003 / 2007 from the same MA, you need to be creative. This presentation showed how they did this using calls to a Web Service.

 

Human Behavior

This presentation was put on by our ILM product group (Andreas Kjellman and Mark Wahl) and for me was one of the best. Within ILM 2 there are many interactions with the end user, from emails to a web portal. They showed that we need to consider how we modify the existing defaults and templates to convey valuable communication to the users. Here are a few highlights of things to consider:

·         How will the users get to the portal?

·         Hide technical information from the user in the communications. “Please contact your ILM administrator.” is not a good idea.

·         Install Clients silently (GINA extensions, Outlook Add-ins)

·         Password Reset questions:

o   Run the questions through HR and Legal

o   Check out goodsecurityquestions.com

o   Avoid Facebook or MySpace survey questions. They make it easy to socially engineer your users’ password reset questions.

·         Customize the help links on the portal sites

·         Customize the email templates

 

Codeless Provisioning Deep Dive

This was a wonderful presentation by Microsoft Services (Mike Dube and Markus Vilcinskas). They went into deep detail to explain and demonstrate the provisioning process in ILM “2”. Let me tell you that it was very deep and a good refresher for me. What I found the most interesting was the use of what they call “Operational Synchronization Rules” (OSRs). This is a rule that is evaluated at the end of an inbound synchronization. It allows you to determine the current state of an attribute of an already created object; for example, if you want to determine who has a disabled account, it would return true for those accounts and, based on that, you could generate a notification via email. There are great possibilities in using OSRs.

 

*Note: Keep your eye open for a more detailed post from Mike Dube next week right here.

 

ILM “2” from an IT Pro’s Perspective

This was another presentation from our ILM Product Team (Andreas Kjellman).  This presentation provided a perspective for implementing ILM “2” by using steps for planning, identifying business processes, rules and roles and how to map the processes to those rules and roles.

 

Migration Scenarios – MMS\MIIS\ILM to ILM “2”

This was a useful presentation by Oxford Computer Group (Craig Martin) showing the simplicity of upgrading to ILM “2”. The process is pretty straightforward if you are going from apples to apples, but when it is time to utilize some of the improvements of ILM “2”, it will require more work.

 

Managing Active Directory with AD Administrative Center

This was a presentation from our product group (Ivan Lam) about the Active Directory Administrative Center in Windows Server 2008 R2. This new management console, which is similar to Hyena if you are familiar with it, does not use MMC. It is built on a web service that will need to be installed on a domain controller, and it uses PowerShell on the back end to perform the necessary AD administrative activities. It seems to be a really nice replacement/enhancement for ADUC.

 

Overseeing an IDA Project

This presentation was from Oxford Computer Group (Peter LaCrosse). It was a good presentation on project management. The processes he discussed can be geared toward any project. The presentation talked about such things as learning the cultural differences for international projects and defining the frequency of communication. It also pointed to Gartner’s latest communication that companies will start to need faster ROI. The presenter stated that Gartner is saying companies will expect to see ROI in less than twelve months. This will be a difficult task for large projects that last beyond twelve months.

 

If you work in this field, I suggest you make it a point to attend one of these conferences in the future.  It is well worth the information and networking you will receive.

Welcome to the IDA Guys TechNet Blog
21 April 09 01:50 PM | johnmcg | 1 Comments   

We are launching this blog to bring you "on-the-street news", experiences and ideas about the Identity Management products from Microsoft that we live and breathe every day.   The IDA Guys are made up of Identity Management experts from the Microsoft Technical Field. 

 

Let us start this out with some good news. Identity Lifecycle Manager “2” has now been branded Forefront Identity Manager 2010. We will be releasing a new release candidate (RC1) in Q3 (approximately July). The product group responsible for Forefront Identity Manager, based on customer feedback from early adopters both in the public and private sector and including our own internal Microsoft IT (MSIT), wants to make sure that the next version is easier for customers to deploy and use. They also wanted to fulfill requests made by current TAP and RDP customers that include tools and strong documentation available for the release of the product. Believe us, these will be good things to have when it comes time to deploy the new product. The current schedule for RTM is Q1 CY2010.

 

Again, welcome to this new blog.  We look forward to bringing you regular updates that will help you to deploy the various Identity Management products that Microsoft develops.
