Apollo Jack

FIM PCNS And A Lack of Trust

2012-03-31T20:09:00.001-07:00

If you read through the FIM documentation for setting up PCNS, you will find that either FIM and PCNS need to be in the same forest or be part of a forest trust. From http://technet.microsoft.com/en-us/library/cc720594(v=ws.10).aspx:

Forest trusts are only required if PCNS and ILM 2007 are located in different forests. If this is the case, a forest-level trust must be established. This is required for Kerberos mutual authentication for the ILM 2007 server to accept the request from a remote forest host.

This can become extremely limiting, especially if both forests do not have the proper forest and domain levels. Theoretically, however, it’s possible to make Kerberos work over an External Trust (http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx). With an External Trust, we don’t have any of the same forest functional level restrictions, opening up PCNS as a viable option for more customers. I would love to know if anyone has been able to get PCNS working in this configuration. In the mean time, I will have to set up a lab and try it out. I will report back on the results and let you know!

The Last FIM Workflow You Will Ever Need

2012-02-24T13:19:00.000-08:00

Okay, probably not, but its still pretty cool. I recently built a Workflow in FIM that will allow a user to define the code they want executed at run time. The Workflow will compile the code and run it in a separate app domain when its initiated (http://www.west-wind.com/presentations/dynamicCode/DynamicCode.htm). The UI will allow you to specify the input parameters and where the result of the code execution will go. Here is a simple example, I am passing in the first and last name from the target of the request, I am also passing the the mail host that I have calculated in a previous step and saved to WorkflowData. I am then using the code to calculate the user’s email address and save it to the email parameter on the target:

You can add and remove input parameters as needed during design time and then refer to them in the code using their specified index. I expect in future releases to be allow the user to specify additional namespaces and code references to import. It currently won’t do any syntax checking or formatting at design time, but otherwise its extremely versatile and flexible!

Sun One Boolean Attributes

2012-01-13T09:34:00.002-08:00

Recently while working with the Sun One MA, I came across a problem caused by how FIM interprets boolean data coming from the directory. In this case, the Sun One directory stores its boolean data as “YES” or “NO”, however when imported by FIM, this data always gets converted to False in the connector space. (http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/8ffc112e-d945-4916-83b3-78fbba716705)

Now we can’t use an advance import flow to correctly convert the data as it comes into the Metaverse because we have already lost data integrity. The data that’s in the connector space is basically useless. This only leaves us with a couple of options, we can write an XMA to correctly handle the data, but this can be fairly complicated. We can also update the directory schema and use a string instead of a boolean, however, this could cause other downstream issues with other systems that might be consuming this data. There is one other option, but its completely unsupported. You could update the FIM database to make the system think this attribute is a string.

Begin by running the following SQL Statement using the SQL Server Management Studio against your FIM database:

SELECT CAST(ma_schema_xml AS XML)
FROM FIMSynchronizationService.dbo.mms_management_agent
WHERE ma_name = '<Sun One MA Name Here>'

In the results window you will get a single record that can be clicked on to open an xml document containing the schema for your Sun MA. Each attribute in the directory will appear using this syntax:

<attribute-type id="system_assigned_id" single-value="true/false">
<name>attribute_name</name>
<syntax>LDAPv3_syntax_oid</syntax>
</attribute-type>

If you do a quick search (Ctrl+F) for your attribute, you can manually update the LDAP Syntax OID from a boolean (1.3.6.1.4.1.1466.115.121.1.7) to a string (1.3.6.1.4.1.1466.115.121.1.15). In my case, the new XML looked like:

<attribute-type id="Ah" single-value="true">
<name>isManager</name>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>

I then used an update statement to write this information back to the database. After performing a full import on this MA the connector space now reflected this data as a string of “YES” or “NO” just as it appears in the directory. Now that the connector space had data I could work with, I wrote a quick advanced import flow rule to transform this value to a boolean:

case "isManager":

   //perform conversion for isManager from yes/no to boolean value
   if (csentry["isManager"].IsPresent)
   {
      if (csentry["isManager"].Value.Equals("yes", StringComparison.InvariantCultureIgnoreCase))
      {
         mventry["isManager"].BooleanValue = true;
      }
      else
      {
         mventry["isManager"].BooleanValue = false;
      }
   }
   break;

This approach does have its risks. It will need to be re-done after performing a schema refresh in FIM and there is no guarantee it will keep working after an upgrade/patch. The following SQL query could be used to script out this update, just replace the attributeName and SunOneMA variables and you should be good to go:

DECLARE @attributeName AS Varchar(255) = '<Attribute Name Here>'
DECLARE @SunOneMA AS Varchar(255) = '<Sun One MA Name Here>'
DECLARE @newSchemaOID AS Varchar(255) = '1.3.6.1.4.1.1466.115.121.1.15' --Directory String

-- get schema data
DECLARE @schema AS XML

SELECT @schema = CAST(ma_schema_xml as xml)
FROM FIMSynchronizationService.dbo.mms_management_agent
WHERE ma_name = @SunOneMA

-- update schema type
SET @schema.modify('
   declare default element namespace http://www.dsml.org/DSML;
   replace value of
      (dsml/directory-schema/attribute-type[name=sql:variable("@attributeName")]/syntax/text())[1]
   with
      sql:variable("@newSchemaOID")
   ')

-- save back to table
UPDATE FIMSynchronizationService.dbo.mms_management_agent
   SET ma_schema_xml = CONVERT(nvarchar(MAX), @schema)
WHERE ma_name = @SunOneMA

Ensynch Joins Insight!

2011-09-20T11:16:00.001-07:00

We are very excited about the union of Insight and Ensynch and the benefits that it will bring to our clients. Both companies are focused on helping our clients find innovative, cost effective solutions to address business needs. Bringing Ensynch into the Insight organization will offer clients more robust software services, particularly around Microsoft Enterprise Agreements, as well as improved services delivery, enhanced virtualization and cloud capabilities and solution-focused approach to software sales. This acquisition will further simplify our clients’ ability to acquire, procure, implement and manage IT solutions across their technology environment.

For more information, read the press release here, visit www.insight.com or www.ensynch.com, or contact me with any questions.

FIM 2010 and Language Types

2011-07-27T12:47:00.001-07:00

Recently, while working with James we had to support synchronization of identity data that used language types/codes. Here’s a little background…

Directories that support RFC 3866 (in this case Sun One) allow you to specify the language of an attribute’s value. Here’s a simple example, say your company has a presence in the States and in Germany and you want to be able to store the user’s title “Software products” in both English and German, you can do that like this:

title;lang-en: Software products
title;lang-de: Softwareprodukte

Now, FIM will support reading these attributes out of the directory and storing them into the CS, up to a point. If you were to import this attribute, what you would get is a single multi-valued title attribute with both values, at which point you have lost all of the language information:

In order to preserve this information, we ended up writing our own XMA to bring in the attribute with its language type as an attribute in its own right. So using the DirectoryServices (or DirectoryServices.Protocols, if you prefer) namespace we were able to access the directory and retrieve the full name of the attribute, we then wrote this out to our file so that FIM would see them as different items. (If you end up writing your XMA using the LDIF file format, like we did, you will have to actually transform the attribute name on the way out to the file to remove/replace the “;” or you will continue to have the issue above!)

We can now flow these attributes with the language information intact to other downstream systems.

XMA Creation Feature

2011-07-26T15:49:00.001-07:00

So recently while creating some XMAs for FIM 2010 I noticed that while the initial creation page looked like this:

When I opened the XMA after it was created I got:

“One of these things is not like the others….” Even though I didn’t select the checkbox for the “Run this management agent in a separate process” option, the FIM Sync Engine created it that way. It will remember the setting from this point in, but if you forget, this can make attaching the debugger and stepping into your code a little more difficult. (Just as any FYI, I usually do turn this feature on when I am running the XMA in a QA/Production environment to minimize the chance that I could bring done the main sync miiserver process). This only appears to be an issue the XMA, I haven’t noticed this issue with any of the other MA types.

Exchange Room Resources

2011-06-15T12:13:00.001-07:00

Recently while trying to provision Room Resource Mailboxes via FIM, or more specifically I was setting their Access Booking Policies via the Set-CalendarProcessing command in a PowerShell Workflow, I received the following error:

The values for ResourceMake, ResourceModel, and ResourceType must be included in the ResourceProperties collection.

You may also see this error if you try to open the object in the Exchange Management Console and try to save it.

Upon further inspection, the issue appeared because the msExchResourceSearchProperties attribute didn’t contain the resource type, in this case “Room”, anywhere in the multi-valued list. After manually adding this value to the existing list, this issue was resolved. Since we are getting this list from user input in the portal, a more permanent solution will involve adding a Workflow to ensure that “Room” appears in this list when we add/update it in the portal.

TEC 2011

2011-05-26T09:29:00.001-07:00

For those of you who were able to make it to my presentation at TEC 2011 (State side), I promised a blog entry going into some more technical detail on the Ensynch Accelerated SQL XMA (coming soon). If you are interested in the slides I presented you can get them here. Jeremy also had another suggestion that I will be trying out, so keep an eye out, I will let you know how it goes!

Custom Attributes in a Function Evaluator Workflow Activity (or lack there of)

2011-05-25T17:15:00.001-07:00

Okay, so as some of you have found out if you bind a custom attribute to a custom resource in FIM, those attributes don’t show up in the Function Evaluator Workflow Activity drop-downs here:

or here:

There are two ways to go about fixing this, you can bind the custom property to a “known” resource type, like user. Or you can skip the lookup and go ahead and reference them anyway using the CustomExpression option. This will mean hand typing the attribute name into the Destination and Custom Expression fields, but it will keep your bindings cleaner:

File Based Management Agents In MIIS/ILM/FIM

2011-04-22T17:01:00.001-07:00

I had a recent need to really compare the capabilities of each of the file based Management Agents in FIM. Can you name all five? Don't worry, I won't leave you hanging, they are:

Attribute-value pair text file
Delimited text file
Directory Services Markup Language (DSML) 2.0
Fixed-width text file
LDAP Data Interchange Format (LDIF)

Here are some of the things that they can and can't do (this is for you Joe) and just for kicks, I also added in the SQL MA. If you are using one of these file types in an Extensible Management Agent (XMA), the following still applies:

	Multi-valued Attributes	Attribute Level Updates ¹	Multi-valued Level Attribute Updates ²
Attribute-value pair	YES	NO	NO
Delimited	YES ³	NO	NO
DSML	YES	NO ⁴	NO
Fixed-width	YES ³	NO	NO
LDIF	YES	YES	ON IMPORT ONLY⁵
SQL MA	YES	YES	NO ⁶

Okay, now for the caveats (can’t get away without some of those):

An Attribute Level Update implies that a delta import can contain only the attribute that has changed (along with the other required columns, like the type of change and the anchor)

So, here’s what that might look like. Suppose I have a user with the following attributes:

	ID:	12345
	Name:	Sarah
	Status:	Active
	Phone:	555-123-4567

If Sarah’s phone number changes to 555-987-6543, I can simply tell FIM something like:

	ID:	12345
	Type Of Change:	Update
	Phone:	555-987-6543

This has the advantage of giving FIM less work to do to determine what has changed on the records being imported and greatly speeds up delta imports.

A Multi-valued Level Attribute Update supports adding and deleting specific values from a multi-valued attribute

Let’s take another look at Sara’s record:

	ID:	12345
	Name:	Sarah
	Status:	Active
	Phone:	555-123-4567
	Phone:	555-456-7890

Now, Sarah has two Phone numbers, or a single attribute with multiple values. With multi-value level attribute update support, we can do things like add a new phone number to the list, delete a phone number from the list or update a phone number (in essence by doing an add of the new value and then a delete of the old one):

	ID:	12345
	Type Of Change:	Add
	Phone:	555-987-6543

Without this support, the source system would be required to do a “replace” action and provide FIM with all of the current values at the time of import which FIM will use to override all the values that it has for that attribute. So if we start with Sarah’s record as listed just above and add the phone number 555-987-6543 and remove the phone number 555-123-4567, we would have to pass:

	ID:	12345
	Type Of Change:	Replace
	Phone:	555-987-6543
	Phone:	555-4567-7890

As with attribute level updates, multi-valued level attribute update can greatly reduce the amount of work that FIM needs to accomplish. To illustrate, just imagine applying this scenario to attributes like member on an AD group that can have thousands of values.

Using a multi-valued attribute in a delimited or fixed-width file requires the use of a header on the import file

So for a comma delimited file this would look like:
ID, NAME, PHONE, PHONE, PHONE
12345, Sarah, 555-123-4567, 555-987-6543, 555-456-7890

This would import a record for Sarah with three attributes - ID, NAME and PHONE, the last of which will have three values. A fixed width file would work the same way.
While the DSML specifications themselves can actually handle attribute level updates using the addRequest, delRequest and modifyRequest operations, FIM only implements the ability to import a SearchResultEntry element which must contain all of the attributes on the object

Just a side note for those that might be curious, you can actually place the addRequest, delRequest and modifyRequest nodes in the DSML file. FIM will be able to parse the file and it wont cause any errors, however these elements are completely ignored and aren’t processed by FIM. I also tried sending a DSML delta to FIM with just the attribute that changed and a change type of “modify”, and I suppose not surprisingly, the object in the connector space was updated so that it only had the one attribute I specified, all the other attributes originally on the object were removed. Had any of these attributes been defined as required, this update would have failed.
While you can import an update to a specific value in a multi-valued attribute, if you were to export this same change to an LDIF file, it will come through as a replace operation containing all values now present on the attribute
While the SQL MA does not support updates to a specific value on a multi-valued attribute out of the box, I hear rumor that some customizations can be done to make this happen

Small Bug Found in MIIS/ILM/FIM Identity Manager UI….

2011-04-22T16:22:00.001-07:00

Okay, so it’s so small its hardly worth mentioning. However, if you happen to run into the error “no-start-file-open” when running an import/export step or see the following message when trying to browse to your files while configuring the import step, you may be a victim of this issue.

The problem occurs when you have given your MA a name that ends in one or more periods (“.”). While this is considered legal by the Identity Manager UI (FYI - Identity Manager will not allow periods at the beginning of the MA Name), the periods will get stripped off of the MaData folder automatically by Windows. In my test case I named my MA “ma ,, test – with __special ,, characters – ..”, a bit excessive I know, but hey, I was testing. However, my MaData folder actually turned out like:

You can see why ILM could then have a problem finding the files specified in the run profile since its using the MA Name to determine the file path (i.e. its looking for it in D:\Program Files\Microsoft Identity Integration Server\MAData\ma ,, test – with __special ,, characters – ..\). Further proof that this is the case can be found in the Event Viewer:

The fix? Simply open the MA properties in Identity Manager, remove any periods from the end of the MA name and it should begin working as expected.

Using Maexport To Import a Management Agent

2011-04-21T20:31:00.000-07:00

Ever happen to see this little tidbit in the documentation for Identity Manager:

You can find it under the heading Import a Management Agent from a File, and well, don’t believe it for a second! Its currently not possible to import a Management Agent into Identity Manager using a command line tool. For now, you will have to continue to use the UI.

XPath in FIM Sets

2010-04-11T12:25:00.001-07:00

Recently, while working with Brad on a FIM implementation, he told me about some issues he was having with the restrictions placed on the XPath used when building a new Set. Specifically, he wanted to be able to find people that were missing a specific attribute. This was a little tricky, but I finally came up with a solution for strings and another one for dates:

/Person[not(starts-with(<AttributeNameOfTypeString>, ''))]

/Person[not(<AttributeNameOfTypeDateTime> > '1900-01-01T00:00:00Z')]

So, if you wanted to find everyone who was missing an AD Distinguished Name (ADDN) you would use the following filter to define the Set:

/Person[not(starts-with(ADDN, ''))]

And if you wanted all of the Person objects missing a Termination Date (EmployeeEndDate):

/Person[not(EmployeeEndDate > '1900-01-01T00:00:00Z')]

These examples are specific for the Person resource object, but this same logic could be used for any resource type in the FIM Portal.

UPDATE: In certain instances, the above XPath will actually return more items than you would expect. Check out David’s blog post to find out why and what really works.

The Missing ILM Extension

2009-11-16T09:21:00.000-08:00

While recently browsing the Microsoft.Metadirectory services namespace for ILM I discovered a new extension that I had not seen before. In addition to the 6 that I was familiar with:

IMAExtensibleCallExport
IMAExtensibleFileExport
IMAExtensibleFileImport
IMAPasswordManagement
IMASynchronization
IMVSynchronization

There was a 7th that I had never hear of, the IMACalloutExtension. Curious, I began to investigate. The Extension implements the following methods:

public void BeginExportToCd(string connectTo, string user, string domain, string password)
{
}

public void EndExportToCd()
{
}

public void BeforeExportEntryToCd(string deltaEntryXml, string[] changedAttributes)
{
}

public void AfterExportEntryToCd(byte[] origAnchor, string origDN, string origDeltaEntryXml, byte[] newAnchor, string newDN, string failedDeltaEntryXml, string errorMessage)
{
}

The only documentation that I could find was within the interface definition itself. It appears that this extension was to be implemented using a new Management Agent of type "Callout" (or something similar) and gives the developer the ability to take action both before and after each entry export action, which could be extremely helpful. I haven't been able to find a roadmap for this feature, but it appears to be something we can look forward to in the future!

.NET Google SSO Part 2 of 2

2009-07-30T12:08:00.000-07:00

This is the second in a series of articles discussing the implementation of an SSO application for Google Apps. The first .NET Google SSO Part 1 of 2 began the discussion by laying out the steps needed to handle the initial Authentication Request made by Google. This final piece will complete the package by illustrating the generation of the Authentication Response.

Google will expect the Authentication Response to come back as a form posted to the AssertionConsumerServiceURL provided by Google in the inital request. The form needs to have at least two elements on it, a <textarea> named SAMLResponse and an <input> named RelayState. The RelayState element is the url to redirect the user to at Google once the response has been sent. This is usually the same as the RelayState that Google provided to you via the RelayState url parameter.

Building the SAMLResponse is a little bit more involved. The SAMLResponse will contain the xml body of the AuthnResponse, which has the following format:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response ID="RESPONSE_ID" IssueInstant="ISSUE_INSTANT" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>DIGEST_VALUE</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>SIGNATURE_VALUE</SignatureValue>
        <KeyInfo>
            <KeyValue>
                <RSAKeyValue>
                    <Modulus>RSA_KEY_MODULUS</Modulus>
                    <Exponent>RSA_KEY_EXPONENT</Exponent>
                </RSAKeyValue>
            </KeyValue>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="ASSERTION_ID" IssueInstant="ISSUE_INSTANT" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://www.opensaml.org/IDP</Issuer>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">
                USERNAME_STRING
            </NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData Recipient="ACS_URL" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="NOT_BEFORE" NotOnOrAfter="NOT_ON_OR_AFTER">
        </Conditions>
        <AuthnStatement AuthnInstant="AUTHN_INSTANT">
            <AuthnContext>
                <AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                </AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

Where the items in red will need to be replaced with actual values before sending the response to Google. Here are some specs for those items:

Attribute	Description	Examples
ASSERTION_ID	A 160-bit string made up of randomly generated lower case alpha characters from a through p	dfpccklacbmnmioodokleambcplpmfghahihdmna
ISSUE_INSTANT	Should be the current date and time in the format: yyyy-mm-ddThh:mm:ssZ	2000-01-01T23:01:01Z 2008-10-02T05:55:23Z
AUTHN_INSTANT	Should be the current date and time in the format: yyyy-mm-ddThh:mm:ssZ	2000-01-01T23:01:01Z 2008-10-02T05:55:23Z
NOT_BEFORE	This defines the beginning timeframe for which the authentication is valid. Should be the current date and time in the format: yyyy-mm-ddThh:mm:ssZ	2000-01-01T23:01:01Z 2008-10-02T05:55:23Z
NOT_ON_OR_AFTER	This defines the ending timeframe for which the authentication is valid. Should be the current date and time in the format: yyyy-mm-ddThh:mm:ssZ	2000-01-01T23:01:01Z 2008-10-02T05:55:23Z
ACS_URL	The URL to send the authentication result	https://www.google.com/a/yourCompany.com/acs
USERNAME_STRING	The username of the person validated	jsmith jon.smith
DIGEST_VALUE	The value of the digest of the Reference URI calculated using the algorithm listed in the DigestMethod	Qo9gKjwBgNtt6P07aIZmIPXP+uQ=
SIGNATURE_VALUE	The value of the digest of the SignedInfo Element calculated using the algorithm listed in the SignatureMethod	55khyrdDp0SgPmlu5dH49CAfASW2psDLhgjaB+Yl06pfxLJWnIctb7pX0K3k/vhNU8sUMY6Ps582CS6+YUPJps45U0i VDK/+PPZvFREOwDR54XSzXAPd7GZyk+jBdQZv6D/g5IgccIGiw3Zi9Qpfe64iewSFoRukvVUD0yGOfszA=
RSA_KEY_MODULUS	For use in the RSA encryption algorithm	K88ntfSyp1JU9Nu1KJwk+KKOuunT9G1RLwJXm6WrDb2klVGXLNKcP72lu5AlyGgYoZXO2bY2d610LE7kGol3Hu PKfOMLoKqO/m1etjBBhQnuc2aVL1vJjQiLV/KsCsgwocNIoGOF01ndlgJiazFUFf6IwFltNg/A1pz9I05kkj0=
RSA_KEY_EXPONENT	For use in the RSA encryption algorithm	AQAB

Here are the basic steps we need to take to create the AuthnResponse:

Authenticate the user
Generate an xmlDocument object using the AuthnResponse Template
Fill in the AuthnResponse parameters
Create a new signedXml object based on the xmlDocument
Submit an html form with the InnerXml of the signedXml object and the RelayState

If we continue with the project created using the first blog post, we currently have one item on our form, a label called lblError. You will need to add two text boxes, txtUser and txtPwd to allow the user to enter their credentials and a button, btnSubmit. Format the form to your liking, and then add some code to authenticate the user, this can be done against a directory, a database, etc. This example will authenticate a user against ADAM.

// Class level vars
string googleUserName = "";

///<summary>
/// Authenticate user and return the result
///</summary>
protected bool AuthenticateUser()
{
    // User parameters from the form
    bool authenticated = false;

    // User parameters from the form
    string user = Request.Params["txtUser"];
    string password = Request.Params["txtPwd"];

    // Variables
    SearchResult srPerson = null;
    DirectorySearcher dSearch = null;
    DirectoryEntry de = null;
    DirectoryEntry deAdmin = null;
    string dn = "";

    // Clear out our class level variable, googleUserName
    googleUserName = "";

    try
    {
        if (!string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(password))
        {
            // All required params were not entered, throw an error
            // could also use some field validators to avoid this
            throw new Exception("Logon failure: unknown user name or bad password");
        }

        // Get the users dn based on the user name used the form, so
        // that we can use it later with our bind test
        dSearch = new DirectorySearcher();
        dSearch.SearchScope = SearchScope.Subtree;
        dSearch.PropertiesToLoad.Add("distinguishedName");
        dSearch.SearchRoot = new DirectoryEntry("LDAP://YourServer:389/C=YourRootPath", "AdamAdminUser", "AdamAdminPswd",
AuthenticationTypes.Secure | AuthenticationTypes.ServerBind);
        dSearch.Filter = "(userName=" + user + ")";
        srPerson = dSearch.FindOne();
        dn = srPerson == null ? null : srPerson.Properties["distinguishedName"][0].ToString();

        if (!string.IsNullOrEmpty(dn))
        {
            // Get the directory entry, using the users credentials to bind
            de = new DirectoryEntry("LDAP://YourServer:389/C=YourRootPath", dn, password,
AuthenticationTypes.ServerBind | AuthenticationTypes.FastBind);

            // Get the native object to force authentication, an error will be throw here
            // if the wrong credentials were given, this will be captured below and the user will be notified
            object bind = de.NativeObject;

            // They have authenticated okay, we are now assuming that their google user name
            // is different than their ADAM login name, we need to get it for use later
            // we cant use the above object to get the data because we had to issue our connection
            // using the fast bind option, get a new handle on the object using
            // admin credentials and the secure auth type
            deAdmin = new DirectoryEntry("LDAP://YourServer:389/" + dn, "AdamAdminUser", "AdamAdminPswd",
AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);
            deAdmin.RefreshCache(new string[] { "googleUserName" });

            // If googleUserName is an email address, we just want what comes before the @ symbol
            googleUserName = deAdmin.Properties.Contains("googleUserName") ?
deAdmin.Properties["googleUserName"][0].ToString() : "";
            googleUserName = googleUserName.IndexOf("@") > 0 ?
googleUserName.Substring(0, googleUserName.IndexOf("@")) : googleUserName;

            // We didn't get what we expected throw an error
            if (googleUserName == "")
            {
                throw new Exception("Logon failure: unable to retrieve your Google username");
            }
            else
            {
                authenticated = true;
            }
        }
        else
        {
            // We cant continue without a dn
            throw new Exception("Logon failure: unknown user name or bad password");
        }

    }
    catch(Exception ex)
    {
        // Let user know there was a problem
        lblError.Text = ex.Message;
    }
    finally
    {
        // Clean up
        if (dSearch!= null)
        {
            dSearch.Dispose();
        }

        if (de != null)
        {
            de.Dispose();
        }

        if (deAdmin != null)
        {
            deAdmin.Dispose();
        }
    }
}

Now that our user is authenticated and we have their Google UserName, the next step is to generate an xmlDocument object using the AuthnResponse template. The template that we need is similar to the AuthnResponse shown above, with one very important difference; we don't want the <Signature> element or its children. We will be adding this using the signedXml object later. Create an xml file named AuthnResponseTemplate in your project directory. Copy in the AuthnResponse xml below and save the document.

We will now add code to consume this new file and replace the elements in red with proper values:

///<summary>
/// Create our xml SAML Response base on the template
///</summary>
private string CreateSamlResponse()
{
    // Grab our response template
    string filepath = Request.PhysicalApplicationPath + ("AuthnResponseTemplate.xml");
    XmlDocument doc = new XmlDocument();
    doc.PreserveWhitespace = true;
    doc.Load(filepath);
    string samlResponse = doc.InnerXml;

    // Get our IDs and make sure that they arent the same (timing)
    string responseID = CreateID();
    string assertionID = CreateID();

    while (responseID == assertionID)
    {
        assertionID = CreateID();
    }

    // Fill out out our template
    samlResponse = samlResponse.Replace("USERNAME_STRING", googleUserName);
    samlResponse = samlResponse.Replace("RESPONSE_ID", responseID);
    samlResponse = samlResponse.Replace("ISSUE_INSTANT", GetDateAndTime(0, 0));
    samlResponse = samlResponse.Replace("AUTHN_INSTANT", GetDateAndTime(0, 1));
    samlResponse = samlResponse.Replace("NOT_BEFORE", GetRequestAttributes(requestXmlString, "IssueInstant"));
    samlResponse = samlResponse.Replace("NOT_ON_OR_AFTER", GetDateAndTime(1, 0););
    samlResponse = samlResponse.Replace("ASSERTION_ID", assertionID);
    samlResponse = samlResponse.Replace("ACS_URL", GetRequestAttributes(requestXmlString, "AssertionConsumerServiceURL"));

    return samlResponse;
}

///<summary>
/// Generate a random set of alpha characters
/// appropriate for our SAML IDs
///</summary>
public static string CreateID()
{
    Random random = new Random();
    char[] charMapping = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p'};
    byte[] bytes = new byte[20]; // 160 bits
    random.NextBytes(bytes);

    char[] chars = new char[40];

    for (int i = 0; i < bytes.Length; i++)
    {
        int left = (bytes[i] >> 4) & 0x0f;
        int right = bytes[i] & 0x0f;
        chars[i * 2] = charMapping[left];
        chars[i * 2 + 1] = charMapping[right];
    }

    string id = new string(chars);

    return id;
}

///<summary>
/// Create a datetime string in the appropriate SAML format
///</summary>
public static string GetDateAndTime(int days, int minutes)
{
    DateTime dt = DateTime.Now;

    if (days > 0)
    {
        dt = dt.AddDays(days);
    }

    if (minutes > 0)
    {
        dt = dt.AddMinutes(minutes);
    }

    return dt.ToString("yyyy-MM-dd") + 'T' + dt.ToString("HH:mm:ss") + 'Z';
}

///<summary>
/// Get the specified attribute value from the SAMLRequest
///</summary>
private string GetRequestAttributes(string xmlString, string attribute)
{
    XmlDocument doc = new XmlDocument();
    doc.LoadXml(xmlString);

    if (doc != null)
    {
        return doc.DocumentElement.GetAttribute(attribute).ToString();
    }
    else
    {
        throw new Exception("Error parsing AuthnRequest XML: Null document");
    }
}

Next, we will be adding the xml signature. Be sure to update the file path to the x509 cert used for signing the xml. This certificate must contain the private key:

///<summary>
/// Sign the AuthnResponse xml adding the Signature element
///</summary>
private string SignResponse(string xmlDocString)
{
    // Get our pfx cert w/private and public keys
    // we have the document on the file system, but you could also
    // get it from the certificate store
    // this is the same cert (with public keys only) that was provided
    // to Google during the SSO set-up
    X509Certificate2 x509 = new X509Certificate2();
    x509.Import("C:\FilePathToGoogleCert\Cert.pfx");

    // Create a new RSA signing key
    RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider();
    rsaKey = (RSACryptoServiceProvider) x509.PrivateKey;

    // Load our xml into a doc
    XmlDocument doc = new XmlDocument();
    doc.PreserveWhitespace = true;
    doc.LoadXml(xmlDocString);

    // Sign the XML document.
    // Create a SignedXml object.
    SignedXml signedXml = new SignedXml(doc);

    // Add the key to the SignedXml document.
    signedXml.SigningKey = rsaKey;

    // Add KeyInfo
    KeyInfo keyInfo = new KeyInfo();
    keyInfo.AddClause(new RSAKeyValue(rsaKey));
    signedXml.KeyInfo = keyInfo;

    // Create a reference to be signed.
    Reference reference = new Reference();
    reference.Uri = "";

    // Add an enveloped transformation to the reference.
    XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
    reference.AddTransform(env);

    // Add the reference to the SignedXml object.
    signedXml.AddReference(reference);

    // Compute the signature.
    signedXml.ComputeSignature();

    // Get the XML representation of the signature and save
    // it to an XmlElement object.
    XmlElement xmlDigitalSignature = signedXml.GetXml();

    // Append the element to the XML document.
    doc.DocumentElement.InsertBefore(doc.ImportNode(xmlDigitalSignature, true), doc.DocumentElement.FirstChild);

    return doc.InnerXml.Trim();
}

Finally, we will bring it all together in the submit button on_click event handler and generate the html form with the SAMLResponse and RelayState and send it on to Google:

///<summary>
/// Handle the submit button click event, authenticate the user,
/// then create the response and submit it to Google
///</summary>
protected void btnSubmit_Click(object sender, System.EventArgs e)
{
    // Authenticate user
    if (AuthenticateUser())
    {
        // Get our SAMLResponse and sign it
        string samlResponse = CreateSamlResponse();
        string signedResponse = SignResponse(samlResponse);

        string formName = "authnResponse";
        string acsUrl = GetRequestAttributes(requestXmlString, "AssertionConsumerServiceURL");

        // Write the http response in such a way that the html document
        // will submit a form with our data on it to the requestor
        System.Web.HttpContext.Current.Response.Clear();
        System.Web.HttpContext.Current.Response.Write("<html><head/>");
        System.Web.HttpContext.Current.Response.Write(string.Format("<body onload='document.{0}.submit()'>",
formName));
        System.Web.HttpContext.Current.Response.Write(string.Format("<form name='{0}' method='post' action='{1}'>",
formName, acsUrl));
        System.Web.HttpContext.Current.Response.Write(string.Format("<textarea name=\"{0}\" style='visibility:hidden'>{1}</textarea>",
"SAMLResponse", signedResponse));
        System.Web.HttpContext.Current.Response.Write(string.Format("<input name=\"{0}\" type=\"hidden\" value=\"{1}\">",
"RelayState", Request.Params["RelayState"]));
        System.Web.HttpContext.Current.Response.Write("</form>");
        System.Web.HttpContext.Current.Response.Write("</body></html>");
        System.Web.HttpContext.Current.Response.End();
    }
}

That should do it! The user will then be allowed into their Google account.

Invalid provider type specified

2009-06-18T11:03:00.001-07:00

I recently had the need to encrypt some items in an application configuration file to secure some account passwords that were being stored there. After consulting with Brad Turner, we decided to use an x509 certificate to provide the public and private keys needed for RSA encryption. He requested one from our local certificate authority for this purpose and placed it in the machine store. I was able to easily retrieve the cert and encrypt the data, however, I ran into some issues attempting to use it for decryption. While trying to do an explicit conversion from the x509Certificate2.PrivateKey property to an RSACryptoServiceProvider object:

RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)x509.PrivateKey;

I received an "Invalid provider type specified" error. I was unable to find anything related to this specific problem online, however, we were able to surmize that the error was refering to the cryptographic provider type used to create the certificate. Based on some previous experience, Brad knew that the new v3 template for certificates on Windows 2008 server can cause some issues for older technologies. After creating a new certificate using an older template (v2), this error was no longer an issue. This may be fixed with the 4.0 Framework, but be aware, if you are using 3.5 or older, you may run into this problem.

Cannot connect to MMS WMI Service

2009-04-19T16:31:00.001-07:00

Having trouble with the WMI service for MIIS/ILM? Try running the following commands at a command prompt:

regsvr32 "C:\Program Files\Microsoft Identity Integration Server\Bin\mmswmi.dll"
mofcomp -N:root\MicrosoftIdentityIntegrationServer "C:\Program Files\Microsoft Identity Integration Server\Bin\mmswmi.mof"

This will re-register the libraries with the OS. Give the WMI call another try, if you continue to have problems with an Access Denied error…

Open the Component Services Console in the Administrative Tools Folder.
Navigate to Console Root, Computers, My Computer, DCOM Config and then Microsoft Metadirectory Services.
Right click on the application entry and select Properties.
Go to the security tab and alter any security necessary.
Click OK on the Application Properties page and close out the Component Services and Computer Management Consoles.

A Small MIIStake

2009-04-05T13:54:00.001-07:00

Okay, so to be fair the issue is actually with ILM (Version 3.3.118.0). In the previous version, MIIS 3.2.559.0, I would frequently run MAs from the Operations tab, like so... From the Operations tab, right click on the MA run of interest, and select the Run… option:

The resulting Run Management Agent window would then pre-populate the Management agent drop-down box and the Run profile list box with the same values as the original operation selected. Simply click OK and the selected run would be restarted (which makes it really easy to re-run a particular profile):

Now if you attempt to do follow this same procedure in ILM…

The drop down menu is not automatically set to the MA selected. If you are used to being able to simply click the OK button from this dialog, you may inadvertently run the wrong MA. In fact you can see where I ran an ADAM MA by accident in the middle of the test MA series of runs:

So the bad news, for those of you using the current version of ILM, get use to using the drop-down menu to select the MA you want to run. The good news… this is a planned fix in a future hotfix! Not sure which one, or when. Anyone out there know?

.NET Google SSO Part 1 of 2

2009-03-27T20:56:00.001-07:00

Creating an SSO for Google can be a bit of a challenge. There are quite a few good examples for doing this in Java, but not as many for .NET. Here is my attempt to resolve that issue. This article will be broken up into two parts, the first of these is handling the authentication request from Google, the second of these will illustrate the response generation.

Let's start by getting a good overview of the design. The entire process will begin when the end-user tries to access their Google Account. If the Google Apps service has been configured to use SSO, Google will generate an Authentication Request and send it on for you to handle in your SSO. It is then up to you to perform user authentication and generate a signed Authentication Response to send back to Google.

Okay, now the details. When you receive an AuthenticationRequest from Google, it will make an http request to the URL you have specified in your Google Apps account with two additional query string parameters: SAMLRequest and RelayState. The SAMLRequest will look like a series of random letters and numbers that is in actuality a base64 encoded string containing the AuthnRequest. RelayState is the RFC 1783 encoded URL that the user is ultimately trying to get to, in this case probably their Google email account. So this would look something like:

http://www.yourCompany.com/pathToPage/yourSSOPage.aspx?SAMLRequest=eJxdkN1uwjAMRl8lyn1%2f6NCEIgpim7YhsQlB2cXuQuK2KW2cxSni8Sk%2fk6bd2v7s4zOdn7qWHcGTQZvzUZxyBlahNrbK%2ba54jSZ8PpuS7FonFn2o7QZ%2beqDAhpwlcW3kvPdWoCRDwsoOSAQltouPlcjiVDiPARW2nC1fcl6rpqnLWtkDqIPU7tA4BftS1pVrGq1LpVF1pQbOvn6hsgvUkqiHpaUgbRhKaTqJRmmUTYrRo3jIxHj8zdn6funJ2Bv%2fP6z4L9b%2bNkTivSjW0Qa08aDCdcnRaPCfQyLnFWLVQqyw42xBBD4MSM9oqe%2fAb8EfjYLdZjX8FYITSdKikm2NFJK3a7IYVCUXb3dtsSR34iyZnQGwVYL1&RelayState=http%3a%2f%2fmail.google.com%2fa%2fyourCompany.com

Before we go much further, let's talk about the AuthnRequest. The AuthnRequest is an XML document that has the following format:

<?xml version="1.0" encoding="UTF-8" ?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="AUTHN_ID"
    Version="2.0"
    IssueInstant="ISSUE_INSTANT"
    ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect"
    ProviderName="PROVIDER_NAME"
    AssertionConsumerServiceURL="ACS_URL" />

Where the items in red will be replace with actual values by Google at the time of generation. Here are some specs for those items:

Attribute	Description	Examples
AUTHN_ID	A 160-bit string made up of randomly generated lower case alpha characters from a through p	dfpccklacbmnmioodokleambcplpmfghahihdmna
ISSUE_INSTANT	Should be the current date and time in the format: yyyy-mm-ddThh:mm:ssZ	2000-01-01T23:01:01Z 2008-10-02T05:55:23Z
PROVIDER_NAME	This is the domain name of the calling application	google.com
ACS_URL	The URL to send the authentication result to	https://www.google.com/a/yourCompany.com/acs

Your first task will be determining the values of the two query parameters mentioned above and decoding them. In order to perform some of the decoding you will need to use a compression utility, I use a nice open source one available from ic#code at http://www.icsharpcode.net/OpenSource/SharpZipLib/.

So let's begin! Start a new web project and then make sure you add the following references: ICSharpCode.SharpZipLib and System.Security. Edit the default.aspx page, adding the following using statements…

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using System.Xml;
using System.Text;
using System.IO;
using ICSharpCode.SharpZipLib.Zip;
using ICSharpCode.SharpZipLib.Zip.Compression;
using ICSharpCode.SharpZipLib.Zip.Compression.Streams;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.DirectoryServices;
using System.Security.Permissions;
using System.Security.Cryptography.X509Certificates;

Next, are the basic steps we need to take to decode the AuthnRequest:

Retrieve data from the query string
Decode the base64 string to a byte array
Decompress (inflate) the array
UTF8 Encode the array back into a string

So here's what the code looks like to do all of that, however, you will first need to add a label to your form called lblError to communicate any issues back to the user:

///<summary>
/// Converts the SAMLRequest query string parameter back to
/// its native, user readable XML format
///</summary>
private string decodeAuthnRequestXML()
{
    try
    {
        // Get the SAMLRequest parameter
        string encodedRequestXmlString = Request.Params["SAMLRequest"];

        if (encodedRequestXmlString != null && encodedRequestXmlString != "")
        {
            // Base64 decode it
            byte[] base64DecodedByteArray = Convert.FromBase64String(encodedRequestXmlString);

            // Uncompress the AuthnRequest data
            // First attempt to unzip the byte array according
            // to DEFLATE (rfc 1951)
            try
            {

                Inflater inflater = new Inflater(true);
                inflater.SetInput(base64DecodedByteArray);

                // since we are decompressing, we dont
                // know how much space we might need
                // hopefully this number is suitably big
                byte[] xmlMessageBytes = new byte[2048];
                int resultLength = inflater.Inflate(xmlMessageBytes);

                if (!inflater.IsFinished)
                {
                    lblError.Text = "Error decoding AuthnRequest: " +
                        "Decompression data overflow";
                    return null;
                }

                // UTF8 encode the result and return it
                UTF8Encoding utf8 = new UTF8Encoding();
                return utf8.GetString(xmlMessageBytes, 0, resultLength);

            }
            catch (Exception e)
            {

                // if DEFLATE fails, then attempt to unzip
                // the byte array according to zlib (rfc 1950)
                MemoryStream msIn = new MemoryStream(base64DecodedByteArray);
                MemoryStream msOut = new MemoryStream();
                InflaterInputStream iis = new InflaterInputStream(msIn);
                byte[] buf = new byte[2048];
                int count = iis.Read(buf, 0, buf.Length);
                while (count != 0)
                {
                    msOut.Write(buf, 0, count);
                    count = iis.Read(buf, 0, buf.Length);
                }

                iis.Close();
                byte[] retVal = new byte[msOut.Length];
                msOut.Position = 0;
                msOut.Read(retVal, 0, (int) msOut.Length);

                // UTF8 encode the result and return it
                return utf8.GetString(retVal);

            }
        }
        else
        {
                lblError.Text = "Error decoding AuthnRequest: " +
                        "Unable to read SAMLRequest";
                return null;
        }
    }
    catch (Exception e)
    {
        throw new Exception("Error decoding AuthnRequest: " +
                    "Check decoding scheme - " + e.Message);
    }
}

This code can be called from the Page_Load method to validate the request before prompting the user for their credentials. Be sure to check the Page.IsPostBack property to only call decodeAuthnRequestXML function on the initial page load.

// Class level vars
string requestXmlString = null;

///<summary>
/// Handles the page onload event
/// Begins Authentication Request decoding
///</summary>
private void Page_Load()
{
    if (!IsPostBack)
    {
        // Validate initially to force asterisks
        // to appear before the first roundtrip.
        requestXmlString = decodeAuthnRequestXML();
    }
}

The string you get back from the decodeAuthnRequestXML function should be user readable XML with the AuthnRequest format mentioned above. It should look something like:

<?xml version="1.0" encoding="UTF-8" ?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="hcjjhfhcnkeckadpkjpcebfahgpjjddfcdocmfde"
    Version="2.0"
    IssueInstant="2009-03-26T16:32:44Z"
    ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect"
    ProviderName="google.com"
    AssertionConsumerServiceURL="https://www.google.com/a/yourcompany.com/acs" />

Once you have that, you can parse the XMLDocument and begin building your response. Look for Part 2 of the SSO series to demonstrate the building of the AuthnResponse.

Anyone know where I can find a good Locksmith?

2009-01-25T09:21:00.000-08:00

I recently had the need to develop a WebPart for a client that needed to be able to "unlock" a site collection. For any of you that have tried this from within a WebPart running on the SharePoint platform, you know there are quite a few issues that can come up.

There are four different types of locks that can be set, here is a quick mapping of how those locks match up with the SPSite locking properties:

Not locked / none site.writeLocked = false
site.readOnly = false
site.readLocked = false
Adding content prevented / noadditions site.writeLocked = true
site.readOnly = false
site.readLocked = false
Read-only / readonly site.writeLocked = false
site.readOnly = true
site.readLocked = false
No access / noaccess site.writeLocked = false
site.readOnly = false
site.readLocked = true

Additionally, when a site is locked using any one of the lock options, the site.LockIssue is used to describe the reason for the lock. If the site was locked using the Central Administraion console, the Additional lock information (LockIssue) field is required when locking the site. However, this parameter is not set when locking a site using the command line interface stsadm.

Here are just a few of the error messages I ran into while trying to set the lock options outright in my WebPart:

Updates are currently disallowed on GET requests. To allow updates on a GET, set the 'AllowUnsafeUpdates' property on SPWeb.
The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.
Access to this Web site has been blocked.
Attempted to perform an unauthorized operation.
Access denied.

With the exception of the first error, the remainder of the messages all center around permissions and access. With that in mind, I went about trying to build some solutions using the typical SharePoint methods to elevate the privileges of the code being executed. The first of these is the SPSecurity.RunWithElevatedPrivileges. With impersonation turned on in our web.config file, the code is running under the context of the SharePoint user. This method appears to elevate the code to run under the service account on the application pool.

SPSecurity.RunWithElevatedPrivileges(delegate()
{
   using (SPSite site = new SPSite(siteUrl))
   {
      site.AllowUnsafeUpdates = true;
      site.ReadLocked = false;
      site.ReadOnly = false;
      site.WriteLocked = false;
      site.LockIssue = "";
   }
});

Next, with no more luck, I tried to initialize a instance of the site class running under the context of my administration account.

using (SPSite site = new SPSite(siteUrl, SPContext.Current.Web.AllUsers["domain\\adminUsername"].UserToken))
{
   site.AllowUnsafeUpdates = true;
   site.ReadLocked = false;
   site.ReadOnly = false;
   site.WriteLocked = false;
   site.LockIssue = "";
}

After a little bit more investigating, I discovered that in order to perform the unlock procedures that I needed, full blown code impersonation was needed. With a little bit of additional code, I had the access that I needed.

//get global admin access to perform the work
ImpersonateValidUser("domain", "adminUsername", "password");
 
using (SPSite site = new SPSite(siteUrl))
{
   site.WebApplication.FormDigestSettings.Enabled = false;
   site.AllowUnsafeUpdates = true;
   site.ReadLocked = false;
   site.ReadOnly = false;
   site.WriteLocked = false;
   site.LockIssue = "";
}
 
UndoImpersonation();

The code to implement the ImpersonateValidUser and UndoImpersonation functions can be found here: http://www.codeproject.com/KB/cs/zetaimpersonator.aspx, a wonderful bit of code from Uwe Keim.

By adding the line site.WebApplication.FormDigestSettings.Enabled = false to the code, we are able circumvent error #2. All of the remaining errors should be taken care of by our code impersonation. However, be warned that if the site has either readOnly or readLocked set to true, you will still have issues accessing values of various site properties. You will need to unlock the site to get the values that you need. If desired, you can then set the locks back to their previous state (assuming you have saved the state somewhere). And yes, you will even run into errors simply trying to save off this state for later use. The specific type of error that gets thrown will tell you everything you need to know about which of the three locks has been set.

When implementing the code, be sure that it is not executing when the page initially loads, otherwise you will run into error #1. Rather run the code during a page post back (i.e. in an event handler to manage the WebPart form submittal).

Site Navigator Released

2008-12-11T09:26:00.000-08:00

Ensynch has just released a new SharePoint WebPart that will display a tree view of all of the sites in your SharePoint environment. Props to Joe Zamora and Jerry Camel for all of their development efforts, designing and creating this WebPart.

There are two versions of the Site Navigator, the Lite Version and the Professional Version. The Lite Version, is available at no cost and will allow you to select a starting point for the tree and additionally will allow you to "trim the tree" based on user permissions. The Professional version, which is available for a small fee, adds some additional functionality to set the automatic expansion depth, show site collections only, and adds an option to select which web applications to show instead of setting a URL starting point.

If you are interested in either the Lite or Pro version, simply drop a line to SharePointSolutions@Ensynch.com and we will get you hooked up. And in case you just want to know how we did it, here are some of the details, with a few minor changes to simplify the illustration...

After you create a Class Library project, make sure you add a reference to the Microsoft.SharePoint namespace and have all of the following using commands:

using System;
using System.Collections;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Serialization;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;
using Microsoft.SharePoint.WebPartPages;
using Microsoft.SharePoint.Administration;

Also, you will need to add two classes to your .cs file. One of these classes will be used to build and render the WebPart Tree and the other will be implementing the EditorPart class to build the property modification pane. There are a couple of methods that must be implemented in both classes:

public class SPSiteCollectionNav : System.Web.UI.WebControls.WebParts.WebPart, IWebEditable
{

public SPSiteCollectionNav()
{

}

//
//IWebEditable Members
//
EditorPartCollection IWebEditable.CreateEditorParts()
{

List editors = new List();
return new EditorPartCollection(editors);

}

object IWebEditable.WebBrowsableObject
{

get { return this; }

}

//
//WebPart override methods
//
protected override void CreateChildControls()
{

base.CreateChildControls();
this.ChildControlsCreated = true;

}

protected override void Render(HtmlTextWriter writer)
{

RenderChildren(writer);

}

}

public class TreeViewEditor : EditorPart, ICallbackEventHandler
{

public TreeViewEditor()
{

}

//
//EditorPart override methods
//
protected override void CreateChildControls()
{

}

public override bool ApplyChanges()
{

EnsureChildControls();

return true;

}

public override void SyncChanges()
{

EnsureChildControls();

}

//
//ICallbackEventHandler Members
//
private string _argument = string.Empty;

public void RaiseCallbackEvent(string eventArgument)
{

//store the argument in a local variable so we can use it in the "GetCallbackResult" method
//later on if necessary.
_argument = eventArgument;

}

public string GetCallbackResult()
{

return string.Empty;

}

}

We are going to discuss building the SPSiteCollectionNav class first. Now that we have implemented all of the necessary functions, we can begin customizing our code. We are going to use the CreateChildControls() method to initiate the creation our tree and add it to the WebPart Controls Collection. We are also going to add a new property that we can set with our EditorPart to dynamically change properties of our tree display. Here is enough to get you started.

private TreeView tree;

public SPSiteCollectionNav()
{
tree = new TreeView();
}

//lets add a property to turn on and off a create date tag
//appended to the tree node text, for EditorPart demonstration
private bool showCreateDate;

[WebBrowsable(false), Personalizable(PersonalizationScope.Shared)]
public bool ShowCreateDate
{
get { return showCreateDate; }
set { showCreateDate = value; }
}

EditorPartCollection IWebEditable.CreateEditorParts()
{
List editors = new List();

//add our EditorPart to the editors collection
TreeViewEditor editor = new TreeViewEditor();
editors.Add(editor);

return new EditorPartCollection(editors);
}

protected override void CreateChildControls()
{

base.CreateChildControls();
Controls.Clear();

//Elevate our privs so that we can get access to the Server Farm
SPSecurity.CodeToRunElevated myCodeToRun = new SPSecurity.CodeToRunElevated(PopulateTreeControl);
SPSecurity.RunWithElevatedPrivileges(myCodeToRun);

//Create the tree and add it to the page
Controls.Add(tree);

this.ChildControlsCreated = true;

}

private void PopulateTreeControl()
{

//clear out the tree so we can start fresh
tree.Nodes.Clear();

//get the servers in the local farm
SPFarm farm = SPFarm.Local;
SPWebService service = farm.Services.GetValue("");

//enumerate the servers and add them to the tree
foreach (SPWebApplication webApp in service.WebApplications)
{
TreeNode webAppNode = new TreeNode();
webAppNode.Text = webApp.Name;

if (showCreateDate)
{
webAppNode.Text += " Created On: " + webApp.Created.ToString();
}

webAppNode.NavigateUrl = null;
tree.Nodes.Add(webAppNode);

//TODO: add code to enumerate the sites under
//the web app and add them to the tree
}

}

Next, we will work on adding some customizable properties to our WebPart. This is done with the EditorPart.

private CheckBox showCreateDateCheckBox;

public TreeViewEditor()
{

//instantiate our create date checkbox
showCreateDateCheckBox = new CheckBox();

}

protected override void CreateChildControls()
{

//add the create date checkbox to our properties pane
showCreateDateCheckBox.Text = " Show Create Date with Site Title";
Controls.Add(showCreateDateCheckBox);
Controls.Add(new LiteralControl("<div style='width:100%' class='UserDottedLine'></div>"));

}

public override bool ApplyChanges()
{

EnsureChildControls();

SPSiteCollectionNav part = WebPartToEdit as SPSiteCollectionNav;

if (part != null)
{
//save the checkbox value back to the WebPart
part.ShowCreateDate = showCreateDateCheckBox.Checked;
}
else
{
return false;
}

return true;

}

public override void SyncChanges()
{

EnsureChildControls();

SPSiteCollectionNav part = WebPartToEdit as SPSiteCollectionNav;

if (part != null)
{
//sync any changes to the web part back to its properties
showCreateDateCheckBox.Checked = part.ShowCreateDate;
}

}

And there you have it. The Create Date checkbox will appear in the properties pane of the WebPart and can be used to turn on and off the display of the Site Create Date in the Site Node text of our Navigation WebPart.

Hit or MIIS

2008-10-20T10:02:00.000-07:00

While working out at a client site on their MIIS implementation, occasionally during a sync on one of their MAs, the Identity Manager Application would become almost completely unresponsive. I couldn't start or stop the running of an MA, execute a Preview, complete an MV Search, perform any manual Joins or Disconnections. It was all very frustrating, I would have to wait a few minutes until MIIS came back from the abyss to continue my work. The only other information that I had was from performing a SQL Profiler Trace. MIIS was definitely working on something, but what and why? <spoiler>The Answer: it has to do with the Joining activity that MIIS does while sync'ing an object.</spoiler> So, here's a little more background...

While configuring a Management Agent, you are given the ability to define rules that MIIS can use to determine if the object that its currently looking at should be linked to user data that it already has from other systems. This can be done by simply going to the Configure Join and Projection Rules in the Metaverse Designer and clicking on the New Join Rule button at the bottom:

In its simplest form, a Join Rule can be designed that directly correlates data in the source with data in MIIS. For example, if the First and Last Name are the same, join the identities together:

On the backend, MIIS is executing a query against the Metaverse table to get all of the object_ids of user's with data matching the join criteria:

select distinct [mms_metaverse].object_id from [mms_metaverse] with (holdlock) where (([<MVAttributeName>] =N'<CSAttributeValue>'))

So if we are sync'ing an individual named Joe Smith, we get a query like (and, yes, there really are both sets of parentheses around each expression):

select distinct [mms_metaverse].object_id from [mms_metaverse] with (holdlock) where (([givenName] =N'Joe')) and (([sn] =N'Smith))

It will then run the following series of queries to build a portfolio about every object_id returned:

exec mms_getmvsvall_xlock @mvobjid = '<object_id>';
exec mms_getmvmulti @mvobjid = '<object_id>';
exec mms_getmvrefasobjid @mvobjid = '<object_id>';

Once MIIS has all of this data, it can join with an existing identity for Joe Smith, if one is found. In this scenario, if more than one Joe Smith is found, MIIS will consider this a Non-match and move onto the next join rule. It will continue to execute the join rules one after the other, in turn, until either a join is made or it reaches the end of the list. If no join is made, MIIS will then move onto projection, if this option has been defined.

Now, In an actual deployment these join scenarios are usually a little more complicated. To resolve a more complicated search/match, we usually have to go out to our rules extension code. There are two places you can inject code during the join procedure. The first of these is done by using the Rules extension mapping type. This will allow you to add some additional logic around the attribute equivalency search. Here is what I mean... you are trying to join based on Social Security Number and the source system has SSNs stored as 123-456-789 but MIIS has it stored as 123456789, while these two are not technically equivalent if doing a direct evaluation, we can add code to ensure that evaluation is done "correctly" via code executed in the MapAttributesForJoin Method.

The second place we can inject code is to pick the proper join out of the X number of candidates found by the Join search. So continuing from our example above, if we have defined a join based on SSN, but our data tends to be pretty dirty and multiple people have the same SSN. We have ensured that our SSN matching is performed properly above in the MapAttributesForJoin by reformatting the data, but the match/search logic finds 5 people that could potentially match my source SSN of 123-456-789. We can add additional code in the ResolveJoinSearch method to determine, based on other data elements, say last name, that number 3 of the 5 people found is the right individual to join with.

So, here is a more real world example. What if we want to join people base on their birth date with a last name or previous last name match? In this case we will have to go out to code to determine whether a join candidate can be found. We would start by creating a join rule based on birth date:

We have decided to use a Mapping Type of Rules extension to allow us to go out to code to reformat the birth date to ensure that it matches the format in MIIS. In our rules extension, MIIS would be looking for an entry point of "cd.person#1:mccdDOB->mccdDOB" in the MapAttributesForJoinMethod:

switch (FlowRuleName)
{

case "cd.person#1:mccdDOB->mccdDOB":

   if ( csentry["mccdDOB"].IsPresent )
   {

      //reformat the dob with style used in the MV
      values.Add( System.Convert.ToDateTime(csentry["mccdDOB"].StringValue).ToString("yyyy-MM-dd") );

   }

   break;

default:
   throw new EntryPointNotImplementedException();

}

We have also selected the Use rules extension to resolve option. This will allow us to add code to check current and previous last names against those individuals found with the same birth date. This is done using the following code in the ResolveJoinSearch Method:

//set index of final join candidate to -1 to indicate no join found
imventry = -1;

//create a variable to keep our place in the loop
int curIndex = 0;

switch (joinCriteriaName)
{

case "cd.student#1":

   //loop through each person to check current/prev last name
   foreach (MVEntry mventry in rgmventry)
   {

      if ( csentry["sn"].IsPresent && mventry["sn"].IsPresent)
      {

         //try to join on last name
         if ( csentry["sn"].StringValue == mventry["sn"].StringValue )
         {

            //its a match, return the index of this individual
            imventry = curIndex;

         }

      }
      else if ( csentry["prevSn"].IsPresent && mventry["sn"].IsPresent)
      {

         //try to join on previous last name
         if ( csentry["prevSn"].StringValue == mventry["sn"].StringValue )
         {

            //its a match, return the index of this individual
            imventry = curIndex;

         }

      }

      //we are moving to the next object, increment the counter
      curIndex++;

   }

   break;

default:
   throw new EntryPointNotImplementedException();

}

//return index of individual found
return imventry;

So, now that we have all of the basics of joining down, we can get back to the problem. Did you catch it? When MIIS is performing the join search, it executes a set of stored procedures to get all of the data about the matching Metaverse objects using an exclusive lock, locking up our Metaverse table from any other reads or updates until the search is complete. This usually isn't a problem because this process happens so quickly you usually won't notice it. With that said, be very careful not to create inefficient join rules that return more than a few results. If more than a few records need to be returned and evaluated, not only will being to see a degradation in the UI response of Identity Manager, it will also take exponentially longer for the MA to complete.

Creating a Scrolling List Gadget

2008-10-16T18:29:00.000-07:00

One of the most important distractions for me as I develop is my music, it helps to keep me focused. In an effort to share that, I added a widget to the right of my blog that shows a list of the music that I am "currently" listening to. Not finding a good alternative, I simply used a link list widget and inserted a couple of the songs from my current playlist. Well.... not being satisfied with the geek factor, what I really wanted was something more dynamic, a kind of scrolling list, a music reel or marquee, if you will. So I set out to find out how to make my own Blogger Widget....

I started with the Blogger help files:

However, I found these a little limiting. I expanded my search and found that, as many others have done, the easiest way to do this to create a new Google Gadget. And better yet, once our Gadget is ready, Google will even host it for us on their GGE (or for those of us looking for more features at Google Code).

A Gadget consists of a xml file with three basic elements:

ModulePrefs
UserPref
Content

And looks something like this...

<?xml version="1.0" encoding="UTF-8" ?>
<Module>
<ModulePrefs title="" description="" height="" width="" thumbnail="" screenshot="" author_email="" author="" title_url="">
   
   <Locale lang="" language_direction="" messages="" country="" />
   <Link rel="" href="" method="" />
   <Require feature="">
      <Param name="">
   </Require>
   <Optional feature="">
      <Param name="">
   </Optional>
   <Preload href="" authz="none(default),signed,oauth" />
   <Icon mode="" type="">
      
      
   </Icon>
</ModulePrefs>
<UserPref name="userPref1" display_name="Example" datatype="string(default),bool,enum,hidden,list,location" urlparam=""
required="true,false(default)" default_Value="" />
<UserPref name="UserPref2" display_name="stringExample" />
<UserPref name="userPref3" display_name="enumExample" datatype="enum" default_value="A">
   <EnumValue value="A" display_value="Alpha">
   <EnumValue value="B" display_value="Beta">
   <EnumValue value="G" display_value="Gamma">
</UserPref >
<Content type="html,url" href="" />
   <![CDATA[
      
      
   ]]>
</Content>
</Module>

A couple of things to keep in mind before you begin. Blogger will provide a user setting for Height and Title by default. List Items can only be Added and Removed, in other words no Edit functionality. To change an entry, it will have to be removed and recreated. Further, it will host your Gadget inside of an iframe, so you will lose any styles applied to the blog. I have tried to compensate for this in my design below. Also, a <div> tag will be added with a class of widget-content and a black border. It will also add scroll bars, if necessary.

I wanted consumer's of my Gadget to be able to set the following options:

Number of Items to Show - integer from 1 to 99,999
Time to wait before Scrolling (in seconds) - integer from 1 to 99,999
Content Font Style Definition
List of Items

Arriving at a simple UserPrefs section that looks like...

<UserPref name="myNumItems" display_name="Items to Show" />
<UserPref name="myTimer" display_name="Time to Scroll" />
<UserPref name="myStyle" display_name="Content Font Style" default_value="8pt Georgia" />
<UserPref name="myList" display_name="List of Items" datatype="list" />

You could add additional style items to give user's more display flexibility, things like color, line size, padding, etc. Finally, I took a stab at the CDATA portion of the Content element. After several rounds of modifications, saves, publishing and testing on my iGoogle page, I arrived at the following code:

<div id="content_div"> </div>

<script type="text/javascript">

// Get UserPrefs Options
var prefs = new _IG_Prefs(); //new gadgets.Prefs();

// Get Details of UserPrefs
var items = prefs.getArray("myList");
var style = prefs.getString("myStyle");
var numToShow = 99999;
var timer = 99999;

//validate entries
if (!isNaN(prefs.getString("myNumItems")))
{
numToShow = new Number(prefs.getString("myNumItems"));
}

if (numToShow > 99999)
{
numToShow = 99999
}

if (!isNaN(prefs.getString("myTimer")))
{
timer = new Number(prefs.getString("myTimer"));
}

if (timer > 99999)
{
timer = 99999;
}

// keep track of where we are in our loop
var curIndex = 0;

// load list once for initial display
displayList();

// reload list after delay
setInterval("displayList()", timer * 1000);

function displayList()
{

// Build HTML to show the user
var html = "<table id='content-table' cellPadding='1px' border='0'>";

// Loop through and display items
if (items.length > 0)
{
   var loopUntil = numToShow;
   var itemToShow = new Number(curIndex);

   // if user has set the number to show greater than the number of items we
   // have in our list, only loop through the number in the list
   if (items.length < loopUntil)
   {
      loopUntil = items.length;
   }

   //loop through our items, keeping track of where we are and what needs to be shown
   for (var i = 0; i < loopUntil; i++)
   {
      //if we have moved past the end of the list start back at the beginning
      if (itemToShow >= items.length)
      {
         itemToShow = 0;
      }

      html += "<tr><td>" + items[itemToShow] + "</td></tr>";
      itemToShow++;
   }

   // Start loop at the next one in the list
   curIndex++;

   if (curIndex >= items.length)
   {
      curIndex = 0;
   }
}

html += "</table>"

document.getElementById("content_div").innerHTML = html;

//load in our style element
var cells=document.getElementsByTagName("td");
for (var i=0; i < cells.length; i++)
{
   cells[i].style.font = style;
}
}

</script>

Don't be surprised if Google warns you about missing elements, like thumbnail and width, when you publish your Gadet. I was able to accept the warning and still publish successfully.

I then went to import this Gadget to my blog using the url that Google gave me during publishing, http://hosting.gmodules.com/ig/gadgets/file/102621166658384583871/scrolling-list.xml. Next, using the Edit HTML tab in the Layout section of my blog, I was able to remove the border around my Gadget and change the padding to the left of the Gadget by checking the Expand Widget Definitions and locating the <div> tag just before my Gadget. I also set the scrolling attribute on the iFrame to no. While changing the Font Style in user settings, I will sometimes get JavaScript errors, however, in my mind, the benefits here outweigh the issue.

You can see the fruits of my labor over to the right, titled "Currently Developing To...".....Wait for it.....

Let me know what you think and feel free to add the Gadget to your own site! Happy blogging!

Welcome!

2008-10-16T10:31:00.000-07:00

I have been a developer for over 10 years, spending the last 6 of those as a consultant working for the world-class IT provider, Ensynch. While working for Ensynch, I have had the privilege of being exposed to an extensive portfolio of technologies. Its my objective to begin a blog about my adventures. And I have some very big shoes to fill here, following in the footsteps of those folks you see to the right. Getting into the blogging game a little late, my first (second?) post will be, not coincidentally, about creating this blog.

Based out of Tempe, Ensynch has both a professional services and a talent solutions arm. Ensynch has been awarded with such prestigious awards as Microsoft's West Region Partner of the Year and The Business Journal's #1 Phoenix Computer Consultant company. Ensynch provides expertise in several core areas, including, Identity Management, Portals and Collaboration, Systems Management, Infrastructure Optimization, Unified Communications and Application Development/Lifecycle Management.

So without further ado, here goes.....

Not locked / none	site.writeLocked = false site.readOnly = false site.readLocked = false
Adding content prevented / noadditions	site.writeLocked = true site.readOnly = false site.readLocked = false
Read-only / readonly	site.writeLocked = false site.readOnly = true site.readLocked = false
No access / noaccess	site.writeLocked = false site.readOnly = false site.readLocked = true