1dent1ty cHa0s

FIM Sync Installation fails with Invalid object name 'mms_management_agent'. Access is denied

2012-05-16T17:53:00.001-07:00

Found this error today while installing the FIM Synchronization Service:

Error 25009.The Forefront Identity Manager Synchronization Service setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. Access is denied.

This turned up an old post of mine that matched the error:

http://www.identitychaos.com/2009/09/issues-with-sql-server-in-windows-2008.html

…but that wasn’t the cause. This is probably an edge case, but in this particular situation it was due to the image not having been SysPrep’d. This error turned up in the System Log which led us to the resolution:

Event ID: 5516
The computer or domain FOO trusts domain BAR. (This may be an indirect trust.) However, FOO and BAR have the same machine security identifier (SID). NT should be re-installed on either FOO or BAR

Refer to Brian Desmond’s blog here for proper SysPrep techniques:

http://briandesmond.com/blog/how-to-sysprep-in-windows-2008/

FIM Security–The management agent failed to validate against the application store with the specified credentials

2012-04-30T15:26:00.001-07:00

Last week I ran into the follow event log error after applying some GPO lockdown policies:

Log Name: Application

Source: FIMSynchronizationService

Date: 4/25/2012 10:52:34 AM

Event ID: 6309

Task Category: Server

Level: Error

Keywords: Classic

User: N/A

Computer: fimsync.contoso.com

Description:

The server encountered an unexpected error while performing an operation for a management agent.

"BAIL: MMS(5612): manhost.cpp(713): 0x80230709 (The extension operation aborted due to an internal error in FIM Synchronization Service.)

BAIL: MMS(5612): nathost.cpp(198): 0x80231317 (The management agent failed to validate against the application store with the specified credentials.)

BAIL: MMS(5612): cntrler.cpp(543): 0x80231317 (The management agent failed to validate against the application store with the specified credentials.)

BAIL: MMS(5612): ma.cpp(3668): 0x80231317 (The management agent failed to validate against the application store with the specified credentials.)

Forefront Identity Manager 4.0.3606.2"

This can manifest itself in the following ways:

The event log error above
Run Profile failures on the FIM MA with the same error text

This can happen if you’ve inadvertently denied access to the FIM MA account while applying group policy. There are two policies where you need to ensure you aren’t clobbering this account:

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally – if you take a restrictive approach and only specify “Administrators” then you will see this
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on locally – if you specify a group containing the FIM MA account then you’ll see this

This is consistent with the following TechNet article – Before You Begin, as part of the Installation Guide.

Update Rollup 2 (build 4.0.3606.2) is available for Forefront Identity Manager 2010

2012-02-28T12:00:00.000-07:00

Update Rollup 2 is available now and there are lots of goodies available including:

Extensible Connectivity Management Agent 2 Framework (ECMA 2) - this is the new XMA framework which removes many of the previous limitations on writing your own MA (now just called Connectors!
NOTE: If you are upgrading from the RC version of ECMA2 then you will have some manual steps; please see the KB article for more info
Password Reset (via FIM Sync) obeys the UserCannotChangePassword flag in AD – self-service resets will now obey this setting
Rules extensions now support .NET 4.0 – compile your projects targeted for .NET 4
SQL Wildcard update in build 4.0.3594.2 has been reversed – support for underscore, percent and square bracket are back in same as the previous 4.0.3576.2 build
Set Partitioning and Tabular Functions – this feature fixes some scalability issues with large complex “OR” filters in dynamic groups and sets;
NOTE: You will need to execute a stored procedure to enable this, refer to the KB article for more information

Update Rollup 2 (build 4.0.3606.2) is available for Forefront Identity Manager 2010

Forefront Identity Manager 2010 R2 Release Candidate Now Available

2011-11-23T14:54:00.001-07:00

Cross-posting from the Server and Cloud blog:

Microsoft is pleased to announce the availability of Forefront Identity Manager 2010 R2 release candidate. It is available for download from Microsoft Connect, as described below.

This release candidate includes new and updated features for FIM 2010 R2:

Historical reporting using integration to the System Center Service Manager data warehouse
Web-based Self-Service Password Reset
Scale and performance improvements
Outlook® 2010 support for the FIM add-ins and extensions and SharePoint® 2010 support for the FIM Portal

In particular, this release candidate introduces numerous functional improvements, including:

New authentication gates for self-service password reset
Additional reports
Extensible Connectivity Management Agent 2

For complete information, see the Release Notes and feature-specific documents.

If you have already joined the FIM 2010 Community Evaluation Program or downloaded the beta, you can obtain FIM 2010 R2 RC from the FIM 2010 Connect web site. The downloads link is in the left column.

To join the program and download the software, click here. Once you answer the survey questions, the Connect site will auto-approve your access.

Thanks,

Mark Wahl

Principal Program Manager

Forefront Identity Manager 2010 R2 Release Candidate Now Available - Microsoft Server and Cloud Platform Blog - Site Home - TechNet Blogs

UAG “Activation will start soon” stuck when joining a node to the array

2011-11-22T16:22:00.001-07:00

This one terrorized me all day and just wouldn’t go away no matter what I did:

As it turns out, this is a symptom of having your nodes on different patch levels of UAG. The first node was SP1 with Update 1 while the second node only had SP1 applied. After applying Update 1 to the second node the array converged once I activated the configuration again.

I borrowed the following list from Ben Ari’s blog:

Here are some links that are related to these released:

Download UAG SP1
Information about UAG SP1 Rollup 1
Download UAG SP1 Update 1
Download TMG SP2
Instructions for installing UAG SP1 Update 1 (this is important especially if you are installing on an Array!)
Updated list of clients supported by UAG SP1 Update 1
What’s new in UAG SP1 Update 1
Release notes for UAG SP1 Update 1
What’s new in TMG SP2
Release notes for TMG SP2

FIM 2010 R2 Beta Feedback Requested

2011-08-23T14:04:00.001-07:00

If you aren’t already working with the R2 Beta release of FIM 2010, please download and check it out and then provide feedback in the public forums as to what you like and what you don’t like. Given that this is still the beta release, there is time to get your feature requests heard!

To access the R2 Beta you will need to sign-in to Connect, Microsoft’s site for evaluating and providing feedback on early or pre-released software. You just need a Windows Live ID to sign-in and create your profile. Once you sign-in to the site you’ll be able to browse a list of products accepting feedback or bugs and add those products to your dashboard by clicking Join.

Step-by-Step

(Lifted from Peter Geelen’s post)

You can access the site one of two ways:

By following this link: https://connect.microsoft.com/site433/SelfNomination.aspx?ProgramID=6639&pageType=1, OR
Logging into Connect
1. Browse the Directory for Forefront Identity Manager.
2. Click on the Join link on the topics you wish to join
3. Answer the survey questions and then click Submit; this auto-approves you for the Beta connection
4. Click the Downloads link in the left column

At the download section, you’ll find the following items:

As you are evaluating the products, we encourage you to discuss feedback in the forum, but to take the time to open bugs in the Feedback Center of the FIM Connect site. These bugs are triaged directly by the FIM Product Group so it’s important to file them. Use the forum to ask clarifying questions around configuration and experience and please share your positive and negative feedback about your experiences with the betas there.

SaaS and Identity Silos–the new Wolf in Sheep’s Clothing

2011-08-03T08:00:00.001-07:00

To borrow another metaphor, the old phrase:

“Beware of Greeks bearing gifts”

…is reborn now as:

“Beware of SasS vendors bearing identity”

In this age of pushing our solutions to the cloud we need to be careful in adopting solutions that involve standing up another identity silo. Having another username and password is a time honored solution to most new applications but in this day and age is no longer acceptable. Stress to your SasS vendors that you need flexibility to:

Federate with an external Identity Provider (i.e. your enterprise identity)
Federate with a consumer Identity Provider (i.e. your Facebook/Yahoo/Google/Live identity)

There are certainly cases where SaaS vendors will need to provide both a solution for local username and password (small businesses for example) yet need the forethought to support extended federation scenarios for larger customers.

Another item that SaaS vendors are not immune to is the challenge of profile synchronization. Whenever an application must maintain preference or demographic data (name, title, menu preferences, etc) about you it must either keep that in a local store or rely on all of that data to arrive each time as part of the incoming claim set. In some cases, it’s simply not practical to do everything in the claim as it’s not the Identity Provider’s job to remember preferences for individual applications. The thing to remember here is that the profile data in the cloud must be created and maintained through some process. Look for options other than the manual ones to automate this.

True Single Sign-On

2011-06-30T12:54:00.001-07:00

My customer really liked something I had said the other day while discussing strategy around Identity and Access Management. The concept of SSO kept coming up, in dialog as well as in industry briefs on the topic, which we were reviewing, and I basically said,

“SSO isn’t a product you buy, it’s the by-product of a well architected Identity and Access Management strategy.”

That statement has begun to resonate and for good reason. While even I cannot deny that SSO products have their place, I disagree that it should be the first stop in your decision making process. Use an SSO product when you simply have no other choice. There are other options that can reduce complexity as well as the number of logon prompts.

Federating FIM 2010 using UAG/ADFS and KCD - Identity.Junkie() - Site Home - TechNet Blogs

2011-06-07T11:49:00.001-07:00

Identity Junkie is back on the air with it’s first post, check it out! It covers the concepts of using UAG to publish the FIM portal using a Federated model. To be clear, this isn’t “how do I authenticate to FIM without an AD account”, it’s “how do I authenticate to the FIM portal when my request is originating from an extranet”. To quote Chris:

Where is this applicable? Say you have a resource forest where FIM resides so how do you provide access to the portal from autonomous security realms without having to create a bunch of NT trusts or maintaining secondary credentials. Because shadow accounts exist within the resource forest as security principals for dependent services (for example BPOS or O365), you can leverage UAG, ADFS, and KCD together to provide secure access. UAG is claims-aware and supports Kerberos protocol extensions for (1) protocol transitioning and (2) constrained delegation.

Federating FIM 2010 using UAG/ADFS and KCD - Identity.Junkie() - Site Home - TechNet Blogs

Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview! - Claims-Based Identity Blog - Site Home - MSDN Blogs

2011-05-17T15:55:00.001-07:00

Uh yes, very big step, especially for us in the public sector space. Nice job team!

Announcing the WIF Extension for SAML 2.0 Protocol Community Technology Preview! - Claims-Based Identity Blog - Site Home - MSDN Blogs

AD FS 2.0 Content Map - TechNet Articles - Home - TechNet Wiki

2011-04-21T12:30:00.001-07:00

Here is an excellent content map to the wealth of online ADFS 2.0 documentation and training materials. There is a LOT of content here including links to videos, troubleshooting guides, solutions and integration with other products. Check it out!

AD FS 2.0 Content Map - TechNet Articles - Home - TechNet Wiki

Download details: Forefront Identity Manager 2010 Monitoring Management Pack

2011-04-01T15:18:00.000-07:00

The FIM 2010 Management Pack for Operations Manager 2007 has been released, among the features are:

End-User Availability
Synchronization Service Availability
FIM Service and Portal Availability
FIM Portal Errors Shown to End Users
FIM Portal Configuration Errors
FIM Service Internal State
FIM Service Set Corrections
FIM Service Connectivity with Exchange
FIM Synchronization Service Configuration Errors

Download details: Forefront Identity Manager 2010 Monitoring Management Pack

FIM 2010: Adding the Approval tab to your Group RCDC

2011-03-17T20:06:00.001-07:00

So, as it turns out it's incredibly helpful to be able to see all of the workflow approvals relative to a specific object; I call this "simple" reporting and it's quite easy to setup. While my example shows how to do this for a Group object, you can really apply this tab to any object that you are collecting approvals on because the query is not object type specific. Here are some items of note before we look at the code:

The example shows how to query both the Approval object and the ApprovalResponse
The example shows the control binding RightsLevel to the SIDHistory attribute
The example also shows how to use the ListFIlter Property of a UoCListView control

Anatomy

There are four objects at play when we're talking about the typical Owner Approved Group scenario:

Object Type	Description
Request	This is the original Request object created when the request to join/leave a group was submitted
Approval	When your Approval activity fires it will generate an Approval object for each of the Owners you configured
ApprovalResponse	For each person that either Approves or Rejects the request, an ApprovalResponse object is created
Group	Once all of your approvals are completed and the threshold is met, you get the Group object

Again, I'm using a typical Owner Approved Group scenario here to illustrate, but this could just as easily be your own custom object which you've linked an Approval activity to. While you cannot yet use the Outlook Add-ins to join a custom object, the approval process works on any object type. For the purposes of reporting, we will go after the Approval and ApprovalResponse objects.

Security

Approvals can be sensitive in nature so you may decide that not everyone should be able to see who approved, or rejected, any given approval. If you don't care, then you can bind the control to any attribute that all users can see, say for instance: DisplayName. If you do care, then you will want to bind this to an attribute that is restricted and then apply your rights granting MPR's accordingly. You apply either situation by modifying the bolded following line in the code:

<my:Control my:Name="ApprovalView" my:TypeName="UocListView" my:Caption="All Approval Requests" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=SIDHistory}">

Whichever attribute you bind to will control whether or not the control itself will appear. If a user cannot see any controls on a Group, the RCDC will not display the tab at all. In my case, I had a situation where only administrators should be able to see the data and SIDHistory is an attribute that is not explicitly granted any rights in any default MPR's, so only members of the Administrators Set would be able to see it anyway.

NOTE: Keep in mind that being able to see the attribute you are binding the RightsLevel to is only half of the equation. If you want non-administrators to be able to see the items in the report, you will also have to grant them rights to Read the relevant attributes on both the Approval and ApprovalResponse objects.

Filter

I mentioned that we make use the ListFilter property in the control, that's this line of the code:

<my:Property my:Name="ListFilter" my:Value="/Approval[Request = /Request[Target='%ObjectID%']]" />

…and this one:

<my:Property my:Name="ListFilter" my:Value="/ApprovalResponse[Approval = /Approval[Request = /Request[Target='%ObjectID%']]]" />

In the first filter we are looking for all Approval objects filtered by the Request attribute which contains a reference to a Request object whose Target is the object we are viewing. Much like the first filter, in the second filter we are looking for all ApprovalResponse objects filtered by the Approval attributes which contains a reference to a Request object whose Target is the object we are viewing. The difference here is that we're looking at the relationship between the Approval and the ApprovalResponse.

In either case, I'm illustrating how we use two separate controls to show the Approval and ApprovalResponse objects relative to the object we're viewing (say a Group). But as you can see, there is nothing object specific in the query so it can be applied to any object type.

To apply this grouping, you will need to edit the View and/or Edit RCDC's for your object and insert the code block peer to the other <my:Grouping headers. Hope this helps, for more information on editing your RCDC, please refer to the FIM 2010 RCDC XML Reference.

Oh, and always back up your RCDC's before you start editing them in case you need to fall back!

Code

<my:Grouping my:Name="GroupingApprovals" my:Caption="Approvals" my:Description="This page displays two controls: 1) Approval Requests - These are requests to modify the membership of this group, the Approval Status reflects the final outcome of the request. 2) Approval Responses - These are the responses filed by the approvers. Note, however, that there may be multiple responses for a single request and an Approval does not indicate that the request itself was approved.">
      <!--Approval Reporting Grouping by Brad Turner, bst2k@hotmail.com-->
      <!--http://www.identitychaos.com-->
      <my:Control my:Name="ApprovalView" my:TypeName="UocListView" my:Caption="All Approval Requests" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=SIDHistory}">
        <my:Properties>
          <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,CreatedTime,Requestor,Approver,ApprovalStatus" />
          <my:Property my:Name="ResultObjectType" my:Value="Approval"/>
          <my:Property my:Name="EmptyResultText" my:Value="There are no approvals for this group." />
          <my:Property my:Name="PageSize" my:Value="7" />
          <my:Property my:Name="SearchControlAutoPostback" my:Value="false" />
          <my:Property my:Name="SearchOnLoad" my:Value="true" />
          <my:Property my:Name="ShowTitleBar" my:Value="true" />
          <my:Property my:Name="ShowActionBar" my:Value="false" />
          <my:Property my:Name="ShowPreview" my:Value="false" />
          <my:Property my:Name="ShowSearchControl" my:Value="false" />
          <my:Property my:Name="EnableSelection" my:Value="false" />
          <my:Property my:Name="SingleSelection" my:Value="false" />
          <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
          <my:Property my:Name="ListFilter" my:Value="/Approval[Request = /Request[Target='%ObjectID%']]" />
        </my:Properties>
      </my:Control>
      <my:Control my:Name="ApprovalResponseView" my:TypeName="UocListView" my:Caption="All Approval Responses" my:ExpandArea="true" my:RightsLevel="{Binding Source=rights, Path=SIDHistory}">
        <my:Properties>
          <my:Property my:Name="ColumnsToDisplay" my:Value="CreatedTime,Requestor,ComputedActor,Decision,Reason" />
          <my:Property my:Name="ResultObjectType" my:Value="ApprovalResponse"/>
          <my:Property my:Name="EmptyResultText" my:Value="There are no approval responses for this group." />
          <my:Property my:Name="PageSize" my:Value="7" />
          <my:Property my:Name="SearchControlAutoPostback" my:Value="false" />
          <my:Property my:Name="SearchOnLoad" my:Value="true" />
          <my:Property my:Name="ShowTitleBar" my:Value="true" />
          <my:Property my:Name="ShowActionBar" my:Value="false" />
          <my:Property my:Name="ShowPreview" my:Value="false" />
          <my:Property my:Name="ShowSearchControl" my:Value="false" />
          <my:Property my:Name="EnableSelection" my:Value="false" />
          <my:Property my:Name="SingleSelection" my:Value="false" />
          <my:Property my:Name="ItemClickBehavior" my:Value="ModelessDialog" />
          <my:Property my:Name="ListFilter" my:Value="/ApprovalResponse[Approval = /Approval[Request = /Request[Target='%ObjectID%']]]" />
        </my:Properties>
      </my:Control>
</my:Grouping>

Using DFS and GPO in FIM High Availability Scenarios PowerPoint

2011-02-21T15:27:00.001-07:00

FIM 2010: Build 4.0.3573.2 Performance Improvements, part 3

2011-02-21T10:07:00.001-07:00

In our previous two installments:

FIM 2010- Build 4.0.3573.2 Performance Improvements, part 1 – I documented the base configuration of the Hyper-V environment
FIM 2010- Build 4.0.3573.2 Performance Improvements, part 2 – I documented the configuration of the VM's, the two disk configurations and baseline results in build 4.0.3531.2 (RTM w/Update 1) to use as our comparison for the new hotfix build 4.0.3573.2

In this installment I'll show you how new features can be enabled in this build to improve your initial load times by a factor of 3.

Installation

To download the new hotfix, follow the link and file the request:

http://support.microsoft.com/kb/2417774

All of the features get a boost here and FIM CM gets a bunch of fixes that you can read about in the hotfix article (sorry Brian). The two we will focus on here are:

FIMService_x64_KB2417774
FIMSyncService_x64_KB2417774

Don't forget that there are updates to PCNS and the FIM Add-ins to deploy as well! As always, remember to take a good backup of your databases in case you need to roll these back. I didn't encounter any issues during the installation other than the fact you must manually stop the service before the installer can continue.

Case Bug Fixed

One of the significant, yet minor fixes resolves an issue where updates to string attributes would be marked as completed but fail to update. This happened whenever you were just changing the case of the string, and not the full value itself:

Case-only changes that are made to existing attributes are not applied to the FIM service database even though the Requests are marked as Completed.

I've tested this and it works, no more exported-change-not-reimported errors due to case updates!

Initial Load Performance Improvements

The new hotfix provides an asynchronous export mode from the FIM MA to the FIM Service. While in some configurations this could lead to a slow down in portal usability, if you have deployed your Service Partitions correctly then you should be pointing your FIM Sync to either a dedicated Admin Portal instance of the FIM Service, or a dedicated instance for FIM Sync as I do. However, I should note, that even in these situations, if you completely load up the SQL Server that is hosting the FIMService database, you will experience a slow down on all service partitions regardless.

There are two additions you can make to the configuration files in order to enable the new 'async' mode:

Microsoft.ResourceManagement.Service.exe.config

The resourceManagementService section has three new settings:

synchronizationExportThrottle="Single" – Default mode, do nothing and you have the existing behavior of ~0.6 Exports/sec
synchronizationExportThrottle="Unlimited" – New mode where each export is confirmed immediately allowing the next export to export right away. The exports to the FIM Service are cached and evaluated asynchronously
synchronizationExportThrottle="Limited" requestRecoveryMaxPerMinute="60" – New mode allowing you to use the capabilities of the async mode but in a responsible manner so as not to degrade portal performance; use the second parameter to help gate this

There is an excellent note here I'll reiterate:

We expect that customers will have to optimize this setting to for their environment, and to accommodate their hardware capabilities and portal load. To tune this setting, monitor the FIM database SQL CPU usage and the Windows Workflow Foundation Workflows In Memory performance counters. Adjust the throttle up or down until you obtain a maximum throughput state. Example target metrics include SQL CPU usage of about 70% and Windows Workflow Foundation not building up a large queue in the Workflows in Memory performance counter.

This setting can be changed dynamically You do not have to re-start the FIM service.

It's nice that you don't have to bounce the service to get this change to go into effect, but I agree with Craig's Connect suggestion that these should have been Run Profile options which would allow us to call a predetermined configuration whenever we needed without resorting to changing the configuration file between runs.

miiserver.exe.config

In the FIM Sync configuration file we have two new lines you need to insert, but only if you wish to change the default behavior once either the "Unlimited" or "Limited" modes are enabled.

<section name="resourceSynchronizationClient" type="MIIS.ManagementAgent.ResourceSynchronizationClientSection, mmsmafim"/>

I didn't notice this line initially and I ended up with a nasty BAIL error when running any of the FIM MA run profiles, so make sure you insert this under the <configSections> first.

In the main body of the configuration file you can insert a resourceSynchronizationClient tag now, the default of which is:

<resourceSynchronizationClient exportFetchResultsPollingTimerInSeconds="5" exportRequestsInProcessMaximum="50" exportWaitingForRequestsToProcessTimeoutInSeconds="600" />

This allows you to tune the three parameters if you have a high-performance disk array:

Property Name	Default Value	Description
exportFetchResultsPollingTimerInSeconds	5	When the Synchronization service is exporting objects in asynchronous mode, this property controls the frequency of polling results that are returned from the FIM service by the FIM MA. Changing this value may give a higher processing rate, depending on your system configuration.
exportRequestsInProcessMaximum	50	When the Synchronization service is exporting objects in asynchronous mode, this property controls how many requests can be queued up in the FIM service for processing. If this limit is met, FIM MA will wait until asynchronous results are sent back before resuming additional exports. Setting this value higher may provide additional processing throughput during export. However, during system failures, these objects may have to be re-exported from the synchronization engine when the FIM-Export process restarts.
exportWaitingForRequestsToProcessTimeoutInSeconds	600	This is the time-out value that FIM MA will use to wait for the FIM service to process a request. If no response is received from the FIM service within this time, FIM MA will end the export with a “cd-error” error.

Now, with these settings you must restart the FIM Sync service in order to get them to apply.

Performance Tuning Results

I ran two tests, both with the new "Unlimited" switch enabled – the first was with the default Sync settings and the second I increased the values to see if I could eek out any additional performance; here are the results:

	4.0.3573.2 Disk Configuration 2 synchronizationExportThrottle=" Unlimited"	4.03573.2 Disk Configuration 2 exportFetchResultsPollingTimerInSeconds="15" exportRequestsInProcessMaximum="100" exportWaitingForRequestsToProcessTimeoutInSeconds="600"
Records (8 attributes/record)	11,251	11,251
FIM MA Export Only Elapsed Time (mins)	92	103
FIM MA Objects Exported/sec	2.031	1.818
Processor Time - miiserver	2.071	1.901
Processor Time - fimservice	2.13	1.89
Processor Time – SQL	66.231	60.545
Logical Disk (SQL) - Average Disk Queue Length	0.986	1.594
Logical Disk (SQL) - Average Disk sec/Transfer (ms)	7	11
Objects Exported/sec Improvement Factor over Previous configuration	2.97	0.90
Elapsed Time improvement over previous configuration (mins)	122	-11

In the first test we can see a huge improvement – 3x over our best run with the previous build breaking 2 Objects Exported/sec and we came in 122 minutes under our prior time! Note that our disk latency and queue are now beginning to show the signs of another bottleneck. In both tests the CPU on the SQL Server was above 60% indicating there was still room to push the system but disk got in the way.

In the second test, I increased the default settings and we ran 11 minutes over reducing our Objects Exported/sec to 1.818 exposing disk as our bottleneck again with an Average Disk Queue Length of 1.594 and latency up to 11ms. Again, this is a home Hyper-V setting with desktop components, so a good Enterprise class deployment should be able to exceed these numbers. It's encouraging that the new asynchronous mode will let us stress the disk a bit more which seems to indicate that the caching can further expand performance on well tuned systems.

I would encourage everyone to start with the defaults and get a good grasp on what your overall disk performance is like so that you know when to back off of some of these settings. If you can keep your queue lengths to 1 or below then you should be at the right mark. In future tests, I hope to move some of the VHD's onto the SSD and see if I can eek out any more performance on this system.

FIM 2010: Build 4.0.3573.2 Performance Improvements, part 2

2011-02-20T13:38:00.001-07:00

In the previous installment, FIM 2010: Build 4.0.3573.2 Performance Improvements, part 1, I documented the base configuration of my Hyper-V test machine and now I'll document the configuration of the virtual machines themselves and share the results of the initial disk tuning for the patched RTM release, build 4.0.3531.2.

Virtual Machine Configuration

Dedicated AD DC (2008 R2)
Dedicated SQL Server (2008 R2 10.50.1600) w/Dual Processors and 4GB RAM

Separate OS (4k), DB (64k), Logs (64k), and TempDB (64k) drives within the VM, but all VHD’s on a single RAID 4-drive set
All VHD files were dedicated (fully expanded), not dynamic

FIM Sync/Service Server (2008 R2) w/Dual Processors and 2GB RAM
FIMService and FIMSynchronization databases set to Simple recovery and pre-grown to 4GB (DB and Logs)
No autogrowth observed throughout the load on either DB
All NIC's (virtual and physical) have Large Send offload disabled

Initial Load Scenario

In my initial load scenario testing I have the FIM Service loaded bare, with no additional sets, policies or workflow added, the same as you'd expect prior to migrating any policy over. In my personal testing, I've see 44% faster load times simply by not loading your policy first and importing all of your objects into a pristine system.

So, we have all of the FIM Services running on a single VM and all of the databases hosted on a single SQL Server, both joined to a domain hosted by a dedicated AD Domain Controller. Next, I will illustrate the disk configuration.

In the first example we have a poor disk I/O configuration, no caching and RAID 5 – this configuration leads to high disk queue length and disk latency making the disk configuration a clear bottleneck. In Configuration 2 we have a somewhat tuned configuration where we've added disk caching, moved the System partition to an SSD and moved to a more efficient RAID 10; from the results below we can see that the disk is no longer a bottleneck.

	4.0.3531.2 Disk Configuration 1	4.0.3531.2 Disk Configuration 2
Records (8 attributes/record)	11,251	11,251
FIM MA Export Only Elapsed Time (mins)	585	214
FIM MA Objects Exported/sec	0.319	0.684
Processor Time - miiserver	0.40%	0.72%
Processor Time - fimservice	14.35%	0.63%
Logical Disk (SQL) - Average Disk Queue Length	2.256	0.001
Logical Disk (SQL) - Average Disk sec/Transfer (ms)	108	3
Objects Exported/sec Improvement Factor over Previous configuration	n/a	2.14
Elapsed Time improvement over previous configuration (mins)		371

Baseline Results

The results from the baseline tests clearly show that the disk subsystem can have adverse effects on the state of your FIM performance, especially when it comes to the initial load scenario. With some simple disk tuning we were able to reduce the run time by 371 mins and achieve a 2.14x improvement over the elapsed running time to export the same records. Average disk queue lengths <1 should not indicate a bottleneck and the fact that our overall latency dropped from 108 ms to 3 ms backs this up. We generally want to keep the latency under 10 ms, and no more than 20 ms. I would like to point out that while the SQL Server disk is broken down into separate volumes, all of the VHD's from all of the VM's are on the same RAID volume in both configurations which would be typical of SAN deployments that split LUN's across all spindles.

In your deployments you should be dealing with at least workgroup class hardware with real servers and performance class SAS/SCSI drives in the 10k-15k RPM range with caching RAID array controllers and should be able to achieve similar results in your initial baseline. In fact, the improved numbers I see here match very closely what I've obtained running on IBM production class hardware and fibre attached SAN (NetApp). I have not been able to personally break 0.7 Objects Exported/sec for an initial load scenario on any configuration running 4.0.3531.2 (RTM with Update 1). I believe these results indicate that now the FIM Service becomes the clear bottleneck as there are no other counters indicating a processor, memory, or network bottleneck.

In the next installment I'll look at how loading the new 4.0.3573.2 hotfix improves times on the same disk configuration 2.

FIM 2010: Build 4.0.3573.2 Performance Improvements, part 1

2011-02-19T12:12:00.001-07:00

I've had some time recently to setup a test rig at home and begin performing some baseline performance tests of our biggest performance problem, the initial load experience with the FIM MA. Here is some information on my test system:

Windows Server 2008 R2 Datacenter running Hyper-V
Intel Core i5-760 2.8GHz Quad Core
16GB RAM (4 4GB DDR3 1333)
EVGA P55V (120-LF-E651-TR) – Intel P55 1156 motherboard with onboard RAID (non-caching)
4 Seagate Barracuda 7200 RPM 1.5TB SATA II (3Gb/s) in RAID 5 array hosting the OS and VM’s
1 Samsung Spinpoint 5400 RPM 2TB SATA II (3Gb/s) as dedicated backup (Volume Shadow Copy) volume

Now, for a point of reference, this is probably the worst disk configuration you can have when it comes to SQL Server and FIM performance metrics. As we'll see the low disk I/O, RAID level and lack of RAID cache will really cause the numbers to fall on my initial test. Shortly after performing my initial test, I upgraded my test rig with the following components:

LSI MegaRAID SAS 9260-4i 512MB Caching RAID controller
OCZ Vertex 2 60GB SATA II SSD

The disk configuration for the subsequent tests is as follows:

1 OCZ Vertex 2 60GB SATA II SSD (3Gb/s) hosting the Hyper-V Host OS (AHCI with TRIM)
4 Seagate Barracuda 7200 RPM 1.5TB SATA II (3Gb/s) in RAID 10 array hosting the VM’s
1 Samsung Spinpoint 5400 RPM 2TB SATA II (3Gb/s) as dedicated backup (Volume Shadow Copy) volume

Hosting the Hyper-V host on the SSD really screams and the addition of the caching array controller running in RAID 10 mode made a measurable difference to the performance of all of the guest VM's. In future tests I'll try moving the database VHD's to the SSD.

The subsequent posts will focus on performance improvements through disk upgrades as well as the ones introduced in the new 4.0.3573.2 hotfix rollup.

SOAP security negotiation with 'http://fim:5725/ResourceManagementService/Resource'

2011-02-18T15:46:00.001-07:00

We finally got to the bottom of a problem we were having with the Public Client with regards to this odd SOAP security negotiation error. The inner exception might look something like this:

Inner Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'FIMService/fim.test.com. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

Oddly enough, our error contained the SPN reference of 'host/' and not 'FIMService', but the real problem here as to do with the way your Kerberos delegation is setup for your FIM Service account – the account that is running the FIM Service itself. The 'Before You Begin' section of the Install Guide correctly instructs you to configure the Service Principal Names for this account, however it leaves out one bit of clarifying information when instructing you how to configure the Constrained Delegation. The instructions are:

Turn on Kerberos delegation for the FIM Service service account in AD DS. You can turn on delegation for all services either by selecting Trust this user for delegation to any service (not recommended) or by using constrained delegation (recommended) by selecting Trust this user for delegation to the specified services only. If you use constrained delegation, search for the FIM Service service account, and then select the entry that you added in the previous step.

Now, here is how we had our FIM Service account configured:

Note the setting "Use Kerberos only" – using this configuration will restrict the delegated service from delegating to a service using any other protocol other than Kerberos. In this configuration, FIM itself works just fine and the first time I saw this create an issue was when testing Henrik Nilsson's FIM Attribute Store for ADFS. I kept getting errors and I was assured they were Kerberos issues, of which I stubbornly pointed out that everything was configured properly and working on my side.

So, three are three types of delegation with respect to Kerberos:

Unconstrained delegation – the "old" way
Constrained delegation – the "new recommended" way
Constrained delegation with Protocol Transition – for when the initial authN is not Kerberos based

When you configure constrained delegation in this manner using the Use Kerberos Only setting, you are preventing protocol transition from occurring. For reasons I don't completely understand, the FIM Public Client leverages protocol transition and the internal FIM classes do not.

So, how do I fix this thing? Easy, set the account to the "Use any authentication protocol" setting and then restart your FIM Services.

Password Expiration Notifications in FIM 2010

2011-01-25T16:11:00.001-07:00

What started out as a blarticle turned into a TechNet wiki post instead:

Password Expiration Notifications with FIM 2010

In this post I discuss patterns around constructing Sets within FIM to send notifications on impending password expiration. The article doesn't focus on wiring up the notification itself, something I think is rather straightforward, but instead focuses on the gritty details of modeling your Set transitions. I think modeling your Set transitions are really the heart of issue here. I discuss one base pattern which becomes part of each of the subsequent patterns and then detail the three general patterns:

The All-inclusive Pattern
The Short Staggered Pattern
The Skip Pattern

These present three separate, but complementary, approaches on how to model the transitions. If you are interested in sending email notifications to your users when their passwords are about to expire and want to do so in descending timeframes (14, 7, 1) then this is for you.

Please track any comments or suggestions on the wiki.

FIM / ILM Best Practices (Forefront Identity Manager): Get FIM Training from Author of FIM Best Practices Volume 1

2011-01-13T13:26:00.001-07:00

Classes are filling up fast, if you are in town, in the region, or just want to travel to sunny Phoenix in our mild winter, check out David's class on FIM being held Feb 8th to Feb 11th here in downtown Phoenix.

FIM / ILM Best Practices (Forefront Identity Manager): Get FIM Training from Author of FIM Best Practices Volume 1

FIM Email Templates – Fun looking through references

2010-11-01T10:17:00.001-07:00

Chalk this up to one of those things I didn't expect to work but it did – the email template will chase a reference attribute and allow you to resolve attributes of the referenced object. Allow me to explain: say, for instance, you want to include a hyperlink to a referenced object in an email notification. The target object contains a reference to the object you'd like to link to like so:

[//Target/Assigned]

In this example, "Assigned" is single-valued reference type in the portal and happens to point to a Person object, but it could point to any object type. Using this information we can embed this into the body or table within a FIM email template and hyperlink it like so:

<a href=http://fim/identitymanagement/aspx/Users/EditPerson.aspx?id=[//Target/Assigned/ObjectID]&_p=1>[//Target/Assigned]</a>

NOTE: You need FIM Update 1 applied for this to work.

This will resolve the ObjectID (Resource ID) of the person assigned and build our hyperlink while displaying that persons name. We can also use the same capability to drill right down into the manager of this person like so:

<a href=http://fim/identitymanagement/aspx/Users/EditPerson.aspx?id=[//Target/Assigned/Manager/ObjectID]&_p=1>[//Target/Assigned/Manager]</a>

So here we're looking at an object with an assigned person object and we've resolved the assigned person's manager; that's two references we've resolved in a single statement. Let's step it up and add another layer plus additional information:

<p><a href=http://fim/identitymanagement/aspx/Users/EditPerson.aspx?id=[//Target/Assigned/Manager/Manager/ObjectID]&_p=1>[//Target/Assigned/Manager/Manager] [//Target/Assigned/Manager/Manager/JobTitle]</a></p>

Aside from adding some additional processing overhead, these are all completely legal XPath queries and the internal grammar resolvers are thankfully employed within the Email Template which I somehow assumed wasn't the case. I've been using these tricks when building Sets for sometime now but just recently tried it within the Email template. The one issue here is that you cannot use this on multi-valued reference types. I can only guess that the grammar resolver is not wired up to automatically spit out the properly formatted HTML required to link each item in the list properly and it does throw an error if you try. The only item that I'm aware of that outputs a multi-valued HTML table is the AllChangesAuthorizationTable.

[//RequestParameter/AllChangesAuthorizationTable]

This is an internally generated request parameter and already wrapped in HTML. You could create your own by writing a custom WF activity that dynamically generated the HTML and links required for any multi-valued list and just write it back to an attribute (or WorkflowData) on the object just prior to sending the notification.

Our professional replacement version of the Function Evaluator, which we call the Change Attribute Activity, is wired up to automatically iterate through a multi-valued attribute if it's passed in as the destination attribute allowing us to use the same logic you see above to apply a transform to any referenced object. The built-in Function Evaluator will not allow you to do this.

FIM Best Practices Volume 1: Introduction, Architecture and Installation of FIM 2010

2010-08-30T09:02:00.001-07:00

Thanks in large part to the efforts by my esteemed colleague David Lundell, the first volume of the FIM Best Practices series is now available for purchase online via print-on-demand here:

To purchase a copy of the book please follow this link

Download details: Forefront Identity Manager 2010 (FIM 2010) SDK Documentation

2010-08-26T13:38:00.001-07:00

I'm a few weeks late but I'm sure I will need to find this again myself in the near future, so here it is – the FIM 2010 SDK! The link at the bottom contains the CHM files, or follow this link for the same content on MSDN:

http://msdn.microsoft.com/en-us/library/ee652263.aspx

Thanks Megan!

Download details: Forefront Identity Manager 2010 (FIM 2010) SDK Documentation

FIM 2010 – Adding and Removing Columns in FIM List views

2010-08-10T16:10:00.001-07:00

Back in the RC0 timeframe the list view columns were fixed despite your best efforts to change the list of attributes that your Search Scopes returned. I was pleasantly surprised to see today that it was fixed (in RC1 actually) which allows you to change the columns entirely. For instance:

Here I've added EmployeeID, EmployeeStatus and a custom field I'm contributing from AD – the last logon timestamp. Better yet, we can customize the view we see in Search Requests:

It's a little cluttered but you get the idea, some of the information you're used to digging into the request to get you can surface in the default view.

How to Customize the Column Listing Using Search Scopes

This is all about changing the attributes that are returned as part of the Search Scope being applied. Whenever you see the "Search within:" box you'll see a list of options to choose from – those are Search Scope objects that you can customize. You can do this with any Search Scope potentially, but I'll demonstrate how to customize the "All Users" scope which is displayed by default when you hit the Users page.

Navigate to Administration/Search Scopes
Find the "All Users" scope and select it (edit)
Select the Results tab

The one I'm using in my example (sans the last logon timestamp custom attribute) is:

DisplayName;EmployeeID;EmployeeStatus;AccountName;OfficeLocation;OfficePhone;Email

Finish and Submit your changes
IISRESET each of your frontend web servers or wait 24 hours for the cache to timeout

FIM 2010 – Well-known GUIDS

2010-08-05T21:17:00.001-07:00

Within the FIM Service there are a few "well-known" GUID's that are used. Being "well-known" they are the same on every installation and I thought I'd document them here quickly:

Name	GUID
Built-in Synchronization Account	fb89aefa-5ea1-47f1-8890-abe7797d6497
FIM Service Account	e05d1f1b-3d5e-4014-baa6-94dee7d68c89
Anonymous	b0b36673-d43b-4cfa-a7a2-aff14fd90522

You should also be able to use these to override the Actor ID property in your custom WF in order to "run as" another identity. For instance, the built-in Function Evaluator executes as the FIM Service Account.