ERP MA bug in ILM 2007 FP1

Apparently there is a known bug in the ERP MA for SAP that comes with ILM 2007 FP1. This bug prevents you from configuring the outbound flow of an anchor attribute. When mapping an attribute to csobject.anchor, this prevents you from setting the flag which defines this attribute as an identity for the object and prevents you from exporting when invoking a BAPI that needs the reference.

Microsoft is aware of the bug which might be fixed next week; however the expectation should be assumed for mid-January.

So far, I’ve still using the version of the MA downloadable from the following link which is working fine.

Setting Terminal Service Properties in .NET

I recently had the requirement of managing Terminal Service properties in AD by means of MIIS. If you've ever been tasked with this, you may have noticed there are many VBScript and C++ snippets online with very few .NET examples. Therefore, I've decided to post how to accomplish this in .NET for those interested.

Initially, you'd think this is pretty easy...why couldn't I just flow any value through to AD using an advanced attribute flow within an MA rule extension? Well, not in this case. If you look into a user objectClass in AD through ADSIEdit, you'll notice these attributes are not directly exposed. Although I was able to populate some of the values through System.DirectoryServices, not all were accessible. Further research uncovered you can manage Terminal Service properties using the ADSI Extension for Terminal Services User Configuration. This extension is an assembly that allows you to manage Terminal Server user properties though the IADsTSUserEx Property Method. Below is sample code I used to test the functionality.

using TSUSEREXLib;
using System.DirectoryServices;
using System;
using System.Collections.Generic;
using System.Text;

namespace Set_Terminal_Service_Properties
{
class Program
{
static void Main(string[] args)
{
string acctName = "chrisca";
string tsHomeDrive = "H:";
string tsHomeDirectory = "\\\\servername\\tshomedirectory\\";
string tsProfilePath = "\\\\servername\\tsprofilepath\\";
int enableLogon = 1; // enable terminal service logins

DirectoryEntry entry = new DirectoryEntry
("LDAP://CN=Chris Calderon,CN=Users,DC=corp,DC=contoso,DC=com");
ADsTSUserEx oUser = (ADsTSUserEx)entry.NativeObject;
oUser.AllowLogon = enableLogon;
oUser.TerminalServicesHomeDirectory = tsHomeDirectory + acctName;
oUser.TerminalServicesHomeDrive = tsHomeDrive;
oUser.TerminalServicesProfilePath = tsProfilePath + acctName;
entry.CommitChanges();
entry.Close();
}
}
}

As you can see, you use the extension in the same manner as you would any ADSI statements. A key item to consider is, the properties that the Terminal Service User component exposes is not directly mapping individual AD attributes. Common with ADSI, when calling these methods to load the property values of the ADSI object, it stores this information into the property cache of the directory store. Only until the IADs::SetInfo method is called (or something equivalent), the property value changes are saved.

This component consists of one DLL (TSUSEREX.DLL), located within the %SystemRoot%\System32 directory. In order to use the IADsTSUserEx interface, you must reference this assembly within your project. The link below provides a table that lists the property methods of the IADsTSUserEx interface.

IADsTSUserEx Property Methods Details

My original goal is to eventually build an XMA for auxiliary attributes; however the core requirement to do that is to identify a method to access (read/write) these attributes.

Limitations of Office Integration in a Federated SharePoint Configuration

For the past year, I've worked on a few ADFS projects that have incorporated SharePoint 2007 and the number one issue that seems to always come up are the limitations in Office integration. This isn't something new; we actually experienced it in ADFSv1 and there is even a KB Article which describes which features are lost.

KB 912492 - Windows SharePoint Services and SharePoint Portal Server 2003 Support boundaries for Active Directory Federation Services

With ADFSv2, yes this KB article still applies; however you still get many of the features which operate exclusively through a web browser. Users can still download and upload files, search, and view or edit lists, etc. The problem is not within ADFS nor SharePoint; it's within the Office client which cannot process authentication cookies.

I guess the point I'm trying to make is, you have to re-evaluate the original initiative for exposing SharePoint 2007 as an Internet facing application; partner/customer integration.

From a business perspective, federating applications is much cheaper than managing VPN connections or external (partners) users not even under your domain. In many aspects, it can also be more secure. I mean, all the traffic is being communicated over SSL, right. In my experience, many ADFS customers are able to utilize SharePoint effectively just using the browser with Web SSO.

Believe it or not, this does provide benefits. First of all, IT is able to maintain strict control over what parts of their network can be accessed by partners, therefore eliminating significant problems caused by common practices of managing local accounts/passwords for partners within the DMZ. Just that reason alone reduces the attack surface for Internet facing applications. More reasons would be to,

• Reduce or prevent IT overhead for password management of external users/partners.
• To prevent a bad user experience when they forget their password and call their local helpdesk for help instead of the partner site they are trying to access.
• Prevent the loss of user productivity when they have to request and wait for remote accounts to be created before they can start working with a federated partner.
• Severe security vulnerabilities when external users are terminated by their enterprise/organization and partners do not receive notification to remove their accounts.

At the end of the day, Information Security must measure what options are readily available to keep their customers productive while still honoring security.

Learning Microsoft Identity Management

The world of identity management (IdM) is very broad with many angles for misinterpretation. For those who know me, I frequently refer to identity management NOT as a product but a framework. For the past 3 years, the world of identity has been my home which has allowed me to work on some very challenging projects and do some very cool things with a variety of clients across all industries. As with many like me that enjoy the intoxication for managing the digital identity, my journey started with learning Microsoft Identity Integration Server 2003 (MIIS 2003). To this day, I get asked and I still see many questions on the forums looking for guidance on where to start researching….although there is much more documentation and resources out now, it is still kind of all scattered which can definitely frustrate the new comers. I'm going to attempt to list the key documents that provide the best details for starting off an identity and access management career. BTW – If you find this article of interest and find other documents which should be included that I may have missed, please email me and let me know.

The first step is to get a generalization of what identity management is. There are many web casts out now which may ignite the curiosity, however many are in the mists of identity chaos without even realizing it. A very good 15 page document which provides a quick and neutral introduction to IdM is, Spencer Lee's "An introduction to Identity Management."

Additionally, there are many key sites that speak on MIIS and Identity Management. Just googling "MIIS 2003," you're bound to come up on MIISExperts.org which can be considered the "Holy Grail" of MIIS sites. This site probably provides the most information next to MSDN.

The FAQs on MIISExperts.org answers the question of how do I learn IdM by doing 3 things:

1. Take the time to get trained.
   
2. Read the FAQs
   
3. Join the newsgroups and start lurking, or jump right in and start posting questions.
   

In the old days, all we had was the MMSUG newsgroup and a few technical documents; today the online resources unlock a treasure of information and it's just a matter of investing the time in learning the technology and understanding how and where to apply it. For many, the best way is attending the official course provided the by the boys from OCG. These courses are worth every penny because not only do you learn from experts in the field of IdM; they are the authors of the official curriculum and active implementers in the field. There are more course offered, however the

• Designing and Deploying MIIS 2003
  
• MIIS 2003 Advanced Implementer and Developer Course
  

For on-line resources, obviously you can look to the product's homepage; however most of the key documentation probably of value to you would be in the Microsoft Identity Integration Server Technical Library. Here you'll find guidance in properly planning, designing, deploying and maintaining an MIIS implementation.

• Planning and Architecture (Use this documentation set as you plan your MIIS 2003 deployment to help you design the most secure and optimal MIIS solution for your needs, initiate your project, design the system data flow, plan synchronization rules, and address configuration settings.)
  
• Deployment (Includes information about recommended deployment scenarios for MIIS 2003 including how to upgrade from the previous versions and also solution guides that provide deployment information for uncommon scenarios)
  
• Operations (This documentation set includes "How To" guides and other documents that provide discussions and recommended solutions for specific challenges that you encounter when using MIIS 2003.)
  
• Technical Reference (This documentation set provides in-depth information about MIIS 2003 components, architecture, identity management process, synchronization rules, run profiles, and details about event-based and state-based identity management architectures.)
  
• Development (Administrators and developers can create rules extensions that use the Microsoft .NET Framework. To understand the information in this Developer Reference, you must be well familiar with MIIS 2003. )
  

Once the foundation is set, you'll probably be extremely anxious to get this thing running to cure all your pains from the sickness of identity chaos. Well, the best way is to use the walk-troughs. This collection of documents is really good because it allows you to install and configure each function of MIIS from general identity synchronization to password management topic. After completing the scenario walkthroughs, you can proceed with the more advanced Microsoft Identity and Access Management Series 1.4. This collection provides a very true configuration for and enterprise implementation of MIIS. Additionally the sample code can be used as a reference to build your own solutions.

MIIS 2003 Scenario Walkthroughs (Download from source)

Microsoft Identity and Access Management Series 1.4

Note: For a more technical collection of documents for techniques, you should review the following functional and design documentation. This set details the essential concepts of event- and state-based architectures and the core components, architecture, identity management process, synchronization rules, and run profiles featured in MIIS 2003

Microsoft Identity Integration Server 2003 Functional and Operational Reference

MIIS 2003 Design Concepts

A summary of the design concepts typical in any MIIS implementation is addressed in these documents.

• MIIS 2003 Design Concepts for Reference Attributes
  
  This document explains how reference attributes are processed by MIIS 2003 for direct attribute mapping scenarios and provides a conceptual explanation of a custom solution for advanced mapped reference attributes. It also includes design recommendations for both direct and advanced mapped attributes.
  
• MIIS 2003 Design Concepts for Correlating Digital Identities
  
  This document discusses considerations for mapping attributes across different identities and configuring joins based on your business requirements. It introduces the concept of Correlation ID and explains how you can deploy a Correlation ID to establish strong object relationships in your identity integration solution.
  
• MIIS 2003 Design Concepts for Implementing IFunctions
  
  This document introduces the concept of object-level identity functions (IFunctions) in an identity integration scenario, discusses possible implementation options, and also provides implementation recommendations.
  
• MIIS 2003 Design Concepts for Implementing Reverse Joins
  
  This document discusses some of the common reverse join implementation approaches for synchronizing identity objects in MIIS 2003. It provides two solutions for implementing reverse joins- reverse joins based on Transient management agents and reverse joins based on Auxiliary management agents.
  
• MIIS 2003 Design Concepts for Advanced Solution Components
  
  In this document, you will learn about "process-level attributes" and "conditional metaverse objects" to improve the convergence efficiency of the identity integration process, and how you can use "operational management agents" to isolate metaverse objects requiring special attention. The "auxiliary management agents" section discusses how you can implement a custom reprocessing solution.
  

Once you've become proficient in MIIS, of course there's a learning path for this profession. It's always been my belief that although Identity Management is typically used to support application authentication and authorization, it's heavily influences and complements the security of any infrastructure. Microsoft recently published the learning paths for each practice as seen in the attached link. Additionally, this link contains all the on-demand web casts published for Identity and Access Management.

• Learning Paths for Security (Identity and Access Management)
  
• Identity and Access Management Learning Resources
  

Now that you're a pro at identity management, join the newsgroups and start contributing to the communities!

• [Forum] Yahoo MIIS Users Group
  
• [Forum] TechNet Forums – MIIS
  
• [News Group] Discussions in microsoft.public.metadirectory
  

Because the identity management is still evolving, there is still a lot of information to learn. This technology is like a living creature that grows as fast as innovations permits it. The upcoming versions ILM 2007 and ILM"2" are the future. Jump on board and train of evolution and hang on, because you're going to be in for a ride!

Evolving further into Identity Lifecycle Management (Automated Identity and Access Management)

Identity Lifecycle Management Information Protection Federated Identity Strong Authentication Directory Services