Friday, November 21, 2008

ILM 2 RC0 – Creating OVC for ActivityInformationConfiguration

One of the things that has changed in the Release Candidate is that you no longer have to edit the Microsoft.IdentityManagement.Activities.arp file; in fact it is gone entirely. As of RC0 this file is replaced by the ActivityInformationConfiguration object, which performs exactly the same role. So, after building your workflow, registering it in the GAC, and restarting the Microsoft Identity Lifecycle Manager Service, you will need to create one of these objects and then define your WF activity parameters. All of that will be covered in more detail in the next release of our workflow walkthrough document. For now, I wanted to concentrate on the object creation itself, since RC0 didn't ship with any OVC definitions to Create, Edit or View the new object type. I've created the definitions for you and you can download the OVC XML here:

Now you will need to create three new OVC definitions using the following figure as a template:

  • Go to Administration, Object Visualization Configuration, and click on New
  • Set the Display Names to:
    • Configuration for Creating Activity Information Configuration
    • Configuration for Editing Activity Information Configuration
    • Configuration for Viewing Activity Information Configuration
  • Set Target Object Type to ActivityInformationConfiguration
  • For Configuration Data, click Browse and select the appropriate XML file you downloaded earlier
  • Check the box that corresponds to the OVC you are configuring (Create, Edit or View)

In the end you'll have three new OVC configurations; for example, the Edit one should look like so:

Once you are done creating these objects, run an IISRESET on the portal server to refresh the configuration. Now you're ready to add your custom WF activities to the portal:

  • Go to Administration, All Resources, and click on Activity Information Configuration
  • Click New, and you should see the Create OVC.


You can also edit or view an existing entry.

That’s it, enjoy!

Tuesday, November 18, 2008

Download details: ILM "2" RC Demo Hyper-V VHD

The fully installed VHD for ILM 2 is back and updated for the Release Candidate. Also different this time around is the dependency on Hyper-V; you can no longer run this as a Virtual Server 2005 or Virtual PC image. Also gone are all of the older 32-bit dependencies; the VHD is now 100% x64. You will need the following in order to run the new VHD:

  • Windows Server 2008 with Hyper-V (running on Hyper-V capable hardware obviously)
  • 8GB memory is recommended, 4GB minimum
  • 60GB of disk space

If you are participating in TAP/RDP or just doing your own internal testing, you'll want to have this VHD loaded and available. I don't suggest doing your development or testing on this VM; however, when you run into an issue in your own environment you will want to fire this puppy up and see if you can reproduce it here. Why? Because once you've opened your bug on Connect you'll want to give concise instructions on how to repro it, and being able to repro it on the VM will make it much easier for the devs to isolate the issue. A bug that requires them to duplicate your environment will take time and may drop in priority.

Why don’t you want to use this as your testing environment? Well, the VM is a self-contained environment featuring all of the following roles installed on the same server:

  • Active Directory Certificate Services
  • Active Directory Domain Services
  • DNS Server
  • File Services
  • Web Server (IIS)

Although not a role, the server is also a self-contained Exchange 2007 server with the Hub Transport, Client Access, and Mailbox roles installed. In addition, it's also running SQL Server 2008, and since we're on a DC, all of the service accounts are running with elevated privileges. For instance, the service account responsible for the ILM 2 Web Services (ILMService in the VM) is running as a Domain Admin, which isn't something you should do in a real deployment and which will mask the permission errors you would normally see in a least-privilege environment.

This is a DC/CA/Web/SQL/Exchange server, hence the need for 4-8GB of memory. To top it off, this is evaluation software, so parts of the image will expire 90 days (Exchange) or 180 days (Server 2008 Enterprise) after its inception on 11/2/2008. You will get pestered by activation warnings as well, a challenging task given the self-contained nature of the image. I would recommend changing the OS product key to one of your MSDN licenses (assuming you have an MSDN/TechNet subscription) to remove the OS time bomb. To do this, first configure the adapter within the VM to use a valid IP on your Hyper-V network, connect and activate, then reset the adapter configuration back to the required 192.168.1.100 settings specified in the PDF file.


Thursday, November 13, 2008

ILM 2 RC0 – Access Denied when adding a custom attribute to a Filter

So, you've added some nifty new attributes to a new or existing object in the ILM Service Database and now you're trying to use one of them in a filter, perhaps in a Dynamic Set definition; you hit Submit and you get an Access Denied?


You can find out why this failed by checking Search Requests and opening the failed request.


Notice the "Filter validation failed for request" message. Clicking the Applied Policy tab shows which policies affected the operation:


If you click the hyperlink for Modify Filter Subject to Administrator Filter Scope you can follow the object all the way to the Workflow responsible for this behavior, Filter Validation Workflow for Administrators. You'll notice there is an admin and a non-admin filter; opening the admin version lets us take a peek at what the filter is doing:


Hopefully the virtual light bulb has gone off now: the validation workflow only accepts a filter whose attributes are all permitted by the Filter Scope that applies to the requestor, so when you extend the schema you will probably need to add the new attributes to the relevant Filter Scopes (the administrator one and the non-admin one) before they can be used in filters. Otherwise you will get the Access Denied error.
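As an added illustration, not the Filter Validation Workflow's own code and not an API ILM exposes: a small Python check that pulls the attribute names out of an XPath-style filter and compares them with the attributes a Filter Scope permits, so a filter can be vetted before it is submitted. The permitted attribute set and the sample filters are constructed for the example; the regular expressions are a deliberate simplification of the XPath grammar.

```python
import re

# Constructed stand-in for the attribute list of a Filter Scope (hypothetical
# values; a real scope's list comes from the Administrator / non-admin Filter
# Scope objects in the portal).
ADMIN_FILTER_SCOPE_ATTRIBUTES = {
    "AccountName", "Department", "DisplayName", "Email", "Manager", "ObjectType",
}

# XPath keywords that are not attribute references.
_KEYWORDS = {"and", "or", "not", "true", "false"}


def referenced_attributes(xpath_filter: str) -> set:
    """Return the attribute names a filter such as
    /Person[Department = 'IT' and starts-with(DisplayName, 'A')] refers to.

    Approximation, not ILM's parser: literal values, function names and the
    leading object-type step are stripped, and whatever identifiers remain
    are treated as attribute references."""
    body = re.sub(r"'[^']*'|\"[^\"]*\"", "''", xpath_filter)  # drop literal values
    body = re.sub(r"\b[\w-]+\s*\(", "(", body)                  # drop function names
    body = re.sub(r"/\w+", "", body)                            # drop /Person, /Group, ...
    return {tok for tok in re.findall(r"[A-Za-z_]\w*", body) if tok not in _KEYWORDS}


def filter_violations(xpath_filter: str, allowed: set) -> set:
    """Attributes used by the filter that the given Filter Scope does not
    permit; a non-empty result is what ends up as 'Filter validation failed'
    and, at the UI, Access Denied."""
    return referenced_attributes(xpath_filter) - set(allowed)


if __name__ == "__main__":
    # EmployeeID is a constructed schema extension that was never added to
    # the scope, so this filter would be rejected.
    new_set_filter = "/Person[Department = 'IT' and EmployeeID = '123']"
    print(filter_violations(new_set_filter, ADMIN_FILTER_SCOPE_ATTRIBUTES))
```

The fix the post describes is then mechanical: every attribute the function reports has to be added to the Filter Scope before the set definition will go through.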

Wednesday, November 12, 2008

ILM 2 RC0 – Contributing groupType via Codeless Provisioning

So, you want to set the groupType attribute on an AD group but all you have to work with are the scope and type attributes on the ILM 2 group object. To make matters worse, they are both String types and groupType wants an Integer, and not just any integer: it is a bit field in which the scope and the security-enabled flag are separate bits. To solve this you need to assemble the value from the values present in scope and type. To understand what you need to assemble, review the schema definition for groupType. We need a mapping in our Sync Rule that transforms the data on the fly, so let's see if Codeless Provisioning is up to the task.

Now this approach might seem like the logical way to approach this:

IIF(CustomExpression(Eq(scope,"Global")),2,0)
+
IIF(CustomExpression(Eq(scope,"DomainLocal")),4,0)
+
IIF(CustomExpression(Eq(scope,"Universal")),8,0)
+
IIF(CustomExpression(Eq(type,"Distribution")),0,2147483648)
…but it doesn't work. When you join values with "+" they are always concatenated as strings, never added as numbers. What we need to do instead is nest the IIF statements like so:
IIF(Eq(type,"Distribution"),IIF(Eq(scope,"Universal"),8,IIF(Eq(scope,"DomainLocal"),4,IIF(Eq(scope,"Global"),2,0))),IIF(Eq(scope,"Universal"),-2147483640,IIF(Eq(scope,"DomainLocal"),-2147483644,IIF(Eq(scope,"Global"),-2147483646,0))))
…but it's not exactly intuitive. The negative constants in the security branch are just the security-enabled bit (0x80000000) combined with the scope bit, written as the signed 32-bit integer AD stores in groupType. There are currently no arithmetic functions for adding two Number values, nor any functions for adding date values; both are major oversights in the current release. Below is an example of the Outbound Sync Rule; however, the groupType value is not displayed accurately. You should be able to copy and paste the above rule directly into the flow definition once you choose CustomExpression. Voila, now you no longer need two separate Sync Rules to flow one attribute. Thanks go to David Lundell and Andreas Kjellman for helping to puzzle this one out.
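As an added example, not part of the original post and not the ILM expression language, here is the same mapping in Python: it assembles groupType from the scope bit and the security-enabled bit, reinterprets the result as the signed 32-bit integer AD stores (which is where the negative constants in the nested IIF come from), decodes a stored value back into scope and type, and mimics the string concatenation that sinks the first attempt. The scope and type strings are the ones the post uses; the bit values are AD's ADS_GROUP_TYPE_* flags.

```python
from typing import Tuple

# AD groupType flag bits (ADS_GROUP_TYPE_* values).
GROUP_SCOPE_BITS = {"Global": 0x2, "DomainLocal": 0x4, "Universal": 0x8}
SECURITY_ENABLED = 0x80000000


def to_int32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value as the signed int32 AD stores."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type(scope: str, type_: str) -> int:
    """Equivalent of the nested IIF: a Distribution group carries only its
    scope bit; anything else gets the security-enabled bit folded in."""
    bits = GROUP_SCOPE_BITS.get(scope, 0)
    if type_ != "Distribution":
        bits |= SECURITY_ENABLED
    return to_int32(bits)


def decode_group_type(value: int) -> Tuple[str, str]:
    """Inverse mapping, useful when reading groupType back out of AD."""
    unsigned = value & 0xFFFFFFFF
    type_ = "Security" if unsigned & SECURITY_ENABLED else "Distribution"
    scope = next((name for name, bit in GROUP_SCOPE_BITS.items() if unsigned & bit), "Unknown")
    return scope, type_


def concatenated_attempt(scope: str, type_: str) -> str:
    """What the first, non-nested expression effectively produces: the four
    IIF results joined as text instead of summed (illustration of the
    failure mode, not the sync engine itself)."""
    parts = [
        "2" if scope == "Global" else "0",
        "4" if scope == "DomainLocal" else "0",
        "8" if scope == "Universal" else "0",
        "0" if type_ == "Distribution" else "2147483648",
    ]
    return "".join(parts)


# The constants hard-coded in the nested IIF expression above, so the
# bit arithmetic can be checked against them.
EXPRESSION_CONSTANTS = {
    ("Global", "Distribution"): 2,
    ("DomainLocal", "Distribution"): 4,
    ("Universal", "Distribution"): 8,
    ("Global", "Security"): -2147483646,
    ("DomainLocal", "Security"): -2147483644,
    ("Universal", "Security"): -2147483640,
}


def expression_constants_match() -> bool:
    """True when every constant in the codeless expression equals the bitwise result."""
    return all(group_type(s, t) == v for (s, t), v in EXPRESSION_CONSTANTS.items())


if __name__ == "__main__":
    for (scope, type_), expected in EXPRESSION_CONSTANTS.items():
        print(f"{scope:12s} {type_:13s} -> {group_type(scope, type_):>12d} "
              f"(expression: {expected}, concatenated: {concatenated_attempt(scope, type_)})")
```

The decoder is the part worth keeping around: a group whose groupType decodes to ("Universal", "Security") when the portal says it should be a distribution list is exactly the kind of discrepancy a mis-assembled flow produces.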

Monday, November 03, 2008

ILM 2 Release Candidate Released

It's out, the docs are updated, now get to work!

I am certainly glad to see the "managed:" moniker go away but the requirement for SQL Server 2008 has me concerned. Will adoption of ILM 2 be stalled because of this requirement?

Thursday, October 16, 2008

Active Directory Cookbook 3rd Edition Available for Pre-Order

The tech reviewers completed their reviews of the updated ILM chapter and I've put the finishing touches on it myself and submitted it to the publisher. I see now that you can pre-order the book through Amazon, and O'Reilly's site lists an estimated publication date of December 2008.
In the updated chapter on ILM 2007 is a primer on how the synchronization engine works followed by the list of recipes. Among the list of recipes are the following new recipes available only in the 3rd edition:
  • Extending object types to include a new attribute
  • Previewing changes to the ILM configuration
  • Committing changes to individual identities using the Commit Preview feature
  • Passing data between rules extensions using transaction properties
  • Using a single rules extension to affect multiple attribute flows
  • Flowing a null value to a data source
  • Contributing a UTCCodedTime attribute in Active Directory
  • Importing and decoding the accountExpires attribute
  • Exporting and encoding the accountExpires attribute
It's too bad the ILM 2 beta wasn't farther along (beta 2 was out when I completed my first draft) or else we might have squeezed in a chapter on some of the new features available in the ILM Service Database (aka the Portal app).