ADdict

Quick Tip: Change the Shift Lock Behavior

2012-01-26T08:39:00.001+01:00

One of the things I never really noticed is the change in the behavior of the Shift Lock keys over the years. Somewhere it seems to have changed. I use it very rarely, but some users do. The complaint we received was that in the past they could just tap shift and it would unlock the shift lock, whilst now they really had to touch the shift lock again. Well it seems it’s actually pretty easy modify this behavior:

Open the Region and Language section in the control panel, choose they Keyboards and Languages tab and then click Change keyboards

Now pick the Advanced Key Settings tab:

Source: How to turn off the CAPS LOCK key

ADFS: WebSSOlifetime vs TokenLifetime

2012-01-06T09:54:00.001+01:00

~~I’m currently facing an issue~~ I had some issues in the past with an ADFS deployment using ISA as an ADFS Proxy. We use ISA for the following reasons:

It allows us to do all kinds of authentication. For instance we are using BE-ID to authenticate users.
The customer already has ISA so we save out a server by not using the ADFS Proxy itself.
There’s no federation with other IDPs so we don’t have to do any fancy home realm discovery.

Now the problem we were seeing was that whenever the ISA session timed out, the user was presented with the ISA Forms Based Authentication (FBA) logon screen. If the users were to choose another identity, he would still appear as the original user towards the ADFS enabled application.

This makes totally sense as the client also got ADFS tokens and they have other timeouts than those configured on ISA. This post will try to explain some relevant parameters from the ADFS side. I’m not saying the defaults aren’t good, that’s something you’ve got to decide for yourself.

WebSSOLifetime (Default 480 = 8 hours)

This parameter is server-wide. Meaning if you configure it, it’s active for all of the ADFS relying parties. Whenever a user asks a token for a given RP he will have to authenticate to the ADFS service first. Upon communicating with the ADFS service he will receive two tokens: a token which proves who he is (let’s call that the ADFS Token) and a token for the RP (let’s say the RP Token). All in all this seems very much like the TGT and TGS tickets of Kerberos.

Now the WebSSOLifetime timeout determines how long the ADFS token can be used to request new RP Tokens without having to re-authenticate. In other words a user can ask new tokens for this RP, or for other RP’s, and he will not have to prove who he is until the WebSSOLifetime expires the ADFS token.

TokenLifetime (Default 0 (which is 10 hours))

The TokeLifetime is now easy to explain. This parameter is configurable for each RP. Whenever a user receives a RP Token, it will expire at some time. At that time the user will have to go to the ADFS server again an request a new RP token. Depending on whether or not the ADFS Token is still valid or not, he will not have to re-authenticate.

One argument to lower the TokenLifetime could be that you want the claims to be updated faster. With the default whenever some of the Attribute Store info is modified, it might potentially take 10 hours before this change reaches the user in its claims.

I wrote this post because I struggled with this myself and I found not that much information. There’s some information available in the SharePoint 2010 context, but I feel like these parameters aren’t explained enough. I have to admit that the above came clear once I saw one of the ADFS sessions at The Experts Conference of Laura E. Hunter and Brian Puhl. Thanks both for your great sessions!

Exchange ActiveSync and Owner Rights Permissions

2012-01-04T19:14:00.001+01:00

One of the problems with delegating permissions for a file system or Active Directory objects is the fact that the creator of the object is also the owner of an object.

Suppose you got someone who is a member of a group which grants him permission to create objects. This delegation would set the user who created the object as the owner of that object. Because he’s the owner he has full control regardless the delegation which is configured. Now suppose this person is removed from the group for one reason or another. In that case that person still has full control on the object he created because he is “owner”!...

This is where owner rights come in. You can restrict what permissions you get when you are the owner of the object. At my customers site this was configured to be just “read”. The owner rights principal is something from Windows 2008 and onwards. So when you are member of the group which got delegated permission you got: delegated to group permissions + owner right permissions = full control + read.
However once you are removed from the delegated group you have owner right permissions = read

Here’s some info from TechNet: http://technet.microsoft.com/en-us/library/dd125370(WS.10).aspx

How did we apply it in our environment?:

Added the “Owner Rights” entry with the following SACL on some top level OU’s: “Read (List Contents, Read all properties, Read permissions)” on “this object and all descendent objects”

So how does Exchange ActiveSync (EAS) comes into play? Well we seemed to have issues when user wanted to configure their device. They’d Always seem to end up with an error. On the CAS server we had the following error:

Log Name: Application

Source: MSExchange ActiveSync
EventID: 1053

Exchange ActiveSync doesn't have sufficient permissions to create the "<user object distinguished name>" container under Active Directory user "Active Directory operation failed on <Domain Controller FQDN>. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ". Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations

I don’t have the time right now to go deeper into the troubleshooting process and the solution. In short this is what we noticed and what we did:

Whenever a user tries to configured an ActiveSync device, an object is created in Active Directory below the user object. More specifically a msExchActiveSyncDevices container object. And below this one an object is created for each device configured with ActiveSync.

User [e.g. JohnDoe001]

msExchActiveSyncDevices [container]

msExchActiveSyncDevice [device#1]
msExchActiveSyncDevice [Device#2]

The problem here is that the security for a newly created msExchActiveSyncDevices object is not correct. The Exchange schema prep should add the Exchange Servers with some permissions. In an environment without the Owner Rights configured everything works as the Exchange Servers are also the owners of these objects and thus have full control permissions.

The following procedure was performed so that we could leave the Owner Rights in place

Right-click the domain root and choose properties. Open the security tab:
Advanced => Add
Select the “Exchange Servers” principal
Check the permissions as shown in the screenshot:

List contents
Read all properties
Write all properties
Read Permissoins
Modify Permissions
Modify Owner

Make sure to select “Descendant msExchActiveSyncDevices” in the Apply to section.

Windows 7: Configure RSAT Fails

2012-01-04T19:05:00.001+01:00

Recently we installed the KB (KB958830) which adds the Remote Server Administration Tools (RSAT) to a Windows 7 computer. Installing this KB is a two step process: first you install the bits, afterwards you enable the required tools in the Turn Windows features on or off section of the Windows Configuration Panel.

In our case adding tools like Active Directory Users & Computers (ADUC) went fine, but we were unable to add the Active Directory Administrative Center:

Clicking OK starts the configuration of the selected components:

Which finally result in:

In words: An error has occurred. Not all of the features were successfully changed.This is followed by a prompt to restart the computer. In my case I ignored this. After some googling I started suspected are favorite trouble-causer: Antivirus. So I started the McAfee console as an Administrator, unlocked the interface and disabled the On Access Scanner. Remark: in order to do so you first need to stop the Access Protection.

And now I could check the Active Directory Administrative Center and the configuration finishes gracefully… Probably some exclusion would fix this for good, however for now I lack time to dig deeper…

Also related, in the Event Log, below the Setup section, I found the following event entry:

Update RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter of package KB958830 failed to be turned on. Status: 0x80070643.

Perhaps this might help people finding this post faster.

SCDPM: Backup SQL and Truncate SQL Logs

2011-12-23T08:54:00.001+01:00

First off it’s been a while since I added a new post. I’ve been busy for work with non technical stuff… So less war stories to blog about :( Also I’ve got zero practical experience with SCDPM, all I found out below is from my google skills.

Lately one of my customers had a FIM Service service outage. Quickly we found out the SQL transaction log was completely filled up and had no more room to expand… Not really a healthy situation. They have System Center Data Protection Manager in place which is configured to take backups on a regular base. Now what we were seeing is that the SQL log was never releasing any space. So the free space within the file became smaller and smaller.

Now for the sake of clarity, in a typical scenario if you take a backup of a DB you are supposed to make sure the log is truncated. Do not confuse this with shrinking. Shrinking is making sure the log file itself is smaller in size. Shrinking is something which you don’t have to do on a scheduled based. Truncating on the other hand is making sure there's more free space within the file. If you fail to do this the file will keep on growing and growing regardless the size of your database.

As a side note, for this to work the database has to be in full recovery mode, if that’s not the case transaction logs aren’t stored anyhow. And you don’t need to do anything specific.

This is how the backup was configured before our changes:

This was obviously not good as we had a full log file. At first sight I didn’t found anything in the DPM GUI so I did some research and I came up the following statements:

Have you scheduled to take incremental backups for the SQL Server databases? Express full backups do not truncate logs. Incremental backups which are in fact log backups truncate logs. [http://msgroups.net/microsoft.public.dataprotectionmanager/DPM-transaction-logs-truncation-on-SQL-Server]

Ok, so we need Incremental backups, now where’s that checkbox…

SQL will truncate the logs files after each DPM Synchronization (incremental backup). However truncation is not the same as shrinking. Once a log file grows, you will need to shrink it manually. If the time between synchronizations is set for something like 12 or 24 hours, then the log file has already grown and you will need to shrink it manually, then reduce the synchronization period to keep it to a reasonable size. If the synchronization selection is ‘Just before a recovery point’ then incremental backups won’t get scheduled. This option is a way of telling DPM, that the user is interested only in express full backups and not incremental backups. [http://social.technet.microsoft.com/Forums/en-US/dpmsqlbackup/thread/f81f0ea7-cfd6-4e8f-a3e3-9ae4d207eabd]

So the following setting was modified:

Here’s a screenshot of the log file size before:

And here after one of the synchronization runs, you can clearly see that the log file has been truncated and thus the free space is nearly 100%. As expected! As we set the interval to 15’ this happened really fast.

Outlook: Cannot Send This Item

2011-10-25T20:53:00.001+02:00

A customer of mine was struggling with the following error in Outlook:

Microsoft Outlook: Cannot send this item

It started appearing after they introduced a new Exchange 2010 infrastructure and had migrated some pilot users from their Exchange 2003 environment. At first the repro we found was: start a new mail, type some random stuff in it and then wait. After some time (10 – 15’) hit send and see if you get the error. Now that was really lousy to reproduce…

On the internet we found a workaround: whenever the error would popup, you can choose the “Format Text” tab en switch between HTML and Rich Text. Then just hit send again.

We weren’t satisfied though, because of this formatting workaround we were suspecting a problem with the html of the signature in the mails. We found a hotfix regarding GIF images and outlook but that didn’t seemed to solve it. Besides that, our issue wasn’t always reproducible and time seemed to be a factor… So we shifted away from the formatting issues and looked further.

After some network tracing, lots of coffee and patience we seemed to have found the culprit. By clicking right on the outlook tray icon (while holding ctrl down) you can view some connection statistics:

And:

The picture is a bad example as I’m actually disconnected, but you get the idea. What we were seeing was that we had quit some failed requests. However this wasn’t really noticeable in the Outlook from the user point of view. Now we could reproduce our problem by opening several mails and just waiting until a failure popped up in the statistics. After such a failure we couldn’t send any of those mails we had open.

Once we learned this, we involved some networking guys to check all involved devices: firewalls, load balancers, … and they found out some device was malfunctioning (dropping packets).

Summary: if you are hitting the “outlook cannot send this item” error. Don’t go for the easy workaround by learning your users to change the format back and forth. In stead do some troubleshooting and check the health of your network, at least if you are seeing connection failures in the statistics…

Exchange 2010 SP1: Split Permissions

2011-10-24T22:07:00.001+02:00

This evening I was installing an Exchange 2010 SP1 in a Lab environment which didn’t had Exchange before, and when going through the installation wizard I came across a checkbox I hadn’t seen before:

If I read the documentation correct, this could be an answer for those environments where Exchange management tasks are performed by an other team than the typical AD user management tasks. Here’s some TechNet info on the subject:

This might come in handy whenever you are designing your delegation model for an Active Directory environment.

Win 8 Client (Dev Preview): Manage Wireless Networks, Where Art Thou?

2011-10-24T21:22:00.001+02:00

When I started using Windows 8 I wanted to manually define a Wireless Network to connect to. Win 8 really does it best to make this as dummy proof as possible. One of the options I was missing was an overview of all networks I had been connected to in the past. In fact this is what I was looking for:

I might be missing the obvious, or It might be hidden somewhere in the new shiny Metro UI, but I didn’t found it. Here’s how you can start it:

just copy paste “explorer.exe shell:::{1fa9085f-25a2-489b-85d4-86326eedcd87}” in your start – run or a command prompt.

If I ‘m correct, I believe in Windows 7 you can find a shortcut to this in the Network and Sharing Center.

Windows 8 (Dev Preview): Install A Domain Controller

2011-10-22T17:09:00.001+02:00

As I’m curious what might have changed in the Windows 8 Developer Preview I decided to promote a server to a Domain Controller. As I’ve done plenty times before I just did “start – run – dcpromo”:

However this time a message pops up that we can no longer do this and have to use the Server Manager experience. Fine by me.

So off we go: the Server Manager has been revamped and extended. Just click add roles.

There seems to be a scenario-based installation,but that’s just for Remote Desktop Services.

Some fancy server selection options.

Just Check AD DS

Required features to be added

Now this is convenient: you get the choice to add some additional features on your way out

Install

Tumdidum

Ready

Back in the server manager we will see a message saying we now need to execute the domain controller configuration part.

Click it, you’ll see an overview of pending tasks.

Scroll to the right and click “Promote this server to a domain controller”
Choose a name for your root domain

I just picked the new Windows Server 8 DFL/FFL

Defaults for my lab or just fine

Now we are presented with an overview of the settings. Read carefully, it says: “The NetBIOS name of the domain: automatically calculated”. Often this might be just fine, but whereas in the past you could specify it in the GUI when following the advanced route, now we will have to go command line.

And very nice: the view script button shows us the outcome of our clickings in the equivalent PowerShell script:

When clicking next some prerequisites are checked. The outcome was red, I didn’t saw that one coming. It seems to be complaining about the DFL I picked…

Back to the DFL selection I lowered it to Windows 2008 R2 and went forward again.

All is fine now.

However I backed out the GUI as I wanted to try to PowerShell script:

#
# Windows PowerShell Script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSForest `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2008R2" `
-DomainName "addict.local" `
-DomainNetBiosName "ADDICT" `
-ForestMode "Win2008R2" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-RebootOnCompletion:$false `
-SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt "Enter Password") `
-SYSVOLPath "C:\Windows\SYSVOL"

I could have set "RebootOnCompletion”, but I wanted to see the result of the command.

After rebooting I decided to check the DFL/FFL raising again:

So I guess we will have to wait for that. In the near future I might be adding additional postings regarding Windows 8 Server. However this is all pretty early and stuff might be left out in the final version of course.

ISA 2006/TMG 2010 Link Translation: Replace Something With Nothing

2011-09-19T19:57:00.001+02:00

Recently I assisted a colleague in a case where they had to publish some web service using ISA 2006. Now the problem was in fact that their was a lot of legacy code/folder structure and for the publishing to work we had the following mapping configured:

external: /* –> internal: www.customer.com/*

Jep, that does include dots in the 2nd level folder… Basically if you retrieved an URL like http://www.publicurl.com/homepage.html it would contact the internal webserver at http://srvweb01.custdom.local/www.customer.com/homepage.html The problem we were seeing is that some of the returned HTML page still contained paths like <script=”/www.customer.com/scriptresource.axd?aze232LKJ22LJ”. So that problem is the explanation of this post. We wanted to replace /www.customer.com with nothing. ISA was configured to add that path to internal requests anyway…

The translation table on which ISA/TMG base their logic is built from the mappings specified by the publishing rule. But one can add as many custom translations as desired.

Now if you take the link translation tab, you can click the Mappings button. You’ll see all the mappings ISA is currently maintaining. They were all preceded by http://srvweb01.customer.local We wanted to add a mapping which replaced /www.customer.com with “” [nothing]. We really just wanted to get rid of it… However in the to field you are obliged to enter something… So TechNet to the rescue! I posted my question up on the forums and got some good tips really fast: ISA 2006:Link Translation: Replace Part of path with nothing

Tip #1: replace ="/folder with ="/

Tip #2: replace /folder with /.

I’m not sure which options my colleague tested, but he reported back that a small variation, namely “”/www.customer.com" with “””. Only use what’s between quotes, including the leading “.

Thanks Kai and f3rrix!

Provisioning Mail Enabled Users with FIM 2010

2011-09-10T16:03:00.001+02:00

Using FIM it’s easy to provision mailboxes for users. In my current project we also needed to provision mail enabled users. The difference between a mailbox enabled and mail enabled is that the latter only has an email address associated with it’s account. The mailbox is typically located at an external organization.

Here’s a table from Exchange Provisioning using ILM 2007 and FIM 2010

It shows which attributes to flow for each recipient type. As we are going to provision mail enabled users we only need to flow

mailNickname
targetAddress

I like to use the sAMAccountName for the mailNickname. The reason why we wanted to mail enable some users is that we’d want external users (like consultants) to appear in the GAL. The customer itself was using a (fictive) domain like @internalAD.local.

At first I had my rules configured as:

sAMAccountName –> mailNickname
TargetAddress –> targetAddress

Where TargetAddress has values like “thomas@setspn.com”.

The result:

While it looks ok at first sight, when you look for the user in the GAL, it will appear with an e-mail address of the customer his address space... Not exactly what we were looking for.

I did some testing using the Exchange Management Console, and the what I wanted to achieve seemed to be possible using the GUI, I must have done something wrong! It seems the targetAddress attribute in AD is supposed to contain “SMTP:emailaddress” and not merely “emailaddress”. So I changed the rules:

sAMAccountName –> mailNickname
TargetAddress –> “SMTP:”+targetAddress

And now my user looks like:

You can clearly see that the “primary” address is now the external address. And below you can see the difference in the GAL lookup. The first entry is bad, the second entry is OK.

FIM 2010: Config Migration: Import Attribute Flow Rules Update Failed

2011-08-30T07:41:00.001+02:00

One of the steps is to import the FIM Synchronization configuration when performing a FIM Configuration Migration. During my last migration I received the following error message nearly at the end of the process:

In words:

An error was encountered while trying to update the metaverse configurations The synchronization rule’s boolean constant flow must only use ‘true’ or ‘false’. Import attribute flow rules update FAILED.

So I opened up the Synchronization Service management console and started to look for an SR with a boolean in it’s flow.

Found!:

It seems we have “membershipLocked” being set to false for an ISR. This information (the attribute flow updates) are stored in the MV.XML file which are located in the directory you exported to/ are importing from.

When you search for that attribute you will see that the export replaced the “false” by “0”. Simply change it back to “false” and rerun the import.

FIM 2010 R2 [BETA]: FIM MA Dedicated Event Log

2011-08-02T18:36:00.001+02:00

I’m currently setting up a lab with FIM 2010 R2 (BETA) and I was struggling to get my FIM MA created…

I encountered some issues with time sync before, so I started looking for issues with my connection to the SQL Server/Database. Eventually I noticed a new Event Log on the FIM Server: Forefront Identity Manager Management Agent!

It was already populated with quit some errors:

In words:

System: System.UriFormatException: Invalid URI: The format of the URI could not be determined.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at MIIS.ManagementAgent.RavenMA.InitializeConnection(XmlNode connectionInformationNode, XmlNode encryptedAttributeNode, Boolean runInitialization)
   at MIIS.ManagementAgent.RavenMA.UIInitialize(String pszInitString, Int32& pfValid, String& ppszResult)

When I saw this it immediately came clear that I didn’t used the http://***:5725 notation. Now when you install an all in one box, during the FIM Service and Portal installation wizard you are asked like 10 times for your FIM Service base address. During this wizard you just have to specify the URL. However in the FIM MA configuration you have to include the http and the port… Getting rusty ; )

Summary: FIM 2010 R2 seems to come with a new dedicated event log for FIM MA event log entries. This will be great help for troubleshooting FIM MA related issues for sure!

FIM 2010 R2 Beta / ECMA 2.0 Beta

2011-07-29T13:43:00.001+02:00

For those interested in trying out the new features of FIM 2010 R2 or jump in with the new extensible MA framework (ECMA) Wednesday the download links were added on the FIM 2010 R2 CEP Connect site. CEP stands for Community Evaluation Program so if you got feedback or find bugs definitely report on that!

The link: https://connect.microsoft.com/site433/fimcep

High-light of the new features:

Reporting
Web-based Self-Service Password Reset
Improved performance for the initial load of the FIM database
Scale and load performance improvements
Outlook® 2010 support for the FIM add-ins and extensions
SharePoint® 2010 support
Improved troubleshooting support

Microsoft Business Ready Security Trial Environment

2011-07-27T17:32:00.001+02:00

In the past year I’ve been looking for a downloadable Microsoft Virtual Lab demonstrating the Forefront suite. Never found anything. Seems my google/bing skills were a bit off: Microsoft Business Ready Security Trial Environment (4.0g) has been available since 1/13/2011

This page offers several scenario-based lab guides and several VM’s. Technologies covered:

Forefront Identity Manager
Forefront Unified Access Gateway
Forefront Threat Management Gateway
Forefront Protection Server Management Console
Forefront Protection 2010 for Exchange
Forefront Protection 2010 for SharePoint
Active Directory Rights Management Service
Active Directory Federation Services
Direct Access

By posting this I’m pretty sure I’ll be able to find it again whenever I got some spare time to play with this

FIM 2010: SSPR Client Error After Updating To Build 4.0.3576.2

2011-07-12T08:33:00.001+02:00

After updating our FIM Servers to the latest build, we also started upgrading the Password Reset Client software on the clients. After some tests we seemed to receive the following error in certain cases:

In words:

A service proxy exception was encountered while running the Password Reset application. Error Text: An unexpected error has occurred. Please contact helpdesk or your administrator. Error Code 40007.

In the trace log:

Microsoft.ResourceManagement: Microsoft.ResourceManagement.WebServices.Client.UnwillingToPerformException: The endpoint could not dispatch the request. ---> Microsoft.ResourceManagement.WebServices.Faults.ServiceFaultException: The endpoint could not dispatch the request.

We quickly saw that we only had this error when users logged on to a workstation where the user didn’t exist in the Portal. IF these people visit the Portal they should get the generic FIM Service unavailable error. However before updating to the last build, the Password Reset Client software just closed quietly when it couldn’t match a user. As it should. I discussed this with someone at Microsoft and it seems to be a known bug which is fixed in FIM 2010 R2 but which will not be fixed in 2010.

Luckily for us all our users are managed from within FIM, except in test where some managed to slip by the FIM processing...

Awarded MVP for Identity Lifecycle Manager!

2011-07-02T22:19:00.001+02:00

Wow! I had no idea it was the time of the year MVP’s were being (re)awarded. Somewhere in the past year I heard I was nominated for MVP and to support my candidature I filled in some docs but the mail I received yesterday came as a complete surprise.

Dear Thomas Vuylsteke,

Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Identity Lifecycle Manager technical communities during the past year.

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Toby Richards
General Manager
Community & Online Support

Special thanks to Markus for coaching and supporting me on the FIM TechNet Forum & Wiki. Thanks to Glenn Zuckerman & Anthony Ho for helping me out every once and while.

Thanks to the people of MCS Belgium for giving me opportunity to get to know FIM and be part of a great project/team. Thanks to my company RealDolmen for providing me with interesting projects again and again.

Thanks to everyone in the FIM community for all the knowledge sharing and troubleshooting help.

And of course, most of all thanks to my wife Stefanie for just letting me do what I do.

Let’s keep up the good work for another year!

FIM 2010: Warm Up Your Portal (IIS)

2011-06-20T21:48:00.001+02:00

One of the typical things of a webapp deployed on IIS is that everyday the first visitor has a very slow loading page. This is due to the application pool recycling. Every night, somewhere between 2 and 4 (for default installs) the application pools are recycled. After this when the first visitor arrives certain code is loaded again which takes some time. Consequent visitors don’t suffer this phenomena.

In the IIS world there’s a known solution for this: "IIS Warm Up scripts”. There even was a built-in module for this in IIS 7.5, however it was in beta state and currently has been removed from the web. With some PowerShell and Scheduled Task magic we can warm up IIS just as good. In my example the first user was experiencing a 15-20 seconds delay before the FIM Portal showed up. After applying the following solution that was more like 2 seconds.

Our script which will warm up the site will do this every time the application pool is recycled. The trigger for the scheduled task will be an event in the Application event log. Therefor we have to modify the default settings of the application pool so that it logs these events.

Open the IIS management console and locate the application pool responsible for the SharePoint site hosting your FIM portal

Righ-click and choose advanced settings, make sure to set “Specific Time” to True.

Every time the application pool is recycled by the schedule defined in the “Specific Times” array the following even will be logged:

A worker process with process id of '4420' serving application pool 'SharePoint - 80' has requested a recycle because it reached its scheduled recycle time.

Now the following script can be executed to warm up IIS. It will do this by visiting the page and performing a get. It’s very basic and probably can be improved or rewritten.

function get-webpageWithAuthN([string]$url,[System.Net.NetworkCredential]$cred=$null){
    write-host -foregroundcolor green "Warming up $url";
    $wc = new-object net.webclient;
    $wc.credentials = $cred;
    #$wc.Headers.Add("user-agent", "PowerShell");
    $html = $wc.DownloadString($url);
    #$html
}

#FIM
$website = http://FIM.setspn.blogspot.com/IdentityManagement
$credentials = [System.Net.CredentialCache]::DefaultCredentials;
get-webpageWithAuthN -url $website -cred $credentials

Now we can create the Scheduled Task. I choose to run it as “local system”. This seems enough to warm up the portal. I think because this way the FIM Service is queried to see if “Local System” (my FIM server itself) is known in the portal. Obviously this is not the case and I will probably see a “Service not available” error. But the point is that the Portal is warmed up!

We will add some triggers:

Type: On an event
Log: System
Source: WAS
Resource ID: 5076

Then we will specify an action:

Action: Start a program
Program/Script: PowerShell.exe
Add arguments: c:\yourfolder\script.ps1
Start in: c:\yourfolder

If we also want to trigger the script when we an administrator recycles an Application Pool we have to add a trigger for event 5079 (System –> WAS: 5079)

If we also want to trigger the script when we perform an IISreset we can add a trigger for the following event 3201 (System > IIS-IISREeset: 3201)

Obviously this way of working could be applied for other websites too.

Forefront TMG Array In Workgroup Managed By EMS: Firewall Ports

2011-06-13T20:36:00.001+02:00

Lately I helped a colleague setting up a TMG array. The TMG nodes were in a workgroup in the DMZ. In the LAN there was a domain-joined EMS server. As there was a firewall between DMZ-LAN we had to open up some ports. The TMG documentation is pretty good, but I couldn’t find any documentation regarding the firewall ports…

So here is a table I built by setting up a DC, EMS, TMG and a m0n0wall virtual firewall appliance in my personal lab. I like m0n0wall as it comes with an easy web interface. It also has logging which you can activate on a per rule base. Here are some screenshots:

Firewall rules:

Logging:

And finally the result of all my hard work:

From	To	TCP/UDP	Port	Remark
EMS	TMG	TCP	135	RPC endpoint mapper
EMS	TMG	TCP	10000-65535	RPC
EMS	TMG	TCP	445	Remote diagnostic logging
EMS	TMG	TCP	3847	MS Firewall Control

TMG	EMS	TCP	2171	MS Firewall Storage
TMG	EMS	TCP	2172	MS Firewall Secure Storage
TMG	EMS	TCP	3847	MS Firewall Control
~~TMG~~	~~EMS~~	~~TCP~~	~~135~~	~~RPC endpoint mapper~~
~~TMG~~	~~EMS~~	~~TCP~~	~~49152-65535~~	~~RPC~~

Some remarks:

RPC from TMG –> EMS doesn’t seems necessary. I was able to open the MMC on both the EMS and the TMG node.
RPC from EMS –> TMG starts off at port 10.000. All though windows 2008 (&R2) officially start off at 49152, there are some server products which modify this. Think TMG, Think Exchange. (The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008)
EMS –> TMG port 445 was necessary for remote diagnostic logging. I’m still looking into as why I can’t view the logging remotely. I can enable/disable it though…

FIM Config Migration: Tips For A Successful Migration

2011-06-13T15:06:00.001+02:00

Performing a configuration migration is pretty straight forward. You just have to pay attention to some things. Besides the excellent guide (Configuration Migration Deployment Guide ) I also pay attention to the following points:

1. FIM MA health

This is a rather nasty one. However if you fail to detect it, and you happen to migrate your configuration to a FIM MA in this situation you’ll be doomed to a do a rollback using SQL backup-restore. The good news it’s easy to detect. Every time you perform modifications to your MA’s or MV configuration, this info get’s replicated to the FIM Service. You can see this info below administration > all resources:

Every time such an update occurs, requests are logged in the FIM requests log:

That’s also one of the reason why running a Full Synchronization profile on your FIM MA very often is a bad idea. This data gets replicated to the FIM Service every time you do a full sync on your FIM MA. This is the easiest way to make your FIM Service DB explode in size. But, back on track now. Using the following WMI trickery (discovered by Craig Martin): MSDN: MIIS_ManagementAgent Class

You can force this replication to occur by executing the following statements:

### Get the FIM MA
$fimMa = Get-WmiObject -Class MIIS_ManagementAgent -Namespace root/MicrosoftIdentityIntegrationServer -Filter ("Type='Forefront Identity Management (FIM)'")
### Call the WMI method to ReSync the Config Objects from miiserver.exe to microsoft.resourcemanagement.service.exe$fimMa.ResyncSyncConfigObjects()
$fimMa.ResyncSyncConfigObjects()

Now what should the outcome look like?

The ReturnValue Success is a good start. You also should see the requests being logged. However, if you see the following entry in your application log you got some work to do:

In words:

A update on the configuration of a MA or MV failed to replicate to a target connector directory that is capable of storing MA/MV configurations. As a result, the MA/MV configuration data in this connector directory is not up to date. Please correct the condition that causes the error, and triggers a resync by updating the password information of the target MA.
Additional information:
Error Code: 0x80230709
Error Message: (The extension operation aborted due to an internal error in FIM Synchronization Service.)
Operation: Clean up MAs
Name of the MA to replicate:
Guid of the MA to replicate:
Name of the target MA: FIM MA
Guid of the target MA: {35F6A1E2-CCF6-4C8A-91FF-2114625B144D}

I haven’t found a nice workaround just yet… What I’ve done successfully in the past:

delete the FIM MA (CS and MA itself)
wipe the MV
Reconfigure the FIM MA from scratch or by importing an earlier (healthy?) FIM MA xml.
Import, join and sync in the proper order

This might seem like a lot of pain, and it sure it. But I prefer avoiding even worse: having a setup which refuses to recognize it’s declarative SR’s.

2. MA Schema Up-to-dateness

Very short tip: before you start exporting/importing, make sure your schema’s of your MA’s are up to date. Doing an update schema on each MA is a quick & easy test. This way you can avoid some additional trickery. It shouldn’t break anything, but it might give you all sorts of weird issues.

3. Attribute Precedence

Make sure to double check your attribute precedence. If you have declarative rules and classic rules (which the FIM MA always does), you might have to toy around with the attribute precedence. As this might get scrambled due to the order the MV gets the contribution info.

FIM 2010: Understanding Kerberos Authentication Setup

2011-06-07T22:03:00.001+02:00

This is in fact a double post. I posted this article to the TechNet Wiki for which I originally wrote this article. Link: TechNet Wiki: FIM 2010: Understanding Kerberos Authentication Setup

The goal of this article is to provide some background information regarding the Kerberos related configuration steps of the FIM Portal and FIM Service. The article has been written in such a way so that most of the points can in fact be used for any application requiring Kerberos.

This article will not discuss the various possible FIM Topologies. All information should be valid regardless whether all roles are combined on a single server or split across multiple servers.

Throughout the article a demo domain will be used. The domain which will be referenced as an example is contoso.com (NetBIOS name: CONTOSO).

Table of Content:

Identify Services
Identify Service Identities
Name Services
Configure DNS
Configure Service Principal Names (SPN's)
Configure IIS for Kerberos
Identify Delegation Requirements
Configure Delegation
Enforce Kerberos (FIM Specific)

1. Identify Services top

Before we can start configuring SPN’s (Service Principal Names) we have to determine what services we want to enable for Kerberos authentication. A typical FIM Portal deployment has the following services:

Database for the FIM Service (SQL Service)
FIM Service
FIM Portal (Windows Sharepoint Services (WSS))

Note
In the above overview we’re leaving the FIM Synchronization Service and the databases for the WSS aside. They don’t bring any added value to this article.

The following picture provides an overview of these services.

2. Identify Service Identities top

Kerberos is all about authenticating principals to a service. Each principal is represented by an account in AD. This can either be a computer or a user account. Before Kerberos can take place, each service should be represented by an account in AD. Again this can either be a computer or a user account. Therefore it’s important to determine which account represents a given service.

Note
A typical Windows Service has its identity configured in the Services MMC. A website however has its identity configured in the IIS Management Console (below the Application Pools section)

The list below provides an overview of our services and their associated identities.

Database for the FIM Service: the user account running the sqlservr.exe process of the SQL Instance hosting that database
FIM Service: the user account running the FIM Service service
FIM Portal: Application Pool identity in IIS for the FIM Portal site

This information is displayed in the following picture.

3. Name Services top

Besides the principal representing a service, we also need to determine a name to access the service. Choosing names can be rather important when actual people are involved. Check the following examples:

The FIM Service is configured to access its database on SPRDL2FIMSQL01B.contoso.com
Users visit the FIM Portal by browsing to SPRDL3FIMPOR01.contoso.com

The first one is in fact not a problem at all. Nobody will mind that a name, for which IT probably has an explanation, is configured for a service to use. In the second example your users will by no means be able to remember the URL. Something like fimportal.contoso.com is way more feasible.

Important
Choose your service names carefully and always keep in mind whether end-users will use them.

In the picture above several client-server communication arrows have been pictured. In our example we will go with the following names to access the services:

Database for the FIM Service: fimsql.contoso.com
FIM Service: fimsvc.contoso.com
FIM Portal: fimportal.contoso.com

Note
There’s nothing wrong with choosing the actual server name of the SQL server to associate with your SQL service.

4. Configure DNS top

Clients have to be able to resolve the names for these services. We can register these records in DNS. It might seem convenient to use an alias (CNAME) record for some of the services. However this is a bad idea as explained in the following paragraph.

Using a CNAME record would ensure that updating the server its IP has no influence on the service name record. However CNAME records resolve in another way than A records. A client requesting a Kerberos ticket for a given service will ask AD a ticket for whatever the name resolves to. This is how a client will resolve those names:

fimsvc.contoso.com (CNAME) -> server01.contoso.com -> IP_of_FIM_Server
fimsvc.contoso.com (A) -> IP_of_FIM_Server

In bold the names are shown for which a Kerberos authentication attempt will be performed. In the first example you can clearly see that our client will request a Kerberos ticket for the wrong service as our service is coupled to fimsvc.contoso.com. So things will go wrong. For more information check Kerberos Basic Troubleshooting: Tip 3: SPNS and CNAME Records

Important
Register A records to ensure the correct service name is used in the Kerberos authentication attempt

5. Configure Service Principal Names (SPN's) top

So we got a name and an identity for our service. How do we tell AD that these belong together? Ahah! Now we get to the Service Principal Names (SPN's). Whenever someone wants to use Kerberos to authenticate to a given service, they contact the Key Distribution Centre (KDC) and ask for a service ticket. The KDC is running on each domain controller. It knows which ticket to hand out because the client specified the service it wants a ticket for. The service was in fact specified by its name. More particularly by using the Service Principal Name (SPN).

An SPN is based upon the following format <service>/<fqdn>:<port>

In our example we will execute the following commands:

Setspn –S MSSQLsvc/fimsql.contoso.com:1433 sa_sqlsvc
Setspn –S MSSQLsvc/fimsql:1433 sa_sqlsvc
Setspn –S FIMService/fimsvc.contoso.com sa_fimsvc
Setspn –S FIMService/fimsvc sa_fimsvc
Setspn –S HTTP/fimportal.contoso.com sa_wss
Setspn –S HTTP/fimportal sa_wss

Important
Never register a given service (<service>/<fqdn>:<port>) on multiple accounts. Whenever multiple accounts are responsible for the same service, AD cannot determine which account to use to hand out the Kerberos service ticket. As such Kerberos authentication breaks. This issue is called Duplicate SPNs. You can do a quick check in your domain for duplicate SPN's by executing Setspn -X.

Important
Always register both short and long (domain fqdn) for a service. This will ensure Kerberos is available at all times.

Important
SQL always requires an SPN of the format MSSQLsvc/<fqdn>:<port>, even when using the default (1433) port. If your port is dynamic you have to configure it to be static or give the SQL Server service account permissions to update its own SPN's.

Note
A lot of guides will tell you to use Setspn –A instead of setspn –S. The advantage of using the –S option is that it will check the domain prior to adding the SPN. This will avoid setting duplicate SPNs.

6. Configure IIS for Kerberos top

When the above steps have been implemented, both the FIM Service and SQL will start accepting Kerberos. However IIS is slightly different. In fact skipping this particular step will often break your configuration all together. One of the symptoms when having a bad Kerberos implementation is the following: you type the URL of your website, you get presented with an authentication prompt, and no matter how many times you correctly enter your credentials, you keep getting prompted over and over again.

This issue occurs because by default IIS uses the account of the server to validate service tickets instead of the Application Pool identity. We can force IIS to use the identity of the application pool by configuring this in the applicationHost.config configuration file.

Important
The applicationHost.config is typically located in c:\windows\system32\inetsrv\config\ Remember to take a backup when modifying this file.

The following steps are required to configure Kerberos Authentication to work with a custom Application Pool Identity.

Launch an elevated command prompt and execute the following commands:

cd c:\Windows\System32\inetsrv\config
copy applicationHost.config applicationHost.config.dateOfToday.bak
notepad applicationHost.config

Search for windowsAuthentication enabled="true" if you are below:

<location path="SharePoint - 80">

The above might actually be different in your environment. You need to locate the path of the IIS site which represent your FIM Portal WSS site.

Add useAppPoolCredentials="true" so the line looks like:

<windowsAuthentication enabled="true" useAppPoolCredentials="true">

Save the file and exit notepad

Execute the following command: iisreset

7. Identify Delegation Requirements top

Now that we got Kerberos authentication working for all of the involved services we have to determine whether additional configuration is required. Sometimes it’s obvious that Kerberos delegation has to be configured, sometimes it’s less obvious. Either way, it’s advised to check the product specific documentation to be sure. Kerberos delegation will allow a service to impersonate a visiting user and authenticate to another service as if it were the user himself who visits that service.

From the FIM Installation Guide we know that the following delegation scenarios are required:

FIM Portal to FIM Service
FIM Service to FIM Service

This is explained in the "Establish SPNs for FIM 2010" section of the installation guide.

8. Configure Delegation top

To allow a given service to delegate to an other service, we have to configure delegation on the service its service account to the delegated service its SPN. Delegation can be configured using Active Directory Users & Computers (ADUC). As explained in the previous section we have to configure the following delegation scenario's:

For the Portal to be able to delegate to the FIM Service we would have to:

Open ADUC and locate the service account for the Portal (sa_wss)
Open the properties of sa_wss and choose the delegation tab
Check Trust this user for delegation to the specified services only
Check Use Kerberos only
Click Add...
Click users or Computers...
Type the name of your FIM Service service account: sa_fimsvc
Click Check Names and Click Ok
Select the FIMService entry and Click Ok
Click Ok to close the account properties

Some screenshots to aid in the process: FIMService selection screen

And the resulting Delegation tab for the sa_wss acocunt:

For the FIM Service to be able to delegate to the FIM Service we would have to:

Open ADUC and locate the service account for the Portal (sa_fimsvc)
Open the properties of sa_fimsvc and choose the delegation tab
Check Trust this user for delegation to the specified services only
Check Use Kerberos only
Click Add...
Click users or Computers...
Type the name of your FIM Service service account: sa_fimsvc
Click Check Names and Click Ok
Select the FIMService entry and Click Ok
Click Ok to close the account properties

Note
The delegation tab on a user is only visible when an SPN has been registered for that account.

Note
The above procedure assumes your domain is in 2003 DFL or higher. Windows 2000 DFL only has unconstrained delegation available.

9. Enforce Kerberos (FIM Specific) top

Optionally you can configure the FIM Portal to only accept Kerberos. This is explained in the FIM Installation Guide > Installing The FIM 2010 Server Components > Activating The Kerberos Protocol Only (link)

The following steps are required to force Kerberos Authentication for the FIM Portal.

Launch an elevated command prompt and execute the following commands:

cd c:\inetpub\wwwroot\wss\VirtualDirectories\80
copy web.config web.config.dateOfToday.bak
notepad web.config

The above might actually be different in your environment. You need to locate the path of the IIS site which represent your FIM Portal WSS site.

Locate the element

<resourceManagementClient . . . />

Add requireKerberos=”true” so that it reads

<resourceManagementClient requireKerberos="true" . . . />

Save the file and exit notepad

Execute the following command: iisreset

Happy Kerberizing

Active Directory Topology Diagrammer Updated!

2011-06-07T09:01:00.001+02:00

Active Directory Topology Diagrammer (ADTD) has been updated! ADTD has been out there for ages and has proven to be useful many times. The UI is very similar to the original one. The DFS-R tab was added to allow DFS-R topologies to be discovered. Exchange 20xx support was added. I did a discover & draw and it seemed to discover everything just nice. Something they added (if I’m not mistaken, please correct me if I’m wrong) is the Exchange schema version on the domain Visio. The Exchange discovery works fine too, however in our environment it failed to draw the number of mailboxes. It seems to draw the amount of mailbox one Exchange 2007 fine (we have some left). But for 2010 it displays 0… The SMTP connectors were drawn perfectly. Definitely a must-have tool for documentation purposes or just to discover anomalies.

You can download ADTD from here: Microsoft Active Directory Topology Diagrammer

Thanks to Mark Parris for the tip at ActiveDir.org

The main dialog:

A small part of the domain visio:

FIM 2010: Hiding The SharePoint Welcome Button From The Portal

2011-06-06T21:51:00.001+02:00

I’m currently involved in a project where FIM will be used by end-users which will perform some limited management tasks in the portal. One of the remarks we got is that the “Welcome John Doe” button in the upper right corner is not good. To be more specific, if a user clicks it, they get redirected to pages which are irrelevant for FIM. This comes from the Windows Sharepoint Serivces framework which hosts the FIM Portal. In fact it has nothing to do with the FIM Portal experience.

In detail:

If you click it:

To modify (hide) this button we don’t have to “hack” standard WSS pages. Tampering with the .aspx pages which the SharePoint installer provides is probably not supported anyway. However we can simply modify the CSS code which is responsible for styling this part of the Portal. Quick Tip: using IE8/9 (and perhaps 7 too) you can press F12 when visiting the portal. By using the mouse button in the upper left corner you can then select a given part of a site and it will show you the CSS code which is active. You can even modify the CSS over there to test the possible outcome. Modifying the CSS is a supported way to brand the Portal according to your company image. Here’s an excellent guide on the subject: Introduction to Configuring and Customizing the FIM Portal

From the above we can clearly see that if we’d modify the “.ms-globalbreadcrumb” section, we could alter the behavior of the section containing the welcome button. It’s enough to add “display:none” in order to hide the upper item.

I think the default theme is located in c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\THEMES\FIM. But I would definitely advise against editing these files. Or you keep the original ones in a safe place (copy/rename) or you create a copy of the FIM theme and start customizing the copy. After switching the theme on and off (by selecting an other temporary theme) , and by running an IISReset, the result will look like this:

Whilst the button is there, it should be hidden. Now try to click it! :p

P.S. If you want to change the theme afterwards, or other settings from SharePoint, it might be convenient to note down the following URL: http://yourportal.domain.tld/IdentityManagement/_layouts/settings.aspx This will bring you to the landing page of the “settings” button. As this button is also displayed on that upper item…

Update An Active/Passive FIM Synchronization Service Setup

2011-06-06T21:44:00.001+02:00

One of the challenges of applying hotfixes to a distributed application is the order in which you apply them. We have an Active FIM Synchronization Service, and a cold standby. I will leave out the FIM Portal/FIM Service instance. Today we did the upgrade of our lab from FIM 2010 build 4.0.3531.2 (Update 1) to the latest available build: 4.0.3576.2.

I would suspect the order to be something like this:

Stop Active FIM Synchronization Service
Update the Active FIM Synchronization Service bits
Stop Active FIM Synchronization Service (+ disable for safety)
Enable Passive FIM Synchronization Service
Run MIISActivate
Stop “Passive” FIM Synchronization Service
Update the “Passive” FIM Synchronization Service bits
Stop & Disable FIM Synchronization Service
Fall back using MIISActivate again

However when running step 5 we were confronted with two popups: one stating “everything is ok”, followed by one giving the following error code: 0x80230453. A quick google gave no results, and that’s why I’m putting this post here. It might make sense as to why the activation command does not run, after all it’s using old binaries against an updated database…

So here is the order which worked out fine for us:

Stop Active FIM Synchronization Service
Update the Active FIM Synchronization Service bits
Stop Active FIM Synchronization Service (+ disable for safety)
Enable Passive FIM Synchronization Service
Update the “Passive” FIM Synchronization Service bits
Run MIISActivate, test FIM Sync
Stop & Disable FIM Synchronization Service
Fall back using MIISActivate again

Technical Overview of Microsoft Forefront Identity Manager 2010 R2

2011-05-22T16:51:00.001+02:00

On Henrik Nilson’s blog I found a link to a session from Tech-Ed: Technical Overview of Microsoft Forefront Identity Manager 2010 R2 It’s definitely worth watching. If you’re in a hurry though, here’s a brief summary:

Support for Extranet Password Reset (other browsers/platforms, not domain-joined)
Reporting: group membership and object change history
Extensible MA framework
Performance improvements
Best Practices Analyzer
Add-in Support for Outlook 2010 x86 & x64
Support for SharePoint 2010

Password Reset

Very neat: support for password resets from PC’s which are not joined to the domain! So this means the extranet password reset scenario is added to FIM 2010 R2! And because no fancy ActiveX is used this should work just fine from other browsers/platforms as well.

This extranet scenario is made available through a new ASP.net password registration/reset portal. This portal is not based upon Sharepoint. They also added the option to add an additional Q/A gate for people resetting their password externally. You could see these as coming from an untrusted location and requiring to answer more questions than someone doing it from on your corporate LAN.

Reporting

This functionality will be made available through a custom FIM MP for SCSM. The SCSM data warehouse is a requirement. If you don’t have one, you’ll be allowed to use one without additional licensing costs.

Extensible MA Framework

Outlook 2010 & Sharepoint 2010 support

Running PowerShell Scripts From An UNC Path (Share)

2011-05-15T17:06:00.001+02:00

Introduction

Lately a colleague of mine was struggling with the following: he wanted a script to be ran from within a Startup Script GPO. Now the problem he was encountering was the following Security Warning from PowerShell:

In words:

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your
computer. Do you want to run \\file.setspn.com\scripts\script.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

Now if you have to run something like this occasionally, you can type R and get on it with it. However if this is a script which has to automatically run at startup, this will be a showstopper. So here is some additional information on how to avoid these warnings.

I didn’t tested this in the context of a computer starting up and executing such a script. I just tested this from the Administrator point of view: you run a PowerShell script from a share and you want to avoid that warning. Now what? I will briefly explain Execution Policies and Execution Policy Scopes before actually presenting a solution.

PowerShell Execution Policies

As most of us know by now, PowerShell comes with an execution policy. This policy define which scripts can ran and from which location. By default it’s configured to restricted:

In words:

File \\file.setspn.com\scripts\script.ps1 cannot be loaded because the execution of scripts is disabled on this system.
Please see "get-help about_signing" for more details.
At line:1 char:37
+ \\file.setspn.com\scripts\script.ps1 <<<<
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException

However we can easily change the policy to one of the following options:

Restricted: no scripts
AllSigned: only signed scripts
RemoteSigned: local [+detected as local intranet] scripts and signed scripts remotely
Unrestricted: all scripts but comes with warnings when running from a share
Bypass: all scripts, no warnings

If you want a full explanation on each of these policies, check TechNet: about_Execution_Policies

PowerShell Execution Policy Scope

Now if you changed the above policy using the Set-ExecutionPolicy Policy command, you changed it for everyone running PowerShell scripts on the current machine. Did you know there is an alternative? You can actually specify a scope using the –scope parameter! This can come in very handy when you just want to open up PowerShell temporary for the installation of a product. The following scopes exist:

Process: affects only the current PowerShell session
CurrentUser: affects only the current user
LocalMachine: affects all users on the current computer

If you want a full explanation on each of these scopes, check TechNet: about_Execution_Policies There’s also additional info available if you want to control this by using GPO.

Determing The Active PowerShell Execution Policy

Using the Get-ExecutionPolicy command you can get the current policy, however if you add the –list parameter you can see where it’s coming from:

Now after running Set-ExecutionPolicy –Scope Process Unrestricted

Now the advantage is that whenever this PowerShell session is closed, the overall policy remains to what is was before my modification.

Getting Rid Of the Warning

All of the options below will explain how you can get rid of the warning when execution a script from an UNC path. Between [] I’ve added the PowerShell execution policies this is working with. The PowerShell script I’m running is located on \\file.setspn.com\scripts and it only contains one line: “write-host –forefgroundcolor green “script executed successfully””.

Option 1: use a shortname in the path [RemoteSigned/Unrestricted]

Why does this work?

By default IE7 and up are configured to automatically detect intranet network. This one checkbox actually is equivalent to checking the 3 options below it. Because we use a UNC path with a short name (\\file), it’s detected as an Intranet and hence no warning is displayed. However once you use a FQDN (\\file.setspn.com), this detection does not work. Reference: Enabling "Automatically Detect Intranet Network" on a domain member computer will enable all the three Intranet Options automatically.

Do we like this? I don’t. I hate NetBIOS names. On to the next option

Option 2: Specify Local Intranet Sites [RemoteSigned/Unrestricted]

The security warning only comes up when the script is ran from an untrusted location, we can add the UNC path to the local intranet. We can do this using one of the following formats:

The first 4 options will only affect files accessed from UNC paths, however option 5 & 6 will also involve HTTP/HTTPs traffic. Option 1 & 2 are in fact the same. The same goes for option 3 & 4. Whenever you enter an UNC path like \\location it will automatically be converted to file://location by IE. After adding \\*.setspn.com:

The script now runs just fine:

Option 3: Copy The Script Locally [RemoteSigned/Resctricted]

Obviously this is not applicable in certain scenario’s, but as a quick work around it’s a possibility.

Option 4: Sign your scripts [AllSigned/RemoteSigned/Resctricted]

Another possibility is to sign your scripts. A detailed guide is out of the scope of this post, a good description of the process can be found here: Scott Hanselman: Signing PowerShell Scripts

Option 5: Use The Bypass ExecutionPolicy [Resctricted/AllSigned/RemoteSigned/Resctricted]

All of the above options (beside #1) require you to do some modifications. There’s also a way to just suppress these warnings: the Bypass exeuction policy! I think you can apply it in one of the following ways:

Set-ExecutionPolicy Bypass
Set-ExecutionPolicy Bypass –Scope Process
Powershell.exe –ExecutionPolicy Bypass –file \\file.setspn.com\script.ps1

Option 1 just doesn’t feel right. I myself would definitely go for option 2 or 3. They are more or less equivalent. Option 3 is ideally for calling a PowerShell script from within a bat file. Option 2 is just neat as it’s only active temporarily.

Conclusion

I’m not favoring one of the above options. I think PowerShell execution policies should be part of the Workstation/Server design. A given policy should be decided upon and pushed through GPO. Once that baseline is established, I would choose one of the above options to make a certain script work in the given scenario.

Like if RemoteSigned would be active on workstations, I would consider adding the UNC path to the Local Intranet sites. On the other hand if I would be administering servers (RemoteSigned active) and I’d have a script which I have to run just once, I would consider changing the execution policy to Bypass just for this PowerShell.exe instance (-scope process).

Happy PowerShelling!

Windows 2008 R2: Accounts: Administrator Account Status Not Working

2011-04-04T19:32:00.001+02:00

One of the things a colleague of mine encountered in the past, and which I stumbled upon lately is the following. Sometimes people want to have the Local Administrator account disabled on their servers. There has been a GPO to do this for ages. It’s located below Computer Settings > Windows Settings > Security Settings > Local Policies > Security Options. The setting is “Accounts: Administrator Account Status”: Disabled.

The screenshot shown below is from the security policy on a server which has the policy (Administrator Status: disabled) applied. You can see that A group policy is setting the setting to enabled. Which is in fact the opposite of what I have configured through the GPO.

One could think I have another GPO being applied later. But using gpresult /H:report.html I can clearly see “my” GPO is winning and that the setting in fact should be set to disabled…

Also a regular Resultant Set Of Policy shows the setting as disabled…

But the account is Active and remains in this state…

So, Group Policy Preferences to the rescue! It’s not a real answer as to why things are going wrong, but it’s definitely a doable workaround. This policy works flawless.

You can’t always get to the bottom of things…

RCDC Not recognized After FIM Configuration Migration

2011-04-03T15:43:00.001+02:00

I’m not going to be explain something new today, but I’m just writing this article to explain how I established I was having this issue. Above that I want to make sure people find the explanation easier. This article references a PPT which has some great info on the issue.

It all started with a perfectly fine FIM deployment in a lab environment. One of the things we do from time to time is migrate the configuration to the Acceptance environment. To do this we use the FIM Configuration Migration scripts. After one of the migrations our User Edit RCDC in the Acceptance environment was broken. The RCDC defaulted to the Admin view and stated: There is an error in the synchronizationRule display configuration. Please contact your system administrator.

As I recently reviewed a RCDC troubleshooting article I knew what I had to do:

Troubleshooting RCDC Configuration Issues Using FIM Portal Tracing

Make sure to change the level from “Error” to “Verbose”. This will give you the following entry in the event log:

In words:

The Resource Management Portal detected an error using the Resource Control Display Configuration (RCDC). This prevented the portal from displaying the object as expected and the portal switched over to Admin View.

The failure is due to a incorrect configuration file. The file does not validate against the configuration file schema.

Verify that the configuration file is valid XML and matches the configuration file schema. Either upload a new file or modify the existing file in the Resource Management Portal directory. Afterward, reset IIS.

So now we get directed to an invalid RCDC XML. No worries: Craig Martin to the rescue: RCDC Troubleshooting He explains how you can use Visual Studio to validate the RCDC XML against the MS schema for RCDCs. The RCDC seemed fine. So eventually we logged a PSS case and got pointed to the following MS PPT:

FIM Portal Troubleshooting - Default RCDCs Not Recognized After Replacement through FIM Service Configuration Migration.

The PPT is a must read. It clearly states how you end up in this situation and what to do to avoid it. For a fix, without having to wipe your database you’ll have to log a PSS case. The PSS people can give you a SQL procedure which can fix the guid of a given RCDC.

FIM 2010: Language Pack Update 1 Install Issue

2011-03-13T19:42:00.001+01:00

Again I’m posting with some FIM 2010 Update 1 issue. I’m not trying to make a statement regarding the stability of the FIM software, I’m just active in an instable environment . This error I received when trying to update a FIM 2010 Service and Portal Language Pack installation to Update 1.

The installer for Update 1 is a next next finish, but somewhere in the middle an application error occurs and the rollback is performed.

The error:

In words:

Microsoft.ResourceManagement.Setup.LanguagePack.Resource has stopped working.

I had absolutely no clue what the cause could be. I was logged on using a FIM Installer Account, so permissions should have been fine. On the list of todo’s for this environment I also had a WSS security hotfix. This is the hotfix I mentioned in WSS Killer Security Update. I prefer to install it in a controlled way instead of receiving it through WSUS. However installing the update didn’t work out. The setup just failed. The log files pointed me to: KB939308: Error message when you try to modify or to delete an alternate access mapping in Windows SharePoint Services 3.0: "An update conflict has occurred, and you must re-try this action"

After following the actions in that KB article, I reran the installer of the hotfix and everything worked out fine.

And guess what: the Language Pack Update 1 installer finished just fine too! I have no proof that they are related, but I ran the update multiple times, every time resulting in a crash. Once I cleared the cache of WSS as described in the article the update ran fine.

Happy updating!

FIM 2010 Update 1 Installation Issue

2011-03-13T17:48:00.001+01:00

In the release notes of FIM 2010 Update 1 (KB978864), one of the things mentioned is that you have to make sure the Portal is reachable on http://localhost. Another known issue for things to go wrong seems to be the FIM Service Certificate. During the installation you get the following options:

From Microsoft PSS I heard that there’s a known issue to upgrade to FIM 2010 Update 1 if you choose a customized certificate. One of the requirements for the FIM Service certificate is, is that it has CN=ForefrontIdentityManager in it’s subject. My customer had generated a custom certificate from their internal CA, and of course the subject was different from the required one.

This caused the update to fail and rollback. The following errors were shown in the Application event log:

Entries from the event log, first line logged first:

Error : MicrosoftILMPortalCommonDlls.wsp already exists
An error occurred while deploying FIM portal solution packs.
Error : MicrosoftIdentityManagement.wsp already exists
An error occurred while deploying FIM portal solution packs.
Error : ILMPasswordPortal.wsp already exists
An error occurred while deploying FIM portal solution packs.

To resolve this situation you can run the RTM installer again, but now chose “change”. You’ll be prompted to fill in all setup questions again, but now you can choose “Generate a new self-signed certificate”. After running this successfully you can try to update again.

Some other items I found on my quest for a solution:

Installing update failed because sharepoint not installed on "localhost"?

In my opinion removing .WSP’s your self in WSS is not a great idea. The FIM Update installers really depend on the fact that they expect the .WSP’s to be in place. If you start messing with them you might break things completely. If you are having issues reaching your portal at http://localhost, verify the bindings for the SharePoint site in IIS. You could add:

127.0.0.1 80
::1 80

To ensure proper access to http://localhost. In case you don’t have “all available addresses 80” set as the binding.

Another possible solution: ILM 2 Beta 3 Premature Failure - ilmpasswordportal.wsp already exists Again, I would really advise against deleting .WSP’s yourself. Even if they are in error, try running the FIM Service & Portal setup in Change mode. You’ll see it will re-deploy the .WSP solutions.

P.S. If you want detailed information regarding a failure for an update, try running the update.msp file like this: msiexec /p update.msp /L*V c:\update.log

FIM MA Full Import Broken

2011-03-13T17:13:00.001+01:00

One of my customers had the following error when they ran a Full Import on the FIM MA: app-store-import-exception

In the application event log I found the following error which was occurring every time they ran a Full Import.

A copy paste of the error:

The description for Event ID 6500 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

There is an error executing ILM MA full import.
Type: System.ArgumentNullException

Message: Value cannot be null.
Parameter name: key

Stack Trace:    at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
   at System.Collections.Generic.Dictionary`2.FindEntry(TKey key)
   at System.Collections.Generic.Dictionary`2.TryGetValue(TKey key, TValue& value)
   at Microsoft.ResourceManagement.Schema.ServerSchemaManager.GetAttributeSchema(String attributeName)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ReadFragment(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ReadQueryResults(SqlDataReader reader, Int64& resultCount, Boolean& endOfSequence)
   at Microsoft.ResourceManagement.Query.QueryProcessor.ReadQueryResults(SqlDataReader reader)
   at Microsoft.ResourceManagement.Data.Sync.FullImportGetNext(Int64 beginObjectKey, Int64 maxObjectKey, Int32 batchSize)
   at MIIS.ManagementAgent.RavenMA.FullImportGetNextBatch(Int64 maxObjectKey, Int32 batchSize)

the message resource is present but the message is not found in the string/message table

A search on Google led me to the following TechNet forum post: App-Store-Import-Exception

And then I spent quit some time on SQL tracing and trying to find out which key was null. I found none… I don’t know how I got to it, but I figured refreshing the schema couldn’t hurt to perhaps get a more descriptive error. It seemed that someone had been modifying the schema!:

After the schema refresh imports started running again. It’s obvious to refresh the schema if you changed something to the schema in the Portal. However if you start from the given error it wasn’t as obvious to refresh the schema… Case Solved!

Active Directory Quick Tips

2011-03-01T22:53:00.001+01:00

1. Use GPMC GPO Backup Feature To Locate Unresolvable SIDs

Sometimes you might have GPO’s which reference SID’s which cannot be resolved. Their might be various reasons for that. Someone might have configured the GPO to reference a certain account in a setting whilst that account was deleted somewhere in time afterwards. Or like I encountered: you use GPO backups to import & export your GPO’s from a lab to an acceptance environment and you simply forget to translate some of the SIDs.

A neat trick which I found out by accident is the “Backup All…” GPO option from the Group Policy Management Console. This will try to resolve all accounts used in your GPO’s and throw a warning if there’s a problem. You could do this every now and then to keep your GPO’s squeaky clean.

2. Generate an HTML Report Of All Your GPO’s

Whenever you’re documenting your GPO’s, or you simply want to have a snapshot in time of the settings, versions, links, security, …. you can choose to create a GPO report from the GPMC. Using PowerShell however you can issue the following command to get a single-file HTML which will nicely give you all the required information. It would perhaps be a nice idea to run this monthly or even more frequently if you want to have some auditing trail as to what is changed. But if you really need this, I think AGPM will be a better fit.

Get-GPOReport -All -Domain contoso.com –Server dc01 -ReportType HTML -Path C:\Users\thomas.vuylsteke\Desktop\GPO_Report\GPO_Report.html

The following screenshot shows an example of the layout. By default everything, except the subsections of each GPO, is hidden. You can easily scroll from GPO to GPO, and I can imagine it’s very simple to edit the HTML file if you only want a subset of the policies in your report.

Forefront UAG 2010: Change Internal Network Range

2011-02-21T21:32:00.001+01:00

Very recently I started toying around with UAG (Unified Access Gateway) 2010. Right after installing and following step 1 of the wizard (select your Internal Network) I decided to change my subnets. Changing network adapters to another subnet is easy, however my UAG configuration fun was halted for some reason:

In words:

The UAG configuration cannot be retrieved from Forefront TMG storage. An error has occurred and UAG will close. Check that TMG services are running. If the UAG server is a domain member, verify connectivity to the domain controller.

Luckily I know TMG (Threat Management Gateway). The UAG manages this TMG instance for you by letting you complete various wizards. I couldn’t access the UAG console but the TMG console launched just fine. This allowed me to change the Internal Network definition:

After a reboot I was able to launch the UAG console. Promptly it presented me the following question:

In my opinion that should rather be an OK box than a yes/no prompt as the no option sounds rather unpleasant…

And now we’re off the discover what’s UAG all about!

Exchange: Move Mailbox Remote Credentials Format

2011-02-21T20:18:00.001+01:00

In the project I’m currently involved, my colleagues are planning to migrate several mailboxes to a new Exchange 2010 platform. This particular issue was encountered when migrating mailboxes from Exchange 2007 (cross-forest) to Exchange 2010. They are currently running several test migrations so we can get an estimate of the amount of mailboxes we can migrate in a given timeframe. Using the New-MoveRequest cmdlet and some PowerShell magic they were processing 100 mailboxes one by one. Oddly a lot of them failed with the following error:

In words:

Failed to reconnect to Active Directory server dc.domain.tld. Make sure the server is available, and that you have used the correct credentials.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : A46C2901,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

After trying the same New-MoveRequest command 5 or 6 times in a row all of a sudden the command finished successfully. Hmm that’s odd! As I’m sitting across my issue radar got activated and I launched google and stumbled upon the following topic: Not able to do a Cross forest Migration between E2k3-E2k7

The solution mentioned over there is to use the <FQDN of domain>\<username> format instead of the <NetBIOS domain name>\<username> when specifying the Remote Credentials. These credentials belong to a user which has permissions on the source mailboxes. Don’t ask for any logical explanation, but it sure did the trick.

For an overview of all supported logon credentials formats, see: KB929272: Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003

Microsoft Community Contributor Award!

2011-02-17T23:12:00.001+01:00

When I opened my mail today I was glad to see I got awarded with the Microsoft Community Contributor Award for 2011. It’s great to be recognized for my blogging, TechNet forums & wiki efforts. Thanks Microsoft! Thanks Community! Participating in this community is about giving and taking. I’m more than glad to do my fair share of sharing information!

For those that don’t know the award: Microsoft Community Contributor FAQ

FIM 2010: Synchronization Service Crashes

2011-02-17T22:54:00.001+01:00

This post will be quick and dirty. I just want to lead people having the error message below to the correct KB article and fix. I myself was seeing the error below whilst running export run profiles on my AD MA. Nothing particular was being exported, just running scheduled runs. Every once in a while the Synchronization Service seemed to crash.

The error:

The description for Event ID 0 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
Sync
If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

There is an error in Exch2010Extension BeginExportToCd() function.Type: System.Threading.ThreadAbortException

Message: Thread was being aborted.

Stack Trace:    at System.Threading.WaitHandle.WaitOneNative(SafeWaitHandle waitHandle, UInt32 millisecondsTimeout, Boolean hasThreadAffinity, Boolean exitContext)
   at System.Threading.WaitHandle.WaitOne(Int64 timeout, Boolean exitContext)
   at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
   at System.Management.Automation.Runspaces.RunspacePool.Open()
   at System.Management.Automation.RemoteRunspace.Open()
   at Exch2010Extension.Exch2010ExtensionClass.OpenConnection(String uri, PSCredential credential)
   at Exch2010Extension.Exch2010ExtensionClass.BeginExportToCd(String connectTo, String domain, String server, String user, String password)

This particular issue was solved in KB2028634 (FIM 2010 build 4.0.3547.2): check out Synchronization Engine issue 12: The Exchange Serer 2010 PowerShell cmdlets causes the FIM Sync Service to crash when the cmdlets time out.

FIM 2010: stopped-file-embedded-nulls

2011-01-25T21:30:00.001+01:00

I’ve been using CSV files with FIM File-based MA’s now and then and till now I never had any issues. This week I received a new CSV and I had issues getting the configuration of the MA right. To be more precise, whenever I ran a Full Import I got an error stating stopped-file-embedded-nulls. I asked the guys why they put those nulls in the CSV… They had no clue :). They did some PowerShell magic and used the import-csv and export-csv commandlets to generate the CSV.

The error in the Synchronization Manager:

In the event log:

In words: The management agent “MA NAME” failed on run profile “Run Profile Name” because null characters were embedded in the input file. User Action Verify the input file and the code page configuration for the management agent.

After some googling and reading about embedded nulls I opened the CSV using some binary file viewer:

At the begin of the file you can see FF FE which is definitely not supposed to be there. If we simply open the file with notepad, copy paste the contents into a new file, the FF FE values are gone in the resulting file and the import runs just fine. That’s a good workaround for once, but it’s not acceptable to do on a regular base. And it’s sure as hell isn’t a nice answer as to why these symbols are being added by PowerShell!

Some more googling led me to: PowerShell Byte Array And Hex Functions which says: The “0xFF,0xFE” bytes at the beginning of a Unicode text file are byte order marks to indicate the use of little-endian UTF-16. Now that ringed a bell!

My MA had “Western European” as Code page (default): This can be found on the Configure Attributes tab of the File MA configuration.

By clicking change we can choose “Unicode”, which I think is the equivalent of “little-endian UTF-16”.

Either way, running a full import now succeeds just fine!

[Update] As the comment system seems to have acted up both Brian Desmond and Carol Wapshere mailed me and pointed me to the fact that you can just append the “-encoding ASCII” to the export-csv commandlet to avoid the above issue in the first place. Thanks for the tip both of you!

A screenshot of the help section of the export-csv commandlet:

FIM 2010: ma-extension-error Provisioning To Exchange 2010

2011-01-25T20:25:00.001+01:00

In my current project I have an AD MA which is configured to provision for Exchange 2010. My customer has multiple Hub/CAS servers load balanced by a hardware solution. At first I provided a specific server in the Exchange 2010 RPS URI in the AD MA. Once the Exchange guys implemented the changes to Kerberos-enable the CAS array, I switched over to a virtual name. In our lab environment this worked just fine, however in the acceptance environment I kept receiving “ma-extension-error”:

This blocked all exports on the AD MA. In the application event log the following error is show:

In text:

The extensible extension returned an unsupported error.
The stack trace is:

"System.Management.Automation.Remoting.PSRemotingTransportException: Closing remote server shell instance failed with the following error message : The Windows Remote Shell cannot process the request; the selector value 896A7F1D-C68C-4B83-A1FC-904609908059 specified in the request was not found. For more information, see the about_Remote_Troubleshooting Help topic.
   at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
   at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndClose(IAsyncResult asyncResult)
   at System.Management.Automation.Runspaces.RunspacePool.EndClose(IAsyncResult asyncResult)
   at System.Management.Automation.RemoteRunspace.Close()
   at Exch2010Extension.Exch2010ExtensionClass.EndExportToCd()
Forefront Identity Manager 4.0.3531.2"

The most obvious thing to do at this time is to start googling. A very promising link is the Troubleshooting the Exchange Management Shell The above error could be caused by Release Candidate version PowerShell binaries. Well that’s definitely not the case. Using the following PowerShell commands I was able to reproduce the issue from the Synchronization Server:

$user = Get-Credential
$session = New-PSSession -configurationname microsoft.exchange -connectionuri http://virtualurl.demo.com/powershell -credential $user
Enter-PSSession $session

Which gave me the following output:

Enter-PSSession : Starting a command on remote server failed with the following error message : The Windows Remote Shell cannot process the request; the selector value 962F626B-6492-493B-BF42-772C7C6BAFBD specified in the request was not found. For more information, see the about_Remote_Troubleshooting Help topic.

At line:1 char:16

+ Enter-PSSession <<<< $session
+ CategoryInfo : ResourceUnavailable: (:) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException,
Microsoft.PowerShell.Commands.EnterPSSessionCommand

So using netsh I started tracing and soon I saw the light, whereas we asked the networking guys to implement IP Affinity for the load balanced name, they seemed to have forgotten to actually do this… Hence the PowerShell session is being created with one server in the farm, whilst the actual command is probably being sent to another server… Not good!

Conclusion: Whenever you configure a load balancing solution for the Exchange 2010 CAS role, make sure you configure your solution to redirect sessions from the same IP to the same CAS node in the farm. This definitely seems to be a requirement for remote PowerShelling.

FIM New User Password Communication

2011-01-11T21:27:00.001+01:00

I’ve been working with FIM quit a bit, but I never got involved with workflows. Today I saw something passing the FIM forums which I thought is worth blogging about. If it’s no use for you, it will be for me to find it back afterwards anyhow. One of the things with user account creation is the password generation/communication process. Using the FIM declarative provisioning it’s quit straight forward to get a random password generated and flow that out to AD. On the other hand, it would be pretty neat if at the same time the manager for the new employee gets a mail with the username/password. In order to accomplish this you can follow the following steps:

The easiest way to solve this is by using one SR and three activities in an action workflow.

The SR: On the workflow tab on the SR designer, create a parameter called InitialPassword. On the outbound flow tab, map this parameter to the unicode password attribute. The use of a workflow parameter will tell the SR that this value will be calculated in a workflow and passed in by the SR activity.

Activity 1: Function activity to generate a random password
E.g.

Target: [//WorkflowData/Password]
Source: "Pass" + RandomNum(1000,9999) + "word" (This will generate a 12 char password)

Activity 2: SR activity
Select to add the SR. The InitialPassword parameter from the SR is visible. Set its value to [//WorkflowData/Password]

Activity 3: Email activity
Craft an email. Where you want the initial password to appear you enter [//WorkflowData/Password].
All you need now is an MPR and a set to trigger this workflow.

This is just a copy-paste of Andreas Kjellman in Sending user's details in mail

Thanks to Markus for bringing it up: Random password and FIM

Network Tracing Awesomeness

2011-01-06T21:04:00.001+01:00

This is going to be a short one: believe it or not, but there’s an alternative to installing Wireshark (or at least winpcap) on all your servers when troubleshooting network related issues. It actually has been out there ever since Windows 7 and Windows 2008 R2 came out. Using “netsh trace start capture=yes” you can start capturing network traffic. Simply execute “netsh trace stop” whenever you are ready. The result is an .etl file you can open using network monitor 3.2 or later. Awesome #1: no need to install anything!

But it doesn’t stops there: using “netsh trace start capture=yes persistent=yes” tracing will even continue after a reboot. So as soon as the network interface starts communicating, traffic will be captured! Awesome #2: capturing information during the boot process of a server!

Some screenshots:

Some additional information to get you started: http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx

But it doesn’t stops here! IE 9, currently in beta, has a new addition too: a built-in network trace utility! In fact it provides (some?) of the functionality Fiddler provides. I am not that experienced with Fiddler, so I don’t know how to compare them feature-wise, but It’s definitely useful having this built-in. Checking it out for sure!

To start using it: Press F12 –> Network –> Start Capturing

P.S. I am by no means saying you should ditch Wireshark/ Fiddler for Netsh Trace/ IE 9 network tracing. But I think they are great tools to have in your toolbox!

Happy Tracing, Happy New Year!
Thomas

Remote Desktop Session Disconnection Issue

2010-12-21T20:25:00.001+01:00

In the project I’m currently involved in, we have several virtual machines installed with Windows 7 as the operating system. These workstations are used as administration workstations to manage the server infrastructure. Every once and a while someone would get disconnected from their terminal server session. By simply reopening the session they could continue their work. We stumbled upon the following KB article: KB2083411 The article states:

When the policy is refreshed (by default, every 90 minutes, or manually through GPUPDATE), the policy settings are deleted and then reset. During this period, the configuration on the server is temporarily valid. Therefore, all sessions may be disconnected

Because we were enabling remote desktop through GPO, this was the exact issue we were having. We could reproduce it by executing gpupdate in a remote desktop session. The disconnection would not occur every time, but every once in a while. To be more precise when enabling remote desktop through group policies (Allow users to connect remotely using Terminal Services ), the following registry key is set:

The workaround suggested in the KB article is to set the registry key fDenyTSConnections below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server to a value of 0. Basically this is just enabling remote desktop through the registry instead of through the GUI.

If you have to do this on a lot of workstations there are a few options. We first thought to just deploy this using our desktop deployment solution (SCCM). However a colleague of mine had the great idea to just try setting it using group policy preferences. Whenever group policies are being refreshed, everything below HKLM\SOFTWARE\Policies is erased and reset, but group policy preferences operate in an other way. Whenever you set something with group policy preferences, it’s set forever, unless you check the option “remove this item when it is no longer applied”. For some additional information on the differences between GP policy setting and GP preference settings.

Here are also some related topics on the TechNet forums: http://social.technet.microsoft.com/Forums/en/winserverGP/thread/10fb967c-c6c8-480b-8d30-70f0da15cdba and http://social.technet.microsoft.com/Forums/en/winserverGP/thread/cd94ea99-a843-4781-bbcf-7538182511c9

Error Selecting A Certificate When Configuring NPS

2010-12-20T21:23:00.001+01:00

A colleague of mine was trying to configure the NPS (Network Policy Server) role on two Windows 2008 R2 servers (domain controllers) in order to allow the wireless clients to be authenticated. One of the requirements for Protected EAP is a certificate on the server hosting the NPS role. He told me has was seeing a certificate in the personal store of the computer, but he kept receiving the following error: Cannot configure EAP: A certificate could not be found that can be used with this Extensible Authentication Protocol. when trying to select a certificate.

We found out that the NPS role doesn’t like the new Domain Controller Authentication certificate which is supposed to be more or less equivalent to the domain controller certificate from the past.

I’ve configured this a few times in the past, and whenever we were combining the NPS role with a DC I always used the “domain controller” certificate present on the DC. This works just fine. If nobody changed the default auto-enrollment settings in the domain, they should look like this:

A Windows 2008 R2, Enterprise Certificate Authority will have the following templates published by default, I highlighted the relevant ones for Active Directory: Domain Controller, Domain Controller Authentication and Directory Email Replication.

This was different for Standard SKU Windows 2008/2003 Enterprise CA’s, they only had the “domain controller” certificate listed. This was because standard SKU’s couldn’t use V2/V3 templates. You can see the difference in versioning between these templates in the template management mmc. Smaller than 100 means it’s a V1 template:

Here is how the local certificate store of a domain controllers looks like when no auto-enrollment options are configured:

As you can see there’s only one certificate available based on the Domain Controller template. Even without autoenrollment configured a domain controller will try to enroll for such a certificate. This is hardcoded in the domain controller. Just like an EFS client will try to retrieve an EFS certificate. My colleague wasn’t having one certificate though, he was seeing two:

The reason these were enrolled is because auto-enrollment was configured like this:

The checkbox “Update certificates that use certificate templates” enables autoenrollment for issuance of certificates that supersede issued certificates (TechNet: Configure Certificate Autoenrollment). Because both the Domain Controller Authentication and Directory Email Replication templates are configured to supersede the domain controller certificate, a domain controller will no longer have a certificate based on the domain controller template.

The requirements for an EAP certificate are specified in KB814394: Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS. The reason the NPS console doesn’t seems to accept it, is because the Subject is left empty in the Domain Controller Authentication certificate:

I have no idea why they did this, my guess is that they duplicated the domain controller template and forgot to set it. It can be easily set to the domain controller name in a duplicated template:

My advise would be to create a custom template for the NPS servers. This way you can ensure your NPS configuration never becomes invalid because the domain controller certificate is replaced.

P.S. When testing auto enrollment, make sure to execute a gpupdate /force, a gpupdate without the /force doesn’t seem to trigger the auto enrollment process.

Thomas

FIM SSPR: Password History Enforcement Testing Trickiness

2010-12-15T07:40:00.001+01:00

As explained in FIM 2010 SSPR Enforces Password History FIM 2010 can now be configured to enforce the password policies configured in the domain. After implementing this, the first thing you want to do is grab a test account and start testing. You’ll be happy to see the following message after trying to perform a reset with a password which was used before:

It says: “The password you entered does not comply with the security policy. Please choose a new password or check with your system administrator for details on the password policy requirements”. So you go on and try a different password. One which hasn’t been used in the past of course. Still the above message appears. Now I’ll be damned, my SSPR is broken! But is it?

There seems to be a simple explanation: as stated in KB2386717 (The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based computer) not only the Password History is enforced, also the Minimum Password Age is enforced. Meaning you can only reset a password once a day for example. In the screenshot I altered this (temporarily) to 0 days so I could reset a password multiple times. But in our actually policy the Minimum Password Age is 1 day, in the screenshot below I temporarily disabled it by setting it to 0.

This is actually a pretty nasty setting when testing SSPR. Well if the error would say “you can only reset your password once a day, please contact an administrator” that would be a lot better. Of course FIM is not to blame here, this is Active Directory. Whenever you try to change your password at the ctrl-alt-del screen, you’ll get the same message popping up. I can imagine you don’t want to give to much information in your errors as to avoid malicious people being pointed in the good directions…

Access Denied Using An Alias

2010-12-13T21:53:00.001+01:00

To be completely honest this subject has been blogged a lot in the past. However just this Friday I helped a colleague which was having issues setting up DNS aliases for SQL. He seemed to have troubles connecting his Management Studio to SQL. And today I could use the information again when working at a customer which was having issues authenticating to his webserver. So I believe this is still solid information to spread.

So if you hit google with "disableloopbackcheck windows 2008 R2” you get quit some results. And if you search the official KB articles, this registry setting is referenced a lot when dealing with Access Denied errors locally on a machine. All these scenario’s have one thing in common: someone or some service is trying to access a service under an alias and this from on the machine itself.

Simple example scenario: you set up Active Directory Certifcate Services and you choose “pki.contoso.com” as an alias for your Certificate Authority server. After configuring this record in DNS, you try to access this website http://pki.contoso.com/certsrv on the CA itself in vain. After trying to provide correct credentials multiple times it just fails. You are getting that nasty “HTTP Error 401.1 – Unathorized You do not have permission to view this directory or page using the credentials that you supplied”. Accessing this from a remote workstation using the same credentials works just fine.

If this is your problem, are it sounds similar, then this is your solution:

And the list goes on. The workaround is very easy and active immediately: just create a REG_DWORD called DisableLoopbackCheck below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and give it a value of 1

One of the articles actually references the DisableStrictNameChecking registry key. I remember setting this one when accessing a share didn’t worked when using an alias. Must but it’s older brother. Here’s an explanation: kb281308: Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name The reason we’re probably hearing this one a lot less is because since SMB 2.0 (Windows 2008 and up) this is no longer required.

OCS 2007 R2 Client: Outlook Update Is Needed Notification

2010-12-09T12:20:00.001+01:00

At my company (RealDolmen) we use Microsoft OCS for internal communication. I’ve been using Office 2010 for a while now, and one of the things that bugged me is that the OCS client kept complaining about a required update (KB936864). This is a bit odd as this hotfix is for Outlook 2007 and is not applicable to Outlook 2010. After using my google skils I found the following TechNet thread:
http://social.technet.microsoft.com/Forums/en/ocsinterop/thread/1476cca6-5d30-4600-8ef7-80dca443d3ea

The above notification can be easily fixed with uninstalling the “Microsoft Office Access database engine 2007” software.

Windows 7 & Reverse Lookup DNS Registration

2010-12-02T23:04:00.001+01:00

In my current project we have an Active Directory domain where we use Windows DNS servers with domain integrated DNS zones. For the reverse lookup zones we configured secure only updates. As the DHCP servers in this environment are Linux based we would like the clients to update their PTR records themselves. Updating the PTR records means a client registers his name and IP in the reverse lookup zone.

As we noticed that only Windows 7 workstations with a static IP were being registered we started troubleshooting. As an AD guy I was 100% confident we could get this done using GPO’s. However in the past I have seen strange behavior with the GPO settings below Administrative Templates\Network\DNS client section, and today was just the same. Getting this done is not that obvious.

Below Computer Configuration > Policies > Administrative Templates > Network > DNS Client there is a setting called “Register PTR Records”. One could think that this is pretty easy to configure, enable, throw a gpupdate in and off we go. The setting with some additional info:

Although the policy came through just fine, even after a reboot, my client was not registering his PTR record… So I used my 24/7 available free of charge consultant-helpline called google. I stumbled upon the following topic (http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/3a1c9334-54ba-4845-b7c0-ef8ce5454276) where L Ravie Kumar [MSFT] states:

The behavior of Client not registering PTR record by default is modified prior to Windows7 (mostly during Vista time) and is the intended behavior. The Dhcp Server is responsible for performing PTR record registration on behalf of client. Incase if dynamic DNS registration is not enabled on Server (because of which Server doesnot do PTR registration), Client can trigger registration,if "Use this connection's DNS suffix in DNS registration" is selected in adapter properties.

After checking “Use this connection’s DNS suffix in DNS registration” in the advanced TCP/IP settings all went fine. The record appeared in the reverse DNS zone as expected. Even without the above GPO setting configured. I do think you can use the GPO if you want to fine-tune the registration behavior as it contains 3 options.

So all we have to do is implement this in bulk. I haven’t found a way to do this by GPO, I might have missed it though. I thought GPO preferences would be the easiest way, but this setting is located below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{GUID}\RegisterAdapterName and the GUID is different for each system… So no luck there.

The following command can be executed in order the check the required option:

netsh interface ipv4 set dnsservers name="Local Area Connection" source=dhcp register=both

In our environment we deploy all workstations using SCCM so the above is definitely a reasonable solution.

FIM: Updating Set Fails/ Timed Out

2010-11-29T21:23:00.001+01:00

What I will be describing has been explained before to be honest:

However I want to add some additional context information. The issue I was seeing is that with a FIM Portal setup, which has quit some objects in it’s database, certain actions failed. I got the generic FIM Service error when trying to add some conditions to a dynamic set. The errors you receive might differ. Perhaps it’s the generic “an error has occurred”, or you get “Access denied”, or like shown below: Timed out.

In the Event log some errors are displayed as well:

The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.

And in the Forefront Identity Manager log:

The description for Event ID 3 from source Microsoft.ResourceManagement cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Requestor: urn:uuid:7fb2b853-24f0-4498-9534-4e10589723c4
Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(CreateRequestDispatchParameter dispatchParameter)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId)
   at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation)
   at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Put(Message request)

The handle is invalid

As Darryl explained, and this is has been added in the troubleshooting guide as well, you can extend certain timeouts. A general advice: take a backup copy of configuration files you edit. I tend to copy them and change the extension to .dateOfToday.bak or something like that.

For starters we have the web.config for the WSS site hosting the FIM Portal. Typically this is located below c:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config but of course this might be environment specific. If you look for the following part in the web.config you can add “timeoutInMilliseconds” to the resourceManagementClient line.

</System.Workflow.ComponentModel.WorkflowCompiler>
<resourceManagementClient requireKerberos="true" resourceManagementServiceBaseAddress=http://fimsvc.contoso.com:5725 timeoutInMilliseconds="360000" />
<system.webServer>
<httpProtocol>

An other location where you can adjust timeouts is the FIM Service configuration file. This file is typically located in: "c:\Program Files\Microsoft Forefront Identity Manager\2010\Service\” and is called Microsoft.ResourceManagement.Service.exe.config. Look for the following lines:

</system.serviceModel>
<resourceManagementClient resourceManagementServiceBaseAddress="fimsvc.contoso.com" timeoutInMilliseconds="360000" />
<resourceManagementService externalHostName="fimsvc.contoso.com" dataReadTimeoutInSeconds="180" dataWriteTimeoutInSeconds="180" />
<system.diagnostics>
<sources>

In this example I added dataReadTimeoutInSeconds="180" dataWriteTimeoutInSeconds="180" to the resourceManagementService line as well as timeoutInMilliSeconds=”360000”. This will ensure the FIM Service waits long enough when writing or reading data from SQL. After changing the above configuratin files, make sure to perform an iisreset and a restart of the FIM Service!

Besides modifying these timeouts, it’s also advised to regularly update the statistics and rebuild the indexes of your FIM Service Database. To conclude: a TechNet article with addition information regarding the mentioned parameters: TechNet: Registry Keys and Configuration File Settings in FIM 2010

Waking Sleeping Beauty

2010-11-28T23:42:00.001+01:00

I wanted to test something involving Exchange so I opened my d:\Virtual Machines folder on my system and searched for something with exchange on it. I found MBX01 and booted the VM. Oddly I couldn’t log on using my domain admin. It got an error saying the password was wrong. So I logged on using the local administrator. In the event viewer we can see that the machine has been offline for a year + 7 days. However according to AskDS: Machine Account Password Process a machine which is offline for a long period of time should be able to connect to the domain without issues. Either way, if you got the following events in your event log:

NETLOGON, Event ID 3210

This computer could not authenticate with \\DC01.home.local, a Windows domain controller for domain HOME, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

GroupPolicy, Event ID 1129

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

TerminalServices-RemoteConnectionManager, Event ID 1067

The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: Access is denied.

Then I would suggest you reset the machine account password as a possible solution. KB325850: How to use Netdom.exe to reset machine account passwords of a Windows Server domain controller has a nice explanation on how to perform this procedure. The following command can be used:

netdom resetpwd /s:dc01.home.local /ud:home\tvl /pd:*

The command is run on the server which is having issues and the dc01.home.local is a reachable DC. home\tvl is a user with enough privileges in AD to reset the password for the given computer. /pd:* will ensure the command prompts for the password. To finalize the procedure, reboot the server.

As a possible alternative solution: you can re-join the server to the domain. I prefer the password reset though, seems cleaner. When rejoining a server to the domain I like using the following trick: instead of the traditional workgroup,reboot, domain & reboot again, I just change the FQDN of the domain into the NetBIOS name of the domain. Hence I only have to reboot the server once and the server never left the domain…

FIM: Troubleshooting Codeless Provisioning

2010-11-28T22:56:00.001+01:00

One of the coolest features in FIM 2010 is the declarative provisioning. It allows you to do a lot of things by simply clicking together the desired items from within the Portal. The alternative is the “classical rules extensions”. This requires writing .net code to extend the possibilities of an MA. I prefer the declarative provisioning. I’m not saying you should abandon classical all the way though. I’m using the following logic to decide between them:

Can it be done from within the Portal (using normal Synchronization Rules)
If not: can it be done by writing a rule extension to be used in the MA
If not: can it be done by writing a workflow to be used in the Portal

I’ve never done 3 to be honest. Most attribute flows and transformations I can manage by defining flows in the Portal. Creating a unique account name I do with a rules extension. I tend to take the best of two worlds. Some people, often seasoned MIIS/ILM folks, still prefer to use classical rules extensions because of the debugging options. I can’t blame them, with the declarative rules you’re sometimes left alone in the dark. So here are some checks to do when your MA of choice is just refusing to show those “provisioning adds” you desire.

This is how it looks when it’s not working, you run your import and synchronization profiles and no “provisioning adds” are being shown. All you see is some EAF’s back to FIM flowing “Not applied” for the “SynchronizationRuleStatus” attribute. And then you say: What, Not applied? Why? How? It sure as hell isn’t my fault, I did it all by the book!

So here is my list of things to check when it’s just not working. It’s not rocket science, but you might have that “Aaah” moment with one of these.

1. Did you check “Create resource in external system”

2. Do you have at least one “Initial Flow Only” flow configured? Even if you want to have all attributes flowed all the time, you should have at least one “Initial Flow Only” flow. Just add the same flow twice and check it once to have the desired effect if you want the attribute to be flowed always.

3. Is the Outbound Synchronization Rule being added to the object? If it’s not, it’s very likely something is wrong with the definition of the MPR. Or your object isn’t part of the correct set. Or it was already part of set before you created the MPR. Run on policy update might help you here. Verify the provisioning tab of the object:

No SR present:

SR pending:

4. Is the ERE present in the ExpectedRuleList attribute for the object in the Connector Space (CS) of the FIM MA? If it’s not, something is wrong with the import or the selected attributes of the FIM MA.

5. Is the ERE present in the ExpectedRuleList attribute for the object in the Metaverse? If it’s not, something is wrong with the synchronization or IAFs of the FIM MA.

6. Did you enable "Synchronization Rules Provisioning” in the Options for the Synchronization Manager. If it’s not checked, declarative provisioning will be disabled.

If you got all these covered, you should see the desired result:

And the update of the SynchronizationRuleStatus attribute:

This post was writing after providing all of the above as possible solutions for the following thread: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/1aa13147-e16c-4e99-a7da-76e3c9e8c10d

FIM: Enforce Uniqueness For Attribute In Portal

2010-11-24T21:35:00.001+01:00

One of the problems you might have is that you want to restrict your Portal Users/Admins to enter the same value twice for a given attribute. Examples might be the account name or employee id. Jorge has a nice article on how to configure this: http://blogs.dirteam.com/blogs/jorge/archive/2009/12/10/checking-uniqueness-of-an-attribute-in-fim-2010-during-the-create-process.aspx

One of the remarks was that this only works for Resource Control Display Configurations (RCDC’s) in create mode. However on the forum (http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/cc51ca7a-908c-40bf-ae10-f47711dd321b) I read that it would also work in edit mode. So I went ahead and tested. After clicking a user and trying to alter the Account Status (a non-unique enforced attribute) I get the alert for the Account Name attribute (unique-enforced in the RCDC). So it seems that however when only changing one attribute in edit mode, all attributes are checked anyhow. I guess that’s the reason why using the “UniquenessValidationXPath” is not supported/does not work for RCDC’s in edit mode.

Conclusion: RCDC’s cannot enforce the uniqueness of an attribute in edit mode.

WSS Killer Security Update

2010-11-24T21:12:00.001+01:00

As I was toying with RCDC’s in my lab environment I was performing iisresets occasionally. Never had any issues. However when implementing my changes in the Acceptance environment one of the nodes of my FIM Portal servers failed to display the portal after an iisreset. Luckily Jorge blogged about this in June, and I remembered the article. The article of Jorge:
http://blogs.dirteam.com/blogs/jorge/archive/2010/06/29/windows-sharepoint-services-3-0-breaks-after-installing-update-ms-kbq983444.aspx

I went on and checked the installed hotfixes, and the one mentioned by Jorge (KB983444) wasn’t there:

However I saw that a new hotfix became active at the time (day) of my iisreset: KB2345304. It’s pretty clear this hotfix supersedes the previous one. It also mentions this exact issue in the KB article so the solution presented by Jorge still works. Just wanted to warn people out there, this hotfix sneaks in with WSUS/SCCM distributed updates and still seems to cause troubles like in June. My advise would be to install it during the build of your FIM Portal servers although I’m not sure whether a following hotfix won’t possibly break it again…

Thomas, who killed my WSS?!, Vuylsteke

P.S. Not 100% sure if it’s related, but the “SharePoint Services Search Refresh” time job was suddenly enabled again at the same time the hotfix came active… This caused an error and warning every 5 minutes in the event log… This can be disabled in the central administration: operations: timer job definitions section.

FIM SSPR: Password History Enforcement Implementation: SSL Error

2010-11-22T21:20:00.001+01:00

This post is intended for those stumbling upon this exact error. It’s not particular hard to troubleshoot if you watch the System Event log on the FIM Synchronization Server. There’s no AD integrated Certificate Authority in the lab environment where I’m implementing the enforcement of password history. Therefore trusting the root CA, which issued the certificate for the DC, has to be done manually. If you don’t add the certificate of the root CA to the trusted root certificates on the FIM Synchronization Server, the following errors will be shown:

In the Application Log: FIMSynchronizationService Event ID 6328

The server encountered an error while attempting to perform a set/change password operation.

"BAIL: MMS(2528): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=DomainDnsZones,DC=contoso,DC=com to the list because it already exists at position 15
BAIL: MMS(2528): dnutils.cpp(1329): 0x800700b7 (Cannot create a file when that file already exists.): Cannot add partition DC=ForestDnsZones,DC=contoso,DC=com to the list because it already exists at position 16
ERR: MMS(2528): utils.cpp(907): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(2528): utils.cpp(908): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(2528): utils.cpp(963): 0x80070002 (The system cannot find the file specified.)
ERR: MMS(2528): session.cpp(1502): ldap_connect (timeout= secs and usecs) failed
BAIL: MMS(2528): session.cpp(1504): 0x8007003a (The specified server cannot perform the requested operation.)
BAIL: MMS(2528): admaexport.cpp(2683): 0x80231109 (Cannot connect to the server you have specified.)
ERR: MMS(2528): admaexport.cpp(3160): Unable to set the password.
BAIL: MMS(2528): admaexport.cpp(3168): 0x80231109 (Cannot connect to the server you have specified.)
ERR: MMS(2528): ma.cpp(9099): ExportPasswordSet failed with 0x80231109
Forefront Identity Manager 4.0.3561.2"

Graphical:

And in the System Log: Schannel Event Id 36882

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

FIM Build Overview

2010-11-19T23:28:00.001+01:00

The FIM team did it’s best the past few days to put some KB articles out there making the hotfixes available and perhaps even more important explaining what was fixed and which features were added!

build 4.0.2592.0 (RTM)

build 4.0.3531.2 (Update 1): http://support.microsoft.com/kb/978864/

Support for recycle bin, there still is an issue though
Resume full sync capability
Exchange 2010 detection issue for AD MA
Two new MPR’s, make sure to read the post-installation steps
…

build 4.0.3547.2: http://support.microsoft.com/kb/2028634/

Several fixes
Alternative to DirSync permissions for AD MA account: “ADMAUseACLSecurity” registry key
Adds back a checkbox on the AD MA to enable an account to be unlocked when a password is synchronized
CPU usage remaining at 98% after AD MA doing exports
…

build 4.0.3558.2: http://support.microsoft.com/kb/2272389

Several fixes
SSPR QA gate can be extend with a link to the data policy of the organisation through the use of the “PrivacyLink” registry key
Attribute precedence/recall with the FIM MA now works as it should

~~build 4.0.3561.2:~~ ~~http://support.microsoft.com/kb/2417774~~

Several fixes
Support to apply the password history policy

build 4.0.3573.2: http://support.microsoft.com/kb/2417774

Several fixes
Support to apply the password history policy
Solved the export-change-not-reimported issue when the recycle bin is enabled
Asynchronous export for FIM MA

P.S. all rollups are cumulative so you don’t have to install them all. Just pick RTM and your build of choice.

~~I’m definitely awaiting for a fix for the group membership issue with the recycle bin turned on.~~

[Update 1/02/2011] Made some changes to include the latest build (4.0.3573.2)

[Update 27/03/2011] I will not be updating this blogpost any more. For the latest FIM 2010 build info check: TechNet Wiki Article: FIM 2010 Build Overview

FIM SSPR: QA Gate Policy URL

2010-11-18T11:56:00.001+01:00

As mentioned by Anthony in the following topic on the TechNet forums: FIM Password Client Branding? there is a new setting made available to customize the QA gate. When users are registering for SSPR they have to answers various questions, some might be bothered what will happen with the answers. By setting a registry key you can now explain your policy regarding the SSPR functionality or regarding their answers. I assume you need build ~~4.0.3561.2~~ or higher for this to work.

[Update] As stated by Anthony in the comments: build 4.0.3558.2 or higher is ok.

This is how the registration QA looks like without the key set:

This is how the registration QA looks like with the key set:

How to configure this? On each client which has the SSPR add-ins installed you have to create a registry value below the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions\GatePlugins\45C4D8BB-D34C-453d-8346-C9061A2A1E4C
New String (Reg_SZ) with the following name: PrivacyLink
The value for the entry: http://yourwebserver/policylocation

You can easily achieve this with group policy preferences, or just use the FIM 2010 Group Policy Templates.

With thanks to Anthony Ho for the formation.

A security package specific error occurred(1825)

2010-11-17T15:57:00.001+01:00

A while ago I wanted to view the event log of a server. For this task there is no need to log in using remote desktop. However when I fired up the event log viewer and tried to connect to the NetBIOS name of my server I got the following error:

Using remote desktop I could connect just fine to the server. At least that’s what it looked like. Locally I could open the event log without issues. But I saw events which couldn’t possibly be logged on this server. And then it came clear, there was an IP conflict! To be honest it’s a lab environment so these things can happen occasionally.

The reason this fails is because my client (my administration pc) asks AD for a Kerberos Ticket for server x whilst when connecting I’m actually presenting this Kerberos Ticket to server y. This results in a server receiving a ticket encrypted with a password other than it’s own. Result: the above error.

Thomas, we should have updated the CMDB, Vuylsteke

Recovering or Installing an additional FIM Service instance when using Update 1

2010-11-09T18:53:00.001+01:00

One of the possible topologies for the FIM 2010 solution is having your FIM Portal and FIM Service load-balanced across two (or more) servers. In the backend the FIM Service uses the same database for both nodes. However since FIM 2010 Update 1 (KB978864) has been released, installing such a topology got a bit trickier. I will explain the scenario were one node is damaged, no backup exists (woopsie), so we have to re-install the server. In fact this can al be done without data loss as the data resides on the SQL server in the back. For this scenario I will use a single SQL server as it doesn’t matter. It could be a clustered SQL server as well. The topology to start from is the following:

We got two nodes with the FIM Service/Portal at version RTM + Update 1. This means the database is configured for RTM + Update 1. The version of the FIM Service DB can be found in the table called fim.version in the version column. Now suppose we want to reinstall the second node from scratch.

So we got the server team deploy a shiny new 2008 R2 VM and we take our FIM Service setup, go next, next, use existing database and start installing. And then the setup fails. Oh bloody hell. The error shown is not that obvious but if you dig deeper you’ll see it querying the aforementioned FIM.version table before stopping the install.

So what to do? One of the tips I got over at the TechNet forums, was to install the additional node using a temporary database and afterwards re-run the MSI but choosing the change option and pointing to the original DB. I assume this is the only supported way to change the DB. You could also start editing registry keys, but this is probably not supported. So you start the FIM Service setup and in stead of “using the existing database” you provide a name like “FIM Service TEMP”… Oi, Stop!

The FIM Service install for the initial setup added some jobs to the SQL Agent configuration which are run on a scheduled base. We wouldn’t want anything happen to them! Two of the four jobs are disabled, but these seem to be called from the other two jobs. In the screenshot below you can see them. Make sure to temporary rename them. I appended “REN”. As the jobs call each other by name (I think), this might temporary break those jobs. And then proceed with the installation to the FIM Service TEMP DB.

Now your good to go:

This is how the SQL jobs look like after installing a second FIM Service to the same SQL SERVER. You can can see that the same jobs are added again. I can tell you for sure if you don’t rename those jobs, the only remaining jobs will be those for the FIM Service TEMP DB we installed.

As these jobs have references to the actual database, this would break things for sure.

But we got it all covered and RTM is installed so we can continue updating the TEMP DB to the RTM + U1.

Almost there, just relaunch the FIM Service MSI and choose the change option. It’s now possible to point it to the original shared database and finish the setup without problems.

All we have to do now is deleted the temporary database, deleted the jobs added by installing the temporary FIM Service and rename the old jobs back to normal.

In fact the above scenario is almost identical to installing an additional node. As for installation from the ground up there’s an additional possibility: you can install both servers at RTM level with the same database, and then you’ll be able to upgrade them both to Update 1 without issues. The real issue is that you can’t install an RTM Service to a RTM + U1 database.

I can imagine someone having two FIM Service instances point to the same SQL for a lab and production FIM Service instance. When you want to have 2 FIM Service instances use the same SQL Server you’ll have to do some trickery. First you’ll have to rename the jobs, and afterwards you’ll have to make sure the renamed job reference each other with the new name. Upgrading this to newer versions might even be trickier. So the second issue is that you must pay attention to your SQL jobs when installing an additional FIM Service DB on a SQL Server which already hosts a FIM Service DB.

Note: as for the FIM Synchronization server I was able to install an active/standby (2 node) setup using the same database without the above problems. The FIM Synchronization Service seems to be capable of installing a RTM Sync Service to a RTM + U1 database.

Using Windows Explorer together with UAC

2010-11-07T15:11:00.001+01:00

Most Windows management tools behave pretty well with User Account Control (UAC), at least they prompt you for your credentials before actually launching. In the past I already described some of the naughtiness of UAC: Explaining UAC related behavior One of the things that has been bothering me ever since I first met UAC is how the file browser (Windows Explorer) handles UAC.

The problem(s)

One of the dirty things it does for you is adding your account to the ACL of files you normally have access if you are member of the local administrators. This is the prompt you can click continue o-so-easy:

At first sight you’ll be satisfied, after clicking continue and providing your credentials you will see the files & folders. But below the hood your account just got granted access. This doesn’t breaks things, but it’s not nice. The second issue I encounter a lot is when trying to edit a configuration file for an application or service. Or even a easier example: adding an entry to the hosts file. You browse to c:\windows\system32\drivers\etc double click hosts, make your modification and when trying to save…

And after clicking OK you are prompted for a filename and location. Now that’s a lot of hassle to add something to the hosts file.

The workaround:

UAC elevation allows you to start a given application (process) in an other context with your elevated token (where you do have administrator privileges). And that’s where things go wrong with Windows Explorer. Out of the box when a user logs on, one instance of explorer.exe is started and all subsequent instances are running from this instance. As the explorer starts with your limited token (non administrator privileges), all other instances are limited as well.

Below you see multiple explorers open, but only one explorer.exe is listed.

Now there is a modification we can do to alter the behavior of Windows Explorer. We can check “Launch folder windows in a separate process” in the Folder and Search Options.

Whenever we now start multiple Windows Explorer instances, they will all open below the second explorer.exe instance:

This is actually quit remarkable and very subtitle: after setting this option, the first Windows Explorer instance you open, determines under which token the following instances will run.

Automating the workaround:

The “Launch folder windows in a separate process” is a per user setting, and is stored in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced as the value SeparateProcess.

But since we have those almighty cool Group Policy Preferences, we can click this setting together in no time:

1. Create a GPO, or alter an existing one and create a new “Folder Options (Windows Vista) below User Configuration > Preferences > Control Panel Settings > Folder Options

2. At first all settings will be underlined in green, meaning all these will be pushed to the user as listed. We can actually alter this behavior with the F5-F6-F7-F8 keys.

3. Press F8 so all settings are underlined in red: none will be applied to the user

4. Check “Launch folder windows in a separate process” and press F6 to underline that specific setting in green so it will be pushed to the user.

Testing the workaround

The easiest way to start Windows Explorer in elevated mode is to locate in in your start menu below Accessories (or type a part of the name in your start menu) and right click and choose Run As Administrator.

After editing something like the hosts file, you’ll be able to save it without prompts:

Whether you set the setting by hand or by GPO, it’s immediately effective. But as the first instance determines the context, you’ll have to close all open Windows Explorer instances first before you can run Windows Explorer as Administrator. This does not include the explorer.exe process which is started immediately at logon. A lot of workarounds for UAC and Windows Explorer explain how to kill the explorer.exe process and relaunch it from an elevated task manager, but in this case there’s no need to do that.

In my opinion this a rather nice workaround. You still have to elevate the Windows Explorer application yourself. The disadvantage is that everything you launch from within that instance is instantly elevated which defeats the purpose of UAC a bit. But then again, this is nothing different from a command prompt you start as an administrator. In both cases administrators should be aware of the risks which launching items from within elevated processes, be it a command prompt or a Windows Explorer instance.

Some additional information: KB2273047 (User Account Control (UAC) and Windows Explorer)
And my UAC settings are those as described in the Enterprise Client security model ( http://technet.microsoft.com/nl-be/bb679962(en-us).aspx –> Table A30. Security Option Setting Recommendations - User Account Control)

Happy elevating,

Thomas.

FIM 2010 SSPR Enforces Password History

2010-11-06T12:41:00.001+01:00

One of the lacking features of the FIM Self Service Password Reset functionality was the enforcement of some of domain password policy settings. More in particular the password history was not enforced. Users could use SSPR to avoid the “maximum password age” policy setting so they can use the same password over and over again. Now we don’t want that huh!

As announced on the FIM TechNet forums: FIM 2010 Self-Service Password Reset Now Supports All Domain Password Policies we can now actually configure FIM to enforce the password history. There are several requirements though, check KB2443871 (FIM 2010 Self Service Password Reset now supports Enforcement of all domain password policies):

For the PDC domain controller

Hotfix KB2386717: The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based computer
Windows 2008 R2
Certificate to enable LDAP over SSL

These are only required for the PDC. But I would definitely make sure all my DC’s, or at least at the main site where the FIM solution resides, meet these requirements. After all the FSMO PDC role can be transferred for various reasons.

For the FIM solution components

FIM Update ?: KB2417774: the article is not there yet, but the hotfix can be downloaded at http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2417774

There seems to be an error in the explanation as mentioned by Steve on the forums:

Please note that there is an error in the document. The registry value name required for enabling this functionality is incorrect.

Incorrect Version: ADMAEnforcePasswordPolicyHistory

Correct Version: ADMAEnforcePasswordPolicy

Besides the SSPR enhancement, FIM Update ? (Build 4.0.3561.2) will be a very good one. I can confirm from tests in my FIM environments it fixes the following items:

FIM MA Attribute precedence issue: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/1256bf10-3b91-4358-aa2f-32894964e1dc
Attribute recall issue: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/941b44f2-de41-4ec3-9686-f78f1178ac69
Synchronization Service CPU usage: http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/0456bce2-7f5f-45eb-aa0a-c1945d2b7065
…

I think most people now that hotfixes should be installed in a test environment first. Do not let a manager force you to install/configure the enforcement of the password history ASAP. Knowing that FIM update 2 will fix the behavior of the FIM MA, that could alter how your implementation behaves. Especially the precedence change could “break” stuff for you. Test Test Test!

I’m referencing Build 4.0.3561.2 as FIM Update ? But odds are it will be FIM Update 2. Just like KB978864 was FIM Update 1.

Thomas, I want my old password!, Vuylsteke

When a printer needs color ink to print black…

2010-11-04T22:49:00.001+01:00

At home we have a simple Brother DCP-330C printer. It’s an inkjet based printer, has 4 ink cartridges (Black + CYM) and is able to scan a document. All in all a small printer for home usage. Every once in a while my wife wants to print something in gray scale and she starts cursing the color ink cartridges. This weekend we had another episode of this story. It’s Sunday, she wants to print something to use immediately and oh bloody hell, the yellow ink is out. One could think to print in gray scale you wouldn’t need color cartridges… Well not with this device, and it seems a lot of other printers out there have this feature present as well.

The device and next to it the subject of our frustration:

So what do you do when you really need to print, and stores are closed for the next two days? You take the empty cartridge out, you take some tape and start being creative. It seems that a lot of these printers use some optical eye to check through some see-through part in the cartridge whether enough ink is left over. Cover the see-through with some tape and you can fool the printer. It’s probably obvious that you shouldn’t use see-through tape…

After some googling I found someone applying the same workaround. Here is some graphical how to. You can see some black tape being applied to the green highlighted part.

Source: http://forum.gravure-news.com/brother-dcp-330c-refus-d-impression-vt30847.htm

And the original referenced topic: http://www.fixyourownprinter.com/forums/laser/39806 (amazing how long that is)

Thomas, don’t forget to replace that empty cartridge in the end, Vuylsteke

DFS and the OS SKU

2010-11-03T19:51:00.001+01:00

A question often asked when discussing an Active Directory design: “Don’t we need an enterprise OS for our domain controllers?”. This question is mostly asked when thinking about hosting one or more additional DFS namespaces on the domain controllers. The answer is fairly simple:

With a Windows 2008 R2 Standard SKU you can create the following namespaces:

1 standalone namespace (http://www.microsoft.com/windowsserver2008/en/us/r2-compare-roles.aspx)
Multiple domain based namespaces

With a Windows 2008 R2 Enterprise SKU on the other hand you can create:

Multiple standalone namespaces
Multiple domain based namespaces

An example on a Standard SKU, I created several domain based and one standalone:

After trying to create an other standalone namespace:

One of the differences between standalone and domain based namespaces is how you access them:

Standalone: \\server\dfsnamespaceofchoice
Domain: \\domain.tld\dfsnamespaceofchoice

In my opinion it doesn’t really make sense to create a standalone namespace on a domain controller. Creating such a namespace on of your domain controllers makes that DC “special”. I don’t like “special” –don’t reboot that DC – domain controllers. Above that if you want the standalone namespace to be high available you need to cluster it. Again domain controllers should not reside on cluster nodes.

An other point: domain based namespaces don’t have to be hosted on domain controllers. They can, but it’s not a must. All you have to keep in mind is that you have to add multiple name servers yourself. This won’t happen automagically.

In the past the above wasn’t always like that. Somewhere in the past this was changed for Windows 2003: http://support.microsoft.com/default.aspx?scid=kb;en-us;903651

So to conclude: if you aren’t going to host standalone namespaces on your DC’s, you do not need a enterprise OS for the DFS part.

Quick Tips

2010-10-27T22:31:00.001+02:00

Today some quick tips regarding FIM:

Usage Keywords

In the portal configuration here and there Usage Keywords have to be configured. They can be used on Navigation Bar Resources and Home Page Configurations. If you use them there you can choose them as you like them. All you have to do is use those same keywords in the appropriate set creation (condition: Usage Keyword contains keywordOfChoice) and then apply MPR’s so users can see those items on the Portal. In other words these Usage Keywords are used to control permissions.

Search Scopes however also use Usage Keywords, although in a slightly different way: these keywords determine if the Search Scope will appear in the Search within: drop down list for the resource page that the Keyword relates to. Explained in other words: if you want a Search Scope to appear whenever your showing a page which contains set, the correct Usage Keyword will be Set. If on the other hand you create a new object like “Computer”, then your Search Scopes will have to use the Usage Keyword “Computer”. This might be obvious, but it took me a while to figure out.

Search Scope based on the members of a set

If you want a given Search Scope to only return the members of set, you can use the following filter, watch out: filters are case sensitive. I used the ObjectID of the set so it would survive renames.

/Set[ObjectID='511dc29b-efa7-4c9f-9d77-f2f9b1e0480']/ComputedMember

Modification in portal fails, but is actually executed

Sometimes when configuring creating items in FIM like a Synchronization Rule, an MPR or just a simple Set, after submitting an error is shown. You click the error away, the page refreshes and there is your object… Huh? Is the Portal going nuts? Not at all, it’s just a timeout which might be to edgy, Darryl Russi has a nice post about it: Extending FIM Timeouts and it seems that his advice has been added to the FIM troubleshooting tips section on TechNet (Troubleshooting FIM 2010) as well.

And completely unrelated to FIM:

Since Windows 2008 the network connections, the overview of the network adapters, was put deeper away. Well the Network and Sharing Center came in between to be more precise. If you want to change or verify a network adapter its settings, it’s a lot more easier doing Start – Run – ncpa.cpl.

Creation of trust fails: cannot continue

2010-10-27T22:18:00.001+02:00

I recently had to create some trusts between some domains in a lab environment. After creating a few trusts, suddenly I received the following error in the New Trust Wizard:

The operation failed. The error is: cannot create a file when that file already exists.

One could think what the hell do I need a file for when creating trusts…A quick google lead me to the suspicion that some of my domains had the same domain SID… Besides using adsiedit, ADUC or other tools, here is an easy way to determine the domain SID with a small vbsctipt, make sure to replace the user and domain with correct values. The user can be any existing user you like.

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='user',Domain=domain")
Wscript.Echo objAccount.SID

Run this by double clicking, which will give you a popup or just execute it from the commandline: cscript getsid.vbs to be able to get the SID in a copy pasteable format.

The impact of having two domains with the same SID is big. They can never have a trust between them:

Or can never have a trust with a common partner:

How do you wind up in this situation? By being to lazy to perform a sysprep… If you clone a server image, and perform a dcpromo of both the base and the clone, you will have identical Domain SIDs…

The case of the attributes that didn’t wanted to be exported, or at least, very slowly

2010-10-14T21:55:00.001+02:00

Today I had a rather unpleasant experience with my FIM setup. I had to do an update for one specific attribute for approximately 4000 objects in the portal. The FIM Synchronization Service did its magic stuff and was ready to start the exports. When I started the export I saw the fist 100-200 objects being exported rather fast, but then the export was painfully slow. I know the FIM Service MA is the slowest child in the FIM MA family, but past exports (updates to attributes) had been way faster. To be precise, I had now exported 700 updates in approximately 15 minutes.

Again, with my partner in crime Jeroen, we started investigating the SQL side of stuff. Below is how we got to the root cause using SQL Server Profiler:

To start the SQL Server Profiler: Start –> All Programs –> SQL 2008 –> Performance Tools –> SQL Server Profiler
To start a new trace: File –> New Trace
Connect to SQL Server hosting the FIM Service database
The first tab of the trace is less important, however on the second tab we select the following options:

Show all events
Check TextData for RPC:Completed
Check SP:Completed
Check Showplan XML (below the Performance section)

It should look like this:

And the showplan xml below performance:

Click Run and you’re set to go! If you want you can toggle the live scrolling. Using ctrl-f (find) you can search for a string which is very likely to show up in the actual query. Because we selected textdata in the event selection of the trace, we can actually search the content of the queries! So in my case I searched for “title” as I was updating the “job title” attribute.

Besides the actual query, what’s import here is the duration column. It’s expressed in milliseconds, and I was seeing values of 5000 and going up badly. So basically it took SQL 5 seconds to toggle an attribute from string a to string b. Now that’s a SQL which is really tired or being fed with poor queries. The screenshot shows a value of 999 which means less than 1 second. This is how it was when I fixed the situation. Now that we have the query, we can start examining which part of the query is bullying the SQL service by viewing the showplan above the query (the first showplan you come by above the query). Select it, where the query was displayed seconds ago, we now have a graphical overview which gives an estimation of several steps in the query:

Dixit my colleague, there are steps like tablescan (very bad if the table is big) or sorts, where you can’t do much optimization from our point of view. However the other operations in this query, which cost quit some CPU time according to the estimates, are index seeks. In the above screenshot I highlighted the indexes being accessed. They belong to the objectvalueidentifier table and the objectvaluereference table. Using the SQL management studio you can look them up, the database:

The table with the Indexes below:

To see the actual fragmentation there are some options: you can click the indexes one by one, choose properties and check the fragmentation tab or you can click rebuild all and see the current state for all indexes at once:

This is how it looks after the rebuild. Before the rebuild I had one index which had 16% fragmentation. It’s very likely that this index was slowing the SQL down.

The alternative way of viewing the fragmentation:

And of course real men use a query. Well I don’t have it… yet

After performing a rebuild and continuing the export profile, I got about 1000 updates in 5 minutes. So there was really a big difference there. What did I learn? Oh so cool SQL troubleshooting, again And besides that: database management is really not to be ignored when you are working with FIM. I actually had rebuilt the indexes two days ago, but when you’re changing data frequently, I guess it’s advised to monitor the fragmentation even closer.

Again, thanks Jeroen for sharing your knowledge and providing me a solution for my problem.

Thomas, I’ll bing for that query asap, Vuylsteke

FIM: Send Password Expiration Notifications

2010-10-10T11:11:00.001+02:00

Recently someone asked on the TechNet forums if FIM was capable of sending notifications when someone’s password was about to expire. Brian Desmond replied with a short overview of the necessary steps, and I thought Id just try it out. Below is a step by step guide, feel free to comment and suggest improvements.

[Update2] Brad took the time to write a nice wiki article regarding this topic. I definitely advise you to read it as it’s way more complete and explained very thoroughly.

[Update] Jorge responded in the thread on the TechNet forums and made a good remark: this scenario is only 100% reliable when the DFL is 2003 are lower. It will work in a 2008 or higher DFL, but then you’re potentially facing Fine-Grained Password policies, which make this stuff more complex, but not undoable. Stay tuned for a solution to tackle this problem!

Create a new MV attribute for the Person object
- Attribute name: pwdLastSet
- Atttribute type: String (indexable)
Create a new attribute in the FIM Portal Schema
- Administration –> Schema Management –> All Attributes –> New
- System name: pwdLastSet
- Display name: Password Last Set Date
- Data type: Datetime
- Finish –> Submit
Create a new binding for the attribute
- Administration –> Schema Management –> All Bindings –> New
- Resource Type: User
- Attribute Type: Password Last Set Date
- Finish –> Submit
Update Synchronization Engine MPR
- Management Policy Rules –> Search for “Synchronization: Synchronization account controls users it synchronizes”
- Click it –> choose Target resources tab
- Click the browse button next to the “Select Specific Attributes”
- Search for “Password Last Set Date” and select it
- Ok –> Ok –> Submit
Update the Administrator MPR
- Management Policy Rules –> Search for “Administration: Administrators can read and update Users”
- Click it –> choose Target resources tab
- Click the browse button next to the “Select Specific Attributes”
- Search for “Password Last Set Date” and select it
- Ok –> Ok –> Submit
Update Administrator filter permissions
- Administration –> Filter Permissions –> Administrator filter permissions
- Permitted filter permissions
- Click the browse button next to the Allowed Attributes
- Search for “Password Last Set Date” and select it
- Ok –> Ok –> Submit
Refresh the FIM Service MA schema
- In the Synchronization Manager: right click the FIM MA and choose refresh schema
Configure the FIM Service MA to flow pwdLastSet
- Double click the FIM MA and choose Select Attributes
- Select pwdLastSet
- Now choose Configure Attribute Flow
- Create an export flow for the Person Object Type: pwdLastSet (FIM)– pwdLastSet (MV) (Export, allow null)
Create a rules extension (custom Import Attribute Flow) for the AD MA:
- The code:
  Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
          Select Case FlowRuleName
              Case "IAFupdatePwdLastSet"
                  If (csentry("pwdLastSet").IsPresent) Then
                  If (csentry("pwdLastSet").Value <> "0") Then
                      Dim dtFileTimeUTC As DateTime = DateTime.FromFileTimeUtc(csentry("pwdLastSet").IntegerValue)
                      mventry("pwdLastSet").Value = dtFileTimeUTC.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'")
                  Else
                      mventry("pwdLastSet").Delete()
                  End If
                End If
               Case Else
                  Throw New EntryPointNotImplementedException()
          End Select
      End Sub
- A screenshot:
Configure the AD MA to flow pwdLastSet
- Double click the AD MA and choose Select Attributes
- Select pwdLastSet
- Now choose Configure Attribute Flow
- Create an advanced import flow for the Person Object Type: pwdLastSet (AD) – pwdLastSet (MV), extension: IAFupdatePwdLastSet
Create a set in the Portal which will hold all accounts having a password which will expire in 5 days
- Sets –> New
- Name: Demo Password Expires in 5 days
- Enable criteria-based membership in current set
- Select user that match all of the following conditions:
- Password Last Set Date prior to 55 days ago
  (in my example passwords must be changed every 60 days, and I want to warn them 5 days ahead, it’s just an example)
- Finish –> Submit
Create an email template for the notification
- Administration –> Email Template –> New
- Name: Password Expiration Notification
- Subject: Password for [//Target/AccountName] will expire in 5 days
- Body:
  Dear,
  <br>
  <br>
  The password for your Account ([//Target/Domain]\[//Target/AccountName]) will expire in 5 days.
  <br>
  <br>
  You can reset the password in the option panel of the webmail (https://webmail.demo.local)
Create a workflow to send the notification
- Workflows –> New
- Workflow Name: Demo Password Expiration Notification
- Workflow Type: Action
- Activities: select notification
- Recipients: click lookup, select target and click ok. It should fill in [//Target] for you
- Email Template: Password Expiration Notification
- Save –> Finish –> Submit
Create an MPR to trigger the notification
- Management Policy Rules –> New
- Display Name: DEMO Password Expiration Notification
- Type: Set Transition
- Transition Definition:
- Transition Set: Demo Password Expires in 5 days
- Transition Type: Transition In
- Select the workflow we just created (Demo Password Expiration Notification)

Whenever the password will expire in 5 days, the user should get an email like the example below:

About the datetime data type in the FIM Portal: Contributing datetime values to the FIM Portal

Updating a server’s security group membership without rebooting

2010-10-08T10:29:00.001+02:00

At TEC I had a conversation with someone asking me how they could flush the Kerberos tickets of a computer account without rebooting. In the past they used some trick which launched a task in the Local System context and executed “klist –purge” but that didn’t seem to work no longer for 2008 (R2?).

There is actually something which is much easier: you can execute “klist –li 0x3e7” to target the logon session of the computer account.

And if you want to purge them, just execute “klist –li 0x3e7 purge”.

This will work on any system, client or server, regardless the OS version. The 0x3e7 is an identifier which always points to the computer account logon session. Using logonsessions.exe from the Sysinternals tools, you can actually try to find out id’s for other active sessions. You could use this to get the session id of a service account, and then retrieve it’s current Kerberos tickets. Cool eh! Besides using logonsessions.exe, you can also try to find these IDs in the security event log.

Flushing the Kerberos tickets of a computer can be useful if you want to force the computer having the latest group membership in its token. This way your newly configured GPO’s (with security filtering based on a group) will be applied immediately (after running gpupdate).

Avoiding an AD schema extension: extensionAttributes1-15 a good choice?

2010-10-08T09:56:00.001+02:00

This week I attended “Designing and Planning AD Schema Extensions”, a session given by Brian Desmond at TEC Europe. During the session someone in the audience gave the remark that besides the “physicalDeliveryOffice” and “drink” attributes, the extensionAttribute1-15 are also often used to store company data. These extensionAttributes are in fact contributed by a schema extension from Exchange. They are there to use, but some Exchange actions do impact the content of these attributes!

Below are some screenshots of the timestamps which show which attributes were touched after doing a certain action, In the first one I created a new user and using ADUC I’ve set a value for each extensionAttribute. The user was created at 15:52, the attributes were set at 15:55.

After using the Exchange 2010 Management Tools to create a mailbox for this user, the timestamps look like the screenshot below, you can see a lot of attributes got added at 15:58, but the extensionAttributes didn’t got touched. So no problems so far.

After Disabling the mailbox using the Exchange 2010 Management Tools things look differently, besides the expected Exchange related attributes, also all of the extensionAttributes are touched at the exact same time: 16:01. In fact, using ADUC you can verify that all extensionAttributes are empty.

This doesn’t have to be a problem, as long as you take it into account. Perhaps if you have FIM in your environment, things get automagically corrected afterwards. Perhaps emptying the attributes is part of your deprovisioning process anyhow. But on the other hand, this might also be the explanation why some users have lost the content for these attributes. Besides the impact of Exchange, using the extensionAttributes however is tricky, you never know what third party application is going to store its data there. As Brian said during his session, don’t be afraid to extend the schema, just think/plan it thoroughly.

FIM SSPR Unlock Delegation UI Configuration

2010-10-02T13:33:00.001+02:00

Whilst the SSPR Unlock Delegation configuration is explained quit accurate in the TechNet article I referenced in my previous post, the UI configuration is completely left aside. Out of the box the Helpdesk group in this scenario is not part of the administrator set. Why else would you delegate then? Hence they don’t have the “Unlock Users” links. This post will explain how to create the necessary sets and Management Policy Rules (MPRs) so that people who are in the Helpdesk set can unlock users from SSPR.

All UI elements, like Home Page configurations and Navigation Bar resources, can be combined in a set by adding a specific keyword to these resources. This keyword is called the “Usage Keyword”. Out of the box you have several UI resources. By adding you keyword of choice to a subset of these resources, you can create a dynamic set which contain the resources of these subset.
- Usage Keyword of choice: helpdeskUI
Now it’s time to configure the necessary Home Page configurations with the chosen Usage Keyword. In the Administration section of the portal you can find the Home Page Configurations section, for each of the referenced configurations, add the keyword helpdeskUI to the Usage Keyword (first tab of the properties) .
1. Administration
2. Unlock Users
The previous step will show the Unlock Users shortcut below the Administration in the right hand side of the Portal homepage. If you want to add this shortcut to the navigation bar on the left side, follow the following steps:
1. Go to Administration
2. Choose Navigation Bar Resources
3. Click New to Create a new Navigation Bar Resource and use the following parameters:
  - Display Name: Unlock Users
  - Usage Keyword: helpdeskUI
  - Parent Order: 3 (So it’s shown below the Users Navigation resource)
  - Order: 4
  - Navigation Url: ~/IdentityManagement/aspx/authnadmin/AllAuthNUsers.aspx
  - Localization: if you got Language Packs installed, you can copy these values from the Home Page Configuration “Unlock Users”
Create the necessary sets: to be able to see something in the portal, you have to be granted permissions to the UI elements. To be able to grant permissions, you need sets: one to define who you are granting permissions to, and one to define who/which the permissions will apply for.
- Helpdesk
  - Manually managed, contains users which are part of the Helpdesk team
- All Helpdesk Home Page Configurations
  - Criteria-based membership
  - All Home Page Configurations that match All of the following :
  - Usage Keyword contains helpdeskUI
- All Helpdesk Navigation Bar Configurations
  - Criteria-based membership
  - All Navigation Bar Resources that match All of the following :
  - Usage Keyword contains helpdeskUI
- All Helpdesk Configuration Objects:
  - Criteria-based membership
  - All Resources that match Any of the following:
  - Resource ID in All Helpdesk Home Page Configurations
  - Resource ID in All Helpdesk Navigation Bar Configurations
- These sets are constructed just like the FIM out of the box UI for regular users:
Now we have created the base elements for configuring the UI elements and the MPRs. Although the sets are populated, we still have to configure the actual granting of permissions:

Go to Management Policy Rules
Choose New and use the following parameters:
Type: request
Specific Set of Requestors: Helpdesk
Operation:Read resource
Permissions: Grants permission
Target Resource Definition After Request: All Helpdesk Configuration Objects
Resource attributes: All attributes

Execute IISRESET on your portal server

If we want to test the above scenario, all we have to do is add a user to the set Helpdesk. After logging on to the portal this user will have the required UI elements to search for users and unlock them if necessary.