Quick Tips

Published on Wednesday, October 27, 2010

Today some quick tips regarding FIM:

Usage Keywords

In the portal configuration, Usage Keywords have to be configured here and there. They can be used on Navigation Bar Resources and Home Page Configurations, and there you can choose them as you like. All you have to do is use those same keywords in the appropriate set definition (condition: Usage Keyword contains keywordOfChoice) and then apply MPRs so users can see those items in the Portal. In other words, these Usage Keywords are used to control permissions.

Search Scopes also use Usage Keywords, although in a slightly different way: for a Search Scope the keyword determines whether it will appear in the “Search within:” drop-down list on the resource page the keyword relates to. In other words: if you want a Search Scope to appear whenever you are showing a page that lists sets, the correct Usage Keyword is Set. If on the other hand you create a new object type like “Computer”, then your Search Scopes will have to use the Usage Keyword “Computer”. This might be obvious, but it took me a while to figure out.

Search Scope based on the members of a set

If you want a given Search Scope to only return the members of a set, you can use the following filter (watch out: filters are case sensitive). I used the ObjectID of the set so it would survive renames.


Modification in portal fails, but is actually executed

Sometimes when creating items in FIM like a Synchronization Rule, an MPR or just a simple Set, an error is shown after submitting. You click the error away, the page refreshes and there is your object… Huh? Is the Portal going nuts? Not at all, it’s just a timeout which might be too tight. Darryl Russi has a nice post about it: Extending FIM Timeouts, and it seems that his advice has been added to the FIM troubleshooting tips section on TechNet (Troubleshooting FIM 2010) as well.

And completely unrelated to FIM:

Since Windows 2008 the Network Connections view, the overview of the network adapters, has been tucked away deeper; to be more precise, the Network and Sharing Center came in between. If you want to change or verify a network adapter’s settings, it’s a lot easier to do Start – Run – ncpa.cpl.


Creation of trust fails: cannot continue


I recently had to create some trusts between some domains in a lab environment. After creating a few trusts, suddenly I received the following error in the New Trust Wizard:

The operation failed. The error is: cannot create a file when that file already exists.


One could think: what the hell do I need a file for when creating trusts… A quick Google search led me to suspect that some of my domains had the same domain SID. Besides using ADSI Edit, ADUC or other tools, here is an easy way to determine the domain SID with a small VBScript; make sure to replace the user and domain with the correct values. The user can be any existing user you like.

' Query WMI on the local machine for one user account of the domain in question
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Both key values in the WMI object path must be quoted: replace user and domain
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='user',Domain='domain'")
' The SID of any user is the domain SID followed by the user's RID
Wscript.Echo objAccount.SID

Run this by double clicking, which will give you a popup, or execute it from the command line (cscript getsid.vbs) to get the SID in a copy-pasteable format.
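The reason any existing user will do is that a user SID is the domain SID with the user’s relative identifier (RID) appended, so stripping the last component gives the domain SID. The following Python snippet is an added example and not part of the original post: it strips the RID from the SIDs the script above echoes (one user per domain) and reports domains that share a domain SID. The domain names and SID values are constructed sample data.

```python
import re

# A domain principal SID looks like S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>:
# the S-1-5-21 prefix plus the three sub-authorities is the domain SID, and the
# trailing RID identifies the principal inside that domain.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def domain_sid(principal_sid: str) -> str:
    """Strip the RID so two user SIDs from the same domain compare equal."""
    if not SID_RE.match(principal_sid):
        raise ValueError(f"not a domain principal SID: {principal_sid}")
    return principal_sid.rsplit("-", 1)[0]


def find_duplicate_domain_sids(sids_by_domain: dict) -> dict:
    """Group domain names by their domain SID and keep only the SIDs shared by
    more than one domain: those pairs can never trust each other."""
    groups = {}
    for domain, sid in sids_by_domain.items():
        groups.setdefault(domain_sid(sid), []).append(domain)
    return {sid: domains for sid, domains in groups.items() if len(domains) > 1}


# Constructed sample: one user SID per domain, as echoed by getsid.vbs.
# clone.lab.local was promoted from an un-sysprepped clone of corp.lab.local.
SAMPLE_SIDS = {
    "corp.lab.local": "S-1-5-21-1000000001-2000000002-3000000003-1104",
    "child.lab.local": "S-1-5-21-4000000004-5000000005-6000000006-500",
    "clone.lab.local": "S-1-5-21-1000000001-2000000002-3000000003-1125",
}

if __name__ == "__main__":
    for sid, domains in find_duplicate_domain_sids(SAMPLE_SIDS).items():
        print(f"domain SID {sid} is shared by: {', '.join(domains)}")
```

Different RIDs (1104 versus 1125) do not matter; only the domain part is compared, which is exactly why the script can use any user in the domain.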

The impact of having two domains with the same SID is big. They can never have a trust between them:


Or can never have a trust with a common partner:


How do you wind up in this situation? By being too lazy to perform a sysprep… If you clone a server image and perform a dcpromo of both the base and the clone, you will have identical domain SIDs…


The case of the attributes that didn’t wanted to be exported, or at least, very slowly

Published on Thursday, October 14, 2010

Today I had a rather unpleasant experience with my FIM setup. I had to do an update of one specific attribute for approximately 4000 objects in the portal. The FIM Synchronization Service did its magic stuff and was ready to start the exports. When I started the export I saw the first 100-200 objects being exported rather fast, but then the export was painfully slow. I know the FIM Service MA is the slowest child in the FIM MA family, but past exports (updates to attributes) had been way faster. To be precise, I had now exported 700 updates in approximately 15 minutes.

Again, with my partner in crime Jeroen, we started investigating the SQL side of stuff. Below is how we got to the root cause using SQL Server Profiler:

To start the SQL Server Profiler: Start –> All Programs –> SQL 2008 –> Performance Tools –> SQL Server Profiler
To start a new trace: File –> New Trace
Connect to SQL Server hosting the FIM Service database
The first tab of the trace is less important; on the second tab (Events Selection) we select the following options:

  • Show all events
  • Check TextData for RPC:Completed
  • Check SP:Completed
  • Check Showplan XML (below the Performance section)

It should look like this:


And the showplan xml below performance:


Click Run and you’re set to go! If you want you can toggle the live scrolling. Using Ctrl-F (find) you can search for a string which is very likely to show up in the actual query. Because we selected TextData in the event selection of the trace, we can actually search the content of the queries! So in my case I searched for “title” as I was updating the “job title” attribute.


Besides the actual query, what’s important here is the Duration column. It’s expressed in milliseconds, and I was seeing values of 5000 and going up badly. So basically it took SQL 5 seconds to toggle an attribute from string a to string b. Now that’s a SQL Server which is really tired or being fed with poor queries. The screenshot shows a value of 999, which means less than 1 second; this is how it was after I fixed the situation. Now that we have the query, we can start examining which part of the query is bullying the SQL service by viewing the showplan above the query (the first showplan you come by above the query). Select it, and where the query was displayed seconds ago we now have a graphical overview which gives an estimation of the cost of the several steps in the query:


Dixit my colleague, there are steps like table scans (very bad if the table is big) or sorts, where you can’t do much optimization from our point of view. However, the other operations in this query, which cost quite some CPU time according to the estimates, are index seeks. In the above screenshot I highlighted the indexes being accessed. They belong to the ObjectValueIdentifier table and the ObjectValueReference table. Using SQL Server Management Studio you can look them up in the database:


The table with the Indexes below:


To see the actual fragmentation there are some options: you can click the indexes one by one, choose properties and check the fragmentation tab or you can click rebuild all and see the current state for all indexes at once:


This is how it looks after the rebuild. Before the rebuild I had one index which had 16% fragmentation. It’s very likely that this index was slowing the SQL down.


The alternative way of viewing the fragmentation:


And of course real men use a query. Well, I don’t have it… yet.

After performing a rebuild and continuing the export profile, I got about 1000 updates in 5 minutes. So there was really a big difference there. What did I learn? Oh so cool SQL troubleshooting, again. And besides that: database management is really not to be ignored when you are working with FIM. I had actually rebuilt the indexes two days ago, but when you’re changing data frequently, I guess it’s advised to monitor the fragmentation even closer.

Again, thanks Jeroen for sharing your knowledge and providing me a solution for my problem.

I’ll Bing for that query ASAP.

Thomas Vuylsteke


FIM: Send Password Expiration Notifications

Published on Sunday, October 10, 2010

Recently someone asked on the TechNet forums whether FIM was capable of sending notifications when someone’s password was about to expire. Brian Desmond replied with a short overview of the necessary steps, and I thought I’d just try it out. Below is a step by step guide; feel free to comment and suggest improvements.

[Update2] Brad took the time to write a nice wiki article regarding this topic. I definitely advise you to read it as it’s way more complete and explained very thoroughly.

[Update] Jorge responded in the thread on the TechNet forums and made a good remark: this scenario is only 100% reliable when the DFL is 2003 or lower. It will work in a 2008 or higher DFL, but then you’re potentially facing Fine-Grained Password Policies, which make this stuff more complex, but not undoable. Stay tuned for a solution to tackle this problem!

  1. Create a new MV attribute for the Person object
    • Attribute name: pwdLastSet
    • Attribute type: String (indexable)
  2. Create a new attribute in the FIM Portal Schema
    • Administration –> Schema Management –> All Attributes –> New
    • System name: pwdLastSet
    • Display name: Password Last Set Date
    • Data type: Datetime
    • Finish –> Submit
  3. Create a new binding for the attribute
    • Administration –> Schema Management –> All Bindings –> New
    • Resource Type: User
    • Attribute Type: Password Last Set Date
    • Finish –> Submit
  4. Update Synchronization Engine MPR
    • Management Policy Rules –> Search for “Synchronization: Synchronization account controls users it synchronizes”
    • Click it –> choose Target resources tab
    • Click the browse button next to the “Select Specific Attributes”
    • Search for “Password Last Set Date” and select it
    • Ok –> Ok –> Submit
  5. Update the Administrator MPR
    • Management Policy Rules –> Search for “Administration: Administrators can read and update Users”
    • Click it –> choose Target resources tab
    • Click the browse button next to the “Select Specific Attributes”
    • Search for “Password Last Set Date” and select it
    • Ok –> Ok –> Submit
  6. Update Administrator filter permissions
    • Administration –> Filter Permissions –> Administrator filter permissions
    • Permitted filter permissions
    • Click the browse button next to the Allowed Attributes
    • Search for “Password Last Set Date” and select it
    • Ok –> Ok –> Submit
  7. Refresh the FIM Service MA schema
    • In the Synchronization Manager: right click the FIM MA and choose refresh schema
  8. Configure the FIM Service MA to flow pwdLastSet
    • Double click the FIM MA and choose Select Attributes
    • Select pwdLastSet
    • Now choose Configure Attribute Flow
    • Create an export flow for the Person Object Type: pwdLastSet (FIM) – pwdLastSet (MV) (Export, allow null)
  9. Create a rules extension (custom Import Attribute Flow) for the AD MA:
    • The code:

      ' Custom import attribute flow for the AD MA. AD stores pwdLastSet as a
      ' FILETIME (100-nanosecond ticks since 1601-01-01, UTC); the FIM Portal
      ' Datetime attribute expects an ISO 8601 string, so convert it here.
      Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
          Select Case FlowRuleName
              Case "IAFupdatePwdLastSet"
                  ' A value of 0 means "user must change password at next logon":
                  ' there is no real date to contribute, so leave the MV attribute alone
                  If csentry("pwdLastSet").IsPresent Then
                      If csentry("pwdLastSet").Value <> "0" Then
                          Dim dtFileTimeUTC As DateTime = DateTime.FromFileTimeUtc(csentry("pwdLastSet").IntegerValue)
                          mventry("pwdLastSet").Value = dtFileTimeUTC.ToUniversalTime().ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'")
                      End If
                  End If
              Case Else
                  ' Any other flow rule name is a configuration error in the MA
                  Throw New EntryPointNotImplementedException()
          End Select
      End Sub

    • A screenshot: 
  10. Configure the AD MA to flow pwdLastSet
    • Double click the AD MA and choose Select Attributes
    • Select pwdLastSet
    • Now choose Configure Attribute Flow
    • Create an advanced import flow for the Person Object Type: pwdLastSet (AD) – pwdLastSet (MV), extension: IAFupdatePwdLastSet
  11. Create a set in the Portal which will hold all accounts having a password which will expire in 5 days
    • Sets –> New
    • Name: Demo Password Expires in 5 days
    • Enable criteria-based membership in current set
    • Select users that match all of the following conditions:
    • Password Last Set Date prior to 55 days ago
      (in my example passwords must be changed every 60 days, and I want to warn users 5 days ahead; it’s just an example)
    • Finish –> Submit
  12. Create an email template for the notification
    • Administration –> Email Template –> New
    • Name: Password Expiration Notification
    • Subject: Password for [//Target/AccountName] will expire in 5 days
    • Body:

      The password for your Account ([//Target/Domain]\[//Target/AccountName]) will expire in 5 days.
      You can reset the password in the option panel of the webmail (https://webmail.demo.local)

  13. Create a workflow to send the notification
    • Workflows –> New
    • Workflow Name: Demo Password Expiration Notification
    • Workflow Type: Action
    • Activities: select notification
    • Recipients: click lookup, select target and click ok. It should fill in [//Target] for you
    • Email Template: Password Expiration Notification
    • Save –> Finish –> Submit
  14. Create an MPR to trigger the notification
    • Management Policy Rules –> New
    • Display Name: DEMO Password Expiration Notification
    • Type: Set Transition
    • Transition Definition:
    • Transition Set: Demo Password Expires in 5 days
    • Transition Type: Transition In
    • Select the workflow we just created (Demo Password Expiration Notification)

Whenever a password will expire in 5 days, the user should get an email like the example below:
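To make the arithmetic behind steps 9 and 11 explicit, here is an added Python example (not part of the original post, and not FIM code): it performs the same FILETIME-to-portal-string conversion as the rules extension, then evaluates the “prior to 55 days ago” set criterion and the resulting state of an account for a given point in time. The maximum password age (60 days) and warning window (5 days) are the post’s example values and are parameters, so the same logic can be applied per policy when Fine-Grained Password Policies are in play. The sample pwdLastSet value and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD pwdLastSet FILETIME to a timezone-aware UTC datetime."""
    # integer division by 10 turns 100 ns ticks into microseconds
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_portal_string(filetime: int) -> str:
    """Same layout the rules extension writes to the MV: yyyy-MM-ddTHH:mm:ss.000 (UTC)."""
    return filetime_to_datetime(filetime).strftime("%Y-%m-%dT%H:%M:%S.000")


def iso_to_datetime(text: str) -> datetime:
    """Parse 'yyyy-MM-ddTHH:mm:ss' as UTC; used to build 'now' for the checks below."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def in_notification_set(pwd_last_set: int, now: datetime,
                        max_age_days: int = 60, warn_days: int = 5) -> bool:
    """Mirror the set criterion 'Password Last Set Date prior to N days ago'
    with N = max_age_days - warn_days (55 in the post)."""
    if pwd_last_set == 0:
        # the rules extension contributes nothing for 0, so the filter cannot match
        return False
    cutoff = now - timedelta(days=max_age_days - warn_days)
    return filetime_to_datetime(pwd_last_set) <= cutoff


def password_state(pwd_last_set: int, now: datetime,
                   max_age_days: int = 60, warn_days: int = 5) -> str:
    """Classify an account: must-change (pwdLastSet = 0), ok, expiring or expired."""
    if pwd_last_set == 0:
        return "must-change"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    if now >= expires_at:
        return "expired"
    if now >= expires_at - timedelta(days=warn_days):
        return "expiring"
    return "ok"


# Constructed sample: a pwdLastSet value of 2019-04-17 18:40:00 UTC
SAMPLE_PWD_LAST_SET = 132000000000000000

if __name__ == "__main__":
    print(filetime_to_portal_string(SAMPLE_PWD_LAST_SET))
    for stamp in ("2019-05-01T00:00:00", "2019-06-13T00:00:00", "2019-06-20T00:00:00"):
        now = iso_to_datetime(stamp)
        print(stamp, password_state(SAMPLE_PWD_LAST_SET, now),
              "in set" if in_notification_set(SAMPLE_PWD_LAST_SET, now) else "not in set")
```

Two things the example makes visible: an account with pwdLastSet = 0 never enters the set because no date is contributed, and the set criterion has no upper bound, so accounts whose password has already expired remain members. That is fine for a Transition In MPR, which fires only once when the account enters the set, but it matters if you later reuse the set for something that runs repeatedly.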


About the datetime data type in the FIM Portal: Contributing datetime values to the FIM Portal


Updating a server’s security group membership without rebooting

Published on Friday, October 8, 2010

At TEC I had a conversation with someone asking me how they could flush the Kerberos tickets of a computer account without rebooting. In the past they used a trick which launched a task in the Local System context and executed “klist -purge”, but that no longer seemed to work on 2008 (R2?).

There is actually something which is much easier: you can execute “klist -li 0x3e7” to target the logon session of the computer account.


And if you want to purge them, just execute “klist -li 0x3e7 purge”.


This will work on any system, client or server, regardless of the OS version. 0x3e7 is the logon ID which always points to the computer account (Local System) logon session. Using logonsessions.exe from the Sysinternals tools you can find out the IDs of other active sessions. You could use this to get the session ID of a service account and then retrieve its current Kerberos tickets. Cool eh! Besides using logonsessions.exe, you can also find these IDs in the Security event log.

Flushing the Kerberos tickets of a computer can be useful if you want to force the computer to have its latest group membership in its token. This way your newly configured GPOs (with security filtering based on a group) will be applied immediately (after running gpupdate).


Avoiding an AD schema extension: extensionAttributes1-15 a good choice?


This week I attended “Designing and Planning AD Schema Extensions”, a session given by Brian Desmond at TEC Europe. During the session someone in the audience gave the remark that besides the “physicalDeliveryOffice” and “drink” attributes, the extensionAttribute1-15 are also often used to store company data. These extensionAttributes are in fact contributed by a schema extension from Exchange. They are there to use, but some Exchange actions do impact the content of these attributes!

Below are some screenshots of the timestamps which show which attributes were touched after doing a certain action. In the first one I created a new user and, using ADUC, set a value for each extensionAttribute. The user was created at 15:52, the attributes were set at 15:55.


After using the Exchange 2010 Management Tools to create a mailbox for this user, the timestamps look like the screenshot below: you can see a lot of attributes got added at 15:58, but the extensionAttributes weren’t touched. So no problems so far.


After disabling the mailbox using the Exchange 2010 Management Tools, things look different: besides the expected Exchange related attributes, all of the extensionAttributes are also touched at the exact same time, 16:01. In fact, using ADUC you can verify that all extensionAttributes are empty.


This doesn’t have to be a problem, as long as you take it into account. Perhaps if you have FIM in your environment, things get automagically corrected afterwards. Perhaps emptying the attributes is part of your deprovisioning process anyhow. But on the other hand, this might also be the explanation why some users have lost the content of these attributes. Apart from the impact of Exchange, using the extensionAttributes is tricky anyway: you never know what third party application is going to store its data there. As Brian said during his session, don’t be afraid to extend the schema, just think it through and plan it thoroughly.


FIM SSPR Unlock Delegation UI Configuration

Published on Saturday, October 2, 2010

Whilst the SSPR Unlock Delegation configuration is explained quite accurately in the TechNet article I referenced in my previous post, the UI configuration is completely left aside. Out of the box the Helpdesk group in this scenario is not part of the Administrators set (why else would you delegate?), hence they don’t have the “Unlock Users” links. This post will explain how to create the necessary sets and Management Policy Rules (MPRs) so that people who are in the Helpdesk set can unlock users from SSPR.

  1. All UI elements, like Home Page Configurations and Navigation Bar Resources, can be combined in a set by adding a specific keyword to these resources. This keyword is called the “Usage Keyword”. Out of the box you have several UI resources. By adding your keyword of choice to a subset of these resources, you can create a dynamic set which contains exactly that subset.

    • Usage Keyword of choice: helpdeskUI

  2. Now it’s time to configure the necessary Home Page Configurations with the chosen Usage Keyword. In the Administration section of the portal you can find the Home Page Configurations section; for each of the configurations listed below, add the keyword helpdeskUI to the Usage Keyword (first tab of the properties).

    1. Administration
    2. Unlock Users
  3. The previous step will show the Unlock Users shortcut below Administration on the right hand side of the Portal homepage. If you want to add this shortcut to the navigation bar on the left side, follow these steps:

    1. Go to Administration
    2. Choose Navigation Bar Resources
    3. Click New to Create a new Navigation Bar Resource and use the following parameters:
      • Display Name: Unlock Users
      • Usage Keyword: helpdeskUI
      • Parent Order: 3 (So it’s shown below the Users Navigation resource)
      • Order: 4
      • Navigation Url: ~/IdentityManagement/aspx/authnadmin/AllAuthNUsers.aspx
      • Localization: if you got Language Packs installed, you can copy these values from the Home Page Configuration “Unlock Users”
  4. Create the necessary sets: to be able to see something in the portal, you have to be granted permissions to the UI elements. To be able to grant permissions, you need sets: one to define who you are granting permissions to, and one to define which resources the permissions will apply to.

    • Helpdesk
      • Manually managed, contains users which are part of the Helpdesk team
    • All Helpdesk Home Page Configurations
      • Criteria-based membership
      • All Home Page Configurations that match All of the following :
      • Usage Keyword contains helpdeskUI
    • All Helpdesk Navigation Bar Configurations
      • Criteria-based membership
      • All Navigation Bar Resources that match All of the following :
      • Usage Keyword contains helpdeskUI
    • All Helpdesk Configuration Objects:
      • Criteria-based membership
      • All Resources that match Any of the following:
      • Resource ID in All Helpdesk Home Page Configurations
      • Resource ID in All Helpdesk Navigation Bar Configurations
    • These sets are constructed just like the FIM out of the box UI sets for regular users:
  5. Now we have created the base elements for configuring the UI elements and the MPRs. Although the sets are populated, we still have to configure the actual granting of permissions:

    • Go to Management Policy Rules
    • Choose New and use the following parameters:
    • Type: Request
    • Specific Set of Requestors: Helpdesk
    • Operation: Read resource
    • Permissions: Grants permission
    • Target Resource Definition After Request: All Helpdesk Configuration Objects
    • Resource attributes: All attributes
  6. Execute IISRESET on your portal server

If we want to test the above scenario, all we have to do is add a user to the Helpdesk set. After logging on to the portal, this user will have the required UI elements to search for users and unlock them if necessary.