2010.11.16 02:50:04

FIM 2010 self service portal has its own Schema. FIM 2010 schema includes a Resource of type Group. FIM Group objects include several attributes. While some of these attributes are optional; others are mandatory. In my previous blog (Handling Mandatory Attributes), I provided a framework to address some of these attribute translation. In this post, I am going got focus on two Groups' attributes:  Type & Scope.  

In FIM 2010 Group's Type attribute identifies group type. A Group in FIM can have three types:  Security, MailEnabledSecurity, or Distribution. In Active Directory (AD) a Group can be either Security or Distribution Group. Security Groups in AD can have e-mail which provide a way for a third type (MailEnabledSecurity).

In FIM Group Scope attribute is a little bit tricky. While Security groups can have one of the followings three scopes: (Universal, Global, or Domain Local), Distribution's Groups can only be Universal. n addition, while FIM 2010 portal provides two string attributes (Scope and Type) to identify Groups, AD provide just one integer type attribute called groupType that reference group's type and scope.  

The table below shows all possible values for groupType and how they correspond to FIM Scope and Type attributes.
 

If your goal is to have two- way synchronization between FIM and AD, you need to provide continues translation between these attributes. There are several ways that you can achieve such translation. You can use the traditional MA extension code or FIM custom expressions. Regardless of the method you use, such translation must be done during both mapping for import and mapping for export operations.

If you want to use FIM custom expressions, below are the expressions you need to write for both flows:

       AD => FIM flow

ACtive Directory | MIIS | ILM | Group Management | FIM 2010 | FIM Group Management | FIM 2010 Service | FIM experts

2010.11.03 21:56:34

FIM 2010 self service portal has its own Schema. FIM 2010 schema includes a Resource of type Group. FIM Group objects include several attributes. While some of these attributes are optional; others are mandatory. You can use FIM advance search capability to have a list of Groups mandatory attributes.


Some of these mandatory attributes are automatically calculated such as the Created Time and the Resource Type. Others are required during group creation. When you create a group from within the FIM portal, Group creation wizard requires you to provide values for these attributes. In the other hand, if you are bringing already created groups to FIM portal, you will have to face the challenge of providing values for these mandatory attributes. Usually such mandatory attributes either does not exist or does not have a value where the group exist. So to further analyze the complexity of bringing Active Directory (AD) groups from AD to FIM portal, let's look at each one of these attributes and compare it against AD.

Created Time: This attribute will be calculated by FIM 2010 upon group creation and thus does not require you to do anything
Domain: Domain is a required attribute of string type. If you are dealing with a single domain you can enter this value as a constant value. For multiple domain scenarios, you need to innumerate existing Group DN to extract the Domain value and feed it during group account synchronization
Membership Add Workflow: this mandatory attribute in FIM controls the group behavior upon group membership adjustments. Acceptable values in FIM are:  Owner Approval, None, or Custom.
Membership Locked: this mandatory attribute in FIM identifies if the group is a manual group or a criteria based group.  Criteria based group is a dynamic group that its membership is calculated based on specific set of conditions.

The above three attributes: Domain, Membership Add Workflow, and Membership Locked are only attributes defined within FIM. AD does not have any corresponding attributes. Thus upon group creation you need to provide values for these attributes to prevent web service creation error. In many cases you only need to provide an initial value to allow changes to take place later.
Active Directory groups are always manual thus you should have default initial value for Membership Locked to False. As for Membership Add Workflow you can default to none or Owner Approval. Remember this is just an initial value as you may want to be allowing selective groups to adjust behavior and create criteria.
To accomplish such task, you will need to flag processed groups. The easiest way to provide such capability is through picking unused groups attribute and adds a predefined value as you process the group. For example you can use extensionAttribute1 and as you process the group add the value "FIM" into extensionAttribute1 thus allowing you to distinguish new groups from already processed group.

So your logic becomes something similar to:

If (extensionAttribute1 !="FIM")
{ } else [use direct mapping]   
 
Scope and Type attributes are handled in my next blog.

MembershipLocked | MembershipAddWorkflow | Creteria based group | Group Management | FIM 2010

2010.10.15 20:35:07

1. Dynamic group capability through a role based or business policies.
2. Self service request center that must contains at least
   • A dynamic way to map groups to something that an end user can relate to such as applications or access requests
   •  A flexible and reliable workflow engine
   • Dynamic proxy service where a user's managers, department's representatives, or help desk personnel can submit a request on user's behalf with a different set of policies
3. Provide policy conflict resolution: enterprises usually have different policies for different roles which can easily produce conflicts
4. Capability to mitigate or prevent user's mistakes
5. Address existing groups and provide a gradual way for migration and deployment

TEC 2010 | Dynamic Group | Group Management | ILM 2007 | FIM 2010

2010.02.11 02:51:52

FIM 2010 | Group Management

2010.01.05 19:07:36

In preparation for the Forefront Identity Manager (FIM) 2010 release in March 2010, Zeva Inc. in collaboration with Microsoft, is glad to offer you a free proof of concept (POC) workshop. We will start by conducting a twenty minute phone conversation to gather your requirements and expectations. This will help us build an environment that mimics yours and develop a customized solution that addresses your needs. After implementing the solution in our virtual lab, we will meet with you for about two hours to demonstrate our implementation. We can conduct the meeting face to face or over Live Meeting.

For more information or to request our free POC workshop, please visit our POC site located at http://www.zevainc.com/FIM2010 .


Issam Andoni, Chief Technology Architect

FIM 2010

2009.04.27 17:01:14

database | Best Match | compare protocol

2008.09.20 00:13:44

Schema | LDIFDE | ACtive Directory | AD | Custom Attribute

2008.09.12 23:24:41

1. Create an exact copy of production in an isolated environment
2. Maintain Active Directory (AD) accounts synchronization. Such synchronization ensures that any adjustments to source accounts (production) are replicated to destinations (development and testing). Synchronization Engine monitors the following types of accounts: Users, Groups, and Organization.
3. Ensure that adjustments to Group Policy Objects are replicated from source to destinations. This includes:
   1. Adding new Group Policy Object
   2. Changes in any GPOs settings
   3. Adjustments on the GPOs linkage
4. Ensure any security delegation flows from source to destinations
5. Ensure adjustments to domain SYSVOL flows from source to destination

dev environment | test environment | SYSVOL | syncronization | GPO | ILM

2008.09.05 18:47:16

KeyName: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
ValueName: EfsConfiguration
ValueType: REG_DWORD
Value: 0x00000000


Issam Andoni, Chief Technology Architect

 

Disable EFS | Enable EFS | Domain GPO

2008.09.03 00:02:46

1.	Click Start, click Run, type regedt32 or type regedit, and then click OK.
2.	In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server
3.	On the Edit menu, click Add Value.
4.	In the Data Type list, click DWORD.
5.	In the Value Name box, type Enabled, and then click OK. Note If this value is present, double-click the value to edit its current value.
6.	Type 00000000 in Binary Editor to set the value of the new key equal to "0".
7.	Click OK.

CVE-2004-0120 | SSL v2 | TLS | Windows

2008.08.29 23:59:20

SACL | DACL | SID | MIIS | ILM

2008.08.22 23:37:39

AD ForestPrep | Custom Attribute | ACtive Directory | LDIFDE

2008.08.20 22:26:37

I worked on an interesting project called Domain Isolation. In this forum, I will publish several posts. First I will provide a high level description for the objectives and design strategy. Then I will describe the issues we encountered throughout the project.

Project Background
The customer is a division of one of the largest US government agencies. Currently their network runs on the same WAN links as their parent agent. Their offices are located with their parent's agency and host up to a few thousand of users. They are spread all over the world with over a thousand offices. Since this division deals with sensitive data, the division runs routers/firewalls on every office no matter how big or small. As for their network, the division uses Microsoft Active Directory(AD) and would like to achieve AD domain isolation and eliminate internal routers/firewalls.

Design Strategy
With the Microsoft Windows operating system, you can logically isolate your domain to limit access to authenticated and authorized computers by using the IPsec protocol in transport mode to authenticate, sign, and optionally encrypt network connections.By using IPsec, a logical network can be created consisting of computers that share a common Windows-based security framework and a set of requirements for secure communication. Each computer, on the logically isolated network, provides authentication credentials to the other computers on the isolated network to prove its membership. Requests for communication that originate from computers that are not part of the isolated network are thus ignored. IPsec can use the computer account credentials in AD by using Kerberos protocol, digital certificates or both methods, in any order of precedence, to assert the identity of the computers in the solution. In CI case, the solution will use both digital certificates and Kerberos for IPsec authentication.

Windows-based network isolation occurs at the Network layer of the OSI model. Therefore, the isolated network can span hubs, switches, and routers across the physical and geographical boundaries of IRS/CI network. By leveraging the authentication features on Windows IPsec, an isolated network can be created that does not depend on a separate cabling system or on the features of your switching or routing fabric. Additionally, IPsec isolated networks do not require ongoing maintenance based on changes in network topology or computers moving to different switch ports. The result is an isolated network that leverages the existing Windows infrastructure with no additional costs associated with network reconfiguration or hardware upgrades.

The proposed solution consists of several components that work together to address domain isolation requirements. A list of Trusted Subnets that include all IP Subnets is defined as an un-enforced Subnets List. All traffic within the un-enforced Subnets List will not be encrypted and uses normal IP traffic. Any subnets that are not on the un-enforced list is part of the enforce list and thus requires IPSec communication. Any machine that is on the enforced subnets list must use IPSec protocol. All domain computers on the enforced Subnets list can use their Kerberos Tickets or their issued enterprise IPSec Digital Certificate to authenticate themselves and thus establish an encrypted IPSec security association with peers. Machines within the enforced Subnets list that fail to establish security association will not be allowed to communicate with any other domain computer.


Issam Andoni, Chief Technology Architect

Domain Isolation | IP Security protocol