1dent1ty cHa0s

Here's an easy one, not in the Pacific Time zone? Tired of seeing your requests in GMT –8?

How to Change the Default Portal Time Zone

1. From the Identity Management Home Page, click the link for Administration
2. From the Administration page, click the link for Portal Configuration
3. In the Portal Configuration dialog, click the Extended Attributes tab
4. Scroll down to the bottom to the Time Zone property – see figure below.
5. Click the Browse button

In RC1 there is no Search Scope (although you could create one, but that's another post) for Time Zone configuration objects, so you need to:

1. From the Select an Object browse dialog, click the Search within drop down and select All Resources
2. In the Search for text box, type in (GMT and then click the search button
3. Select the Time Zone object from the list and click OK

To complete the configuration you'll either need to wait for the cache to refresh or run an iisreset if you're impatient.

So, ran into several issues trying to get the Portal installed – keep in mind I'm exercising installation options that few use but ones I tend to prefer when deploying our solutions. Let's start with host headers.

Back in RC0 I posted a bug where the installer would fail if a host header was used in WSS. While it was closed "as fixed", it still seems to be an issue if you try and install the portal when the default site collection is running under a host header:

Taking a look at the installation log reveals what looks like hardcoded addresses still:

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CheckSharepointWebApporSiteExisting, location: C:\Users\bturner\AppData\Local\Temp\2\MSI3F65.tmp, command: action=IsDefaultWebApplicationOrSiteExisted absoluteURL="http://localhost"

 

MSI (c) (C4:E8) [15:19:58:400]: Product: Forefront Identity Manager Service and Portal -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action CheckSharepointWebApporSiteExisting, location: C:\Users\bturner\AppData\Local\Temp\2\MSI3F65.tmp, command: action=IsDefaultWebApplicationOrSiteExisted absoluteURL=http://localhost

I've done my best to override everything both in the GUI and using the MSI parameters so I know I'm not passing "localhost" anywhere. Backtracking further and removing all of the host headers I can get a bit further now but then run into this one next:

This appears to be linked to an inability to validate the FIM Service account during the installation, resetting the password seems to have resolved this issue for me. I was able to eventually complete the install, and like I said, I chalk much of this up to my incessant tinkering. There was one other error I'd like to see corrected where the installer detects that the WSP solution file has already been deployed and it instructs you to go remove it while it waits for you – not a great experience.

• RC1 - System.InvalidOperationException occurred in Microsoft.IdentityManagement.FindPrivateKey.exe [3124] – [Closed, as Fixed] this turned out to be a bug fixed post RC1, so while valid it's not entirely new you may still encounter this if you attempt to use your own certificates. For the time being, use the auto-generated certificate.
• RC1 - Service and Portal install does not allow for SQL Alias – [Closed, by design] this turned out to be a user configuration issue. Steps to use an SQL Alias on an x64 system are below.

How to Create a Named Pipes SQL Server Alias for use with FIM 2010

1. Open SQL Server Configuration Manager

1. Expand SQL Native Client 10.0 Configuration (32bit)
2. Select Client Protocols, right click and take the Properties

1. If Named Pipes is under the Disabled Protocols section, select Named Pipes and click the > button to move it over, and use the up arrow button to move it to the top; click OK to continue
2. Repeat these steps for SQL Native Client 10.0 Configuration
3. NOTE: "The SQL Native Client 10.0 Configuration" entry is the x64 client
4. Return to the SQL Native Client 10.0 Configuration (32bit), select Aliases, right click and select New Alias

1. Use the pull-down for Protocol to select Named Pipes, set the Alias Name to "fim", and the server to "." or "localhost" whichever you prefer; click OK to continue

1. Repeat these steps for SQL Native Client 10.0 Configuration

SELECT  login_name, program_name, host_name, auth_scheme, net_transport, net_packet_size

FROM sys.dm_exec_connections C INNER JOIN sys.dm_exec_sessions S

ON C.session_id=S.session_id

ORDER BY login_name, auth_scheme

I'm a stickler for installs and installation related issues, I will spend days working on it…this is day one.

FIM Synchronization Services Installation

No issues that I could see – everything seems to work like it did before and my RC0 install script worked.

FIM Service and Portal Installation

This is where I encountered my errors…but it starts out well enough. Let's start out with the good news first:

Love the fact that you can change the name, probably won't use it much myself, but customers are always asking for this. Also, note that you can re-use indicating an upgrade or re-install. I did expect to be able to specify a SQL Alias here; however, so I think I'm going to file this as a bug.

This interface needs some work, it would be better if it told you what was required on the certificate instead of having to select a certificate, and get an error after clicking Next.  From what I can tell you need a certificate with a valid Subject (not sure if it requires Subject Alternative Name) and the Server Authentication assertion (1.3.6.1.5.5.7.3.1), most commonly known as an SSL certificate.

In my case, I selected what I thought was a valid certificate but I did get an error later on into the installation that I think is because of this choice.

Very cool – offer the installer the ability to fix this during the install, excellent work! Now for the bad news…

• Sync Service still supports installation against a SQL Alias (to force Named Pipes access for instance) but the Services and Portal installation does not
• Questionable whether or not selecting an issued certificate works or not – I got the following error later on during the installation which invoked the JIT debugger:

System.InvalidOperationException occurred in Microsoft.IdentityManagement.FindPrivateKey.exe [3124]

• Still indications from my install logs that the installer is not so good about handling existing WSP solutions in SharePoint and recovering from them – these are difficult to clean up I admit

More later once I confirm the certificate issue and reinstall SharePoint on my test server.

The 3.3.1118.02 build is available; however, there is a caveat for those of you that have not kept current or are not at build 1087 or better.  Pre-1087 you will need to do full uninstall and then download and install the 3.3.1087.2 slipstreamed build before you can apply later patches. This has to do with an invalid system file that was in the original FP1 build (3.3.0118.2). You can get the 1087 build by calling the support line:

http://support.microsoft.com/contactus/?ws=support

This build has fixes for both the Certificate and Synchronization components. If you find the following error while attempting to patch your installation:

Error 25009.The Microsoft Identity Integration Server FP1 setup wizard cannot configure the specified database. Invalid object name 'mms_management_agent'. A required privilege is not held by the client.

…then see the following earlier post on how to fix this:

Issues with SQL Server in a Windows 2008 Domain

The link to hotfix is here:

A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

When:
Wednesday, October 14, 2009
10:30 to 11:30 (PST)
12:30 to 1:30 (CST)
1:30 to 2:30 (EST)

Where:
Web/Online
Live Meeting Information
will be sent to attendees

Presenters:
David Lundell, Identity Management
Practice Leader, Ensynch

Jonathan Sander
IAM and Security Analyst
Quest Software

Webinar: Accelerate Your Businesses for the Future with Microsoft Geneva (ADFS) and the Cloud
Has your organization been considering moving applications to the cloud or using Software as a Service (SaaS) providers? Have you already done it? Have you realized the cost savings?

Have you encountered the difficulties in managing the identities and passwords across the various identities?

Using Microsoft Geneva (ADFS) and Quest Java SSO, and Quest inTrust, you can lower the cost of moving applications to the cloud and to SaaS, which can remove a big hurdle to a key strategic initiative.

I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the final part in a Identity Management Webinar Series from Ensynch's Identity Management Practice Director, Frequent Industry Speaker, and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander. (Previous webinars are available for download here)

This webinar is designed for business leaders, and will present discuss the business value of Microsoft Geneva and the Cloud. Whether identity management within the Cloud and SaaS is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you.
Webinar Agenda:
- The Cloud’s little secret: Multiplying identity stores

- High level discussion of The Cloud (Azure, Amazon, SaaS, etc)

- High Level discussion of Geneva (ADFS, WIF)

- The Value of the Cloud

- The hidden Costs of the Cloud

- How Geneva(ADFS) helps lower the cost of the Cloud

- Gaps of the Cloud

- Possible Solutions

- Gaps of Geneva with the cloud

- Possible Solutions from Quest

[Register Now]

It looks like our Portals and Collaboration (SharePoint) practice is booming and looking for new talent:

Ensynch’s SharePoint business has been booming recently and as such, we are in need of additional highly skilled SharePoint talent. We are looking for folks that have skills in look & feel, infrastructure architecture & design, web part and custom development, etc.

If you think you have what it takes drop me a line and I'll direct you to the people you'll need to talk to. At least one of our top guys is speaking with us on the SharePoint track next year at TEC 2010 as well as delivering a session with our own Chris Calderon entitled "Federated SSO Solutions Using SharePoint 2010".