Wednesday, March 31, 2010

FIM 2010 – Registering FIMAutomation class on another system

So, you want to run FIM 2010 PowerShell cmdlets from another console? Here is what you need to do in order to register the FIMAutomation class.
  • Copy the FIM binaries to a local drive – if you attempt this from a mapped drive you will receive the following error, because the CLR will not grant an assembly loaded from a network location the full-trust permissions it asks for:
Exception occurred while initializing the installation:
System.IO.FileLoadException: Could not load file or assembly 'Microsoft.ResourceManagement.Automation, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417).
  • Open your PSH prompt (elevated, since installutil writes the snap-in registration under HKLM) and change to the directory holding the FIM binaries, then run the installutil that matches your platform. On 64-bit Windows:

set-alias installutil $env:windir\Microsoft.NET\Framework64\v2.0.50727\installutil
installutil .\Microsoft.ResourceManagement.Automation.dll

On 32-bit Windows (or to register for 32-bit PowerShell sessions on a 64-bit host):

set-alias installutil $env:windir\Microsoft.NET\Framework\v2.0.50727\installutil
installutil .\Microsoft.ResourceManagement.Automation.dll

  • Verify that the snap-in is now registered:

get-PSsnapin -registered

At this point you should be able to add the FIMAutomation snap-in and execute your scripts!
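Putting the steps above together, as an added example that is not from the original post: the script below checks the two things that usually make the registration fail (a non-elevated prompt and binaries sitting on a mapped or UNC drive), picks the installutil matching the bitness of the running PowerShell process, registers the assembly and then loads the snap-in. The binary location C:\FIMBin is an assumption; point it at wherever you copied the files.

```powershell
# Added example (not from the original post): register and load the FIMAutomation snap-in.
param(
    # Assumed location of the copied FIM binaries; adjust to where you copied them.
    [string]$BinPath = 'C:\FIMBin'
)

$dll = Join-Path $BinPath 'Microsoft.ResourceManagement.Automation.dll'
if (-not (Test-Path $dll)) { throw "Assembly not found: $dll" }

# 1. installutil writes the snap-in registration under HKLM, so the prompt must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 2. The assembly must live on a local disk: from a UNC or mapped drive the CLR refuses
#    to grant it the permissions it requests and installutil fails with the
#    FileLoadException quoted in the post.
if (([uri]$dll).IsUnc) { throw "Copy the binaries to a local drive first: $dll" }
$drive = New-Object System.IO.DriveInfo -ArgumentList ((Split-Path -Qualifier $dll) + '\')
if ($drive.DriveType -eq [System.IO.DriveType]::Network) {
    throw "Drive $($drive.Name) is a mapped network drive; copy the binaries locally."
}

# 3. Use the installutil matching this process: a 64-bit PowerShell reads the 64-bit
#    registry view, a 32-bit one the WOW6432Node view, and each installutil writes
#    only to its own view (which is why the post shows both commands).
$fx = if ([IntPtr]::Size -eq 8) { 'Framework64' } else { 'Framework' }
$installUtil = Join-Path $env:windir "Microsoft.NET\$fx\v2.0.50727\installutil.exe"
if (-not (Test-Path $installUtil)) { throw "installutil not found: $installUtil" }

& $installUtil $dll
if ($LASTEXITCODE -ne 0) { throw "installutil failed with exit code $LASTEXITCODE" }

# 4. Confirm the registration, load the snap-in and list the cmdlets it provides.
$snapin = Get-PSSnapin -Registered | Where-Object { $_.Name -eq 'FIMAutomation' }
if (-not $snapin) { throw 'FIMAutomation is not registered; check the installutil output.' }
Add-PSSnapin FIMAutomation
Get-Command -PSSnapin FIMAutomation | Select-Object Name
```

Run it once per bitness you intend to script from; on a 64-bit host that means once from the 64-bit console and, if you also use 32-bit PowerShell, once from the (x86) console.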

Sunday, March 28, 2010

FIM 2010 – Using PowerShell to Fix an ObjectSID on a Portal object

My PowerShell script to fix the ObjectSID on an account in the portal has been posted to the FIM ScriptBox:

There are all sorts of scenarios where I've seen people hobble their implementation and the ObjectSID gets recalled from the Built-In Synchronization Account. Also, in cases where you are using custom workflows you will need to have the credentials for your web service account in the portal and in some cases you may not want to be "managing" your service accounts in the portal. In any case, having a way to hack the ObjectSID back into the portal object is a real lifesaver. In order for most authentication scenarios to succeed against the portal you need to have the object populated with the ObjectSID of the account in AD. During the Authentication process, the FIM Service queries the database for an account with a matching ObjectSID to the person attempting to authenticate through IIS. In other cases, you still need a matching AccountName and Domain value, but to be safe all authenticating accounts should have all three values populated to function in all scenarios.

Clever scripters will be able to modify this script to set any single value on any portal object. Thanks to Joe Schulman and Markus Vilcinskas for prior examples.
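The ScriptBox script itself is not reproduced here. The following is an added example, not the author's script, showing one way to do the same job with the FIMAutomation cmdlets: resolve the account's SID from AD, encode it as the base64 string the FIM Service stores for binary attributes, and replace the single ObjectSID attribute on the matching Person object. It assumes the snap-in is registered, that the FIM Service answers at the default http://localhost:5725/ResourceManagementService endpoint, and that the caller is permitted to modify Person objects.

```powershell
# Added example (not the FIM ScriptBox script): stamp the AD ObjectSID onto a portal Person.
param(
    [Parameter(Mandatory=$true)][string]$AccountName,   # sAMAccountName, same value as the portal AccountName
    [Parameter(Mandatory=$true)][string]$Domain,        # NetBIOS domain, same value as the portal Domain attribute
    [string]$Uri = 'http://localhost:5725/ResourceManagementService'  # assumed FIM Service endpoint
)

if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) { Add-PSSnapin FIMAutomation }

# 1. Resolve the SID from AD and encode it the way FIM stores binary attributes (base64).
$nt  = New-Object System.Security.Principal.NTAccount($Domain, $AccountName)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
$raw = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($raw, 0)
$sidBase64 = [Convert]::ToBase64String($raw)

# 2. Find exactly one matching Person. Refuse to continue on 0 or more than 1 hit, because
#    writing a SID onto the wrong object binds that object to the wrong Windows principal
#    (the FIM Service authenticates by matching ObjectSID, as the post explains).
$filter = "/Person[AccountName='$AccountName' and Domain='$Domain']"
$hits = @(Export-FIMConfig -Uri $Uri -CustomConfig $filter -OnlyBaseResources)
if ($hits.Count -ne 1) { throw "Expected exactly 1 Person for $Domain\$AccountName, found $($hits.Count)" }
$objectId = $hits[0].ResourceManagementObject.ObjectIdentifier

# 3. Build a Put request that replaces just the ObjectSID attribute.
$change = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
$change.Operation      = 'Replace'
$change.AttributeName  = 'ObjectSID'
$change.AttributeValue = $sidBase64
$change.FullyResolved  = $true
$change.Locale         = 'Invariant'

$obj = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
$obj.ObjectType             = 'Person'
$obj.TargetObjectIdentifier = $objectId
$obj.SourceObjectIdentifier = $objectId
$obj.State                  = 'Put'
$obj.Changes                = @($change)

$obj | Import-FIMConfig -Uri $Uri

# 4. Read the object back and compare, so a request that was rejected by an MPR or
#    workflow is noticed here instead of during the next failed logon.
$after  = Export-FIMConfig -Uri $Uri -CustomConfig $filter -OnlyBaseResources
$stored = ($after.ResourceManagementObject.ResourceManagementAttributes |
           Where-Object { $_.AttributeName -eq 'ObjectSID' }).Value
if ($stored -ne $sidBase64) { throw 'ObjectSID was not updated; check the request history in the portal.' }
"ObjectSID set for $Domain\$AccountName ($($sid.Value))"
```

Changing AttributeName (and, for non-binary attributes, dropping the base64 step) turns this into the general single-attribute setter the post alludes to; the exact-match check in step 2 is the part worth keeping in any such variant.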

Be sure to check out the other excellent scripts in the FIM ScriptBox!

Monday, March 22, 2010

TEC 2010 – Ensynch Discount

Still haven't registered for TEC 2010 this year? As a Gold sponsor we can pass along a discount when you register:

TEC 2010 Registration By Code

When prompted, enter the following code:


See you in Los Angeles!

Thursday, March 11, 2010

FIM 2010 – Email Notifications without Exchange 2007

FIM has some excellent integration with Office and Exchange 2007 that can really elevate your ROI story in large organizations, but not everyone out there is on Exchange or Exchange 2007. For those customers still on Exchange 2003 or a competing platform, I'm going to show you how to still take advantage of the notification capabilities of FIM 2010 with any old SMTP platform.

Without Exchange 2007, the approval and notification features are:

  • Approvals can be sent and received in any email client, but not approved within Outlook, even if you have Outlook 2007; you require both Outlook 2007 and Exchange 2007 for the entire process to work. The experience here will direct the recipient to go to the portal and complete the approval or rejection process.
  • The FIM Outlook 2007 plug-ins for Group Self-service will not function without Exchange 2007.
  • Notifications can always be sent regardless of email system. Notifications are "fire and forget" and do not require FIM to monitor for replies.

There are four keys I'd like to draw your attention to in the Microsoft.ResourceManagement.Service.exe.config file that define each instance of your FIM Service:

  • mailServer – you have two options here:
    • Exchange 2007 – the http path to the Exchange web services
    • Exchange 2003/Other SMTP – the SMTP server address
  • isExchange – set this to 1 only when mailServer points at Exchange 2007; leave it at 0 for anything else, including Exchange 2003
  • sendAsAddress – the SMTP-formatted address you are sending from; it must correspond to the address assigned to your FIM WS account
  • synchronizationServerName – no effect on mail delivery, but this has to be set to the server or virtual server (in the case of a cluster configuration) your sync service is installed on

Below are typical values for a non-Exchange 2007 environment:

<add key="mailServer" value="" />
<add key="isExchange" value="0" />
<add key="sendAsAddress" value="" />
<add key="synchronizationServerName" value="syncserver" />
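As an added example (not from the original post), here is a small PowerShell check of those four keys that you can run against Microsoft.ResourceManagement.Service.exe.config before restarting the FIM Service, plus a plain TCP reachability test of the SMTP host. It assumes the keys are stored as <add key="..." value="..." /> elements (it searches the whole file for them) and that the config lives under the default FIM install path; the two sample configs are constructed for the demonstration.

```powershell
# Added example (not from the original post): sanity-check the FIM Service mail settings.
function Test-FimMailConfig {
    param([Parameter(Mandatory=$true)][xml]$Config)

    # Collect the four keys the post describes, wherever they sit in the file.
    $keys = @{}
    foreach ($name in 'mailServer', 'isExchange', 'sendAsAddress', 'synchronizationServerName') {
        $node = $Config.SelectSingleNode("//add[@key='$name']")
        $keys[$name] = if ($node) { $node.value } else { $null }
    }
    $findings = @()

    if (-not $keys.mailServer) { $findings += 'mailServer is empty; no notifications will be delivered.' }
    if (@('0', '1') -notcontains $keys.isExchange) { $findings += "isExchange must be 0 or 1, found '$($keys.isExchange)'." }

    # isExchange=1 means an Exchange Web Services URL; anything else (Exchange 2003 included) is a plain SMTP host.
    $isEws = $keys.mailServer -match '^https?://'
    if ($keys.isExchange -eq '1' -and -not $isEws) {
        $findings += "isExchange=1 but mailServer '$($keys.mailServer)' is not an EWS URL; use 0 for Exchange 2003 or any other SMTP host."
    }
    if ($keys.isExchange -eq '0' -and $isEws) {
        $findings += "isExchange=0 but mailServer looks like an EWS URL; give the SMTP server name instead."
    }

    # sendAsAddress has to be SMTP-formatted; MailAddress throws on anything else (including empty).
    try { $null = New-Object System.Net.Mail.MailAddress($keys.sendAsAddress) }
    catch { $findings += "sendAsAddress '$($keys.sendAsAddress)' is not an SMTP-formatted address." }

    if (-not $keys.synchronizationServerName) { $findings += 'synchronizationServerName is empty.' }

    New-Object PSObject -Property @{ Keys = $keys; Findings = $findings }
}

# Plain TCP check that the FIM Service host can reach the SMTP listener at all.
function Test-SmtpReachable {
    param([Parameter(Mandatory=$true)][string]$Server, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port); $true } catch { $false } finally { $client.Close() }
}

# Constructed sample: the non-Exchange 2007 layout from the post, with placeholder values.
$good = [xml]@"
<configuration><appSettings>
  <add key="mailServer" value="smtp.example.internal" />
  <add key="isExchange" value="0" />
  <add key="sendAsAddress" value="fimservice@example.internal" />
  <add key="synchronizationServerName" value="syncserver" />
</appSettings></configuration>
"@

# Constructed sample: the mistake the post warns about, isExchange=1 against an Exchange 2003 host.
$bad = [xml]@"
<configuration><appSettings>
  <add key="mailServer" value="mail03.example.internal" />
  <add key="isExchange" value="1" />
  <add key="sendAsAddress" value="fimservice" />
  <add key="synchronizationServerName" value="" />
</appSettings></configuration>
"@

(Test-FimMailConfig $good).Findings   # no findings expected
(Test-FimMailConfig $bad).Findings    # isExchange, sendAsAddress and synchronizationServerName findings

# Against a live server (assumed default install path) and a live relay:
# $cfg = [xml](Get-Content 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config')
# $result = Test-FimMailConfig $cfg; $result.Findings
# if ($result.Keys.isExchange -eq '0') { Test-SmtpReachable $result.Keys.mailServer }
```

Run the reachability test on the FIM Service box itself, as the FIM Service account if you can: the relay's accept rules apply to that host and identity, not to your workstation.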

Wednesday, March 10, 2010

Matias Woloski’s Blog » Claims-based Identity and Access Control Guide RTM!


Echoing Laura Hunter's comment here – awesome, get it!


Thursday, March 04, 2010

Ensynch Sponsors and Speaks at TEC 2010

I've been remiss in talking about TEC this year, but I'm happy to say that we're completing several FIM 2010 TAP engagements and starting a few more new FIM projects, so it's a busy quarter for sure. Ensynch is sponsoring the TEC 2010 conference for the 2nd year now and we have three new speakers to introduce as well:


Jeff Holliday
Solutions Architect, Ensynch

Jeff Holliday is the Solutions Architect for Ensynch and their SharePoint Consulting Practice. He oversees the technical solution designs for all SharePoint projects and managed Ensynch’s participation in the SharePoint 2010 Partner Technical Preview Program. He currently focuses on architecture design, branding customization, business process automation and web part development. Holliday has designed, built and deployed everything from single server, single site SharePoint installations to multi-continent/multi-farm global infrastructures.

Jeff and Chris Calderon are presenting a combined session:

Federated SSO Solutions Using SharePoint 2010
Chris Calderon and Jeff Holliday

In the world of on premise and hosted “cloud based” solutions, how can you best simplify your coexistence strategy? Attend this session presented by Ensynch’s Identity Management and SharePoint teams to see how the combined knowledge of each practice helped shape one of the most robust methods for you to enable Single Sign On for your on premise and cloud based apps.


Joe Zamora 
Senior Consultant, Ensynch

Joe Zamora is a senior consultant in the Identity Management practice at Ensynch. Joe has 10 years experience in development, is the author of the CShark blog: http://c–, and has published several projects on Codeplex for the FIM 2010 community.

Custom Workflow Development in FIM 2010
Joe Zamora

Get an in-depth look at the extensibility of Forefront Identity Manager 2010 through the use of custom workflow development. Although FIM 2010 includes a new “codeless provisioning” feature set, you’ll find that you can’t quite satisfy all real-world business requirements with codeless provisioning. Learn how to tap into the power of FIM’s new request framework that’s built on Windows Workflow Foundation. Overcome the first hurdle of custom development by demystifying the process and discovering what resources are available. Learn the tools of the trade, ins and outs, gotchas, and hidden gems of workflow development. Finally, bring it all together with a demonstration of a custom workflow that’s already available to the community.


Justin Hiedeman
MCITP Enterprise Messaging Administrator, Ensynch

Justin Hiedeman, MCITP Enterprise Messaging Administrator, has been working with Microsoft Exchange for nearly 10 years. The past two and a half years have been spent as a senior consultant with Ensynch Incorporated designing and implementing Unified Communications solutions for customers across the Southwest. His certifications include: MCSE, MCITP: Enterprise Messaging Administrator and MCTS: Office Communications Server 2007 – UC Voice (Ensynch is also a select Microsoft UC Voice partner). As a Solutions Architect for Ensynch he has designed and led numerous Exchange migration/implementations from Groupwise, Lotus and Exchange, to Exchange/Exchange Online projects.

Exchange 2010 Migration to Microsoft Exchange Online: Hands-on Workshop
Justin Hiedeman

Microsoft Exchange 2010 is available both as on-premise software and as a hosted service, and you can now choose the right deployment option for your organization, whether you deploy Exchange Server on-premises, host your mailboxes with Exchange Online, or combine these two options in a hybrid deployment.

In this hands-on lab, you will configure an on premise Exchange Server 2010 environment for a mock enterprise. An existing Exchange Server 2007 environment will also be part of the lab from which we will migrate users to on premise Exchange 2010 servers as well as to Exchange Online. Administrators will experience the integration and complexities of managing on premise users and cloud users from the same tools. Lastly, administrators will learn the basics of managing users in a mixed on-premise/online-cloud environment.

David Lundell, Chris Calderon and myself will also be returning, so look for us there and be sure to check out our sessions! If you're attending the pre-conference training, be sure to check out Justin's Exchange 2010 workshop.

Tuesday, March 02, 2010

FIM 2010 Released To Manufacturing

It's finally here, FIM 2010 has been released to manufacturing and is now available to TAP and RDP customers while media will likely be available by the April timeframe. You can download the evaluation version here now:

The official announcement was made today at the 2010 RSA Conference in San Francisco during Scott Charney's keynote. I would also encourage you to sign-up for the upcoming TechNet webcasts on FIM.


What is now known as FIM 2010 had a long and challenging path to RTM. It started in concept as the successor to MIIS, codenamed Gemini, originally scheduled to ship in the "Longhorn" wave and focused on process integration services: rich workflow, centralized auditing and reporting, codeless provisioning, self-entitlement management and a self-service platform. This was the first time we saw the possibility of adding declarative provisioning, self-service password reset or workflow to the product, but these things were on the drawing board as early as 2005. Later on, the efforts were crystallized under the Raven concept, which emphasized self-service, but both this and the Gemini name were eventually dropped for ILM "2" after MIIS was rebranded as Identity Lifecycle Manager 2007.

By the time the 2006 Directory Experts Conference had rolled around, the concepts had begun to take shape and for the first time I was treated to an architectural futures deck presented by Bobby Gill. Many of the key items conceptualized back in 2005 and 2006 are present in FIM 2010. While auditing features were cut, the plumbing is present in FIM, allowing Microsoft partners, ISVs and future efforts to begin taking advantage of the request and ERE/DRE data present in the system.

When the delay to ship ILM "2" until Q1 2010 was announced at the 2009 TEC Conference, it really hit hard but was ultimately the right decision. The delay gave the product group an entire year to nail down some challenging performance goals and opened up a wealth of opportunities for valuable feedback. Feedback from the TAP and RDP-Lite programs essentially allowed companies to deploy early on RC bits in order to test core functionality and yet delay official licensing until after the product RTM'd. All of the RC participants helped to make the FIM RTM a solid release.

So, for extra credit, who can tell me what the original acronym and term was for the engine theme inspired group management system? It later evolved into what we now know of as the Set->MPR->WF processing engine.
