Tuesday, August 6, 2013

Introduction to Identity Management and Forefront Identity Manager 2010 R2 SP1

This article provides you with a foundation on which to understand the importance of identity management and begins to introduce you to FIM 2010 R2 SP1.

Even in 2013, many organizations continue to struggle with ongoing identity management needs. If you’re unfamiliar with the term, identity management in the world of IT refers to the “management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.” In layman’s terms, identity management is the overarching process by which organizations answer the following questions:
  • Who? Who is allowed to access particular systems or services in the organization?
  • What? What level of access is allowed to individual systems and services?
  • How? By what methods is a user allowed to access these systems and services?
For many, identity management simply boils down to user account creation and password management. While these are important aspects of the service, they are only one element of identity management. A comprehensive identity management solution should be able to do much more, including:
  • Automatic creation of a user’s Active Directory account based on information gleaned from a database considered an authoritative source. In many cases, this is the human resources or payroll database.
  • Automatic creation of a user’s Exchange or Office 365 mailbox.
  • Automatic creation of a user’s home directory on a file server.
  • Automatic inclusion of a user’s account in any security groups that are appropriate for his job. Again, whether or not access to a particular group is appropriate would be dictated by information in the authoritative source database.
  • Self-service management of a user’s password. A user should be able to reset his password on demand and be provided with a mechanism by which to reset his password in the event that it is forgotten.
Note that everything in the list above implies that IT takes a mostly hands-off stance with regard to ongoing identity management. Since this activity can fully consume people, particularly in organizations that see a lot of turnover, automation and self-service shift the burden of the process away from personnel and turn it into just another IT service. Personally, I see identity management in many organizations as “low hanging fruit” that can save IT a lot of time and help the department focus more on bottom line-driven needs.
Moreover, robust identity management provides organizations with an additional layer of security. For example, IT may not be informed right away that a high level person has been fired, but you can bet that payroll has been notified. A rule could be created to deactivate an account when payroll performs a termination action in their system. This can help the organization ensure that only those that are authorized have access to the system.
Identity management can also become a compliance issue, particularly if it’s done poorly.
There are many, many ways to attack the identity management gorilla, but I’ll be focused in this series on Microsoft Forefront Identity Manager 2010 R2 SP1. With this product, administrators overseeing Microsoft-centric environments can automate and distribute significant identity and rights-related tasks. With FIM, for example, an administrator can automate the provisioning of an Active Directory account and distribute to an administrative assistant the ability to manage the permissions in distribution and security groups in that person’s division.
That’s another way by which IT can return to the users some carefully controlled keys to the kingdom, thus further reducing IT’s need to be involved in every account-related activity in the organization. With a fully realized identity management solution, IT’s involvement moves to one of oversight and exception handling only. IT still retains responsibility for the automated systems, but is able to easily delegate some of the operational tasks.
Before I jump into Forefront, it’s important that you understand some prerequisites that must be in place before you embark on identity management in your organization:
  • You must have a rock solid understanding of the workflow that is involved in creating accounts in your organization, right down to the field level. You can’t automate what you don’t understand.
  • You must understand what triggers various activities in the identity lifecycle. For example, what action initiates the creation of a new credential in a particular system? What actions deactivate a particular access level or credential?
  • You must have a complete systems inventory and an understanding of the authentication mechanisms for each.
  • Your “authoritative systems” must be clean. For example, if you intend to use the Human Resources system as the source repository for employee identity, you must ensure that the data in the system is valid and complete. For example, are you capturing the name of a new employee’s manager? If not, you’re eliminating FIM’s ability to automatically email new user credentials to a new hire’s supervisor.
Once you understand your organization’s existing landscape, you can start doing some terraforming with Forefront Identity Manager.

Feature set

Forefront Identity Manager 2010 R2 brings to IT a host of features that can ease the identity management burden. I won’t say that getting to a fully realized identity management system is an easy undertaking; it isn’t. However, once an organization commits to it and sees it through, the product’s features show a clear benefit.

Self-service portal

An identity management system isn’t complete unless a user can perform some self-service functions on his own. Again, this helps IT focus on what’s important rather than on the mundane. FIM 2010 R2 brings such a portal, which is based on SharePoint. Included in the portal is the ability to:
  • Manage personal information.
  • Manage group memberships.
  • Manage passwords, including self-service password reset.
FIM’s self-service password reset capability is quite good. It works by requiring that a user first register with the password reset service. Just like you do with your bank, you’re asked a series of personal questions and your answers are stored in a database. If you happen to forget your password, you can browse to a web site to reset it or, if you’re not able to log in to your machine, you can take advantage of FIM’s ability to integrate with the Windows login screen, as shown below. When you click the Reset Password link, you’re provided just enough of a computing environment to reset your password after which you can log in as normal.
Figure 1: FIM integrates with the Windows login screen
Some help desks spend more than half of their time managing user password issues. What if that particular class of call went away or, at the very least, was reduced to a trickle? That can mean vast savings for the IT department and the ability to redirect staff resources to higher-priority projects.
With FIM, you can grant users as many or as few of the rights that I’ve described above, using FIM’s built-in capability to granularly manage roles and role assignments.
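The register-then-reset pattern described above stands or falls on how the security answers are stored and checked. The following is an added illustration written for this article (not FIM's own code, which keeps its answer data in its own database): answers are normalized so that capitalization and punctuation don't lock users out, only salted PBKDF2 hashes are stored, a quorum of answers must match, every answer is checked in constant time, and repeated failures lock the registration. The question ids and sample answers are constructed.

```python
"""Security-question registration and verification for a self-service password
reset flow. Added example, not FIM code: it shows the defensive handling any
such answer store should apply."""
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 5   # lock the registration after this many bad attempts
REQUIRED_CORRECT = 2      # quorum of answers that must match (e.g. 2 of 3)


def normalize(answer: str) -> str:
    """Fold case, accents, punctuation and whitespace so that 'Mr. Whiskers '
    and 'mr whiskers' compare equal; only the normalized form is hashed."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Registration:
    """What the reset service persists per user: a per-answer salt and hash
    keyed by question id. The cleartext answers are never stored."""
    records: dict = field(default_factory=dict)   # question id -> (salt, hash)
    failed_attempts: int = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS


def register(answers: dict) -> Registration:
    """Registration step: the user answers each question once."""
    reg = Registration()
    for qid, answer in answers.items():
        if len(normalize(answer)) < 3:
            raise ValueError(f"answer to {qid} is too short to be useful")
        salt = secrets.token_bytes(16)
        reg.records[qid] = (salt, hash_answer(answer, salt))
    return reg


def verify(reg: Registration, answers: dict) -> bool:
    """Reset step: True only if the quorum of answers matches. Every registered
    question is checked (no early exit, so timing does not reveal which answer
    failed) and failures are counted so that guessing is bounded."""
    if reg.locked:
        return False
    correct = 0
    for qid, (salt, stored) in reg.records.items():
        supplied = answers.get(qid, "")
        if hmac.compare_digest(hash_answer(supplied, salt), stored):
            correct += 1
    if correct >= REQUIRED_CORRECT:
        reg.failed_attempts = 0
        return True
    reg.failed_attempts += 1
    return False
```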

Codeless user management

For relatively straightforward deployments, FIM 2010 includes the ability to provision and deprovision users without having to write a bunch of code. Of course, this isn’t supported in every scenario, but it is supported for such items as Active Directory and can make the product a bit easier to deploy.

Ongoing data synchronization

Organizations are not static creations. They change every day. People change, departments change and even whole companies change. With FIM, if you make a change to authoritative data, you can configure the product to automatically reflect that change across all systems. For example, if you change the name of a department, any users in that department can have their Active Directory accounts updated to reflect the change.

Workflow

While automation is wonderful, sometimes a human has to be involved for approvals. For example, if a user makes an attempt to use the self-service portal to change their nickname, HR can create a policy that forbids that change without HR’s approval.


Summary

This article provided you with a foundation on which to understand the importance of identity management and began to introduce you to FIM 2010 R2 SP1. In the next part of this series, we will continue exploring the product.

+++++++++++++++++++++

(Part 2)

+++++++++++++++++++++


In this part of this series, I will introduce to you Microsoft’s answer to identity management.



Introduction

When we last met, we had just wrapped up a 1,300-word discussion regarding the importance of identity management in the enterprise and outlined some of its benefits. We also discussed some foundational items you need to consider before embarking on an identity management journey in your organization. In this part of this series, I will introduce to you Microsoft’s answer to identity management. Entitled Forefront Identity Manager 2010 R2, Microsoft’s product provides organizations with a comprehensive set of identity management features.

Buying FIM 2010 R2

Before we jump into the product feature set, let’s take a look at how it’s licensed. As is usually the case with Microsoft products, licensing for FIM 2010 R2 is messy and complex.

Servers

First of all, for each server to which you deploy a FIM component, you must buy a server license to run the software.

Database

FIM requires a SQL Server database to operate. Frankly, I’m stunned that Microsoft doesn’t grant a runtime instance of SQL for FIM, but according to the full licensing document, FIM implementers must also buy a SQL Server license.

Users

For each user that you manage through FIM, you need a Windows Server Client Access License (CAL). If you’re a Microsoft shop, you probably already have these licenses.
Additionally, for each user that you manage through FIM, a FIM CAL is also required. Administrators that manage users through FIM also require a CAL.
If you have external users that you need to include in your FIM environment, you also need an external connector license as well as a CAL for each external user.

Reporting

FIM 2010 R2 leverages the reporting functionality from System Center Service Manager. With the purchase of FIM, you are granted an SCSM license designed strictly to enable reporting.

FIM 2010 R2 components

In small environments, you might deploy most of the FIM environment to a single server, but as the environment grows, you will probably find it easier to deploy FIM to multiple servers. This allows you to more easily grow those aspects of the environment that experience the most usage. Table 1 below describes FIM’s major components.
  • FIM Synchronization Service. The synchronization service is one of FIM’s core services. It handles “metaverse”-wide synchronization of identities between data sources. This service creates and maintains identities in other systems.
  • FIM Service. The FIM service is a web service component that provides connecting functionality behind the scenes in FIM.
  • FIM Portal. The FIM portal is a user- and administrator-facing component that exposes much of FIM’s functionality to users, including password reset capability, group management tasks, and administrative options. The portal runs on SharePoint.
  • FIM Certificate Management. The certificate management component is generally used in conjunction with smart cards and isn’t deeply integrated into the rest of the suite. Many FIM deployments don’t even include this component.
  • FIM Reporting. FIM leverages System Center Service Manager’s reporting engine. Reporting in FIM is handled through this special SCSM service. Users of FIM are granted a runtime license for SCSM’s reporting component to enable this functionality.
  • FIM Password Registration Portal. One of FIM’s best features is the ability to provide users with the ability to establish security questions and answers that they can use to reset their passwords on their own in the event that they’re forgotten.
  • FIM Password Reset Portal. Once a user establishes security questions, if he forgets his password, he can visit the password reset portal and reset it without having to contact the IT help desk. In R2, the password reset portal is fully web based, so it can be used across any platform. There are no longer any ActiveX controls. The password reset tool can also integrate with the Windows login screen so that users can reset their passwords even if they’re unable to log in to their PCs.
  • SQL Server (FIM Service database). The FIM database stores all of the information for the environment and is used for certain transformations that take place.
  • BHOLD. BHOLD is a relatively new addition to FIM that enables organizations to delegate role management to users. This can further streamline the identity management experience in the organization.
  • FIM Outlook Client. A number of FIM actions require authorization through built-in workflows. Through the FIM Outlook client add-in, users and administrators can approve or deny actions right from Outlook without having to open a separate application.
Table 1: FIM 2010 R2 major components
In this article series, you will learn about the identity management and password reset parts of FIM, but I will not be discussing certificate management.

Some additional terminology

As you may have guessed, FIM is a relatively complex software platform and there is a lot of supporting knowledge that goes into deploying the product. As such, there is quite a bit of terminology that’s important to understand.
  • Metaverse. According to Microsoft, the metaverse is “…a set of tables in the SQL Server database that contains the combined identity information for a person or resource. Management agents update and modify the metaverse from multiple connected data sources, and in turn, management agents use the data in the metaverse to update and modify the connected data sources. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain.” In other words, the metaverse is the universe in which the various FIM objects reside.
  • Connector space. This is an area where objects are written before being synchronized with the metaverse or a connected data source.
  • Connector. In FIM, a connector is an object in the connector space that is connected to an object in the metaverse.
  • Explicit Connector. A specialized type of connector that can only be created manually and that remains connected even when filters are in place.
  • Management agent. In FIM, a management agent is responsible for connectivity to a specific data source.
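To make the terms above concrete, and to tie them back to the earlier points about provisioning from an authoritative source, deactivating accounts when payroll records a termination, and keeping connected systems in step with data changes, here is an added toy synchronization pass written for this article. It is not FIM's engine; the HR feed, the Active Directory connector space and the department-to-group rule are all constructed sample data, and the "management agent" is simulated by the list of export actions the pass computes.

```python
"""Toy synchronization pass: records from an authoritative HR feed sit in a
connector space, are joined into the metaverse on employee id, and the
metaverse is exported to a connected directory as create / update / disable
actions. Added illustration of the concepts, not FIM code."""

# Constructed sample data: the authoritative source (HR)...
HR_FEED = [
    {"employee_id": "1001", "given": "Alice", "surname": "Ng", "department": "Finance",
     "manager_id": "1000", "status": "active"},
    {"employee_id": "1002", "given": "Bob", "surname": "Lee", "department": "Finance",
     "manager_id": "1001", "status": "active"},
    {"employee_id": "1003", "given": "Cy", "surname": "Ortiz", "department": "Sales",
     "manager_id": "1000", "status": "terminated"},
]
# ...and the connector space of an Active Directory management agent, keyed on employeeID.
AD_CS = {
    "1002": {"sAMAccountName": "blee", "department": "Accounting", "enabled": True,
             "groups": {"Accounting-Staff"}},
    "1003": {"sAMAccountName": "cortiz", "department": "Sales", "enabled": True,
             "groups": {"Sales-Staff"}},
    "9999": {"sAMAccountName": "svc-legacy", "department": "", "enabled": True, "groups": set()},
}
# Constructed role rule: the department in the authoritative source decides group membership.
DEPARTMENT_GROUPS = {"Finance": {"Finance-Staff"}, "Sales": {"Sales-Staff"}}


def record_is_complete(rec):
    """The authoritative source must be clean: refuse to flow records that lack
    the join key or the manager that downstream steps depend on."""
    return bool(rec.get("employee_id")) and bool(rec.get("manager_id"))


def metaverse_join(hr_feed, ad_cs):
    """Build the metaverse: one entry per employee id. HR is authoritative for
    identity attributes; the AD connector (if one exists) contributes the account."""
    mv = {}
    for rec in hr_feed:
        if not record_is_complete(rec):
            raise ValueError(f"incomplete HR record: {rec}")
        mv[rec["employee_id"]] = dict(rec, ad=ad_cs.get(rec["employee_id"]))
    return mv


def export_actions(mv, ad_cs):
    """What the AD management agent would export so that AD reflects the
    metaverse: provision, deprovision (disable, not delete), attribute flow and
    group membership. AD accounts with no authoritative record are flagged for
    review rather than silently tolerated."""
    actions = []
    for entry in mv.values():
        ad = entry["ad"]
        wanted_groups = DEPARTMENT_GROUPS.get(entry["department"], set())
        if entry["status"] != "active":
            # A termination in HR/payroll drives deactivation without a ticket to IT.
            if ad is not None and ad["enabled"]:
                actions.append(("disable", ad["sAMAccountName"]))
            continue
        if ad is None:
            sam = (entry["given"][0] + entry["surname"]).lower()
            actions.append(("create", sam, {"department": entry["department"],
                                             "manager": entry["manager_id"],
                                             "groups": wanted_groups}))
            continue
        if ad["department"] != entry["department"]:
            actions.append(("update", ad["sAMAccountName"], {"department": entry["department"]}))
        for group in sorted(wanted_groups - ad["groups"]):
            actions.append(("add_to_group", ad["sAMAccountName"], group))
        for group in sorted(ad["groups"] - wanted_groups):
            actions.append(("remove_from_group", ad["sAMAccountName"], group))
    for eid, ad in ad_cs.items():
        if eid not in mv:
            actions.append(("review_orphan", ad["sAMAccountName"]))
    return actions


if __name__ == "__main__":
    for action in export_actions(metaverse_join(HR_FEED, AD_CS), AD_CS):
        print(action)
```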

Data source options

FIM can connect to a variety of data sources. The list below describes which data sources Microsoft Forefront Identity Manager (FIM) 2010 R2 supports:
  • Active Directory Domain Services 2000, 2003, 2003 R2, 2008
  • Active Directory Lightweight Directory Services (ADLDS)
  • Active Directory global address list (GAL)
  • Attribute-value pair text files
  • FIM Certificate Management
  • Delimited text files
  • Directory Services Markup Language (DSML) 2.0
  • Microsoft Exchange Server 2007 and 2010 (use the management agent for Active Directory)
  • Microsoft SQL Server 2000, SQL Server 2005, SQL Server 2008
  • Fixed-width text files
  • IBM DB2 Universal Database 9.1 or 9.5
  • IBM Directory Server 6.0 or 6.2
  • LDAP Data Interchange Format (LDIF)
  • Lotus Notes release 6.5 or 7.0
  • Novell eDirectory 8.7.3 or 8.8
  • Oracle 10g Database
  • SAP R/3 Enterprise (4.7), mySAP 2004 (ECC 5.0)
  • Sun ONE and Netscape Directory Server 5.1 and 5.2
  • SAP HCM
  • Oracle eBusiness Suite
  • Oracle PeopleSoft
There are also some additional management agents available for certain online services, such as Office 365. Using these data sources, you can manage identities across just about any system.

High level deployment overview

Bearing in mind that I won’t be covering the certificate management parts of FIM in this series, it’s possible to deploy FIM in a number of different scenarios. Here are some things to keep in mind:
  • Most roles can coexist on a single server. This is generally suitable only in very small or lab environments.
  • The SCSM data warehouse service must run separately from the other services.
  • For scalability, administrators often place each role on a separate server. In the world of virtualization, this is a pretty easy feat to accomplish and provides the opportunity to granularly scale components as needed.
  • A best practice is to install the FIM portal and the FIM service together.
On the issue of scale, not all FIM services can be load balanced or spread across multiple servers; for those roles, only a single server of the role type is supported.

Summary

With more foundational elements in place, in the next part of this series, we’ll walk through the beginnings of a FIM deployment.

Windows Server 2012 R2 - Storage Spaces

In this article we'll go through steps to create a storage pool and begin the process of creating a virtual disk.


Introduction

Microsoft first introduced Storage Spaces in Windows Server 2012. It’s an impressive technology, and once it becomes a truly trusted member of the Windows Server family, administrators may warm up to its use, particularly as Microsoft continues to add new features to the service.

Preamble

Before I get started discussing the creation of a storage space in Windows Server 2012 R2, bear in mind that I’m using the Preview version of the operating system that Microsoft made available. Further, I wanted to comment on the overall installation experience for the new operating system. I’ve installed Windows Server 2012 R2 as a virtual machine. I carry a spare solid state drive and I use that drive to store all of my “mobile lab” virtual machines. While I still have other virtual machines running in my more complete home lab, my mobile lab was more than sufficient for this.
I’m extremely impressed at just how fast the overall install process performed. While I didn’t expect it to be slow since I’m using all solid state storage on my system, I was still surprised that the time from the beginning of the installation to first login was only seven minutes. Microsoft has made good progress on making the installation experience a lot faster than it used to be!

Create a Storage Space

You may already know a bit about Storage Spaces. It was introduced in Windows Server 2012 as a new way of thinking about how to pool and manage storage using just Windows. Storage Spaces is basically a storage virtualization technology that aggregates all supported storage into a pool of storage that can be managed as a single entity. Once storage is aggregated, an administrator can create volumes that leverage the space. With Storage Spaces, Microsoft seems to be pushing into the world of the storage array a bit more aggressively than they have in the past. While it remains to be seen whether or not enterprise customers will accept Storage Spaces, for lab and development use, Storage Spaces is a clear choice.
With Windows Server 2012 R2, Microsoft is doubling down on Storage Spaces and has added an impressive array of features, including:
  • Storage tiering. A common method by which data is stored on different kinds of drives to meet performance targets.
  • Deduplication. An enterprise-grade feature that eliminates copies of data and saves disk space.
  • Write-back cache. Helps to control random spikes in I/O.
You may not be replacing your SAN quite yet with Storage Spaces, but the growing feature set may make it an eventual contender in the storage decision.
At this point, I’ve installed a brand new Windows Server 2012 R2 Preview system and I’ve added two additional virtual disks – one 30 GB in size and one 20 GB in size – to this virtual machine, but I have not yet performed any configuration against these disks. You can see these disks in Figure 1. Note that one of the disks – Disk 0 -
The high level process goes like this:
  • Create a storage pool. This consists of physical disks or physical arrays.
  • Create a virtual disk.
  • Create a volume and choose your file system.
Figure 1: The disks present inside my virtual machine
To get started with the overall process, from the Tasks menu shown in Figure 2, choose New Storage Pool. The “primordial” storage space listed simply refers to disks that are present on a physical server but that have not yet been added to a storage space. Note also that no virtual disks have been created yet.
Figure 2: Create a new storage pool
Next up, provide a name for your new storage pool and, if you like, provide a description. Further, choose the primordial storage pool from which you’d like to choose physical disks to include in your new storage space.
Figure 3: Name your storage pool and choose the set of primordial disks
Now, choose the physical disks you’d like to include in the new storage pool. In the Allocation column, you can choose from one of three options:
  • Automatic. This is a disk that will play an active role in the Storage Space.
  • Hot spare. A hot spare idles quietly in the background and then jumps into action in the event that a storage space suffers a disk failure. Hot spares are a very common element in the world of storage.
  • Manual. A drive marked as manual is used if you specify it at the creation of a storage space; otherwise, it is held for use by specific storage spaces rather than being allocated automatically.
You can see that I’ve selected my two spare disks and the wizard presents back to me the total aggregated raw capacity for those disks. Take a look at Figure 4.
Note that there are certain kinds of devices that can’t be included in your pool, including existing RAID arrays and iSCSI targets.
Figure 4: Select the disks that you'd like to include in your new storage pool
Once you’ve made all of your choices, it’s time to review them to make sure that you haven’t overlooked something. When you’re ready, click the Create button.
Figure 5: Review your selections
There are multiple steps that the wizard performs to accomplish your administrative goals. You can track their progress on the results screen shown in Figure 6. This process typically goes pretty quickly.
Figure 6: Make sure everything goes well

Create a Virtual Disk

Creating the storage space is just part one of a three-part process. You have now aggregated a bunch of physical storage, but now you have to create a virtual disk upon which you can then create disk volumes. That’s the step we’ll discuss now.
To get started, right-click your newly created storage space and, from the shortcut menu, choose New Virtual Disk. Take a look at Figure 7 if you need a pointer.
Figure 7: It's time to create a new virtual disk!
The first question you’re asked in this phase is to choose the storage pool on which you’d like to create the new virtual disk. As you can see in Figure 8, I’m using the Test Pool that I created in the previous section.
Figure 8: Choose the storage pool you'd like to work with
Like pretty much everything else, your new virtual disk needs a name. I’ve opted to use the crazy original name of Test vdisk for this article.
In Figure 9, take note of the checkbox that is grayed out in my environment. Entitled Create storage tiers on this virtual disk, this option requires that at least one solid state disk and one hard disk drive exist. In my installation, the drives I’ve created are not passed through to my virtual machine as SSDs, but they are passed through as hard drives, hence the unavailability of this option.
Figure 9: Name your new virtual disk

Summary

At this point, you’ve created a storage pool and begun the process of creating a virtual disk. In part two, you will complete the virtual disk creation process and learn about the various options at your disposal when you create a volume.
