Archive for August, 2010

BPOS PCNS Extension

Lately I have been involved in a lot of internal Microsoft BPOS activity. For people who have not heard of BPOS, it is the Business Productivity Online Suite: basically Microsoft servers such as Exchange, SharePoint, Communications Server, etc. that are hosted by Microsoft in Microsoft's datacenter and sold to businesses as a service rather than as software. No need for hardware, no need for upgrades and maintenance.
Schakra has embraced 'the cloud' and bravely moved all our internal mailboxes to BPOS. As a Microsoft partner that offers BPOS deployments to customers, this was a necessary move. Now we can experience what our customers are experiencing and gain valuable first-hand expertise.
The very first thing I noticed after the migration was completed is that I now have two passwords to worry about: one for my local AD and another for BPOS cloud resources. BPOS comes with a rich SSO client which attempts to manage your credentials and re-configures rich applications such as Outlook and Communicator; however, when you go to a web resource you are on your own and have to type the login and password assigned to you. Our IT guys were not exactly a happy bunch when users began to ask to reset both local and cloud passwords. Practically all the time they saved by not managing a local Exchange server they were losing on ad-hoc password resets. We have plenty of users who work remotely, some VPN in, some are joined to clients' domains... so as you can imagine, adding another variable to password management is not an ideal place to be in.
Being an IdM guy I could not live with that. My research indicated that there were no products that employ the standard PCNS (Password Change Notification Service) to synchronize on-premise AD passwords with the BPOS cloud. What else could I do but write one!
For several days now Schakra's internal population has been happily using the BPOS PCNS extension; we would be happy to help any BPOS customer with password synchronization issues.
The BPOS PCNS extension installs onto your existing BPOS directory synchronization box. It relies on the standard Microsoft PCNS component on your domain controllers and requires no custom code there, no web service of any kind, and no separate physical or virtual host. It simply augments your existing BPOS installation and synchronizes your AD passwords to BPOS passwords one-to-one.

Live@edu OLSync on FIM 2010

This week I completed yet another Live@edu engagement with FIM 2010. It appears that here at Schakra we are receiving more and more requests from Live@edu customers who want to use FIM 2010 as the platform for Live@edu instead of ILM 2007.

Why FIM 2010 is not offered yet to Live@edu folks?

I have been asked by end customers why Microsoft is not offering Forefront Identity Manager 2010 within the Live@edu program.
The answer is rather simple. Live@edu is a marketing program that offers a variety of Microsoft products to the educational sector for free. The most notable is the hosted Exchange 2010 solution; however, there is a plethora of other products that Microsoft packages under the Live@edu umbrella: SharePoint Server, the online version of Office 2010, SkyDrive, Spaces, etc. As you can guess, the Live@edu team is NOT the owner of all those technologies. Each technology belongs to the team that develops and supports it; Exchange 2010 naturally belongs to the Exchange team, SkyDrive and Spaces to the Windows Live team, and so on.

So why is it still ILM 2007? The answer is that when the Exchange team started development of ELMA (thereafter OLMA), then GALSync and finally OLSync (finally for summer 2010, that is), there was no FIM 2010 in sight. Two years ago, when ELMA 1.0 was on the design board (I was part of the ELMA 1.0 team), the name "Forefront Identity Manager" had not even been conceived yet; it was 'ILM 2' at the time, with no defined release date and no clear upgrade path available in writing. On top of that, as you know, Microsoft offers full-fledged Premier Support for all Live@edu customers (which is rather amazing, considering that this is a free offer); so for the "mother ship" to offer something like that takes a lot of confidence in the product, and therefore the offered solution has to be tested and over-tested and tested again... hence the lag in offering FIM 2010 to Live@edu customers.

In the meanwhile, you can rely on Microsoft partners such as my company, Schakra. Deconstructing OLSync and reconstructing it on FIM 2010 is something we certainly can offer. If you need or want your Live@edu or custom OLMA (Outlook Live Management Agent) solution running on Microsoft Forefront Identity Manager 2010, give us a call; we will be happy to help you set things up and support it.

Auxiliary MA alternative

Recently I published a Metaverse Router project on CodePlex. This project allows the MIIS/ILM/FIM synchronization engine to operate with discrete provisioning modules instead of a single monolithic provisioning DLL that has to serve dissimilar connected directories.

One of the benefits of Metaverse Router is that you can enable or disable 'scripted' provisioning in your Sync Engine without modifying the server configuration. It is also possible to enable and disable provisioning for individual modules, if you wish.

During work with a client of mine it dawned on me that this disabling of provisioning could be performed mid-run of the synchronization cycle. Why is this important?

If you are familiar with the concept of the Auxiliary MA, you know that the Sync Engine can run into a configuration problem that prevents an object from being provisioned into one of the systems because an object with an identical distinguished name already exists in that system (typically sitting in that system's connector space as a disconnector that has not joined yet). The proposed solution is called the Auxiliary Management Agent. An Auxiliary MA is a basic text (or any other default type) management agent which depends on the sequence of synchronization execution and allows the provisioning code to execute successfully by provisioning an "auxiliary" object first, which in turn allows the pre-existing object to join to the Metaverse; thereafter the auxiliary CSEntry 'self-destroys' when it is no longer needed. I encourage you to dig through MSDN for more information. The Auxiliary MA can be conceptually 'dry'...

Nevertheless, adding an additional MA and introducing additional provisioning code is not something I like to do when it can be avoided. So, to resolve the provisioning issue mentioned above without introducing an additional MA, we can simply disable provisioning in the Metaverse Router from the script during the Sync Engine run. With provisioning disabled, the source MA's synchronization pass projects objects into the Metaverse and the target MA's synchronization pass joins the pre-existing objects to them, without any provisioning code being executed; that is what solves the "auxiliary" problem. Thereafter your script re-enables provisioning and synchronizes the source MA again, so that only Metaverse objects that still have no connector in the target get provisioned, and voila: no Auxiliary MA needed.
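The run sequence described above, written out as an added example: this is not the author's script and not code from the Metaverse Router project. It assumes the router reads its provisioning on/off switch from a registry value (the key path and value name below are hypothetical; substitute whatever your router build actually reads), and the MA names and run profile names are placeholders for your own configuration. The MIIS_ManagementAgent WMI class it uses to run the management agents is the standard MIIS/ILM/FIM management interface.

```powershell
# Added example, not code from the original post or the Metaverse Router project.
# Assumption: the router reads its provisioning switch from the registry value
# below (hypothetical path). MA names and run profile names are placeholders.
# The WMI class used to run MAs is the standard MIIS/ILM/FIM provider.

$ErrorActionPreference = 'Stop'

$RouterKey   = 'HKLM:\SOFTWARE\Schakra\MetaverseRouter'   # hypothetical
$RouterValue = 'ProvisioningEnabled'                      # hypothetical
$MiisNs      = 'root\MicrosoftIdentityIntegrationServer'

$SourceMA = 'HR MA'          # placeholder: the MA that projects into the Metaverse
$TargetMA = 'Target AD MA'   # placeholder: the MA whose system holds pre-existing objects

function Set-RouterProvisioning {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    if (-not (Test-Path $RouterKey)) { New-Item -Path $RouterKey -Force | Out-Null }
    # DWORD 1 = provisioning on, 0 = off; -Force overwrites an existing value
    New-ItemProperty -Path $RouterKey -Name $RouterValue -Value ([int]$Enabled) `
                     -PropertyType DWord -Force | Out-Null
    Write-Host ("Router provisioning {0}" -f $(if ($Enabled) { 'ENABLED' } else { 'DISABLED' }))
}

function Invoke-MARunProfile {
    param([Parameter(Mandatory=$true)][string]$MAName,
          [Parameter(Mandatory=$true)][string]$RunProfile)
    $ma = Get-WmiObject -Namespace $MiisNs -Class 'MIIS_ManagementAgent' `
                        -Filter "Name='$MAName'"
    if ($null -eq $ma) { throw "Management agent '$MAName' not found" }
    $status = $ma.Execute($RunProfile).ReturnValue
    Write-Host ("{0} / {1}: {2}" -f $MAName, $RunProfile, $status)
    # Anything other than these two results means the run did not finish cleanly;
    # stop here rather than re-enable provisioning on top of a half-joined state.
    if (@('success', 'completed-no-objects') -notcontains $status) {
        throw "Run profile '$RunProfile' on '$MAName' ended with status '$status'"
    }
}

try {
    # Phase 1: provisioning OFF. Import both sides, project the source objects
    # into the Metaverse, then let the pre-existing target objects join them.
    # No provisioning code runs, so nothing tries to create a duplicate DN.
    Set-RouterProvisioning -Enabled $false
    Invoke-MARunProfile -MAName $SourceMA -RunProfile 'Full Import'
    Invoke-MARunProfile -MAName $TargetMA -RunProfile 'Full Import'
    Invoke-MARunProfile -MAName $SourceMA -RunProfile 'Full Synchronization'   # projection
    Invoke-MARunProfile -MAName $TargetMA -RunProfile 'Full Synchronization'   # join

    # Phase 2: provisioning ON. Provisioning modules that check ConnectedMAs skip
    # Metaverse objects that already have a target connector; the rest get a CSEntry.
    Set-RouterProvisioning -Enabled $true
    Invoke-MARunProfile -MAName $SourceMA -RunProfile 'Full Synchronization'   # provision
    Invoke-MARunProfile -MAName $TargetMA -RunProfile 'Export'
}
finally {
    # Never leave the engine with provisioning silently switched off
    Set-RouterProvisioning -Enabled $true
}
```

Run it on the synchronization server as a member of the MIIS administrators group, since both the WMI calls and the registry write need those rights. Two caveats: the script stops at the first run profile that does not end in success, so provisioning is not switched back on over a half-joined connector space except by the finally block; and the provisioning modules must still test for an existing connector in the target before creating a new CSEntry, otherwise the second source synchronization would recreate exactly the duplicate that the join pass avoided.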

I will be working on VB and PowerShell scripts to complement Metaverse Router on CodePlex.

Happy coding!