Evaluate Microsoft Identity Lifecycle Manager “2” RC

by david January 09, 2009 00:47

Identity Lifecycle Manager “2” (aka ILM 2) is going to change yet again the way you manage identities within your organization. ILM 2 builds on the existing functionality in ILM, providing a portal with turnkey solutions for credential, access, user, and policy management. Additionally, ILM 2 has Web Service APIs that can be used to create clients that interact with the ILM 2 platform.

To learn about ILM 2 you can download the latest build via the link below.

Evaluate Microsoft Identity Lifecycle Manager “2” RC

Tags: ILM

Converting a GUID to a String

by david January 06, 2009 14:06

Many directory services create a unique identifier for each object that is created. Active Directory and ADAM have an attribute named objectGUID. In most cases, using the objectGUID for a primary join key is preferred, because it will never change, unless the object is deleted and recreated.

The advantage to using an attribute such as the objectGUID as the primary key is that it allows for other unique values to change without causing a disconnect / reconnect due to the primary key being removed from the connector space.

A good example is using the mail attribute as a unique anchor. Email addresses can change over time and when it does the connector space object will become disconnected from the metaverse. And, depending on your ILM configuration you probably don’t want that to happen (object deletion rules!). That is why I prefer using the objectGUID as the unique anchor.

Since the objectGUID is an octet string you will probably want to convert it to a more usable format, such as a text string. One of the easiest ways I have found to convert a GUID to a string is with the following code:

// objectGUID arrives as a 16-byte octet string; Guid(byte[]) throws an
// ArgumentException if the array is not exactly 16 bytes long.
public static string ConvertGUIDtoString(byte[] _guid)
{
    Guid guid = new Guid(_guid);
    return guid.ToString();
}

Once converted to a string value, you can easily flow the guid to any destination, and provide an excellent key for relinking directories, should the metaverse ever need to be rebuilt from scratch.

If you prefer to use the objectSID, the following code will convert a SID to a string value. But if you choose to go the way of the SID, you will need to include a using directive for the System.Security.Principal namespace.

using System.Security.Principal;

// Offset 0 because the SID begins at the first byte of the objectSid value.
public static string ConvertSIDtoString(byte[] _sid)
{
    SecurityIdentifier oSid = new SecurityIdentifier(_sid, 0);
    return oSid.ToString();
}
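The two helpers above only go one way. When the string key is flowed to another system and the metaverse later has to be rebuilt, you also need the reverse conversion and a way to look the object up by GUID, which means escaping the raw bytes into an LDAP filter. The following is an added example written for this post, not the author's code; the GUID and SID values in it are constructed, and the method names are my own.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Text;

public static class DirectoryKeys
{
    // Constructed sample objectGUID (16 bytes); not taken from any real directory.
    public static readonly byte[] SampleObjectGuid =
    {
        0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
        0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10
    };

    // objectGUID -> string. Guid(byte[]) throws only a generic ArgumentException on a
    // wrong length, so check first and say which value was bad.
    public static string GuidToString(byte[] objectGuid)
    {
        if (objectGuid == null || objectGuid.Length != 16)
            throw new ArgumentException("objectGUID must be exactly 16 bytes", "objectGuid");
        return new Guid(objectGuid).ToString();
    }

    // string -> objectGUID. Guid.ToByteArray() returns the same byte order the
    // constructor consumed, so the result can be written back as an octet string.
    public static byte[] GuidFromString(string text)
    {
        return new Guid(text).ToByteArray();
    }

    // Builds an LDAP search filter that finds the object by GUID. Every byte is
    // escaped as \hh (RFC 4515); this is the only way to put binary data into a
    // filter and it leaves no character that could change the filter's structure.
    public static string GuidToLdapFilter(byte[] objectGuid)
    {
        if (objectGuid == null || objectGuid.Length != 16)
            throw new ArgumentException("objectGUID must be exactly 16 bytes", "objectGuid");
        var sb = new StringBuilder("(objectGUID=");
        foreach (byte b in objectGuid)
            sb.Append('\\').Append(b.ToString("x2"));
        return sb.Append(')').ToString();
    }

    // objectSid -> "S-1-5-21-..." string; offset 0 because the SID starts at byte 0.
    public static string SidToString(byte[] objectSid)
    {
        return new SecurityIdentifier(objectSid, 0).ToString();
    }

    // "S-1-5-21-..." -> objectSid bytes, the inverse of SidToString.
    public static byte[] SidFromString(string sddl)
    {
        var sid = new SecurityIdentifier(sddl);
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        return raw;
    }

    public static void Main()
    {
        string guidText = GuidToString(SampleObjectGuid);
        Console.WriteLine("objectGUID as string: " + guidText);
        Console.WriteLine("LDAP filter:          " + GuidToLdapFilter(SampleObjectGuid));

        // Round trip: the string flowed to another system must map back to the same
        // octets, or it is useless as a relink key.
        byte[] back = GuidFromString(guidText);
        Console.WriteLine("GUID round trip ok:   " + back.SequenceEqual(SampleObjectGuid));

        // Constructed SID (made-up domain S-1-5-21-1-2-3, RID 1105), not a real account.
        byte[] sidBytes = SidFromString("S-1-5-21-1-2-3-1105");
        string sidText = SidToString(sidBytes);
        Console.WriteLine("objectSid as string:  " + sidText);
        Console.WriteLine("SID round trip ok:    " + SidFromString(sidText).SequenceEqual(sidBytes));

        // A truncated value must be rejected rather than silently producing a wrong key.
        try { GuidToString(new byte[15]); }
        catch (ArgumentException ex) { Console.WriteLine("Rejected bad input: " + ex.Message); }
    }
}
```

The length check matters in an MA extension: a short or null objectGUID read from a malformed source record should fail the one object loudly, not produce a key that silently links the wrong account.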


Creating Exchange 2007 Mail-Enabled Objects with ILM, MIIS, and IIFP

by david January 05, 2009 01:38

There has been a bit of traffic on the various MIIS forums lately about just how to create Exchange 2007 Mailbox-Enabled users. Well, fortunately ILM 2007 makes this task much easier, but it can also be done with just a bit more effort with MIIS and IIFP. Regardless of the platform you are running, make sure you have the latest updates applied for your version of the ILM engine (IIFP, MIIS, or ILM).

In addition to installing the latest product updates for your version of the Identity Management tool, you will also need to install Powershell and the Exchange Management Tools.

Why do I need Powershell and the Exchange Management Tools?

Powershell and the Exchange Management Tools are required by ILM to allow the “Enable Exchange 2007 Provisioning” option. Checking this option causes ILM to run the Exchange2007Extension.dll after each export to Active Directory. In short, the Exchange2007Extension.dll runs the “Update-Recipient” Powershell command for each mail-enabled object that is created or modified during the export. You could simulate the same process by running the “Update-Recipient” command manually too.

With Exchange 2000 and 2003 you either called the ExchangeUtils API to create the mail-enabled object or you provisioned the object and then stamped the appropriate mail related attributes. After exporting the changes to Active Directory the Recipient Update Service (RUS) would detect the changes and mail-enable the object. Exchange 2007 did away with the RUS and now we use the “Update-Recipient” command.

Now for the good stuff…

If you are running ILM 2007 you can now provision mail-enabled objects like you did with MIIS and IIFP using the ExchangeUtils APIs. For example, provisioning a mailbox-enabled user would look something like the following (in C#):

// Provision a mailbox-enabled user into the hosted AD management agent. homeMDB holds
// the DN of the target mailbox database and is set elsewhere in the provisioning code.
ConnectedMA ma = mventry.ConnectedMAs[ILMConfiguration.HostedMAName];
ReferenceValue dn;
CSEntry csentry;

// Escape the RDN value and append the target container to form the full DN.
dn = ma.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(mventry["container"].Value);
csentry = ExchangeUtils.CreateMailbox(ma, dn, mventry["mailNickname"].Value, homeMDB);
csentry["description"].Value = "Account created by MIIS on " + DateTime.Now.ToString();

After the export runs ILM will automatically run the “Update-Recipient” command and enable the user for Exchange.

Now this is great if you are running ILM 2007, but what if you aren’t?

How do you enable objects for Exchange 2007 with MIIS and IIFP?

This task is a bit easier than it would seem. I have come up with two options that are quite simple to implement depending on your coding skills. The good part is you should not need to change your provisioning code.

Step 1 – create an export log file

Modify your export run profile to create a log file. When you choose this option the file name you specify will be created in the C:\Program Files\Microsoft Identity Integration Server\MaData\MA-NAME directory, where MA-NAME is the name of your MA.


The log file is written in XML format and should be pretty straightforward to understand. Each object will start with an entry like the one below, with additional XML tags for each attribute that is being written to AD.

<delta operation="add" dn="CN=John Doe,OU=Users,OU=Accounts,DC=Company,DC=com">

Step 2 – process the log file

I have experimented with two methods for processing entries in the log file. The first method I used was to write a script to parse the log file and write all the dn values to a delimited file. The resulting csv file would look something like:

dn
"CN=DL2,OU=Groups,OU=Accounts,DC=Company,DC=com"
"CN=John Doe,OU=Contacts,OU=Accounts,DC=Company,DC=com"
"CN=Sally Smith,OU=Users,OU=Accounts,DC=Company,DC=com"

After the csv file is created, just run the following Powershell command and Exchange will do the rest.

import-csv c:\powershell\process-recipients.csv | foreach {update-recipient -identity $_.DN}
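A worked version of this first method, added here as an example rather than the post's own script: it parses the export log, keeps the dn of every delta that is not a delete, and writes the csv that import-csv consumes. The sample log is constructed; the mmsml wrapper and attr layout around the delta elements, and the operation value "delete", are my assumptions based on the one-line excerpt above, which is why the parser keys only on the delta element's local name and its dn and operation attributes.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml;

public static class ExportLogToCsv
{
    // Constructed sample in the shape of an MIIS export log: one <delta> per exported
    // object carrying its dn and operation. Wrapper elements are assumed, not verified.
    public const string SampleLog =
        "<?xml version=\"1.0\"?>" +
        "<mmsml xmlns=\"http://www.microsoft.com/mms/mmsml/v2\" step-type=\"export\">" +
        "<directory-entries>" +
        "<delta operation=\"add\" dn=\"CN=John Doe,OU=Users,OU=Accounts,DC=Company,DC=com\">" +
        "<attr name=\"mailNickname\" type=\"string\" multivalued=\"false\"><value>jdoe</value></attr>" +
        "</delta>" +
        // An escaped comma inside the RDN: the csv writer must quote it or import-csv splits it.
        "<delta operation=\"update\" dn=\"CN=Smith\\, Sally,OU=Users,OU=Accounts,DC=Company,DC=com\">" +
        "<attr name=\"mailNickname\" type=\"string\" multivalued=\"false\"><value>ssmith</value></attr>" +
        "</delta>" +
        // Deleted objects have no recipient left to update, so they are skipped.
        "<delta operation=\"delete\" dn=\"CN=Old User,OU=Users,OU=Accounts,DC=Company,DC=com\"/>" +
        "</directory-entries></mmsml>";

    // Returns the dn of every delta whose operation is not "delete" (assumed value).
    public static List<string> ExtractDns(string logXml)
    {
        var dns = new List<string>();
        using (var reader = XmlReader.Create(new StringReader(logXml)))
        {
            while (reader.Read())
            {
                if (reader.NodeType != XmlNodeType.Element || reader.LocalName != "delta")
                    continue;
                string op = reader.GetAttribute("operation");
                string dn = reader.GetAttribute("dn");
                if (dn != null && !string.Equals(op, "delete", StringComparison.OrdinalIgnoreCase))
                    dns.Add(dn);
            }
        }
        return dns;
    }

    // Quotes every field and doubles embedded quotes so DNs containing commas or
    // quotes survive import-csv intact; the header "dn" matches $_.DN in the post.
    public static string ToCsv(IEnumerable<string> dns)
    {
        var sb = new StringBuilder();
        sb.AppendLine("dn");
        foreach (string dn in dns)
            sb.Append('"').Append(dn.Replace("\"", "\"\"")).AppendLine("\"");
        return sb.ToString();
    }

    // Usage: ExportLogToCsv <export-log.xml> <output.csv>; with no arguments it
    // processes the constructed sample and prints the csv instead of writing it.
    public static void Main(string[] args)
    {
        string log = args.Length > 0 ? File.ReadAllText(args[0]) : SampleLog;
        string csv = ToCsv(ExtractDns(log));
        if (args.Length > 1)
            File.WriteAllText(args[1], csv);
        else
            Console.Write(csv);
    }
}
```

Reading the dn from the parsed attribute rather than from a regular expression over the raw text is what makes the quoting safe: XML entities in the attribute are decoded once, and the csv writer then re-quotes the final value exactly once.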

The next method I came up with does basically the same thing, except it doesn’t require creating a csv file or creating a Powershell script. By doing a little digging I discovered that Powershell commands can be invoked directly from a .Net application. So, I ended up creating a .Net program to process the XML log file and run the Powershell Update-Recipient command. Fewer moving parts makes life easier. Below is a snippet of the code I came up with (written in C#). You will find more information on invoking Powershell from .Net here.

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace My.Library
{
    public class Powershell
    {
        // Creates and opens a runspace with the Exchange 2007 management snap-in loaded.
        private static Runspace OpenExchangeRunspace()
        {
            RunspaceConfiguration rsc = RunspaceConfiguration.Create();
            PSSnapInException warning;
            rsc.AddPSSnapIn("Microsoft.Exchange.Management.Powershell.Admin", out warning);
            Runspace rs = RunspaceFactory.CreateRunspace(rsc);
            rs.Open();
            return rs;
        }

        // Runs the pipeline and surfaces anything the cmdlet wrote to its error stream;
        // Pipeline.Invoke() does not throw for non-terminating cmdlet errors on its own.
        private static void Run(Pipeline pipeline)
        {
            pipeline.Invoke();
            if (pipeline.Error.Count > 0)
            {
                throw new InvalidOperationException(
                    "Powershell reported an error: " + pipeline.Error.Read());
            }
        }

        // Runs an arbitrary command line; use only with text you control.
        public static void Execute(string cmd)
        {
            using (Runspace rs = OpenExchangeRunspace())
            {
                Run(rs.CreatePipeline(cmd));
            }
        }

        // Passes the DN as a bound parameter instead of splicing it into a command
        // string, so a DN containing quotes cannot break the quoting or change the
        // command that actually runs.
        public static void UpdateRecipient(string identity)
        {
            using (Runspace rs = OpenExchangeRunspace())
            {
                Command update = new Command("Update-Recipient");
                update.Parameters.Add("Identity", identity);
                Pipeline pipeline = rs.CreatePipeline();
                pipeline.Commands.Add(update);
                Run(pipeline);
            }
        }
    }
}

Tags: MIIS | ILM | Exchange | IIFP | Powershell | C# | .Net

MIIS service stopping automatically

by david December 31, 2008 22:36

On a recent customer engagement I ran into an unusual problem where the MIIS service was stopping. The problem was discovered soon after we turned on password synchronization between the customer's Active Directory and Lotus Notes environments.

Through extensive testing we discovered there is a hard limit to the number of password synchronization operations that MIIS can perform before the service terminates.

The customer is running MIIS 2003 SP2 (version 3.2.1008.0) and Lotus Notes 7.0.1. MIIS is configured to push password changes from the Active Directory management agent to Lotus Notes. During testing everything performed nicely, but password change volume was relatively low. Once in full production, the password change volume increased significantly. After extensive testing we were able to determine the failure occurs after approximately 200 password change operations.

The actual Event Log error is:

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date:  3/4/2008
Time:  5:13:12 PM
User:  N/A
Computer: MIIS01
Description:
Faulting application miiserver.exe, version 3.2.1008.0, faulting module nnotes.dll, version 7.0.10.6017, fault address 0x00001467.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 6d 69 69   ure  mii
0018: 73 65 72 76 65 72 2e 65   server.e
0020: 78 65 20 33 2e 32 2e 31   xe 3.2.1
0028: 30 30 38 2e 30 20 69 6e   008.0 in
0030: 20 6e 6e 6f 74 65 73 2e    nnotes.
0038: 64 6c 6c 20 37 2e 30 2e   dll 7.0.
0040: 31 30 2e 36 30 31 37 20   10.6017
0048: 61 74 20 6f 66 66 73 65   at offse
0050: 74 20 30 30 30 30 31 34   t 000014
0058: 36 37                     67

After significant testing Microsoft escalated the problem to IBM - Lotus Notes team. About six months have passed now and I just received word that a memory leak was identified in nnotes.dll. A fix should be available soon.

Tags: ILM | Lotus Notes | MIIS | Password Management | PCNS

Powered by BlogEngine.NET 1.5.1.46