book

Microsoft Forefront Identity Manager 2010 R2 Handbook

Name: Microsoft Forefront Identity Manager 2010 R2 Handbook
Author: Kent Nordstrom
ISBN: 9781849685368

by Kent Nordstrom

August 2012

Intermediate to advanced

446 pages

9h 22m

English

Packt Publishing

Read now

Unlock full access

Microsoft Forefront Identity Manager 2010 R2 Handbook
Table of Contents
Microsoft Forefront Identity Manager 2010 R2 Handbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and moreWhy Subscribe?Free Access for Packt account holdersInstant Updates on New Packt Books
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. The Story in this Book
The Company
The challenges
Provisioning of usersIdentity lifecycle proceduresHighly Privileged Accounts (HPA)Password managementTraceability
The solutions
Implement FIM 2010 R2Start using smart cardsImplement federation
The environment
Moving forward
Summary 
2. Overview of FIM 2010 R2
The history of FIM 2010 R2
FIM Synchronization Service (FIM Sync)
Management AgentsNon-declarative vs. declarative synchronizationPassword synchronizationFIM Service Management Agent
FIM Service
Request pipelineFIM Service Management AgentManagement Policy Rules (MPRs)
FIM Portal
Self Service Password Reset (SSPR)
FIM Reporting
FIM Certificate Management (FIM CM)
Certificate Management portal
Licensing
Summary
3. Installation
Development versus production
Capacity planning
Separating roles
DatabasesFIM features
Hardware
Installation order
Prerequisites
DatabasesCollation and languagesSQL aliasesFIM-DevSQLSCSMWeb serversFIM PortalFIM Password ResetFIM Certificate ManagementService accountsKerberos configurationSETSPNDelegationSystem Center Service Manager Console
Installation
FIM Synchronization ServiceFIM Service and FIM PortalFIM Password Reset portalFIM Certificate ManagementSCSM managementSCSM Data Warehouse
Post-installation configuration
Granting FIM Service access to FIM SyncSecuring the FIM Service mailboxDisabling indexing in SharePointRedirecting to IdentityManagementEnforcing KerberosEditing binding in IIS for FIM Password sitesRegistering SCSM Manager in Data WarehouseFIM post-install scripts for Data Warehouse
Summary
4. Basic Configuration
Creating Management AgentsActive DirectoryLeast privilegedDirectory replicationPassword resetCreating AD MAHR (SQL Server)Creating SQL MARun profilesSingle or Multi step
Schema management
FIM Sync versus FIM Service schemaObject deletion in MVModifying FIM Service schema
FIM Service MA
Creating the FIM Service MACreating run profilesFirst importFiltering accounts
Initial load versus scheduled runs
Moving configuration from development to production
Maintenance mode for productionDisabling maintenance modeExporting FIM Synchronization Service settingsExporting FIM Service settingsExporting the FIM Service schemaExporting the FIM Service policyGenerating the difference filesGenerating the schema differenceGenerating the policy differenceImporting to productionImporting custom codeImporting the Service schema differenceImporting the Synchronization Service settingsImporting the FIM Service policyPowerShell scripts
Summary
5. User Management
Modifying MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Outbound synchronization policyOutbound system scoping filterDetected rule entry
Provisioning
Non-declarative provisioning
Managing users in a phone system
Managing users in Active Directory
userAccountControlProvision users to Active DirectorySynchronization ruleSetWorkflowMPRInbound synchronization from AD
Temporal Sets
Self-service using the FIM portal
Managers can see direct reportsUsers can manage their own attributes
Managing Exchange
Exchange 2007Exchange 2010Synchronization rule for ExchangeMailbox usersMail-enabled users
Summary
6. Group Management
Group scope and typesActive DirectoryFIMTypeScopeMember SelectionManualManager-basedCriteria-based
Installing client add-ins
Add-ins and extensions
Modifying MPRs for group management
Creating and managing distribution groups
Importing groups from HR
FIM Service and Metaverse
Managing groups in AD
Security groupsDistribution groupsSynchronization ruleSetWorkflowMPR
Summary
7. Self-service Password Reset
Anonymous requestQA versus OTP
Enabling password management in AD
Allowing FIM Service to set passwords
Configuring FIM Service
Security contextPassword Reset Users SetPassword Reset AuthN workflowConfiguring the QA gateThe OTP gateRequire re-registrationSSPR MPRs
The user experience
Summary
8. Using FIM to Manage Office 365 and Other Cloud Identities
Overview of Office 365DirSyncFederationPowerShell or Custom MAUsing UAG and FIM to get OTP for Office 365
Summary
9. Reporting
Verifying the SCSM setupSynchronizing data from FIM to SCSM
Default reports
The SCSM ETL process
Looking at reports
Allowing users to read reports
Modifying the reports
Summary
10. FIM Portal Customization
Components of the UI
Portal Configuration
Navigation Bar Resource
Search scopes
Usage KeywordSearch DefinitionResultsCreating your own search scope
Filter Permissions
RCDC
Summary
11. Customizing Data Transformations
Our optionsPowerShellClassic rules extensionsSSISWorkflow activitiesExtensible Connectivity Management Agent
Managing Lync
Provision Lync UsersManaging multivalued attributes
Selective deprovisioning
The case with the strange roles
Summary
12. Issuing Smart Cards
Our scenarioAssurance level
Extending the schema
The configuration wizard
Create service accountsCreate certificate templates for FIM CM service accountsFIM CM User Agent certificate templateFIM CM Enrollment Agent certificate templateFIM CM Key Recovery Agent certificate templateEnable the templatesRequire SSL on the CM portalKerberos again!Install SQL Client Tools ConnectivityRun the wizardBackup certificatesRerunning the wizardThe accountsThe database
Configuring the FIM CM Update Service
Database permissions
Configuring the CA
Installing FIM CM CA filesConfiguring Policy Module
Installing the FIM CM client
FIM CM permissions
Service Connection PointUsers and groupsCertificate TemplateProfile Template objectProfile Template settings
Allowing managers to issue certificates for consultants
Creating a Profile Template for consultant Smart CardsConfiguring permissions for consultant Smart CardsJohn enrolls a Smart Card
RDP using Smart Cards
CM Management Agent
Summary
13. Troubleshooting
Reminder
Troubleshooting
KerberosConnected Data SourcesFIM SyncFIM ServiceRequest errorsSync errorsReportingFIM CMAgent certificatesCAFIM clients
Backup and restore
FIM SyncFIM Service and PortalFIM CMSource code
Summary
A. Afterword
Index

Content preview from Microsoft Forefront Identity Manager 2010 R2 Handbook

FIM CM permissions

Permissions for FIM CM are set in five different places, sometimes making it hard to troubleshoot permission errors. On the other hand, the granular permission model makes it possible for a granular policy to be defined.

If, for example, you have a policy that managers in the USA should only be able to issue Smart Cards for consultants in the USA but not in Europe, you can do so.

Service Connection Point

The Service Connection Point , SCP, permissions determine whether a user is assigned a management role in the FIM CM deployment.

When you run the configuration wizard, the SCP is decided but the default is the one shown in the following figure:

If a user is assigned any of the FIM CM permissions available on the SCP, the administrative ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781849685368Other

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Microsoft Forefront Identity Manager 2010 R2 Handbook

by Kent Nordstrom

FIM CM permissions

Service Connection Point

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.