Wednesday, May 19, 2010

FIM 2010 – Documentation Roadmap

 

FIM 2010 Documentation Summary

Documentation Roadmap

Guidance for how to use the Microsoft® Forefront™ Identity Manager 2010 (FIM 2010) and Microsoft® Forefront Identity Manager Certificate Management (FIM CM) documentation.

FIM 2010 Technical Overview

This document is an overview of FIM and how it provides solutions in the identity technology problem space.

Release Notes

This document provides information about the latest changes to FIM and FIM CM.

Planning and Architecture

  • Capacity Planning Guide 
    • This guide describes how different hardware configuration options affect the performance of a server hosting FIM. The configuration options discussed are processors (quantity and speed), database location, memory, disks and network.
  • Preinstallation and Topology Configuration
    • This document provides recommendations for deploying the FIM components in various physical topologies, and setting up for high availability.

Technical Concepts

  • Designing Business Policy Rules
    • This document explains how management policy rules (MPRs), resources and sets, workflows, and requests work together to define business policies that control entitlements of people, applications, or other services to critical resources.
  • Understanding Configuring and Customizing the FIM Portal
    • This document describes the elements and components of the FIM Portal, and how it can be configured and customized for your environment.
  • Understanding Custom Resource and Attributes
    • This document discusses the components and structure of the FIM schema: resource types, attributes, and bindings.
  • Understanding Data Synchronization with External Systems
    • The ability to manage distributed identity information from a central point is key component of the FIM architecture. This process is governed by a well-defined and customizable set of synchronization rules.
    • The objective of this document is to explain how you can use the FIM Synchronization Service to synchronize data with external systems.
  • Understanding Expected State Detection
    • With expected state detection (ESD), you can detect the custom states of objects in your managed external systems in FIM and configure a response to them.
    • The objective of this document is to give you an overview of ESD, to explain how ESD works, and to discuss advanced ESD solutions.

Getting Started

Deployment

  • Migrating from ILM 2007 to FIM 2010
    • This document outlines the steps and processes involved in migrating your ILM 2007 environment to FIM 2010.
  • FIM 2010 Installation Guide
    • This document describes the prerequisites and steps necessary to install the FIM Service, the FIM Synchronization Service, the FIM Portal, and the FIM Add-in for Outlook.
  • FIM 2010 Post Installation Configuration Guide
    • This document provides configurations and procedures to be performed after a successful installation. Depending on your environment, some of these tasks may be optional.
  • Configuration Migration Deployment Guide
    • This document describes the steps for migrating configuration data from a test environment to the FIM Service and the FIM Synchronization Service.
  • Custom Resource and Attribute Management Deployment Guide
    • This document provides end-to-end steps for synchronizing custom resources and attributes to Active Directory.
  • Password Reset Deployment Guide
    • This document provides instructions to help you to configure the password reset and registration feature by using the FIM Portal.
  • How Do I Synchronize Users from Active Directory Domain Services to FIM
    • This guide walks you through the main building blocks that are involved in the process of populating FIM with user data from Active Directory® Domain Services (AD DS), describes how you can verify whether your scenario works as expected, provides suggestions for managing Active Directory users by using FIM, and lists additional sources for information.
  • How Do I Synchronize Groups from Active Directory Domain Services to FIM
    • This guide walks you through the main building blocks that are involved in the process of populating FIM with group data from AD DS, describes how you can verify whether your scenario works as expected, provides suggestions for managing Active Directory groups by using FIM, and lists additional sources for information.
  • How do I Provision Users to Active Directory Domain Services
    • This guide walks you through the main building blocks that are involved in the process of provisioning users from FIM to AD DS, describes how you can verify whether your scenario works as expected, provides suggestions for managing Active Directory users by using FIM, and lists additional sources for information.
  • How do I Provision Groups to Active Directory Domain Services
    • This guide walks you through the main building blocks that are involved in the process of provisioning groups from FIM to AD DS, describes how you can verify whether your scenario works as expected, provides suggestions for managing Active Directory groups by using FIM, and lists additional sources for information.

Operations

  • Best Practices for FIM 2010
    • The document provides guidance and tips for deploying, maintaining, and troubleshooting FIM.
  • FIM 2010 Backup and Restore Guide
    • This guide describes the steps for locating data in FIM server-side components, finding resources to perform the actual backup, and then restoring the data in a test environment.
  • Troubleshooting FIM 2010
    • This document provides guidance for diagnosing common issues with FIM.

Technical Reference

Common Tasks

This section contains suggested approaches to the FIM documentation.

If you are new to FIM 2010
If you are migrating from ILM 2007 to FIM 2010
For pre-installation design and planning
For user and group management
For data synchronization with external systems
For customizing your FIM 2010 environment
For operational maintenance on your FIM 2010 environment
Additional references

For additional references and guidance, see:

Tuesday, May 18, 2010

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5

 

This post addresses the confusion that may arise around SPNs when setting up Kerberos authentication in IIS 7.0. IIS 7.0 has a new Kernel-mode authentication feature with which the Kerberos ticket for the requested service is decrypted using the machine account (Local System) of the IIS server. By default it no longer depends on the application pool identity for this purpose, which in turn improves performance.


So what does this mean?

In most cases you no longer need to worry about the correlation between HTTP SPNs and the application pool identity that the earlier version, IIS 6.0, required. But that is not unconditionally true. There has been some confusion about whether SPNs can be ignored entirely or still matter depending on the settings. Here is a checklist to give more clarity for the different scenarios you may fall under:

SCENARIO 1a

  • IIS 7.0 Web Site/Application
  • Authentication
    Integrated Windows authentication
  • Application Pool Identity
    NETWORK SERVICE
  • Kernel-Mode authentication
    Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
  • Site URL
    Accessed with the NetBIOS name, like http://<myIISserver-NetBIOS-name>/Default.aspx

SPNs will be required ONLY for the IIS machine account:

HOST/<myIISserver-NetBIOS-name>

HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname> e.g. HOST/myIISserver.mydomain.com

***Note: By default, HOST/<myIISserver-NetBIOS-name> and HOST/<myIISserver-NetBIOS-name.fully-qualified-name> are already registered for the machine account when the machine is joined to a domain, and HTTP is one of the service classes covered by HOST. So you may not have to do anything special here for SPNs; everything should be set by default.

You can check the existing SPNs for the machine account by running the following command:

> Setspn.exe -L <myIISserver-NetBIOS-name>

or look directly with a snap-in such as Adsiedit.msc.

SCENARIO 1b

  • IIS 7.0 Web Site/Application
  • Authentication
    Integrated Windows authentication
  • Application Pool Identity
    Custom account for e.g. Domain1\Username1
  • Kernel-Mode authentication
    Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
  • Site URL
    Accessed with the NetBIOS name, like http://<myIISserver-NetBIOS-name>/Default.aspx

The SPN requirements remain the same as above. You do not have to add SPNs like http/<myIISserver-NetBIOS-name> for Domain1\Username1, unlike in IIS 6.0, where an SPN of the form http/<myIISserver-NetBIOS-name> had to be added for the application pool identity.

SPNs will be required ONLY for the IIS machine account:

HOST/<myIISserver-NetBIOS-name>

HOST/<myIISserver-NetBIOS-name.fully-qualified-domainname> e.g. HOST/myIISserver.mydomain.com

***Note: By default, HOST/<myIISserver-NetBIOS-name> and HOST/<myIISserver-NetBIOS-name.fully-qualified-name> are already registered for the machine account when the machine is joined to a domain, and HTTP is one of the service classes covered by HOST. So you may not have to do anything special here for SPNs; everything should be set by default.

You can check the existing SPNs for the machine account by running the following command:

> Setspn.exe -L <myIISserver-NetBIOS-name>

or look directly with a snap-in such as Adsiedit.msc.

SCENARIO 2a

  • IIS 7.0 Web Site/Application
  • Authentication
    Integrated Windows authentication
  • Application Pool Identity
    NETWORK SERVICE
  • Kernel-Mode authentication
    Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
  • Site URL
    Accessed with a custom host name, like http://www.mysite.com

SPNs will be required ONLY for the IIS machine account, in the following format:

HTTP/<site-custom-name> e.g. HTTP/www.mysite.com

You can add an SPN using Setspn.exe like this:

> Setspn -a http/<site-custom-name> <myIISserver-NetBIOS-name>

where <myIISserver-NetBIOS-name> is the IIS machine account and <site-custom-name> is the custom host/host header name for the Web Site URL.

e.g. > Setspn -a http/www.mysite.com <myIISserver-NetBIOS-name>
*The command is not case sensitive.

You can check the existing set of SPNs for the machine account by running the following command:

> Setspn.exe -L <myIISserver-NetBIOS-name>

SCENARIO 2b

  • IIS 7.0 Web Site/Application
  • Authentication
    Integrated Windows authentication
  • Application Pool Identity
    Custom account for e.g. Domain1\Username1
  • Kernel-Mode authentication
    Enabled (<attribute name="useKernelMode" type="bool" defaultValue="true" /> in the ApplicationHost.config file)
  • Site URL
    Accessed with a Custom host/Host header name, like http://www.mysite.com

SPNs will be required ONLY for the IIS machine account and NOT for the Domain1\Username1 account, unlike in IIS 6.0:

HTTP/<site-custom-name> e.g. HTTP/www.mysite.com

You can add an SPN using Setspn.exe like this:

> Setspn -a http/<site-custom-name> <myIISserver-NetBIOS-name>

where <myIISserver-NetBIOS-name> is the IIS machine account and <site-custom-name> is the custom host/host header name for the Web Site URL.

e.g. > Setspn -a http/www.mysite.com <myIISserver-NetBIOS-name>
*The command is not case sensitive.

You can check the existing set of SPNs for the machine account by running the following command:

> Setspn.exe -L <myIISserver-NetBIOS-name>

Special case of running IIS 7.0 in a WEB FARM
If you are running IIS 7.0 in a Web farm, the KDC does not know in advance which individual server the request will reach, so a ticket issued for one server's machine account may fail to decrypt on another. Hence, in such a scenario, register the SPNs under a domain account instead of a specific machine account. I am not a SharePoint guy, but based on what I have read on the Web, this scenario is also applicable to a single SharePoint server configuration.

There are two ways to go:

Either

Disable Kernel-mode authentication and follow the general steps for Kerberos as in the previous version, IIS 6.0. Refer to the Kerberos setup guidance for IIS 6.0.

Or,

[Recommended for Performance reasons]

Let Kernel mode authentication be enabled and the Application pool's identity be used for Kerberos ticket decryption. The only thing you need to do here is:

1. Run the Application pool under a common custom domain account.

2. Add the "useAppPoolCredentials" attribute to the windowsAuthentication element in the ApplicationHost.config file:

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

Remember there is no GUI setting for this. You need to modify the ApplicationHost.config file in the

%SystemDrive%\Windows\System32\inetsrv\config folder on the IIS 7.0 machine.

3. Add the SPNs in the form:

http/<virtualhost-name> and

http/<virtualhost-name.fully-qualified-name> for the Application Pool identity.

Ensure that no other account, including the IIS server machine account, has such an SPN registered.

*If the same SPN is mapped to multiple accounts (whether machine or user accounts), the result is duplicate SPNs, which will break Kerberos.
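An added example, not code from the original post: a PowerShell check that looks up which accounts hold each SPN a scenario requires, so that missing SPNs, SPNs on the wrong account and duplicate SPNs (the condition that breaks Kerberos, as noted above) show up in one report. It assumes a domain-joined machine with read access to Active Directory; the server, host and account names are constructed from the placeholders used in this post.

```powershell
# Added example, not code from the original post. Audits the SPNs an IIS 7.0
# Kerberos scenario needs by searching the domain for every account that holds
# each SPN. Assumes a domain-joined machine with read access to AD.

function Get-SpnHolders {
    # Returns the sAMAccountName of every account whose servicePrincipalName
    # attribute contains $Spn. The LDAP match is case-insensitive, like setspn.
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape the LDAP filter metacharacters that can appear in an SPN.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

function Test-IisKerberosSpns {
    # $ExpectedAccount: sAMAccountName that should hold the SPNs. For the IIS
    # machine account this is the NetBIOS name followed by '$'.
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedAccount,
        [Parameter(Mandatory = $true)][string[]]$RequiredSpns
    )
    foreach ($spn in $RequiredSpns) {
        $holders = @(Get-SpnHolders -Spn $spn)
        $status = if ($holders.Count -eq 0) { 'MISSING' }
                  elseif ($holders.Count -gt 1) { 'DUPLICATE (breaks Kerberos)' }
                  elseif ($holders[0] -ine $ExpectedAccount) { 'WRONG ACCOUNT' }
                  else { 'OK' }
        [pscustomobject]@{ Spn = $spn; Status = $status; Holders = ($holders -join ', ') }
    }
}

# Scenarios 1a/1b: NetBIOS URL, kernel-mode authentication on. The HOST SPNs
# on the machine account are enough, since HTTP is covered by HOST.
# (Constructed names: server MYIISSERVER in domain mydomain.com.)
Test-IisKerberosSpns -ExpectedAccount 'MYIISSERVER$' -RequiredSpns @(
    'HOST/MYIISSERVER', 'HOST/myIISserver.mydomain.com')

# Scenarios 2a/2b: custom host header, so HTTP/<host header> must sit on the
# machine account (host name www.mysite.com taken from the post).
Test-IisKerberosSpns -ExpectedAccount 'MYIISSERVER$' -RequiredSpns 'HTTP/www.mysite.com'

# Web farm with useAppPoolCredentials="true": the SPNs belong to the shared
# application pool account (Domain1\Username1 in the post) and must not also
# exist on any machine account, or they become duplicates.
# (Constructed virtual host name: intranet.)
Test-IisKerberosSpns -ExpectedAccount 'Username1' -RequiredSpns @(
    'HTTP/intranet', 'HTTP/intranet.mydomain.com') | Format-Table -AutoSize
```

A row reporting DUPLICATE lists every account holding that SPN, which is the same set `setspn -X` would flag on Windows Server 2008 and later.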

Hope this helps!

SCCM OSD/PXE Issues in Native Mode

There have been many posts out there trying to address the issue behind Native Mode and PXE and/or Boot Media problems. This posting publishes information I found in the following article, along with additions I have made to clarify some certificate configurations.

Step 1

In the site properties, check that you have imported your Root CA certificates. If you have subordinate CA servers, import them as well, as I have seen issues arise when they are not imported.

Step 2

Create your OSD PXE service point certificate and export it. Go to your certificate authority and duplicate the Computer certificate template, name it Configmgr OSD certificate, and make sure that the private key can be exported!

My Comments:  

MAKE SURE THE SUBJECT NAME TAB CONTAINS: SUPPLY IN REQUEST. When the request is made, give the certificate the following attributes:

  • Common name: <FQDN> (e.g. OSDpxeBootCert.<domain>.com)
  • Subject alternative name (DNS): <FQDN>, e.g. OSDpxeBootCert.<domain>.com
  • Friendly name: any descriptive name.

Note: because certificates are required throughout a native mode deployment, FQDNs are also required for the certificate subject name and subject alternative names.

When you have created the certificate, export it to a DER format by going to MMC - Certificates - Personal - Request new certificate. Select the Configmgr OSD certificate and install it on your machine. When done, right-click the certificate and select Export. Export the certificate with the private key and, once exported, delete the certificate you requested.
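An added example, not code from the original post, and a command-line substitute for the MMC request described above: a PowerShell script that requests the certificate through certreq from an INF file, so that the FQDN subject, the DNS alternative name and the exportable private key the post calls for are fixed in one place, then exports the PFX with certutil. The template common name 'ConfigmgrOSD', the CA config string, the FQDN and the PFX password are assumptions or placeholders, not values from the post.

```powershell
# Added example, not code from the original post. Requests the OSD PXE
# certificate with certreq instead of the MMC wizard, then exports it with
# its private key as the post requires. Run on a domain-joined machine with
# enrollment permission on the template ("Supply in request" subject).
# Assumptions: template common name, CA config string, FQDN and password
# below are constructed placeholders.
param(
    [string]$Fqdn        = 'OSDpxeBootCert.contoso.com',   # constructed sample FQDN
    [string]$Template    = 'ConfigmgrOSD',                 # template common name (assumed)
    [string]$CaConfig    = 'ca01.contoso.com\Contoso-CA',  # constructed "<host>\<CA name>"
    [string]$PfxPassword = 'CHANGE-ME-placeholder',        # placeholder, pass a real secret
    [string]$WorkDir     = "$env:TEMP\osdpxe"
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF: the CN and the DNS SAN both carry the FQDN, and the key is
# marked exportable, matching the three attributes the post insists on.
$inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
$infPath = Join-Path $WorkDir 'osd.inf'
$reqPath = Join-Path $WorkDir 'osd.req'
$cerPath = Join-Path $WorkDir 'osd.cer'
$pfxPath = Join-Path $WorkDir 'osd.pfx'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Build the request, submit it to the CA and install the issued certificate
# into the local machine Personal store.
certreq -new $infPath $reqPath
certreq -submit -config $CaConfig $reqPath $cerPath
certreq -accept $cerPath

# Find the freshly issued certificate by subject and export it with the
# private key (PFX), which is the form the PXE role import needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
certutil -p $PfxPassword -exportPFX My $cert.Thumbprint $pfxPath

# As the post advises, remove the certificate from the requesting machine
# once the PFX exists; it should live only on the PXE service point.
certutil -delstore My $cert.Thumbprint
Write-Output "Exported $pfxPath for import in the PXE role configuration."
```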

Step 3

Import the certificate in the PXE role configuration pane.

Now go to the SCCM console, navigate to Site systems - PXE Role, and import the certificate you just exported.

You will get a warning if you exported the certificate on the site server itself. This is not a problem; select "Yes" to continue.

Check the PXE Certificate in the SCCM console.  Verify that the Root CA is trusted.

Try opening the Certificates | PXE node in SCCM. Find the certificate that is not "blocked" and right-click to open it. Check the status of the CA certificate. I found that it was "Not Trusted" in my environment.

When I clicked the Install button and selected the Trusted Root Certification Authorities store, the certificate was then "valid" when I reopened it. My SMSPXE.log no longer reflected that the certificate was not set.

Step 4

Check that the following are set correctly:

Network Access Account Not Set

Go into the Client Policy in SCCM and set a Network Access Account. It sometimes "disappears" even after everything has been working fine, and then the OSD task sequence cannot access the content on the distribution point!

OSD Task Sequence: "There are no task sequences available for this computer"

OSD Task Sequence fails with "There are no task sequences available for this computer" if multiple machines have the same SMBIOS GUID

 

Issue: 

When attempting to deploy an operating system using OSD in System Center Configuration Manager 2007, the Task Sequence may fail with the following error:

There are no task sequences available for this computer.

If you look in the SMSTS.log you may also see the following error:

No assigned task sequence.

Setting wizard error: There are no task sequences available for this computer.

The SMSTS.log may also show the SMBIOS GUID as follows:

Setting SMBIOS GUID = 4C4C4544-0000-2010-8020-80C04F202020.

or

Setting SMBIOS GUID = 03000200-0400-0500-0006-000700080009.

Note: Analyzing the advertisement and the collection confirms that the target computer is in the collection the advertisement points to. Deleting the computer from the SCCM database and re-adding it to SCCM and the collection via the Import Computer Information wizard, using the MAC address or SMBIOS GUID, does not resolve the problem.

Cause:

The issue can be caused by there being more than one computer in the environment with the same SMBIOS GUID (aka System UUID). Similar to MAC Addresses, SMBIOS GUIDs should be unique on each computer and no two computers should have the same SMBIOS GUID. The SMBIOS GUID is stored in the computer's BIOS. Do not confuse the SMBIOS GUID with the SMS GUID. These are two separate, different, and distinct items.

The problem occurs because, when the SCCM database is queried for the task sequences advertised to a PC, the lookup first uses the computer's SMBIOS GUID. Each record in the SCCM database stores the computer's SMBIOS GUID in the System UUID field. Only if no record matches the SMBIOS GUID does the lookup fall back to the MAC address.

However, if multiple computers in the environment share the same SMBIOS GUID in the SCCM database, the lookup may find the record of a PC other than the one on which the task sequence is being initiated. It then queries policy for that other PC, and if that other PC has no task sequence advertised to it, it returns that there are no task sequences available for this computer.

Resolution: 

To see if this problem exists in your environment, create a query or collection in SCCM based on the suspected duplicate SMBIOS GUID. If more than one computer has the same SMBIOS GUID then the problem exists in the environment and needs to be fixed at a hardware level. You will need to contact the OEM vendor for a fix.

I have found the following to resolve the problem (if you are doing a Build and Capture):

  • Verify the Reference machine does not already exist in a computer collection (Agent was once installed, etc…)
    • If so remove it.
  • Create a collection whose membership query uses the SMBIOS GUID shown in the SMSTS.log line "Setting SMBIOS GUID":
    • Attribute class: System Resource
    • Attribute: System UUID
    • Value: <Guid Value>
  • Advertise your task sequence to "Unknown Computers" Collection.

Additional Information: The SMBIOS GUID (aka System UUID) can be found in the SMSTS.log in the line:

"Setting SMBIOS GUID = "

It can also be found by inspecting the SMSPXE.log as the PC tries to PXE boot. In addition, it can also be obtained by hitting the Pause/Break key on the keyboard on the affected PC at the PXE boot screen. The SMBIOS GUID should be displayed somewhere on that screen.
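An added example, not part of the original post: a PowerShell function that pulls the "Setting SMBIOS GUID = " value out of SMSTS.log lines collected from several machines and reports any GUID shared by more than one machine, which is the duplicate condition the Cause section describes. The log lines and machine names are constructed; the first GUID is the value quoted in the post.

```powershell
# Added example, not code from the original post. Detects duplicate SMBIOS
# GUIDs (System UUIDs) across machines from their SMSTS.log contents.
# The log lines and machine names below are constructed for illustration.

function Get-SmbiosGuidFromLog {
    # Extracts every "Setting SMBIOS GUID = <guid>" value from a set of log lines.
    param([Parameter(Mandatory = $true)][string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match 'Setting SMBIOS GUID = ([0-9A-Fa-f\-]{36})') {
            $Matches[1].ToUpperInvariant()
        }
    }
}

function Find-DuplicateSmbiosGuid {
    # $Logs: hashtable of <machine name> -> array of SMSTS.log lines.
    # Returns one row per GUID that more than one machine reported.
    param([Parameter(Mandatory = $true)][hashtable]$Logs)
    $seen = @{}
    foreach ($machine in $Logs.Keys) {
        $guids = Get-SmbiosGuidFromLog -LogLines $Logs[$machine] | Select-Object -Unique
        foreach ($guid in $guids) {
            if (-not $seen.ContainsKey($guid)) {
                $seen[$guid] = New-Object System.Collections.ArrayList
            }
            [void]$seen[$guid].Add($machine)
        }
    }
    foreach ($guid in $seen.Keys) {
        if ($seen[$guid].Count -gt 1) {
            [pscustomobject]@{ SmbiosGuid = $guid; Machines = ($seen[$guid] -join ', ') }
        }
    }
}

# Constructed sample: PC-01 and PC-02 report the GUID quoted in the post,
# PC-03 reports a unique one. Only the shared GUID should be listed.
$sample = @{
    'PC-01' = @('Setting SMBIOS GUID = 4C4C4544-0000-2010-8020-80C04F202020.')
    'PC-02' = @('Setting SMBIOS GUID = 4C4C4544-0000-2010-8020-80C04F202020.')
    'PC-03' = @('Setting SMBIOS GUID = 7A1B2C3D-1111-2222-3333-444455556666.')
}
Find-DuplicateSmbiosGuid -Logs $sample | Format-Table -AutoSize

# For comparison, the SMBIOS GUID of the machine running this script, as
# reported by WMI (the same value the firmware exposes at the PXE screen).
(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID
```

Feeding the function real SMSTS.log files (`Get-Content` per machine) gives the same duplicate check the post suggests building as an SCCM collection, without touching the site database.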

Getting Started with FIM 2010

The following resources are available for Getting Started with FIM 2010

Task Sequence Error 0x80004005

Issue: During an Operating System Build / Capture task, you receive the following error upon the Configure Windows task.
Task Sequence:  %TaskName% has failed with the error code (0x80004005).  For more information, please contact your system administrator or helpdesk operator.

Resolution: This might be caused by the product activation code for Windows Vista/Windows 7. Try once without any activation code and, if that works, add the activation code to the file \source\pid.txt.

Thursday, May 13, 2010

Kernel-Processor-Power EventID 37

On some of our HP DL360G6 servers, the following warning (event ID 37) showed up in the System event log of Windows Server 2008 R2:

Log Name:      System
Source:        Microsoft-Windows-Kernel-Processor-Power
Date:          <date>
Event ID:      37
Task Category: (7)
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:      <servername>
Description:
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 2139 seconds since the last report.

To solve this error, do the following:

  1. In Windows, check your Power Options. Make sure that your Power Scheme is set to High Performance, and check that every option is set to “Always On”.
  2. Make sure you have installed all latest drivers and firmware, especially for your motherboard and CPU.
  3. Reboot your computer and go to your BIOS settings. Make sure that your power settings are set to maximum. This differs from computer to computer.

If the warning occurs on an HP server, set the Minimum Processor Idle Power State to “No C-states”:

  1. Enter the BIOS by pressing F9 during POST.
  2. Navigate to “Power Management Options” => “Advanced Power Management Options” => “Minimum Processor Idle Power State”.
  3. Choose “No C-States”.
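An added example, not code from the original post: a PowerShell function that sums the "reduced performance state for N seconds" values from Kernel-Processor-Power event 37 entries per processor, so you can see how much throttling the firmware has imposed before and after the BIOS change, and prints the active power scheme for step 1. It assumes Windows Server 2008 R2 or later (Get-WinEvent) and the message wording shown above.

```powershell
# Added example, not code from the original post. Summarises firmware
# throttling reported by Kernel-Processor-Power event 37 and shows the
# active power scheme. Assumes the event message wording quoted above.

function Get-FirmwareThrottleSummary {
    # Returns one row per processor with the total seconds spent in the
    # reduced performance state over the last $Days days.
    param([int]$Days = 7)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Processor-Power'
        Id           = 37
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $seconds = @{}
    $count   = @{}
    foreach ($e in $events) {
        # Message as in the post: "The speed of processor 0 in group 0 is being
        # limited by system firmware. The processor has been in this reduced
        # performance state for 2139 seconds since the last report."
        if ($e.Message -match '(?s)processor (\d+) in group (\d+).*?for (\d+) seconds') {
            $key = "group $($Matches[2]) processor $($Matches[1])"
            $seconds[$key] = [int]$seconds[$key] + [int]$Matches[3]
            $count[$key]   = [int]$count[$key] + 1
        }
    }
    foreach ($key in ($seconds.Keys | Sort-Object)) {
        [pscustomobject]@{
            Processor        = $key
            Events           = $count[$key]
            ThrottledSeconds = $seconds[$key]
            ThrottledHours   = [math]::Round($seconds[$key] / 3600, 2)
        }
    }
}

Get-FirmwareThrottleSummary -Days 7 | Format-Table -AutoSize

# Step 1 of the fix above: the active scheme should be High performance.
powercfg -getactivescheme
```

Run it again after changing the BIOS setting; with "No C-states" in effect no new event 37 entries should accumulate for the affected processors.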