Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Archive for the ‘Forefront Identity Manager (FIM) Sync’ Category

(2013-05-12) Forefront Identity Manager 2010 R2 Developer Reference Guides

Posted by Jorge on 2013-05-12


Through the following links you can find the Developer Reference Guides for both FIM 2010 R2 and the Bhold Suite

  • Forefront Identity Manager 2010 R2 Service Developer Reference
    • The FIM 2010 R2 Service includes solutions for management of users, access, credentials, and policies. FIM 2010 R2 Service improves operational efficiency by automating common identity lifecycle management tasks and providing self-help solutions to end users. It provides self-service identity and access management capabilities such as password reset. It can be extended through the use of web service APIs, by modifying the object schema, and by creating custom workflows and activities. New to the Forefront Identity Manager 2010 R2 Service is the SSPR SMS provider, which provides a solution for sending one-time passwords to mobile phones.
  • Forefront Identity Manager 2010 R2 Synchronization Service Developer Reference
    • FIM 2010 R2 Synchronization Service provides identity synchronization and user provisioning across multiple directories. FIM 2010 R2 Synchronization Service now includes an updated extensible management agent framework that allows for the development of management agents that can access directories and data repositories not covered by the out-of-the-box management agents.
  • Forefront Identity Manager 2010 R2 BHOLD Developer Reference
    • Microsoft BHOLD Suite extends the capabilities of FIM 2010 R2 by adding role-based access control to FIM 2010 R2, enabling organizations to define user roles and to control access to sensitive data and applications in a way that is appropriate for those roles. BHOLD Suite includes services and tools that simplify the modeling of the role relationships within the organization, map those roles to rights, and verify that the role definitions and associated rights are correctly applied to users. These capabilities are fully integrated with FIM 2010, providing a seamless experience for end users and IT staff alike. BHOLD also provides a Web service API, which developers may use to create custom applications that interact with BHOLD. These applications can be developed in any .NET language or by using Active Server Pages and VBScript.
  • Forefront Identity Manager 2010 R2 Certificate Management Developer Reference
    • FIM also provides sophisticated credential management features for both Windows Server and third-party certification authorities (CAs) by acting as an administrative proxy. Once installed within an organization, all digital certificate and smart card management functions pass through FIM.

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Design Guides, Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2013-04-23) A Hotfix Rollup Package (Build 4.1.3441.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2013-04-23


Microsoft has released a new hotfix rollup package for FIM 2010 R2. To download the hotfix or for more details, see: KB2832389.

-

Known issues in this update:

Synchronization Service
After this update is installed, rules extensions and custom management agents (MAs) that are based on the Extensible MA framework (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you have changed the configuration file MIIServer.exe.config, Mmsscrpt.exe.config, or Dllhost.exe.config. For example, you edited MIIServer.exe.config to change the default batch size for processing sync entries for the FIM Service MA.
In this case, the synchronization engine installer for this update intentionally does not replace the configuration file, to avoid deleting your previous changes. Because the configuration file is not replaced, the assembly binding redirect that this update requires is missing from the file, and the synchronization engine will not load any rules extension DLLs when it runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:

  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:
    <dependentAssembly>
      <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
      <bindingRedirect oldVersion="3.3.0.0-4.1.2.0" newVersion="4.1.3.0" />
    </dependentAssembly>
  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config file in the parent directory. Repeat steps 1 through 4 for these two files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.
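Doing the steps above by hand on three files is error-prone, and a plain text search-and-replace can silently corrupt a config file. The script below is an added example (not from the KB and not from this blog) that applies the same change with the XML API, keeps a timestamped backup of each file, and cross-checks the redirect target against the assembly version of the contract DLL actually installed. The default Bin path, the registry-free approach and the service restart at the end are assumptions for a default FIM 2010 R2 installation; the assemblyBinding namespace is the standard one .NET uses for binding redirects.

```powershell
# Added example: apply the KB2832389 binding redirect to MIIServer.exe.config,
# Mmsscrpt.exe.config and Dllhost.exe.config with backups and a version cross-check.
# ASSUMPTION: default install path below; adjust -BinPath for your server.
Param(
    [string] $BinPath    = "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin",
    [string] $OldVersion = "3.3.0.0-4.1.2.0",
    [string] $NewVersion = "4.1.3.0"
)

$asmNs   = "urn:schemas-microsoft-com:asm.v1"     # namespace of <assemblyBinding> in .NET config files
$asmName = "Microsoft.MetadirectoryServicesEx"
$token   = "31bf3856ad364e35"
$files   = @(
    (Join-Path $BinPath "MIIServer.exe.config"),
    (Join-Path $BinPath "Mmsscrpt.exe.config"),
    (Join-Path (Split-Path $BinPath -Parent) "Dllhost.exe.config")   # lives one level up, per the KB
)

function Set-MmsBindingRedirect {
    param([string] $ConfigPath)

    if (-not (Test-Path $ConfigPath)) { throw "Config file not found: $ConfigPath" }

    # Step 1: timestamped backup next to the original
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    Copy-Item $ConfigPath "$ConfigPath.$stamp.bak" -Force

    # Steps 2-3: edit the XML tree instead of the text so comments and other settings survive
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace("asm", $asmNs)

    $runtime = $xml.SelectSingleNode("/configuration/runtime")
    if ($runtime -eq $null) {
        $runtime = $xml.DocumentElement.AppendChild($xml.CreateElement("runtime"))
    }
    $binding = $runtime.SelectSingleNode("asm:assemblyBinding", $nsm)
    if ($binding -eq $null) {
        $binding = $runtime.AppendChild($xml.CreateElement("assemblyBinding", $asmNs))
    }
    $dep = $binding.SelectSingleNode("asm:dependentAssembly[asm:assemblyIdentity/@name='$asmName']", $nsm)
    if ($dep -eq $null) {
        $dep = $binding.AppendChild($xml.CreateElement("dependentAssembly", $asmNs))
    }

    # Replace the content of <dependentAssembly> with exactly what the KB specifies
    $dep.RemoveAll()
    $identity = $dep.AppendChild($xml.CreateElement("assemblyIdentity", $asmNs))
    $identity.SetAttribute("name", $asmName)
    $identity.SetAttribute("publicKeyToken", $token)
    $redirect = $dep.AppendChild($xml.CreateElement("bindingRedirect", $asmNs))
    $redirect.SetAttribute("oldVersion", $OldVersion)
    $redirect.SetAttribute("newVersion", $NewVersion)

    # Step 4: save
    $xml.Save($ConfigPath)
    Write-Host "Updated $ConfigPath (backup: $ConfigPath.$stamp.bak)"
}

# Sanity check before touching anything: the redirect target should match the assembly
# version of the contract DLL that the hotfix actually installed in the Bin folder
$dllPath = Join-Path $BinPath "$asmName.dll"
if (Test-Path $dllPath) {
    $dllVersion = [System.Reflection.AssemblyName]::GetAssemblyName($dllPath).Version.ToString()
    if ($dllVersion -ne $NewVersion) {
        Write-Warning "$asmName.dll reports assembly version $dllVersion, but the redirect targets $NewVersion"
    }
}

# Step 5: same edit for all three files
foreach ($f in $files) { Set-MmsBindingRedirect -ConfigPath $f }

# Steps 6-7: restart the engine and confirm it came back; then run your rules extensions
Restart-Service FIMSynchronizationService -Force
(Get-Service FIMSynchronizationService).Status
```

Run it from an elevated PowerShell prompt on the sync server. If the warning about a version mismatch appears, stop and check which build is really installed before changing the redirect, since pointing the redirect at a version that is not on disk produces the same "stopped-extension-dll-load" status the KB describes.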

-

Issues that are fixed or features that are added in this update

FIM Synchronization service

Issue 1

The Active Directory Management Agent (AD MA) would stop if there was an issue during Exchange provisioning, including data errors. After this update is installed, the AD MA stops only on a critical error from which it cannot recover.

-

Issue 2

If several AD MAs target the same forest, the same object can appear in more than one MA. When a password change came in from PCNS, the configured password source setting was not honored, which caused random requests to fail.

-

Issue 3

If the FIM Service MA has several reference attributes that are not selected in "Select Attributes", the Synchronization Service would still process them, which affected performance.

-

Issue 4

Doing a delta import on the FIM Service MA where there is an update to a single-valued reference attribute, and the same attribute already has a change that has not yet been synchronized, caused a "stopped-ma" error.

-

Issue 5

For ECMA2 Connectors, empty reference attribute data could crash the Synchronization Service during the reference retry phase.

-

Issue 6

When an error is returned for an object during an add in ECMA2, the interface expected the anchor to be returned. That value is not always available in failure cases.

-

Issue 7

During Schema Refresh on an ECMA2 Connector, the UI did not prompt for encrypted parameters (for example, a password). Any Connector that depends on that information to connect to the server and obtain the schema would fail.

-

Issue 8

An export-only ECMA2 did not correctly handle errors returned from the Connector. This resulted in the error "The image or delta doesn't have an anchor."

-

Issue 9

When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.

-

Issue 10

Flowing a constant value of 0 or 1 to a number attribute by using classic attribute flows caused an error in the UI "Import Attribute Validation Error."

-

Issue 11

Adding a value to a reference attribute by using scripted code throws the error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1. This is an example of code that fails:

csentry["member"].Values.Add(<string>)
-

Issue 12

When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes. For example, this problem might occur with a custom password extension during password synchronization.

-

Feature 1

The Synchronization Service’s contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.

Feature 2

This release includes ECMA2.2 which has several new features added.

This includes the following:

  • A new capabilities page and calling the capabilities later in the flow. It is now possible to ask the user for information and connect to the target directory and use that information for the Connector’s capabilities.
  • Support is added for using the DN as the anchor for LDAP-based directories, and for not providing the object type for update and delete operations in delta import.

Additional details can be found on the Microsoft Developer Network (MSDN) website for ECMA2.

-

FIM Certificate Management

Issue 1

Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.

-

Issue 2

The ability to print photos is added by using ID Works. In order to print a photo, add the following to the field mappings:

{User!attribute!binary}

-

Issue 3

Advanced search in the Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

-

Self-Service Password Reset

Issue 1

If a new password contains a string that would trip the ASP.NET request validator, such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client". To support these characters in a new password, open the Web.config file and find the following entry:

<add key="Base64EncodePasswordFields" value="false" />

Change the value to "true". Make sure that you update this for both password registration and password reset portal servers.

-

FIM BHOLD suite

Issue 1

In a special case, after the BHOLD connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in BHOLD. To address this issue, run the SQL script contained in the FIMBHOLD_KB2832389.zip file inside the hotfix download package.

-

Cheers,

Jorge


Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2013-02-19) A Hotfix Rollup Package (Build 4.1.3419.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2013-02-19


Microsoft has released a new hotfix rollup package for FIM 2010 R2. To download the hotfix or for more details, see: KB2814853.

-

This update fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

FIM Synchronization service

Issue 1

In some cases, the Exchange configuration options on the Active Directory Management Agent do not appear. These options will now always be visible even if Exchange is not detected in the source directory.

-

Issue 2

When Exchange post-processing PowerShell cmdlets are run during export on the Active Directory Management Agent, the host process can stop for many reasons. Previously, the Active Directory Management Agent continued the export but did not try to run the Exchange cmdlets. With the changed behavior in this fix, the export run is stopped so that the process can be restarted from where it ended.

-

Issue 3

The Synchronization Service crashes in certain scenarios when references to newly created objects are exported into an ECMA2 Connector (also known as "reference retry").

-

Issue 4

An ECMA1/XMA with call-based export crashes the Synchronization Service. This problem occurs in some scenarios in which the following conditions are true:

  • Reference attributes are constantly rejected by the target directory.
  • The Synchronization Service is trying to determine which value is causing the problem. It does this by trying to export a multivalued reference attribute as several individual changes (known as "fourth pass reference retry").

-

Issue 5

A full import might be stuck at the "Completing-Obsoletions" stage if the obsoletion of an object cascades into the obsoletion of related objects.

-

FIM service and portal

Issue 1

If a user who has access to advanced pages for a group (typically, an administrator) made a change to the object in this view, the group would contain invalid members. If the user was trying to delete the group, the system would be in a state in which no additional requests could be processed.

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2013-02-08) Parsing A Pending Exports Drop File And Viewing Changes Offline

Posted by Jorge on 2013-02-08


The following is quite a good post about parsing a pending exports drop file and viewing it in the PowerShell GridView.

-

SOURCE: FIM – CS Export XML Parser

-

<QUOTE SOURCE=”FIM – CS Export XML Parser”>

When implementing a new management agent or performing a mass change in FIM, I always want to be sure that any object exports are identified and intentional for all adds / updates / deletes. The Sync engine does a great job at showing this for a small number of objects. But what if you have hundreds, or even thousands of object adds/updates/deletes? What if you wanted to validate that a specific attribute or object isn't getting modified? How can we extract that information into a sortable/manageable form? Looking around on the forums and online, I've seen tools to report the statistics, but not the actual data. The closest I've seen was from http://www.wapshere.com/missmiis/using-powershell-to-parse-a-csexport-file

Say, I want to be able to see the following below but in a more manageable form.


Figure 1: Pending Exports (Adds, Modifies And Deletes)

-


Figure 2: Pending Export (Add) Of A Specific Object

-

(And, say I want to see what's happening for the 102 updates, 1 add, and 1 delete)


Figure 3: Run Profile Statistics For The “Export (Drop File And Stop Run)” Run Profile

-

At first I looked around to see what FIM was capable of in reporting this information. There seem to be 2 main options: either the Management Agent's "Drop File & Stop" on Export, or the CSExport.exe utility that comes with the Sync Engine. Both of these options create an XML file; however, they are subtly different from each other. Both are described in detail below.

-

CSEXPORT.EXE

This is the most powerful tool for exporting data out of the connector space. It comes with the FIM 2010 product and has a nice usage help to export only the information you're after. This tool will export all the connector space objects into an XML file containing "tower" holograms. These tower holograms represent what is pending import/export, escrowed, unapplied, etc.

An example of the command for exporting all pending export data from the FIM Service MA is shown below:

csexport.exe "FIM Service" "pendingExport.xml" /f:x /o:h

-

Figure 4: Using CSEXPORT

-

You can find this utility in the "Bin" folder of where the sync engine service is installed. Depending on the number of objects pending export, this will give you an XML document filtered on the pending exports (similar to searching the connector space on the MA for Pending Export). The hard part is making meaningful (and accurate) use of the generated XML document.

This is where I started experimenting, creating modifications in Test and exporting the data to determine how the objects are represented in XML document. Unfortunately there is no documentation I can find on the exact behavior of these holograms (such as what happens when you have an export error, and pending modifications). I ended up writing a c# console XML parser, based off my testing in DEV. I plan on making it more customizable, but for now it seems to work ok. The utility I wrote will take any pending export file as generated from the CSExport.exe program and transform the XML into a CSV format (quote encased, pipe-delimited). The first three columns “ID, ObjectType, OperationType” exist for all objects and should be self explanatory. The rest of the columns show all add/update/delete attributes for any objects being added/updated/deleted. Blank means that it doesn’t apply to the object or it’s not being updated.

The utility can be run with "-showmodifications" or just display what the values will be updated to. The difference is that showmodifications will display the "Old Value" as seen in the Sync Engine whenever possible (see image below).

Figure 5: Viewing The CSV Produced By The CSExportParse Utility In ShowModifications Mode (Download Link Available Later)

-

*note, there are some side effects with viewing the “-showmodifications” output due to the way line breaks are outputted, I’ll blog more about that later*

When run without the "-showmodifications" switch the output will be similar to the following image:

Figure 6: Viewing The CSV Produced By The CSExportParse Utility In Normal Mode (Download Link Available Later)

-

As you can see in the images above, I imported the file into Excel and can easily filter and group the data to show all changes queued up.

-

Download: CS Export Parser v1.0

*requires the .NET Framework 3.5

-

Drop File and Stop Run (Export – Run Profile)

At first I decided to give parsing this information in PowerShell from the Log Export a try. I wanted to write a script that would transform the XML file into CSV format which can be sorted, queried, and manipulated in other programs, such as Excel. The result will be a CSV file with at least 3 headers:

  1. “ID” – The connector-space “anchor” or unique identifier in the connector space
  2. “ObjectType” – The type of object (Person,Group,Contact) of the CS object
  3. “OperationType” – Defines what is happening to the object [being created/being updated/being deleted]

All additional header columns listed in the file are the attribute names themselves being added/updated and pertain only to the OperationType of add / update. *Note, the max number of columns added is based off the max number of attributes being added/modified on a single object. Also, any time an object has a blank attribute value (and the operation is update/add) it means that that particular attribute isn't going to be modified in the target system. Remember, this shows what's being updated; if the value is blank for a field, it doesn't mean it's being removed, just that the attribute wasn't touched for that object.

The XML information (in my opinion) is simpler to interpret than the csexport output. However, one annoying thing I discovered is that objectTypes don't seem to be defined for any updates or deletes (just adds). Therefore you would need to look back at the object's ID to determine what type of object it is. This isn't really the case for CSExport, as you can export almost any information (including the objectType) to build the report. Another limitation is that in my testing for custom management agents (ECMA), it shows all update operations as "Replace" and doesn't give any information as to what is being modified.

The script below can be used to generate the CSV file. *Note it doesn’t work with the CSExport utility.

Keep in mind that this is a work in progress…

NOTE FROM JORGE: the version of the code below can be used in a PowerShell script. I have been having issues with the script below when large amounts of data need to be read (e.g. 300,000 lines); I have to split it into multiple files of, for example, 40,000 lines to be able to read it. I still do not understand why this happens. The original script missed a declaration for $I = 0 in the update section.

# http://blog.fractalengine.com/fim-log-export-xml-parser/
# File Name: FIM-Sync-Engine-Parse-Export-Run-Log.ps1
# Parses the XML drop file written by an "Export (Drop File And Stop Run)" run profile
# and returns one object per pending add/update/delete, with one column per touched attribute.
Param(
    [Parameter(Mandatory=$true)]
    [string] $filePath,
    [Switch] $showModifications
)

function ProcessExportXML {
    $global:MainList = @()
    $global:Headers  = @("ID","ObjectType","OperationType")
    if (!(Test-Path $filePath)) { throw "Invalid path: $filePath" }
    try {
        [System.Xml.XmlDocument] $xml = New-Object System.Xml.XmlDocument
        $xml.Load($filePath)
        # Have to load the namespaces: the drop file uses a default namespace, so XPath needs a prefix for it
        $namespaceURI = $xml.mmsml.xmlns
        $ns = @{"e"=$namespaceURI}
        getAdds    -xml $xml -ns $ns
        getDeletes -xml $xml -ns $ns
        getUpdates -xml $xml -ns $ns -mods $showModifications
        $report = $global:MainList | select $global:Headers
        return $report
    }
    catch {
        # The original had an empty catch here, which silently returned nothing on any error
        throw
    }
}

function getUpdates($xml, $ns, $mods) {
    try {
        $updates = $xml | select-xml "//e:delta[@operation='update']" -Namespace $ns
        if ($updates -ne $null) {
            $totalUPD = $(if ($updates.count -gt 0) { $updates.count } else { 1 })
            $iUPD = 0   # progress counter (the declaration that was missing in the original)
            $updates | % {
                $node = $_.Node
                write-progress -Activity "Processing Updates" -Status $node.dn -PercentComplete ($iUPD / $totalUPD * 100)
                $obj = New-Object -TypeName System.Object
                $obj | Add-Member -MemberType NoteProperty -Name "ID"            -Value $node.dn
                # The drop file does not carry the object type on updates, only on adds
                $obj | Add-Member -MemberType NoteProperty -Name "ObjectType"    -Value $null
                $obj | Add-Member -MemberType NoteProperty -Name "OperationType" -Value $node.operation
                # Get attributes; each <attr> carries its own operation (add/update/delete)
                $node.attr | % {
                    $item = $_
                    if ($global:Headers -notcontains $item.name) { $global:Headers += $item.name }
                    switch ($item.operation) {
                        "update" {
                            if ($mods) {
                                # Need to fix this, not sure how to handle multivalue attributes with modifications
                                if ($item.multivalued -eq $true) {
                                    $stringBuilder = ""
                                    $valuesAdded   = ($item.value | where { $_.operation -eq "add" })
                                    $valuesRemoved = ($item.value | where { $_.operation -eq "delete" })
                                    $valuesRemoved | % { $attributeValue = $_."#text"; $stringBuilder += "Removed: [$attributeValue]`r`n" }
                                    $valuesAdded   | % { $attributeValue = $_."#text"; $stringBuilder += "Added: [$attributeValue]`r`n" }
                                    $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $stringBuilder.trim()
                                } else {
                                    $old = ($item.value | where { $_.operation -eq "delete" })."#text"
                                    $new = ($item.value | where { $_.operation -eq "add" })."#text"
                                    $stringBuilder = "Old: [$old]`r`nNew: [$new]"
                                    $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $stringBuilder.trim()
                                }
                            } else {
                                if ($item.multivalued -eq $true) {
                                    $stringBuilder = ""
                                    $valuesAdded = ($item.value | where { $_.operation -eq "add" })
                                    $valuesAdded | % { $attributeValue = $_."#text"; $stringBuilder += "$attributeValue;" }
                                    $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $stringBuilder.trim()
                                } else {
                                    $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value (($item.value | where { $_.operation -eq "add" })."#text")
                                }
                            }
                        }
                        "delete" {
                            $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value "[deleted]"
                        }
                        "add" {
                            if ($item.multivalued -eq $true) {
                                $stringBuilder = ""
                                $item.value | % { $stringBuilder += "$_;" }
                                $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $stringBuilder
                            } else {
                                $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $item.value
                            }
                        }
                    }
                }
                $global:MainList += $obj
                $iUPD++
            }
        }
    }
    catch { write-host "Error! $_" }
}

function getAdds($xml, $ns) {
    try {
        $adds = $xml | select-xml "//e:delta[@operation='add']" -Namespace $ns
        if ($adds -ne $null) {
            $totalADD = $(if ($adds.count -gt 0) { $adds.count } else { 1 })
            $iADD = 0
            $adds | % {
                $node = $_.Node
                write-progress -Activity "Processing Adds" -Status $node.dn -PercentComplete ($iADD / $totalADD * 100)
                $obj = New-Object -TypeName System.Object
                $obj | Add-Member -MemberType NoteProperty -Name "ID"            -Value $node.dn
                $obj | Add-Member -MemberType NoteProperty -Name "ObjectType"    -Value $node."primary-objectclass"
                $obj | Add-Member -MemberType NoteProperty -Name "OperationType" -Value $node.operation
                # Get attributes: on an add every attribute is new, so there is no per-attribute operation
                $node.attr | % {
                    $item = $_
                    if ($global:Headers -notcontains $item.name) { $global:Headers += $item.name }
                    if ($item.multivalued -eq $true) {
                        $stringBuilder = ""
                        $item.value | % { $stringBuilder += "$_;" }
                        $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $stringBuilder
                    } else {
                        $obj | Add-Member -MemberType NoteProperty -Name $item.name -Value $item.value
                    }
                }
                $global:MainList += $obj
                $iADD++
            }
        }
    }
    catch { write-host "Error! $_" }
}

function getDeletes($xml, $ns) {
    try {
        $deletes = $xml | select-xml "//e:delta[@operation='delete']" -Namespace $ns
        if ($deletes -ne $null) {
            $totalDEL = $(if ($deletes.count -gt 0) { $deletes.count } else { 1 })
            $iDEL = 0
            $deletes | % {
                $node = $_.Node
                write-progress -Activity "Processing Deletes" -Status $node.dn -PercentComplete ($iDEL / $totalDEL * 100)
                $obj = New-Object -TypeName System.Object
                $obj | Add-Member -MemberType NoteProperty -Name "ID"            -Value $node.dn
                $obj | Add-Member -MemberType NoteProperty -Name "ObjectType"    -Value $null
                $obj | Add-Member -MemberType NoteProperty -Name "OperationType" -Value $node.operation
                $global:MainList += $obj
                $iDEL++
            }
        }
    }
    catch { write-host "Error! $_" }
}

ProcessExportXML

-

To use this you would simply run the "Log Export" from your MA, then copy this code into a PowerShell console and specify the filePath to the XML document generated from the MA.

.\FIM-Sync-Engine-Parse-Export-Run-Log.ps1 -filePath "<Source XML File>"
.\FIM-Sync-Engine-Parse-Export-Run-Log.ps1 -filePath "<Source XML File>" | Out-GridView

OR

.\FIM-Sync-Engine-Parse-Export-Run-Log.ps1 -filePath "<Source XML File>" -showModifications
.\FIM-Sync-Engine-Parse-Export-Run-Log.ps1 -filePath "<Source XML File>" -showModifications | Out-GridView

-

The "ShowModifications" mode will show the "old & new" attribute values in each cell. Once done you can pipe the $report to an Export-Csv cmdlet to write its contents out to a file, or just to Out-GridView to display it within a PowerShell gridview. This is useful if you plan to use Excel to filter and sort the objects. With the first command you will see something like this:

Figure 7: Viewing The Output In PowerShell GridView When Running In Normal Mode

-

With the “-showModifications” switch it will look more like the following

Figure 8: Viewing The Output In PowerShell GridView When Running In ShowModifications Mode

-

</QUOTE SOURCE=”FIM – CS Export XML Parser”>
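The quoted post turns the drop file into a flat CSV; what a reviewer usually wants first is a summary of what a pending export will touch, with the changes that affect access (group membership, account control flags, mail routing) pulled out for a human to sign off before the real export run. The script below is an added example, not part of the quoted post and not this blog's script. It relies on the same drop-file layout the parser above does (an mmsml root with a default namespace, delta elements with operation and dn, attr elements with name/multivalued/operation, value elements carrying an operation on updates). The embedded sample drop file, its namespace URI, the DNs and the watch list are constructed for the demonstration; point $doc.Load at a real drop file and adjust the watch list for your environment.

```powershell
# Added example: summarize a pending-export drop file and flag security-relevant changes.
# CONSTRUCTED sample drop file (namespace URI and DNs are assumptions for the demo).
$sampleDropFile = @'
<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="export">
  <directory-entries>
    <delta operation="add" dn="CN=Alice Example,OU=Users,DC=contoso,DC=com" primary-objectclass="user">
      <attr name="sn" type="string" multivalued="false"><value>Example</value></attr>
      <attr name="userAccountControl" type="integer" multivalued="false"><value>512</value></attr>
    </delta>
    <delta operation="update" dn="CN=Bob Example,OU=Users,DC=contoso,DC=com">
      <attr name="title" type="string" multivalued="false" operation="update">
        <value operation="delete">Analyst</value>
        <value operation="add">Senior Analyst</value>
      </attr>
      <attr name="userAccountControl" type="integer" multivalued="false" operation="update">
        <value operation="delete">514</value>
        <value operation="add">512</value>
      </attr>
    </delta>
    <delta operation="update" dn="CN=Domain Admins,CN=Users,DC=contoso,DC=com">
      <attr name="member" type="reference" multivalued="true" operation="update">
        <value operation="add">CN=Bob Example,OU=Users,DC=contoso,DC=com</value>
        <value operation="delete">CN=Carol Example,OU=Users,DC=contoso,DC=com</value>
      </attr>
    </delta>
    <delta operation="delete" dn="CN=Dave Example,OU=Users,DC=contoso,DC=com" />
  </directory-entries>
</mmsml>
'@

# Attributes whose change should be reviewed by a person before the export is allowed to run (assumed list)
$watchList = @("member", "userAccountControl", "accountExpires", "pwdLastSet", "adminCount", "proxyAddresses")

function Get-PendingExportSummary {
    param([System.Xml.XmlDocument] $Xml)

    # Same namespace trick as the parser script: prefix the default namespace for XPath
    $ns     = @{ e = $Xml.DocumentElement.NamespaceURI }
    $deltas = $Xml | Select-Xml "//e:delta" -Namespace $ns | ForEach-Object { $_.Node }

    $perOperation = @{}   # add/update/delete -> number of objects
    $perAttribute = @{}   # "attribute:operation" -> number of objects touching it
    $flagged      = @()   # one row per value change on a watched attribute

    foreach ($d in $deltas) {
        $perOperation[$d.operation] = 1 + [int]$perOperation[$d.operation]
        if ($d.operation -eq "delete") { continue }      # a delete carries no attributes
        foreach ($a in @($d.attr)) {
            if ($a -eq $null) { continue }
            # On an add the <attr> has no operation of its own; everything in it is new
            $op  = if ($a.operation) { $a.operation } else { "add" }
            $key = "$($a.name):$op"
            $perAttribute[$key] = 1 + [int]$perAttribute[$key]
            if ($watchList -contains $a.name) {
                foreach ($v in @($a.value)) {
                    # Values are plain strings on adds, <value operation="..."> elements on updates
                    if ($v -is [System.Xml.XmlElement]) { $vop = $v.operation; $vtext = $v.InnerText }
                    else                                 { $vop = "add";        $vtext = [string]$v }
                    $flagged += New-Object PSObject -Property @{
                        DN = $d.dn; Attribute = $a.name; Change = $vop; Value = $vtext
                    }
                }
            }
        }
    }
    New-Object PSObject -Property @{ Objects = $perOperation; Attributes = $perAttribute; Flagged = $flagged }
}

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($sampleDropFile)        # real run: $doc.Load("C:\path\to\dropfile.xml")
$summary = Get-PendingExportSummary -Xml $doc

"Objects per operation:";    $summary.Objects.GetEnumerator()    | Sort-Object Name | Format-Table -AutoSize
"Attribute changes:";        $summary.Attributes.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
"Changes that need review:"; $summary.Flagged | Format-Table DN, Attribute, Change, Value -AutoSize
```

On the sample this reports 1 add, 2 updates and 1 delete, and the review table lists the userAccountControl change on Bob's account (514 to 512, i.e. the account is being enabled) and the Domain Admins membership swap (Bob in, Carol out); those are the rows to check against the change ticket before the export run profile without "drop file and stop" is executed.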

-

Cheers,

Jorge


Posted in Forefront Identity Manager (FIM) Sync, PowerShell, Tooling/Scripting

(2013-02-08) Parsing A CSExport Generated XML File Into A Scoped CSV File

Posted by Jorge on 2013-02-08


I needed to research the CSExport output. However, that's an XML file and not really helpful in diagnosing the data in it. Converting it to a CSV so that it can be loaded into Excel is much, much better. So after some Google magic, I found Carol Wapshere's script. However, that script had two issues I needed to solve. First, it does not support multi-valued attributes, and I needed to diagnose the proxyAddresses attribute. Second, because the Get-Content cmdlet is used to read the XML file, it chokes if the XML file is too large. The error can be seen below.

Figure 1: Error Reading An XML File That's Too Large With The Get-Content Cmdlet

-

I added logic to the script to also process multi-valued attributes when applicable, and instead of using the Get-Content cmdlet I read the XML file as shown in the script below. I was not able to specify the "MaxCharactersInDocument" property when using the Get-Content cmdlet. The XML file I was reading was about 500 MB and it contained about 1000000000 characters. The method I use below does not have a limit and allows the "MaxCharactersInDocument" property to be configured if needed.

# Original Script By Carol Wapshere (http://www.wapshere.com/missmiis/using-powershell-to-parse-a-csexport-file)
# Script Rewrite By Jorge de Almeida Pinto (http://jorgequestforknowledge.wordpress.com/)
#
# Takes an XML file created by CSEXPORT, and produces a CSV file more suitable for opening in Excel.
# Supports both single-valued attributes and multi-valued attributes
#
# Before using the script:
# * Define the attributes of interest
# * Define the object types of interest. * means every object
Param(
    [Parameter(Mandatory=$true)]
    [string] $sourceXML,
    [string] $targetCSV
)

# List Of Attributes To Put In The CSV File. CHANGE THIS AS NEEDED!
# The First 5 Attributes Are Available For All Connector Spaces
$csvHeaderColumns = @("dn","connector-state","connector-type","mv-guid","object-type","givenName","sn","displayName","mail","mailNickname","legacyExchangeDN","proxyAddresses")

# Object Types Of Interest
$objectTypes = @("user")

# Read The Source XML File With XmlDocument Instead Of Get-Content (No Size Limit)
[System.Xml.XmlDocument] $xmlCSExportDoc = New-Object System.Xml.XmlDocument
$xmlCSExportDoc.Load($sourceXML)

# Check If CSV File Already Exists
If (Test-Path $targetCSV) { Remove-Item -Path $targetCSV -Force }

# Write The CSV Header To The CSV File
Add-Content $targetCSV ($csvHeaderColumns -join ",")

# Copy The Attributes Of A Hologram Into The Hash Table.
# Multi-Valued Attributes Are Joined With ";", Binary Multi-Valued Attributes Are Skipped.
# The Indexer Is Used Instead Of .Add() So A Repeated Attribute Name Does Not Abort The Script.
Function Add-HologramAttributes($hologram, $csObjectHashTable) {
    ForEach ($csObjectAttribute In $hologram.entry.attr) {
        If ($csObjectAttribute.multivalued -eq "false") {
            $csObjectHashTable[$csObjectAttribute.name] = $csObjectAttribute.value
        }
        If ($csObjectAttribute.multivalued -eq "true" -And $csObjectAttribute.type -ne "binary") {
            $multivaluedAttrValues = ""
            If ($csObjectAttribute.value -ne "" -And $csObjectAttribute.value -ne $null) {
                $multivaluedAttrValues = @($csObjectAttribute.value) -join ";"
            }
            $csObjectHashTable[$csObjectAttribute.name] = $multivaluedAttrValues
        }
    }
}

# Get The Information For The Scoped Objects
ForEach ($csObject In $xmlCSExportDoc."cs-objects"."cs-object") {
    If ($objectTypes -Contains $csObject."object-type" -Or $objectTypes -Contains "*") {
        $csObjectHashTable = @{}
        $csObjectHashTable["dn"]              = $csObject."cs-dn"
        $csObjectHashTable["connector-state"] = $csObject."connector-state"
        $csObjectHashTable["object-type"]     = $csObject."object-type"
        If ($csObject.connector -eq "0") {
            # Disconnector: No Metaverse Link, So Use The Unapplied Export Hologram
            $csObjectHashTable["connector-type"] = "disconnector"
            $csObjectHashTable["mv-guid"]        = ""
            Add-HologramAttributes $csObject."unapplied-export-hologram" $csObjectHashTable
        } Else {
            # Connector: Use The Synchronized Hologram And Record The Metaverse Object It Is Joined To
            $csObjectHashTable["connector-type"] = "connector"
            $csObjectHashTable["mv-guid"]        = $csObject."mv-link"."#text"
            Add-HologramAttributes $csObject."synchronized-hologram" $csObjectHashTable
        }
        # One Quoted Field Per Header Column (Empty When The Object Lacks The Attribute);
        # Embedded Quotes Are Doubled So Excel Parses The Line Correctly
        $csvFields = ForEach ($csvHeaderColumn In $csvHeaderColumns) {
            If ($csObjectHashTable.ContainsKey($csvHeaderColumn)) {
                '"' + ([string]$csObjectHashTable[$csvHeaderColumn]).Replace('"','""') + '"'
            } Else {
                '""'
            }
        }
        Add-Content $targetCSV ($csvFields -join ",")
    }
}

-

Before using the script you need to adjust two settings in it to your situation. This is shown below.

Figure 2: Configuring The Object Types And The Attributes To Be Parsed Into The CSV File

-

[1] Define the list of attributes you want to parse as an array. The first 5 attributes are available for all object types in every connector space.

[2] Define the object types you want to parse as an array (use "*" for every object type).

To execute the script, see below.

Figure 3: Using The Script

-

.\FIM-Sync-Engine-Parse-CSExport.ps1 -sourceXML <Source XML> -targetCSV <Target CSV>
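Added example, not part of Jorge's post: a smoke test that feeds the script a small constructed CSEXPORT-style XML file (one connector, one disconnector) and reads the resulting CSV back, so the column mapping can be checked before running it against a real connector space export. It assumes the script is saved as .\FIM-Sync-Engine-Parse-CSExport.ps1 (the name the post uses) and that the XML mirrors the elements the script reads; a real csexport file contains more elements than shown here.

```powershell
# Constructed sample input: the cs-object, holograms and attr elements are the ones the script reads
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<cs-objects>
  <cs-object cs-dn="CN=Alice Example,OU=Users,DC=corp,DC=example" object-type="user">
    <connector>1</connector>
    <connector-state>normal</connector-state>
    <mv-link lineage-type="provisioned">{11111111-2222-3333-4444-555555555555}</mv-link>
    <synchronized-hologram>
      <entry dn="CN=Alice Example,OU=Users,DC=corp,DC=example">
        <attr name="givenName" type="string" multivalued="false"><value>Alice</value></attr>
        <attr name="sn" type="string" multivalued="false"><value>Example</value></attr>
        <attr name="mail" type="string" multivalued="false"><value>alice@corp.example</value></attr>
        <attr name="proxyAddresses" type="string" multivalued="true">
          <value>SMTP:alice@corp.example</value>
          <value>smtp:alice.example@corp.example</value>
        </attr>
      </entry>
    </synchronized-hologram>
  </cs-object>
  <cs-object cs-dn="CN=Bob Example,OU=Users,DC=corp,DC=example" object-type="user">
    <connector>0</connector>
    <connector-state>normal</connector-state>
    <unapplied-export-hologram>
      <entry dn="CN=Bob Example,OU=Users,DC=corp,DC=example">
        <attr name="sn" type="string" multivalued="false"><value>Example</value></attr>
        <attr name="displayName" type="string" multivalued="false"><value>Example, Bob</value></attr>
      </entry>
    </unapplied-export-hologram>
  </cs-object>
</cs-objects>
'@

# Write the sample next to the CSV in the temp folder (paths are assumptions, change as needed)
$xmlPath = Join-Path $env:TEMP "csexport-sample.xml"
$csvPath = Join-Path $env:TEMP "csexport-sample.csv"
Set-Content -Path $xmlPath -Value $sampleXml -Encoding UTF8

# Run the script from the post on the sample
.\FIM-Sync-Engine-Parse-CSExport.ps1 -sourceXML $xmlPath -targetCSV $csvPath

# Import-Csv parses the quoted fields, so the ";"-joined multi-valued attribute comes back as one string;
# compare the rows with the sample: the connector carries an mv-guid, the disconnector an empty one
$rows = Import-Csv -Path $csvPath
$rows | Format-Table dn, "connector-type", "mv-guid", displayName, proxyAddresses -AutoSize
```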

-

The CSV file, opened in Excel, should then look similar to the following.

Figure 4: The CSV File In Excel

-

Happy diagnosing!

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in CSExport, Forefront Identity Manager (FIM) Sync, PowerShell, Tooling/Scripting

(2013-01-16) Deprecated Features In Future Releases Of FIM Synchronization Services

Posted by Jorge on 2013-01-16


Microsoft has published a list of current features within FIM Synchronization Services (in FIM 2010 R2) that will become deprecated in a future version of the product. If you are using FIM right now, plan to stop using those features if you want to be able to upgrade to future versions of FIM.

The list of deprecated features can be found through the following link: Deprecated Features And Planning For The Future

-

But now, what’s the definition of “next version” or “future release”? It could be a new major release, or maybe it could be some service pack or some update package. I think they (Microsoft) mean “new major release”, but I’m not sure. They do clearly state: “You should not use deprecated features in new applications”. If I were you I would take that advice!

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Sync

(2013-01-16) Technical References For FIM 2010 R2 And BHold

Posted by Jorge on 2013-01-16


Through the following links you can find the technical references for both FIM 2010 R2 and the Bhold Suite.

-

Cheers,
Jorge

Posted in Design Guides, Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2013-01-12) Service Pack 1 For Forefront Identity Manager 2010 R2 And BHold Has Been Released

Posted by Jorge on 2013-01-12


Microsoft has released Service Pack 1 for both Forefront Identity Manager 2010 R2 and BHold. The build number is 4.1.3114.0. It appears you can only download it from MSDN and/or TechNet. Be aware though that both MSDN and TechNet contain two versions of SP1: one version is integrated with the base FIM 2010 R2 installation and should only be used for new installs, and one version should only be used for existing installs. For BHold only one version exists, and that’s the one integrated with the base BHold installation. There appears to be no update for either PCNS or the BPA.

-

The KB number is KB2772429, however at the time of writing there is no article yet with detailed information. Most likely this KB article will be made available later.

-

The upgrade is quite straightforward. I just upgraded my test environment (everything on one machine). I started with the FIM Synchronization Service (the service needs to be stopped before the upgrade), then the FIM Certificate Management Service, then the FIM Service/Portal (the service needs to be stopped before the upgrade), followed by all available FIM Client components. If the FIM Portal URL is different from the site collection URL, make sure you can access the site collection URL prior to the upgrade of FIM Service/Portal.

-

Other blog posts writing about this:

-

UPDATE 2013-01-16:

-

UPDATE 2013-02-01:

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2012-09-10) A Hotfix Rollup Package (Build 4.1.2548.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2012-11-10


Microsoft has released a new hotfix rollup package for FIM 2010 R2.

-

This hotfix fixes a number of issues. More interestingly, it fixes an issue that was introduced by the previous hotfix. The previous hotfix rollup package (Build 4.1.2515.0) changes information in the Microsoft.MetadirectoryServicesEx.dll assembly file but does not change the file version number. Therefore, the file version numbers are mismatched when you try to update the file from version 4.1.2273.0 to version 4.1.2515.0.

After applying this hotfix, check that all custom code (rules extension DLLs and activities) still works as expected, just to be sure! If not, recompile it.

-

For more details see: http://support.microsoft.com/?id=2750671

-

Issues that are fixed and features that are added in this update

-

General

Issue

This hotfix addresses an issue in which the digital signature on files that are produced and signed by Microsoft will expire prematurely, as described in Microsoft Security Advisory 2749655

(http://technet.microsoft.com/en-us/security/advisory/2749655)

-

FIM Synchronization Service

Issue 1

Assume that FIM 2010 R2 evaluates the IIF function of an outbound synchronization rule as "Null." For example, FIM 2010 R2 evaluates the IIF function to the jobTitle attribute, and the jobTitle attribute of the metaverse (MV) object has no value. In this situation, the corresponding attribute of the connector space object is not deleted as expected during the synchronization process.

Issue 2

When the ExchangeUtils:CreateMailbox method receives the logon SID for an account, the method requires administrator permissions in Active Directory.

-

FIM Service

New feature

When the FIM password reset activity does not connect to Active Directory, the Windows Management Instrumentation (WMI) components return a code. The code explains the reason for this failure.

-

FIM Reporting

Issue

When you perform the "Transform.Common" job when FIM 2010 is operating under a heavy load, the job fails because of a time-out. The time-out occurs when the computer processes the TransformEntityRelatesToEntityFact module.

Common Component (Microsoft.MetadirectoryServicesEx.dll)

Issue

Hotfix rollup build 4.1.2515.2 changes information in the Microsoft.MetadirectoryServicesEx.dll assembly file but does not change the file version number. Therefore, the file version numbers are mismatched when you try to update the file from version 4.1.2273.0 to version 4.1.2515.0.
When this issue occurs, you may experience the following symptoms:

You cannot load and run a custom management agent.
You cannot create a new FIM service management agent.

Notes

After you apply this hotfix rollup, the version of the Microsoft.MetadirectoryServicesEx.dll assembly file is 4.0.3.0.
The Microsoft.MetadirectoryServicesEx.dll assembly file is included in both the FIM Synchronization service and the FIM Service setup files.

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2012-09-24) The MA Run Scheduler From The IDM Explorer Blog

Posted by Jorge on 2012-09-24


Søren Granfeldt, the IDM guy at the Identity Management Explorer, has created a replacement for MSFT’s MAsequencer. MSFT’s MAsequencer is available from the MIIS 2003 Resource Kit (now that’s old stuff!) but it is not compatible with FIM 2010 (R2). Søren basically created a similar command line version that does work with FIM 2010 (R2). To help Søren develop the tool with cool features, he needs feedback on what you think of it, including must/nice to haves. So, if you do use his MARunScheduler, make sure to provide feedback. You can do that through the following page: http://blog.goverco.com/p/marunscheduler.html

Thanks!

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Sync, Tooling/Scripting
