[Update2] FIM 2010 and Exchange 2010 Provisioning and which Account must be Member of the Exchange Recipient Administrators Group?

Posted on February 10, 2012 by Dominik Zemp

With this short blog, I would like to point you to another confusing statement that you can find in the article on http://technet.microsoft.com/en-us/magazine/ff472471.aspx:

image

If you just add the service account to the Exchange Recipient group, you will see the following error event in EventLog (and of course, the run profile will stop/fail with the error stopped-extension-dll-exception).

There is an error in Exch2010Extension BeginExportToCd() function.Type: System.Management.Automation.Remoting.PSRemotingTransportException

Message:

“Microsoft.MetadirectoryServices.ExtensionException: Processing data from remote server failed with the following error message: The user “<domain>/<ADMAAccount>” isn’t assigned to any management roles. For more information, see the about_Remote_Troubleshooting Help topic.

So based on the error, it’s clear that you have to add the account used for the Active Directory Management Agent to the Exchange Recipient Administrators group, instead of the FIM Sync Service service account.

Posted in Forefront, Forefront|Forefront Identity Manager | Tagged | Leave a comment

[Update] BitLocker and How To Change the User PIN

Posted on February 9, 2012 by Dominik Zemp

I’ve just seen that this blog post about BitLocker and how a Windows standard user can change the PIN got many hits in the last couple of days. So I’ve just decided to write a short update on that topic…

My old blog (http://blog.gocloud-security.ch/2009/12/09/bitlocker-and-how-to-change-the-user-pin/) describes a possible solution/approach with a custom service or process that calls the manage-bde command. Now, since a couple of month, there is a much smarter way to allow your Windows standard users to change the BitLocker PIN – MBAM (Microsoft BitLocker Administration and Monitoring)!

MBAM has been released in August 2011 as part of MDOP and integrates different capabilities that have been missed with BitLocker. For example a helpdesk key recovery UI, single recovery keys (the MBAM client will create a new key once a BitLocker recovery key has been exposed), and different audit and compliance reports.

You can find a technical slide deck with all required information about MBAM
on http://media.ch9.ms/teched/na/2011/ppt/WCL317.pptx.

Posted in Uncategorized, Windows BitLocker | Leave a comment

A Solution for Private Cloud Security

Posted on January 22, 2012 by Dominik Zemp

And a next blog based on the recent announcements of Microsoft.

The A Solution for Private Cloud Security is a series of three papers on private cloud security. And is therefore a part of a collection of documents comprise the Reference Architecture for Private Cloud documentation set.

The current version of the A Solution for Private Cloud Security considers the security aspects of design and create robust and comprehensive private and hybrid cloud environments and consists of the following three papers:

  • Blueprint for A Solution for Private Cloud Security
  • Design Guide for A Solution for Private Cloud
  • Operations Guide for A Solution for Private Cloud

You can download all three documents in Word format as well, on http://gallery.technet.microsoft.com/A-Solution-for-Private-67209ab1.

Posted in Uncategorized | Tagged | Leave a comment

Free Microsoft Private Cloud Training

Posted on January 21, 2012 by Dominik Zemp

After Microsoft’s announcement of the new System Center 2012 wave, a true private cloud builder, Microsoft offers a free 2-day virtual training event to help the world learn about the upcoming enhancements with the Creating & Managing a Private Cloud with System Center 2012 Jump Start.

You can find more information about this free training on http://blogs.technet.com/b/server-cloud/archive/2012/01/20/free-microsoft-private-cloud-training.aspx

And information about System Center 2012 and the new capabilities to build a private cloud can be found on http://blogs.technet.com/b/server-cloud/archive/2012/01/17/system-center-2012-a-true-private-cloud-builder.aspx.

Posted in Uncategorized | Tagged | Leave a comment

FIM 2010 Community Resources

Posted on January 19, 2012 by Dominik Zemp

I thought it would be nice to blog about all the awesome community-related FIM activities/resources. So let’s kick off…

… and more with a next update!

Posted in Forefront, Forefront|Forefront Identity Manager | Tagged | Leave a comment

Rollup 1 for Forefront UAG 2010 Service Pack 1 Update 1

Posted on January 12, 2012 by Dominik Zemp

Today, Microsoft released a first rollup package for UAG 2010 SP1 Update 1. You can find a list of all fixes that are included in the rollup 1 on http://support.microsoft.com/kb/2647899.

Oh and yes, a rollup 1 for TMG 2010 SP2 has been published as well: http://support.microsoft.com/kb/2649961

Posted in Forefront, Forefront|TMG, Forefront|UAG | Tagged | Leave a comment

[Update] FIM 2010 and Exchange 2010 Provisioning

Posted on December 23, 2011 by Dominik Zemp

Last year, I wrote a first blog (http://blog.gocloud-security.ch/2010/05/13/fim-2010-and-exchange-2010-provisioning) about Exchange 2010 provisioning with FIM 2010 (codeless or not). Now, I’m currently working on a project where one requirement is the quick’n’dirty provisioning of mail-enabled users (please do not mistake a mail-enabled user with a mailbox user!).

The link that I used in my past blog was the one pointing to the TechNet magazine (http://technet.microsoft.com/en-us/magazine/ff472471.aspx). And one point which really confused me was the following:

image

Based on another table, the following attributes are required for a mail-enabled user:image

Another interesting point is the following:image

Now, wait a second… does that mean that I have to set the msExchHomeServerName as well when using Exchange 2010?? And should I use the ExchangeUtils class (of the Microsoft.MetadirectoryServicesEx) and especially the overloaded CreateMailEnabledUser() method? The answer is simple NO – for both questions!

First of all, have a look at the source code of the ExchangeUtils.CreateMailEnabledUser() method (btw, I used the free dotPeek from JetBrains as decompiler):image

So no magic! What the CreateMailEnabledUser() method really does is set the two attributes – the mailNickname and targetAddress – that’s all! But there is another important part as well – the objectType = “user”; line. You are fine with that as long as you use the user class (default in Active Directory) when provisioning the user objects. But that’s not the case in the current project (where we use a custom class in the schema) and therefore anyway a no-go for the CreateMailEnabledUser() method!

Posted in Forefront, Forefront|Forefront Identity Manager | Tagged , | Leave a comment

A Guide to Claims-Based Identity and Access Control, Second Edition–Downloadable eBook

Posted on December 18, 2011 by Dominik Zemp

The phenomenal resource (book) ‘A Guide to Claims-Based Identity and Access Control’ has been renewed and published on MSDN a couple of weeks ago. This resource is the best I’ve ever seen for claims-based authentication and in particular AD FS 2.0! Every second invested in reading this book is more than worth the time!

You can find the online version of the 2nd edition on:

But now the reason of this post – in addition to the online version, there is now downloadable PDF version of the 2nd edition. You can download it from:

So the last thing that is missing is a printed version of the book… for those of you who want to read it under the Christmas tree. Smile

Posted in Active Directory Federation Services (AD FS) 2.0, Windows Azure, Windows Azure|Access Control Service, Windows Azure|Windows Azure Active Directory | Tagged , , , | Leave a comment

Windows Azure Active Directory

Posted on December 12, 2011 by Dominik Zemp

A really interesting “change” in the name of one of the Windows Azure components, not particular from a content point of view. Read the lines below:

Windows Azure Active Directory is a cloud service that provides identity and access capabilities for applications on Windows Azure and Microsoft Office 365. Windows Azure Active Directory is the multi-tenant cloud service on which Microsoft Office 365 relies on for its identity infrastructure.
 
Windows Azure Active Directory utilizes the enterprise-grade quality and proven capabilities of Active Directory, so you can bring your applications to the cloud easily.  You can enable single sign-on, security enhanced applications, and simple interoperability with existing Active Directory deployments using Access Control Service (ACS), a feature of Windows Azure Active Directory.

Maybe this indicates the direction of the journey… But anyway, at the moment the Windows Azure Active Directory is just the cloud implementation of AD FS 2.0 (with some custom capabilities).

Read the full article on  http://www.windowsazure.com/en-us/home/tour/access-control/

Posted in Office 365, Windows Azure, Windows Azure|Access Control Service, Windows Azure|Windows Azure Active Directory | Tagged , , | 1 Comment

Web-based Self-Service Password Reset with FIM 2010 R2

Posted on December 9, 2011 by Dominik Zemp

With this blog, I want to highlight some of the very interesting articles about one of the new features of FIM 2010 R2 – the web-based self-service password reset.

Articles from Anthony Ho:

Articles from Paul Williams:

Articles from Patrick Layani:

 

And finally, the Evaluation Guide on TechNet: http://technet.microsoft.com/en-us/library/hh322874(WS.10).aspx

Posted in Forefront, Forefront|Forefront Identity Manager | Tagged | Leave a comment