Microsoft Forefront Identity Manager 2010 R2 Handbook (e-book)

Author: Kent Nordström

Publisher: Packt Publishing

Publication date: 2012-08-24

Word count: 2.545 million

Throughout the book, we will follow a fictional company; this case study will help you implement FIM 2010 R2. All the examples in the book relate to this fictional company, and you will be taken from design, to installation, to configuration of FIM 2010 R2. If you are implementing and managing FIM 2010 R2 in your business, then this book is for you. You will need a basic understanding of Microsoft-based infrastructure using Active Directory. If you are new to Forefront Identity Management, the case-study approach of this book will help you understand the concepts and implement them.
Microsoft Forefront Identity Manager 2010 R2 Handbook

Table of Contents

Microsoft Forefront Identity Manager 2010 R2 Handbook

Credits

About the Author

About the Reviewers

www.PacktPub.com

Support files, eBooks, discount offers and more

Why Subscribe?

Free Access for Packt account holders

Instant Updates on New Packt Books

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Errata

Piracy

Questions

1. The Story in this Book

The Company

The challenges

Provisioning of users

Identity lifecycle procedures

Highly Privileged Accounts (HPA)

Password management

Traceability

The solutions

Implement FIM 2010 R2

Start using smart cards

Implement federation

The environment

Moving forward

Summary

2. Overview of FIM 2010 R2

The history of FIM 2010 R2

FIM Synchronization Service (FIM Sync)

Management Agents

Non-declarative vs. declarative synchronization

Password synchronization

FIM Service Management Agent

FIM Service

Request pipeline

FIM Service Management Agent

Management Policy Rules (MPRs)

FIM Portal

Self Service Password Reset (SSPR)

FIM Reporting

FIM Certificate Management (FIM CM)

Certificate Management portal

Licensing

Summary

3. Installation

Development versus production

Capacity planning

Separating roles

Databases

FIM features

Hardware

Installation order

Prerequisites

Databases

Collation and languages

SQL aliases

FIM-Dev

SQL

SCSM

Web servers

FIM Portal

FIM Password Reset

FIM Certificate Management

Service accounts

Kerberos configuration

SETSPN

Delegation

System Center Service Manager Console

Installation

FIM Synchronization Service

FIM Service and FIM Portal

FIM Password Reset portal

FIM Certificate Management

SCSM management

SCSM Data Warehouse

Post-installation configuration

Granting FIM Service access to FIM Sync

Securing the FIM Service mailbox

Disabling indexing in SharePoint

Redirecting to IdentityManagement

Enforcing Kerberos

Editing binding in IIS for FIM Password sites

Registering SCSM Manager in Data Warehouse

FIM post-install scripts for Data Warehouse

Summary

4. Basic Configuration

Creating Management Agents

Active Directory

Least privileged

Directory replication

Password reset

Creating AD MA

HR (SQL Server)

Creating SQL MA

Run profiles

Single or Multi step

Schema management

FIM Sync versus FIM Service schema

Object deletion in MV

Modifying FIM Service schema

FIM Service MA

Creating the FIM Service MA

Creating run profiles

First import

Filtering accounts

Initial load versus scheduled runs

Moving configuration from development to production

Maintenance mode for production

Disabling maintenance mode

Exporting FIM Synchronization Service settings

Exporting FIM Service settings

Exporting the FIM Service schema

Exporting the FIM Service policy

Generating the difference files

Generating the schema difference

Generating the policy difference

Importing to production

Importing custom code

Importing the Service schema difference

Importing the Synchronization Service settings

Importing the FIM Service policy

PowerShell scripts

Summary

5. User Management

Modifying MPRs for user management

Configuring sets for user management

Inbound synchronization rules

Outbound synchronization rules

Outbound synchronization policy

Outbound system scoping filter

Detected rule entry

Provisioning

Non-declarative provisioning

Managing users in a phone system

Managing users in Active Directory

userAccountControl

Provision users to Active Directory

Synchronization rule

Set

Workflow

MPR

Inbound synchronization from AD

Temporal Sets

Self-service using the FIM portal

Managers can see direct reports

Users can manage their own attributes

Managing Exchange

Exchange 2007

Exchange 2010

Synchronization rule for Exchange

Mailbox users

Mail-enabled users

Summary

6. Group Management

Group scope and types

Active Directory

FIM

Type

Scope

Member Selection

Manual

Manager-based

Criteria-based

Installing client add-ins

Add-ins and extensions

Modifying MPRs for group management

Creating and managing distribution groups

Importing groups from HR

FIM Service and Metaverse

Managing groups in AD

Security groups

Distribution groups

Synchronization rule

Set

Workflow

MPR

Summary

7. Self-service Password Reset

Anonymous request

QA versus OTP

Enabling password management in AD

Allowing FIM Service to set passwords

Configuring FIM Service

Security context

Password Reset Users Set

Password Reset AuthN workflow

Configuring the QA gate

The OTP gate

Require re-registration

SSPR MPRs

The user experience

Summary

8. Using FIM to Manage Office 365 and Other Cloud Identities

Overview of Office 365

DirSync

Federation

PowerShell or Custom MA

Using UAG and FIM to get OTP for Office 365

Summary

9. Reporting

Verifying the SCSM setup

Synchronizing data from FIM to SCSM

Default reports

The SCSM ETL process

Looking at reports

Allowing users to read reports

Modifying the reports

Summary

10. FIM Portal Customization

Components of the UI

Portal Configuration

Navigation Bar Resource

Search scopes

Usage Keyword

Search Definition

Results

Creating your own search scope

Filter Permissions

RCDC

Summary

11. Customizing Data Transformations

Our options

PowerShell

Classic rules extensions

SSIS

Workflow activities

Extensible Connectivity Management Agent

Managing Lync

Provision Lync Users

Managing multivalued attributes

Selective deprovisioning

The case with the strange roles

Summary

12. Issuing Smart Cards

Our scenario

Assurance level

Extending the schema

The configuration wizard

Create service accounts

Create certificate templates for FIM CM service accounts

FIM CM User Agent certificate template

FIM CM Enrollment Agent certificate template

FIM CM Key Recovery Agent certificate template

Enable the templates

Require SSL on the CM portal

Kerberos again!

Install SQL Client Tools Connectivity

Run the wizard

Backup certificates

Rerunning the wizard

The accounts

The database

Configuring the FIM CM Update Service

Database permissions

Configuring the CA

Installing FIM CM CA files

Configuring Policy Module

Installing the FIM CM client

FIM CM permissions

Service Connection Point

Users and groups

Certificate Template

Profile Template object

Profile Template settings

Allowing managers to issue certificates for consultants

Creating a Profile Template for consultant Smart Cards

Configuring permissions for consultant Smart Cards

John enrolls a Smart Card

RDP using Smart Cards

CM Management Agent

Summary

13. Troubleshooting

Reminder

Troubleshooting

Kerberos

Connected Data Sources

FIM Sync

FIM Service

Request errors

Sync errors

Reporting

FIM CM

Agent certificates

CA

FIM clients

Backup and restore

FIM Sync

FIM Service and Portal

FIM CM

Source code

Summary

A. Afterword

Index
