
Microsoft Forefront Identity Manager 2010 R2 Handbook

A complete handbook on FIM 2010 R2 covering both Identity and Certificate Management

Kent Nordstrom

PUBLISHING, BIRMINGHAM - MUMBAI

Table of Contents

Preface  1

Chapter 1: The Story in this Book  7
  The Company  7
  The challenges  8
    Provisioning of users  8
    Identity lifecycle procedures  8
    Highly Privileged Accounts (HPA)  8
    Password management  9
    Traceability  9
  The solutions  9
    Implement FIM 2010 R2  9
    Start using smart cards  10
    Implement federation  10
  The environment  11
  Moving forward  12
  Summary  13

Chapter 2: Overview of FIM 2010 R2  15
  The history of FIM 2010 R2  16
  FIM Synchronization Service (FIM Sync)  17
    Management Agents  19
    Non-declarative vs. declarative synchronization  20
    Password synchronization  20
    FIM Service Management Agent  21
  FIM Service  21
    Request pipeline  22
    FIM Service Management Agent  23
  FIM Portal  24
    Self Service Password Reset (SSPR)  24
  FIM Reporting  25
  FIM Certificate Management (FIM CM)  25
    Certificate Management portal  26
  Licensing  27
  Summary  28

Chapter 3: Installation  29
  Development versus production  29
  Capacity planning  30
    Separating roles  31
    Databases  31
    FIM features  31
    Hardware  32
  Installation order  32
  Prerequisites  34
    Databases  34
      Collation and languages  35
      SQL aliases  36
      FIM-Dev  38
      SQL  38
      SCSM  39
    Web servers  41
      FIM Portal  41
      FIM Password Reset  42
      FIM Certificate Management  44
    Service accounts  45
    Kerberos configuration  48
      SETSPN  50
      Delegation  52
    System Center Service Manager Console  52
  Installation  53
    FIM Synchronization Service  53
    FIM Service and FIM Portal  58
    FIM Password Reset portal  67
    FIM Certificate Management  70
    SCSM management  71
    SCSM Data Warehouse  76
  Post-installation configuration  80
    Granting FIM Service access to FIM Sync  80
    Securing the FIM Service mailbox  80
    Redirecting to IdentityManagement  81
    Enforcing Kerberos  81
    Editing binding in IIS for FIM Password sites  82
    Registering SCSM Manager in Data Warehouse  82
    FIM post-install scripts for Data Warehouse  87
  Summary  87

Chapter 4: Basic Configuration  89
  Creating Management Agents  90
    Active Directory  90
      Least privileged  91
      Directory replication  93
      Password reset  93
      Creating AD MA  93
    HR (SQL Server)  105
      Creating SQL MA  107
  Run profiles  116
    Single or Multistep  116
  Schema management  116
    FIM Sync versus FIM Service schema  116
    Object deletion in MV  117
    Modifying FIM Service schema  118
  FIM Service MA  120
    Creating the FIM Service MA  120
    Creating run profiles  127
  First import  128
    Filtering accounts  128
  Initial load versus scheduled runs  130
  Moving configuration from development to production  131
    Maintenance mode for production  132
    Disabling maintenance mode  133
    Exporting FIM Synchronization Service settings  134
    Exporting FIM Service settings  134
      Exporting the FIM Service schema  135
      Exporting the FIM Service policy  135
    Generating the difference files  136
      Generating the schema difference  136
      Generating the policy difference  136
    Importing to production  137
      Importing custom code  137
      Importing the Service schema difference  137
      Importing the Synchronization Service settings  137
    PowerShell scripts  141
  Summary  141

Chapter 5: User Management  143
  Modifying MPRs for user management  143
  Configuring sets for user management  148
  Inbound synchronization rules  150
  Outbound synchronization rules  158
    Outbound synchronization policy  159
    Outbound system scoping filter  159
    Detected rule entry  160
  Provisioning  161
    Non-declarative provisioning  162
  Managing users in a phone system  163
  Managing users in Active Directory  170
    userAccountControl  170
    Provision users to Active Directory  173
      Synchronization rule  174
      Set  177
      Workflow  178
      MPR  181
    Inbound synchronization from AD  183
  Temporal Sets  185
  Self-service using the FIM portal  186
    Managers can see direct reports  188
    Users can manage their own attributes  190
  Managing Exchange  194
    Exchange 2007  194
    Exchange 2010  195
    Synchronization rule for Exchange  195
    Mailbox users  196
    Mail-enabled users  197
  Summary  198

Chapter 6: Group Management  199
  Group scope and types  199
    Active Directory  199
    FIM  201
      Type  201
      Scope  202
      Member Selection  202
  Installing client add-ins  206
    Add-ins and extensions  206
  Creating and managing distribution groups  212
  Importing groups from HR  219
    FIM Service and Metaverse  222
  Managing groups in AD  224
    Security groups  225
    Distribution groups  229
      Synchronization rule  229
      Set  233
      Workflow  234
      MPR  236
  Summary  237

Chapter 7: Self-service Password Reset  239
  Anonymous request  239
  QA versus OTP  240
  Enabling password management in AD  240
    Allowing FIM Service to set passwords  242
  Configuring FIM Service  246
    Security context  247
    Password Reset Users Set  247
    Password Reset AuthN workflow  248
      Configuring the QA gate  249
      The OTP gate  251
    Require re-registration  254
    SSPR MPRs  255
  The user experience  255
  Summary  262

Chapter 8: Using FIM to Manage Office 365 and Other Cloud Identities  263
  Overview of Office 365  263
  DirSync  267
  Federation  273
  PowerShell or Custom MA  277
  Using UAG and FIM to get OTP for Office 365  279
  Summary  280

Chapter 9: Reporting  281
  Verifying the SCSM setup  281
  Synchronizing data from FIM to SCSM  283
  Default reports  285
    The SCSM ETL process  286
    Looking at reports  289
  Modifying the reports  294
  Summary  296

Chapter 10: FIM Portal Customization  297
  Components of the UI  298
  Portal Configuration  301
  Navigation Bar Resource  302
  Search scopes  311
    Usage Keyword  311
    Search Definition  313
    Results  314
    Creating your own search scope  315
  Filter Permissions  318
  RCDC  319
  Summary  323

Chapter 11: Customizing Data Transformations  325
  Our options  325
    PowerShell  326
    Classic rules extensions  326
    SSIS  327
    Workflow activities  328
    Extensible Connectivity Management Agent  328
  Managing Lync  329
    Provision Lync Users  329
  Managing multivalued attributes  331
  Selective deprovisioning  339
  The case with the strange roles  340
  Summary  345

Chapter 12: Issuing Smart Cards  347
  Our scenario  347
  Assurance level  348
  Extending the schema  349
  The configuration wizard  351
    Create service accounts  351
    Create certificate templates for FIM CM service accounts  352
      FIM CM User Agent certificate template  353
      FIM CM Enrollment Agent certificate template  356
      FIM CM Key Recovery Agent certificate template  356
      Enable the templates  356
    Require SSL on the CM portal  357
    Kerberos again!  357
    Run the wizard  359
    Backup certificates  364
    Rerunning the wizard  365
      The accounts  365
      The database  365
  Configuring the FIM CM Update Service  366
    Database permissions  366
  Configuring the CA  367
    Installing FIM CM CA files  367
    Configuring Policy Module  368
  Installing the FIM CM client  371
  FIM CM permissions  372
    Service Connection Point  372
    Users and groups  374
    Certificate Template  375
    Profile Template object  377
    Profile Template settings  378
  Allowing managers to issue certificates for consultants  379
    Creating a Profile Template for consultant Smart Cards  379
    Configuring permissions for consultant Smart Cards  382
    John enrolls a Smart Card  382
  RDP using Smart Cards  386
  CM Management Agent  386
  Summary  387

Chapter 13: Troubleshooting  389
  Reminder  389
  Troubleshooting  390
    Kerberos  390
    Connected Data Sources  392
    FIM Sync  393
    FIM Service  398
      Request errors  398
      Sync errors  401
    Reporting  404
    FIM CM  405
      Agent certificates  406
      CA  407
    FIM clients  407
  Backup and restore  408
    FIM Sync  408
    FIM Service and Portal  409
    Source code  410
  Summary  411

Afterword  413

Index  415
