Manager 2010 R2 Handbook



Microsoft Forefront Identity Manager 2010 R2 Handbook
A complete handbook on FIM 2010 R2 covering both Identity and Certificate Management
Kent Nordstrom
enterprise PUBLISHING, BIRMINGHAM - MUMBAI

Table of Contents

Preface 1

Chapter 1: The Story in this Book 7
  The Company 7
  The challenges 8
    Provisioning of users 8
    Identity lifecycle procedures 8
    Highly Privileged Accounts (HPA) 8
    Password management 9
    Traceability 9
  The solutions 9
    Implement FIM 2010 R2 9
    Start using smart cards 10
    Implement federation 10
  The environment 11
  Moving forward 12
  Summary 13

Chapter 2: Overview of FIM 2010 R2 15
  The history of FIM 2010 R2 16
  FIM Synchronization Service (FIM Sync) 17
    Management Agents 19
    Non-declarative vs. declarative synchronization 20
    Password synchronization 20
    FIM Service Management Agent 21
  FIM Service 21
    Request pipeline 22
    FIM Service Management Agent 23
    Management Policy Rules (MPRs) 23
  FIM Portal 24
    Self Service Password Reset (SSPR) 24
  FIM Reporting 25
  FIM Certificate Management (FIM CM) 25
    Certificate Management portal 26
  Licensing 27
  Summary 28

Chapter 3: Installation 29
  Development versus production 29
  Capacity planning 30
    Separating roles 31
    Databases 31
    FIM features 31
    Hardware 32
  Installation order 32
  Prerequisites 34
    Databases 34
      Collation and languages 35
      SQL aliases 36
      FIM-Dev 38
      SQL 38
      SCSM 39
    Web servers 41
      FIM Portal 41
      FIM Password Reset 42
      FIM Certificate Management 44
    Service accounts 45
    Kerberos configuration 48
      SETSPN 50
      Delegation 52
    System Center Service Manager Console 52
  Installation 53
    FIM Synchronization Service 53
    FIM Service and FIM Portal 58
    FIM Password Reset portal 67
    FIM Certificate Management 70
    SCSM management 71
    SCSM Data Warehouse 76
  Post-installation configuration 80
    Granting FIM Service access to FIM Sync 80
    Securing the FIM Service mailbox 80
    Disabling indexing in SharePoint 80
    Redirecting to IdentityManagement 81
    Enforcing Kerberos 81
    Editing binding in IIS for FIM Password sites 82
    Registering SCSM Manager in Data Warehouse 82
    FIM post-install scripts for Data Warehouse 87
  Summary 87

Chapter 4: Basic Configuration 89
  Creating Management Agents 90
    Active Directory 90
      Least privileged 91
      Directory replication 93
      Password reset 93
      Creating AD MA 93
    HR (SQL Server) 105
      Creating SQL MA 107
  Run profiles 116
    Single or Multi step 116
  Schema management 116
    FIM Sync versus FIM Service schema 116
    Object deletion in MV 117
    Modifying FIM Service schema 118
  FIM Service MA 120
    Creating the FIM Service MA 120
    Creating run profiles 127
  First import 128
    Filtering accounts 128
    Initial load versus scheduled runs 130
  Moving configuration from development to production 131
    Maintenance mode for production 132
    Disabling maintenance mode 133
    Exporting FIM Synchronization Service settings 134
    Exporting FIM Service settings 134
      Exporting the FIM Service schema 135
      Exporting the FIM Service policy 135
    Generating the difference files 136
      Generating the schema difference 136
      Generating the policy difference 136
    Importing to production 137
      Importing custom code 137
      Importing the Service schema difference 137
      Importing the Synchronization Service settings 137
      Importing the FIM Service policy 140
    PowerShell scripts 141
  Summary 141

Chapter 5: User Management 143
  Modifying MPRs for user management 143
  Configuring sets for user management 148
  Inbound synchronization rules 150
  Outbound synchronization rules 158
    Outbound synchronization policy 159
    Outbound system scoping filter 159
    Detected rule entry 160
  Provisioning 161
    Non-declarative provisioning 162
  Managing users in a phone system 163
  Managing users in Active Directory 170
    useraccountcontrol 170
    Provision users to Active Directory 173
      Synchronization rule 174
      Set 177
      Workflow 178
      MPR 181
    Inbound synchronization from AD 183
  Temporal Sets 185
  Self-service using the FIM portal 186
    Managers can see direct reports 188
    Users can manage their own attributes 190
  Managing Exchange 194
    Exchange 2007 194
    Exchange 2010 195
    Synchronization rule for Exchange 195
      Mailbox users 196
      Mail-enabled users 197
  Summary 198

Chapter 6: Group Management 199
  Group scope and types 199
    Active Directory 199
    FIM 201
      Type 201
      Scope 202
      Member Selection 202
  Installing client add-ins 206
    Add-ins and extensions 206
  Modifying MPRs for group management 210
  Creating and managing distribution groups 212
  Importing groups from HR 219
    FIM Service and Metaverse 222
  Managing groups in AD 224
    Security groups 225
    Distribution groups 229
      Synchronization rule 229
      Set 233
      Workflow 234
      MPR 236
  Summary 237

Chapter 7: Self-service Password Reset 239
  Anonymous request 239
  QA versus OTP 240
  Enabling password management in AD 240
  Allowing FIM Service to set passwords 242
  Configuring FIM Service 246
    Security context 247
    Password Reset Users Set 247
    Password Reset AuthN workflow 248
      Configuring the QA gate 249
      The OTP gate 251
    Require re-registration 254
    SSPR MPRs 255
  The user experience 255
  Summary 262

Chapter 8: Using FIM to Manage Office 365 and Other Cloud Identities 263
  Overview of Office 365 263
  DirSync 267
  Federation 273
  PowerShell or Custom MA 277
  Using UAG and FIM to get OTP for Office 365 279
  Summary 280

Chapter 9: Reporting 281
  Verifying the SCSM setup 281
  Synchronizing data from FIM to SCSM 283
  Default reports 285
  The SCSM ETL process 286
  Looking at reports 289
  Allowing users to read reports 291
  Modifying the reports 294
  Summary 296

Chapter 10: FIM Portal Customization 297
  Components of the UI 298
  Portal Configuration 301
  Navigation Bar Resource 302
  Search scopes 311
    Usage Keyword 311
    Search Definition 313
    Results 314
    Creating your own search scope 315
  Filter Permissions 318
  RCDC 319
  Summary 323

Chapter 11: Customizing Data Transformations 325
  Our options 325
    PowerShell 326
    Classic rules extensions 326
    SSIS 327
    Workflow activities 328
    Extensible Connectivity Management Agent 328
  Managing Lync 329
    Provision Lync Users 329
  Managing multivalued attributes 331
  Selective deprovisioning 339
  The case with the strange roles 340
  Summary 345

Chapter 12: Issuing Smart Cards 347
  Our scenario 347
    Assurance level 348
  Extending the schema 349
  The configuration wizard 351
    Create service accounts 351
    Create certificate templates for FIM CM service accounts 352
      FIM CM User Agent certificate template 353
      FIM CM Enrollment Agent certificate template 356
      FIM CM Key Recovery Agent certificate template 356
      Enable the templates 356
    Require SSL on the CM portal 357
    Kerberos again! 357
    Install SQL Client Tools Connectivity 358
    Run the wizard 359
    Backup certificates 364
    Rerunning the wizard 365
      The accounts 365
      The database 365
  Configuring the FIM CM Update Service 366
    Database permissions 366
  Configuring the CA 367
    Installing FIM CM CA files 367
    Configuring Policy Module 368
  Installing the FIM CM client 371
  FIM CM permissions 372
    Service Connection Point 372
    Users and groups 374
    Certificate Template 375
    Profile Template object 377
    Profile Template settings 378
  Allowing managers to issue certificates for consultants 379
    Creating a Profile Template for consultant Smart Cards 379
    Configuring permissions for consultant Smart Cards 382
    John enrolls a Smart Card 382
  RDP using Smart Cards 386
  CM Management Agent 386
  Summary 387

Chapter 13: Troubleshooting 389
  Reminder 389
  Troubleshooting 390
    Kerberos 390
    Connected Data Sources 392
    FIM Sync 393
    FIM Service 398
      Request errors 398
      Sync errors 401
    Reporting 404
    FIM CM 405
      Agent certificates 406
      CA 407
      FIM clients 407
  Backup and restore 408
    FIM Sync 408
    FIM Service and Portal 409
    FIM CM 409
  Source code 410
  Summary 411

Afterword 413

Index 415