An essential element of managing computer networks is organizing information about people, applications, and network devices. Managing identity information is challenging because the essential data that describes people in an environment changes so frequently. For example, in a given month a large percentage of an organization's employees may change jobs, assume different roles, become associated with different projects, move to a new office, or even change their names. All these changes, while seemingly minor, can pose a significant challenge in complex networks with multiple identity stores.
This paper discusses how to aggregate and synchronize user identity information across multiple directories and identity stores in a heterogeneous environment. The result is to enable centralized administration of user identities across an organization's identity stores. The paper also provides detailed configuration tasks you can perform to achieve this by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).
Organizations store identity information as data objects in numerous data repositories. When identity information becomes inconsistent between identity stores, it can become difficult to use appropriately. Synchronizing information between multiple data repositories is challenging, time consuming, and expensive.
The business challenges that relate to identity synchronization include:
In large organizations, you can often find over one hundred discrete identity stores, all of which contain overlapping and usually conflicting personal data. Managing this identity data across many systems that use manual processes or custom scripts is simply not cost effective or accurate enough to meet the business needs of most organizations.
Management needs to know that the costs of managing user identities are as low as reasonably possible. Identity life-cycle management should also scale efficiently across various applications and network resources, and not require additional staff for every application brought on line or group of users hired.
Efficient administrative processes based on capable technologies for identity aggregation and synchronization can provide the following business benefits:
The audience for this paper includes architects, IT professionals, IT decision makers, and consultants working in organizations with multiple identity stores.
This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies as described in the "Fundamental Concepts" paper in this series.
To implement the solutions in this paper, readers should have an understanding of the infrastructure described and implemented in the "Platform and Infrastructure" paper in this series. For a greater understanding of MIIS 2003, review the Microsoft Identity Integration Server 2003 Technical Reference.
This paper consists of seven chapters. Each chapter builds on the previous one to demonstrate how a typical company plans, builds, tests, and operates an identity aggregation and synchronization solution by using MIIS 2003 with SP1 and the Microsoft Active Directory® directory service. The chapters cover the following topics:
Chapter 1: Introduction
The introduction provides an executive summary, the recommended audience for the paper, and an overview of each chapter in the paper.
Chapter 2: Approaches to Identity Aggregation and Synchronization
This chapter covers various approaches for identity aggregation and synchronization, including the recommended approach of using an identity integration product.
Chapter 3: Issues and Requirements
This chapter introduces the identity aggregation and synchronization challenges that Contoso Pharmaceuticals (a fictitious company with typical problems) faces, as well as their technical issues and requirements.
Chapter 4: Designing the Solution
This chapter describes the logical design of a solution for Contoso and how it works. It addresses Contoso issues and requirements with an identity aggregation and synchronization solution based on Microsoft technologies.
Chapter 5: Implementing the Solution
This chapter takes the design from the previous chapter and further refines it by providing step-by-step prescriptive guidance to implement the solution. It shows how you can set up identity aggregation and synchronization in a secure and functional way. This chapter also introduces the Tools and Templates provided for this paper.
Chapter 6: Testing the Solution
This chapter describes how to validate the implemented solution scenarios from Chapter 5. It also provides some troubleshooting steps to help with common implementation challenges.
Chapter 7: Operational Considerations
This chapter concludes the paper with details on operational procedures for running an identity aggregation and synchronization solution on a day-to-day basis.
In addition to a general discussion of identity synchronization approaches, this paper also provides detailed prescriptive guidance for implementing an identity aggregation and synchronization solution that builds on the Contoso Pharmaceuticals scenario introduced in the "Platform and Infrastructure" paper in this series. In this scenario, Contoso has two Active Directory forests, a Sun ONE Directory, and a Lotus Notes database to integrate.
This scenario has been compiled by Microsoft to illustrate the typical challenges organizations face in providing identity aggregation and synchronization, and includes guidance on how Microsoft technologies can address them. Chapters 3 through 7 focus entirely on this solution scenario.
Implementing an identity aggregation and synchronization solution provides a recommended foundation for building other identity life-cycle management solutions such as provisioning (fully automated or using workflow), entitlement management (groups in particular) and credential management (passwords in particular).
Note The "Password Management" paper in this series builds on the solution scenario in this paper to provide password change, reset, and propagation services.
A typical large organization may have dozens of data stores for identity information. Even medium and small organizations usually have several identity stores. The challenge is how to aggregate the correct data from all of the identities in an organization and then synchronize the correct data with identity stores that may have incorrect or out-of-date data.
For example, an employee's job title and address are usually stored in more than one identity store. When an employee moves or is promoted, the same information must be updated in several different identity stores. To further complicate matters, identity stores are often managed by independent departments. Keeping track of these changes and propagating them to all identity stores within an organization is the process of identity aggregation and synchronization.
There are three main types of identity data sources:
This section also discusses a special type of database: the Human Resources (HR) department database.
To manage data objects, organizations often use a specialized data store called a directory. A directory provides a well-defined set of object classes with associated attributes and a hierarchical view for organizing objects. A directory service exposes the operations necessary to locate and manage the content of a directory.
Typically, directories are used for:
Historically, directories were custom applications that were designed to fulfill a specific role within an organization's network environment. In many cases, separate directories were implemented to contain relevant information to satisfy specific target functions.
There are many identity stores in an organization that are not directory-based. Identity stores for individual applications are often implemented as databases for the following reasons:
For these cases, databases can easily adapt to storing identity information, but there are several drawbacks. Databases are inherently non-hierarchical, but when storing information about people it is usually more convenient to mimic typical organizational hierarchies like companies, departments, and teams. These hierarchical structures help to easily locate objects and provide intuitive searching capabilities. In addition, databases generally do not follow a common schema that defines the data and its characteristics.
Additionally, databases do not come with a suite of security services for authentication, authorization, trusts, and security auditing — all required functionality must be programmed uniquely (and unnecessarily) for each database.
Flat files (text-based files such as comma-delimited and XML files) can also serve to store identity information, especially with older applications. Flat file identity stores suffer from all of the same issues as databases, but typically provide significantly worse performance and management.
Flat files are often used for importing and exporting information between data sources and platforms if direct integration is otherwise infeasible.
The HR database (or equivalent) is a special case because of the functions of the HR department and their role in the management of an organization's users. The HR database is usually an authoritative source of information about the existence of user identities and many of the key attributes of a person, such as employee ID, first name, last name, home address, and so on.
The HR department is typically the first to know that an employee has been either hired or fired, thus being the authoritative indication that a user identity should be added, or removed, from the environment. The HR database also manages many user attributes, which makes it an important source of identity data that must be synchronized to other identity stores.
For security and privacy reasons it is usually difficult to have an HR database participate directly with identity integration services. However, HR departments will typically permit a reduced database view with read-only access, or a flat file containing specific fields from the HR database to be used.
Regardless of how identity data is stored, there are several common scenarios that affect the management of this information. The following table describes some of these scenarios.
Table 2.1. Identity Scenarios and Requirements
Scenario | Requirements |
--- | --- |
Implementing single sign on | Manage user name, password, and access rights information across many different platforms and applications. |
Managing a global address book | Synchronize mailbox information among the e-mail directories that are used within a company. |
Managing e-commerce applications | Synchronize information for suppliers and extranet users, such as digital certificates, with e-commerce directories that reside in perimeter networks. |
Hiring/firing employees | Quickly propagate information about newly hired employees to all systems that require identity information, and quickly perform the same processes in reverse when employees leave. |
The following sections describe a number of approaches that are commonly used to accomplish these tasks, including:
Manual administration is the default mechanism for managing the attributes of users in identity stores. Some identity stores, such as the Microsoft® Active Directory® directory service, provide tools similar to the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. This tool provides a convenient graphical interface that is easy to use and provides quick and easy manipulation of user attributes.
Although manual tools are intuitive and easy to use for a trained IT administrator, they are cumbersome to use across multiple identity stores and often result in errors and inconsistencies.
After manual administration becomes cumbersome, the typical next step is for the IT administrator to create scripts that manage identity attributes in various stores. Through powerful scripting languages such as Perl or Visual Basic® and interfaces such as the Active Directory Service Interfaces (ADSI), it is fairly easy to create scripts that can manipulate identity data in an organization.
While easy to create and cheap to implement, most script-based identity synchronization solutions have one or more of the following issues:
Integration services provide another approach to automating maintenance of identity information, although they usually only integrate with a single type of identity store without the flexibility of a full identity integration product. Examples of these integration services are:
A metadirectory is a store containing information from multiple directories. It provides a centralized view of relational data from disparate identity stores throughout the enterprise. Even though separate directories may not share information, metadirectories make this relational view of data from all directories possible.
Although metadirectory products may attempt to provide a single view of identities, they do not always aggregate and synchronize identity information with each of the connected data sources. Customers want this crucial capability to ensure the applications that use each identity store relay accurate and up-to-date information to their users.
Microsoft Metadirectory Services (MMS) 2.2, the precursor to Microsoft Identity Integration Server 2003, Enterprise Edition, is an example of a metadirectory product.
An identity integration product is designed to provide all of the functionality of scripts and integration services, but also address the drawbacks listed in the previous sections. Identity integration products also provide additional functionality that may be very hard or impossible to implement with scripts.
Identity integration products typically provide the following set of features:
Microsoft offers two identity integration products:
Both products have similar software requirements: Windows Server 2003, Enterprise Edition and Microsoft SQL Server 2000, Enterprise Edition or SQL Server 2000 Developer Edition (for testing purposes only). However, each product offers a different level of support for integration with external systems.
Note SQL Server 2000 Developer Edition is licensed per developer and must be used for designing, developing, and testing purposes only. It should not be confused with Microsoft SQL Server Desktop Engine (MSDE). For more information see Microsoft SQL Server: How to Buy.
MIIS 2003 with SP1 is an enterprise identity integration product from Microsoft; it replaces the previous metadirectory product, Microsoft Metadirectory Services (MMS) 2.2. MIIS 2003 with SP1 provides all the identity integration product features listed in the previous section.
For more information about MIIS 2003 with SP1, including the MIIS 2003 Technical Reference, see the MIIS 2003 page on Microsoft.com at www.microsoft.com/miis and the Microsoft Identity Integration Server 2003 Frequently Asked Questions page.
MIIS 2003 with SP1 uses Microsoft SQL Server 2000, Enterprise Edition or Standard Edition as its identity store for the metaverse as well as for individual views of each connected directory, application, or data source. The following table defines the connected identity stores (called management agents) that are available in MIIS 2003 with SP1.
Table 2.2. MIIS 2003 with SP1 Management Agent Categories
Connected identity store | Example |
--- | --- |
Network operating systems and directory services | Microsoft Windows NT®; Active Directory (Windows 2000 Server and later); Active Directory Application Mode; Novell eDirectory 8.6.2, 8.7, and 8.7.3; Sun ONE Directory Server 5.0, 5.1, or 5.2 (formerly iPlanet Directory Server); IBM Directory Server 4.1, 5.1 or 5.2; Resource Access Control Facility (RACF); X.500 systems |
E-mail systems | Microsoft Exchange 5.5; Microsoft Exchange 2000 and later (GAL synchronization); Lotus Notes and Domino 4.6 and later |
Application systems | PeopleSoft; SAP; ERP¹; telephone switches; XML- and DSML-based systems |
Databases | IBM DB2 Universal Database 7 and 8.1 on Windows, 8.1 on Linux and 5.1.5 on OS/400; Microsoft SQL Server 7.0 and 2000; Oracle 8i and 9i |
File-based agents (for generic connections) | DSML v2 (Directory Services Markup Language); LDIF (LDAP Data Interchange Format); CSV (comma-separated value) and other delimited formats; fixed width; attribute-value pairs |
For an up-to-date list of supported systems and other enhancements in MIIS 2003 with SP1, see MIIS 2003 Product Overview.
The Identity Integration Feature Pack (IIFP) 1a for Windows Server Active Directory is a reduced feature set version of MIIS 2003 with SP1 with a limited number of management agents. The Identity Integration Feature Pack provides connections only to the following directories and e-mail applications:
The IIFP is appropriate for environments that operate Microsoft directory products. For example, it is useful for synchronizing identity information between multiple forests and ADAM instances.
The software requirements for IIFP are similar to MIIS 2003 with SP1: Windows Server 2003, Enterprise Edition and Microsoft SQL Server 2000, Enterprise Edition, Standard Edition or Developer Edition (for testing purposes only).
Implementing effective identity aggregation and synchronization requires a detailed analysis of the key business and technology drivers. This chapter records these factors for the fictitious Contoso Pharmaceuticals environment, and lists the solution requirements along with the security vulnerabilities that must be addressed by the following closely related solution scenarios.
For more information about the Contoso Pharmaceuticals example organization, see the "Platform and Infrastructure" paper in this series.
Organizations running multiple identity stores in heterogeneous environments often face the challenge of synchronizing digital identities across different stores in order to meet their business requirements.
Contoso experienced difficulties trying to integrate the digital identities from a recently acquired company, Fabrikam, with their existing information systems. Isolated directories and identity stores complicate the problem of overlapping identity information, because much of the information is missing, out of date, or incorrect.
Contoso identified the following business issues to address through identity aggregation and synchronization:
Contoso has identified several technical issues related to identity synchronization:
Contoso needs to keep multiple identity stores synchronized manually, which results in critical security issues such as incorrect entitlement information. Applications use entitlement information in different identity stores to authorize user access. Often this entitlement information is entered incorrectly, outdated, or inconsistent with authoritative identity stores.
While there aren't many security issues related to identity aggregation and synchronization, this solution provides a solid foundation for other solutions such as provisioning and password management, which are a source of significant security risks for many organizations.
From these issues, Contoso produced the following set of requirements for aggregating and synchronizing its digital identity information:
The previous chapter considered the business, technology, and security issues for an identity aggregation and synchronization scenario, and listed the solution requirements. Designing the appropriate solution is the next part of the overall process.
The following sections in this chapter present a solution concept, the solution prerequisites, and a solution architecture for identity aggregation and synchronization. After the design is complete, a description is provided of how each part of the solution works.
Contoso has decided to use an identity integration product to meet the requirements described in the previous chapter.
The following figure depicts the solution concept for identity aggregation and synchronization in the Contoso environment:
Figure 4.1. Solution concept for identity aggregation and synchronization
The Contoso solution will aggregate data through an identity integration product. This product will contain a database of aggregated identity information from multiple connected data sources and will provide a single global, integrated view of all combined objects. The product will be configured to synchronize objects and object attributes between each of the identity stores.
To overcome all of the business, technology, and security issues by achieving their solution requirements, Contoso selected Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).
Note The "Password Management" paper in this series builds on the solution scenario in this paper to provide password change, reset, and propagation services.
Contoso has the following directories and identity stores that need to participate in the solution:
A Sun ONE Directory (formerly iPlanet Directory Server) contains Fabrikam user information for use with a legacy application.
An extranet Active Directory forest contains Contoso sales employee shadow accounts that are mapped to employee X.509 certificates, and accounts for customers and partners that require extranet access.
All identity information is currently maintained manually within each of these identity stores. Chapter 5, "Implementing the Solution", in this paper includes details for adding the required Lotus Notes and Sun ONE Directory users.
You can use a one-way trust from your extranet Active Directory to your intranet Active Directory instead of employee shadow accounts. The "Platform and Infrastructure" paper in this series provides more information about choosing between trusts and shadow accounts for extranet purposes and includes scripts to establish the intranet Active Directory forest and extranet Active Directory forest as described in this paper.
For more information about using X.509 certificates for extranet access and single sign on, see the "Extranet Access Management" paper in this series.
Designing and planning an identity aggregation and synchronization solution based on MIIS 2003 with SP1 should be performed as you would in any other IT project, including gathering requirements, conceptual design, logical design, physical design, building a proof of concept, and creating project plans, schedule, and a budget.
Note The papers in this series focus on the unique aspects of each solution scenario rather than the normal activities of a technology project life-cycle. For more information about planning, building, and deploying technology solutions of all kinds see the Microsoft Solutions Framework Web site.
Contoso followed several planning and design activities for MIIS 2003 with SP1 to arrive at an architecture for their identity aggregation and synchronization solution that includes:
Each of these architectural elements is described in the following sections.
A central part of any identity aggregation and synchronization project is establishing which identity stores are the authoritative sources for both object types and object attributes. MIIS 2003 with SP1 uses a management agent (MA) to connect to each identity store. The MAs chosen by Contoso are listed in the following table, and detailed information about each is provided in the following sections.
Table 4.1. Contoso Management Agents
Data source | MA type | Data source description |
--- | --- | --- |
Intranet directory | Active Directory | The intranet directory contains all Contoso and Fabrikam users. |
Lotus Notes Release 6.5.4 | Lotus Notes 4.6 or 5.0 (works with later releases of Lotus Notes) | The Lotus Notes address book (NAB) contains users from Fabrikam who will continue to use Lotus Notes e-mail until they migrate to Exchange 2003. |
Extranet directory | Active Directory | The extranet directory contains all extranet users, including customers, partners, and shadow accounts for employees. |
Sun ONE Directory Server 5.1 | Sun and Netscape Directory Servers | Sun ONE Directory Server 5.1 contains entries for users from Fabrikam to support authentication requests for a legacy application. |
The Contoso intranet Active Directory is the primary directory service used by Contoso. It provides directory and security services throughout Contoso's corporate network and it is the main directory they would like to manage; changes made here should be synchronized to the other connected data sources.
The Intranet Directory MA is required to:
The intranet Active Directory will be the authoritative source for Contoso user objects in this solution.
All user accounts in the intranet Active Directory are mailbox-enabled for Exchange 2003 integration. However, users from the acquisition of Fabrikam still have e-mail accounts in Lotus Notes and accordingly must not have Exchange mailboxes as well.
Fabrikam employees will continue to use Lotus Notes for e-mail until they are migrated to Exchange 2003. Until this occurs, the Notes address book information must be synchronized to the intranet Active Directory so that other Contoso users may reference it through the global address list (GAL). Similarly, Exchange address book information in Active Directory must synchronize to Lotus Notes.
Lotus Notes will be the authoritative source for Fabrikam user objects in this solution.
The Contoso extranet Active Directory authenticates Contoso employees that access applications from the Internet. It also supports extranet access for customer and partner user accounts.
The "Extranet Access Management" paper in this series describes how employee extranet access is based on public key infrastructure (PKI) client certificate credentials. To support this authentication method, Contoso maintains employee accounts as "shadow" accounts in the extranet directory.
These employee shadow accounts are only for certificate-based authentication and contain a limited amount of authorization information relevant to extranet applications. Only a small subset of each user's attributes need to be synchronized.
Employee X.509 certificates provided by the PKI must be mapped to their extranet shadow accounts. The user's account password and other sensitive information is not synchronized to the extranet directory.
Sun ONE Directory Server 5.1 contains entries for users from the merger with Fabrikam. This directory supports authentication requests to access a legacy application that would be too expensive to migrate to Active Directory.
One of Contoso's challenges was to find attribute values that exist consistently across all identity stores that could be used to link (or join in MIIS terminology) identities between stores. Contoso was fortunate in that all of the identity stores included in the solution scope had a single common attribute value, the employee's identification number (employeeID), which could be used to link the identity objects in each store with the objects that would be created in the metaverse.
Contoso understood that there was a possibility for errors in the employeeID attribute values in different identity stores, so manual intervention would be needed at some point to join user objects that carry a wrong employeeID attribute value. The worst case that the Contoso architects could plan for was an employeeID attribute in one directory that was wrong but matched the value for another user. If that happened, there could be any number of resulting problems, including overwritten attributes, deleted accounts, and incorrect lookups.
To resolve this potential issue, Contoso could have specified an additional join criterion such as surname (SN). In this case, both employeeID and SN would have to match in order for the join to succeed. After careful analysis of the data in each store, Contoso decided that the risk due to bad employeeID attribute values was low, and no additional join criterion was introduced because it would introduce a greater chance of failure during the automated join process.
Attribute flow rules can be used to update attribute values both into (import) and out of (export) the metaverse. These import or export attribute flow rules can have either a direct or computed attribute mapping type.
Attribute precedence is used to configure the order in which two or more imported attributes are applied. This capability is useful when multiple management agents contribute to a single metaverse attribute and you want to guarantee that one particular imported attribute is given precedence over all others.
The following table lists a small subset of the attributes in the metaverse to show how Contoso has chosen to define attribute flow.
Table 4.2. Attribute Identity Flow in Contoso
Attribute | Purpose | Intranet | Notes | Extranet | Sun |
--- | --- | --- | --- | --- | --- |
employeeID | A unique number for each employee | Source (has precedence), Uses, Calculated | Source (if not present in Intranet), Uses, Calculated | Uses | Uses |
displayName | The name displayed by many user interfaces | Source (has precedence), Uses, Calculated | Source (if not present in Intranet), Uses, Calculated | Uses | Uses |
sAMAccountName | Logon ID | Source (has precedence), Uses, Calculated | Source (if not present in Intranet), Uses, Calculated | Uses | Uses |
altSecurityIdentities | Certificate mapping field | Uses | | Uses, Calculated | |
Legend:
Source = Source for each attribute. There can be more than one source for an attribute, in which case it is necessary to specify attribute precedence. In this environment, the Intranet Active Directory has precedence.
Uses = This MA uses this attribute to populate the connected identity store.
Calculated = Attribute is calculated by the MA extension based on the values supplied by the source identity store.
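As an added example that is not part of this paper or of MIIS itself, the following Python model works through the join and precedence rules described above: employeeID as the join criterion (with sn as an optional second criterion), the duplicate-employeeID case that needs manual intervention rather than an automated join, Intranet precedence over Notes regardless of which MA runs first, and the calculated altSecurityIdentities flow to the extranet shadow accounts. The issuer DN, the certificate subject form and the exported attribute subset are assumptions; all records are constructed.

```python
"""Added example (not MIIS code): a toy model of the join, attribute-precedence
and extranet attribute-flow rules. All records are constructed; the issuer DN,
the certificate subject form and EXTRANET_FLOW are assumptions."""
from collections import defaultdict

# Table 4.2: the Intranet directory is the source with precedence; Notes is the
# source only when the object is not present in the Intranet directory.
PRECEDENCE = {
    "employeeID": ["Intranet", "Notes"],
    "displayName": ["Intranet", "Notes"],
    "sAMAccountName": ["Intranet", "Notes"],
}
# Assumed subset of attributes that flows to the extranet shadow accounts.
EXTRANET_FLOW = ("employeeID", "displayName", "sAMAccountName")
ISSUER_DN = "CN=Contoso Issuing CA, DC=contoso, DC=com"  # assumed PKI issuer


def join_key(record, extra=()):
    """Join criteria: employeeID, optionally plus extra attributes such as sn."""
    return tuple(record.get(attr) for attr in ("employeeID", *extra))


def check_join_ambiguity(cs_records, extra=()):
    """Return join keys that match more than one object in one connector space.
    This is the worst case the text describes: a wrong employeeID equal to
    another user's value would join two people to one metaverse object, so
    such keys are reported for manual intervention instead of being joined."""
    seen = defaultdict(list)
    for rec in cs_records:
        seen[join_key(rec, extra)].append(rec["dn"])
    return {key: dns for key, dns in seen.items() if len(dns) > 1}


def build_metaverse(sources, extra=()):
    """Inbound synchronization. sources: ordered list of (MA name, records).
    The first record seen for a join key is projected, later ones join to it;
    each attribute value is then chosen by precedence, so the result does not
    depend on the order in which the MAs were run."""
    contributions = defaultdict(lambda: defaultdict(dict))  # key -> attr -> MA -> value
    for ma, records in sources:
        ambiguous = check_join_ambiguity(records, extra)
        if ambiguous:
            raise ValueError(f"{ma}: ambiguous join keys {ambiguous}")
        for rec in records:
            key = join_key(rec, extra)
            for attr, value in rec.items():
                if attr != "dn":
                    contributions[key][attr][ma] = value
    metaverse = {}
    for key, attrs in contributions.items():
        obj = {}
        for attr, by_ma in attrs.items():
            # First MA in precedence order that contributed a value wins;
            # attributes without a precedence rule keep the first contributor.
            order = PRECEDENCE.get(attr, list(by_ma))
            obj[attr] = next((by_ma[ma] for ma in order if ma in by_ma),
                             next(iter(by_ma.values())))
        metaverse[key] = obj
    return metaverse


def export_to_extranet(metaverse):
    """Outbound flow to the extranet shadow accounts: only EXTRANET_FLOW is
    exported (passwords and other sensitive attributes stay behind), and
    altSecurityIdentities is calculated from the source values so the
    employee's X.509 certificate maps to the shadow account."""
    shadow = {}
    for obj in metaverse.values():
        if "sAMAccountName" not in obj or "displayName" not in obj:
            continue
        account = {attr: obj[attr] for attr in EXTRANET_FLOW if attr in obj}
        # AD "X509:<I>issuer<S>subject" mapping string; subject form is assumed.
        account["altSecurityIdentities"] = (
            f"X509:<I>{ISSUER_DN}<S>CN={obj['displayName']}")
        shadow[obj["sAMAccountName"]] = account
    return shadow


# Constructed connector-space records for the walk-through (not real data).
INTRANET_CS = [
    {"dn": "CN=Alice Example,OU=Users,DC=contoso,DC=com", "employeeID": "1001",
     "displayName": "Alice Example", "sAMAccountName": "alicee",
     "homePhone": "+1 555 0100"},  # sensitive: must not reach the extranet
]
NOTES_CS = [
    # Same person, named differently in the Notes address book: Intranet wins.
    {"dn": "CN=Alice B Example/O=Fabrikam", "employeeID": "1001",
     "displayName": "Alice B. Example"},
    # Fabrikam user not yet in the intranet directory: Notes is the source.
    {"dn": "CN=Bob Builder/O=Fabrikam", "employeeID": "2002",
     "displayName": "Bob Builder", "sAMAccountName": "bobb"},
]
SUN_CS = [
    # A mistyped employeeID that collides with another user's value.
    {"dn": "uid=bobb,ou=people,dc=fabrikam,dc=com", "employeeID": "2002", "sn": "Builder"},
    {"dn": "uid=carolc,ou=people,dc=fabrikam,dc=com", "employeeID": "2002", "sn": "Carter"},
]

if __name__ == "__main__":
    mv = build_metaverse([("Intranet", INTRANET_CS), ("Notes", NOTES_CS)])
    print("metaverse:", mv)
    print("extranet shadow accounts:", export_to_extranet(mv))
    print("ambiguous on employeeID only:", check_join_ambiguity(SUN_CS))
    print("ambiguous on employeeID+sn:", check_join_ambiguity(SUN_CS, extra=("sn",)))
```

Running the Sun ONE records through build_metaverse raises ValueError on the duplicated employeeID, which is the point at which the paper's manual intervention would occur; adding sn as a second criterion makes the same records join cleanly, at the cost the text notes of failing whenever the surnames disagree.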
The following figure illustrates the logical design of Contoso's identity integration configuration.
Figure 4.2. Logical design for the MIIS 2003 with SP1 identity aggregation and synchronization solution
Each connector space (CS) contains a subset of objects and attributes from the connected data source (such as Lotus Notes or Sun ONE Directory Server) and acts as a staging area between the connected data source and the MIIS 2003 with SP1 metaverse (MV).
A management agent (MA) is a bi-directional data pump that manages attribute flow between a connected data source, a connector space (CS), and the MIIS 2003 with SP1 metaverse (MV).
The metaverse is a storage area that contains the aggregated identity information from multiple connected data sources and provides a single global, integrated view of all combined objects.
The metaverse in MIIS 2003 with SP1 is stored on Microsoft SQL Server™ 2000, Enterprise Edition or Standard Edition to provide a highly scalable and robust data store. MIIS 2003 with SP1 takes advantage of the transaction capabilities in SQL Server 2000 to provide checkpoint and rollback capabilities when testing attribute flows and for error recovery logic.
After implementing the solution as described in Chapter 5, a few tasks — initial identity integration operations — are performed to prepare the environment for normal operations.
After projecting or joining, the MA will perform inbound synchronization then outbound synchronization, each depending on the flow rules established. Inbound and outbound synchronization are explained later in this section.
At Contoso, the metaverse was constructed by running each MA in the order that was needed to project new objects and attributes into the metaverse or join to existing objects. The metadirectory construction requirement resulted in the following MA run order.
The following figure illustrates the import, project, and join operations. The numbered steps correspond with the numbers in the figures.
Figure 4.3. Importing, projecting, and joining
Figure 4.4. Attribute flow via synchronization and an MA export
Now that links are established from each connector space to the metaverse through a Project or Join, each MA can import and export objects and attributes between the connected data source and the connector space.
After this initial set of tasks is completed, Contoso regularly runs each MA as described in the following section to ensure ongoing consistency.
Run profiles provide a series of steps that tell the MA what to do. Each MA requires at least one run profile consisting of at least one step. Steps might include a complete synchronization of all attributes and values from a connected identity store, or just the changes since the last update.
You can configure any number of run profiles for a particular MA, each of which can perform a specific set of steps. The following are the different operations you can carry out by using run profiles in MIIS.
Note There are additional subtle differences between one-step and two-step profiles. For a more detailed description, please see the Microsoft Knowledge Base Article Understanding Run Profiles in MIIS 2003.
Each MA is usually run through an import, synchronization, and an export, as shown in the following figure. Connected data sources considered authoritative for objects or attributes are usually imported and synchronized first.
Figure 4.5. MA run profile relationships
To enable appropriate attribute flow between the MAs, Contoso has created a regular job that runs each MA through several run profiles. All four MAs are run with the same run profiles:
The first set of MA runs imports delta changes (objects that have changed since the last import) from each connected data source and stages these changes in the connector space. All delta changes in the connector space are then synchronized with the metaverse based on attribute flow; inbound synchronization pulls changes into the metaverse, and outbound synchronization pushes changes in the metaverse into the connector space.
The Intranet Active Directory MA is run first to ensure that changes made here are available in the metaverse for the other directories. Then the other MAs complete the first round.
The second set of MA runs exports all of the changes made to each connector space back into the connected data sources. The export run profile is performed on all four MAs.
This solution provides two key capabilities that Contoso is interested in: data aggregation and synchronization. Additionally, Contoso has written some custom code to support certificate mapping for employee extranet access that uses X.509 certificates. Each of these processes is described in the following sections.
Data aggregation typically happens when MIIS 2003 with SP1 is initially deployed. Many of the data sources do not contain a full view of the user and are missing attributes available in others. Data aggregation, also known as inbound synchronization, allows data only available in some identity data stores to be added to the metaverse.
The following figure represents the data aggregation process:
Figure 4.6. Inbound synchronization (data aggregation)
By using the information that has been staged in the connector space, the data aggregation process creates in the metaverse an integrated view of the data stored in connected data sources.
After identity data has been aggregated into the metaverse, (outbound) synchronization gives each identity store a more accurate depiction of the users throughout Contoso.
Outbound synchronization, also called account management, is a process by which the system uses data in the metaverse to update the content of the connector space. The following figure continues the scenario from the previous figure to depict this process.
Figure 4.7. Outbound synchronization (account management)
The account management process updates connected directory objects when metaverse objects change. Both processes are dictated by rules that you configure in MIIS 2003 with SP1.
MIIS 2003 with SP1 administrators can customize synchronization rules by creating rules extensions. Rules extensions are used when declarative rules (simple declarations of attribute relationships) for processing information do not suffice. An attribute that needs a complex modification can be handled by an MA extension that is run during import and export run profiles.
MIIS 2003 with SP1 uses Visual Studio® .NET 2003 to provide an advanced development and debugging environment for rules extensions. You create rules extensions by using a programming language such as Microsoft Visual Basic® .NET or C#. Rules extensions are implemented as a Microsoft .NET Framework class library.
Rules extensions are often very straightforward and need only a single line of code, which does not require developer or programmer involvement. In more complex scenarios, developing rules extensions should be treated with the same rigor as a software development project.
An attribute called altSecurityIdentities is used by the Contoso extranet Active Directory to map employee shadow accounts to X.509 certificates used by employee workstations when accessing extranet applications via the Internet. Certificate authentication is preferred by Contoso for employee extranet use because no passwords are used, thereby protecting employee intranet passwords from extranet attacks. Each employee shadow account required for extranet access must have this attribute properly defined for authentication to succeed.
The altSecurityIdentities attribute is not used in the intranet Active Directory and cannot be created by using (simple) declarative rules, so an Extranet Active Directory MA extension has been developed to create this attribute. Even after accounts are created, the certificate and related attributes may change so that the altSecurityIdentities attribute would need to be updated appropriately, and Contoso prefers this process to be automated. The altSecurityIdentities attribute is a text string made up of the following identity information:
The following is an example of a completed altSecurityIdentities string:
X509:<I>DC=com,DC=contoso,DC=corp,CN=Contoso Issuing CA<S>DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees,CN=0277946,E=Jsmith@contoso.com
For the code details behind this certificate mapping, please see the ExtranetADMA extension project (ExtranetDirectoryADMA.vb file) in the Tools and Templates for this paper.
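The mapping string above can be assembled and verified with a few lines of code. The following Python is an added example for this page, not the ExtranetDirectoryADMA extension from the Tools and Templates. It assumes the two configuration values the extension reads from its XML file (issuing-CA-dn and CA-subject-prefix, listed in Table 5.17) and the employee's employeeID and mail; the CONFIG dictionary, the parsing helper and the needs_update check are this example's own, and the issuer CN is taken from the sample string above rather than from the "ICA" typical value in Table 5.17.

```python
"""Build and check the altSecurityIdentities mapping string described above.

Added example; not the ExtranetDirectoryADMA extension from the Tools and
Templates. It takes the two configuration values the extension reads from
its XML file (issuing-CA-dn and CA-subject-prefix, see Table 5.17) plus the
employee's employeeID and mail, and produces the X509:<I>issuer<S>subject
string. The parsing and consistency checks are this example's own."""
from typing import Dict, List, Tuple

# Constructed stand-in for the values read from the extension's XML file; the
# issuer CN matches the paper's sample string rather than Table 5.17's "ICA".
CONFIG = {
    "issuing-CA-dn": "DC=com,DC=contoso,DC=corp,CN=Contoso Issuing CA",
    "CA-subject-prefix": "DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees",
}


def build_alt_security_identity(employee_id: str, mail: str, config=CONFIG) -> str:
    """Return the altSecurityIdentities value for one employee shadow account."""
    if not employee_id or not mail:
        raise ValueError("employeeID and mail are both required for certificate mapping")
    subject = f"{config['CA-subject-prefix']},CN={employee_id},E={mail}"
    return f"X509:<I>{config['issuing-CA-dn']}<S>{subject}"


def parse_alt_security_identity(value: str) -> Tuple[str, str]:
    """Split an X509 issuer/subject mapping into (issuer, subject)."""
    if not value.startswith("X509:<I>") or "<S>" not in value:
        raise ValueError("not an X509 issuer/subject mapping")
    issuer, subject = value[len("X509:<I>"):].split("<S>", 1)
    return issuer, subject


def rdns(dn: str) -> Dict[str, List[str]]:
    """Group the RDN values of a DN by attribute type (simplification: values
    containing an escaped comma are not handled)."""
    out: Dict[str, List[str]] = {}
    for part in dn.split(","):
        attr, _, val = part.partition("=")
        out.setdefault(attr.strip().upper(), []).append(val.strip())
    return out


def needs_update(current: str, employee_id: str, mail: str, config=CONFIG) -> bool:
    """True when the stored mapping is missing, malformed, or no longer matches the
    issuing CA and the employee's identity, i.e. the case the text says the
    extension must catch after the account has been created."""
    try:
        issuer, subject = parse_alt_security_identity(current or "")
    except ValueError:
        return True
    s = rdns(subject)
    return (issuer != config["issuing-CA-dn"]
            or s.get("CN") != [employee_id] or s.get("E") != [mail])
```

Calling build_alt_security_identity("0277946", "Jsmith@contoso.com") reproduces the sample string above exactly. needs_update is the check an export flow rule would run on every pass: it returns True when the attribute is empty, when the mail or employeeID in the certificate subject has changed, and when the issuing CA's DN has changed, which are the conditions under which the text says the attribute must be refreshed for certificate authentication to keep working.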
The Contoso solution presented in this paper illustrates how MIIS 2003 with SP1 can deliver identity aggregation and attribute synchronization across a wide variety of directory and non-directory identity stores. MIIS 2003 with SP1 can automate the process of managing and updating identity information across heterogeneous platforms while maintaining the integrity and ownership of the data across an organization.
You can customize decisions and configurations required for attribute flow, join, projection, and attribute manipulation. Taken together with the other products in this solution, MIIS 2003 with SP1 provides a powerful addition to your identity and access management platform.
Synchronizing identity information establishes a foundation for several additional identity life-cycle management solutions, including:
The "Password Management" paper in this series provides additional information about how Contoso has extended this solution to ensure password strength and provide password change, reset, and propagation capabilities.
Many organizations build on aggregation and synchronization and use additional capabilities of MIIS 2003 with SP1, such as the automation of provisioning and deprovisioning.
Another useful solution enabled by aggregation and synchronization is the automated generation and maintenance of security groups and distribution lists.
For more information about these topics, please see the MIIS 2003 Scenario Walkthroughs, available on the Microsoft Identity Integration Server 2003 Web page.
You now understand the business requirements and specifications for implementing the solution that addresses the identity aggregation and synchronization issues at Contoso. This chapter provides prescriptive guidance on how to implement the necessary components of the identity and access management solution by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).
The prerequisites and implementation guidance in this chapter can be verified by following the guidance in Chapter 6, "Testing the Solution."
The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.
Note These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.
When you run the installer file, the resulting folder structure will look similar to the one displayed in the following figure, depending on where you choose to install it.
Figure 5.1. The Tools and Templates folder structure
This guide assumes that you have installed the Tools and Templates into the default location (%UserProfile%\My Documents\Identity and Access Management Tools and Templates). If you use a different installation location, ensure that you use the same path in all the steps in this document.
Note The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.
Table 5.1. The Baseline Folder
File name | Purpose |
SunOneObjects.ldf | This file is used to create users in Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) by using LDIFDE.exe. |
LotusObjects.txt | This file is used to create users in Lotus Notes 6.5.4 by using the Import function in Domino Administrator. |
MIIS Extensions are used for advanced flow rules and certificate mapping. The current source code was designed for this scenario and must be compiled into DLLs. These files must be placed into the Extensions directory in the MIIS folder structure. These extensions are then loaded and used during the synchronization process.
ExtranetDirectoryADMA Project — implements the ExtranetDirectoryADMAExtension.DLL file.
Table 5.2. The ExtranetDirectoryADMA Subfolder
File name | Purpose |
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
ExtranetDirectoryADMA.sln | The solution file used within the development environment. It organizes all elements of the Extranet Directory ADMA into a single solution. |
ExtranetDirectoryADMA.vb | VB.NET file for the Extranet Directory ADMA extension. |
ExtranetDirectoryADMA.vbproj | The project file for the Extranet Directory ADMA project. It contains the configuration and build settings and keeps a list of files associated with the project. |
IntranetDirectoryADMA Project — implements the IntranetDirectoryADMAExtension.DLL file.
Table 5.3. The IntranetDirectoryADMA Subfolder
File name | Purpose |
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
IntranetDirectoryADMA.sln | The solution file used within the development environment. It organizes all elements of the Intranet Directory ADMA into a single solution. |
IntranetDirectoryADMA.vb | VB.NET file for the Intranet Directory ADMA extension. |
IntranetDirectoryADMA.vbproj | The project file for the Intranet Directory ADMA project. It contains the configuration and build settings and keeps a list of files associated with the project. |
Lotus Notes MAExtension Project — implements the Lotus Notes MAExtension.dll file.
Table 5.4. The Lotus Notes MAExtension Subfolder
File name | Purpose |
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information. |
Lotus Notes MAExtension.sln | The solution file used within the development environment. It organizes all elements of the Lotus Notes MA into a single solution. |
Lotus Notes MAExtension.vb | VB.NET file for the Lotus Notes MA extension. |
Lotus Notes MAExtension.vbproj | The project file for the Lotus Notes MA project. It contains the configuration and build settings and keeps a list of files associated with the project. |
Table 5.5. The MA Configuration Folder
File name | Purpose |
IDMGTExtranet.xml | This configuration file is used to import configuration data that can be changed without having to modify the source code for configuration specific information. This file should be placed in the Extensions folder. |
MVSchemaExport.xml | This schema file updates the default metaverse schema that is created when installing MIIS 2003 with SP1. The scenario requires metaverse extension to add specific attributes. The MVSchemaExport.xml file imports these additional attributes into the metaverse which then update the default MIIS schema. |
Exported management agents contain saved MA configuration information, which can then be imported into MIIS 2003 with SP1 Identity Manager. The call-based MAs must check with the connected directory for a valid user account and password as well as connected directory specific partitions. You may need to change connection and partition information if the connected directory structure is not the same as that specified in the file.
Table 5.6. The MA Exports Folder
File name | Purpose |
ExtranetADMA.xml | Exported management agent for the External Directory MA. |
IntranetADMA.xml | Exported management agent for the Infrastructure Directory MA. |
LotusNotesMA.xml | Exported management agent for the Lotus Notes MA. |
The following scripts can be used in conjunction with Windows Scheduled Tasks to automate the MA synchronization runs.
Table 5.7. The Operations Folder
File name | Purpose |
MA-Runs.cmd | Used to serialize the runs of the management agents by calling runMA.vbs with the appropriate parameters for each MA run profile. |
runMA.vbs | Uses Windows Management Instrumentation (WMI) to execute MA runs based on MA name and profile. |
The Contoso identity and access management solution requires the following software. To implement and test the entire Contoso solution, all components must be installed. The recommended configuration is to implement all components in order to work through the entire solution from beginning to end. It is essential to install the software in the prescribed order for this scenario to work properly. Please refer to the diagram in Chapter 4 for a clear picture of the network architecture of these components:
For these implementation details to work correctly, you need to have a basic Contoso infrastructure implemented as introduced in the "Platform and Infrastructure" paper in this series, as described in the "Designing the Infrastructure" and "Implementing the Infrastructure" chapters, including:
An intranet Active Directory forest that contains the provided Contoso organizational units (OUs) and users.
An extranet Active Directory forest that contains the provided Contoso OUs, groups, and users.
A three-tier public key infrastructure (PKI) for certificate services, which is required for completion of the "Extranet Access Management" paper in this series.
Note The beginning of Chapter 6, "Testing the Solution" later in this paper provides some basic verification tests to ensure that your infrastructure is implemented correctly.
Implementing this solution scenario will involve performing the following activities, each of which is detailed in the following sections:
The Contoso design provides for the greatest possible isolation between the external and internal network. However, the design calls for the synchronization of shadow accounts in the extranet Active Directory. For this to work, you must open ports in the firewall between the intranet and extranet as shown in Tables 5.8 and 5.9. Configure the firewall to allow traffic initiation only from the intranet side over these ports.
In order to reduce the number of open ports, configure the remote procedure call (RPC) dynamic port allocation on the domain controller for perimeter.contoso.com in the external network. Contoso selected ports in the range 57500-57520.
For more information about setting dynamic RPC ports through a firewall, see How to configure RPC dynamic port allocation to work with firewalls.
For MIIS 2003 with SP1 (located in the intranet Active Directory forest corp.contoso.com) to connect to the extranet Active Directory forest (perimeter.contoso.com), the internal DNS service must be able to resolve addresses and service records for the external forest. In addition to opening the DNS ports in the firewall, also add a Conditional DNS forward directive in the intranet corp.contoso.com root nameserver that points to the extranet perimeter.contoso.com nameserver.
To configure conditional forwarders in the internal root domain controller
The following table lists all the outbound ports in the external firewall that need to be opened from the MIIS 2003 with SP1 server's IP address to the external domain controller's IP address.
Table 5.8. Outbound Ports from MIIS 2003 with SP1 Server to External Domain Controller
Outbound port | Protocol | Purpose |
389 | TCP and UDP | LDAP |
88 | TCP and UDP | Kerberos authentication protocol |
135 | TCP | RPC Endpoint Mapper |
57500-57520 | TCP | Dynamic RPC ports |
464 | TCP and UDP | Kerberos Change Password |
The following table lists the outbound port in the internal firewall that needs to be opened from the internal root domain controller's IP address to the external domain controller's IP address.
Table 5.9. Outbound Port from Internal Root Domain Controller to External Domain Controller
Outbound port | Protocol | Purpose |
53 | TCP and UDP | DNS |
After all the prerequisites have been installed and verified, you can run the provided scripts to further configure the Contoso environment. Configuring the Contoso environment for this MIIS 2003 with SP1 scenario involves creating a set of base level objects in Lotus Notes and Sun ONE Directory Server. Complete the following tasks to configure each respective system.
The Contoso Sun ONE Directory Server is required for authentication to legacy Contoso applications. If you have implemented the Sun ONE component in your solution, these scripts will create the required users needed for the Contoso scenario. These scripts should be executed from an open command prompt.
Execute the SunONEObjects.ldf file by using the ldifde.exe tool. Ensure that you execute ldifde.exe as follows from the command prompt:
LDIFDE.EXE -i -s <server name> -a "<target user DN>" * -f <Ldf Object Filename>
-i enables "import" mode for LDIFDE.
-s denotes the server name hosting the Sun ONE Directory.
-a specifies the full distinguished name of a valid Sun ONE user identity that will be used to perform a simple bind to LDAP. This identity must be for a user who currently exists in Sun ONE. This value must be followed by an asterisk *.
-f specifies the LDIF compliant file to process.
An example of script execution is as follows:
LDIFDE.EXE -i -s <Sun ONE Server> -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" * -f "%UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline\SunONEObjects.ldf"
You can execute the script remotely. If so, ensure that the target workstation has access to the Sun ONE Directory Server namespace.
To configure the Sun ONE Directory Server environment
LDIFDE.EXE -i -s FFL-SA-IPLANET -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" * -f "%UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline\SunONEObjects.ldf"
Replace FFL-SA-IPLANET with the hostname of your Sun ONE Directory Server.
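Before pointing LDIFDE at a live directory it is worth parsing the .ldf file once and checking it for the errors that would abort the import partway through. The following Python is an added example for this page; it is not part of the Tools and Templates, and the LDIF it embeds is a constructed sample in the shape of such an import file, not the content of SunONEObjects.ldf. The checks it applies (every record carries a dn and an objectClass, no duplicate dn or uid) are this example's own choice.

```python
"""Pre-flight check of an LDIF file before running LDIFDE -i against Sun ONE.

Added example; not part of the Tools and Templates, and the LDIF below is a
constructed sample in the shape of such a file, not SunONEObjects.ldf. The
checks (dn and objectClass present, no duplicate dn or uid) are this example's
own; they matter because a failed import leaves the entries that were already
added in the directory."""
import base64
from typing import Dict, List

SAMPLE_LDIF = """\
# constructed sample: two inetOrgPerson adds, one folded line, one base64 value
dn: uid=jsmith,ou=People,dc=contoso,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jsmith
cn: John Smith
sn: Smith
givenName: John
employeeNumber: 0277946
mail: Jsmith@contoso.com
description:: Q29udG9zbyBSJkQ=

dn: uid=aalberts,ou=People,dc=contoso,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: aalberts
cn: Amy Al
 berts
sn: Alberts
employeeNumber: 0061054
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into records (attribute name -> list of values), handling
    comments, folded continuation lines and base64 ('::') values."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        records.append(current)
    return records


def check_ldif(records: List[Dict[str, List[str]]]) -> List[str]:
    """Return the problems found; an empty list means the file is safe to import."""
    problems, seen_dn, seen_uid = [], set(), set()
    for n, rec in enumerate(records, 1):
        for attr in ("dn", "objectClass"):
            if attr not in rec:
                problems.append(f"record {n}: missing {attr}")
        dn = rec.get("dn", [""])[0].lower()
        if dn in seen_dn:
            problems.append(f"record {n}: duplicate dn {dn}")
        seen_dn.add(dn)
        for uid in rec.get("uid", []):
            if uid.lower() in seen_uid:
                problems.append(f"record {n}: duplicate uid {uid}")
            seen_uid.add(uid.lower())
    return problems
```

To use it on a real file, read the file's text and pass it to parse_ldif, then run check_ldif on the result; only when the problem list is empty run the LDIFDE command above. The sample exercises the two LDIF features that most often trip up hand-edited files: a value folded across two lines (the leading space on the continuation line is part of the syntax, not of the value) and a base64-encoded value introduced by a double colon.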
Lotus Notes is used for e-mail by the external Fabrikam organization. If you have implemented the Lotus Notes component in your solution, complete the following steps to manually add five test users.
Note You can add these users automatically by using the import function in the Lotus Notes Administrator program to import the LotusObjects.txt file into the Fabrikam Directory.
To configure the Lotus Notes environment
Table 5.10. Basic Tab Information for Fabrikam Users
First name | Last name | Short name | User name |
Robert | Barker | rbarker | Robert Barker/Fabcorp |
Richard | Byham | rbyham | Richard Byham/Fabcorp |
Susan | Eaton | Seaton | Susan Eaton/Fabcorp |
Table 5.11. Mail Tab Information for Fabrikam Users
Mail system | Domain | Mail server | Mail file | Internet address |
Notes | Fabrikam | FFL-sa-lotus | Robert Barker/Fabcorp | rbarker@fabrikam.com |
Notes | Fabrikam | FFL-sa-lotus | Richard Byham/Fabcorp | rbyham@fabrikam.com |
Notes | Fabrikam | FFL-sa-lotus | Susan Eaton/Fabrikam | seaton@fabrikam.com |
Table 5.12. Work/Home Tab Information for Fabrikam Users
Title | Company | Department | EmployeeID | Manager | City | Country |
Engineer II | Fabrikam | Research & Development | 0871357 | rbyham | London | United Kingdom |
Manager Research & Development | Fabrikam | Research & Development | 0681581 | dbradley | London | United Kingdom |
Engineer | Fabrikam | Research & Development | 0089171 | rbyham | London | United Kingdom |
Table 5.13. Basic Tab Information for Contoso Users
First name | Last name | Short name | User name |
Amy | Alberts | aalberts | aalberts |
David | Bradley | dbradley | dbradley |
Table 5.14. Mail Tab Information for Contoso Users
Mail system | Forwarding address |
Other Internet Mail | aalberts@contoso.com |
Other Internet Mail | dbradley@contoso.com |
Table 5.15. Work/Home Tab Information for Contoso Users
Personal title | Company | Department | EmployeeID | Manager | City | Country |
Research Assistant | Contoso | Customer Service | 0061054 | rbyham | Palo Alto | United States |
Chief Executive Officer | Contoso | Operations | 0042399 | | Palo Alto | United States |
When complete, there should be five users (three from Fabrikam and two from Contoso) present in the environment.
The tasks in this section provide guidance for installing MIIS 2003 with SP1 and configuring it for the sample Contoso environment. These tasks include:
The steps in this task assume that Windows Server 2003, Enterprise Edition, Microsoft SQL 2000, and MIIS 2003 with SP1 are installed on the C: drive.
Important Perform these instructions in the prescribed sequence. Performing any steps out of order may cause the scenario to fail.
To install MIIS 2003 with SP1 and perform basic configuration
Note This is only for test systems, as production systems would typically not include Visual Studio. On production systems, all debugging should be done in the test environment, and only the changed DLL should be moved into Visual Source Safe (VSS). When the DLL is in VSS, it can then be checked out and moved into the production system.
MIIS 2003 with SP1 uses service accounts for several MAs, such as the Active Directory and the SQL Server MAs. You must ensure that these service accounts exist before you install MIIS 2003 with SP1.
To create the service accounts
The Microsoft Identity Integration Server service runs in the security context of a specific account. Because the account will have access to all of the MIIS 2003 with SP1 resources, this account should be locked down.
The Active Directory MA Accounts in the intranet and extranet Active Directory forests must have permission to discover objects and their attributes as well as write attribute updates to those accounts. Because Contoso has not yet implemented provisioning and deprovisioning of user accounts, permissions are not required to create and delete objects.
To configure the service accounts for appropriate access
Repeat the previous steps for the extranet Active Directory perimeter.contoso.com using the MIISADExtranet account.
Note Replicate Directory Changes is required on each domain in the forest for which you will be discovering objects. For more information about how to set the Replicate Directory Changes permission, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.
Repeat the previous steps in the extranet Active Directory for the MIISADExtranet account in this organizational unit: OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com
Note The Write All Properties permission should be assigned on all objects in each OU that MIIS service accounts need to manage.
This task installs MIIS 2003 with SP1 with the default settings.
To install MIIS 2003 with SP1
Note If a user other than an administrator for MIIS 2003 with SP1 runs this scenario, you must first add the user to the MIISAdmins group.
There are several MIIS Extensions included with the Tools and Templates for this paper. These extensions need to be compiled into DLLs for use with MIIS 2003 with SP1.
To open the MIIS Extensions and compile the DLLs
This creates the IntranetDirectoryADMA.dll file.
Table 5.16. Additional Custom Extension Projects
Project name | Compiled .dll file |
ExtranetDirectoryADMA | ExtranetDirectoryADMA.dll |
Lotus Notes MAExtension | Lotus Notes MAExtension.dll |
<MIIS Installation Directory>\Extensions directory.
Note The default MIIS 2003 with SP1 installation directory is C:\Program Files\Microsoft Identity Integration Server.
Table 5.17. Configuration Parameters for the Extranet Management Agent
XML variable | Use | Typical value |
Ext-upn-suffix | UPN suffix for extranet Active Directory domain users. | @na.corp.contoso.com |
ExtMailDomain | E-mail domain for extranet users. | @contoso.com |
issuing-CA-dn | Distinguished name for issuing CA in reverse order format. | DC=com,DC=contoso,DC=corp,CN=ICA |
CA-subject-prefix | Distinguished name for users in CA subject in reverse order format. | DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees |
You must complete this task if you implement Sun ONE Directory Server integration.
To configure MIIS 2003 with SP1 for Sun ONE Directory Server 5.1 integration
Note To enable secure connections to your Sun ONE Directory server, enable SSL on Sun ONE.
You must complete this task if you implement Lotus Notes integration.
To configure MIIS 2003 with SP1 for Lotus Notes integration
This section provides detailed procedures to configure the four management agents (MAs). During this process, you also will configure the following management agent functionality:
You will use MIIS 2003 with SP1 Identity Manager to create the four MAs and specify all of the details for object, attribute, and rule selection for each of them. To accomplish this you must complete the following tasks in the order they are listed:
This scenario requires you to add two attributes to the MIIS 2003 with SP1 schema. In order to expedite this process, use the exported metaverse schema to import these attributes into MIIS.
To extend the metaverse schema using an exported metaverse schema
The following attributes should be added for Object Type: Person by the metaverse schema import process:
Now you can define the options for the Sun ONE Directory Server 5.1 MA to enable it to import existing Sun ONE directory data. In the following task, you will create the join rule and the conditions in which connector space objects for the Sun ONE Directory Server MA join to the metaverse person object. You will also create import and export attribute flow mappings for the Sun ONE Directory MA data source attributes.
To create the Sun ONE Directory Server 5.1 MA
Note For secure communications to the Sun ONE Directory Server, enable SSL on the server and select Enable Secure Sockets Layer (SSL) for communications on the Create Management Agent, Specify Logon Information page.
Table 5.18. Sun ONE Directory MA Attribute Mapping
Sun ONE Directory attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction |
description | company | Direct | Export |
displayName | displayName | Direct | Export |
employeeNumber | employeeID | Direct | Export |
facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export |
givenName | givenName | Direct | Export |
l | l | Direct | Export |
| | Direct | Export |
sn | sn | Direct | Export |
telephoneNumber | telephoneNumber | Direct | Export |
title | title | Direct | Export |
uid | uid | Direct | Export |
manager | manager | Direct | Import |
Complete the following steps to accomplish this task. Please note that "Intranet Directory" refers to the corp.contoso.com domain.
To set up the Intranet Directory MA
The Configure Directory Partition pane opens if the account and password are validated.
Note If you are using different forest or domain names than corp.contoso.com, a Partition Matching dialog box will appear. If this occurs, in the right pane of the Existing Partitions field, clear all existing partitions except for the Active Directory domain to which users will be provisioned. Leave only one domain partition selected. Click Match and then click OK.
Table 5.19. Attribute Flow for the Intranet Active Directory MA
Intranet directory attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction |
c | company, c | Advanced | Export |
co | company, co | Advanced | Export |
company | company | Advanced | Export |
department | company, department | Advanced | Export |
displayName | company, displayName | Advanced | Export |
employeeID | company, employeeID | Advanced | Export |
facsimileTelephoneNumber | company, facsimileTelephoneNumber | Advanced | Export |
givenName | company, givenName | Advanced | Export |
l | company, l | Advanced | Export |
| company, mail | Advanced | Export |
mailNickName | company, sAMAccountName | Advanced | Export |
sAMAccountName | company, sAMAccountName | Advanced | Export |
sn | company, sn | Advanced | Export |
targetAddress | company, mail | Advanced | Export |
telephoneNumber | company, telephoneNumber | Advanced | Export |
title | company, title | Advanced | Export |
company, c | c | Advanced | Import |
company, co | co | Advanced | Import |
company, department | department | Advanced | Import |
company, displayName | displayName | Advanced | Import |
company, employeeID | employeeID | Advanced | Import |
company, facsimileTelephoneNumber | facsimileTelephoneNumber | Advanced | Import |
company, givenName | givenName | Advanced | Import |
company, l | l | Advanced | Import |
company, mail | | Advanced | Import |
company, sAMAccountName | sAMAccountName | Advanced | Import |
company, sn | sn | Advanced | Import |
company, telephoneNumber | telephoneNumber | Advanced | Import |
company, title | title | Advanced | Import |
manager | manager | Direct | Import |
userPrincipalName | userPrincipalName | Direct | Import |
company | company | Advanced | Import |
Complete the following steps to accomplish this task. Please note that "Extranet Directory" refers to the perimeter.contoso.com domain.
To set up the Extranet Directory MA
The Configure Directory Partition pane opens if the account and password are validated.
Note If you are using different OUs than those preconfigured in the MA export, locate the Select Containers box in the Configure Directory Partition pane and then click Containers. Expand the console tree, ensure that the OUs you are using are selected, and then click OK.
Table 5.20. Attribute Flow for the Extranet Active Directory MA
Extranet directory attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction |
altSecurityIdentities | samAccountName | Advanced | Export |
c | c | Direct | Export |
co | co | Direct | Export |
company | company | Direct | Export |
department | department | Direct | Export |
employeeID | employeeID | Direct | Export |
givenName | givenName | Direct | Export |
l | l | Direct | Export |
| | Direct | Export |
manager | manager | Direct | Export |
sAMAccountName | sAMAccountName | Direct | Export |
sn | sn | Direct | Export |
userPrincipalName | userPrincipalName, samAccountName | Advanced | Export |
After completing this procedure, verify that the Extranet Directory parameters are correctly defined in the <MIIS Installation Directory>\Extensions\IDMGMTExtranet.xml file. The extension DLLs read this XML file to use the information it contains when processing export flow rules.
Note MIIS 2003 with SP1 validates the account access to Lotus Notes through the installed Lotus Notes client on the MIIS 2003 with SP1 server. You must access Lotus Notes by using the Notes administrator before you continue the management agent creation process.
To create this management agent, you will import the saved (exported) configuration file to accomplish this task.
To create the Lotus Notes management agent
Note You must supply the Lotus Notes administrator password to open the OU.
Table 5.21. Attribute Flow for the Lotus Notes MA
Lotus Notes attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction |
companyName | company | Advanced | Export |
department | company, department | Advanced | Export |
employeeID | company, employeeID | Advanced | Export |
firstName | company, givenName | Advanced | Export |
lastName | company, sn | Advanced | Export |
mailAddress | company, mail | Advanced | Export |
officeCity | company, l | Advanced | Export |
officeCountry | company, co | Advanced | Export |
officeFaxPhoneNumber | company, facsimileTelephoneNumber | Advanced | Export |
officePhoneNumber | company, telephoneNumber | Advanced | Export |
shortName | company, sAMAccountName | Advanced | Export |
title | company, title | Advanced | Export |
companyName | company | Advanced | Import |
companyName, department | department | Advanced | Import |
companyName, lastName, firstName | displayName | Advanced | Import |
companyName, employeeID | employeeID | Advanced | Import |
companyName, firstName | givenName | Advanced | Import |
companyName, lastName | sn | Advanced | Import |
companyName, internetAddress | | Advanced | Import |
companyName, officeCity | l | Advanced | Import |
companyName, officeCountry | co | Advanced | Import |
companyName, officeFaxPhoneNumber | facsimileTelephoneNumber | Advanced | Import |
companyName, officePhoneNumber | telephoneNumber | Advanced | Import |
companyName, shortName | sAMAccountName | Advanced | Import |
companyName, title | title | Advanced | Import |
manager | manager | Direct | Import |
The metaverse schema that was imported earlier in the implementation has already set both attribute precedence and manual precedence. Use the following guidance for a better understanding of how and what was set with this solution.
To create the attribute precedence flow
Table 5.22. Attribute Flow Precedence
Metaverse attribute | Management agent name | Rank |
manager | Intranet Directory MA | 1 |
manager | Lotus Notes MA | 2 |
manager | Sun ONE Directory MA | 3 |
Manual precedence can be set when all management agents with import flow rules are using advanced flow rules. Contoso uses manual precedence to allow two different management agents to be authoritative over attributes into the metaverse. For Fabrikam users Lotus Notes will be authoritative. For Contoso users the Intranet Directory MA will be authoritative.
To set manual attribute flow precedence
The next task is to create run profiles for each of the management agents. The following steps use the Sun ONE Directory MA as an example, because this agent requires you to define four run profiles.
To create run profiles for the Sun ONE Directory MA
Follow steps 1 through 6 to create three more single-step and one two-step run profiles by using the parameters provided in the following table. Then click OK to close the Configure Run Profiles for "Sun ONE Directory MA" dialog box.
Table 5.23. Additional One-step Run Profiles for the Sun ONE Directory MA
Run profile name | Type |
Delta Synchronization | Delta Synchronization |
Delta Import (Stage Only) | Delta Import (Stage Only) |
Full Synchronization | Full Synchronization |
Note You must have the Retro Changelog plug-in enabled to be able to create a Delta Import run profile. It is strongly recommended that you configure deltas, as it will decrease the processing time of the MA run. For all other MAs, the run profiles should be imported during the Management Agent Import process. The exception will be if the partition information changes—for example, if the Active Directory MA is configured to use a different domain name in your test environment. In this case, the run profiles might be missing and therefore you must create new run profiles. Thus, each MA should be checked after it is imported to verify the run profile information is configured correctly.
To create two-step run profiles for the Sun ONE Directory MA
Table 5.24. Additional two-step run profile for the Sun ONE Directory MA
Run profile name | Type |
Export | Step 1: Export; Step 2: Delta Import/Delta Synchronization |
The following sections divide identity integration operations for Contoso into different tasks. An overview of these stages and the tasks within each is provided here, and the following sections provide step-by-step instructions for each of the tasks.
MIIS identity aggregation operations consist of 7 tasks. This operational stage takes existing data from the baseline installation and propagates it to other systems.
To initialize MIIS 2003 with SP1 connector spaces, you will need to run each management agent you created in the previous section. You can initialize connector space by running the management agent with a Full Import (Stage Only).
To run the Intranet Directory management agent full import
Note If the status does not show success, examine the error and correct it.
Use steps 1 through 5 to complete the initialization process for the run profiles in the following table.
Table 5.25. Additional Run Profiles to Complete MIIS 2003 with SP1 Initialization
Management agent | Run profile |
Lotus Notes MA | Full Import (Stage Only) |
Sun ONE Directory MA | Full Import (Stage Only) |
Extranet Directory MA | Full Import (Stage Only) |
Complete the following steps to accomplish this task.
To synchronize intranet Active Directory Contoso users
This step projects intranet Active Directory Contoso users into the metaverse. Fabrikam users will remain unjoined (called disconnector objects in MIIS 2003 with SP1) because they have not been projected into the metaverse yet. To view the connector space, on the Actions menu, click Search Connector Space.
Complete the following steps to accomplish this task.
To synchronize Lotus Notes users
This step projects Lotus Notes Fabrikam users into the metaverse and joins Contoso users projected in the metaverse in Task 2. To view the connector space, on the Actions menu, click Search Connector Space.
Note If the status does not show success, examine the error and correct it.
Complete the following steps to accomplish this task.
To synchronize Intranet Directory Contoso users
This step joins intranet Active Directory Fabrikam users to existing metaverse objects. When you ran the first Full Synchronization on the Intranet Directory MA, the Fabrikam users remained disconnector objects because the Lotus Notes MA had not yet projected them into the metaverse. Now that Task 3 has projected them, running another Full Synchronization on the Intranet Directory MA joins the Fabrikam users to the existing metaverse objects. To view the connector space, on the Actions menu, click Search Connector Space.
Complete the following steps to accomplish this task.
To join staged Extranet Active Directory users to existing metaverse users
This step joins extranet Active Directory information with users in the metaverse. To view the connector space, on the Actions menu, click Search Connector Space.
Complete the following steps to accomplish this task.
To join staged Sun ONE Directory users to existing metaverse users
This step joins Sun ONE Directory information with users in the metaverse. To view the connector space, on the Actions menu, click Search Connector Space.
Complete the following steps to accomplish this task.
To export metaverse attribute updates to existing users
Table 5.26. Additional Run Profiles to Complete MIIS 2003 with SP1 Exports
Management agent | Run profile |
Intranet Directory MA | Export |
Sun ONE Directory MA | Export |
Extranet Directory MA | Export |
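The seven operational tasks above are a fixed sequence of run profiles, and each run must end with a status of success before the next one starts. The following PowerShell script is an added example, not part of this guide or of the Contoso solution files; it drives that sequence through the MIIS 2003 WMI provider (namespace root\MicrosoftIdentityIntegrationServer, classes MIIS_ManagementAgent and MIIS_RunHistory) and, when a run does not succeed, saves the run details to a file the way the "To save a run history" procedure later in this paper does by hand. It assumes the management agent and run profile names used in this chapter, that the Lotus Notes MA also has an Export run profile (Table 5.26 lists only the additional export profiles), and that the WMI provider exposes the MIIS_RunHistory.RunDetails() method.

```powershell
# Added example: drives the seven aggregation tasks through the MIIS 2003 WMI provider
# and stops at the first run whose status is not "success". Run it on the MIIS server
# as a member of MIIS Admins (MIIS Operators is sufficient to run the profiles).
$ns = 'root\MicrosoftIdentityIntegrationServer'

# Order matters: stage every connector space first, then project and join in
# dependency order, then export. The Lotus Notes export step is assumed; the
# guide's Table 5.26 lists only the additional export profiles.
$sequence = @(
    @('Intranet Directory MA', 'Full Import (Stage Only)'),   # Task 1: initialize connector spaces
    @('Lotus Notes MA',        'Full Import (Stage Only)'),
    @('Sun ONE Directory MA',  'Full Import (Stage Only)'),
    @('Extranet Directory MA', 'Full Import (Stage Only)'),
    @('Intranet Directory MA', 'Full Synchronization'),       # Task 2: project Contoso users
    @('Lotus Notes MA',        'Full Synchronization'),       # Task 3: project Fabrikam, join Contoso
    @('Intranet Directory MA', 'Full Synchronization'),       # Task 4: join Fabrikam AD users
    @('Extranet Directory MA', 'Full Synchronization'),       # Task 5: join extranet users
    @('Sun ONE Directory MA',  'Full Synchronization'),       # Task 6: join Sun ONE users
    @('Lotus Notes MA',        'Export'),                     # Task 7: export metaverse updates (assumed profile)
    @('Intranet Directory MA', 'Export'),
    @('Sun ONE Directory MA',  'Export'),
    @('Extranet Directory MA', 'Export')
)

function Invoke-MARun {
    param([string]$MaName, [string]$RunProfile)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    $started = Get-Date
    # Execute blocks until the run finishes and returns the same status string that
    # Identity Manager shows in the Operations view (for example "success" or
    # "stopped-extension-dll-file-not-found").
    $status = $ma.Execute($RunProfile).ReturnValue
    Write-Host ("{0,-22} {1,-26} {2,-36} {3,6:N0}s" -f $MaName, $RunProfile, $status, ((Get-Date) - $started).TotalSeconds)
    return $status
}

function Save-LastRunDetails {
    param([string]$MaName)
    # Assumes the provider exposes MIIS_RunHistory.RunDetails(), which returns the run's XML report.
    $run = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory -Filter "MaName='$MaName'" |
           Sort-Object { [int]$_.RunNumber } -Descending | Select-Object -First 1
    $file = Join-Path $env:TEMP ("{0}-run{1}.xml" -f ($MaName -replace '\s', ''), $run.RunNumber)
    $run.RunDetails().ReturnValue | Out-File -FilePath $file -Encoding UTF8
    return $file
}

foreach ($step in $sequence) {
    $status = Invoke-MARun -MaName $step[0] -RunProfile $step[1]
    if ($status -ne 'success') {
        $file = Save-LastRunDetails -MaName $step[0]
        throw "'$($step[1])' on '$($step[0])' ended with '$status'; run details saved to $file. Correct the error before continuing."
    }
}
```

Stopping at the first non-success status is deliberate: an export that runs after a failed synchronization pushes incomplete metaverse data into the connected directories, and the later joins depend on the earlier projections having succeeded.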
This chapter describes how to validate the implemented solution scenarios from the previous chapter. It also provides some troubleshooting steps to help with common implementation challenges. Comprehensive guidance for testing the end-to-end user and administrator experience is not provided.
Before you start to test the implementation guidance in this paper, there are a few basic verification tests that you should perform to ensure correct configuration of the solution infrastructure. These prerequisite tests are designed to provide you with a means to quickly check that your network setup complies with the "Implementation Prerequisites" section in Chapter 5, "Implementing the Solution," before undergoing further implementation testing.
Tests to validate the prerequisites include:
Complete the following tests to verify that both intranet and extranet domain controllers are working properly and not generating any errors.
To verify that the domain controllers are working correctly
The dcdiag utility executes a series of tests. All tests should pass.
To check the domain controllers' event logs for errors
There should not be any errors in the logs.
Complete the following tests to verify that the Lotus Notes and Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) servers are working properly.
To verify the Lotus Notes server is working correctly
The user interface (UI) should display the server status as Listening for TCP/IP connections.
To verify the Sun ONE Directory Server is working correctly
The UI should display server status as Started.
Complete the following steps to confirm that SMTP addresses end in @contoso.com.
To verify the Exchange server is configured correctly
The Exchange server must have an address of type SMTP with the value @contoso.com.
Complete the following steps to confirm that domain name lookups to both the intranet and extranet domains work properly from the Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1) server.
To verify domain name lookups
Name: na.corp.contoso.com
Address: 192.168.0.202
NSLOOKUP must succeed when it uses the fully qualified domain names (FQDNs) of the intranet and extranet domains.
Complete the following steps to verify network connectivity to the intranet and extranet domain controllers, the Sun ONE Directory Server, and the Lotus Domino server.
To verify network connectivity
All network connectivity tests should pass without failure.
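The prerequisite tests above (domain controller health, name resolution of both domain FQDNs, and connectivity to each connected directory) can be run together from the MIIS 2003 with SP1 server. The following PowerShell script is an added example and not part of this guide; it assumes that dcdiag.exe from the Windows Support Tools is installed on the MIIS server, that the domain FQDNs used in this paper resolve to a domain controller, and that the Sun ONE and Domino host names and the ports (LDAP 389, Domino NRPC 1352) match your environment; the Fabrikam host names below are placeholders.

```powershell
# Added example: prerequisite checks run from the MIIS 2003 with SP1 server.
# The domain names come from the Contoso scenario; the Sun ONE and Domino host names
# and the port numbers are assumptions to replace with your own values.
$checks = @(
    @{ Name = 'Intranet DC (LDAP)';  Host = 'na.corp.contoso.com';   Port = 389  },
    @{ Name = 'Extranet DC (LDAP)';  Host = 'perimeter.contoso.com'; Port = 389  },
    @{ Name = 'Sun ONE Directory';   Host = 'sunone.fabrikam.com';   Port = 389  },   # assumed host
    @{ Name = 'Lotus Domino (NRPC)'; Host = 'domino.fabrikam.com';   Port = 1352 }    # assumed host
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Name resolution: the FQDN of each domain must resolve (the nslookup test above).
foreach ($fqdn in 'na.corp.contoso.com', 'perimeter.contoso.com') {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        Write-Host ("DNS  {0,-28} OK    {1}" -f $fqdn, ($addrs -join ', '))
    } catch {
        Write-Host ("DNS  {0,-28} FAIL  {1}" -f $fqdn, $_.Exception.Message)
    }
}

# 2. Connectivity: each connected directory must accept a TCP connection on the port its MA uses.
#    A blocked intranet firewall rule shows up here as a FAIL on the extranet DC.
foreach ($c in $checks) {
    $ok = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    Write-Host ("TCP  {0,-28} {1,-5} {2}:{3}" -f $c.Name, $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Host, $c.Port)
}

# 3. Domain controller health: dcdiag must not report any failed test.
foreach ($dc in 'na.corp.contoso.com', 'perimeter.contoso.com') {
    $out = & dcdiag.exe "/s:$dc" 2>&1
    $failed = $out | Select-String -Pattern 'failed test'
    if ($failed) {
        Write-Host ("DCD  {0,-28} FAIL  {1}" -f $dc, ($failed -join '; '))
    } else {
        Write-Host ("DCD  {0,-28} OK" -f $dc)
    }
}
```

The TCP check only proves that the port is reachable through the firewalls; it does not validate the MIISADIntranet, MIISADExtranet or Lotus Notes credentials, which the management agent configuration dialogs test when you create each MA.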
After the "Contoso Baseline Preparation" and "Intranet Firewall Configuration" sections in Chapter 5, "Implementing the Solution," have been completed in your environment, you are ready to validate your implementation to ensure that the base environment meets the Contoso requirements. Executing the tests in this section will help ensure smooth implementation of the scenarios.
Use the information in the following sections to ensure that the base environment you established in a test lab environment is a valid representation of the Contoso scenario.
Tests to validate the base environment include:
Complete the following steps to verify that the required Storage Groups and Mailbox stores exist on the Microsoft Exchange server.
To verify Exchange server Storage Groups and Mailbox stores
The specified Storage Groups and Mailbox stores should be present and mounted.
Complete the following steps to verify that organizational units (OU) and user accounts have been created in the intranet domain na.corp.contoso.com.
To verify intranet OUs and user accounts
OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com
OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com
OU=Disabled,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com
OU=Groups,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com
OU=Solaris Workstation,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com
OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com
The specified OUs and user accounts should exist in the intranet domain.
Complete the following steps to verify that OUs and user accounts have been created in the extranet domain perimeter.contoso.com.
To verify extranet OUs and user accounts
OU=Accounts,DC=perimeter,DC=contoso,DC=com
OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com
OU=Disabled,OU=Accounts,DC=perimeter,DC=contoso,DC=com
OU=Groups,OU=Accounts,DC=perimeter,DC=contoso,DC=com
OU=Internal,OU=Accounts,DC=perimeter,DC=contoso,DC=com
OU=Trial Users,OU=Accounts,DC=perimeter,DC=contoso,DC=com
OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com
The specified OUs and user accounts should exist in the extranet domain.
Complete the following tests to verify that user accounts have been created in the Lotus Notes and Sun ONE Directory Server 5.1 servers.
To verify user accounts on a Lotus Notes server
The UI should display Lotus Notes user accounts with a Company attribute of Fabrikam.
To verify user accounts in Sun ONE Directory Server 5.1
The UI should display Sun ONE Directory user accounts with an SMTP mail address attribute equal to @fabrikam.com.
Complete the following steps to verify that an intranet firewall rule has been configured to allow the MIIS 2003 with SP1 server to communicate with the extranet domain controller.
To verify configuration of the intranet firewall
The specified firewall rules should exist and have been properly configured.
Use the information in the following sections to test that aggregation and synchronization of identity data is correctly configured. Additionally, these tests validate that the scenario is working according to the requirements defined by Contoso.
Tests to validate aggregation and synchronization include:
Complete the following steps to verify the installation of Microsoft SQL Server™ 2000 on the MIIS 2003 with SP1 server.
To verify the installation of SQL Server 2000
SQL Server 2000 should be running.
Complete the following steps to verify the installation of the Visual Studio .NET development environment.
To verify the installation of Visual Studio .NET
The Visual Studio .NET development environment should open without any errors.
Complete the following steps to verify the installation of MIIS 2003 with SP1.
To verify the installation of MIIS 2003 with SP1
Identity Manager should open without any errors.
Complete the following steps to verify the kdcWaitTime registry key setting.
To verify the kdcWaitTime setting
There should be a REG_DWORD value named KdcWaitTime and its value should be set to 30 (decimal value).
Complete the tests in this section to verify the creation of management agent (MA) assemblies, that they are copied to the appropriate folder, that the configuration settings in the IDMGTExtranet.xml file are correct, and that the MAs are created in Identity Manager.
To verify MA assembly creation
The management agent solutions should compile and create the following MA assemblies without any errors:
No errors should occur while building the solutions.
To verify that the MA assemblies are copied to the appropriate folder
All the assemblies should exist in the \Extensions folder of the MIIS 2003 with SP1 server.
To verify the configuration settings in IDMGTExtranet.xml
The configuration file IDMGTExtranet.xml should be present in the MIIS 2003 with SP1 server's \Extensions folder and have the correct settings.
To verify that MAs are created in Identity Manager
All the specified MAs should exist in Identity Manager.
Complete the tests in this section to verify aggregation of identity attribute information from various groups of users to the metaverse.
Each of the searches performed in these tests should return an instance of a person object in the metaverse.
To verify aggregation of information from users in the intranet Active Directory
To verify aggregation of information from users in the extranet Active Directory
To verify aggregation of information from Sun ONE users
To verify aggregation of information from Lotus Notes users
Complete the tests in this section to verify the synchronization of identity attribute information from persons in the metaverse to users in the organization.
To verify synchronization of information to users in the intranet Active Directory
User objects should have the specified attributes populated in the intranet Active Directory.
To verify synchronization of information to users in the extranet Active Directory
User objects should have the specified attributes populated in the extranet Active Directory.
To verify synchronization of information to Lotus Notes Person records
The Person records should have the specified attributes populated in Lotus Notes.
To verify synchronization of information to Sun ONE inetOrgPerson records
The inetOrgPerson records should have the specified attributes populated in Sun ONE Directory Server 5.1.
Complete the following steps to verify that synchronized Lotus Notes accounts for users in the intranet Active Directory have contoso.com e-mail addresses.
To verify the configuration of synchronized Lotus Notes accounts
Synchronized Lotus Notes accounts for intranet Active Directory users should have the Internet address attribute populated as specified.
Complete the following steps to verify that intranet Active Directory Exchange users are synchronized as Person records in Lotus Notes with the Internet address attribute properly set.
To verify synchronization of intranet Active Directory Exchange users
Intranet Active Directory Exchange users should be synchronized as Person records in Lotus Notes.
Complete the following steps to verify that telephone number changes to intranet Active Directory users are propagated to the Lotus Notes server.
To verify changes are propagated to Lotus Notes
The telephone number of the person should be changed in the Lotus Notes server.
Complete the following steps to verify certificate mapping for extranet users.
To verify certificate mapping
The value for the altSecurityIdentities attribute should be populated by the MA of the directory used for certificate mapping.
This section of the chapter provides information about some common errors that you may encounter while testing this scenario and how to most likely resolve them. However, the information provided in the following tables is not an exhaustive list of errors and troubleshooting procedures.
Table 6.1. Troubleshooting Baseline Procedures
Error | Troubleshooting procedure |
Cannot open dsa.msc. | Ensure that the account being used to open dsa.msc has administrative privileges. |
Cannot connect to the Lotus Notes server using Lotus Domino Administrator from the MIIS 2003 with SP1 server. | Verify that the Lotus Notes server is running and listening for TCP/IP connections. Verify that the latest Cert.id and User.id files are updated in the <Lotus Installation folder>\Notes\Data folder. |
Cannot open Identity Manager. | Ensure that the account used to open Identity Manager is a member of the MIIS Admins group. |
Table 6.2. Troubleshooting Aggregation and Synchronization
Error | Troubleshooting procedure |
Status "stopped-extension-dll-file-not-found" when running Full Synchronization for any MA; the MA state returns to Idle. | Check that the following DLL files are present in the <MIIS 2003 with SP1 Installation folder>\Extensions folder: IntranetDirectoryADMA.dll, ExtranetDirectoryADMA.dll, and Lotus Notes MAExtension.dll. |
Error: Permission-issue Connected data source error: Insufficient access rights to perform the operation | Verify the MIISADIntranet and MIISADExtranet accounts are given adequate permissions as described in the "Service Account Configuration" section in Chapter 5, "Implementing the Solution." |
Error: Missing-DN While running Full Import (Stage Only) of Lotus Notes MA | Verify the properties of Lotus Notes users are populated in the manual process as described in the "Populate Lotus Notes" task in the "Contoso Baseline Preparation" section of Chapter 5, "Implementing the Solution." |
This chapter describes certain activities required to administer the Contoso identity and access management solution. It includes details on managing the database for Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1), monitoring for errors, and troubleshooting issues.
MIIS 2003 with SP1 stores the entire metaverse in a Microsoft SQL Server™ database. This section describes some database management activities.
MIIS 2003 with SP1 database sizes will vary based on the number of objects processed through the system, the number of management agents, and the number of multivalued and reference attributes. However, run history data is very expensive in terms of increasing database size.
Run history information is detailed and consumes a lot of space in the database. To manage the size of the database, it is important to manage run histories information in MIIS 2003 with SP1. It's possible to clear run histories manually with Identity Manager, but the best way of managing this information is to automate the process on a predefined schedule.
You can automate the clearing of run histories by using Windows Management Instrumentation (WMI) or with the MIIS_ClearRunHistory.exe tool, which is part of the MIIS Resource Tool Kit. For more information, download the Resource Tool Kit from the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0 page.
Simple versus full recovery mode for a Microsoft SQL Server database affects log file size. The MIIS 2003 with SP1 database is set to simple recovery mode by default. In most of the configuration for MIIS 2003 with SP1, full recovery mode is not required due to the nature of MIIS 2003 with SP1 server data, and the fact that it can be rebuilt from existing connected directory data.
Simple recovery mode lets SQL Server reuse log space after each checkpoint, which keeps the log file small between backups. The exception is a large, delayed cleanup: if you do not clear run history regularly, you may eventually have to delete a very large number of run histories at once. MIIS 2003 with SP1 deletes run histories in a single transaction, so even in simple recovery mode the log cannot be truncated until that transaction commits; the delete can take a considerable amount of time, and the log file grows for the whole duration.
If the log file drive does not have the capacity to absorb that growth, you will run out of disk space and have to truncate the log file by using Query Analyzer. If the problem is significant (for example, a large buildup of run histories on a small drive that cannot be enlarged), use a batch file to clear the run history in small increments and truncate the log file between runs.
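The incremental approach described above can be scripted against the same WMI provider that MIIS_ClearRunHistory.exe uses. The following PowerShell script is an added example and not part of this guide or the Resource Tool Kit; it assumes that MIIS_Server.ClearRuns() takes a UTC timestamp in the form yyyy-MM-dd HH:mm:ss.fff and deletes every run that ended before it, that the MIIS database is on a local SQL Server 2000 instance with the default database name, and that osql.exe is available to run the SQL Server 2000 log truncation statement (BACKUP LOG ... WITH TRUNCATE_ONLY, which later SQL Server versions no longer accept).

```powershell
# Added example: clears run history in weekly slices and truncates the MIIS transaction
# log between slices, so no single delete transaction can fill the log drive.
# The SQL instance, database name and retention period are assumptions.
$ns        = 'root\MicrosoftIdentityIntegrationServer'
$sqlServer = 'localhost'                           # assumed: SQL Server 2000 instance hosting MIIS
$database  = 'MicrosoftIdentityIntegrationServer'  # default MIIS 2003 database name
$keepDays  = 30                                    # run history younger than this is retained
$sliceDays = 7                                     # size of each delete transaction, in days

$server = Get-WmiObject -Namespace $ns -Class MIIS_Server
$oldest = Get-WmiObject -Namespace $ns -Class MIIS_RunHistory |
          ForEach-Object { [datetime]$_.RunStartTime } | Sort-Object | Select-Object -First 1
if (-not $oldest) { Write-Host 'No run history to clear.'; return }

$limit  = (Get-Date).ToUniversalTime().AddDays(-$keepDays)
$cutoff = $oldest.AddDays($sliceDays)
while ($cutoff -le $limit) {
    # One small delete transaction per slice (assumed format: UTC, yyyy-MM-dd HH:mm:ss.fff).
    $result = $server.ClearRuns($cutoff.ToString('yyyy-MM-dd HH:mm:ss.fff')).ReturnValue
    Write-Host ("ClearRuns for runs before {0:yyyy-MM-dd HH:mm} UTC: {1}" -f $cutoff, $result)
    if ($result -ne 'success') { throw "ClearRuns returned '$result'; stopping." }

    # Release the log space used by the slice before starting the next one
    # (SQL Server 2000 syntax; -E uses the caller's Windows credentials).
    & osql.exe -E -S $sqlServer -d $database -Q "CHECKPOINT; BACKUP LOG [$database] WITH TRUNCATE_ONLY"
    if ($LASTEXITCODE -ne 0) { throw "Log truncation failed with exit code $LASTEXITCODE; stopping." }

    $cutoff = $cutoff.AddDays($sliceDays)
}
Write-Host ("Done. Run history older than {0:yyyy-MM-dd} has been cleared." -f $limit)
```

Truncating the log marks its inactive portion reusable but does not shrink the file; if the drive has already filled, follow the truncation with DBCC SHRINKFILE on the log file. Run the script under an account that is a member of MIIS Admins and has permission to back up the MIIS database.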
This section shows how to automatically schedule MA runs. You can schedule a command file to run the management agents regularly using the Windows Scheduler service.
To accomplish this task and schedule the MAs hourly, complete the following tasks on the MIIS 2003 with SP1 server:
To create an account to run scheduled tasks
To add the MIISScheduler account to the appropriate groups
Note To run a command or batch file (which requires cmd.exe), the scheduled task must either run as a member of the Administrators group or run interactively. A task that runs only a VBScript can be scheduled under a non-administrator account. Therefore, if you do not want to add the MIISScheduler account to the Administrators group, modify the existing VBScript either to hard-code the values or to pass them in by another method.
To set user rights for the MIISScheduler account on the MIIS Server
Note The Access this computer from the Network user right is required for the MIISScheduler account when creating the task. However, after the task has been created it is not required to run the scheduled task. Therefore, you may want to restrict this account further after you have created the scheduled MA run by enabling the Deny access to this computer from the network user right for the MIISScheduler user account.
To set up a scheduled MA run
For more information about configuring the Windows Scheduling Service, search for "schedule a new task" in Windows Help and Support.
Note You can use the MASequencer tool in the MIIS 2003 with SP1 Resource Toolkit instead of the MA-runs.cmd file to schedule management agents. For more information, download the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0.
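The procedures above create the MIISScheduler account, grant it the rights it needs, and register the scheduled MA run. The following PowerShell commands are an added example and not part of this guide; they register the task with schtasks.exe under the dedicated account without placing its password in a script or command history, and then confirm that the task is bound to that account. The task name, the script path and the CONTOSO domain prefix are assumptions.

```powershell
# Added example: registers the hourly MA run as a scheduled task under the MIISScheduler
# account and verifies the result. Task name, script path and domain are assumptions.
$taskName  = 'MIIS hourly MA run'
$runScript = 'C:\MIIS\Scripts\MA-runs.ps1'   # assumed location of your MA run script
$account   = 'CONTOSO\MIISScheduler'         # assumed domain-qualified scheduler account

# /rp * makes schtasks prompt for the password interactively, so it is never stored in
# the script or in the command history. The task host is powershell.exe, not cmd.exe.
& schtasks.exe /create /tn $taskName /sc HOURLY /mo 1 /ru $account /rp '*' `
    /tr "powershell.exe -NonInteractive -ExecutionPolicy RemoteSigned -File `"$runScript`""
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

# Verify that the task exists and runs as the intended account, not as the creator.
$detail = & schtasks.exe /query /tn $taskName /v /fo LIST
$runAs  = $detail | Select-String -Pattern '^Run As User:' |
          ForEach-Object { ($_.Line -split ':\s*', 2)[1].Trim() } | Select-Object -First 1
if ($runAs -ne $account) {
    throw "Task '$taskName' is configured to run as '$runAs'; expected '$account'."
}
Write-Host ("Task '{0}' registered for {1}. {2}" -f $taskName, $runAs, ($detail | Select-String -Pattern 'Next Run Time'))
```

Because the task runs unattended, the MIISScheduler account needs the "Log on as a batch job" user right and membership in the MIIS Operators group so that it can run management agents; it does not need to be an administrator when the task runs a PowerShell or VBScript file rather than a command file. After the task is created, the "Access this computer from the network" right can be revoked as the note above describes.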
All error messages in MIIS 2003 with SP1 are recorded in the application event logs and the statistics are displayed when the management agent run completes. You can access these statistics using the Operation view in Identity Manager. You can save each run history into a file and send them to Microsoft Support Services to help diagnose problems on the system.
Complete the following steps to accomplish this task:
To save a run history
Complete the following steps to accomplish this task:
To save an application log
You can drop a log file during the import or export phase of running a call-based management agent. You may want to drop a log file to:
Use this setting to drop a log file while continuing to update either the connector space or the connected directory in MIIS 2003 with SP1. This setting is useful when you are trying to troubleshoot an issue in which you need to see the last object processed before an error. In addition, you can use this setting to track changes to the connector space or the connected directory. However, this setting will increase the management agent processing time slightly, and it will also require disk space for storage.
If you plan to keep log file data for an extended period, you will need a mechanism to archive the files and purge them periodically. Typically, this level of auditing is not required unless you are requesting Microsoft to track an intermittent ongoing issue. However, some organizations may have reasons to track changes at this level.
This example implements the full import (stage only) drop log file option. However, you should configure your log file settings for the specific goals you are trying to meet in your troubleshooting process.
Complete the following steps to accomplish this task:
To use the full import (stage only) drop log file option
You can use the Preview function in MIIS 2003 with SP1 to test the effects of synchronization for an object in a connector space before you synchronize it with the metaverse. Preview can be useful for viewing source object details, steps in the synchronization process leading up to an error, connector filters, object deletion, join and projection rules, etc.
To use Preview, you must log on as a member of the MIISAdmins security group. It is a best practice to use Preview to test any changes made to rules in MIIS 2003 with SP1 before executing a synchronization. Use the Preview function after manual processing when you have completed a Delta or Full Import Stage Only run profile.
Note Microsoft recommends testing all changes in a non-production MIIS 2003 with SP1 environment. If the change is to an MA, you can use the Export Server Configuration and Import Server Configuration functionality in MIIS 2003 with SP1 to update the MA on the production system. Alternatively, for changes to custom extensions, you would move the compiled .DLL file, in which case you should consider using a version control system such as Visual SourceSafe (VSS).
To use the Preview function to test synchronization