ILM "2" (Release Candidate) Technical Reference

Updated: October 27, 2008

Welcome to the technical reference guide for Microsoft® Identity Lifecycle Manager "2" (ILM "2"). In this guide you will find information about the various features within ILM "2". The information in this guide applies only to the ILM "2" Release Candidate (RC) release.

What This Document Covers

This document outlines operating functions that you will encounter when using the ILM "2" product. You can use this document as a guideline when you configure various features within the ILM "2" system. In addition, you can use this document to guide you as you troubleshoot issues that arise when you use ILM "2".

Topics covered in this document are:

General

In this section, you can find information about general operating procedures when using ILM "2".

Deletion of an object referenced by another object

  • In this release, attributes of "reference" syntax must have bindings to object types that indicate that they are optional, because the system may remove them automatically. When you delete an object that is referenced in another object's attribute, the reference value in the referring object is also deleted. If the reference value being removed is the last value of the attribute in the referring object, the attribute itself is deleted. This design preserves database integrity. The deleted values can be found by using a historical query.

Users and Groups

In this section you can find information about User and Group operations in ILM "2".

Users must be fully synchronized to Active Directory (AD DS) before they can log in to the ILM Portal

  • When accessing ILM "2", the user under which the browser process is running must be a Person resource in the ILM "2" database as well as a User entry in AD DS. If the user does not have a resource in the ILM "2" database, ILM "2" will return a Permission Denied error message.

Synchronization

This section contains information about the ILM "2" Synchronization Service.

New rules extension projects are created in Visual Studio 2008 Professional Edition

  • When you create a rules extension project using Identity Manager, located in the ILM "2" Metadirectory Services, the project is created in Microsoft Visual Studio 2008, Professional Edition.
    Note
    If you use Visual Studio 2008 with your existing rules extensions, the extensions are converted to a Visual Studio 2008 project and to the Microsoft .NET Framework 2.0.
    You can run all existing rules extensions with the ILM "2" Synchronization Engine and Metadirectory without recompiling your projects, whether those extensions were compiled with the Microsoft .NET Framework 1.1 or the Microsoft .NET Framework 2.0. However, for new development and debugging work on ILM "2" Synchronization Engine and Metadirectory rules extensions, you can no longer use the Visual Studio .NET 2003 or Visual Studio .NET 2005 Professional Edition development system. You must use the following software instead:
    • Visual Studio 2008, Professional Edition.
    • Microsoft Visual Basic® 2008 Professional Edition development system.
      Alternatively, you can use Visual Basic® 2008 Express Edition.
    • Microsoft Visual C#® 2008 Professional Edition development tool.
      Alternatively, you can use Visual C#® 2008 Express Edition.
    For more information about upgrading Visual Studio .NET Professional 2003 or Visual Studio .NET Professional 2005 projects to Visual Studio 2008, see How to: Upgrade Projects Created in Visual Studio .NET 2002, 2003, and 2005 (http://go.microsoft.com/fwlink/?LinkId=77551)

Debugging rules extensions Using Visual Basic or Visual C# Express Edition

To debug rules extensions with Microsoft CLR Debugger 2008
  1. Copy the retail symbols to the <MIIS_install>\bin folder, typically C:\Program Files\Microsoft Identity Integration Server\Bin.

  2. Ensure that the rule extension .pdb file is located in the <MIIS_install>\Extensions folder along with its DLL.

    If the Extensions folder does not contain the .pdb file, open the rules extension with Visual C# 2008 Express Edition or Visual Basic 2008 Express Edition. Select Property Pages, select Build, select Advanced, and then select Full for Debug.

  3. Rebuild the rules extension.

  4. Open the source file in Microsoft common language runtime (CLR) Debugger 2008, and then set the breakpoints.

  5. Attach the debugger to the miiserver server process.

  6. Expand the Modules tab.

    Event messages appear indicating whether the symbol files loaded successfully. If any symbol file did not load successfully, everything appears to work, but the breakpoint is not hit.

To set breakpoints in the code
  1. Open the rules extension source file.

  2. At the top reference section of rule extension code, type 'using System.Diagnostics;'.

  3. In the code where you want to set a breakpoint, type Debugger.Break();.

  4. Rebuild the rules extension.

  5. Attach the debugger to miiserver server process.

Important
Do not use the Debugger.Launch method with CLR Debugger 2008. Using this method causes the ILM "2" Synchronization Service to freeze.
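The procedure above, as an added example that is not code from this page or from the ILM product: a minimal C# rules extension with the breakpoint placed inside an import attribute flow and guarded so that it fires only when CLR Debugger 2008 is actually attached to miiserver. The project namespace, the flow rule name "cd.user:displayName" and the source attributes are assumptions.

```csharp
// Added example, not from the TechNet page. Namespace, flow rule name and
// attribute names are assumed for illustration.
using System;
using System.Diagnostics;
using Microsoft.MetadirectoryServices;

namespace Contoso.RulesExtensions
{
    public class MAExtensionObject : IMASynchronization
    {
        void IMASynchronization.Initialize() { }
        void IMASynchronization.Terminate() { }

        void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            switch (FlowRuleName)
            {
                case "cd.user:displayName":
                    // Break only when CLR Debugger 2008 is already attached to miiserver.
                    // With no debugger attached, Debugger.Break raises the just-in-time
                    // debugger prompt, which a non-interactive service cannot answer, so an
                    // unguarded break must never remain in an extension that runs in production.
                    if (Debugger.IsAttached) Debugger.Break();

                    // Decline the flow (leave the metaverse value untouched) when either
                    // source attribute is missing rather than writing a partial name.
                    if (!csentry["givenName"].IsPresent || !csentry["sn"].IsPresent)
                    {
                        throw new DeclineMappingException();
                    }
                    mventry["displayName"].Value = csentry["givenName"].Value + " " + csentry["sn"].Value;
                    break;

                default:
                    throw new EntryPointNotImplementedException();
            }
        }

        // Members this extension does not implement; the engine treats them as not provided.
        bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
        DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        bool IMASynchronization.FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
        bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
        void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    }
}
```

Build the project with Debug set to Full so the .pdb lands in the Extensions folder next to the DLL; the break is then hit on the next import run of the management agent while the debugger is attached.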
  • Visual Studio 2008 reports a warning when you create a rules extension project in Identity Manager, if the output directory for the Visual Studio project is located under a system directory, for example, \program files, which is where ILM "2" Synchronization Service is typically installed. The warning says that there is a potential security risk to storing the .config file under a system directory.
    Note
    Visual Studio 2008 displays this warning regardless of whether the project includes a .config file.
    To resolve this problem, the warning says that you can open the project as read-only or open it normally.
    If you choose to open the project normally, you can build the assembly. However, the warning pops up each time that the project loads.

Changing a group from named to computed membership requires a full import

  • If a group is changed from having named members to contain computed members, the change will not allow the ILM MA to get the new members through a delta import. A full import is needed on the management agent to get the members.

Join and project from the ILM MA is always based on GUIDs

  • The ILM management agent (MA) always uses GUIDs for joining and projecting objects from the ILM App Store into the Metaverse. It is not possible to configure the ILM MA to use any other join criteria, such as AccountName. Take this into consideration when you plan your other MAs. Avoid projecting objects into the Metaverse from other MAs if you plan to manage the object in ILM; project them from the ILM MA and join from the other MA. Another possibility is to provision to the ILM MA, and then manage the object as usual.

Schema

This section covers information about the ILM "2" schema.

Configuration objects are created as deprecated objects

  • On the All Resources page, you can create a Configuration object. Avoid doing this, because the Configuration object will be created as a deprecated object.

Workflow and Request Processing

This section covers information about the operations of the workflow and request processing components of ILM "2".

Use of DateTime attributes in Synchronization Rule activity will not work

  • When you configure the synchronization rule activity, it is possible to select attributes of type DateTime. At runtime, a DateTime attribute will not apply the synchronization rule as expected. Use an attribute of another type.

Use properly formatted numeric values in the function activity

  • The function activity will only work with positive integers when the expected result is a numeric value. Adding decimals, +/-, or any other character will cause the activity to fail.

Attaching authentication workflows

  • In ILM "2" it is possible to attach an Authentication workflow to an operation and have the authentication challenge show up in the ILM Portal. It is not possible to attach an authentication workflow to an approval of a request.

System user has no display name

  • All objects in the ILM "2" system have a reference to the creator of the object. For this release, when an object is created by the system itself, for example an approval object, the display name for the creator of the object is shown in the portal as "display name of referenced resource not available."

Need to add quotes in a custom activity for Lookup parameters

  • In the function activity you can select a "Custom Expression" that will allow entering a function expression directly. To reference Lookup parameters, they must be added in quotes (unlike all other activities). A correct example to reference the display name in a custom expression is "[//Target/DisplayName]".

Notification activities cannot be added to Authentication process

  • In this release, notification activities cannot be added to Authentication processes.

ILM Portal will not navigate to summary page when clicking "OK" to update a process without permission

  • In this release, when attempting to edit a workflow that the user does not have access to edit, they are taken to the Activities tab and can continue navigating through the workflow until they reach the Access Denied message on the Summary page.

A user without administrative permissions cannot see the Request Phase data for workflows on the All Processes page

  • When a user without administrative permissions views workflows on the All Processes page, they will not be able to see the Request Phase data. To work around this issue, click the process itself to view the process type in the General tab.

In an approval activity, there are additional attributes that are not relevant for approvals

  • In the approval activity there are additional attributes that are not relevant for approvals listed. In this release, you can ignore the following attributes:
    • [//Requestor/AuthNLockoutRegistrationID]
    • [//Requestor/AuthNWFLockedOut]
    • [//Requestor/AuthNWFRegistered]
    • [//Requestor/DetectedRulesList]
    • [//Requestor/ExpectedRulesList]
    • [//Target/AuthNLockoutRegistrationID]
    • [//Target/AuthNWFLockedOut]
    • [//Target/AuthNWFRegistered]
    • [//Target/DetectedRulesList]
    • [//Target/ExpectedRulesList]

Cannot edit a workflow that has an imported file

  • In this release, you cannot edit a workflow that has an imported file. To work around this issue, delete the workflow and create a new workflow. You can then import the file in the new workflow.

Import XAML crashes if the duration field for Approval is set to less than one day in a Custom Workflow

  • For this release, do not set the duration field in a custom approval to less than 1 day. Only the digits to the left of the decimal point are used. For example, if the value entered is 2.5, only the number 2 is used. In this release, use only whole numbers in the range 1 to 100.

Run on Policy Update does not exist in the view mode

  • In this release, to view the Run on Policy Update field, you must open the workflow in Edit mode.

Cannot select XOML in Processes-Advanced search

  • For this release, you cannot filter processes by the XOML attribute in search mode.

Cannot create a process after importing XOML

  • For this release, when you import XOML, you cannot go back and edit that process to add activities. You must create a new process.

Text in the subject line of an approval or notification

  • If you type text into the subject line of an approval or notification activity and then add a variable from the Workflow Data lookup, the variable will be placed before the text. You will need to move the text in front of the variable to have the subject line make sense.

User Provisioning

This section covers operational information about the User Provisioning component in ILM "2".

Attributes defined in Relationship criteria must also be part of initial flow

  • When you are defining a Synchronization Rule with outbound flows, you will also define the relationship criteria; this is similar to the join rules in MIIS 2003/ILM 2007. The attributes defined in the relationship criteria must also be defined in the outbound attribute flows and marked for "initial flow". If this step is omitted, the join will not happen and additional attribute flows will not be applied.

Do not use "initial only" flows for inbound attribute flows

  • When defining synchronization rules it is possible to configure an inbound flow to be applied as an initial only flow. Configuring attribute flow as initial only for inbound flows will result in the attributes not flowing.

Accessing metaverse reference attributes during initial outbound provisioning is not allowed

  • When performing outbound provisioning, you cannot flow a reference attribute as part of the initial flow. Reference attributes must only be flowed as persistent. If you try to access a metaverse attribute during initial flow, a provisioning failure will result.

ILM Password Reset Extensions

This section of the document covers operational information about the ILM Password Reset Extensions in ILM "2".

Password Reset Extensions do not work if TCP WMI ports are blocked

  • The Password Reset Extensions use the TCP WMI ports. If the firewall on the ILM "2" server machine is on and these ports are blocked, Password Reset Extensions will not work. Manually unblock the ports if necessary. For more information, see the MIIS 2003 Technical Reference at http://go.microsoft.com/fwlink/?LinkId=38680.

Answers to "Question & Answer" Gate Questions cannot contain more than 255 Characters

  • Answers longer than 255 characters will be truncated, and the user will not be able to pass the gate since the registered answer and the truncated answer will not match.

Require re-registration for all users if the questions in the Question and Answer gate are modified or changed

  • If you change the questions or modify the Question and Answer gate, you should click Require Re-registration on the workflow to force all users to re-register for password reset.

Multiple incorrect password attempts disables the "Reset" button

  • When a user enters an incorrect password multiple times, the GINA disables the controls for a specified period and the Reset button is disabled. To log on to the computer with the new password the user needs to reboot the machine or wait for the GINA to unlock itself.

Entering the domain name in the Windows logon screen

  • When using the password reset wizard, specifying the full domain name in the Windows XP logon screen will cause a "user not provisioned" error message. Use only the short domain name. For example, the following formats are acceptable: netbiosnameofdomain\username or username@netbiosnameofdomain.

Authentication administration user page

  • The Authentication Administration user page displays only the workflows for which the user has registered.
Community Content

Using Breakpoints in VB (David Lundell, ILM MVP; Brad Turner, ILM MVP)

Here I adapt the procedure above (written for C#) for VB.NET

To set breakpoints in the code

  1. Open the rules extension source file.

  2. At the top reference section of rule extension code, type 'Imports System.Diagnostics'.

  3. In the code where you want to set a breakpoint, type Debugger.Break().

  4. Rebuild the rules extension.

  5. Attach the debugger to miiserver server process.

© 2009 Microsoft Corporation. All rights reserved.