Archive for the ‘Forefront Identity Manager’ Category

Installing and configuring the Outlook Live Management Agent with Forefront Identity Manager 2010.

Hi folks,

As much as it surprises me, I still receive the odd question about the Outlook Live Management Agent when used in conjunction with Forefront Identity Manager 2010. It’s with that in mind that I’m providing the following brief write-up on how to manually install the OLMA, and although there’s not a lot of value in covering the attribute flow in depth, I’ll at least provide a guideline on how to configure the management agent to work with Live@EDU.

Please pay attention to the fact I mentioned this relates to a manual installation of the agent and subsequent configuration. We do not use the Self Service Portal component of FIM 2010 as SharePoint is not our university’s standard for collaboration. As such, we only use the Synchronisation Service Manager along with writing the code ourselves.

Part 1: Installing the Outlook Live Management Agent.

  1. Download the “OLSync R4 Download Package.zip” file from connect.microsoft.com – you’ll need to use your Live@EDU registered admin account to do this;
  2. Extract the contents of the .zip file;
  3. Run the Galsync_R4_v2.msi installer:
    1. Welcome screen = Next;
    2. License agreement page = I agree & Next;
    3. Installation option = Extract files for manual installation & Next;
    4. Extract files = choose a directory & Extract;
    5. Finish.
  4. Using Explorer, navigate to the directory you chose in step 3 above, where you should see the following three sub-directories:
    1. Extensions;
    2. SourceCode;
    3. UIShell
  5. Copy all of the contents of each directory as follows (I’m just using the default installation directory for FIM as the destination):
    1. Extensions -> C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions
    2. SourceCode -> C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\SourceCode
    3. UIShell\XMLs\PackagedMAs -> C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\UIShell\XMLs\PackagedMAs
  6. You have now completed a manual installation of the Outlook Live Management Agent.

Part 2: Configuring the Outlook Live Management Agent.

  1. Start the Synchronisation Service Manager;
  2. Select the “Management Agents” tab;
  3. Choose the Create action either from the side menu, or the context-sensitive menu;
  4. Choose “Outlook Live Management Agent” from the drop-down list named “Management agent for”;
  5. Give it whatever name you feel suits the purpose;
  6. Next;
  7. Set “Connect to” equal to “https://ps.outlook.com/powershell”;
  8. Set “User” equal to the account you created as your service account, which by default will look something like “olsync@university.edu.au”;
  9. Set “Password” equal to whatever you set the password to be;
  10. Next;
  11. Click the New button:
    1. Set “Parameter Name” equal to “ProvisioningDomain”;
    2. Set “Value” equal to your Live@EDU domain name, for example “university.edu.au”;
    3. For a list of this and other parameters you can set, have a read of this outlook.com help page.
  12. OK;
  13. Next;
  14. Next (skipping “Configure Attributes”);
  15. Next (skipping “Map Object Types”);
  16. Next (skipping “Define Object Types”);
  17. Next (skipping “Configure Connector Filter” – though you may want to come back to this depending on your requirements);
  18. Configuring the “Join and Projection Rules” section depends on your current FIM topology and could take a light year to discuss. If you’ve worked with ILM/FIM before, just do what you do best here. If you have absolutely no idea, then you can use the following as a simplistic example for creating mailboxes. We use the metaverse attribute “accountName” as our primary key, meaning our configuration for this screen is as follows:
    1. Highlight “Mailbox”;
    2. Click “New Join Rule”;
    3. On the left side (“Data source”) choose “Alias”;
    4. On the right side (metaverse) choose “accountName”;
    5. Click the “Add Condition” button, and if you’re prompted about the attribute being non-indexed, just accept that and move on;
    6. OK;
  19. Next;
  20. Okay, with this screen you’re largely on your own – sorry. There’s just too much scope for variance here between organisations/institutions, and it’s extremely likely you’re also going to be dealing with writing your own rules extensions here, too. Still, just so you have some point of reference, here are the attributes we populate, with what they’re based on in brackets:
    1. UserPrincipalName (custom e-mail address attribute);
    2. Name (accountName metaverse attribute);
    3. DisplayName (displayName metaverse attribute);
    4. Alias (accountName metaverse attribute);
    5. WindowsLiveID (custom e-mail address attribute – same as UserPrincipalName);
    6. FirstName (firstName metaverse attribute);
    7. LastName (lastName metaverse attribute);
    8. EmailAddresses (rule extension as there are multiple addresses added to accounts, and we also have to be able to handle name changes – as I suspect you will, too);
  21. Next;
  22. Next (skipping “Deprovisioning” – again, it’s up to you as to how you handle this – if at all);
  23. If you have enabled PCNS (Password Change Notification Service), or intend to, then you can use this final screen (“Configure Extensions”) to enable password management, and, if you have written one, to specify the “Rules extension name” (a .DLL file, which is beyond the scope of this article);
  24. You have now finished defining the structure of your Outlook Live Management Agent.

Part 3: Rules extensions.

This is an exceptionally important part of the process, but beyond the scope of this article. Essentially, if you’re not already familiar with ILM/FIM then you’re possibly not aware that you will need to create at least one rules extension which handles the provisioning of new objects into the Live@EDU connector space.

If your deployment requires it, you may also need to write another rules extension that handles the customised calculation of values to flow back out from the metaverse to the connector space for the OLMA. To give you a simple example, the code might do something as simple as combine a student’s given name and surname to produce a display name. You can’t do this with the “Direct” flow (in the attribute flow screen of the MA). It needs to be an “Advanced” export flow, for which you specify the rule name and write the code to go along with it.

At this point you have done enough to get the OLMA talking to Live@EDU – so long as there are no other peripheral issues such as ports being blocked by firewalls and whatnot. You can proceed to run a Full Import and Full Synchronisation cycle(s) to populate the connector space and metaverse respectively, though before you can provision accounts into Live@EDU, you’ll have to write your own code to handle the provisioning of the object within the Provision() function.
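The following C# is an added example written for this page, not the author’s or Microsoft’s code. It sketches the two rules extensions Part 3 calls for: a metaverse extension whose Provision() creates the Mailbox connector in the OLMA connector space, and an MA extension whose MapAttributesForExport() implements the “Advanced” export flows for DisplayName (given name plus surname) and EmailAddresses (keeping the old primary address as a secondary after a name change). The management agent name “Outlook Live”, the metaverse attribute LiveID holding the user’s e-mail address, the flow rule names, the placeholder DN, and the Exchange proxy-address convention (“SMTP:” for the primary address, “smtp:” for secondaries) are all assumptions; match them to your own metaverse design and the OLMA schema. Build it against Microsoft.MetadirectoryServices.dll from the Synchronization Service directory, then reference the MA extension on the MA’s “Configure Extensions” page and the metaverse extension under Tools > Options.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.MetadirectoryServices;

namespace University.Fim.OutlookLive
{
    // Metaverse rules extension: registered under Tools > Options.
    public class MVExtension : IMVSynchronization
    {
        private const string OlmaName = "Outlook Live";   // assumed MA name from Part 2

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != "person") return;
            // Do not provision a half-populated person: both values are needed below
            // and by the export flows configured on the MA.
            if (!mventry["accountName"].IsPresent || !mventry["LiveID"].IsPresent) return;

            ConnectedMA ma = mventry.ConnectedMAs[OlmaName];
            if (ma.Connectors.Count > 0) return;          // already provisioned or joined

            CSEntry csentry = ma.Connectors.StartNewConnector("Mailbox");
            // Assumption: a placeholder DN built from the Live ID. The service assigns the
            // real DistinguishedName, which the next import brings back into the CS.
            csentry.DN = ma.EscapeDNComponent(mventry["LiveID"].Value);
            csentry["Alias"].Value = mventry["accountName"].Value;
            csentry["WindowsLiveID"].Value = mventry["LiveID"].Value;
            csentry.CommitNewConnector();                 // remaining attributes arrive via export flow
        }

        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }
    }

    // MA rules extension for the OLMA: registered on the MA's Configure Extensions page.
    public class OlmaExtension : IMASynchronization
    {
        // Assumed flow rule names; they must match what you type into the Advanced flow dialog.
        private const string DisplayNameRule = "DisplayName";
        private const string EmailAddressesRule = "EmailAddresses";

        public void Initialize() { }
        public void Terminate() { }

        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            switch (FlowRuleName)
            {
                case DisplayNameRule:
                    // Declining leaves DisplayName untouched rather than exporting half a name.
                    if (!mventry["firstName"].IsPresent || !mventry["lastName"].IsPresent)
                        throw new DeclineMappingException();
                    csentry["DisplayName"].Value = mventry["firstName"].Value + " " + mventry["lastName"].Value;
                    break;
                case EmailAddressesRule:
                    FlowEmailAddresses(mventry, csentry);
                    break;
                default:
                    throw new EntryPointNotImplementedException();
            }
        }

        private static void FlowEmailAddresses(MVEntry mventry, CSEntry csentry)
        {
            if (!mventry["LiveID"].IsPresent) throw new DeclineMappingException();
            string primary = mventry["LiveID"].Value;

            // Keep every address already on the connector except the new primary; after a
            // name change this demotes the old primary to a secondary so old mail still arrives.
            List<string> keep = new List<string>();
            HashSet<string> seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            seen.Add(primary);
            foreach (Value existing in csentry["EmailAddresses"].Values)
            {
                string proxy = existing.ToString();
                if (!proxy.StartsWith("smtp:", StringComparison.OrdinalIgnoreCase))
                {
                    keep.Add(proxy);                      // non-SMTP proxy: pass through untouched
                    continue;
                }
                string address = proxy.Substring(5);
                if (seen.Add(address)) keep.Add("smtp:" + address);   // drops duplicates and the primary
            }

            ValueCollection values = csentry["EmailAddresses"].Values;
            values.Clear();
            values.Add("SMTP:" + primary);
            foreach (string proxy in keep) values.Add(proxy);
        }

        // Not wired up on this MA; FIM only calls the methods the MA design uses.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) { throw new EntryPointNotImplementedException(); }
    }
}
```

Two design points worth noting: Provision() deliberately refuses to create a connector until the metaverse object carries the values the Mailbox needs, which avoids exporting a partial object and then having to reconcile it, and the EmailAddresses flow throws DeclineMappingException instead of writing an empty collection when the source address is missing, so a transient gap upstream never strips a live mailbox of its addresses. Whether the OLMA needs further attributes at creation time is determined by its schema, not by this example.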

Cheers,
Lain


Working with OLSync R4 and Forefront Identity Manager 2010 RC1.

Hi All,

This is just a quick and dirty entry illustrating the steps I went through to get the Live@EDU Outlook Live Management Agent (R4 release) to install on Forefront Identity Manager 2010 RC1. I say this is a “dirty” entry because it’s really just a cut and paste from the most recent reply I sent to someone prodding me for more information with the salutations and best wishes taken out for privacy reasons.

The content is not a click-by-click walkthrough, and as I note in the body, it’s not necessarily the perfect manner in which to work around the 64-bit and installation prerequisite caveats. That said, the approach worked for us, and we are now running both products in a production capacity for some 12,500+ student accounts. In fact, I daresay it’s working better than we’d initially expected.

One task I still have to work through, which is worth reiterating here, is to set up another FIM installation to take a look at the option of importing the OLMA directly from within the FIM Synchronisation Manager. Right now, I have no idea where I’m going to find the time, but it is something I will look at if there’s still a point in doing so sometime down the track. The sole incentive for doing so is to avoid the hassle involved with manipulating the original MSI in order to get it to install the OLMA.

Without further ado, the content you’re most likely interested in is pasted below.

Good luck,
Lain

Yes, we’ve successfully provisioned accounts from Active Directory to Live@EDU with FIM2010 RC1 – in fact, we’re using RC1 in production now, and maintain a current user base of 12,500-ish students accounts in Live@EDU, so it’s a reasonable sized environment.

As I included in my post, we are running FIM over two servers:

FIM Server:

  • Windows 2008 R2 64-bit hosted on VMware
  • 12 GB RAM
  • OLSync R4 32-bit (in “AD account only” mode, because we do not yet have Exchange)
  • Four management agents (SQL Server, iPlanet, Active Directory and Outlook Live)
  • Manual configuration of OLMA
  • The portal component of FIM is not installed, so there is no codeless provisioning

FIM back end:

  • Windows Server 2008 R2 32-bit
  • 4 GB RAM
  • SQL Server 2008 with SP1

I’m assuming you already have FIM installed, in which case the only issue you face is installing the Outlook Live Management Agent (OLSync R4). The .msi from the Microsoft Connect site is specifically locked down to 32-bit operating systems, and has four or five prerequisite checks. These two facets stop you from installing OLSync on the FIM server, since the FIM server can only be 64-bit, not 32-bit.

There are two methods for installing the Outlook Live Management Agent:

  1. via the .msi package, or
  2. via the Management Agents section > Actions menu > Import Management Agent… option from within FIM itself.
I used option 1, but I had to alter the .msi from Microsoft to do it. Firstly, I had to change the 32-bit flag within the .msi to 64-bit using a Microsoft program called Orca, and secondly, I created a transform to avoid the prerequisite checks that the installer launches (checking for ILM2007 and an empty management agent directory). While this allowed me to install the Outlook Live Management Agent, the installation for the configuration wizard fails, as it requires a component specific to ILM2007 FP1 which is no longer found in FIM2010. I did not find this to be a problem, as I simply configured the OLMA manually.

While the above approach worked, I’m hoping to take a look at using the second option I mentioned, as I expect it will be easier than editing the msi. Instead of installing the .msi, it can be instructed to just extract the OLMA source files. These files include the management agent XML files, so some time next week when I have a chance to build a second FIM server, I’m going to take a look at that option just for fun, because as I say, I expect it will be easier than the first option.

Once you have the Outlook Live Management Agent installed, it’s a simple matter of configuring the various screens within the MA in order to provision accounts into Live@EDU. Firstly, you need to have set up a special account manually within the Live Administration page called a service account. Once you have this service account, you can fill out the Management Agent as follows:

Configure Connection Information page:

If you are unsure as to how to create a service account, please refer to this article from the guys over at the Live service: http://help.outlook.com/en-us/140/dd490638.aspx.
Configure Additional Parameters page:

Configure Join and Projection Rules: (this section will vary for you if you run Exchange; we don’t run Exchange – at least, not yet)

  • Mailbox.Join: Alias->Direct->accountName (you can choose your own relationship here; this is what we chose to use)
  • Mailbox.Project: Person

Configure Attribute Flow page (Mailbox class on the left, metaverse Person on the right):

  • UserPrincipalName <- LiveID (LiveID is a custom attribute we added to the metaverse.person class, since our original source is not AD)
  • Name <- accountName (metaverse.accountName is our flat name that we also use as the AD sAMAccountName, for example lain.robertson; Name MUST be unique!)
  • DisplayName <- displayName
  • Alias <- accountName
  • WindowsLiveID <- LiveID
  • FirstName <- firstName
  • LastName <- lastName
  • DistinguishedName -> LiveDN (LiveDN is a custom attribute we added to the metaverse.person class as a way of verifying a user has successfully been provisioned to Live)

Configure Extensions page (note: this section is only useful if you’re running the Password Change Notification Service):

For the pages that I’ve deliberately left out, they can be skipped (apart from the first page, where you have to provide a name for your MA).

From this point onwards, I’m going to assume you know what you’re doing with FIM, because it’s no different to ILM2007 in that you run Imports, Synchronisations, and in the OLMA’s case, the combined EDIDS step that performs the export, immediately followed by the delta import and synchronisation.

I hope this helps you get started!

Cheers,
Lain