Session Abstracts

Directory & Identity Keynote:

The Future of Microsoft’s Key Directory and Identity Technologies. The 10th annual TEC for Directory & Identity will be kicked off by Microsoft’s Samuel Devasahayam, Principal Program Manager Lead in the Identity and Access Team, and Mark Wahl, Architect, Business Online Services Group. Join us as they share the roadmap of the technologies that you use every day.


Directory & Identity Workshops:


PKI Troubleshooting – Hands-On
Speaker: Brian Komar

Join us for this hands-on workshop filled with labs as you walk through some of the most common troubleshooting scenarios seen by the leader of this session, Brian Komar of IdentIT Inc. The post-conference session is a combination of lecture and hands-on practice troubleshooting common and not-so-common PKI issues. The lab will include:

  • Troubleshooting certificate validation errors
  • Preparing for and performing disaster recovery of a CA
  • Enabling SHA2 signing in an environment with Windows XP and Windows Server 2003 clients
  • Locating a CA behind a firewall

Workshop is 13:30 to 17:30 Wednesday. All equipment will be provided.


Directory Service Sessions:


A Dozen Years AD – Discuss Previous and Future Design Decisions
Speaker: Ulf B. Simon-Weidner

Active Directory has evolved over the years, along with security recommendations and best practices. But has our corporate design changed that much? Is it required? What should we change, and what should we retain? This session will cover Active Directory Designs of the past, present and future.


AD Care and Feeding with PowerShell
Speaker: Craig Martin

You need to manage the data in your Active Directory.

  • People want access
  • Auditors want reports
  • Applications want reliable data
  • YOU just want a vacation and/or a raise!

PowerShell is Microsoft’s automation and integration platform, but FIM is the identity integration system, so what is the right tool for the job? This session explains and demonstrates how PowerShell can rapidly solve your Active Directory data management challenges before you make a larger investment in a platform such as FIM.


A DS Geek’s View on Access Control and Delegation
Speaker: Ulf B. Simon-Weidner

This updated session will cover the basics of the Windows Security model, and we will talk about new scenarios like Hosted ADs for multiple companies and how to hide information; how to use new technologies to ease administration; how to figure out what the permission model is in your AD; and how to monitor and ensure it’s not compromised.


ADFS Claims Rule Language Deep-Dive
Speaker: Brian Puhl & Laura E. Hunter

One of the most powerful features of ADFS 2.0 is its ability to produce claims data for applications that meet oftentimes exacting business requirements. Come join us as we dissect the claims rule language within ADFS, and discuss claims issuance, authorization rules, and transformation logic from the simplest to the most complex cases. See how MSIT has used the claims rule language to solve some real-world problems in managing a complex ADFS infrastructure to respond to the exacting data requirements of a diverse application inventory.


ADFS Troubleshooting in the Wild – Cookies and Tokens and Fiddler, Oh My!
Speaker: Brian Puhl & Laura E. Hunter

ADFS 2.0 is deployed, and now it’s time to dig in. No more “bouncy slide” for us, no, now we’re going to dissect a real-world end-to-end ADFS scenario involving multiple federation servers and complex business rules that need to be enacted at each step along the way. In our journey deep under the ADFS covers, we will explore:

  • Cookies – they’re not just a sometimes food for ADFS admins!
  • Token lifetimes – if this is all about SSO, where are all these prompts coming from?
  • User experience, the good and the bad – Back Button is the Enemy!
  • Troubleshooting it all – if the Back Button is the Enemy, a Fiddler (whether on the roof or otherwise) is certainly your friend!

Come join us as we explore debug techniques and try to break (and then fix) as much as we can in an hour.


Best Practices for Securing AD – Special Security “Highlights” Shared Over the Past 10 DEC/TEC Years
Speaker: Guido Grillenmeier

During the past 10 years of speaking at DEC and TEC, I have been able to learn and share a lot about AD security, especially when utilized in enterprise environments. This session is an updated version of a key topic that remains a non-trivial task: “hiding” data in Active Directory.
AD has quite decent capabilities to set permissions on objects in the directory to allow delegated administration of things like users, groups or computers to any security principal, so that many of the daily operational tasks do not have to be performed by domain administrators. But when it comes to making specific data visible to only those users who need to see it, either because normal users should simply not see the objects or because the data is truly confidential, the default AD permissions can make this a rather complex task. This session discusses the different options for hiding data in AD and gives a guideline as to when it is appropriate to leverage which of the options. Topics covered are hiding data using the “normal” AD permissions (incl. List Mode and adjusting the Default Security of objects), as well as two more advanced options (adjusting the built-in Property Sets and using the Confidentiality Bit). We’ll also discuss how this model is extended when using RODCs with Windows Server 2008 or 2008 R2.


Building and Securing an Enterprise Directory with AD LDS
Speaker: Brian Desmond

Many LDAP directory solutions provide extremely flexible access control to limit what objects and attributes can be seen in the directory. Active Directory provides this too, but it’s not always easy to convert business requirements around directory information into a technical implementation. In this session we’ll take a look at the finer points of access control in Active Directory and AD LDS.


Business in the Cloud, Identity Strategies and Technologies to Get Your Business Off the Ground
Speaker: Brian Puhl

Microsoft is more than just a cloud service provider; we’re a customer too! Come join the discussion as we talk about the good, the bad, and the ugly of Microsoft’s adoption of cloud services. We’ll look at the roles that AD, ADFSv2, and FIM, as well as others like PKI and RMS, play in providing the technical foundation for adoption of BPOS and 3rd-party SaaS services, and how MSIT is using these technologies to move mission-critical applications securely to cloud services like Windows Azure.


Cross-Organization Collaboration Using Microsoft SharePoint 2010 and Active Directory Federation Services 2.0
Speaker: Samuel Devasahayam

As the world grows more connected, demand is increasing for easy, secure ways to collaborate across companies and over the Internet using familiar tools and applications. In this session, learn how to collaborate across boundaries using Microsoft Office, SharePoint, and Active Directory Federation Services 2.0. In addition, learn how to model providing access to SharePoint resources to consumer identities like LiveID, Yahoo, Google and FB using Azure Access Control Services.


Deploying a Highly Available ADFS Infrastructure
Speakers: Laura Hunter and Brian Puhl

So you have ADFS deployed. It’s live, it’s in production, you’ve worked out all of the typos… now let’s get down to running this as a service. As more and more applications adopt claims-based authentication, your organization’s Security Token Service infrastructure will take on new importance to your end users and management, and learning how to operate it in a highly available manner will become as critical as maintaining HA for services like Active Directory. In this session, come and hear how Microsoft IT has been deploying and running ADFS as a reliable, scalable service since 2006, and what lessons we’ve learned along the way that you can take back and apply right away.


How Microsoft Adopted Azure and Office 365
Speakers: Laura Hunter and Brian Puhl

In this session, come and hear about adopting and implementing the Microsoft Cloud from seasoned identity professionals who have been working with these technologies first-hand from Day One. We’ll begin with an overview and description of the technologies that allow an Identity Management professional to interact with both Windows Azure and Office 365. We’ll then walk through real-life examples of how MSIT integrates Microsoft Cloud technologies from the perspective of both the application developer and the infrastructure architect. Along the way, we’ll share best practices and tales from the trenches from customers, partners, and Microsoft’s own internal Identity Management team.


Identity as a Service
Speaker: Danny Kim

This session covers the various implementations of a centralized identity in the cloud to service SaaS applications’ need to authenticate across domains, organizations, and consumers. The session will also cover a live implementation of OpenID to consume multiple identity sources in a SaaS environment.


IPv6 and Active Directory – Do I Care or Am I Scared?
Speaker: Ulf B. Simon-Weidner

The Internet is running out of public IPv4 addresses, and IPv6 has been enabled by default in the last two versions of Windows. Are you prepared for the change? And even more interesting, is your AD prepared? What do you need to configure? In this session we will talk about the changes in IPv6 and which of them require your attention as an Active Directory administrator.


Issuing Certificates for Cloud-Based Computing
Speaker: Brian Komar

To use certificates in a cloud-based scenario, organizations must trust the certificates issued by a partner. This session covers methods available to ensure that the certificates issued by your CA are trusted by partner organizations. The session will cover commercial roots, cross-certification, and bridge CA deployments.


Locating Domain Controllers For Authentication And Access To The Default Domain DFS Share (SYSVOL)
Speaker: Jorge de Almeida Pinto

This session will focus on locating Active Directory Domain Controllers for two very important processes. The first process is authenticating accounts in AD; the second is accessing data stored on the default domain DFS share “SYSVOL”, such as GPOs and logon scripts. Each process uses its own mechanism to locate a domain controller to service the request being made. Both processes will be explained in detail in terms of how they work and how they interact with each other. To put everything together, a use case will illustrate the configurations even better. If time allows, a demo will be part of the presentation.


Microsoft Office 365 Directory Integration
Speaker: Samuel Devasahayam

This session focuses on the different identity options provided in Office 365, with particular emphasis on enterprise SSO. It discusses how to integrate the customer’s AD for authentication and how AD FS facilitates this process, including details on the authentication flows, deployment options, and the use of strong authentication in Office 365.


Move or Change Your Environment in Parallel, Not Only a Single Application
Speaker: Holger Reiners

Migrating or restructuring a long-grown, complex Active Directory infrastructure with tightly integrated applications is a huge challenge for every organization. From the technical perspective of a single application it is already a challenge, but it becomes a huge challenge when multiple applications and services are affected in parallel. The session will identify the “typical” obstacles in grown Active Directories that drive effort or block the migration or changes. The definition of five different integration types of Active Directory related applications, together with their migration patterns, will provide guidance on how to plan and organize the tasks and dependencies. Additionally, the session will present a possible identity management approach to mitigate and circumvent the challenges.


Networking for AD Pros – Build a Winning Replication Topology
Speaker: Brian Desmond

The premise of this session is twofold. The primary goal is to teach Active Directory architects and administrators how to interpret complex network diagrams and configuration information and to transform it into a site topology that efficiently uses the network. The second goal of the session is to teach the audience the basics of the three most common WAN technologies as they relate to their data.


Simplifying Certificate Enrollment to non-Windows Computers
Speaker: Brian Komar

Join us to learn about the challenges and perils of distributing certificates from a Microsoft CA to non-Windows clients. The session will include both manual and autoenrollment scenarios covering Mac computers, iPads, iPhones, and Linux based computers.


Upgrading Sysvol Replication from FRS to DFS-R in Windows Server 2008/2008R2
Speaker: Mark Parris

This session will explore how FRS and DFS-R function and how and why you should move to DFS-R for SYSVOL replication.


Forefront Identity Manager (FIM) Sessions


Bootstrap Your Identity with Federation
Speaker: Tomasz Onyszko

Cloud is like an electricity grid which is being powered by multiple power plants. You can use it without knowing which one you use as long as you have the correct plug. Do we have this plug right now for our users’ identity? Are we ready to plug others into our solutions? Federation technology opens doors for your applications to multiple identity sources – LiveID, OpenID, Facebook – you name it. It also enables your users to access applications hosted in a cloud, with multiple application and service vendors. How do you leverage this variety of possibilities and connect those dots together to turn them into a solution? During this talk you will see how a scenario is built around managing users’ identity and access based on the Microsoft technology stack – AD, FIM, ADFS. You will learn how applications can be moved from the current “on-premise” state to a “cloud enabled” (private cloud, any cloud) state and how to enable access to applications for corporate and external users.


Building a Delegation Layer for FIM
Speaker: Ikrima Elhassan

FIM supports modeling delegation but does not provide it out of the box. How can you implement it for your customers? We will address two commonly encountered scenarios: 1. A manager goes on vacation and needs to delegate his approvals to one of his subordinates. 2. An IT HelpDesk user needs to reset the password on behalf of someone who can’t access the local intranet. During our proof-of-concept walk-through we will also address the need to track who performed what operation on whose behalf.


Creating Authentication Activities in FIM
Speaker: Ikrima Elhassan

So your customer wants a smart card gate or a biometric gate… but they can’t afford a third-party solution. Or your client wants to implement their own web-based authentication challenge for password reset, but talking to the QA Gate’s format is unsupported. Or your customer is asking for a non-AD password reset activity. So you research the FIM documentation to find out how to create your own, and sadly the documentation is sparse and confusing, a.k.a. non-existent. Rather than giving in to despair, we will go over the extensibility infrastructure of authentication gates, how to create activities that listen on their own endpoint such as the password reset activity, and we will walk through the example of creating an OTP cellphone gate that performs a non-AD based password reset activity.


Creating Management Agents with the New ECMA 2.0
Speaker: TBD

In this talk we will explain the new features of the Extensible Connectivity Management Agent and how you can best use them to develop connections for FIM to additional systems.


Deploying FIM CM in the Real World
Speaker: Brian Komar

Come to this session to hear about real-world experiences from a customer deployment, and you’ll learn about customizations used in the deployment. These include: Using HSMs in the deployment, integrating with a clustered CA, enhancing auditing with the notification API, and distributing custom emails that implement formatting (not clear text).


FIM 2010 Reporting Using SQL Server Reporting Services
Speakers: Jeremy Palenchar & Craig Martin

Reporting is a rather large feature gap for FIM 2010, but this doesn’t mean that reporting with FIM is complex. Sit back and see how SQL Reporting Services can easily be extended to treat the FIM Service like any other data source. Learn how the following SSRS features can benefit your FIM deployment:

  • SSRS Report Designers – Produce FIM reports in a simple design experience
  • SSRS Data Driven Subscriptions – Automatically distribute custom reports to FIM users with data that pertains only to them
  • SSRS Caching – Push the FIM query demand to SSRS, offloading query traffic from the FIM Service
  • SSRS Report History – Allow FIM to purge the request history without losing access to the details
  • SSRS Delivery Extensions – Provide flexible FIM notifications including advanced formatting and processing
  • SSRS Data Processing Extensions – Use SSRS to report on FIM Service data and FIM Sync run history

We will also show how to connect SSRS to a data warehouse to combine live FIM data with historical object and request history. Source code, database schemas, and sample reports will be provided. Participants in the session will be able to deploy a complete auditing and reporting solution in their environment.


FIM PowerShell Deep Dive
Speaker: Craig Martin

Look at me, I know PowerShell, I know FIM. Now look at you: you need to know FIM, you need to know PowerShell. Look at me, I have mad mountain biking skills and will be riding my bike up and down those Red Rocks. Now look at you: you can use PowerShell and today’s session to help you manage FIM like a guru. Come to this session to see real PowerShell scenarios to make you look like me (except for the biking), including the following:

  • Automate FIM deployment tasks
  • Discover the FIM extensibility points to enable scenarios that are not yet very out-of-the-box
  • Automate FIM operational analysis


Historical Reporting and Auditing in FIM 2010 Using the FIM Service and a SQL Data Warehouse
Speaker: Jeremy Palenchar

Historical auditing and reporting is a key feature missing from FIM 2010. In this session, we’ll explore the use of the FIM Service and a SQL data warehouse to provide a robust and scalable solution for auditing and reporting on FIM requests. We will examine the code used to extract the information from the web service and examine the structure of the data warehouse. Session participants will be able to deploy this solution in their environment using the tools and lessons learned during this session.


Technical Overview of FIM 2010 R2
Speaker: Mark Wahl

Join us for a lap around Forefront Identity Manager and specifically the updates we are making in the upcoming R2 release. This session will give you a good understanding of how FIM 2010 R2 fits into your organization’s infrastructure and what it can do to put you in control of identities across directories and applications.


The Tao of the MSIT Sync Engine: Where We Are, Where We Want to Be, and How We’re Getting There
Speaker: Laura E. Hunter

Underneath the shiny new toy that is the FIM self-service portal and its WWF workflows, lies a workhorse of a synchronization engine that provides a major pillar of functionality to any ILM or FIM implementation. For many organizations, the sync engine was their first foray into an Identity Management solution, and the code and logic behind the sync engine have been built up over time as new and updated requirements are unearthed.
In this talk, come hear about the current thinking on FIM synchronization processes within MSIT: how our core Identity Management principles are embodied in these processes, the places where reality has sometimes set in and sent us down a primrose path, and our strategy to optimize and improve this mission-critical component of the Microsoft Identity Management infrastructure.


Tic, tock, tic, tock – When Time in FIM Passes By
Speaker: Tomasz Onyszko

The implementation of an ILM/FIM solution often incorporates use cases which are time related or require an action to be scheduled for execution at a specific time. The end of an agreement period, holidays, periodic permissions review – all these scenarios have a common factor – TIME. In addition, a time shift can be used as a safety switch to create time-bomb scenarios that prevent some changes from becoming active immediately, providing time to react or to withdraw the changes. ILM had no specific features which supported such scenarios, so they had to be handled through additional techniques at the synchronization engine level. FIM 2010 provides temporal sets, which incorporate time into the equation. This changes the landscape and moves processing of time-based events to the FIM Service instead of the synchronization engine. This session will focus on the implementation of time-related scenarios in user lifecycle management using ILM (synchronization service) / FIM. We will provide an explanation of time-based event processing using FIM and practical examples of implementing such scenarios in ILM/FIM.


Scripting the Migration of the FIM 2010 Configuration Between Different Instances – The Good, The Bad and The Ugly
Speaker: Jorge de Almeida Pinto

In addition to the Synchronization Engine, FIM now also has a Portal. Both the Portal and the Synchronization Engine contain configuration items that determine the behavior of FIM 2010. When you have multiple instances of FIM 2010 (Development, Test, Production), it is important to have a semi-automated process that can migrate the configuration of one instance into another as easily as possible. This session will focus on using the configuration export tooling available within FIM, including experiences and best practices. If time allows, a demo will be part of the presentation.