Session Abstracts
Keynote:
The Future of Microsoft’s Key Directory and Identity Technologies. The 10th annual TEC for Directory & Identity will be kicked off by Uday Hegde, Group Program Manager in the Identity and Access Team at Microsoft, and Mark Wahl, Architect, Business Online Services Group. Join us as they share the roadmap of the technologies that you use every day.
Pre-Conference Workshops:
ADFSv2 and WIF
Presented by: Randy Wiemer
This workshop will delve into ADFSv2 and WIF. We’ll explain the parts and terminology and review the passive profile use-case. Join us for a half day to:
1. Start with a 2008R2 VM with AD and a CA pre-configured.
2. Install ADFSv2
3. Install a Shibboleth SP configured for SAML 1.1
4. Configure an already written ASP.NET app that does the SAML 1.1 piece as a WIF app (attendees will run FedUtil against it)
5. Configure the app as a relying party in ADFS
6. Exercise the system to see the Shibboleth app accept the SAML 1.1 POST
7. Watch the traffic with Fiddler
8. Compare the WS-Fed traffic between ADFS and the WIF app with the SAML 1.1 traffic between the WIF app and the SAML 1.1 app.
Workshop is 8 to noon Sunday. All equipment will be provided.
FIM Workflow Development Deep Dive
Presented by: Joe Zamora, Rebecca Croft & David Lundell
This FIM Workflow development pre-conference workshop offers four hours of in-depth, hands-on coding experience. We will demonstrate how to build and deploy workflows for the FIM environment, looking specifically at exercising helper functions like the grammar resolver and implementing the inherited interfaces. Join us and learn how to build a sequential workflow using a custom user interface to do things such as generate a user name and update a resource attribute. Debugging and deployment exercises will also be examined. All equipment will be provided.
PKI Troubleshooting – Hands-On
Presented by: Brian Komar
Join us for this hands-on morning filled with labs as you walk through some of the most common troubleshooting scenarios seen by the leader of this session, Brian Komar of IdentIT Inc. The pre-conference session is a combination of lecture and hands-on practice troubleshooting common and not-so-common PKI issues. The lab will include:
- Troubleshooting certificate validation errors
- Preparing for and performing disaster recovery of a CA
- Enabling SHA2 signing in an environment with Windows XP and Windows Server 2003 clients
- Locating a CA behind a firewall
Workshop is 8 to noon Sunday. All equipment will be provided.
Directory Services Sessions:
10 Things you didn’t Know about OAuth 2.0
Speaker: Pamela Dingle
Pamela Dingle will put OAuth 2.0 into perspective for IT architects and professionals, explaining why this new revision radically redefines the protocol and promises to be the security protocol every cloud API standardizes on in upcoming years. As Application Programming Interfaces increasingly become an expected and standardized part of communicating with applications in both private and public cloud scenarios, IT pros can use OAuth to control, audit and secure not only authentication, but also authorization and web services calls, for both applications and the third-party services that those applications may consume downstream.
A Dozen Years AD – Discuss Previous and Future Design Decisions
Speaker: Ulf B. Simon-Weidner
Active Directory has evolved over the years, along with security recommendations and best practices. But has our corporate design changed that much? Is it required? What should we change, and what should we retain? This session will cover Active Directory Designs of the past, present and future.
A DS Geek’s View on Access Control and Delegation
Speaker: Ulf B. Simon-Weidner
This updated session will cover the basics of the Windows Security model, and we will talk about new scenarios like Hosted ADs for multiple companies and how to hide information; how to use new technologies to ease administration; how to figure out what the permission model is in your AD; and how to monitor and ensure it’s not compromised.
AD FS Claims Rule Language Deep-Dive
Speakers: Brian Puhl & Laura E. Hunter
One of the most powerful features of ADFS 2.0 is its ability to produce claims data for applications that meet oftentimes exacting business requirements. Come join us as we dissect the claims rule language within ADFS, and discuss claims issuance, authorization rules, and transformation logic from the simplest to the most complex cases. See how MSIT has used the claims rule language to solve some real-world problems in managing a complex ADFS infrastructure to respond to the exacting data requirements of a diverse application inventory.
AD FS Troubleshooting in the Wild – Cookies and Tokens and Fiddler, Oh My!
Speakers: Brian Puhl & Laura E. Hunter
ADFS 2.0 is deployed, and now it’s time to dig in. No more “bouncy slide” for us, no, now we’re going to dissect a real-world end-to-end ADFS scenario involving multiple federation servers and complex business rules that need to be enacted at each step along the way. In our journey deep under the ADFS covers, we will explore:
• Cookies – they’re not just a sometimes food for ADFS admins!
• Token lifetimes – if this is all about SSO, where are all these prompts coming from?
• User experience, the good and the bad – Back Button is the Enemy!
• Troubleshooting it all – if the Back Button is the Enemy, a Fiddler (whether on the roof or otherwise) is certainly your friend!
Come join us as we explore debug techniques and try to break (and then fix) as much as we can in an hour.
ADFS 2.0: IT ops Standardization and Best Practices
Speaker: Femi Aladesulu
This presentation will focus on policy, standardization and best practices governing Microsoft IT’s ADFS 2.0 infrastructure. Specifically, we’ll look at ADFS onboarding initiatives (process vs. automation); decoupling ADFS Service Property settings and answering the “Should I enable or disable?” questions; claim projection (standard vs. non-standard), claim rule script management and attribute stores; and overall ADFS incident and problem management.
Advanced Managing Group Policy with PowerShell
Speaker: Darren Mar-Elia
This is an advanced session that will drill into a variety of GP management tasks using Microsoft’s own GP Module, native AD PowerShell functions and the author’s own (free) scripts and modules for managing GP. We’ll cover managing the lifecycle of GP (creating, linking, permissioning, modifying settings), creating inventories of and basic health checks on your GPO infrastructure, as well as look at the ability to report on the status of GP processing across your network.
Azure Access Control Service (ACS) and AD FS 2.0: Federating to Support Consumer Identity Scenarios
Speaker: Matt Steele
AD FS 2.0 is increasingly used as the on-premises solution for federation and single sign-on to cloud applications such as Office 365. However, organizations must often grant access not just to enterprise identities but also to customers and partners who don’t have federated enterprise identities. Reusing consumer identities provided by internet identity providers such as Windows Live ID, Google and Facebook is starting to gain momentum as a solution for these issues. The Azure Access Control Service (ACS) is a cloud-hosted federation solution that can be used together with AD FS 2.0 to enable single sign-on to on-premises and cloud applications for both enterprise and consumer identities. This session will provide an overview of ACS and show how IT pros can take advantage of its many features for handling authentication and access control of on-premises and cloud applications. We will demonstrate using AD FS 2.0 together with ACS and discuss which combination of the solutions is appropriate for a given scenario.
Best Practices for Securing AD – Special Security “Highlights” Shared Over the Past 10 DEC/TEC Years
Speaker: Guido Grillenmeier
During the past 10 years of speaking at DEC and TEC, I have been able to learn and share a lot about AD security, especially when utilized in enterprise environments. This session is an updated version of a key topic that remains a non-trivial task: “hiding” data in Active Directory.
AD has quite decent capabilities to set permissions on objects in the directory to allow delegated administration of things like users, groups or computers to any security principal, so that many of the daily operation tasks do not have to be performed by domain administrators. But when it comes to making specific data visible only to those users who need to see it, either because normal users should simply not see the objects or because the data is truly confidential, the default AD permissions can make this a rather complex task. This session discusses the different options for hiding data in AD and gives a guideline as to when it is appropriate to leverage which of the options. Topics covered are hiding data using the “normal” AD permissions (incl. List Mode and adjusting the Default Security of objects), as well as two more advanced options (adjusting the built-in Property Sets and using the Confidentiality Bit). We’ll also discuss how this model is extended when using RODCs with Windows Server 2008 or 2008 R2.
Building and Securing an Enterprise Directory with AD LDS
Speaker: Brian Desmond
Many LDAP directory solutions provide extremely flexible access control to limit what objects and attributes can be seen in the directory. Active Directory provides this too, but it’s not always easy to convert business requirements around directory information into a technical implementation. In this session we’ll take a look at the finer points of access control in Active Directory and AD LDS.
Business in the Cloud, Identity Strategies and Technologies to Get Your Business Off the Ground
Speaker: Brian Puhl
Microsoft is more than just a cloud service provider, we’re a customer too! Come join the discussion as we talk about the good, the bad, and the ugly of Microsoft’s adoption of cloud services. We’ll look at the roles that AD, ADFSv2 and FIM, as well as others like PKI and RMS, play in providing the technical foundation for adoption of BPOS and third-party SaaS services, and how MSIT is using these technologies to move mission-critical applications securely to cloud services like Windows Azure.
Cloud Computing Single-Sign-On: Making ADFS Work with Google and Salesforce
Speaker: Nikita Ryumin
Cloud computing technologies are becoming an essential part of our everyday IT life. Single sign-on solutions are already represented on the market, but mastering them can be quite a challenge. In this session, we’ll walk through ADFS setup step by step, touching on all aspects that should be taken into consideration. This walkthrough will tell you not only what you should do but also what you should not do.
Customization work in ADFS 2.0 – Design and Architecture
Speaker: Femi Aladesulu
This demo-centric presentation will tackle service engineering limitations in ADFS 2.0 and the creative solutions implemented to rectify them. We will take an in-depth look at three service engineering scenarios where ADFS 2.0 falls short and the custom solution design/architecture implemented to attain the following service engineering objectives:
- Dynamic ADFS 2.0 WS-Fed usage report generation and utilization
- wtrealm/wreply-based error handling
- ADFS 2.0 federation partner audit and lifecycle management process
Edge Security & Access: Using Directories, Certificates, Federation and Forefront Edge Security to Share Your Stuff Without Giving It Away
Speaker: Dennis Glendenning
Does security have to be the opposite of collaboration? Services like Microsoft SharePoint are too good to keep to yourself. This session presents a blend of architecture and “how to” detail about the ways we can enable workflow and collaboration between companies with the other Forefront product: Microsoft Forefront Unified Access Gateway Server 2010.
IPv6 and Active Directory – Do I Care or Am I Scared?
Speaker: Ulf B. Simon-Weidner
The internet is running out of public IPv4 addresses, and IPv6 has been enabled by default in the last two Windows versions. Are you prepared for the change? And even more interesting, is your AD prepared? What do you need to configure? In this session we will talk about the changes in IPv6 and which of them require your attention as an Active Directory administrator.
Issuing Certificates for Cloud-Based Computing
Speaker: Brian Komar
To use certificates in a cloud-based scenario, organizations must trust the certificates issued by a partner. This session covers the methods available to ensure that the certificates issued by your CA are trusted by partner organizations. The session will cover commercial roots, cross-certification, and bridge CA deployments.
Leveraging Active Directory for Externally Facing Initiatives
Speakers: Vincent Voci & Nick Sabinske
Teleflex Incorporated (www.teleflex.com) has a core identity management strategy: one point of access. Sun LDAP was originally the central place for all identity information across this diversified global enterprise, but separate systems had developed over time, creating silos of information. Teleflex had also expanded its use of Microsoft Active Directory and needed to eliminate redundancies and maintenance across multiple directories. With Active Directory more and more becoming the authoritative source for various applications, Teleflex needed to shift its identity management strategy to fully leverage its investment in AD. So in 2010, the company kicked off a project to decommission its existing Sun LDAP directory, which had been in place for 6-7 years. Join us to hear about their journey firsthand.
Locating Domain Controllers For Authentication And Access To The Default
Speaker: Jorge de Almeida Pinto
This session will focus on locating Active Directory Domain Controllers for two very important processes. The first process is authenticating accounts in AD, followed by the process of accessing data stored on the default domain DFS share “SYSVOL”, such as GPOs and logon scripts. Each process uses its own mechanism to locate a domain controller to service the request that’s being made. Both processes will be explained in detail in terms of how they work and how they interact with each other. To put everything together, a use case will highlight the configurations even better. If time allows, a demo will be part of the presentation.
Office 365: Identity and Access Solutions
Speaker: Mike Kostersitz
This session provides a preview of the identity and access solutions in Microsoft Office 365. The session will focus on how authentication works for both web apps and rich client apps, how to enable single sign-on (SSO) using corporate AD credentials and AD FS 2.0 to Office 365 services, and the different SSO deployment options for Office 365 services.
Real Life: Federated Identity into the Cloud
Speaker: Dave Jones
This presentation will focus on real life experiences in a Fortune 500 company with federating users, applications and devices with the cloud. This presentation is designed to share our experiences with our peers in the industry in the hope of advancing the quality and supportability of federation between all entities. There will be two areas of focus:
1) Existing outbound federated provisioning and authentication into cloud providers
2) Planned Federation across protocols; It’s not just port 80 anymore.
Real Life: Moving a 5 Million+ user ADAM directory onto virtual server CORE (and AD LDS) – (and a 250K AD DS too)
Speaker: Dave Jones
It’s time to upgrade our directory infrastructure from w2k3 to w2k8, bring the architecture up to modern standards and repay infrastructure debt. This presentation is to share our experiences so you can avoid our mistakes and generally contribute back to the IT community, and as in previous presentations, we’d really like to encourage more companies to move onto AD LDS so that we aren’t one of the only few and proud.
Simplifying Certificate Enrollment to non-Windows Computers
Speaker: Brian Komar
Join us to learn about the challenges and perils of distributing certificates from a Microsoft CA to non-Windows clients. The session will include both manual and autoenrollment scenarios covering Mac computers, iPads, iPhones, and Linux based computers.
Tricks-of-the-trade after a decade+ of Active Directory
Speaker: Dean Wells
It is now common knowledge that Active Directory is widely deployed across all types of businesses. After a decade plus of deploying and managing Active Directory, you might well imagine that we’ve picked up a few things along the way. In this session, we’ll bring together a wide selection of many of the most valuable lessons including Active Directory’s lesser-known behaviors, some of the more deeply buried knobs, dials & switches, a few tricks-of-the-trade and perhaps even a get out of jail free(ish) card or two that will ultimately allow you to do your job better.
When to Synchronize, When to Virtualize and When to Federate – Which is the Right Solution and When?
Speaker: Michael Brengs
A common problem facing many enterprise organizations is knowing which technology or solution is the right one to deploy. This session will describe the key architectural components in an overall identity management implementation and when it is appropriate to deploy a given technology or set of technologies. For example, when should you use a directory, directory synchronization, LDAP virtual directories or federation? Over time, the industry has seen that one technology shouldn’t be used to solve all problems. Analyst firms such as Gartner have written reports on how these technologies may seem to compete on the surface, but instead complement each other well. Often, the right answer is implementing a mixture of technologies together. Each technology solves a unique problem; combining them into a complete solution is the key to a successful identity management initiative. We will drill down into some examples of where customers have implemented a blend of these technologies to drive down costs and complexities in their environments.
Forefront Identity Manager (FIM) Sessions:
Bootstrap Your Identity with Federation
Speaker: Tomasz Onyszko
Cloud is like an electricity grid which is being powered by multiple power plants. You can use it without knowing which one you use as long as you have the correct plug. Do we have this plug right now for our users’ identity? Are we ready to plug others into our solutions? Federation technology opens doors for your applications to multiple identity sources – LiveID, OpenID, Facebook, you name it. It also enables your users to access applications hosted in a cloud, with multiple application and service vendors. How do you leverage this variety of possibilities and connect those dots together to turn them into a solution? During this talk you will see how a scenario is built around managing user identity and access based on the Microsoft technology stack – AD, FIM, ADFS. You will learn how applications can be moved from the current “on-premises” state to a “cloud enabled” (private cloud, any cloud) state and how to enable access to applications for corporate and external users.
Building a Delegation Layer for FIM
Speaker: Ikrima Elhassan
FIM supports modeling delegation but does not provide it out of the box. How can you implement it for your customers? We will address two commonly encountered scenarios: 1. A manager goes on vacation and needs to delegate his approvals to one of his subordinates. 2. An IT HelpDesk user needs to reset the password on behalf of someone who can’t access the local intranet. During our proof-of-concept walk-through we will also address the need to track who performed what operation on whose behalf.
Can PXEs Fly? FIM & SCCM Integration
Speaker: Rob Allen
This session will showcase custom activity workflows that integrate with SCCM to provide bare-metal (PXE boot) computer installations and end-user application deployments at first login. We will take time to walk through the workflow activity code, discuss the implications of tracking catalogues of MAC addresses, and how collections/advertisements play a vital role in the success of the solution. In large environments it is common to take five to seven days to onboard an associate — this session will help you identify and narrow that gap. Come to this session to see if magical PXEs really do fly around the room…
Creating Authentication Activities in FIM
Speaker: Ikrima Elhassan
So your customer wants a smart card gate or a biometric gate…but they can’t afford a third-party solution. Or your client wants to implement their own web-based authentication challenge for password reset, but talking to the QA Gate’s format is unsupported. Or your customer’s asking for a non-AD password reset based activity. So, you research the FIM documentation to find out how to create your own, and sadly the documentation is sparse and confusing, aka non-existent. Rather than giving in to despair, we will go over the extensibility infrastructure of authentication gates, how to create activities that listen on their own endpoint such as the password reset activity, and we will walk through the example of creating an OTP cellphone gate that performs a non-AD based password reset activity.
Creating Management Agents with the new EZMA
Speaker: Andreas Kjellman
In the next few months a new development framework for creating management agents will be released for FIM 2010. In this talk we will explain how the new framework works and how you can use it.
Deploying FIM CM in the Real World
Speaker: Brian Komar
Come to this session to hear about real-world experiences from a customer deployment, and you’ll learn about customizations used in the deployment. These include: Using HSMs in the deployment, integrating with a clustered CA, enhancing auditing with the notification API, and distributing custom emails that implement formatting (not clear text).
Designing and Implementing RBAC Solutions with FIM 2010 Group Management
Speaker: Brad Turner
FIM’s Group Management capabilities combine with custom policies to create innovative Role Based Access Control solutions. In this session we will look at creating three basic role types: 1) Derived, based on existing Set logic, 2) Explicit, also based on existing logic, and 3) Temporal Membership where requests for explicit membership can be given start and end dates allowing membership to expire automatically. See how you can apply this to any data source by building a new role request process!
Extend the Reach of your FIM Deployment with XMAs
Speaker: Brian Desmond
Have you ever wanted to connect your FIM implementation to a system that doesn’t have a management agent? FIM comes with the framework to build management agents that connect to practically anything. In this session we’ll take a look at how this framework works, how to present data from your XMA to FIM, and how to generate deltas. We’ll also build a custom XMA and you’ll walk away with the base code you need to quickly build your own XMAs.
Files, FIM, & PowerShell
Speaker: James Booth
Although FIM is moving more and more towards life in the cloud, there are still many cases where you will need to process good old-fashioned text files on disk for synchronization and reporting. PowerShell is the ideal tool for dealing with these files. Of course, PowerShell right out of the box does a great job with plain text and CSV files. Using this as a jumping-off point, this session will show you how to extend PowerShell’s basic capabilities to handle AVP and LDIF files, process XML run histories and MA configurations, and automate archiving of logging data. Along the way we will make some slight diversions into PowerShell’s Extensible Type System and the new *-Job cmdlets in PowerShell v2. Come to this session and you will leave with a deeper understanding of PowerShell’s potential, as well as a handy toolkit of scripts that will make all of your file processing jobs easier.
FIM 2010: Notes from the Field
Speaker: James Cowling
When released in Spring 2010, the new functionality in FIM was brimming with hope and promise – workflows, policies, a flexible portal, new ways of synchronizing data. Flash forward one year of ACTUAL customer deployments. This session will take you through the good, the bad, and the ugly around the new functionality with “hard won lessons from the field” – a broad, varied, and sometimes amusing tale of OCG’s experience implementing FIM 2010 across many countries, different sizes and types of organization, and varied environments – filled with practical advice for a successful FIM deployment.
FIM 2010 Reporting Using SQL Server Reporting Services
Speakers: Jeremy Palenchar & Craig Martin
Reporting is a rather large feature gap for FIM 2010, but this doesn’t mean that reporting with FIM is complex. Sit back and see how SQL Reporting Services can easily be extended to treat the FIM Service like any other data source. Learn how these SSRS features benefit your FIM deployment:
- SSRS Report Designers – Produce FIM reports in a simple design experience
- SSRS Data Driven Subscriptions – Automatically distribute custom reports to FIM users with data that pertains only to them
- SSRS Caching – Push the FIM query demand to SSRS, offloading query traffic from the FIM Service
- SSRS Report History – Allow FIM to purge the request history without losing access to the details
- SSRS Delivery Extensions – Provide flexible FIM notifications including advanced formatting and processing
- SSRS Data Processing Extensions – Use SSRS to report on FIM Service data and FIM Sync run history
We will also show how to connect SSRS to a data warehouse to combine live FIM data with historical object and request history. Source code, database schemas, and sample reports will be provided. Participants in the session will be able to deploy a complete auditing and reporting solution in their environment.
FIM Best Practices: Sizing Your Installation (and its SQL Server(s) too)!
Speaker: Dave Lundell
When planning your FIM implementation or planning for its growth, everyone asks, “How many servers and how big should they be?” Come hear from the author of “FIM Best Practices Volume 1: Introduction, Architecture and Installation”, David Lundell, as he helps you answer this question with decision trees and a sizing guide that picks up where the Capacity Planning Guide leaves off.
FIM PowerShell Deep Dive
Speaker: Craig Martin
Look at me, I know PowerShell, I know FIM. Now look at you, you need to know FIM, you need to know PowerShell. Look at me, I have mad mountain biking skills and will be riding my bike up and down those Red Rocks. Now look at you, you can use PowerShell and today’s session to help you manage FIM like a guru. Come to this session to see real PowerShell scenarios to make you look like me (except for the biking), including the following:
- Automate FIM deployment tasks
- Discover the FIM extensibility points to enable scenarios that are not yet available out of the box
- Automate FIM operational analysis
FIM and Windows Phone 7 Integration – Can it be?
Speaker: Rob Allen
This session will walk through creating a Windows Phone 7 application that consumes the FIM Web Services API to expose the Group Requests and Approvals features in FIM 2010. The application allows the phone user to request access to a group, view approvals, and view pending requests. Come to this session to see how FIM and Windows Phone 7 can be used in your enterprise…
Head in the clouds – navigating the identity pitfalls of a complex cloud migration
Speaker: Carol Wapshere
You hear a lot about the wonderful world of directory sync, SSO and federation with cloud applications, and all of these technologies really can do what they say on the tin, so long as you have an immaculately managed local directory. But do you? Migrating to the cloud may be just about to expose all those cracks that have been papered over for so long – be careful of what falls through!
This session will draw on the experience of a complex, multi-national BPOS migration, sharing the slip-ups, oversights and rude awakenings, as well as the steps taken to keep the project on track to a successful completion.
Historical Reporting and Auditing in FIM 2010 Using the FIM Service and a SQL Data Warehouse
Speaker: Jeremy Palenchar
Historical auditing and reporting is a key feature missing from FIM 2010. In this session, we’ll explore the use of the FIM Service and a SQL data warehouse to provide a robust and scalable solution for auditing and reporting on FIM requests. We will examine the code used to extract the information from the web service and examine the structure of the data warehouse. Session participants will be able to deploy this solution in their environment using the tools and lessons learned during this session.
Microsoft Office 365: Directory Synchronization
Speaker: Mike Kostersitz
This session focuses on what the Dir Sync tool is used for, and what will be available in V2 of the tool. We will demo the tool and discuss when a company should use it in a deployment, depending on the size and needs of the company.
Preparing Identities for Cloud Services
Speaker: Mark Wahl
Learn how FIM can be integrated with Microsoft’s cloud middleware and SDKs to project an organization’s identities and policies to Software-as-a-Service applications, how to configure FIM to ensure quality identity data is available to these applications, and see examples of how to provide users with self-service access management from the FIM portal.
Scripting the Migration of the FIM 2010 Configuration Between Different Instances – The Good, The Bad and The Ugly
Speaker: Jorge de Almeida Pinto
In addition to the Synchronization Engine, FIM now also has a Portal. Both the Portal and the Synchronization Engine contain configuration items that determine the behavior of FIM 2010. When you have multiple instances of FIM 2010 (Development, Test, Production) it is important to have a semi-automated process that is able to migrate the configuration of one instance into another instance as easily as possible. This session will focus on using the configuration export tooling available within FIM, including experiences and best practices. If time allows, a demo will be part of the presentation.
SQL Extensible Management Agents That Scale
Speakers: Rebecca Croft & Brad Turner
Do you need to move around millions of objects within a single MA in your ILM/FIM solution? Do your Full Imports and Full Syncs take days to complete? Come and see how Ensynch’s IDA practice developed practical methods for building XMA solutions that allow for large scale management of connectors that won’t take you days to manage. Learn about different import techniques that can be used to greatly speed up transaction times and that’s not all! Take away some sample code that will make your DBAs envious.
The Tao of the MSIT Sync Engine: Where We Are, Where We Want to Be, and How We’re Getting There
Speaker: Laura Hunter
Underneath the shiny new toy that is the FIM self-service portal and its WWF workflows, lies a workhorse of a synchronization engine that provides a major pillar of functionality to any ILM or FIM implementation. For many organizations, the sync engine was their first foray into an Identity Management solution, and the code and logic behind the sync engine have been built up over time as new and updated requirements are unearthed.
In this talk, come hear about the current thinking on FIM synchronization processes within MSIT: how our core Identity Management principles are embodied in these processes, the places where reality has sometimes set in and sent us down a primrose path, and our strategy to optimize and improve this mission-critical component of the Microsoft Identity Management infrastructure.
Tic, tock, tic, tock – When Time in FIM Passes By
Speaker: Tomasz Onyszko
The implementation of an ILM/FIM solution often incorporates some use cases which are time related or require an action to be scheduled for execution at a specific time. The end of an agreement period, holidays, periodic permissions review – all these scenarios have a common factor – TIME. In addition, a time shift can be used as a safety switch to create time-bomb scenarios which prevent some changes from being active immediately and provide time to react or to withdraw the changes. ILM had no specific features which supported such scenarios, so they had to be handled through additional techniques at the synchronization engine level. FIM 2010 provides temporal sets, which incorporate time into the equation. This changes the landscape and moves processing of time-based events to the FIM service instead of the synchronization engine. This session will focus on the implementation of time-related scenarios in user lifecycle management using ILM (synchronization service) / FIM. We will provide an explanation of time-based event processing using FIM and practical examples of implementing such scenarios in ILM/FIM.
Using FIM to Manage BPOS/Office 365
Speaker: Carol Wapshere
The BPOS administration experience is limited in a number of key areas which make it insufficient for the needs of a large organization. While Office 365 brings some much needed delegation flexibility, it will still fall short in several key areas.
This session will demonstrate how the FIM 2010 Portal can be extended to become an administration console for BPOS, including:
• Password reset,
• Subscription and activation management,
• Ability to assign subscriptions to different cost codes for internal billing, and
• Making available information that is unavailable in the BPOS admin console, such as mailbox size, and tracking of mobile devices.