You now understand the business requirements and specifications for implementing the solution that addresses the identity aggregation and synchronization issues at Contoso. This chapter provides prescriptive guidance on how to implement the necessary components of the identity and access management solution by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).
The prerequisites and implementation guidance in this chapter can be verified by following the guidance in Chapter 6, “Testing the Solution.”
Tools and Templates
The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.
Note These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.
When you run the installer file, the resulting folder structure will look similar to the one displayed in the following figure, depending on where you choose to install it.
 Figure 5.1. The Tools and Templates folder structure
This guide assumes that you have installed the Tools and Templates into the default location (%UserProfile%\My Documents\Identity and Access Management Tools and Templates). If you use a different installation location, ensure that you use the same path in all the steps in this document.
Note The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.

Folder: Baseline

Table 5.1. The Baseline Folder

File | Description
SunONEObjects.ldf | This file is used to create users in Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) by using LDIFDE.exe.
LotusObjects.txt | This file is used to create users in Lotus Notes 6.5.4 by using the Import function in Domino Administrator.
Folder: MIIS Extensions

MIIS Extensions are used for advanced flow rules and certificate mapping. The source code was written for this scenario and must be compiled into DLLs. The DLLs must be placed in the Extensions directory of the MIIS folder structure, where they are loaded and used during the synchronization process.

Subfolder: ExtranetDirectoryADMA
ExtranetDirectoryADMA Project — implements the ExtranetDirectoryADMAExtension.DLL file.
Table 5.2. The ExtranetDirectoryADMA Subfolder

File | Description
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information.
ExtranetDirectoryADMA.sln | The solution file used within the development environment. It organizes all elements of the Extranet Directory ADMA into a single solution.
ExtranetDirectoryADMA.vb | VB.NET file for the Extranet Directory ADMA extension.
ExtranetDirectoryADMA.vbproj | The project file for the Extranet Directory ADMA project. It contains the configuration and build settings and keeps a list of files associated with the project.
Subfolder: IntranetDirectoryADMA
IntranetDirectoryADMA Project — implements the IntranetDirectoryADMAExtension.DLL file.
Table 5.3. The IntranetDirectoryADMA Subfolder

File | Description
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information.
IntranetDirectoryADMA.sln | The solution file used within the development environment. It organizes all elements of the Intranet Directory ADMA into a single solution.
IntranetDirectoryADMA.vb | VB.NET file for the Intranet Directory ADMA extension.
IntranetDirectoryADMA.vbproj | The project file for the Intranet Directory ADMA project. It contains the configuration and build settings and keeps a list of files associated with the project.
Subfolder: Lotus Notes MAExtension
Lotus Notes MAExtension Project — implements the Lotus Notes MAExtension.dll file.
Table 5.4. The Lotus Notes MAExtension Subfolder

File | Description
AssemblyInfo.vb | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information.
Lotus Notes MAExtension.sln | The solution file used within the development environment. It organizes all elements of the Lotus Notes MA into a single solution.
Lotus Notes MAExtension.vb | VB.NET file for the Lotus Notes MA extension.
Lotus Notes MAExtension.vbproj | The project file for the Lotus Notes MA project. It contains the configuration and build settings and keeps a list of files associated with the project.
Folder: MA Configuration

Table 5.5. The MA Configuration Folder

File | Description
IDMGTExtranet.xml | This configuration file is used to import configuration data that can be changed without having to modify the source code for configuration-specific information. This file should be placed in the Extensions folder.
MVSchemaExport.xml | This schema file updates the default metaverse schema that is created when installing MIIS 2003 with SP1. The scenario requires a metaverse extension to add specific attributes. The MVSchemaExport.xml file imports these additional attributes into the metaverse, which then update the default MIIS schema.
Folder: MA Exports
Exported management agents contain saved MA configuration information, which can then be imported into MIIS 2003 with SP1 Identity Manager. The call-based MAs must be checked against the connected directory for a valid user account and password, as well as for the partitions specific to that connected directory. You may need to change connection and partition information if the connected directory structure is not the same as that specified in the file.
Table 5.6. The MA Exports Folder

File | Description
ExtranetADMA.xml | Exported management agent for the External Directory MA.
IntranetADMA.xml | Exported management agent for the Infrastructure Directory MA.
LotusNotesMA.xml | Exported management agent for the Lotus Notes MA.
Folder: Operations

The following scripts can be used in conjunction with the Windows scheduler to schedule the MA synchronization runs.

Table 5.7. The Operations Folder

File | Description
MA-Runs.cmd | Used to serialize the runs of the management agents by calling runMA.vbs with the appropriate parameters for each MA run profile.
runMA.vbs | Uses Windows Management Instrumentation (WMI) to execute MA runs based on MA name and profile.
Implementation Prerequisites
The Contoso identity and access management solution requires the following software. To implement and test the entire Contoso solution, all components must be installed. The recommended configuration is to implement all components in order to work through the entire solution from beginning to end. It is essential to install the software in the prescribed order for this scenario to work properly. Please refer to the diagram in chapter 4 for a clear picture of the network architecture of these components:
• Microsoft Windows Server™ 2003, Enterprise Edition.
• Microsoft SQL Server™ 2000, Enterprise Edition with Service Pack 3 (SP3). In the following prescriptive steps, SQL Server is running on the same server as MIIS 2003 with SP1.
• MIIS 2003 with SP1.
• Exchange Server 2003 in the intranet Active Directory forest.
• Visual Studio® .NET 2003 to build rules extensions. In the following prescriptive steps, this software is installed on the same server as MIIS 2003 with SP1.
• Scenario-specific scripts to create the MIIS 2003 with SP1 extensions and MA export files.
• Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server).
• Lotus Notes Domino Server Release 6.5.4.
• Lotus Notes Client Release 6.5.4 installed on the MIIS 2003 with SP1 server.
For these implementation details to work correctly, you need to have a basic Contoso infrastructure implemented as introduced in the “Platform and Infrastructure” paper in this series, as described in the “Designing the Infrastructure” and “Implementing the Infrastructure” chapters, including:
• An intranet Active Directory forest that contains the provided Contoso organizational units (OUs) and users.
• An extranet Active Directory forest that contains the provided Contoso OUs, groups, and users.
• A three-tier public key infrastructure (PKI) for certificate services, which is required for completion of the “Extranet Access Management” paper in this series.
Note The beginning of Chapter 6, “Testing the Solution,” later in this paper provides some basic verification tests to ensure that your infrastructure is implemented correctly.

Implementation Overview
Implementing this solution scenario involves performing the following activities, each of which is detailed in the following sections:

• Intranet Firewall Configuration
• Contoso Baseline Preparation
• Service Account Preparation
• MIIS 2003 with SP1 Installation and Configuration
• MIIS 2003 with SP1 Management Agent Configuration
• Initial Identity Management Operations
Intranet Firewall Configuration
The Contoso design provides for the greatest possible isolation between the external and internal network. However, the design calls for the synchronization of shadow accounts in the extranet Active Directory. For this to work, you must open ports in the firewall between the intranet and extranet as shown in tables 5.8 and 5.9. Configure the firewall to allow traffic initiation only from the intranet side over these ports.
In order to reduce the number of open ports, configure the remote procedure call (RPC) dynamic port allocation on the domain controller for perimeter.contoso.com in the external network. Contoso selected ports in the range 57500-57520.
For more information about setting dynamic RPC ports through a firewall, see How to configure RPC dynamic port allocation to work with firewalls.
For MIIS 2003 with SP1 (located in the intranet Active Directory forest corp.contoso.com) to connect to the extranet Active Directory forest (perimeter.contoso.com), the internal DNS service must be able to resolve addresses and service records for the external forest. In addition to opening the DNS ports in the firewall, also add a Conditional DNS forward directive in the intranet corp.contoso.com root nameserver that points to the extranet perimeter.contoso.com nameserver.
To configure conditional forwarders in the internal root domain controller

1. Launch the DNS Admin tool on <ROOT_DC_NAME>.
2. In the console tree, right-click <ROOT_DC_NAME> and then click Properties.
3. In the <ROOT_DC_NAME> Properties dialog box, click the Forwarders tab.
4. In the DNS Domain box, click New.
5. In the New Forwarder dialog box, in the DNS Domain box, type perimeter.contoso.com and then click OK.
6. Ensure the perimeter.contoso.com domain is selected. In the Selected domain’s forwarder IP address list box, type <ip_address> (where <ip_address> is the IP address of the external domain DNS server), and then click Add.
7. In the <ROOT_DC_NAME> Properties dialog box, click the Root Hints tab and then click Remove to remove all entries.
The following table lists all the outbound ports in the external firewall that need to be opened from the MIIS 2003 with SP1 server's IP address to the external domain controller's IP address.

Table 5.8. Outbound Ports from MIIS 2003 with SP1 Server to External Domain Controller

Port | Protocol | Service
389 | TCP and UDP | LDAP
88 | TCP and UDP | Kerberos authentication protocol
135 | TCP | RPC Endpoint Mapper
57500-57520 | TCP | Dynamic RPC ports
464 | TCP and UDP | Kerberos Change Password
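Before the MAs are built, it is worth confirming from the MIIS 2003 with SP1 server that the TCP ports in Table 5.8 actually reach the external domain controller. The following added example (not part of this paper or its Tools and Templates) encodes Table 5.8, expands Contoso's 57500-57520 dynamic RPC range, and lists the TCP ports that do not answer; UDP entries cannot be verified by a connect and are skipped, and the host name used is a placeholder.

```python
import socket

# Table 5.8 from this chapter: outbound ports from the MIIS 2003 with SP1 server
# to the external domain controller. 57500-57520 is Contoso's chosen RPC dynamic
# port range; change it if a different range was configured on the external DC.
TABLE_5_8 = [
    ("389", "TCP and UDP", "LDAP"),
    ("88", "TCP and UDP", "Kerberos authentication protocol"),
    ("135", "TCP", "RPC Endpoint Mapper"),
    ("57500-57520", "TCP", "Dynamic RPC ports"),
    ("464", "TCP and UDP", "Kerberos Change Password"),
]


def expand_ports(spec):
    """'57500-57520' -> [57500, ..., 57520]; '389' -> [389]."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"bad port range {spec}")
        return list(range(lo, hi + 1))
    return [int(spec)]


def tcp_probe(host, port, timeout=3.0):
    """Return True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_table(host, probe=tcp_probe, table=TABLE_5_8):
    """Return the (port, service) TCP entries of the table that are not reachable.

    UDP-only entries are skipped because a connect cannot verify them; in Table 5.8
    every UDP port is paired with the same TCP port, so the TCP result is the
    practical signal that the firewall rule is in place."""
    blocked = []
    for spec, proto, service in table:
        if "TCP" not in proto:
            continue
        for port in expand_ports(spec):
            if not probe(host, port):
                blocked.append((port, service))
    return blocked


if __name__ == "__main__":
    # Placeholder host name; run this from the MIIS server against the external DC.
    for port, service in check_table("EXTERNAL-DC-PLACEHOLDER"):
        print(f"blocked: {port}/tcp ({service})")
```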
The following table lists the outbound port in the internal firewall that needs to be opened from the internal root domain controller's IP address to the external domain controller's IP address.

Table 5.9. Outbound Port from Internal Root Domain Controller to External Domain Controller

Contoso Baseline Preparation
After all the prerequisites have been installed and verified, you can run the provided scripts to further configure the Contoso environment. Configuring the Contoso environment for this MIIS 2003 with SP1 scenario involves creating a set of base level objects in Lotus Notes and Sun ONE Directory Server. Complete the following tasks to configure each respective system.
• Task 1: Populate Sun ONE Directory Server
• Task 2: Populate Lotus Notes
Task 1: Populate Sun ONE Directory Server
The Contoso Sun ONE Directory Server is required for authentication to legacy Contoso applications. If you have implemented the Sun ONE component in your solution, these scripts will create the required users needed for the Contoso scenario. These scripts should be executed from an open command prompt.
Using SunONEObjects.ldf

Execute the SunONEObjects.ldf file by using the ldifde.exe tool. Ensure that you execute ldifde.exe as follows from the command prompt (enter the command as a single line):

LDIFDE.EXE -i -s <server name> -a "<target user DN>" * -f <Ldf Object Filename>

-i enables “import” mode for LDIFDE.
-s denotes the server name hosting the Sun ONE Directory.
-a specifies the full distinguished name of a valid Sun ONE user identity that will be used to perform a simple bind to LDAP. This identity must be for a user who currently exists in Sun ONE. This value must be followed by an asterisk (*), which causes LDIFDE to prompt for the password of that identity.
-f specifies the LDIF compliant file to process.

An example of script execution is as follows (enter the command as a single line):

LDIFDE.EXE -i -s <Sun ONE Server> -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" * -f "%UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline\SunONEObjects.ldf"
You can execute the script remotely. If so, ensure that the target workstation has access to the Sun ONE Directory Server namespace.
To configure the Sun ONE Directory Server environment

1. Log on to the server hosting Sun ONE Directory Server 5.1 with administrative privileges.
2. Check to ensure the SunONEObjects.ldf file is present in the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline folder.
3. Click Start, click Run, type CMD.EXE and then press ENTER to open a command prompt.
4. Execute LDIFDE.EXE from the command line to process the Sun ONE LDIF compliant data file SunONEObjects.ldf.
5. Execute LDIFDE.EXE by using the SunONEObjects.ldf file. Ensure that you execute the script as follows from the command prompt (enter the command as a single line):

   LDIFDE.EXE -i -s FFL-SA-IPLANET -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" * -f "%UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline\SunONEObjects.ldf"

   Replace FFL-SA-IPLANET with the hostname of your Sun ONE Directory Server.
6. When prompted, enter the password for the user account associated with the -a switch.
7. Ensure that the script returns a “The command has completed successfully” status for all operations. If any errors occur, correct the problem and rerun the script.
Task 2: Populate Lotus Notes
Lotus Notes is used for e-mail by the external Fabrikam organization. If you have implemented the Lotus Notes component in your solution, complete the following steps to manually add five test users.
Note You can add these users automatically by using the import function in the Lotus Notes Administrator program to import the LotusObjects.txt file into the Fabrikam Directory.

To configure the Lotus Notes environment

1. Log on to the server hosting Lotus Notes with administrative privileges to the Notes e-mail system.
2. Using the Notes Administrator, create three Fabrikam users based on the information provided in the following tables:

Table 5.10. Basic Tab Information for Fabrikam Users

First name | Last name | Short name | User name
Robert | Barker | rbarker | Robert Barker/Fabcorp
Richard | Byham | rbyham | Richard Byham/Fabcorp
Susan | Eaton | Seaton | Susan Eaton/Fabcorp

Table 5.11. Mail Tab Information for Fabrikam Users

Notes | Fabrikam | FFL-sa-lotus | Robert Barker/Fabcorp | rbarker@fabrikam.com
Notes | Fabrikam | FFL-sa-lotus | Richard Byham/Fabcorp | rbyham@fabrikam.com
Notes | Fabrikam | FFL-sa-lotus | Susan Eaton/Fabrikam | seaton@fabrikam.com

Table 5.12. Work/Home Tab Information for Fabrikam Users

Title | Company | Department | Employee ID | Manager | City | Country
Engineer II | Fabrikam | Research & Development | 0871357 | rbyham | London | United Kingdom
Manager Research & Development | Fabrikam | Research & Development | 0681581 | dbradley | London | United Kingdom
Engineer | Fabrikam | Research & Development | 0089171 | rbyham | London | United Kingdom

3. Using the Notes Administrator, create two Contoso users based on the information provided in the following tables:

Table 5.13. Basic Tab Information for Contoso Users

First name | Last name | Short name | User name
Amy | Alberts | aalberts | aalberts
David | Bradley | dbradley | dbradley

Table 5.14. Mail Tab Information for Contoso Users

Mail system | Internet address
Other Internet Mail | aalberts@contoso.com
Other Internet Mail | dbradley@contoso.com

Table 5.15. Work/Home Tab Information for Contoso Users

Title | Company | Department | Employee ID | Manager | City | Country
Research Assistant | Contoso | Customer Service | 0061054 | rbyham | Palo Alto | United States
Chief Executive Officer | Contoso | Operations | 0042399 | | Palo Alto | United States
When complete, there should be five users (three from Fabrikam and two from Contoso) present in the environment.
MIIS 2003 with SP1 Installation and Configuration

The tasks in this section provide guidance for installing MIIS 2003 with SP1 and configuring it for the sample Contoso environment. These tasks include:

• Task 1: Preparing the MIIS Server
• Task 2: Service Account Creation
• Task 3: Service Account Configuration
• Task 4: Install MIIS 2003 with SP1 Server
• Task 5: Build MIIS Extensions
• Task 6: Configure Sun ONE Directory Server 5.1 for this Scenario
• Task 7: Configure Lotus Notes release 6.5.4 for this Scenario
Task 1: Preparing the MIIS Server
The steps in this task assume that Windows Server 2003, Enterprise Edition, Microsoft SQL 2000, and MIIS 2003 with SP1 are installed on the C: drive.
Important Perform these instructions in the prescribed sequence. Performing any steps out of order may cause the scenario to fail.

To install MIIS 2003 with SP1 and perform basic configuration

1. Install Windows Server 2003, Enterprise Edition.
   a. The computer name for the scenario is FFL-NA-MIIS-01. You can choose another computer name without affecting the scenario.
   b. Configure the IP address of your MIIS Server in the same address space as your network. Ensure that the DNS entries in the TCP/IP properties of the network connection are correct. Otherwise, you will not be able to join the computer to the domain.
   c. Join the computer to the domain na.corp.contoso.com.
   d. Install IIS 6.0 with ASP.NET support and FrontPage Server 2002 Extensions (prerequisites for Visual Studio .NET 2003).
2. Install SQL Server 2000, Enterprise Edition.
3. During setup, be sure to select Windows Authentication Mode for SQL Server.
4. Install SQL Server 2000 Service Pack 3 (SP3). After SP3 setup completes, ensure that the SQL Server service is running.
5. Install Microsoft Visual Studio .NET 2003 on the MIIS 2003 with SP1 server, which will allow you to develop or debug MIIS 2003 with SP1 extensions.

Note This is only for test systems, as production systems would typically not include Visual Studio. On production systems, all debugging should be done in the test environment, and only the changed DLL should be moved into Visual SourceSafe (VSS). When the DLL is in VSS, it can then be checked out and moved into the production system.
Task 2: Service Account Creation
MIIS 2003 with SP1 uses service accounts for several MAs, such as the Active Directory and the SQL Server MAs. You must ensure that these service accounts exist before you install MIIS 2003 with SP1.
To create the service accounts

1. Create the MIISservice account by using the Computer Management, Local Users and Computers console on the MIIS server.
2. Create the MIISADIntranet account by using Active Directory Users and Computers in the intranet forest.
3. Create the MIISADExtranet account by using Active Directory Users and Computers in the extranet forest.
Task 3: Service Account Configuration
The Microsoft Identity Integration Server service runs in the security context of a specific account. Because the account will have access to all of the MIIS 2003 with SP1 resources, this account should be locked down.
The Active Directory MA Accounts in the intranet and extranet Active Directory forests must have permission to discover objects and their attributes as well as write attribute updates to those accounts. Because Contoso has not yet implemented provisioning and deprovisioning of user accounts, permissions are not required to create and delete objects.
To configure the service accounts for appropriate access

1. Set restrictions for the MIIS Service Account on the MIIS server by performing the following steps:
   a. Open Local Security Policy on the MIIS server.
   b. In the console tree, click User Rights Assignment located under Security Settings, Local Policies.
   c. In the details pane, double-click the user right Deny log on as a batch job.
   d. In User Right Properties, click Add User or Group.
   e. Add the MIISservice account, and click OK.
   f. Repeat steps c to e until all the following user rights restrictions have been set:
      • Deny log on locally.
      • Deny log on by using Terminal Services.
      • Deny access to this computer from the network.
2. Configure the MA service accounts to discover objects by granting the Replicating Directory Changes permission:
   a. Log on to an intranet domain controller.
   b. Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
   c. On the View menu, click Advanced Features.
   d. Right-click the domain object na.corp.contoso.com, and then click Properties.
   e. On the Security tab, if the account MIISADIntranet is not listed, click Add, enter the account, and click OK; if the account is listed, proceed to step h.
   f. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
   g. Click OK to return to the Properties dialog box.
   h. Click the Intranet or Extranet user account as applicable.
   i. Click to select the Replicate Directory Changes check box in the Allow column.
   j. Click Apply, and then click OK.
   k. Close the MMC snap-in.

   Repeat the previous steps for the extranet Active Directory perimeter.contoso.com using the MIISADExtranet account.

   Note Replicate Directory Changes is required on each domain in the forest for which you will be discovering objects. For more information about how to set the Replicate Directory Changes permission, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.
3. Configure the Write All Properties permission on OUs containing user accounts managed by MA service accounts by performing the following:
   a. Log on to an intranet domain controller.
   b. Open the Active Directory Users and Computers MMC snap-in.
   c. On the View menu, click Advanced Features.
   d. Right-click the Employees organizational unit OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com and then click Properties.
   e. On the Security tab, if the account MIISADIntranet is not listed, click Add, enter the account, and then click OK; if the account is listed, proceed to step h.
   f. Click OK to return to the Properties dialog box.
   g. Click the Intranet or Extranet user account as applicable.
   h. Click the Advanced button.
   i. Select the Active Directory account; click the Edit button.
   j. In the Apply Onto box, select Child Objects Only.
   k. Select the following boxes to set permissions:
      • Read All Properties
      • Write All Properties
   l. Click OK to close the Permission Entry dialog box, click OK to close the Advanced Security Settings dialog box, and then click OK again.

   Repeat the previous steps in the extranet Active Directory for the MIISADExtranet account in this organizational unit: OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com

   Note The Write All Properties permission should be assigned on all objects in each OU that MIIS service accounts need to manage.
Task 4: Install MIIS Server 2003

This task installs MIIS 2003 with SP1 with the default settings.

To install MIIS 2003 with SP1

1. Install MIIS 2003 with SP1, accepting all defaults during the setup process. At the prompt for the service account, enter the account details for the new MIIS 2003 with SP1 service account MIISservice and the computer name of the server running MIIS 2003 with SP1. The account that you use when you run setup is placed in the group with the highest privileges, which is the MIIS 2003 with SP1 administrators group (MIISAdmins).
2. After completing the setup process, you must log off the computer and then log on again for MIIS 2003 with SP1 to recognize your membership in the MIISAdmins group. Perform this step before running MIIS 2003 with SP1 the first time.

   Note If a user other than an administrator for MIIS 2003 with SP1 runs this scenario, you must first add the user to the MIISAdmins group.
3. Increase the default Kerberos version 5 authentication protocol time-out value on the MIIS 2003 with SP1 server by adding the registry parameter KdcWaitTime to the following registry key and setting the time-out value to 30 seconds. This time-out value must be increased from the default of 5 seconds to ensure that you do not experience Kerberos protocol time-out issues caused by network latency.
   a. Start Registry Editor.
   b. Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters key, create a REG_DWORD value named KdcWaitTime and set its value to 30 (seconds).
   c. Restart the MIIS 2003 with SP1 server for the changes to take effect.
Task 5: Build MIIS Extensions

There are several MIIS Extensions included with the Tools and Templates for this paper. These extensions need to be compiled into DLLs for use with MIIS 2003 with SP1.

To open the MIIS Extensions and compile the DLLs

1. Open Visual Studio 2003.
2. Click File, point to Open, and then click Project.
3. Open IntranetDirectoryADMA.sln from %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MIIS Extensions\IntranetDirectoryADMA.
4. On the Build menu, click Build Solution. This creates the IntranetDirectoryADMA.dll file.
5. Repeat steps 1-4 for all projects in the following table.

Table 5.16. Additional Custom Extension Projects

Project | Output DLL
ExtranetDirectoryADMA | ExtranetDirectoryADMA.dll
Lotus Notes MAExtension | Lotus Notes MAExtension.dll

6. Copy all three compiled DLL files to the following location: <MIIS Installation Directory>\Extensions directory.

   Note The default MIIS 2003 with SP1 installation directory is C:\Program Files\Microsoft Identity Integration Server.
7. Copy the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Configuration\IDMGTExtranet.xml file to the <MIIS Installation Directory>\Extensions folder.
8. Edit the <MIIS Installation Directory>\Extensions\IDMGTExtranet.xml file as necessary to modify the extranet management agent parameters. The following table shows the default values for these parameters. Additionally, if your configuration is different with regard to server name or OU structure, modify this file to reflect the correct names.

Table 5.17. Configuration Parameters for the Extranet Management Agent

Parameter | Description | Default value
Ext-upn-suffix | UPN suffix for extranet Active Directory domain users. | @na.corp.contoso.com
ExtMailDomain | E-mail domain for extranet users. | @contoso.com
issuing-CA-dn | Distinguished name for issuing CA in reverse order format. | DC=com,DC=contoso,DC=corp,CN=ICA
CA-subject-prefix | Distinguished name for users in CA subject in reverse order format. | DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees
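The reverse-order distinguished names in Table 5.17 are the form Active Directory expects in an X.509 certificate mapping, the X509:<I>issuer<S>subject syntax of the altSecurityIdentities attribute. The following added example, which is not the VB.NET extension shipped with the Tools and Templates, reads a constructed IDMGTExtranet.xml fragment (the element layout is assumed; only the parameter names and defaults come from Table 5.17), converts a user's forward-order intranet DN to reverse order, refuses users outside the CA-subject-prefix container, and derives the mapping together with the UPN and mail address that Ext-upn-suffix and ExtMailDomain imply. It assumes that the certificate subject equals the user's intranet DN.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for IDMGTExtranet.xml. The parameter names and
# default values are those of Table 5.17; the <config>/<parameter name="..."> layout
# is an assumption, not the layout of the file shipped with the Tools and Templates.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config>
  <parameter name="Ext-upn-suffix">@na.corp.contoso.com</parameter>
  <parameter name="ExtMailDomain">@contoso.com</parameter>
  <parameter name="issuing-CA-dn">DC=com,DC=contoso,DC=corp,CN=ICA</parameter>
  <parameter name="CA-subject-prefix">DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees</parameter>
</config>
"""

REQUIRED = ("Ext-upn-suffix", "ExtMailDomain", "issuing-CA-dn", "CA-subject-prefix")


def load_config(xml_text):
    """Read the four Table 5.17 parameters; fail loudly if one is missing or empty."""
    root = ET.fromstring(xml_text)
    params = {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError("IDMGTExtranet.xml is missing parameters: " + ", ".join(missing))
    return params


def split_dn(dn):
    """Split a DN into its RDNs, keeping backslash-escaped commas inside a value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def to_reverse_order(forward_dn):
    """Active Directory stores DNs leaf-first (CN=...,OU=...,DC=...); the certificate
    mapping uses the root-first "reverse order" form shown in Table 5.17."""
    return ",".join(reversed(split_dn(forward_dn)))


def build_cert_mapping(params, user_dn):
    """Build the altSecurityIdentities value X509:<I>issuer<S>subject for one user.

    CA-subject-prefix acts as a guard: a subject that is not under the Employees
    container is rejected rather than mapped to a shadow account."""
    subject = to_reverse_order(user_dn)
    prefix = params["CA-subject-prefix"]
    if not subject.startswith(prefix + ","):
        raise ValueError(f"{user_dn} is outside the CA-subject-prefix container {prefix}")
    return f"X509:<I>{params['issuing-CA-dn']}<S>{subject}"


def build_extranet_identity(params, sam_account_name, user_dn):
    """Attributes the extranet shadow account would carry, derived from the config."""
    return {
        "userPrincipalName": sam_account_name + params["Ext-upn-suffix"],
        "mail": sam_account_name + params["ExtMailDomain"],
        "altSecurityIdentities": build_cert_mapping(params, user_dn),
    }


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    # Amy Alberts is one of the Contoso users from Table 5.13; her DN follows the
    # Employees OU used in Task 3 and is constructed here for illustration.
    identity = build_extranet_identity(
        cfg, "aalberts",
        "CN=Amy Alberts,OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com",
    )
    for attr, value in identity.items():
        print(f"{attr}: {value}")
```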
Task 6: Configure Sun ONE Directory Server 5.1 for this Scenario

You must complete this task if you implement Sun ONE Directory Server integration for your implementation.

To configure MIIS 2003 with SP1 for Sun ONE Directory Server 5.1 integration

1. Locate Sun ONE Directory Server 5.1. The Contoso environment uses OU=People and DC=Fabrikam,DC=com in the Sun ONE Directory Server.
2. To enable delta import capabilities, enable the Retro Changelog plug-in on the Sun ONE Directory Server.

Note To enable secure connections to your Sun ONE Directory server, enable SSL on Sun ONE.

Task 7: Configure Lotus Notes Release 6.5.4 for this Scenario

You must complete this task if you implement Lotus Notes integration.

To configure MIIS 2003 with SP1 for Lotus Notes integration

1. Locate the Lotus Notes Domino Release 6.5.4 server. The Contoso environment uses the Lotus Notes OU Fabrikam (/O=Fabrikam) as the certifier.
2. Install the Lotus Notes Release 6.5.4 client on the computer running MIIS 2003 with SP1. The Lotus Notes MA uses this client to access the Lotus Notes Address Book (NAB).
   a. Verify that you have access to Lotus Notes with the Lotus Notes client, using the Lotus Notes administrator account, before you create the Lotus Notes MA.
   b. Assign the MIIS 2003 with SP1 service account MIISservice full control permissions on the Lotus Notes installation directory on the MIIS 2003 with SP1 server.
MIIS 2003 with SP1 Management Agent Configuration
This section provides detailed procedures to configure the four management agents (MA). During this process, you also will configure the following management agent functionality:
• Import sources or export targets
• Import attribute flow rules
• Projection rules
• Join rules
• Export attribute flow rules
• Run profiles
You will use MIIS 2003 with SP1 Identity Manager to create the four MAs and specify all of the details for object, attribute, and rule selection for each of them. To accomplish this you must complete the following tasks in the order they are listed:
• Task 1: Extend the MIIS Metaverse Schema
• Task 2: Create the Sun ONE Directory Server Management Agent
• Task 3: Create the Intranet Directory Management Agent
• Task 4: Create the Extranet Directory Management Agent
• Task 5: Create the Lotus Notes Management Agent
• Task 6: Set Attribute Flow Precedence
• Task 7: Set Manual Attribute Flow Precedence
• Task 8: Create Run Profiles
Task 1: Extend the MIIS 2003 with SP1 Metaverse Schema
This scenario requires you to add two attributes to the MIIS 2003 with SP1 schema. In order to expedite this process, use the exported metaverse schema to import these attributes into MIIS.
To extend the metaverse schema using an exported metaverse schema

1. Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.
2. On the Tools menu, click Metaverse Designer.
3. On the Actions menu, click Import Metaverse Schema.
4. In the Open dialog box, locate the file %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Configuration\Mvschemaexport.xml, included as part of the Tools and Templates for this paper. After you have located the file, click Open.
5. The following message should display: The schema import completed successfully. Click OK to close the dialog box.

The following attributes should be added for Object Type: Person by the metaverse schema import process:

• sAMAccountName
• userPrincipalName
Task 2: Create the Sun ONE Directory Server 5.1 Management Agent
Now you can define the options for the Sun ONE Directory Server 5.1 MA to enable it to import existing Sun ONE directory data. In the following task, you will create the join rule and the conditions in which connector space objects for the Sun ONE Directory Server MA join to the metaverse person object. You will also create import and export attribute flow mappings for the Sun ONE Directory MA data source attributes.
To create the Sun ONE Directory Server 5.1 MA
1. Create the management agent by performing the following:
   1. On the Tools menu, click Management Agents.
   2. On the Actions menu, click Create.
   3. In Create Management Agent, in Management agent for, click Sun and Netscape directory servers.
   4. In Name, type Sun ONE Directory MA.
   5. Click Next.
2. Specify logon information by performing the following:
   1. In Create Management Agent, on the Specify Logon Information page, in Server, type the name of the Sun ONE Directory Server 5.1 server to which you want to connect, and then type a port number, user name, and password.
   2. Click Next.
   Note For secure communications to the Sun ONE Directory Server, enable SSL on the server and select Enable Secure Sockets Layer (SSL) for communications on the Create Management Agent, Specify Logon Information page.
3. To set the naming context configuration, perform the following:
   1. In Select a Naming Context, select the partition for the naming context.
   2. If you are using the default scenario setup, this will be dc=fabrikam,dc=com.
   3. Click Containers to select it.
   4. On the Select Containers page, clear the check boxes for all containers except the container where the scenario data was imported during setup. If you are using the default scenario setup, this will be People.
   5. Click OK, and then click Next.
   6. Select object types.
   7. In Object Types, click inetOrgPerson.
   8. Click Next.
   9. Select attributes.
   10. In Attributes, select Show All, and then select the following attributes:
      • description
      • displayName
      • employeeNumber
      • facsimileTelephoneNumber
      • givenName
      • mail
      • manager
      • sn
      • telephoneNumber
      • uid
      • l
      • title
   11. Click Next.
4. Do not modify the settings on the Configure Connector Filter page. Click Next.
5. Configure join and projection rules:
   1. In Data Source Object Type, select inetOrgPerson.
   2. Click New Join Rule.
   3. In Metaverse object type, select Person.
   4. In Mapping Type, click Direct.
   5. In the Data source attribute list, select employeeNumber, and in the Metaverse attribute list, select employeeID.
   6. Click Add Condition.
   7. Click OK.
   8. Click Next.
6. Configure attribute flow:
   1. In Data source object type, select inetOrgPerson.
   2. In Metaverse object type, select Person.
   3. In Mapping Type, click Direct.
   4. In Flow Direction, click the correct flow direction based on the following table.
   5. Create the attribute mappings as indicated in the following table, and then click Next.
Table 5.18. Sun ONE Directory MA Attribute Mapping
Data source attribute | Metaverse attribute | Mapping type | Flow direction
description | company | Direct | Export
displayName | displayName | Direct | Export
employeeNumber | employeeID | Direct | Export
facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export
givenName | givenName | Direct | Export
l | l | Direct | Export
mail | mail | Direct | Export
sn | sn | Direct | Export
telephoneNumber | telephoneNumber | Direct | Export
title | title | Direct | Export
uid | uid | Direct | Export
manager | manager | Direct | Import
7. Do not modify the settings of the Configure Deprovisioning page. Click Next.
8. Do not modify the settings of the Configure Extensions page. Click Finish.
Task 3: Create the Intranet Directory Management Agent
Complete the following steps to accomplish this task. Please note that “Intranet Directory” refers to the corp.contoso.com domain.
To set up the Intranet Directory MA
1. In Identity Manager, on the Tools menu, click Management Agents.
2. On the Actions menu, click Import Management Agent.
3. In the File Open dialog box, browse to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Exports, select the IntranetADMA.xml file, and then click Open.
4. In the Create Management Agent pane, ensure that the Name field contains Intranet Directory MA, and then click Next.
5. In the Connect to Active Directory Forest pane, in the Forest name field, type corp.contoso.com (or the name of your intranet Active Directory forest).
6. In the User name field, type MIISADIntranet to define the name of the user account MIIS 2003 with SP1 will use to access Active Directory.
7. In the Password field, type the account password.
8. In the Domain field, type na.corp.contoso.com to define the appropriate domain for the MIISADIntranet account, and then click Next to continue. The Configure Directory Partition pane opens if the account and password are validated.
   Note If you are using different forest or domain names than corp.contoso.com, a Partition Matching dialog box will appear. If this occurs, in the right pane of the Existing Partitions field, clear all existing partitions except for the Active Directory domain to which users will be provisioned. Leave only one domain partition selected. Click Match and then click OK.
9. Review the information in the Configure Directory Partition pane, and then click Next.
10. Review the information in the Select Object Types pane, and then click Next.
11. Review the information in the Select Attributes pane, and then click Next.
12. Review the information in the Configure Connector Filter pane, and then click Next.
13. Review the Configure Join and Projection Rules, and then click Next.
14. Review the Attribute Flow for person objects; they should be the same as shown in the following table.
Table 5.19. Attribute Flow for the Intranet Active Directory MA
Data source attribute | Metaverse attribute | Mapping type | Flow direction
c | company, c | Advanced | Export
co | company, co | Advanced | Export
company | company | Advanced | Export
department | company, department | Advanced | Export
displayName | company, displayName | Advanced | Export
employeeID | company, employeeID | Advanced | Export
facsimileTelephoneNumber | company, facsimileTelephoneNumber | Advanced | Export
givenName | company, givenName | Advanced | Export
l | company, l | Advanced | Export
mail | company, mail | Advanced | Export
mailNickName | company, sAMAccountName | Advanced | Export
sAMAccountName | company, sAMAccountName | Advanced | Export
sn | company, sn | Advanced | Export
targetAddress | company, mail | Advanced | Export
telephoneNumber | company, telephoneNumber | Advanced | Export
title | company, title | Advanced | Export
company, c | c | Advanced | Import
company, co | co | Advanced | Import
company, department | department | Advanced | Import
company, displayName | displayName | Advanced | Import
company, employeeID | employeeID | Advanced | Import
company, facsimileTelephoneNumber | facsimileTelephoneNumber | Advanced | Import
company, givenName | givenName | Advanced | Import
company, l | l | Advanced | Import
company, mail | mail | Advanced | Import
company, sAMAccountName | sAMAccountName | Advanced | Import
company, sn | sn | Advanced | Import
company, telephoneNumber | telephoneNumber | Advanced | Import
company, title | title | Advanced | Import
manager | manager | Direct | Import
userPrincipalName | userPrincipalName | Direct | Import
company | company | Advanced | Import
15. Review the information in the remaining panes and then click Finish to complete this wizard.
Task 4: Create the Extranet Directory Management Agent
Complete the following steps to accomplish this task. Please note that “Extranet Directory” refers to the perimeter.contoso.com domain.
To set up the Extranet Directory MA
1. In Identity Manager, on the Tools menu, click Management Agents.
2. On the Actions menu, click Import Management Agent.
3. In the File Open dialog box, browse to the location %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Exports, select the ExtranetADMA.xml file, and then click Open.
4. In the Create Management Agent pane, in the Name field, type Extranet Directory MA and then click Next.
5. In the Connect to Active Directory Forest pane, locate the Forest name field and type the extranet Active Directory forest name, perimeter.contoso.com.
6. In the User name field, type MIISADExtranet to define the Enterprise Administrator account MIIS 2003 with SP1 will use to access the extranet Active Directory.
7. In the Password field, type the account password.
8. In the Domain field, type perimeter.contoso.com to define the appropriate domain for the MIISADExtranet account and then click Next. The Configure Directory Partition pane opens if the account and password are validated.
   Note If you are using different OUs than those preconfigured in the MA export, locate the Select Containers box in the Configure Directory Partition pane and then click Containers. Expand the console tree, ensure that the OUs you are using are selected, and then click OK.
9. Review the information in the Configure Directory Partition pane, and then click Next.
10. Review the information in the Select Object Types pane, and then click Next.
11. Review the information in the Select Attributes pane, and then click Next.
12. Review the information in the Configure Connector Filter pane, and then click Next.
13. Review the Configure Join and Projection Rules, and then click Next.
14. Review the Attribute Flow for person objects; they should be the same as shown in the following table.
Table 5.20. Attribute Flow for the Extranet Active Directory MA
Data source attribute | Metaverse attribute | Mapping type | Flow direction
altSecurityIdentities | samAccountName | Advanced | Export
c | c | Direct | Export
co | co | Direct | Export
company | company | Direct | Export
department | department | Direct | Export
employeeID | employeeID | Direct | Export
givenName | givenName | Direct | Export
l | l | Direct | Export
mail | mail | Direct | Export
manager | manager | Direct | Export
sAMAccountName | sAMAccountName | Direct | Export
sn | sn | Direct | Export
userPrincipalName | userPrincipalName, samAccountName | Advanced | Export
15. Review the information in the remaining screens, clicking Next to continue. Click Finish to complete the wizard.
After completing this procedure, verify that the Extranet Directory parameters are correctly defined in the <MIIS Installation Directory>\Extensions\IDMGMTExtranet.xml file. The extension DLLs read this XML file to use the information it contains when processing export flow rules.
Task 5: Create the Lotus Notes Management Agent
Note MIIS 2003 with SP1 validates the account access to Lotus Notes through the installed Lotus Notes client on the MIIS 2003 with SP1 server. You must access Lotus Notes by using the Notes administrator before you continue the management agent creation process.
To create this management agent, you will import the saved (exported) configuration file.
To create the Lotus Notes management agent
1. In Identity Manager, on the Tools menu, click Management Agents.
2. On the Actions menu, click Import Management Agent.
3. In the File Open dialog box, browse to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Exports, select the LotusNotesMA.xml file, and then click Open.
4. In the Create Management Agent pane, in the Name field, type Lotus Notes MA and then click Next.
5. In the Connect to Notes Server pane, in the Hierarchical server name field, type the name of the Lotus Notes server in the following hierarchical format: servername/notescertifier.
6. Click Browse, and then navigate to the Lotus Notes client user ID file previously installed for the Lotus Notes Administrator.
7. In the Password field, type the account password.
8. In the Address Books field, ensure that names.nsf appears, and then click Next.
9. In the Configure Organizational Units pane, define the association between the Lotus Notes Address Book, the OU (certifier) and the Certifier Path with the Cert.id file. To do this, click the Edit button.
10. In the Organization Unit Certifier Detail dialog box, next to Specify certifier, click the Browse button. Navigate to the certifier ID file associated with the OU, select the file, and then click OK.
11. In the Organization Unit field, verify O=fabcorp; in the Address Book field, verify names.nsf; and then, in the Password field, enter your password and click OK.
   Note You must supply the Lotus Notes administrator password to open the OU.
12. In the Configure Organizational Units pane, click Next.
13. Review the information in the Select Object types pane, and then click Next.
14. Review the information in the Select Attributes pane, and then click Next.
15. Review the information in the Configure Connector Filter pane, and then click Next.
16. Review the Configure Join and Projection Rules, and then click Next.
17. Review the Attribute Flow for person objects; they should be the same as shown in the following table:
Table 5.21. Attribute Flow for the Lotus Notes MA
Data source attribute | Metaverse attribute | Mapping type | Flow direction
companyName | company | Advanced | Export
department | company, department | Advanced | Export
employeeID | company, employeeID | Advanced | Export
firstName | company, givenName | Advanced | Export
lastName | company, sn | Advanced | Export
mailAddress | company, mail | Advanced | Export
officeCity | company, l | Advanced | Export
officeCountry | company, co | Advanced | Export
officeFaxPhoneNumber | company, facsimileTelephoneNumber | Advanced | Export
officePhoneNumber | company, telephoneNumber | Advanced | Export
shortName | company, sAMAccountName | Advanced | Export
title | company, title | Advanced | Export
companyName | company | Advanced | Import
companyName, department | department | Advanced | Import
companyName, lastName, firstName | displayName | Advanced | Import
companyName, employeeID | employeeID | Advanced | Import
companyName, firstName | givenName | Advanced | Import
companyName, lastName | sn | Advanced | Import
companyName, internetAddress | mail | Advanced | Import
companyName, officeCity | l | Advanced | Import
companyName, officeCountry | co | Advanced | Import
companyName, officeFaxPhoneNumber | facsimileTelephoneNumber | Advanced | Import
companyName, officePhoneNumber | telephoneNumber | Advanced | Import
companyName, shortName | sAMAccountName | Advanced | Import
companyName, title | title | Advanced | Import
manager | manager | Direct | Import
18. Review the remaining panes and then click Finish to complete the wizard.
Task 6: Set Attribute Flow Precedence
The metaverse schema that was imported earlier in the implementation has already set both attribute precedence and manual precedence. Use the following guidance for a better understanding of how and what was set with this solution.
To create the attribute precedence flow
1. Configure attribute precedence flow for the Manager attribute:
   1. In Identity Manager, on the Tools menu, click Metaverse Designer.
   2. In Object Types, click Person.
   3. In Attributes, click manager.
   4. On the Actions menu, click Configure Attribute Flow Precedence.
   5. Use the Up or Down arrow to match the ranking indicated in the following table and click OK.
Table 5.22. Attribute Flow Precedence
Metaverse attribute | Management agent | Precedence
manager | Intranet Directory MA | 1
manager | Lotus Notes MA | 2
manager | Sun ONE Directory MA | 3
Task 7: Set Manual Attribute Flow Precedence
Manual precedence can be set when all management agents with import flow rules are using advanced flow rules. Contoso uses manual precedence to allow two different management agents to be authoritative over attributes into the metaverse. For Fabrikam users Lotus Notes will be authoritative. For Contoso users the Intranet Directory MA will be authoritative.
To set manual attribute flow precedence
1. Configure manual attribute precedence flow for a number of attributes.
   1. In Identity Manager, on the Tools menu, click Metaverse Designer.
   2. In Object types, click person.
   3. In Attributes, click company.
   4. On the Actions menu, click Configure Attribute Flow Precedence.
   5. In Configure Attribute Flow Precedence, verify the check box is selected to Use Manual Flow Precedence with all of the following attributes:
      • c
      • co
      • company
      • department
      • employeeID
      • facsimi
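With manual precedence, the "Advanced" import rules in Tables 5.19 and 5.21 that list company next to the attribute being flowed are what actually decide which MA's value reaches the metaverse: the rules extension declines the mapping when the object's company is one the MA is not authoritative for. The following is an added example of such an MIIS 2003 rules extension, not the extension shipped with the Tools and Templates; it assumes each flow rule is named after the attribute it flows, that the data source attribute has the same name (as in the Intranet Directory MA, Table 5.19), and that the MA's authoritative company is the constant AuthoritativeCompany.

```csharp
// Added example of an MIIS 2003 rules extension for "Advanced" import flow
// rules of the form "company, <attribute> -> <attribute>" (Table 5.19).
// It is not the extension shipped with the Tools and Templates.
using System;
using Microsoft.MetadirectoryServices;

namespace Contoso.IdentityAggregation
{
    public class CompanyScopedFlowRules : IMASynchronization
    {
        // Assumed: the company this MA is authoritative for. Per Task 7 the
        // Intranet Directory MA is authoritative for Contoso users and the
        // Lotus Notes MA for Fabrikam users; a deployment would read this
        // value from configuration rather than hard-code it.
        private const string AuthoritativeCompany = "Contoso";

        public void Initialize() { }
        public void Terminate() { }

        // Called once per advanced import flow rule. FlowRuleName is assumed
        // to equal both the metaverse attribute name and the data source
        // attribute name (c, co, department, ... in Table 5.19).
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            // company is the second data source attribute of every rule; it
            // decides whether this MA may write the value at all.
            if (!csentry["company"].IsPresent ||
                !string.Equals(csentry["company"].Value, AuthoritativeCompany,
                               StringComparison.OrdinalIgnoreCase))
            {
                // Not authoritative: decline instead of overwriting the value
                // contributed by the MA that is authoritative for this user.
                throw new DeclineMappingException();
            }

            if (csentry[FlowRuleName].IsPresent)
            {
                mventry[FlowRuleName].Value = csentry[FlowRuleName].Value;
            }
            else
            {
                // Source attribute was cleared: clear it in the metaverse too.
                mventry[FlowRuleName].Delete();
            }
        }

        // Export flow and the remaining IMASynchronization members are not
        // used by this example.
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

The Lotus Notes MA rules in Table 5.21 map differently named attributes (for example firstName to givenName), so a second branch keyed on FlowRuleName would be needed there; the decline-when-not-authoritative check stays the same.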