Microsoft Identity Lifecycle Manager 2007 Frequently Asked Questions

ILM 2007 is a solution that builds on the metadirectory and user provisioning capabilities in Microsoft Identity Integration Server 2003 (MIIS) and adds new capabilities for managing strong credentials such as smart cards, providing an integrated approach that pulls together metadirectory, digital certificate and password management, and user provisioning across Windows and other enterprise systems.

ILM 2007 Feature Pack 1 is the version of ILM 2007 that is available today for customer to buy or download as evaluation. FP1 was released in October 2007 and adds enhanced management agent support for pure Exchange 2007 environments, expanded certificate and smart card management support for Windows Vista, Offline Windows Vista-integrated smart card PIN unblock, Smart card PIN unblock for Windows XP and expanded client localization options.

ILM 2007 brings together three key features:

ILM 2007 is available today.

ILM 2007 includes and enhances the functionality of MIIS 2003. By integrating the metadirectory and user provisioning features of MIIS 2003 with a management solution for strong credentials, ILM is a powerful solution for managing the entire identity life cycle of users and credentials.

Certificate Lifecycle Manager (CLM) is a policy- and workflow-driven technology that helps organizations manage the lifecycle of digital certificates and smart cards. This technology is a key component of ILM 2007.

Certificate Lifecycle Manager is part of ILM 2007. By acquiring ILM 2007 you will gain all of the features and technologies of CLM.

A 180-day ILM 2007 Evaluation Edition is available for you to explore how you can manage identities, certificates, and smart cards across your organization. The 180-day ILM 2007 evaluation software requires Microsoft Windows Server 2003 and Microsoft SQL Server 2005 or SQL Server 2000. Additional system requirements for the ILM 2007 Evaluation Edition are detailed in the System Requirements section later in this FAQ.

ILM 2007 Certificate Management (CLM) is available in English, German, French, Spanish, Japanese, Chinese, Italian, Dutch, and Portuguese.

The Identity Synchronization and User Provisioning features are only available in English.

To run ILM 2007 as an evaluation version or in production, you need:

* Windows Server 2008 32 bit support requires KB946797 on ILM 2007 FP1

Yes, SQL Server may be run on the same server on which ILM 2007 is running. Typically, performance is enhanced when SQL Server and ILM 2007 run on the same server.

Yes, Windows Server 2008 32 bit is a supported platform.

The user provisioning and synchronization services can be installed on Windows Server 2008. Note that you might need to turn off UAC (User Access Control) when adding new Management Agents. SQL MA is one example where the MA needs elevated privilege on Windows to be able to impersonate the user account used to connect to remote system.

With the update in KB article 946797 Certificate lifecycle management can be installed on Windows Server 2008 32 bit and use Active Directory Certificate Services Enterprise CA on Windows Server 2008 32 bit. See the KB article for more details.

Yes. The PCNS agent can be installed on ADDS on Windows Server 2008 32 and 64 bit.

No, ILM 2007 is currently not supported in any virtual environment. See KB article 957006 for a list of server software supported on virtualization.

Yes. All of the server-side components of ILM 2007 may run on the same server. However, depending on the security requirements on your environment and the processing required by your ILM 2007 server configuration, you may find it beneficial to run the components on different servers.

ILM 2007 is available through Volume Licensing channels.

ILM 2007 is licensed on a Server plus User Client Access License (CAL) basis for production usage. For non-production usage, ILM 2007 is also available in a 180-day Evaluation Edition and as part of the MSDN subscription.

ILM 2007 production licenses are priced at $15,000 per server and $25 per user CAL. You must acquire and assign a user CAL for each person for whom Identity Lifecycle Manager 2007 issues or manages one or more digital certificates. Otherwise, you do not need user CALs only to access instances of the server software.

These prices are U.S. prices for the Open NL pricing level and may vary slightly by country and by reseller. This product is only available through volume licensing programs.

You must acquire and assign a user CAL for each user person for whom Identity Lifecycle Manager 2007 issues or manages one or more digital certificates. Otherwise, you do not need user CALs only to access instances of the server software. Furthermore, the only types of CALs available with ILM 2007 are user CALs. Device CALs are not available.

An ILM 2007 external connector is available for $18,000 per server

Many MIIS 2003 customers participate in the Software Assurance program, which entitles them, among other benefits, to future versions of MIIS. Future versions of MIIS are being rolled into ILM 2007. As a one-time exception in connection with this transition, we are granting Select, Enterprise, Open License, and Open Value customers with active Software Assurance for MIIS 2003 as of April 30, 2007:

ILM 2007 licenses granted under this offer will include Software Assurance coverage. That coverage will expire when the corresponding MIIS 2003 coverage expires. Upon expiration of that coverage, customers may renew their software Assurance on the ILM 2007 license. Customers must acquire ILM 2007 CALs separately.

Every user identity that is managed by ILM 2007 does require a SQL Server CAL or SQL Server license using Per Processor licensing. Please consult the SQL Server licensing site for up-to-date information on how SQL Server is licensed, including answers to frequently asked questions.

No. You may use a copy of SQL Server that you have already licensed. ILM 2007 does not require a copy for its own exclusive use. It may be shared with other applications.

Setup for ILM 2007 is designed to perform upgrades where appropriate. For example, ILM 2007 Volume License can upgrade an existing MIIS 2003 installation, Identity Integration Feature Pack (IIFP), ILM 2007 Evaluation Edition, and ILM 2007 MSDN. IIFP cannot upgrade anything except a previous IIFP. ILM 2007 MSDN cannot upgrade anything except a previous MIIS 2003 MSDN, etc.

Below is a matrix that shows the upgrade paths available. The latest available version of ILM 2007 is ILM 2007 FP1.

Mainstream support for MIIS 2003 expired on October 14, 2008. IIFP mainstream support also expired on this date and follows the MIIS 2003 support lifecycle. The details of the MIIS 2003 product support lifecycle can be found at the Microsoft Support Lifecycle where you also find the lifecycle for ILM 2007.

Visit the Identity and Access Partner page to learn more about ILM 2007 partners.

Smart card platforms are supported indirectly through the middleware used to interface to the card. The middleware controls which specific cards are supported by it. ILM 2007 supports two forms of middleware: BaseCSP and PKCS#11. Any BaseCSP smart card module that conforms to the BaseCSP specification is supported by ILM 2007. ILM 2007 support for PKCS#11 includes support for the following vendors:

ILM "2" will extend the functionality of ILM 2007 with new capabilities that will:

In addition, Microsoft is implementing ILM "2" on a common set of services—including workflow, delegation, Web services APIs, and logging—that customers and independent software vendors can use to customize and extend the functionality in ILM "2".

ILM "2" extends the functionality of ILM 2007 with new capabilities focused on empowering end users to manage aspects of their digital identities through tools they are comfortable with, such as Office and Windows. ILM "2" provides a series of solutions for management of users, access, credentials, and policies that empower end users with self-service while ensuring that IT is firmly in control. Microsoft is also implementing ILM "2" on a common set of services—including workflow, delegation, Web services APIs, and audit logs—that customers and ISVs can use to extend the core product functionality.