Microsoft Identity Manager 2016 Handbook - David Steadman - E-Book

David Steadman

Description

A complete handbook on Microsoft Identity Manager 2016 – from design considerations to operational best practices

About This Book

  • Get to grips with the basics of identity management and get acquainted with the MIM components and functionalities
  • Discover the newly-introduced product features and how they can help your organization
  • A step-by-step guide to enhance your foundational skills in using Microsoft Identity Manager from those who have taught and supported large and small enterprise customers

Who This Book Is For

If you are an architect or a developer who wants to deploy, manage, and operate Microsoft Identity Manager 2016, then this book is for you. This book will also help the technical decision makers who want to improve their knowledge of Microsoft Identity Manager 2016. A basic understanding of Microsoft-based infrastructure using Active Directory is expected. Identity management beginners and experts alike will be able to apply the examples and scenarios to solve real-world customer problems.

What You Will Learn

  • Install MIM components
  • Find out about the MIM synchronization, its configuration settings, and advantages
  • Get to grips with the MIM service capabilities and develop custom activities
  • Use the MIM Portal to provision and manage an account
  • Mitigate access escalation and lateral movement risks using privileged access management
  • Configure client certificate management and its detailed permission model
  • Troubleshoot MIM components by enabling logging and reviewing logs
  • Back up and restore the MIM 2015 configuration
  • Discover more about periodic purging and the coding best practices

In Detail

Microsoft Identity Manager 2016 is Microsoft's solution to identity management. When fully installed, the product utilizes SQL, SharePoint, IIS, web services, the .NET Framework, and SCSM to name a few, allowing it to be customized to meet nearly every business requirement.

The book is divided into 15 chapters and begins with an overview of the product, what it does, and what it does not do. To better understand the concepts in MIM, we introduce a fictitious company and its problems and goals, then build an identity solution to fit those goals. Over the course of this book, we cover topics such as MIM installation and configuration, user and group management options, self-service solutions, role-based access control, reducing security threats, and finally operational troubleshooting and best practices.

By the end of this book, you will have gained the necessary skills to deploy, manage and operate Microsoft Identity Manager 2016 to meet your business requirements and solve real-world customer problems.

Style and approach

The concepts in the book are explained and illustrated with the help of screenshots as much as possible. We strive for readability and provide you with step-by-step instructions on the installation, configuration, and operation of the product.

Throughout the book, you will be provided with on-the-field knowledge that you won't get from whitepapers and help files.

Pages: 522

Year of publication: 2016

Table of Contents

Microsoft Identity Manager 2016 Handbook
Credits
About the Authors
About the Reviewers
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Instant updates on new Packt books
Preface
The story in this book
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
1. Overview of Microsoft Identity Manager 2016
The Financial Company
The challenges
Provisioning of users
The identity life cycle procedures
Highly privileged accounts (HPA)
Password management
Traceability
The environment
Moving forward
The history of Microsoft Identity 2016
Components at a glance
MIM Synchronization Service
MIM Portal and Service
MIM Certificate Management
Role-Based Access Control (RBAC) with BHOLD
MIM Reporting
Privilege Access Management
Licensing
Summary
2. Installation
Capacity planning
Separating roles
Databases
MIM features
Hardware
Installation order
Prerequisites
Databases
Collation and languages
SQL aliases
SQL
SCSM
Web servers
MIM Portal
MIM password reset
MIM Certificate Management
MIM Service accounts and groups
The Kerberos configuration
SETSPN
Delegation
Installation
The MIM Synchronization service
The System Center Service Manager console
SharePoint Foundation
The MIM service and the MIM portal
The MIM Password Reset portal
MIM certificate management
SCSM management
SCSM Data Warehouse
Post-installation configuration
Granting the MIM service access to MIM Sync
Securing the MIM Service mailbox
Disabling indexing in SharePoint
Redirecting to IdentityManagement
Enforcing Kerberos
Editing binding in IIS for MIM Password sites
Registering the SCSM manager in data warehouse
MIM post-install scripts for data warehouse
Summary
3. MIM Sync Configuration
MIM Synchronization interface
Creating Management Agents
Active Directory
Least-privileged approach
Directory replication
Password reset
Creating AD MA
HR (SQL Server)
Creating an SQL MA
Creating a rules extension
The Metaverse rules extension
Indexing Metaverse attributes
Creating run profiles
Single or multi step
Schema management
MIM Sync versus MIM Service schema
Object deletion in MV
Initial load versus scheduled runs
Maintenance mode for production
Disabling maintenance mode
Summary
4. MIM Service Configuration
MIM Service request processing
The management policy
Service partitions
Included authentication, authorization, and action activities
Authentication activities
Authorization activities
Action activities
The MIM Service Management Agent
The MIM Service MA
Creating the FIM Service MA
The MIM MA filtering accounts
Understanding the portal and UI
Portal configuration
The navigation bar resource
Search scopes
Filter permissions
Resource Control Display Configurations
Custom activities development
Summary
5. User Management
Additional sync engine information
Portal MPRs for user management
Configuring sets for user management
Inbound synchronization rules
Outbound synchronization rules
Outbound Synchronization Policy
Outbound System Scoping Filter
Detected Rule Entry
Provisioning
Non-declarative provisioning
Managing users in a phone system
Managing users in Active Directory
The userAccountControl attribute
Provisioning users to Active Directory
Synchronization rule
Creating the set
Setting up the workflow
Creating the MPR
Inbound synchronization from AD
Temporal sets
Self-service using MIM Portal
Managers can see direct reports
Allowing users to manage their own attributes
Managing Exchange
Exchange 2007
Exchange 2010 and later
Synchronization rules for Exchange
Mailbox users
Mail-enabled users
More considerations
Summary
6. Group Management
Group scope and types
Active Directory
Group scope and type in MIM
Type
Scope
Member selection
Manual groups
Manager-based groups
Criteria-based groups
Modifying MPRs for group management
Managing groups in AD
Security and distribution groups
Synchronization rule
Installing client add-ins
Add-ins and extensions
Creating and managing distribution groups
Summary
7. Role-Based Access Control with BHOLD
Role-based access control
BHOLD role model objects
Organizational units
Users
Roles
Permissions
Applications
Other advanced features
Installation
BHOLD Core and other components
MIM/FIM Integration install
Patching
Access Management Connector
Creating the ODBC connection file
Creating the generic SQL connector for the BHOLD orgunit
Creating run profiles
Creating a BHOLD connector and sync rules
MIM/FIM Integration
Attestation
Reporting
Summary
8. Reducing Threats with PAM
Why deploy PAM?
PAM components
How does it work?
System requirements
Considerations
Our scenario
Preparing TFC
Preparing PRIV
Preparing the PAM server
Installing PAM
Installing PAM PowerShell cmdlets
DNS, trust, and permissions
Privileged groups, users, and roles
User experience
PAM in the MIM service
The sample PAM portal
Multi-factor authentication
Summary
9. Password Management
SSPR background
QA versus OTP
Installing self-service password reset
Enabling password management in AD
Allowing MIM Service to set passwords
Configuring MIM Service
Password Reset Users Set
Password Reset AuthN workflow
Configuring the QA gate
The OTP gate
The Phone gate
Require re-registration
SSPR MPRs
The SSPR user experience
SSPR lockout
Password synchronization
Password Change Notification Service
Summary
10. Overview of Certificate Management
What is certificate management?
Certificate management components
Certificate management agents
The certificate management permission model
Creating service accounts
Service Connection Point
The Active Directory extended permissions
The certificate templates permission
The profile template permission
The management policy permission
The software management policy
The smart card management policy
Summary
11. Installation and the Client Side of Certificate Management
Installation and configuration
Extending the schema
The configuration wizard
Creating certificate templates for MIM CM service accounts
The MIM CM User Agent certificate template
The MIM CM Enrollment Agent certificate template
The MIM CM Key Recovery Agent certificate template
Enabling the templates
Require SSL on the CM portal
Kerberos… oh, what a world!
Running the wizard
Backup certificates
Rerunning the wizard
The accounts
The database
Configuring the MIM CM Update service
Database permissions
Configuring the CA
Installing the MIM CM CA files
Configuring the Policy Module
Certificate management clients
Installing the MIM CM client
Modern App deployment and configuration
Configuration and deployment
Summary
12. Certificate Management Scenarios
Modern app and TPM virtual smart card
Creating a certificate template
Creating the profile
Testing the scenario
Using support for Non-MIM CM
Creating the software certificate
Creating the profile
Testing the scenario
Multiforest configuration
Step 1 – CM DNS setup
Step 2 – CM domain trust and configuration
Step 3 – CM forest configuration
Step 4 – CM enrollment configuration
ADFS configuration
Step 1 – the CM installation and prerequisites
Step 2 – the configuration wizard
Step 3 – continued configuration
Step 4 – the final test
Models at a glance
The centralized management model
The self-service model
The manager-initiated model
Summary
13. Reporting
Verifying the SCSM setup
Synchronizing data from MIM to SCSM
Default reports
The SCSM ETL process
Looking at reports
Allowing users to read reports
Modifying reports
Hybrid reporting in Azure
Summary
14. Troubleshooting
The basics
Operation statistics
A simple data problem
Rule extension debugging and logging
Rule extension logging
MIM service request failures
Debugging a custom activity
Increasing application logging
Password change notification service
Summary
15. Operations and Best Practices
Expectations versus reality
Automating run profiles
Best practices concepts
Backup and restore
Backing up the synchronization encryption key
Restoring the MIM synchronization DB
Restoring the MIM service DB and portal
Additional backup considerations
Operational health
Database maintenance
SQL best practices
MIM synchronization best practices
MIM portal best practices
Other best practices
Summary
Index

Microsoft Identity Manager 2016 Handbook

Microsoft Identity Manager 2016 Handbook

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: July 2016

Production reference: 1150716

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78528-392-5

www.packtpub.com

Credits

Authors

David Steadman

Jeff Ingalls

Reviewers

Jochen Nickel

Tomica Kaniski

Peter Geelen

Brandon James

Jeff Stokes

Arik Noyman

Commissioning Editor

Nadeem Bagban

Acquisition Editor

Meeta Rajani

Content Development Editors

Pooja Mhapsekar

Amey Varangaonkar

Technical Editor

Taabish Khan

Copy Editors

Shruti Iyer

Sonia Mathur

Project Coordinator

Suzanne Coutinho

Proofreader

Safis Editing

Indexer

Rekha Nair

Graphics

Kirk D'Penha

Production Coordinator

Shantanu N. Zagade

Cover Work

Shantanu N. Zagade

About the Authors

David Steadman has been an IT industry influencer and dedicated husband for more than 17 years. He has held prestigious positions at some of the world's most innovative technology companies, including his service as a senior escalation engineer within the identity platform at, possibly, the most famous tech company on the planet, Microsoft. He is an entrepreneur, active learner, and a man constantly looking to develop and expand new skills in order to leverage the technology of the future. When not at his job, David enjoys family time and coaching soccer.

I would like to express my gratitude to the many people who saw me through this book, to all those who provided support; talked things over; read; wrote; offered comments; allowed me to quote their remarks; and assisted in the editing, proofreading, and design of this book.

Above all, I want to thank my wife, Amy, and the rest of my family, who supported and encouraged me despite all the time it took me away from them. It was a long and difficult journey for them. I want to thank the Microsoft Identity Support team, the Engineer team, specifically Steve Light, Ziv Yankelovich, Mark Wahl, Brandon James, Juan Olivencia, and Steve Klem, and my manager, Franz Foster, for all the discussions on this book and off-the-wall questions.

Last but not least, I want to thank my Dad and Grandfather for showing me that hard work and dedication can go a long way!

Jeff Ingalls is a husband, father, and cancer-surviving dyslexic who works out of his Ohio home office in identity and access management. Jeff has been working with Microsoft technologies for over 20 years and with the Microsoft identity software since its conception in 2003. He has provided solutions to various private and public sectors including automotive, DoD, education, health and services, small businesses, and state and local government. He enjoys learning, teaching, and learning some more. Jeff has a graduate degree in information technology and an undergraduate degree in mathematics. In his free time, he enjoys spending time with his family, cooking, and reading non-fiction. You can reach him at <[email protected]>.

I would like to thank Packt Publishing for the opportunity, David Steadman for running the long writing race with me, the MIM product group team for their speedy replies and assistance, the technical reviewers, and especially my wife and kids for their sacrifices during the writing of this book. I would also like to make a special thanks to industry leaders I have met throughout my career who provided me with a rich personal and professional growing soil: Chuck Mirabitur, Vern Rottmann, Barb Moro, Mark Edwards, and Mikel Hancock.

About the Reviewers

Jochen Nickel is a cloud, identity, and access management solution architect with a focus on and deep technical knowledge about identity and access management. He is currently working for inovit GmbH in Switzerland and spends the majority of each workday planning, designing, and implementing identity and access management solutions, including the Microsoft Identity Manager, Azure Active Directory Premium, and the Microsoft Azure Rights Management Services.

Jochen has been part of many projects, proofs of concept, reviews, reference architectures, and workshops in this field of technology. Furthermore, he is a Microsoft VTSP Security, Identity, and Access Management from Microsoft Switzerland, and he uses his experience for the directly-managed business accounts in Switzerland. He has also been an established speaker at many technology conferences.

Committed to continuous learning, Jochen holds Microsoft certifications such as MCSD Azure Solutions Architect, MCITP, MCSE/A Office 365/Private Cloud, MCTS, and many other security titles, such as the Certified Information Systems Auditor (CISA). He enjoys spending as much time as possible with his family to get the energy to handle such interesting technologies.

As an active writer and reviewer, Jochen has authored the book Learning Microsoft Windows Server 2012 Dynamic Access Control and the upcoming book Mastering Identity and Access Management with Microsoft Azure, both by Packt Publishing.

He also reviewed the books Windows Server 2012 Unified Remote Access Planning and Deployment by Erez Ben-Ari and Bala Natarajan and the book Windows Server 2012 R2 Administrator Cookbook by Jordan Krause, both by Packt Publishing.

I would like to thank David and Jeff for the chance and opportunity to be a small helper in this project by serving as a technical reviewer.

Tomica Kaniski has been active in the IT field for years. He started out as a web designer and web developer, did some Windows development during his college days, and then finally found out his true passion—systems administration on the Microsoft platform. Systems administration, virtualization, deployment, management, consulting, support, and so on; you name it, he has been doing it since 2008 and teaching about it since 2011, when he got his Microsoft Certified Trainer title.

In 2009, Tomica passed his first MCP exam and became a Microsoft Certified Professional. Certification is something that he continued doing throughout the years, and he now has certificates, titles, and knowledge about almost the entire Microsoft product portfolio. In 2010, Tomica was awarded his first Microsoft MVP title (Management Infrastructure), was then switched to Virtualization (Hyper-V), and lately to Cloud and Datacenter Management. He is strongly engaged with communities and is one of the community leads in Croatia.

Nowadays, you can find Tomica presenting at various local and regional conferences, user group meetings, and other events. You can say that he is fully engaged with Microsoft products and technologies (with a strong focus on Windows Server, Hyper-V, System Center, and Azure) and is mostly interested in products that are yet to be released.

In his spare time, he plays bass guitar and also likes to read and travel. He currently works in the telecommunications industry, for VIPnet d.o.o. in Croatia (a Telekom Austria Group/América Móvil company).

Other books on which Tomica has worked include Microsoft System Center Virtual Machine Manager 2012 R2 Cookbook, Edvaldo Alessandro Cardoso, Packt Publishing; Introducing Windows Server 2012, Mitch Tulloch, Microsoft Press; and Windows Server 2012 MOAC courseware from Wiley.

I would like to thank my family for their patience and constant support.

Peter Geelen is the owner of and a managing consultant at Quest For Security. Over the years, he has gathered strong experience in enterprise security and identity and access management, including information protection, cybersecurity, corporate security policies, security hardening, and cloud security.

Committed to continuous learning, Peter holds renowned security certificates such as CCSK, CISSP, CISSP-ISSAP, and CISA. He is also an MCT (Microsoft Certified Trainer), MCSA, MCTS, MCSE:Security, and MCSA:Security. Also, he is ITIL and PRINCE2 foundation certified.

Since 2005, Peter's technical focus is Microsoft identity and access solutions: MIIS, ILM, FIM 2010, MIM 2016, and related platforms such as PKI, UAG, ADFS, single sign-on, and security solutions. You can find a more detailed overview of Peter's career on his LinkedIn profile at http://be.linkedin.com/in/pgeelen.

Peter strives to spend time helping the Microsoft community both online and offline through the following:

  • Taking care of governance and the administration of TechNet Wiki (http://aka.ms/wiki)
  • TechNet Wiki Blog (http://aka.ms/wikiblog)
  • Publishing articles and white papers at TN Wiki and TN Gallery (http://aka.ms/pgpage)
  • Being the community lead of the Belgian Microsoft Security User group, which he founded (http://www.winsec.be)

You can find his personal blog at http://blog.identityunderground.be.

Peter has also reviewed all published FIM books and videos:

  • FIM Best Practices Volume 1: Introduction, Architecture And Installation Of Forefront Identity Manager 2010, David Lundell (http://aka.ms/fim2010r2bestpracticesbook)
  • Microsoft Forefront Identity Manager 2010 R2 Handbook, Kent Nordström, Packt Publishing (http://aka.ms/fim2010r2handbook)
  • Enterprise Identity Management with Microsoft Forefront Identity Management [Video], Kent Nordström, Packt Publishing (http://aka.ms/fimvideolearning)

Brandon James is a support escalation engineer who works with troubleshooting, debugging, and implementing identity management solutions using Forefront Identity Manager and Microsoft Identity Manager. Working with many enterprise customers, he has worked on various on-premises and cloud solutions. He holds a bachelor's degree in computer engineering and a master's degree in computer science.

Jeff Stokes is an old-hand IT pro based in the Southeast United States. He has worked as a reviewer on books such as MCSA 2012 R2 Study Guide, William Panek, Wiley, and Optimizing and Troubleshooting Hyper-V Networking, Mitch Tulloch, Microsoft Press. He also coauthored Mastering the Microsoft Deployment Toolkit, with Manuel Singer, published by Packt Publishing. He is currently a content developer for Microsoft, covering Azure big data solutions.

I'd like to thank my family for the love and routine care and feeding that allows me to focus on technology while still staying sane.

Arik Noyman grew up in Tel Aviv, Israel, and completed his bachelor's degree in computer science with honors at The Academic College of Tel Aviv. Later, he went on to obtain an MBA from Tel Aviv University.

In parallel, Arik imparted his knowledge as a lecturer at Tel Aviv University and at The Academic College of Tel Aviv, while also working at SAP as a senior team leader in charge of the SAP e-commerce solutions for SMEs. He was honored thrice for his tremendous achievements at SAP.

Later on, Arik moved to Microsoft, where he currently works as a senior lead. At Microsoft, he leads the R&D of the new Microsoft Identity Manager 2016. Currently, he leads the cyber security effort to protect Azure resources.

www.PacktPub.com

eBooks, discount offers, and more

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print, and bookmark content
  • On demand and accessible via a web browser

Instant updates on new Packt books

Get notified! Find out when new books are published by following @PacktEnterprise on Twitter or the Packt Enterprise Facebook page.

Preface

Microsoft Identity Manager 2016 (MIM 2016) is a tool that helps you manage identities and automate identity-related business processes that reduce operational cost and, done right, improve security.

Microsoft Identity Manager 2016 Handbook is an in-depth guide to identity management. You will learn how to manage users and groups and implement self-service features, troubleshooting, and best practices. You will see how to implement identity management and set up smart card logon for strong administrative accounts within Active Directory. This book also covers certificate management, reporting, and role-based access control using BHOLD. We will also discuss in detail MIM reports to audit the identity management life cycle.

With Microsoft Identity Manager 2016 Handbook, you will be able to implement and manage MIM 2016 almost effortlessly.

The story in this book

Identity management can be thought of as a marriage between business requirements and technology; therefore, implementing and operating MIM 2016 requires technical skill and business acumen. Throughout this book, we will follow a fictional case study, and you will learn to implement all the features of MIM 2016 according to business requirements. You will see how to install a complete MIM 2016 infrastructure, including both test and production environments.

This book aims to guide you through technical aspects and provide some business requirement help too in the form of questions, tips, and common errors. In order to explain MIM 2016 concepts, we have chosen to write this book using a fictitious company as an example.

What this book covers

Chapter 1, Overview of Microsoft Identity Manager 2016, gives an overview of the MIM 2016 product, a history of how the product has evolved, and an overview of each major MIM component: the MIM Synchronization service, MIM Service, the MIM portal, MIM Reporting, certificate management, role-based access management, and privileged access management. Important terminology will also be discussed.

Chapter 2, Installation, covers the prerequisites for installing different components of MIM 2016, how to actually install the components, and a few post-installation steps to get it working.

Chapter 3, MIM Sync Configuration, focuses on the MIM Synchronization service; specifically, topics such as configuring Management Agents, schema management, initial load versus scheduled runs, and moving configurations from the development to the production environment. If you have an environment already set up, this chapter can act as a guide for you to verify that you have not missed any important steps that will cause your MIM environment to not work properly.

Chapter 4, MIM Service Configuration, presents the MIM service capabilities, configuring and customizing the web portal, and developing custom activities.

Chapter 5, User Management, covers how to use the MIM portal to provision accounts without any code, how to manage users, policies, and sets. User management is the primary goal for most MIM deployments.

Chapter 6, Group Management, presents the different group scopes and types in AD and MIM, creating criteria-based groups, and working with client add-ins. Once you have user management in place, it is usually time to start looking at group management, which will be covered in this chapter.

Chapter 7, Role-Based Access Control with BHOLD, shows how you can apply role-based access control and attestation and integrate them with the organization's identity solution. The BHOLD suite provides organizations the ability to define roles and control access based upon those roles.

Chapter 8, Reducing Threats with PAM, demonstrates how to mitigate access escalation and lateral movement risks using privileged access management and its components. MIM helps reduce internal and external threats by working with Active Directory Domain Services to provide a privileged access management interface.

Chapter 9, Password Management, will explore the self-service password reset (SSPR) feature that allows users to reset their own passwords if they have forgotten them. You will learn how password synchronization works and its configuration.

Chapter 10, Overview of Certificate Management, takes you through certificate management and the main components of the CM. We will also uncover the agent accounts and the permission model.

Chapter 11, Installation and the Client Side of Certificate Management, continues from the previous chapter and shows how to install and configure the core components of the certificate management solution. We will look into what is needed to get the baseline installed and configured. We will also look into deploying the Modern App.

Chapter 12, Certificate Management Scenarios, looks at the organizational scenarios while creating the certificate template and linking it to the profile template, which is the final step once the certificate management solution is in place. We will look at implementing cross-forest and ADFS scenarios and glance at some other certificate models.

Chapter 13, Reporting, covers the MIM 2016 out-of-box reporting features, how reporting works, the mechanics under the hood, and customizing and deploying reports. MIM 2016 provides built-in reporting functionality to show how user and group memberships change over time.

Chapter 14, Troubleshooting, demonstrates how to troubleshoot core MIM components by enabling logging, reviewing logs, and using tools.

Chapter 15, Operations and Best Practices, covers how to operate MIM 2016 on a daily basis. You will learn suggested monitoring areas, how to back up and restore the MIM configuration, and coding best practices.

What you need for this book

In this book, we install and configure a complete MIM 2016 environment. All the installations and servers in this book use the following operating system:

  • Microsoft Windows Server 2012 R2 Standard Edition
  • .NET Framework 3.5.1

The required software is as follows:

  • Microsoft Identity Manager 2016
  • Microsoft SQL Server 2014
  • Microsoft Visual Studio 2013
  • Microsoft SharePoint Foundation 2013
  • Microsoft System Center Service Manager 2010

Apart from the software required to get MIM 2016 up and running, Microsoft Exchange 2013 is also used or referred to in the book.

Who this book is for

This book is for architects, developers, and operational staff who want to deploy, manage, and operate Microsoft Identity Manager 2016 and for technical decision makers who want to improve their Microsoft Identity Manager 2016 knowledge. Readers should have a basic understanding of Microsoft-based infrastructure using Active Directory. Identity management beginners and experts will be able to apply the examples and scenarios to solve real-world business problems.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "This is done by modifying the web.config file."

A block of code is set as follows:

<%@ Page Language="C#" %>
<script runat="server">
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.Redirect("~/IdentityManagement/default.aspx");
    }
</script>

Any command-line input or output is written as follows:

SETSPN -S http/MIMService svc-mimservice

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "We should make it a habit to right-click and select Run as administrator."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail <[email protected]>, and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/MicrosoftIdentityManager2016Handbook_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at <[email protected]>, and we will do our best to address the problem.

Chapter 1. Overview of Microsoft Identity Manager 2016

Microsoft Identity Manager 2016 (MIM 2016) is not one product but a family of products working together to mitigate challenges regarding identity management. In this chapter, we will discuss the MIM family and provide a brief overview of the major components available. The following diagram shows a high-level overview of the MIM family and the components relevant to an MIM 2016 implementation:

Within the MIM family, there are some parts that can live by themselves and others that depend on other parts. To fully utilize the power of MIM 2016, you should have all the parts in place, if possible. At the center, we have MIM Service and MIM Synchronization Service (MIM Sync). The key to a successful implementation of MIM 2016 is to understand how these two components work—by themselves as well as together.

The Financial Company

The name of our fictitious company is The Financial Company. The Financial Company is neither small nor big. We will not give you any indication of the size of this company because we do not want you to take our example setup as being optimized for a company of a particular size, although we will provide some rough sizing guidelines later.

As with many other companies, The Financial Company tries to keep up with modern techniques within their IT infrastructure and is greatly concerned with unauthorized security issues. They are a big fan of Microsoft and live by the following principle:

If Microsoft has a product that can do it, let's try that one first.

The concept of cloud computing is still somewhat fuzzy to them, and they do not yet know how or when they will be using it. They do understand that in the near future, this technology will be an important factor for them, so they have decided that for every new system or function that needs to be implemented, they will take cloud computing into account.

The challenges

During a recent inventory of the systems and functions that their IT department supported, a number of challenges were found. We will now have a look at some of the identity management (IdM)-related challenges that were uncovered.

Provisioning of users

The Financial Company discovered that a new employee or contractor may wait up to a week before accounts are provisioned in the various required systems and the correct access is granted for each person to do his/her job. The Financial Company would like account provisioning and proper access granted within a few hours.

The identity life cycle procedures

A number of identity life cycle management issues were found.

Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or after they changed their job. The termination and disabling of identities was also sometimes missed. A security review found active accounts of users who had left the company more than six months ago.

The security review found one HR consultant who had left The Financial Company months ago and still had VPN access and an active administrative HR account. The access should have been disabled when the project was completed and the consultant's contract had ended.

The Financial Company would like a way of defining identity management policies and a tool that detects anomalies and enforces their business policies. The Financial Company would like business policy enforcement to take no more than a few hours.

Highly privileged accounts (HPA)

The Financial Company has been successful in reducing the number of powerful administrative accounts over the last few years; however, a few still exist. There are also other highly privileged accounts and a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.

Public key infrastructure (PKI) within The Financial Company is a one-layer PKI, using an Enterprise Root CA without a hardware security module (HSM). The CSO is concerned that it is not sufficient to start using smart cards because he feels the assurance level of the PKI is not high enough.

Password management

The helpdesk at The Financial Company spends a lot of time helping users who have forgotten their password. Password resets are done for internal users as well as partners with access to shared systems.

Traceability

The Financial Company found that they had no processes or tools in place to trace the status of identities and roles historically. They wanted to be able to answer questions such as:

• Who was a member of the Domain Admins group in April?
• When was John's account disabled, and who approved it?

The environment

The following diagram gives you an overview of the relevant parts of the current infrastructure within The Financial Company:

The diagram does not represent any scaling scenarios but rather shows the different functions we will be using in this book.

In the following table, you will find a short summary of the systems involved:

| System | Usage | Products installed/to be installed |
| --- | --- | --- |
| DC | This is the domain controller for the Active Directory domain thefinancialcompany.net. | The AD DS and DNS roles need to be installed. |
| CA | This is the Enterprise Root CA. The Financial Company uses only a one-layer PKI without any HSM. | AD CS, including the Web Enrollment role, needs to be installed. |
| SQL | The central Microsoft SQL server is used by many systems. Among these systems are the HR and Phone systems. | SQL Server 2014, including Integration Services, needs to be installed. |
| TFCEX01/02 | This is the e-mail system. | Exchange 2013 needs to be installed. |
| TFCMIM02 | This is the test and development server for MIM. | SQL Server 2014 and Visual Studio 2013, along with MIM Sync, Service, and Portal, need to be installed. |
| TFCSYNC01/0 | This is the MIM Synchronization server. | MIM Synchronization Service needs to be installed. |
| TFCMIM01 | This is the MIM Web Service and Portal server. | MIM Service and MIM Portal need to be installed. |
| TFCCM01 | This is the MIM Certificate Management server. | MIM CM Service and Portal need to be installed. |
| TFCSSPR01 | This is the MIM Password Registration and Reset server. | MIM Password Registration and Reset need to be installed. |
| TFCSCSM-MGMT01 | This is the SCSM Management server used by MIM Reporting. | SQL Server 2014 and System Center Service Manager need to be installed. |
| TFCSCSM-DW01 | This is the SCSM Data Warehouse server used by MIM Reporting. | SQL Server 2014 and System Center Service Manager need to be installed. |

All systems have Microsoft Windows Server 2012 R2 as the operating system.

The products installed or to be installed show the status of the systems when we start our journey in this book. Details about the features and products already installed will be explained in Chapter 2, Installation.

The Active Directory domain within The Financial Company is thefinancialcompany.net, which uses TFC as the NetBIOS name. The public domain used by The Financial Company is thefinancialcompany.net; this is also the primary e-mail domain used.

Moving forward

The CIO, CSO, and CTO of The Financial Company found that the solutions explained to them by the identity management company would indeed help mitigate the challenges they were facing. They decided to implement MIM 2016.

In this book, we will follow The Financial Company as it implements MIM 2016. We will take a look at how the different features and functions of MIM 2016 will, in the end, solve all the issues that the company detects.

The use of digital identities through smart cards is very new to them, so they decided that this should initially be implemented as a proof of concept.

The history of Microsoft Identity 2016

In 1999, Microsoft bought a company called Zoomit, which had a product called VIA, a directory synchronization product. Microsoft incorporated Zoomit VIA into the product known as Microsoft Metadirectory Services (MMS). MMS was only available as a Microsoft Consulting Services solution.

Microsoft released Microsoft Identity Integration Server (MIIS) in 2003, which was the first publicly available version of the synchronization engine we know today as MIM 2016 Synchronization Service.

In 2005, Microsoft bought a company called Alacris. Alacris had a product called IdNexus that managed certificates and smart cards, which Microsoft renamed Certificate Lifecycle Manager (CLM).

Microsoft took MIIS (now with Service Pack 2) and CLM and consolidated them into a new product in 2007 called Identity Lifecycle Manager 2007 (ILM 2007). ILM 2007 was a directory synchronization tool with the optional certificate management feature.

In 2010, Microsoft released Forefront Identity Manager 2010 (FIM 2010). FIM 2010 added the FIM Service component, which provides workflow capabilities, self-service capabilities, and a codeless provisioning option to the synchronization engine. Many identity management operations that used to require a lot of coding were suddenly available without a single line of code.

Microsoft announced the acquisition of some of the BHOLD suite in 2011, which is a product that provides identity and access governance functionality. A year later, in 2012, FIM 2010 R2 was released, reporting was added, BHOLD and additional browser support for Password Reset Portal were incorporated, performance was improved, and better troubleshooting capabilities were introduced. Support for Active Directory 2012, SQL Server 2012, and Exchange 2013 was added with FIM 2010 R2 Service Pack 1, which was released in 2013.

Components at a glance

Let's take a look at the major components of MIM in the following table:

| Component | Description | Details |
| --- | --- | --- |
| MIM Synchronization Service, Sync Engine, or MIM Sync | This is the Windows service that handles identity and password synchronization between systems. | This MIM component is required. It uses the SQL database to store its configuration and the configured identity information. |
| MIM Portal | This is the IIS website that can be used for administrative management and user self-service. | It uses a SQL database to store its schema, policies, and identity information. This is required for codeless provisioning. |
| MIM Service | This is the Windows service that provides MIM Portal with web APIs. | It is an optional MIM component. This is required if you want to deploy MIM Portal or the self-service password reset. |
| BHOLD | This is the suite of services and tools that integrates with MIM and enhances its offerings by adding RBAC, attestation, analytics, and role reporting. | This is an optional MIM component. It uses the SQL database and IIS and is a required component if you want RBAC. |
| Reporting | Adds new tables and the SQL agent job to allow SCSM to interact with MIM Service to produce historical reports. | This is an optional MIM component. It uses SQL Server Reporting Services, SCSM, and the Data Warehouse. |

MIM Synchronization Service

MIM Synchronization Service is the oldest member of Microsoft's identity family. Anyone who has worked with MIIS 2003, ILM 2007, FIM 2010, or MIM 2016 will find the MIM synchronization engine very similar. Visually, the management tools look the same. MIM Synchronization Service can work by itself without any other MIM component installed, although not all product features are possible using only MIM Synchronization Service.

MIM Synchronization Service is like a heart that pumps identity data between systems. Identity data could be a new user account, an update to someone's department, an updated member of a group, the modification of a contact, and so on. Synchronization is sometimes referred to as data flowing from one system to another, and this is a good way to think of it.

We will explore the MIM Synchronization Service features and dive deeper into why the MIM Synchronization Service is such a powerful tool when leveraged with the rest of the identity management stack.

MIM Portal and Service

MIM Portal is usually the starting point for administrators who configure the MIM Service because of its SharePoint recognizable web components. MIM Service has its own database, in which it stores information about the identities it manages. MIM Portal is the way to make changes to these identities, which can trigger changes in other connected systems.

MIM Service plays many roles in MIM, and during the design phase, the capabilities of MIM Service are often in focus. MIM Service allows you to enforce the Identity Management policy within your organization and also makes sure you are compliant at all times.

MIM Portal can be used for self-service scenarios, allowing users to manage some aspect of the Identity Management process. For example, the self-service password reset is only possible after you deploy MIM service.

MIM Portal is actually an ASP.NET application using Microsoft SharePoint as a foundation, and can be modified in many ways. MIM Service adds custom activities around the MIM and cloud integration story.

The configuration of MIM Service is usually done using MIM Portal, but it may also be configured using PowerShell or even your own custom interface.

MIM Certificate Management

Certificate Management is an optional MIM component. MIM CM can be, and often is, used by itself without any other parts of MIM being present. It is also the component with the poorest integration with other components.

You will find that it hasn't changed much since its predecessor, Certificate Lifecycle Manager (CLM), was released.

MIM CM is mainly focused on managing smart cards, but it can also be used to manage and trace any type of certificate requests. This also includes machine certificates, but there is a slight limitation when we move to machine certs. FIM CM was developed around the user context.

The basic concept of MIM CM is that a smart card is requested using the MIM CM portal. Information regarding all requests is stored in the MIM CM database.

The certification authority, which handles the issuing of the certificates, is configured to report the status back to the MIM CM database.

The MIM CM portal also contains a workflow engine so that the MIM CM admin can configure features such as e-mail notifications as a part of the policies.

In MIM, we add new features, which include the modern app for Windows. Also, a new REST API will be introduced, which we will explore and configure in conjunction with the modern app with MIM CM.

During the configuration, we'll explore the authentication and authorization settings in more detail. This will enable you to fully understand the permission model around MIM CM that is required.

Role-Based Access Control (RBAC) with BHOLD

BHOLD is one of the newest members of MIM and was introduced in Forefront Identity Manager 2010. The acquisition helped customers implement and overcome compliance issues, IT security issues, operational fantasy, and business agility. One of the benefits of BHOLD is that we can easily define and manage access-based user roles that also regularly ensure that access rates are maintained. Also, the integration between BHOLD and FIM enables users with a self-service access request and approval process.

The BHOLD suite encompasses its own reporting analytics, which is the model generator to define working with roles. We will dive into the attestation engine's core role within BHOLD and deployment scenarios. In all these components, the BHOLD core is required. In the coming chapters, we will discuss and touch upon what all of these available suites do and the capability they bring to your organization.

MIM Reporting

Reporting was brand new to FIM and added the capability to audit users and groups via completed MIM Portal requests. This MIM component provides integrated reporting with System Center Service Manager as the main engine.

The purpose of Reporting is to give you a chance to view historical data. There are some reports already built into MIM 2016, and organizations also have the option to develop their own reports that comply with their Identity Management policies.

In Chapter 13, Reporting, we will discuss how Reporting works, the main components involved, and how you can create custom reports.

Privilege Access Management

Privilege Access Management (PAM) provides the ability to defend against particular vulnerabilities, such as "pass-the-hash", spear-phishing, and other hacking techniques that attempt to gain high privileges across the enterprise. PAM integrates with Active Directory to apply an expiration to group membership. That is to say, the membership of a highly privileged (and organizationally chosen) group is automatically removed by Active Directory after a specified duration. MIM adds self-service request capabilities, allowing users who are granted the permission to request the membership of a group to receive membership for a specified time. The end result is that people no longer need the permanent membership of highly privileged groups.

Licensing

We will put this part in here, not to tell you how MIM 2016 is licensed but rather to tell you that it can be complex. Depending on which parts you are using—and, in some cases, how you are using them—you need to buy different licenses. MIM 2016 will continue to use both Server licenses and Client Access Licenses (CALs).

In almost every MIM project, the licensing cost has been negligible compared to the benefit of implementing it (for example, adding up the operational cost of provisioning a single user or resetting a password while considering typos, the accounts not done on time, or those left active that should have been disabled). There are strong reasons for having identity management in every business, and if you are reading this book, we would expect you to have already come to the conclusion that identity management will save you money. But even so, make sure you contact your Microsoft licensing partner or your Microsoft contact to clear any questions you might have about licensing.

Also, note that at the time of writing this book, Microsoft has stated that you can install and use Microsoft System Center Service Manager for MIM Reporting without having to buy SCSM licenses.

Read more about MIM Licensing at http://aka.ms/MIMLicense.

Summary

The Financial Company will reduce the new employee account provision time by implementing MIM 2016. MIM 2016 will be used to terminate and disable accounts, manage roles, groups, and secure HPA. Empowering end users to perform self-service password resets will reduce helpdesk calls. You now know a little about the company we will be using in this book to explain concepts. We have outlined the bit of the history of how the product evolved and an overview of each component.

As you can see, Microsoft Identity Manager 2016 is not just one product but a family of products. We gave you a short overview of the different components, new and old, and together, we will go through the challenges of The Financial Company and implement some solutions.

For those who have worked with the previous versions of Microsoft Identity Manager 2016, you will see that the platform has not changed much other than a few additional features and platform-supported items. Still, we will explore the components that have been around for years and provide information you may have missed.

In the next chapter, we will look at how to install and configure some of the MIM components. We will then dig into the component details. In some areas, we will go deeper than others because we feel there is a lack of good material on the topic. There is a lot of material to cover, and at one point, we needed to make a judgment call on what would help the largest amount of people while keeping the book at a reasonable size.

Chapter 2. Installation

As we have already discussed, Microsoft Forefront Identity Manager 2016 (MIM 2016) is not one product but a family of products.

This also means that there are many different ways of installing the product, depending on what parts you want and how you would like to separate them on different systems.

We can choose to separate the different components based on the load or just because we like it clean.

As an example, we will look at the setup used by The Financial Company. They are doing a split installation for the configuration to include sync and service on separate physical nodes.

In this chapter, we will look at the following topics:

• Prerequisites for installing different components of MIM 2016
• How to actually install the components
• A few post-installation steps to get it working

Capacity planning

At the Microsoft download center, you can download the Forefront Identity Manager Capacity Planning Guide (http://bit.ly/MIMCapacityPlanning). We will not dig deep into capacity planning in this book, but make sure your setup is done in a way that allows you to easily make your MIM environment expand to cope with future needs.

If you look at the following table, you'll see that capacity planning is not easy because there is no straight answer to the problem. When we have 10,000 users, how should we plan our MIM environment? There are many parameters to look at:

| Design factor | Considerations |
| --- | --- |
| Topology | This is the distribution of MIM services among computers on the network. |
| Hardware | This is the physical hardware and any virtualized hardware specifications that you are running for each MIM component. It includes CPU, memory, network adapter, and hard drive configurations. |
| MIM policy configuration objects | This is the number and type of MIM policy configuration objects, which includes sets, Management Policy Rules (MPRs), and workflows—for example, how many workflows are triggered for operations, how many set definitions exist, and what the relative complexity of each is. |
| Scale | This is the number of users, groups, calculated groups, and custom object types, such as computers, to be managed by MIM. Also, consider the complexity of dynamic groups, and be sure to factor in group nesting. |
| Load | This is the frequency of the anticipated use—for example, the number of times you expect new groups or users to be created, the passwords to be reset, or the portal to be visited in a given time period. Note that the load may vary during the course of an hour, day, week, or year. Depending on the component, you may have to design for peak or average load. |

The fact that the MIM 2015 release includes a number of performance improvements also makes it harder to find relevant facts, as so far most performance testing has been done on earlier releases.

We would like to point out one fact, though. In the earlier versions of MIM, FIM, MIIS, and ILM, there were huge performance gains by colocating the synchronization service database with the synchronization service itself. In modern 10-Gigabit networks, and with the changes in the design of MIM, this is no longer the case. Also, as centralized database servers tend to have better CPU and disk performance, you could even gain performance today by having the database and the service separated.

Note

When looking at the overall performance in MIM, databases are the components to focus on!

Separating roles

If we look at all the MIM features we are about to install, we need to understand that in theory, we might be able to put them all in one box; however, this is not practical, and in some cases, it is not even supported by Microsoft.

The example setup we will use in this book for The Financial Company can be used as a starting point.

Databases

As you will see, you need quite a few databases. Depending on the load and other factors, you can choose to install the databases locally on each box hosting a MIM feature, or choose to have them all on a central Microsoft SQL server. Alternatively, you can even mix the two approaches.

If you find that your initial approach was not optimal, don't be alarmed. Moving the databases is fully supported. In this book, we will use so-called SQL aliases when referencing the databases. One reason for this is that it makes moving the databases simpler.
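An added example (not the book's own code) of the SQL client alias mechanism referred to above: it writes one alias into both the 64-bit and 32-bit client hives, since a 64-bit service and a 32-bit setup tool each read their own, and lists all aliases so that a stale or unexpected target can be spotted. The alias name MIMSQL, the server name, and the port are assumed values.

```powershell
# Added example: manage SQL Server client aliases under HKLM (run elevated).
# Alias name, server FQDN and port below are assumed, not from the book.

# Aliases are stored per client architecture, so both hives are maintained.
$AliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',             # 64-bit clients
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'  # 32-bit clients
)

function Set-MimSqlAlias {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AliasName,   # assumed: MIMSQL
        [Parameter(Mandatory)] [string] $ServerFqdn,  # assumed: tfcsql01.thefinancialcompany.net
        [int] $Port = 1433
    )
    # DBMSSOCN selects TCP/IP; a fixed port removes the dependency on SQL Browser (UDP 1434).
    $target = "DBMSSOCN,$ServerFqdn,$Port"
    foreach ($key in $AliasKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $AliasName -Value $target -PropertyType String -Force | Out-Null
    }
    $target
}

function Get-MimSqlAlias {
    # Lists every alias found in either hive. Consistent is $false when the alias
    # is missing from one hive or the two hives point at different targets, which
    # explains "works for the service, fails for the setup tool" situations and
    # flags an alias target that nobody remembers configuring.
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $byName = @{}
    foreach ($key in $AliasKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            if (-not $byName.ContainsKey($p.Name)) { $byName[$p.Name] = @{} }
            $byName[$p.Name][$key] = [string]$p.Value
        }
    }
    foreach ($name in $byName.Keys) {
        $targets = @($byName[$name].Values | Sort-Object -Unique)
        [pscustomobject]@{
            Alias      = $name
            Targets    = ($targets -join ' | ')
            Consistent = ($targets.Count -eq 1 -and $byName[$name].Count -eq $AliasKeys.Count)
        }
    }
}

# Usage (assumed values): point MIMSQL at the central SQL server, then audit.
Set-MimSqlAlias -AliasName 'MIMSQL' -ServerFqdn 'tfcsql01.thefinancialcompany.net'
Get-MimSqlAlias | Format-Table -AutoSize
```

Moving a database later is then a matter of re-running Set-MimSqlAlias with the new server name rather than editing each MIM component's connection settings.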

System Center Service Manager Data Warehouse, required by the MIM Reporting feature, usually uses a separate SQL server or instance.

MIM features

As with the databases, the MIM features can also be colocated or separated. The only issue here is that MIM Certificate Management should not be colocated with other parts of MIM. The main reason for this is that the MIM CM setup and configuration tool thinks it owns its local web server (IIS). If you have other MIM features using IIS in the same box, you will get a conflict.

Also, System Center Service Manager used for Reporting requires separate servers. Read more about this at http://aka.ms/SCSM2010Deployment.

If we were to give you all the possible scenarios for the ways you could separate the MIM features in order to get fault tolerance, performance, and so on, we would have to add some 50 pages just to cover this topic. We suggest you take a good look at the Microsoft TechNet site (http://bit.ly/MIMplanning) to find out how your company should separate or colocate different parts.

In this book, The Financial Company will use a design that can easily be expanded if the need arises. If you find that your company requires much better performance or that you need to only use a part of the product or colocate more services, this book will still be valid when it comes to the requirements and setup procedures.

Hardware

Whether to virtualize or not is the question for many companies today. All components of MIM 2015 can be virtualized. If you have chosen to virtualize your SQL servers, a starting point for the discussion on virtualization is available at http://aka.ms/VirtualizationBestPractices.

Installation order

The MIM CM components can be installed regardless of other MIM pieces.

If you have an existing SCSM environment, the SCSM servers might already be in place, but may still need some updates to support MIM 2016R2 Reporting.

The following SCSM servers need to be installed before we install the MIM Reporting feature, as the MIM service uses the client to communicate with the SCSM server:

• SCSM Management (if the MIM Reporting feature is to be used)
• SCSM Data Warehouse (if the MIM Reporting feature is to be used)

MIM components also have some dependencies that make it logical to install them in a certain order. They should be installed in the following order:

• MIM Synchronization Service
• MIM Service
• MIM Portals
• MIM Reporting

If you have a configuration similar to that of The Financial Company, the order of installation could be to start off with the test/development environment. We will use the domain : server name : feature-to-install syntax in the following installation lists. For complete server names, refer to the server names used in Chapter 1, Overview of Microsoft Identity Manager 2016.

We will then move on to installing the production environment in the following order:

• TFCSCSM-MGMT01: SCSM Management
• TFCSCSM-DW01: SCSM Data Warehouse
• TFCSYNC01: MIM Synchronization Service
• TFCMIM01 & 02: MIM Service, MIM Portal, and MIM Reporting
• TFCSSPR01: MIM Password Registration and Reset Portals

MIM CM can be installed at any point, but it also has two components that we usually install in the following order as there are dependencies within MIM CM, as well:

• TFCCM01 & 02: MIM Certificate Management
• TFCMIMCA: MIM CM CA Files

Prerequisites

Before we can start installing any components, there are a number of prerequisites that we need to make sure we have in place.

The main reason for errors in MIM is mistakes made during this phase of the installation. Sometimes, it is hard to backtrack the errors, especially if you get Kerberos authentication errors.

Databases

The Company will have several servers running Microsoft SQL Server. The server names in the following list refer to the server names used in Chapter 1, Overview of Microsoft Identity Manager 2016:

• TFCSQL01: This is the central SQL server holding all production databases. This will be used by the MIM Sync, MIM Service, and MIM CM servers. This is also where SQL-based CDSes such as the HR system will be found.
• TFCSCSM-MGMT01: This SQL server will be used by SCSM for management. The Financial Company does not have existing SCSM infrastructure and is implementing this for MIM reporting purposes only.
• TFCSCSM-DW01: This SQL server will be used by SCSM for data warehousing and reporting. The Financial Company does not have existing SCSM infrastructure and is implementing this for MIM reporting purposes only.

All instances of SQL Server run the SQL Server 2014 release, except System Center as it requires SQL 2012. This can be upgraded to 2014 once System Center is installed as this is the only supported way at the time of writing this book. A list of supported platforms and useful information can be found at http://bit.ly/MIMSupportedplat. If you're looking for Forefront Identity Manager to see the differences, then this can be found at http://bit.ly/FIMSupportedplat.

The technical requirements for the SQL servers are that they must have at least SQL Server 2008 R2 (64-bit version) installed.

There are many resources on how to install SQL Server, but we have added our own guide here because we would like to point out some things specific to MIM 2015.

Collation and languages

In this book, we will not go into the different SQL Server collation settings to support different languages in MIM 2016 or in System Center Service Manager 2012 or later. Read more about the MIM 2016 language packs at http://aka.ms/FIMLanguagePacks.

For more information on SQL Server collations, take a look at http://aka.ms/SQLCollations. SCSM has its own collation problems, which are described at http://aka.ms/SCSMCollations.

We will go over some of these items during the reporting and integration chapters later in the book.

If you need support for other languages, read the information in the previous links. The TechNet site (http://bit.ly/MIMbefore) provides the following information, which can also serve as guidance:

"Work with your SQL Server database administrator (DBA) to determine the correct collation setting to use for your MIM Service database. The collation setting determines the sorting order and how indexing works.

The default collation set during installation is SQL_LATIN1_General_CP1_CI_AS.

If the server running Windows is using a character set that is different from the Latin alphabet, then you might consider a different collation.

Ensure that the selected collation is case insensitive (indicated by _CI_).

If you change the collation setting, ensure that the collation setting is the same on the MIM Service database and on the system databases master and tempdb.

If you install the MIM Service and later decide to change the collation setting, you must manually change the collation setting on every table in the MIM Service database."

So far, we have only worked with customers using the Latin alphabet and therefore start with the collation SQL_LATIN1_General_CP1_CI_AS.

Since not all components of MIM 2015 support the same set of languages, you need to determine which user interfaces in your organization require other languages and whether the MIM features you intend to use support them.
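The collation rules quoted above are easy to get wrong and painful to fix later, so it is worth verifying them before the MIM Service is installed and again after any collation change. The following T-SQL is an added example and not code from the book; it assumes the MIM Service database is named FIMService (the installer's default) and that you run it on the SQL server holding that database.

```sql
-- Added example (not from the book): check the MIM Service collation prerequisites.
-- Assumption: the MIM Service database is called FIMService; change @MimDb if yours differs.
DECLARE @MimDb sysname = N'FIMService';

-- 1. Show the server default plus master, tempdb and the MIM Service database side by side.
SELECT N'<server default>' AS [object],
       CONVERT(sysname, SERVERPROPERTY('Collation')) AS collation_name
UNION ALL
SELECT name, CONVERT(sysname, DATABASEPROPERTYEX(name, 'Collation'))
FROM sys.databases
WHERE name IN (N'master', N'tempdb', @MimDb);

-- 2. One-row verdict: the three databases must share one collation and it must be
--    case insensitive ("_CI_" in the name; the underscores are escaped for LIKE).
SELECT CASE WHEN COUNT(DISTINCT CONVERT(sysname, DATABASEPROPERTYEX(name, 'Collation'))) = 1
            THEN 'OK: master, tempdb and MIM Service collations match'
            ELSE 'WARNING: collation mismatch between master, tempdb and MIM Service' END AS match_check,
       CASE WHEN MIN(CASE WHEN CONVERT(sysname, DATABASEPROPERTYEX(name, 'Collation'))
                               LIKE '%[_]CI[_]%' THEN 1 ELSE 0 END) = 1
            THEN 'OK: all collations are case insensitive'
            ELSE 'WARNING: a case-sensitive collation is in use' END AS case_check
FROM sys.databases
WHERE name IN (N'master', N'tempdb', @MimDb);

-- 3. After a collation change, the quoted note says every table must be updated by hand.
--    List the columns in the MIM Service database still using a collation other than the
--    database default, so nothing is missed. Built dynamically because the database name
--    is a variable; QUOTENAME guards the identifier and the string literal.
DECLARE @Sql nvarchar(max) = N'
SELECT s.name + N''.'' + t.name AS table_name, c.name AS column_name, c.collation_name
FROM ' + QUOTENAME(@MimDb) + N'.sys.columns AS c
JOIN ' + QUOTENAME(@MimDb) + N'.sys.tables  AS t ON t.object_id = c.object_id
JOIN ' + QUOTENAME(@MimDb) + N'.sys.schemas AS s ON s.schema_id = t.schema_id
WHERE c.collation_name IS NOT NULL
  AND c.collation_name <> CONVERT(sysname, DATABASEPROPERTYEX('
      + QUOTENAME(@MimDb, '''') + N', ''Collation''))
ORDER BY table_name, column_name;';
EXEC sys.sp_executesql @Sql;
```

Query 3 returns no rows on a healthy installation; any row it does return names a column that would otherwise cause collation-conflict errors when the MIM Service joins it against tempdb objects.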

SQL aliases

It is