Microsoft Forefront Identity Manager 2010 R2 Handbook.
Title:
Microsoft Forefront Identity Manager 2010 R2 Handbook.
Author:
Nordström, Kent.
ISBN:
9781849685375
Edition:
1st ed.
Physical Description:
1 online resource (481 pages)
Contents:
Microsoft Forefront Identity Manager 2010 R2 Handbook -- Table of Contents -- Microsoft Forefront Identity Manager 2010 R2 Handbook -- Credits -- About the Author -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers and more -- Why Subscribe? -- Free Access for Packt account holders -- Instant Updates on New Packt Books -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Downloading the example code -- Errata -- Piracy -- Questions -- 1. The Story in this Book -- The Company -- The challenges -- Provisioning of users -- Identity lifecycle procedures -- Highly Privileged Accounts (HPA) -- Password management -- Traceability -- The solutions -- Implement FIM 2010 R2 -- Start using smart cards -- Implement federation -- The environment -- Moving forward -- Summary -- 2. Overview of FIM 2010 R2 -- The history of FIM 2010 R2 -- FIM Synchronization Service (FIM Sync) -- Management Agents -- Non-declarative vs. declarative synchronization -- Password synchronization -- FIM Service Management Agent -- FIM Service -- Request pipeline -- FIM Service Management Agent -- Management Policy Rules (MPRs) -- FIM Portal -- Self Service Password Reset (SSPR) -- FIM Reporting -- FIM Certificate Management (FIM CM) -- Certificate Management portal -- Licensing -- Summary -- 3. Installation -- Development versus production -- Capacity planning -- Separating roles -- Databases -- FIM features -- Hardware -- Installation order -- Prerequisites -- Databases -- Collation and languages -- SQL aliases -- FIM-Dev -- SQL -- SCSM -- Web servers -- FIM Portal -- FIM Password Reset -- FIM Certificate Management -- Service accounts -- Kerberos configuration -- SETSPN -- Delegation -- System Center Service Manager Console -- Installation.

FIM Synchronization Service -- FIM Service and FIM Portal -- FIM Password Reset portal -- FIM Certificate Management -- SCSM management -- SCSM Data Warehouse -- Post-installation configuration -- Granting FIM Service access to FIM Sync -- Securing the FIM Service mailbox -- Disabling indexing in SharePoint -- Redirecting to IdentityManagement -- Enforcing Kerberos -- Editing binding in IIS for FIM Password sites -- Registering SCSM Manager in Data Warehouse -- FIM post-install scripts for Data Warehouse -- Summary -- 4. Basic Configuration -- Creating Management Agents -- Active Directory -- Least privileged -- Directory replication -- Password reset -- Creating AD MA -- HR (SQL Server) -- Creating SQL MA -- Run profiles -- Single or Multi step -- Schema management -- FIM Sync versus FIM Service schema -- Object deletion in MV -- Modifying FIM Service schema -- FIM Service MA -- Creating the FIM Service MA -- Creating run profiles -- First import -- Filtering accounts -- Initial load versus scheduled runs -- Moving configuration from development to production -- Maintenance mode for production -- Disabling maintenance mode -- Exporting FIM Synchronization Service settings -- Exporting FIM Service settings -- Exporting the FIM Service schema -- Exporting the FIM Service policy -- Generating the difference files -- Generating the schema difference -- Generating the policy difference -- Importing to production -- Importing custom code -- Importing the Service schema difference -- Importing the Synchronization Service settings -- Importing the FIM Service policy -- PowerShell scripts -- Summary -- 5. User Management -- Modifying MPRs for user management -- Configuring sets for user management -- Inbound synchronization rules -- Outbound synchronization rules -- Outbound synchronization policy -- Outbound system scoping filter -- Detected rule entry.

Provisioning -- Non-declarative provisioning -- Managing users in a phone system -- Managing users in Active Directory -- userAccountControl -- Provision users to Active Directory -- Synchronization rule -- Set -- Workflow -- MPR -- Inbound synchronization from AD -- Temporal Sets -- Self-service using the FIM portal -- Managers can see direct reports -- Users can manage their own attributes -- Managing Exchange -- Exchange 2007 -- Exchange 2010 -- Synchronization rule for Exchange -- Mailbox users -- Mail-enabled users -- Summary -- 6. Group Management -- Group scope and types -- Active Directory -- FIM -- Type -- Scope -- Member Selection -- Manual -- Manager-based -- Criteria-based -- Installing client add-ins -- Add-ins and extensions -- Modifying MPRs for group management -- Creating and managing distribution groups -- Importing groups from HR -- FIM Service and Metaverse -- Managing groups in AD -- Security groups -- Distribution groups -- Synchronization rule -- Set -- Workflow -- MPR -- Summary -- 7. Self-service Password Reset -- Anonymous request -- QA versus OTP -- Enabling password management in AD -- Allowing FIM Service to set passwords -- Configuring FIM Service -- Security context -- Password Reset Users Set -- Password Reset AuthN workflow -- Configuring the QA gate -- The OTP gate -- Require re-registration -- SSPR MPRs -- The user experience -- Summary -- 8. Using FIM to Manage Office 365 and Other Cloud Identities -- Overview of Office 365 -- DirSync -- Federation -- PowerShell or Custom MA -- Using UAG and FIM to get OTP for Office 365 -- Summary -- 9. Reporting -- Verifying the SCSM setup -- Synchronizing data from FIM to SCSM -- Default reports -- The SCSM ETL process -- Looking at reports -- Allowing users to read reports -- Modifying the reports -- Summary -- 10. FIM Portal Customization -- Components of the UI.

Portal Configuration -- Navigation Bar Resource -- Search scopes -- Usage Keyword -- Search Definition -- Results -- Creating your own search scope -- Filter Permissions -- RCDC -- Summary -- 11. Customizing Data Transformations -- Our options -- PowerShell -- Classic rules extensions -- SSIS -- Workflow activities -- Extensible Connectivity Management Agent -- Managing Lync -- Provision Lync Users -- Managing multivalued attributes -- Selective deprovisioning -- The case with the strange roles -- Summary -- 12. Issuing Smart Cards -- Our scenario -- Assurance level -- Extending the schema -- The configuration wizard -- Create service accounts -- Create certificate templates for FIM CM service accounts -- FIM CM User Agent certificate template -- FIM CM Enrollment Agent certificate template -- FIM CM Key Recovery Agent certificate template -- Enable the templates -- Require SSL on the CM portal -- Kerberos again! -- Install SQL Client Tools Connectivity -- Run the wizard -- Backup certificates -- Rerunning the wizard -- The accounts -- The database -- Configuring the FIM CM Update Service -- Database permissions -- Configuring the CA -- Installing FIM CM CA files -- Configuring Policy Module -- Installing the FIM CM client -- FIM CM permissions -- Service Connection Point -- Users and groups -- Certificate Template -- Profile Template object -- Profile Template settings -- Allowing managers to issue certificates for consultants -- Creating a Profile Template for consultant Smart Cards -- Configuring permissions for consultant Smart Cards -- John enrolls a Smart Card -- RDP using Smart Cards -- CM Management Agent -- Summary -- 13. Troubleshooting -- Reminder -- Troubleshooting -- Kerberos -- Connected Data Sources -- FIM Sync -- FIM Service -- Request errors -- Sync errors -- Reporting -- FIM CM -- Agent certificates -- CA -- FIM clients.

Backup and restore -- FIM Sync -- FIM Service and Portal -- FIM CM -- Source code -- Summary -- A. Afterword -- Index.
Abstract:
A complete handbook on FIM 2010 R2 covering both Identity and Certificate Management.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.