
SSL v TLS with EntraID Sync and MIM's Generic LDAP Connector

Everyone knows that SSL is vulnerable and we should therefore use TLS. What isn’t well understood is the options presented for Binding (authentication) when using the Generic LDAP Connector with AADConnect or the Generic LDAP ECMA 2.x connector with MIM.

We are presented 5 options:

  • Anonymous
  • Basic
  • Kerberos
  • SSL
  • TLS

Generic LDAP Authentication Options

When we tested, we could get the SSL option to work over port 636, and we could get the TLS option to work on port 389, but we couldn’t get the TLS option to work over port 636. Using a protocol analyzer we confirmed that both ways were using TLS 1.2.


What does MIM's StoreChk.exe do?

I watched through SQL Profiler to better understand what these checks do, and I found an error with check #10. It says it is “Checking Lineage Guid table for MV objects with invalid MV object ids,” but the SQL query it issues is the same as the query for check #9, “Checking Lineage Date table for MV objects with invalid MV object ids.” It queries the Lineage Date table instead of the Lineage GUID table as it claims.


MIM StoreChk.exe Assumes SQL is Local

On occasion you (usually with the help of PSS – Product Support Services) may need to verify the integrity of the MIM Synchronization Service database. To do this you can use the Store Check tool, StoreChk.exe, located in the bin folder under the root of your MIM Synchronization install.

While the StoreChk tool does read the registry to find the name of the database (almost always FIMSynchronizationService), it does not read the Server or Instance name registry values in the Parameters key. Instead it assumes by default that the SQL Server is co-located on the same machine as MIM Sync.


SQL Always On Availability Groups for MIM

Image from: https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-overview

Edited July 2 2022 after reviewing my Facebook discussion with Eugene Sergeev on Microsoft’s product team.

MIM 2016 SP2 (4.4.1459.0 or later) supports SQL Server Always On Availability Groups (AG)! Yeah!

Ok let’s implement it!

But wait! It won’t give us all we hope for!

  • Up to the moment distributed backup of the data – yes!
  • Automatic instant failover – not without a huge caveat!

What do you mean it won’t give us Automatic Instant Failover?


Wanted: Up and coming Cyber Security Professionals

Cyber Security – Identity Management Implementer

Secure your identities against the dangers of the Cyber World, automate the repetitive, and empower your users!

Let’s

  1. Shut the front door on the most obvious vector for cyber-attacks
  2. Reduce the IT department’s compliance burden (SOX, HIPAA, FERPA, GLBA, ISO, etc.)
  3. Free IT people to do tasks that require more brain power

By

  1. Automating the drone-like work of managing user identities
  2. Disabling accounts of terminated users

MIM Portal Groups whose displayedOwner isn't among the Owners

In the MIM Portal, a group whose displayedOwner isn’t among the objects in the multivalued reference attribute Owner will cause issues. Querying for this through XPath is just about impossible, so here is the SQL query to do it.

SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
GO
USE FIMService
GO
SELECT DOwn.*
FROM (
    SELECT groupObjID = G.[objectID]
         , GroupDisplayName = GAOVS.ValueString
         , userDisplayName = UAOVS.ValueString
         , UserObjID = U.[objectid]


Latency vs the Cloud

“The cloud is so fast! We can spin up servers and services so quickly to extend our environment and then all the users across the globe can access these services, so why does it take so long for you to get our users into the cloud?”

(Latency) x (# of Round Trips)

Most cloud Identity Management APIs are built so that consumers must retrieve or load the data one object at a time. This means one round trip per object. Naturally, a data set in the cloud tends to be farther away than two servers in the same data center are from each other. So the one-object-at-a-time paradigm that worked ok in the data center works fine in the cloud for very small sets of objects. Once you start loading even moderately sized data sets, the additional latency shows up quite harshly. More bandwidth won’t solve the problem, because the cost is latency multiplied by the number of round trips.


MIM Open Source Schedulers

Your MIM installation is in, the config is done, the programming is all set, and now it is time to automate the running of the Management Agents.

Options? Most people use Windows Task Scheduler with a PowerShell script or VBScript, which works but can get cumbersome to maintain. With my SQL Server background, I often use SQL Server Agent Jobs because they offer much better follow-up and can execute database commands directly.

MIM Open Source Schedulers - Comments


Andas - Apr 0, 2019

A friend has pointed out that my run script was mentioned in your blog.
I have a new version that I have used for some time but had not updated on GitHub; I have done so now.
The new version has some nice additional functions, so you may script disconnects and previews.


How to Be an MVP in Life -- Launching Nov 27th

We are launching my new book, “How to Be an MVP in Life: Lessons in Living and Leadership from Sports & Tech MVPs,” on November 27th. It is available now for pre-order at Amazon.

Featuring an interview with the 2016 World Series MVP, Ben Zobrist, stories about 2-time Pro-Sports MVPs: Steve Nash, Dale Murphy, Steve Young and Sid the Kid Crosby, as well as interviews with 18 Microsoft MVPs.
