Blog

Hints of FIM's Future: Azure Active Directory (AAD) Sync

For years I have been trying to predict the future of Identity Management, but every time I look in my crystal ball it is just too cloudy to see anything. In fact anytime I look in my crystal ball on just about any technology topic the only thing it shows me are clouds! I was beginning to think it was broken. But then, yesterday, I watched Andreas Kjellman present at the FIM user group

Continue reading

Good RID(ance, I mean issuance)

A SID is variable length: a revision byte, a sub-authority count byte, a 6-byte identifier authority and then up to fifteen 4-byte sub-authorities, so a domain object's SID (S-1-5-21-&lt;domain&gt;-&lt;RID&gt;, five sub-authorities) is 28 bytes. The last sub-authority is the relative identifier, or RID, of a particular object. The RID field itself is 32 bits, but by default a domain issues from a 30-bit global RID pool, which means you have approximately 1 billion (2^30) RIDs per domain. So while you may think it is unlikely that you will run out of RIDs, according to http://TechNet.microsoft.com/en-us/library/jj574229.aspx you can encounter this if you accidentally used scripts or provisioning tools (like FIM) to shoot yourself in the foot and create gobs and gobs of users, let some end user go out of control creating way too many groups, increased the RID Block Size (the number of RIDs each DC requests at a time) to be too big, or did lots of DC demotion and promotion, cleanups, forest recoveries or RID pool invalidations.
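To put numbers on that budget, here is an added PowerShell example (not from the post) that reads the domain's global RID pool from the RID Manager$ object and each DC's current allocation block. It assumes the ActiveDirectory RSAT module, PowerShell 3.0 or later, and read access to CN=RID Manager$ and the per-DC RID Set objects.

```powershell
# Added example (not from the post): how much of the default 30-bit RID space
# has this domain consumed, and what block is each DC currently issuing from?
# Assumes the ActiveDirectory module and PowerShell 3.0+ (-shr, [PSCustomObject]).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$ridManager = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
                           -Properties rIDAvailablePool

# rIDAvailablePool packs two 32-bit numbers into one 64-bit integer:
#   high 32 bits = size of the global pool (1073741823 = 2^30 - 1 by default)
#   low 32 bits  = the next RID that will be handed out, i.e. RIDs issued so far
$pool     = [Int64]$ridManager.rIDAvailablePool
$poolSize = [Int64]($pool -shr 32)
$nextRid  = [Int64]($pool % 4294967296)   # exact Int64 modulus, no double rounding

[PSCustomObject]@{
    Domain         = $domain.DNSRoot
    RidMaster      = $domain.RIDMaster
    GlobalPoolSize = $poolSize
    NextRid        = $nextRid
    RidsRemaining  = $poolSize - $nextRid
    PercentUsed    = [math]::Round(100 * $nextRid / $poolSize, 2)
}

# Each DC's RID Set holds its current block (rIDAllocationPool, again low 32 bits =
# block start, high 32 bits = block end) and the next RID it will use. A DC that
# keeps requesting fresh blocks after demotion/promotion or pool invalidation
# burns through the global space even if few objects are ever created.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
                           -Properties rIDAllocationPool, rIDNextRID -ErrorAction SilentlyContinue
    if ($null -eq $ridSet) { continue }   # e.g. RODC, which does not issue RIDs
    $alloc = [Int64]$ridSet.rIDAllocationPool
    [PSCustomObject]@{
        DC          = $dc.HostName
        BlockStart  = [Int64]($alloc % 4294967296)
        BlockEnd    = [Int64]($alloc -shr 32)
        NextRidHere = $ridSet.rIDNextRID
    }
}
```

Run it from the RID master or any DC with a recent replica; if PercentUsed is climbing faster than your object count, the per-DC block table is where to look for the DC that is wasting blocks.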

Continue reading

FIM Deprecated Features FIM TEAM user group meeting

So in 1 hour and 20 minutes, on November 13, 2013 at 21:00 UTC, I (David Lundell) will present "Impact of deprecated features" at the FIM TEAM user group. This session will go over various deprecated features that the FIM product group has announced are to be eliminated in future releases, such as XMA v1 (ECMA v1), transaction properties, multi-mastery and equal precedence, with advice on planning for and working around their future absence.

Continue reading

DirSync w/ domain if NetBios and FQDN don't match

If one of your AD domains has a NetBIOS domain name that doesn’t match the leftmost label of its DNS FQDN, you need to grant the Replicating Directory Changes permission to your AD MA account. This is documented in a few places, including my book. However, DirSync misses this step. Normally DirSync does a very good job of installing and configuring everything you need without requiring you to be an expert in FIM, but this is one thing it misses.
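The following is an added PowerShell example, not DirSync's own code or anything from the post, that performs the missing step: it detects a domain whose NetBIOS name differs from the leftmost DNS label and, only then, grants the AD MA account the Replicating Directory Changes extended right on the domain naming context. It assumes the ActiveDirectory module, that you run it as a domain administrator, and a hypothetical service account name svc-fim-adma.

```powershell
# Added example (not from the post): grant "Replicating Directory Changes"
# (DS-Replication-Get-Changes) to the AD MA account when NetBIOS != leftmost label.
# Assumes the ActiveDirectory module and rights to modify the domain NC ACL.
Import-Module ActiveDirectory

$maAccount = 'svc-fim-adma'   # hypothetical AD MA service account

# Control access right shown in the GUI as "Replicating Directory Changes".
# Its sibling DS-Replication-Get-Changes-All (1131f6ad-...) additionally exposes
# secrets such as password hashes; do not grant that one unless you need it.
$getChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

$domain   = Get-ADDomain
$leftmost = $domain.DNSRoot.Split('.')[0]

if ($domain.NetBIOSName -ieq $leftmost) {
    "NetBIOS name '$($domain.NetBIOSName)' matches '$leftmost'; nothing to do."
    return
}
"NetBIOS name '$($domain.NetBIOSName)' differs from '$leftmost'; checking the ACL."

$sid    = (Get-ADUser -Identity $maAccount).SID
$ncPath = 'AD:\' + $domain.DistinguishedName
$acl    = Get-Acl -Path $ncPath

# Idempotence: look for an existing Allow ACE for this right and this principal.
$already = $acl.Access | Where-Object {
    $_.ObjectType -eq $getChangesGuid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$maAccount"
}
if ($already) {
    "$maAccount already holds Replicating Directory Changes on $($domain.DistinguishedName)."
    return
}

$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                     -ArgumentList $sid, $rights, $allow, $getChangesGuid
$acl.AddAccessRule($rule)
Set-Acl -Path $ncPath -AclObject $acl
"Granted Replicating Directory Changes to $maAccount on $($domain.DistinguishedName)."
```

Treat the account that holds this right as privileged: it can read every change in the domain, so it belongs in the same protection tier as your domain controllers' service accounts, with a strong, rotated credential and no interactive logon.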

Continue reading

Declarative or Bust!

Craig Martin - Oct 3, 2013: I see two challenges: 1. There is not feature parity between the two types of sync rules. 2. The imperative support (VBA) in the new sync rules is limited and difficult to debug. My wish is that we had better extensibility in the new sync rules (scrap VBA, or figure out how to improve the extensibility and debugging).

Continue reading

Declarative or Bust!

Michael Pearn from down under wrote about his experience trying to use just Declarative Sync Rules. His experience, especially the religious debates, is similar to my own. It made me recall my presentation at TEC 2012, the FIM 2010 R2 Showdown: Classic vs. Declarative. The vast majority of old hands at the presentation declared for Classic both before and after the presentation. During the presentation I attempted to view anything you could do without code as declarative, whether it came from a sync rule or not, especially if it was a new feature.

Continue reading

Windows 2012 R2 and Windows 8.1 RTM now on MSDN and Technet

One of my fellow MVPs and Insight teammates, Alessandro Cardoso (he runs one of our practices down under), announced on his blog that Windows 2012 R2 and Windows 8.1 RTM are now on MSDN and TechNet. He goes on to mention the salient points around 2012 R2 for virtualization, so I thought I would discuss some of the benefits for Active Directory and ADFS. One key thing is that ADFS on Windows Server 2012 R2 doesn’t require IIS, so now it can and should be installed on domain controllers.

Continue reading

MS13-066 causes ADFS 2.0 problems

Microsoft put out a release the day before yesterday (8/13/13) to fix a security vulnerability in ADFS 2.0. It caused an outage for SSO with Office 365 for a customer of ours (they had the servers set to auto update). http://technet.microsoft.com/en-us/security/bulletin/ms13-066 http://support.microsoft.com/kb/2843639 http://support.microsoft.com/kb/2843638 At the moment we recommend NOT installing these updates. We saw the following error repeated for every authentication attempt: Event ID 111, "The Federation Service encountered an error while processing the WS-Trust request."
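Before rolling anything back it is worth proving the correlation the post describes on each federation server: did Event ID 111 start when the MS13-066 packages landed? The following added PowerShell example (not from the post) checks the installed hotfix list for the two KB numbers the bulletin cites and counts WS-Trust failures in the AD FS 2.0 Admin log since the earliest install time. It assumes PowerShell 3.0 or later and the log channel name 'AD FS 2.0/Admin' used by AD FS 2.0.

```powershell
# Added example (not from the post): correlate AD FS 2.0 Event ID 111 with the
# installation time of the MS13-066 packages on this server.
# Assumes PowerShell 3.0+ and an AD FS 2.0 server (log channel 'AD FS 2.0/Admin').
$kbs = 'KB2843638', 'KB2843639'

# Which of the bulletin's packages are installed here, and when?
$installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }

if ($installed) {
    # Start counting from the earliest MS13-066 install; InstalledOn can be null
    # for some packages, so sort ascending and take the first non-empty value.
    $since = ($installed | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn | Select-Object -First 1).InstalledOn
    if (-not $since) { $since = (Get-Date).AddDays(-7) }
} else {
    # Not patched: if 111 is still firing, the update is not the cause.
    $since = (Get-Date).AddHours(-24)
}

$failures = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS 2.0/Admin'
    Id        = 111
    StartTime = $since
} -ErrorAction SilentlyContinue)

$lastMessage = ''
if ($failures.Count -gt 0) {
    # Newest event first; keep only the first line of the message for the report.
    $lastMessage = $failures[0].Message.Split("`n")[0].Trim()
}

[PSCustomObject]@{
    Host             = $env:COMPUTERNAME
    UpdatesInstalled = ($installed | ForEach-Object { "$($_.HotFixID) @ $($_.InstalledOn)" }) -join ', '
    CountingSince    = $since
    Event111Count    = $failures.Count
    LastEvent111     = $lastMessage
}

# If you decide to follow the post's advice and back the update out (run elevated,
# and plan the restart), the package uninstall is: wusa.exe /uninstall /kb:2843638 /quiet /norestart
```

Run it on every server in the farm and on the proxies; a non-zero Event111Count with an UpdatesInstalled time shortly before the first failure is the evidence you want before opening a case or rolling back, and a zero count on an unpatched node tells you the problem is elsewhere.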

Continue reading

Is the Password dead? Gotta eat what you kill!

At last year’s Cloud Identity Summit in Vail I heard a lot about how the password is dead. I expect to hear a lot more this year. Most of it fit into one of several categories: Complaints about why passwords should be dead In other words all of the various problems with passwords – and there are Schemes to have various applications depend on someone else’s password

Continue reading

The MVP 7 year itch

Søren Granfeldt - Jul 1, 2013: Congratz, David…

Continue reading