Infocard mentioned on Infoworld
22/9/2005
We're starting to see this show up more in the press after the PDC.
http://www.infoworld.com/article/05/09/21/HNinfocard_1.html
Excellent Web Cast on the Identity Management Solution Series
14/9/2005
The Microsoft Identity and Access Management Solution Series is a set of prescriptive guidance, code samples, and architecture references that guide customers on building real life Identity Management solutions. This web cast will cover the upcoming release on Provisioning and Workflow as well as a roadmap.
I have tested this solution myself and it is quite impressive. It shows SAP provisioning, a group management portal, and a simple workflow app for approving and provisioning contractor accounts. Link to web cast on 9/14 here. I would assume it will be available after 9/14 in a recording.
Abstract:
"As organizations grow, they tend to accumulate multiple systems and standards for storing and using digital identities. These systems can include directory services, human resource databases, financial systems, custom applications, and Web sites. This session focuses on the most recent prescriptive guidance in the Microsoft Identity and Access Management Solution Series (I&AM Solution Series) for Password Management, Self-service Provisioning GUI, and the Administrative Group Management tool. The session will also offer a sneak peek at the roadmap for the I&AM Solution Series and the team's current activities."
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032279715%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e
How many Laws of Identity does this one break?!?
21/7/2005
Link to News.com article
Though this seems like a great idea, it has scary implications. People are pretty protective of their medical record. Reminds me of that Seinfeld where Elaine had a bad doctor visit and they put it on her record. She could not see it, but it caused her pains going to other doctors. Anyway, I wouldn't imagine doctors are generally good with IT security and probably don't maintain in-house security staffs. This seems like an accident waiting to happen. If it is hosted, then someone might be able to steal medical info on lots of people at once. I think this kind of thing is important to society, but if we don't get the security right, we could be in trouble.
Identity Management hurts
19/7/2005
Seriously, this stuff is really hard. I work in the Identity Management space and most of my time has focused more on enterprise IdM solutions (things like metadirectories and provisioning). Recently, I have been studying this from a more holistic internet identity management topic. Much of the discussion has started without me on Blogs like Kim Cameron's Identity Weblog (http://www.identityblog.com).
There are a lot of different aspects to the problem and many of these have been well discussed on Blogs across the internet. Kim Cameron (with the help of the Blogosphere) has created the "Laws of Identity" which help shape the kinds of things we need as a community to solve these problems. This is certainly a head start on the solution.
Why do I say this is hard? Well, I know that this is a technology problem, but the majority of the users are non-techie people. I think about my wife, my kids, my in-laws, and many of my friends who grew up in the internet age. In many cases, people ignore the information put in front of them and click whatever buttons they can to continue the transaction they are working on.
If we put an Infocard in front of them, will they pay attention? Will they pick the appropriate identity or just the default (with all the extraneous claims in it)?
If the site they are browsing is a rogue site and the browser warns them, will it matter to them? We have all seen the message about the SSL cert not being trusted. Do you want to continue? Of course I do! Most people do.
If the Metasystem makes things more secure, but 10 times more difficult (for internet commerce), is it really going to work?
How do I use my Infocard when I am not on my personal machine?
The laws of identity talk about this kind of stuff, but solving the problems is still quite hard. It should be fun to watch.
Interesting article about Identity Management as a web service
12/7/2005
Clint Boulton's interesting article talks about Identity Management delivering Idm solutions as web services. I think this ties in well with Microsoft's plan for the Identity Metasystem and Infocard.
Bike ride through the mountains - Complete!
11/7/2005
Below is a trip report from my big ride last Friday (7/8).
Overall, the trip was great. Certainly the toughest physical accomplishment of my life. The first 50 miles were basically simple. After that, it was all uphill and extremely steep over the Chestnut and Laurel ridges. The grades here ranged from 10-14%. I also had a good number of dogs that seemed to want to attack. This really spoiled a lot of the enjoyment for me.
For a picture of the route, click here
Trip Statistics
Total distance: 68 miles
Total time: 5 hours 48 min
Speed: Avg - 12 mph / Max - 41.6 mph
Altitude: Chestnut Ridge (2300 ft) & Laurel Ridge (2800 ft)
Counties traveled: 5 (Washington, Allegheny, Westmoreland, Fayette, Somerset)
Route Diary
1. To Monongahela (12 miles at end). Trip started from my driveway. Followed roads down to Mingo Creek Park and down to Rte 88. 88 South into Monongahela. Joins with Rte 136 and followed this across the river and to the east.
2. To West Newton (22 miles). Followed 136E towards Rte. 51. Pretty much uphill all the way to 51. First tough climb of the ride. Road had some cars on it, but was not too busy. Plenty of shoulder to ride on if needed. After the 51 intersection, 4 miles to West Newton. Pretty much downhill from here aside from a small hill. Stopped at the trail entrance just before the river. Bike shop (Korber’s Bike Shop) & bathroom located here.
3. Bike Trail to Smithton (28 miles). Took the bike trail South along the river. There was a parking area in Cedar Creek, but I did not stop. http://www.atatrail.org. It was 6 miles to the Smithton parking area. This was much smaller, but I was able to spot the exit at the end of the parking lot.
4. To Scottdale / Connellsville (38 miles). Took a left onto 981 E and crossed the Yough River. I took this road all the way to Scottdale. Very nice road for riding. No major climbs or attack dogs, and traffic was minimal. After about 7.6 miles, 981 split to the left (in Ruffs Dale, PA). I stayed right and the road eventually changed its name to Homestead Avenue.
5. To Normalville (56 miles). This is where things got difficult. I was hoping to take back roads up the Chestnut Ridge into Normalville. I had it all mapped out, but I could not find the road I needed (T731). These little township roads can be poorly marked. Anyway, after a bunch of looking, I gave up and took 119 S into Connellsville. This was ugly. Rumble strips and tons of traffic. Not really a road that is made for bikes. Then I decided to take the route to the cabin on the roads that I know from driving. I took 711 out from Connellsville. Brutal climbs that were extremely steep. At least 14% grade at times. To make matters worse, there were tons of big trucks going to a quarry up the road. 711 was so tight that I had to pull off the bike and stop when trucks went by. Peak was about 2300 feet. Climb was 9 miles long. Connellsville is 905 feet, so the total climb was 1395 feet.
6. To Cabin (68 miles). Stopped in Normalville at a market to recover. Still another big steep climb ahead. 653 was also full of 12-14% grade roads and had a lot of trucks due to another quarry. I climbed as best I could and was going as slow as 3 mph at times. A couple of times, I really did have to stop. Not sure if it was any tougher, or if I was running out of steam. At the very bottom of the climb, a Rottweiler jumped out at me and was not on a leash. He was showing teeth and looked ready for action. Since I had a giant climb in front of me, I was quite concerned. Luckily a truck came down the hill and scared him off. Yikes. Peak was 2800 feet. Climb was 6 miles long. Normalville is at 1800 feet, so the total climb here was about 1000 feet. When I saw the Laurel Ridge State Park signs, I knew I was home free. All downhill to our cabin from there. Family was waiting for me cheering at the end.
What I brought
3 replacement tire tubes
2 patch kits
Rain jacket
2 bike water bottles + 1 extra bottle filled with Gatorade
2 Cliff Shot Gels – Razz Sorbet
Fig newtons
Tools – pump, multi-tool, allen wrenches, tire irons, Phillips screwdriver
Wallet & mobile phone
Changes for Next Time
Possibly take 819S from Scottdale to 201 and then into Connellsville.
A woman in Normalville from the market told me a better way from Connellsville. She said to take Breakneck, to Quail Hill, to the Clinton Bypass. This would guide me down to 381 and into Normalville. I’m sure the climbs over Chestnut Ridge would still be there, but there would hopefully be less traffic.
For a longer trip (possibly easier), I could pick up the trail again in Connellsville and follow it to Ohiopyle. From there, I could get picked up or take it all the way past Confluence to Rockwood. From Rockwood, I could take 653 going the other way and climb the Laurel Ridge from the other side. Rockwood is at 1,826 feet, so some of the climb would be done on much less steep grades. Connellsville to Rockwood would be 47 miles and then about 11 miles up to the cabin. This would make for an overall distance of 108 miles.
MIIS OpenLDAP Connector Announced
7/7/2005
This was an announcement at Tech-Ed Europe today.
http://www.vnunet.com/vnunet/news/2139352/active-directory-moves-towards
Pretty exciting. You could certainly have developed your own OpenLDAP MA using the extensible MA, but this will take some of the manual effort out of the picture.
New MS Press Group Policy Book
6/7/2005
This book has some great details on Active Directory Group Policies. I can't wait to get a copy myself.
http://www.microsoft.com/MSPress/books/8763.asp
Microsoft and Sun Partnership Progress
5/7/2005
This is somewhat old news by now, but I wanted to remind folks about the announcements in this press release. http://www.microsoft.com/presspass/press/2005/may05/05-13MSSunEventPR.mspx
Basically, Microsoft and Sun have really started to show some progress on partnerships that were announced a year ago. The two items that are most interesting to me are:
1. WS-Federation Interop. Microsoft and Sun are working on interop protocols to allow WS-Federation and Liberty protocols to work together. This will be accomplished by 2 specifications: Web Single Sign-On Metadata Exchange (Web SSO MEX) Protocol and Web Single Sign-On Interoperability Profile (Web SSO Interop Profile).
2. WS-Management. This new specification will allow systems management technologies to communicate cross platform more easily. Today, we can use WMI to gather system data or send system commands to Windows systems. WS-Management will allow similar activities, but to various platforms and hardware technologies without being Windows specific.
Very exciting!
"Guests are not happy in Zoo Tycoon"
10/2/2005
Yup, that is the title of this most critical KB article. http://support.microsoft.com/?id=838962
Interesting Performance Monitoring Tool - Download on microsoft.com
4/2/2005
I recently found a tool that can help do performance analysis on servers in your environment. This tool gathers the data from the Performance Monitor and does some level of analysis to help diagnose issues. It is especially good at IIS 6.0 and Active Directory.
Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&DisplayLang=en
From the Overview:
Server Performance Advisor is a server performance diagnostic tool developed to diagnose root causes of performance problems in a Microsoft® Windows Server™ 2003 operating system, particularly performance problems for Internet Information Services (IIS) 6.0 and the Active Directory® directory service. Server Performance Advisor measures the performance and use of resources by your computer to report on the parts that are stressed under workload.
MIIS Deprovisioning and using ShouldDeleteFromMV
2/11/2004
In general, MIIS solutions have one connected data source that is authoritative for deletes and drives the deprovisioning process. A common MIIS configuration is to set the object deletion rule to delete the MV object when the connector is removed from this authoritative MA. This causes an MV delete and triggers the deprovisioning action of all the other MAs. What if you want an MA to be authoritative for deletes, but you also want to use some logic to control the delete? The metaverse rules extension contains a function, "ShouldDeleteFromMV", that gives you more control over the object deletion rule. It receives the csentry and the mventry as parameters, so you can look at the csentry or mventry attributes and make a decision on deletion. You also need to make sure the csentry comes from the above-mentioned authoritative MA. Otherwise, your deletes could even be triggered by clearing out some "innocent" connector space. The code below shows a possible implementation of this. Test out your code for this type of function to make sure you have it right.
Code:
    Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean _
            Implements IMVSynchronization.ShouldDeleteFromMV
        ' If csentry is not coming from my authoritative MA, then I must not delete it
        ' (or some other logic could kick in)
        If csentry.MA.Name = "Authoritative MA Name" Then
            ' Check the status attribute that is created by some MA. Reading IntegerValue
            ' on an absent attribute throws, so test IsPresent first.
            If mventry("someStatusAttribute").IsPresent AndAlso mventry("someStatusAttribute").IntegerValue = 5 Then
                ' In my case, I am importing homeMDB into the metaverse and not deleting
                ' the object if a mailbox has been created.
                If Not mventry("homeMDB").IsPresent Then
                    ShouldDeleteFromMV = True
                Else
                    ShouldDeleteFromMV = False
                End If
            Else
                ' Status missing or not 5: keep the metaverse object
                ShouldDeleteFromMV = False
            End If
        Else
            ShouldDeleteFromMV = False
        End If
    End Function
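As an added example (not code from the original post), here is a complete metaverse rules extension that generalizes the idea above: it accepts a list of authoritative MAs instead of a single name, reads the status attribute only when it is present so a missing value can never count as permission to delete, and keeps the decision in a separate Shared function that can be unit-tested without MIIS. The MA names ("HR MA", "Contractor MA") and the attribute names are placeholders.

```vb
' Added example, not the blog post's code. MA names and attribute names are
' placeholders; replace them with the ones in your metaverse schema.
Imports System
Imports Microsoft.MetadirectoryServices

Public Class MVExtensionObject
    Implements IMVSynchronization

    ' Only a connector deletion coming from one of these MAs may delete the MV object.
    Private Shared ReadOnly AuthoritativeMAs As String() = {"HR MA", "Contractor MA"}

    ' Status value that marks an identity as terminated (5 in the post above).
    Private Const TerminatedStatus As Integer = 5

    Public Sub Initialize() Implements IMVSynchronization.Initialize
    End Sub

    Public Sub Terminate() Implements IMVSynchronization.Terminate
    End Sub

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        ' Provisioning is not part of this example.
    End Sub

    Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean _
            Implements IMVSynchronization.ShouldDeleteFromMV
        ' IntegerValue throws on an absent attribute, so check IsPresent first.
        ' An absent status is passed along as "not present", which the decision treats as "keep".
        Dim statusPresent As Boolean = mventry("someStatusAttribute").IsPresent
        Dim status As Integer = 0
        If statusPresent Then
            status = mventry("someStatusAttribute").IntegerValue
        End If
        Dim hasMailbox As Boolean = mventry("homeMDB").IsPresent
        Return DecideDelete(csentry.MA.Name, statusPresent, status, hasMailbox)
    End Function

    ' Pure decision logic, kept free of MIIS objects so it can be unit-tested.
    ' It returns True only when every condition holds; every other path keeps the object.
    Public Shared Function DecideDelete(ByVal maName As String, ByVal statusPresent As Boolean, _
            ByVal status As Integer, ByVal hasMailbox As Boolean) As Boolean
        ' A connector removed from a non-authoritative MA (for example someone clearing
        ' a connector space) must never cascade into a metaverse delete.
        If Array.IndexOf(AuthoritativeMAs, maName) < 0 Then Return False
        ' No status, or a status other than "terminated": keep the object.
        If Not statusPresent OrElse status <> TerminatedStatus Then Return False
        ' Terminated and no mailbox exists yet: safe to delete.
        Return Not hasMailbox
    End Function
End Class
```

Because DecideDelete has no MIIS dependency, the four "keep" cases (non-authoritative MA, missing status, wrong status, mailbox present) and the single "delete" case can be checked in a plain test project before the extension is deployed.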
Federation... Schmederation. Can't we all just get along?!?
28/10/2004
The eWeek article below talks about Microsoft and the Liberty Alliance. I guess IBM recently decided to join the Liberty Alliance (along with already being a part of designing the ws-federation standards with Microsoft). Interesting article. http://www.eweek.com/article2/0,1759,1681595,00.asp This stuff is all very early in the development cycle, but I suspect it will all work itself out eventually. From a customer point of view, one just wants to be able to federate with various other customers and business partners regardless of the solution. In the end, many of the solutions that will support federation will support both ws-federation standards along with Liberty. If the demand is high for this type of solution, it will work out great for the customer. If not, I suspect it will be more difficult.
Consulting from home...
26/10/2004
I have posted on this Blog recently about life in MCS. This probably holds true for consulting engagements in general. Setting a comfortable travel schedule is really important when you are on the road all the time. On the other hand, this travel schedule would need to be negotiated with the client. In my case, that negotiation is not done by me, so I have very little say in that. Once things get rolling and you get acquainted with the client, you can probably figure out a good way to balance this. Working from home is an interesting idea. On paper it seems to make sense. If you are writing documentation, why would you need to be at the client's location? Depending on your situation, you may get more interruptions at a client site than from little kids at home! For short periods this might work, but in the long run, I believe a big part of consulting is building relationships with the customer. Having face time to discuss the issues and iron out questions can go a long way in building a deeper level of trust. If you are at home all the time, they tend to forget about you and start to stop seeing the value. You could do this here and there, but not all the time.
Information about my current MIIS/Exchange project
22/10/2004
My current project is using MIIS to assist with an Exchange Resource Forest. The company has decided to run Exchange in the headquarters, and each sub-company maintains its own Active Directory for login and security. The Exchange forest has placeholder accounts (mailboxes) that the external accounts have rights to. MIIS is responsible for two things:
1. Synchronize the GALs from each sub-company to the central Exchange Resource Forest.
2. Provision mailboxes when new accounts arrive in the sub-company Active Directories.
It is an interesting project with some intriguing problems.
Access to sub-company ADs: In most cases, the sub-companies do not want to give access to their AD from the central MIIS server. We could certainly refine the access to read-only at certain containers, but there are still firewalls and other political factors that override. In our case, we will likely ask the sub-company to export only the necessary data to an ADAM instance that can buffer some of the above issues.
Migration status: Initially, the primary data source for the user data is on the legacy side. Once the users are migrated, my data flow rules need to switch directions for certain attributes. We decided to add a "migration status" field that would be used in our MIIS logic to help customize the attribute flow precedence and direction.
External account IDs/SIDs: In order to permission the mailboxes, we obviously need a trust in place, but we also need the user account and/or the user SID from the sub-company AD. This can prove challenging depending on how you are permissioning. The permission process is also slightly different for a brand spanking new mailbox compared to one that already exists on the store. Once the migration is over, the whole thing becomes a lot easier. With something this large, it could take a long time...