Friday, February 15, 2008

Using the Group Populator application with ILM 2007 FP1

UPDATE 07.29.2008 - Corrected the version of Windows from Standard to Enterprise.

In the Microsoft Identity and Access Management Series, Microsoft provided a Group Populator application for MIIS 2003 to allow for the provisioning and management of Groups within MIIS.  As you should already know, MIIS 2003 is now ILM 2007.  ILM 2007 FP1 requires Visual Studio 2005 and .NET 2.0, but the application code was done in VS 2003 and .NET 1.1.  Let the fun begin!

The instructions documented in this post are taken from here (also a great location for background information on the Group Populator application), and updated wherever I ran into issues.

As an FYI, I am using the following applications and versions:

  • Windows Server 2003 Enterprise SP2
  • ILM 2007 FP1
  • SQL 2005 SP2
  • Visual Studio 2005 SP1
  • .NET Framework 2.0 SP1

Installing the Pre-Requisites

To get started, you'll need a few Windows pre-requisites:

  • IIS (with ASP.NET)
  • Message Queuing (with MSMQ HTTP Support)

image

image 

Now that you have MSMQ installed, you'll need to configure the appropriate queues for the IdM Notification Service.  To create the queues follow these steps:

  1. In Administrative Tools, open the Computer Management console.
  2. Expand Services and Applications, and then expand Message Queuing.
  3. Right-click Private Queues, and select the option to create a new queue.
  4. Type the name as AccountProvisioning and then select the Transactional option.
  5. Do not change the other default options, and click OK.
  6. Repeat steps 3, 4, and 5 to create message queues called SelfServiceProvisioning and miisGroupManagement.

In IIS, under Web Service Extensions, ensure  ASP.NET 2.0.0xxx is listed and allowed. If you installed IIS after you installed the .NET 2.0 Framework, it likely won't be.  You can run the 'aspnet_regiis -i' command from %windir%\Microsoft.NET\Framework\v2.0.50727 to re-register it.

image

Preparing the IdM Notification Service

One of the components used by the Group Populator application is the IdM Notification Service (also included in the Microsoft Identity and Access Management Series).  The IdM Notification Service used some code provided by Microsoft called the Data Access Application Block for .NET v2 to simplify the accessing of SQL data from .NET code.  Unfortunately, it doesn't work for .NET 2.0.

Instead, download and install the Enterprise Library for .NET Framework 2.0 - January 2006.  After the install, go to Start - Microsoft patterns & practices - Enterprise Library - January 2006 and launch Build Enterprise Library.cmd.  This will compile all of the components within the Enterprise Library.

Now download and install the Microsoft Identity and Access Management Series.  Extract it and install the Identity and Access Management Tools and Templates.msi included within it.

So as not to alter the original code, copy the IdMNotificationSvc solution directory (under "Identity and Access Management Tools and Templates\Provisioning and Workflow") to a different location.  I prefer to keep all my ILM-related code together, so I copy it to my "ILM Projects" directory.

Open the IdMNotificationSvc solution in Visual Studio 2005, and allow it to convert it from .NET 2003 to .NET 2005.  Now you'll need to add a project reference to one of the .dlls from the Enterprise Library we compiled earlier.  Go to Project - Add Reference and browse to the Microsoft.Practices.EnterpriseLibrary.Data.dll (by default, located in the "\Program Files\Microsoft Enterprise Library January 2006\bin" directory).

Then, in SMTPmailer.cs, you must replace

using Microsoft.ApplicationBlocks.Data;

with

using Microsoft.Practices.EnterpriseLibrary.Data;

or it won't compile. Microsoft.ApplicationBlocks.Data was the old name, Microsoft.Practices.EnterpriseLibrary.Data is the new name.  If you want to clean it up even more, you can remove the reference for Microsoft.ApplicationBlocks.Data.  Then save and compile the solution.  As a side note, you may need to turn off the Explicit Option in the project unless you want to go through all of the code and add the Dim statements for every variable.

Now that the solution is built you must configure the compiled IdMNotificationSvc.exe to run as a service.  To do this, follow these steps:

  1. Open a command prompt and run the InstallUtil.exe to create the service.  Use the syntax: C:\<.NET Framework Installation Folder>InstallUtil <IdMNotificationSvc.exe build path>.  For example:

    C:\Windows\Microsoft.NET\Framework\v1.1.4322>InstallUtil C:\IdmNotificationSvc\bin\debug\IdMNotificationSvc.exe
  2. Type NET START IdMNotificationSvc to start the service.

Creating the Group Management Database

In my sample environment, SQL is installed on the same server as ILM.  You will need to execute this section on your SQL server, and the account running the script must have SQL admin rights in order to create a SQL database.

Browse to the "Identity and Access Management Tools and Templates\Provisioning and Workflow\GroupManagement\GroupManagementDB" directory.  For a remote SQL server, copy this directory locally.  Launch the CreateGroupPopulatorDB.cmd file.

Following the execution of the file, you should have and miisGroupManagement SQL database.  Since the script will create the DB in the default SQL location, you may need to move the database and log files to your desired locations.

Building the Group Management Website

Like the IdM Notification Service project, copy the miisGroupManagement solution directory (under "Identity and Access Management Tools\Provisioning and Workflow\GroupManagement") to a different location so as not to alter the original code.

Open the miisGroupManagement solution and allow Visual Studio 2005 to convert it.  You must also follow the post-conversion step of setting up the project as a web application.  Follow the directions given by Visual Studio after the conversion is complete.  Now you can compile the solution.  There should be no changes required to the code, but again, you may need to turn off the Explicit Option in the project unless you want to go through all of the code and add the Dim statements for every variable.

Now that the code is compiled, a virtual directory in IIS must be created for the web application.  Open the IIS administration console and under the default web site, start the wizard to create a new virtual directory and use the following settings:

  1. For the Alias, use miisGroupManagement.
  2. Use the directory of the miisGroupManagement solution.
  3. Allow the Read and Run Scripts permissions.

Once the wizard is done, open the Properties of the new virtual directory and configure the default page to be Default.aspx (on the Documents tab).

image

Now go to the Directory Security tab, and click Edit under Authentication and Access Control.  Disable anonymous access and enable Integrated Windows authentication.

image

As a side note, now would be a good time to take a look at the permissions of the miisGroupManagement solution directory and ensure you aren't allowing the wrong users to access this site.

Test the website by browsing to http://localhost/miisGroupManagent from the ILM server, or substitute your server name in place of localhost to try it remotely.  You should see the following:

image

Building the Group Populator Application

Like the other projects, copy the GroupPopulator solution directory (under "Identity and Access Management Tools\Provisioning and Workflow\GroupManagement") to a different location so as not to alter the original code.

Open the GroupPopulator solution and allow Visual Studio 2005 to convert it.  There should be no changes required to the code, but again, you may need to turn off the Explicit Option in the project unless you want to go through all of the code and add the Dim statements for every variable.

Configuring ILM

Rather than regurgitate the fine documentation that is already out there for this, I will simply say that from the instructions provided here, you should now complete Task 4: Configuring the Metaverse for Groups and Task 5: Creating the New MA (under the Group Management section).

Putting it all Together

Now that you have configured the Group Management MA, you can start to add groups to the Group Management web application.  To update the membership of the groups according to the clause and any exceptions you defined, you must run the GroupPopulator.exe application (created when you compiled the Group Populator solution earlier).  As you can probably guess, the GroupPopulator.exe will need to be run regularly to update the group memberships based on any additions, deletes, or changes in the Metaverse.

Depending on how you plan on using the application, you will also need to configure your other MAs accordingly to support the management of groups.  If provisioning of groups will be done, you will also need to update your provisioning code.

That should get you going with the Group Populator application.  I hope this helps anyone who runs into the issues I had using the application with ILM 2007, Visual Studio 2005, and .NET 2.0.