Version 3.0
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and
warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies.
The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to
third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
Copyright © 2007 Microsoft Corporation. All rights reserved.
Microsoft are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Section 1: About the Live@edu Program
  Why Choose Live@edu?
  About This Guide
  What if I get stuck?
  Technology Overview
  Live@edu Solution Details
  List of Features
  Terms and Definitions
Section 2: Checklist of Items before Deployment
Section 3: Reserving a Domain with Windows Live Admin Center
  Select a Domain Name
  Assign a Domain Administrator
  Review Settings and Accept Agreement
  Confirm the Administrator Account
Section 4: Identity Lifecycle Manager 2007
  Primary Concepts and Terminology
  System Requirements
  Metadirectory
  Data Aggregation
  Data Synchronization
  Data Enforcement
  Data Source
  Management Agent
  Metaverse
  Connector Space
  Provisioning
  Running a Synchronization
  Extensible Management Agents
  State Based System
  Operations
  Disaster Recovery Plan 1 (SQL Outage)
  Disaster Recovery Plan 2 (ILM Server Outage)
  List of Maintenance Operations
  Backing up Management Agents
Section 5: Setting up the Environment
  Installation requirements
Section 6: Creating and Configuring the Data Source Management Agent
  Configuring the Data Source Management Agent
  Connecting to the Student Data Source
  Database Management Agents
  LDAP Management Agents
  File-based Management Agents
  Understanding the Student Data Source Schema
  Management Agent Schemas
  Anchor Attributes
  Object Types and Attributes
  Select a Subset of the Source Data
  Database management agents
  LDAP management agents
  File-based Management Agents
  Configure Connector Filter Rules
  Refine Further by Using Filters to Select Subsets
  Configure Join Rules
  Configure Projection Rules
  Configure Import Attribute Flow
  Configure Deprovisioning
  Configure Extensions
Section 7: Installing and Configuring the Export Management Agent
  Installing the Windows Live Management Agent
  Create the Windows Live (Export) Management Agent
  Passport User Attributes
  Enable Provisioning
Section 8: Configure XML Files
  Configure XML Settings
  Configure Offers
Section 9: Additional Settings
  Managing MX Records
Section 10: Running the Solution
  Data Synchronization
  Run Profiles
  Configure the Full Import and Full Synchronization Run Profile for the Import Management Agent
  Configure Export Run Profile for the Windows Live Management Agent
  Delta Import and Delta Synchronization
  Populating the Metaverse
  Troubleshooting the Staging of the Student Data
  Creating Windows Live IDs
  Managing the Output Files
  Features of the Windows Live Management Agent
  Renaming of E-mail Addresses
  Deleting Windows Live IDs
  Setting an Object Deletion Rule
  Attribute Interdependencies
  Active vs. Inactive student handling
  Configuring Multiple Sites
Section 11: Password Management
  Create Initial Password
  Password Reset
  Password limitations
  ILM Password Synchronization
  Using Other Systems as the Source for Password Changes
  Reset Password Flow
  Recovering from a Forgotten Password
  Alternate E-mail Addresses
Section 12: Troubleshooting
  ILM 2007 Failure Analysis Process Flow
  For "stopped-extension-dll-exception"
  For "completed-export-errors"
  Getting Support
  Disaster Recovery Plan (ILM Server Outage)
Section 13: Advanced Topics
  Student Portal Integration
  High Availability
  Integration of Live@edu Into a Pre-existing ILM Environment
  Distribution List Management
Appendix A: Valid Region/Country Codes
Appendix B: Language Codes
Appendix C: TimeZone Codes
Appendix D: U.S. Region Codes
Appendix E: Certificate Install Information
  Obtaining a Certificate for your Domain
  Installing the certificate on the ILM Server
  Installing WinHTTP Configuration Tool
  Installing the certificate to Windows Live Admin Center
Appendix F: Migrating from the SDK tools
Appendix G: Support information
  Using Microsoft Premier Online
  Steps to access the Microsoft Premier Online site
  Steps to file a support request with Microsoft
  Tracking/Updating an Incident
  Incident Severity Definition
Section 1: About the Live@edu Program
The Live@edu program was established to allow educational institutions to provide their users with an e-mail address at a custom, institution-determined domain without the difficulty and cost of maintaining an in-house mail infrastructure. This can be a for-life e-mail address, since the program allows users to keep using the address with no time constraints.
The e-mail address issued by Live@edu is hosted by Windows Live Hotmail (previously known as Hotmail), the largest free e-mail provider in the world, and may be accessed through http://mail.live.com as well as a myriad of other web sites. Additionally, institutions can integrate with the Windows Live Hotmail interface to expose its functionality through custom education portals. This document describes the Windows Live Management Agent, an application used primarily for automating the creation, management and deletion of Windows Live IDs for use with Windows Live sites and applications. The Windows Live Management Agent is an administration tool used by universities participating in the Live@edu program. In addition to Windows Live Hotmail, users can use their Windows Live ID to sign up for services on sites such as Windows Live Spaces and Windows Live Messenger, in place of the @Live.com, @hotmail.com and @msn.com domains that are available to the general public. Technically, the Windows Live Management Agent is a plug-in to Microsoft Identity Lifecycle Manager (ILM) 2007 that allows manipulation of Windows Live IDs in the domains the institution has been authorized for. Minimal configuration is required; specifically, you will be asked to decide how the e-mail address is formed and to provide a temporary initial password.
Why Choose Live@edu?
No mail infrastructure requirement means there is no need to hire in-house support staff to set up and maintain mail servers
Familiar user interface of Live.com/Hotmail increases adoption and lowers support costs
Powerful user creation and management tools
Integration with your current student e-mail directory
For-life e-mail address
Free
Technology Overview
Windows Live is a suite of services and web applications that can be accessed with one Windows Live ID.
To integrate the student, alumni, and/or applicant information you have at your school with the
Windows Live environment, you establish communication between the source of this information and
Windows Live. This is accomplished with a Microsoft application called Microsoft Identity Lifecycle
Manager (ILM) 2007. ILM 2007 can gather data from the source and create, manage and delete accounts
automatically once it is configured. The data source is the repository which contains information about
the students whose accounts you would like to create. This data source may be Active Directory, an
LDAP server, a text file, a database or any other data source supported by ILM 2007. This document will
be limited to covering the first four of the sources listed above; should you need information about
connecting to the other ones, please refer to the ILM 2007 documentation.
ILM 2007 is a software product that enables IT organizations to reduce the cost of managing the identity and access life cycle by providing a single view of a user's identity across the heterogeneous enterprise and by automating common tasks. In essence, ILM 2007 allows data sources that were never designed to talk to each other to communicate and synchronize data. For that reason, ILM 2007 is leveraged to allow your student data source to communicate with Windows Live. The Windows Live Management Agent is a plug-in to ILM 2007 that knows how to communicate with Windows Live. Additionally, ILM 2007 has other plug-ins that know how to communicate with many standard places where identity information is stored, such as LDAP servers, databases, etc. These other management agents allow ILM 2007 to gather the student, alumni or applicant information, and the Windows Live Management Agent allows for the creation, eviction and modification of Windows Live IDs. Even though ILM 2007 is designed to integrate a variety of data sources, we will be working with a limited subset of ILM 2007 functionality for the purposes of the Live@edu solution. As visualized by the diagram below, the data flow occurs in one direction: first, the data is imported from the data source (LDAP, database, etc.); then it is processed by ILM 2007 and exported to Windows Live. The result of this process is a group of Windows Live IDs that are managed based on your existing student information.
Live@edu Solution Details
Now that you have a better understanding of ILM 2007 including the terminology, you can apply that
knowledge to the Live@edu solution. The following section provides an overview of the basics necessary
to understand Live@edu.
List of Features
Here are some of the features that you can expect from the Windows Live Management Agent.
Terms and Definitions
Term or Acronym: Definition
Branding: A customized user interface (UI) with logos, etc. to be displayed when the user signs in to Windows Live Hotmail, Messenger, Spaces, and other Windows Live services. Co-branding is now available through the Windows Live Admin Center.
Eviction: The process of setting a user into a state in which they will be required to choose a new sign-in name that is not in the Windows Live domain on their next sign-in attempt.
Identity: The entity represented by a NetID. A single identity may have multiple credentials of different types associated with it.
NetID: A unique identifier associated with a Windows Live ID. It is generated automatically by Windows Live.
Managed Namespace: A namespace that is created and controlled by a partner whose users' accounts are authenticated by Windows Live ID.
OfferName: A function of the Windows Live Admin Center that controls advertising.
Profile: Personal data about a user other than their e-mail account and password (Windows Live ID); for example, first name, last name, and zip code are properties of a user's profile.
Provisioning: The process by which the Windows Live ID service agrees that a partner is authorized to set up a managed namespace. Alternatively, an ILM term describing the creation of an object in a connector space.
Windows Live ID: A username and password used to authenticate with Windows Live services. Synonymous with a "Passport ID".
Section 2: Checklist of Items before Deployment
The following is a high level checklist of work items that need to be completed before you are fully
deployed on the Live@edu program. As you move forward on-boarding with Live@edu, you will be
given more detail around each of these items.
NOTE: BEFORE MOVING FORWARD ALL THE ABOVE STEPS MUST BE COMPLETE
NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. It does not cover Exchange Labs provisioning.
Section 3: Reserving a Domain with Windows Live Admin Center
Before you reserve your domain, please submit your enrollment form to the Windows Live Commercial Partner Center. The enrollment form is available at https://imagine-windowslive.com/Education/Connect/Enroll/Default.aspx.
8. Once your credentials are confirmed, you are taken to the administration page for your domain.
At this point you should notify the Windows Live Commercial Partner Center (using this e-form:
https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww) that your domain(s) are
registered with Windows Live Admin Center. The Windows Live Commercial Partner Center will
configure your domain as a Live@edu domain and will provide you with the appropriate information for
you to begin creating Live@edu accounts.
Note: You will need to confirm an administrator account for each Windows Live domain separately.
For security purposes it is recommended that you register a separate administrator Windows Live ID for each person who will manage your domain, rather than sharing one administrator account between people. If you are using a certificate for authentication, the certificate must be uploaded for each domain and installed on each computer that will be used to administer the domain. For example, if you have 10 separate domains and 10 separate administrators, there are 10 MX records to confirm, one per domain.
To set up multiple administrator accounts for a single domain, or to assign administrators for a tertiary domain, the above steps must be completed for each administrator added to the domain.
Section 4: Identity Lifecycle Manager 2007
Primary Concepts and Terminology
ILM 2007 is a metadirectory product that has a variety of uses for data synchronization and identity management. In the case of the Live@edu program, it is used to facilitate the management of Windows Live IDs by synchronizing data between the student information data source and Windows Live. To understand the role of ILM 2007 as it relates to Live@edu, it is important to understand the fundamentals of this type of product.
The ILM 2007 application runs on Windows Server 2003 Enterprise Edition. It relies upon Microsoft SQL Server as the application data store to retain all of the settings for ILM 2007 as well as the identity data that is synchronized through it.
System Requirements
Windows Server 2003 Enterprise Edition or Windows Server 2003 R2 Enterprise Edition
Microsoft SQL Server 2000 Enterprise Edition, Standard Edition, or Developer Edition with
Service Pack 3a or later; or Microsoft SQL Server 2005 Enterprise Edition, Standard Edition, or
Developer Edition (32-bit or 64-bit) with Service Pack 1 recommended
For a detailed list of requirements and answers to commonly asked questions, please refer to the ILM
2007 FAQ at http://www.microsoft.com/windowsserver/ilm2007/faq.mspx#EKD.
Metadirectory
A metadirectory collects information from different data sources throughout an institution and then
combines all or part of that information into an integrated unified view. This unified view presents all
the information about an object such as a student or network resource that is contained throughout the
institution. An Identity Management system may have a metadirectory at its heart and ILM 2007 is such
a system. A metadirectory performs the following functions:
Connects to a variety of data sources, importing a desired subset of data from each one
Combines all the information about each student or resource into a single entry
Presents to the institution the unified view of all known information about each student or
resource
Enforces rules as to which sources are authoritative for a given attribute and what precedence
applies where more than one source is authoritative
Microsoft currently distributes two separate versions of ILM 2007. The Live@edu version allows an institution to connect to one data source for account imports and to Windows Live for account creation. The full version of Microsoft Identity Lifecycle Manager 2007 is needed to connect to more than two data sources. The following table lists some of the management agents that ship with the full version of Microsoft Identity Lifecycle Manager 2007, illustrating the types of data sources it can communicate with out of the box.
Network Operating Systems and Directory Services:
  Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
  Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
  Microsoft Windows NT 4.0
  IBM Tivoli Directory Server
  Novell eDirectory 8.6.2, 8.7, and 8.7.x
  Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x
E-mail and Messaging:
  Microsoft Exchange 2007, 2003, 2000, and 5.5
  Lotus Notes 6.x, 5.0, and 4.6
All Other:
  Extensible Management Agent for connectivity to all other systems
If the previous table does not include your student data source, you have several options. The first is to
get the data out of your data source and into a format that ILM 2007 can recognize, such as an LDIF file
or delimited flat-file. Flat-files can often be the lowest common denominator between integrating two
systems. You also have the possibility to build your own extensible management agent to connect to the
data source.
Data Aggregation
In most institutions, student information exists in many different data repositories, resulting in duplication of student information; there is no single, reliable place to go for information about a student or faculty member. Directories that hold identity information are often incompatible. These incompatibilities include different naming conventions, different directory schemas, different communication protocols and different data formats. The number of places in which organizations must manage identity information increases with each new system that is added. To solve the issues that result from identity data residing in multiple repositories you can use a metadirectory to:
Combine the data for a specific person or resource in the metadirectory, thereby creating a
single entry that contains some or all of the identity information from each directory.
Present a single unified view that contains some or all of the attributes from the different
directories regardless of whether the directories are compatible.
Provide a platform that can become the basis of an Identity Management (IdM) system – it
contains the authoritative identity information for objects.
Data Synchronization
Because an institution's student information is often contained in different data repositories, a change
made to data in one repository is not automatically made in any of the other repositories. Making the
change throughout the organization requires the administrator(s) to make the change in each directory
manually. Updating data in each directory by hand is therefore costly, unreliable and may even present a
security risk. Unmanaged identity information quickly becomes disorganized, leaving identity
information that is not synchronized throughout the organization. To manage changes to identity
information you can use a metadirectory to:
Data Enforcement
Data ownership issues often prevent effective coordination of an institution's identity information even
though it may be technically possible. Certain departments maintain a strong ownership of their data.
Although ownership of data is not an issue when directories remain separate, retaining ownership when
data is synchronized among multiple directories becomes more challenging. To address data ownership
issues you can use a metadirectory system to:
Enable administrators to define and enforce ownership relationships at the attribute level.
Allow, block, or reverse changes made to identity information. If a change to data is consistent
with the ownership rules it is allowed; otherwise, it is blocked (allowing local control) or
reversed.
Ensure that the departments that own the identity information in a specific directory will
maintain that ownership even when that directory is synchronized with other directories in the
organization.
Data Source
A data source for the Live@edu solution is any place where you have student information: a directory,
database, or other data repository that contains data to be integrated within ILM 2007. Data sources
can be enterprise directories (Active Directory, Novell eDirectory, ADAM, etc.), databases (Oracle, SQL
Server, etc.), or even data in flat files, such as LDIF, DSML or delimited text.
Management Agent
A management agent is a component of ILM that manages the data associated with a specific data
source and connectivity to the data source. The management agent not only connects to the data
source, but is responsible for managing the flow of data (inbound and outbound). There is at least one
management agent for each data source. For many management agents, ILM 2007 communicates
directly with the data source; these are call-based management agents, and LDAP directories and
Active Directory are examples. For others, where a direct call is not possible, an intermediary file such as
AVP, LDIF or fixed-width text is used; these are file-based management agents. In some cases, the situation may be more
complex: there may be no management agent specifically for the data source or the data source may,
for example, support a mixture of file-based and call-based activities so that a simple file-based
management agent is insufficiently feature-rich. In such a case, the extensible management agent allows
a developer to create code which instructs the management agent how to communicate with the data
source.
Management agents are primarily configured by setting their properties within the wizard-like interface
in the Identity Manager, the application that manages and configures ILM 2007. There are occasions
when more complex operations are desired than those possible through the user interface (for example,
combining the contents of FirstName and LastName to make a displayName); in this case, a
management agent can be augmented by .dll extensions produced using Visual Basic.NET or C# or,
indeed, any language that targets the .NET Common Language Runtime (CLR). Most basic implementations
of Live@edu do not require any code to be written, but remember that the capability is there
if needed.
Metaverse
The Metaverse is a set of tables within ILM 2007 that contain the integrated identity information from
multiple data sources. All identity information about a specific student or object, which is stored in
multiple data sources, is synthesized into a single entry in the metaverse. Each student will most likely
be represented by a single unique object in the metaverse.
Connector Space
The connector space is a storage area and a staging area. It stores the different states that are used to
decide whether information in a data source has changed, or needs to be changed. It is also where
changes are staged on their way into or out of ILM 2007. Each data source has its own logical area in the
connector space, which is managed by its corresponding management agent. The connector space is
essentially a mirror of the related data source, with each object in the data source having a
corresponding entry in the connector space. The connector space does not contain the data source
object itself, but a subset of the object's attributes, as defined by the management agent.
Provisioning
When we think of objects in data sources, they will often be accounts, such as an Active Directory®
service account. The term account is often used even for groups, resources, and so on. Provisioning is
the creation of accounts in data sources (such as LDAP directories, databases, and e-mail systems). Once
provisioned, the account attributes can be managed as those of any existing object. The manual creation
(and removal or disabling) of accounts in several systems is administratively burdensome, prone to
errors and inconsistency, and leaves potential security gaps. For Live@edu, the act of provisioning refers
to the creation of a Windows Live ID account. You can use ILM 2007 to:
Provisioning will occur within ILM 2007 to create the Windows Live IDs in the Windows Live
environment. The Windows Live Management Agent will be entrusted to handle this task on behalf of
ILM 2007. This management agent will take the e-mail address of the student to be provisioned from
the data source, connect to the Windows Live server, create the account and then return the
confirmation to ILM 2007. Similarly, should the user who has an account need to have the account
evicted (deleted) from the school namespace, the management agent will again connect to the
Windows Live server to evict the account.
NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. It does not
cover Exchange Labs provisioning.
Running a Synchronization
During development, a management agent is executed by means of the user interface. In production
systems, it is desirable to run management agents in sequence without user intervention, both on a
scheduled basis, and occasionally in response to specific events (for example, the submission of a new
student registration). Such automated execution of management agents is achieved using the WMI
functions of ILM 2007 in conjunction with a scheduling agent (described in detail later).
Extensible Management Agents
Management agents allow ILM 2007 to connect to a wide variety of different data sources to manipulate
data from them. While most management agents connect to one specific type of connected
data source, the extensible management agent expands the ILM 2007 connectivity options by
allowing developers to build any connection they need by writing code within the framework of a
management agent. Information is provided in the ILM 2007 developer reference help files and on
MSDN.
Operations
This section discusses common operational and maintenance related tasks that need to be performed
on the ILM 2007 server to ensure the solution is backed up and stable. Additionally common
troubleshooting methodology is outlined to assist in dealing with operational errors.
If you have the encryption keys mentioned above, the easiest way to recover from an ILM server outage
is to reinstall ILM 2007 and the Windows Live Management Agent and point the installation at the existing
SQL Server database. Once you provide the encryption keys and restore the supporting files to the proper
folders you should be up and running. Again, refer to "Restoring Microsoft Identity Lifecycle Manager 2007"
in the ILM 2007 help.
List of Maintenance Operations
The table below provides a quick reference for those product maintenance tasks that the System
Administrator should perform on a regular basis. This list summarizes the tasks that are required to
maintain ILM operations. There are more best practices listed in the Help File of your ILM server.
Frequency      Tasks
Daily          View and examine the results of all the ILM management agent runs from the Identity
               Manager Operations interface (see the Identity Manager section below).
Weekly         Examine the Run History to determine if it needs to be backed up and cleared.
As needed      Understand and, if needed, fix all events reported in the Event Log.
As needed      Disconnect objects that were incorrectly joined and make sure they are properly joined
               at the next synchronization cycle.
As needed      When bad data is found through ILM, take the proper steps to ensure that the owner of
               this data fixes it at the source.
As needed      Back up and clear the run history of ILM.
Backing up Management Agents
Once you have your Windows Live ILM implementation up and running, it’s a good idea to back up the
management agents by exporting them in XML format.
1. To back up a management agent, highlight it in the Management Agents window and, on the
Actions menu, click Export Management Agent.
2. Save the management agent configuration file to a location on your hard drive.
3. To import the management agent into a new or restored ILM implementation, in the Identity Manager,
click Import Management Agent.
4. Select the XML file for the management agent you want to import and click Open.
5. Verify your settings by visiting the configuration tabs of the management agent, then click OK. The
exported XML does not carry the connection password, so re-enter it on the Configure Connection
Information page after the import.
Section 5: Setting up the Environment
Installation requirements
The following requirements must be installed prior to implementing the Live@edu solution. Please refer
to the product documentation for the different products for more details.
Microsoft SQL Server 2005, or 2000, Standard or Enterprise Edition, Service Pack 3 (SP3)
ILM 2007 utilizes SQL server as the back end data store. This allows ILM 2007 to retain all of the
configuration settings for ILM 2007 as well as the identity information that is contained in ILM 2007.
During installation ILM 2007 creates the database it will use as its data store. ILM 2007 requires SQL
Server 2000 with Service Pack 3a (SP3a) or later. This means that SQL Server 2000 must be installed first
and then the SQL Server 2000 Service Pack must be applied.
Additionally there are five security groups that need to be configured. ILM 2007 creates three groups
during installation that control which tasks in the Identity Manager users can perform. The following
groups are created by ILM 2007:
MIISAdmins — Members of this group have full access to everything in the Identity Manager.
MIISOperators — Members of this group have access to Operations in the Identity Manager
only.
MIISOperators can run management agents, view synchronization statistics for each run, and
save the run histories to file. Members of the MIISOperators group must also be members of the
MIISBrowse group to open links in the synchronization statistics.
MIISJoiners — Members of this group have access to Joiner and Metaverse Search in the
Identity Manager. MIISJoiners can join or project disconnectors using Joiner, and use Metaverse
Search to view object properties and disconnect objects from the Metaverse.
ILM 2007 also creates two security groups during installation that do not have access to the Identity
Manager, but are used for authentication during password management operations:
MIISBrowse — Members of this group have permission to gather information about a user's
lineage when doing password reset operations with Windows Management Instrumentation (WMI)
queries.
MIISPasswordSet — Members of this group have permission to perform all operations using the
password management interfaces with WMI. Members in this group inherit all MIISBrowse
permissions. For more information about setting passwords using WMI, open the ILM 2007
Developer Reference.
Typically it is best to create the service account and security groups before you begin setup; otherwise
the person running the ILM 2007 installation will need rights in the domain to create the groups
through the setup program. After ILM 2007 is installed, add your user account to the
MIISAdmins group (or whatever name you chose for the group). Adding yourself gives
you full control of ILM 2007.
Note: You must log out and log back in before security group membership will take effect.
License Agreement - You must accept the terms in the license agreement to continue with the
installation.
Setup Type Complete - Selecting this option allows you to specify the values for the Store
Information, the Service Account Information, and the Group Information options. The
remaining options will be installed with their default values.
Store Information - You use the Store Information option to specify information about the SQL
Server that will be hosting the ILM 2007 database. You can choose between a local and a remote
SQL Server, and between the default instance and a named instance of SQL Server.
Service Account Information - Use the Service Account Information option to specify the
account to be used for the ILM 2007 service. This account must already exist.
Group Information - ILM 2007 uses five different security groups to provide different levels of
access. The Group Information option is used to specify the names of these five groups. If the
groups do not exist the wizard will create them. In addition to creating the groups the wizard
will add the user account being used to perform the installation to the ILMAdmins group. This
option is only available if you selected the Custom setup type.
When the installation is complete and before you can run the Identity Manager, you must log off and
then log on again to have your new group membership (in the ILMAdmins group) take effect.
Section 6: Creating and Configuring the Data Source Management Agent
Configuring the Data Source Management Agent
There are nine basic steps to configure your data source management agent. These steps vary
depending on the type of data source; however, the overall concepts include the following:
Using these nine concepts and the details below should allow you to create a management agent that
connects to your data source to get the student information.
Note: The Table or View you specify for Full Import is also written to during Export. Not all views can
be written to in this way – a detail that will have to be taken into account during design. It is not
common that you will need to export to the data source when implementing a basic Live@edu
solution.
Management Agents that support the dynamic discovery of the source directory or database:
Active Directory
Active Directory Application Mode (ADAM)
Active Directory global address list (GAL)
Microsoft Exchange Server 5.5
Microsoft Exchange Server 5.5 (bridgehead server)
Novell eDirectory
Sun ONE directory services
Microsoft SQL Server
Oracle Database
Management Agents with a fixed schema that models the database structure:
Windows NT 4.0
Lotus Notes
Management Agents that require the discovery of the data in the sample file:
Anchor Attributes
The anchor attribute contains the unique value that links an object in the data source to its object in the
connector space. Management agents can make educated assumptions about anchor attributes. Here
are some examples: the SQL Server management agent offers (as a default) the primary key of the
source table if it is defined, although you can override this if necessary (this default does not work where a
view is used). You can assume that other database management agents behave like this (e.g. Oracle).
With AVP, delimited or fixed-width management agents you must define the anchor, and it is a reasonable
assumption that other text-based management agents behave like this. In the Active Directory management
agent the DN is treated as the anchor, and during account creation a unique DN is generated. The
way the management agent actually keeps track of AD accounts is through the AD GUID, although this
takes place under the covers and you do not see it. In this way a DN can be changed in AD,
resulting in a rename at the next import. Renames cannot be detected in simple anchor cases such as SQL
Server or AVP, where a changed anchor value looks like a delete of the old object and an add of a new one.
Most other LDAP-based management agents behave much like Active Directory (e.g. ADAM, Sun ONE, Lotus
Notes, eDirectory). LDIF and DSML management agents must contain a DN attribute, and you must either
define this DN as the anchor attribute or select another attribute as the anchor. The full explanation of
this is not appropriate here, but in summary, if you also use the DN as the anchor it is not possible for
ILM to detect a rename (i.e. if the object has moved, ILM cannot keep track of it). Renames can be
recognized through the special MOD DN and MOD RDN change types.
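As an added illustration, not taken from the guide or from ILM itself, the following Python model shows what the choice of anchor described above means when a directory object moves between two full imports. The student names, GUIDs, DNs and mail addresses are constructed sample data, and the delta function is a simplified stand-in for the connector-space comparison ILM performs, not ILM's own logic.

```python
"""Added model of anchor choice versus rename detection (constructed data, not ILM code)."""


def delta(previous, current, anchor):
    """Classify the difference between two full imports of the same data source.

    `previous` and `current` are lists of attribute dictionaries as a
    management agent would read them; `anchor` names the attribute used to
    match a data-source object to its connector-space object.  Returns the
    anchor values that would be staged as adds, deletes, renames (same anchor,
    new DN) and attribute updates.
    """
    old = {obj[anchor]: obj for obj in previous}
    new = {obj[anchor]: obj for obj in current}
    common = old.keys() & new.keys()

    def without_dn(obj):
        return {name: value for name, value in obj.items() if name != "dn"}

    return {
        "add": sorted(new.keys() - old.keys()),
        "delete": sorted(old.keys() - new.keys()),
        "rename": sorted(key for key in common if old[key]["dn"] != new[key]["dn"]),
        "update": sorted(key for key in common if without_dn(old[key]) != without_dn(new[key])),
    }


# Constructed sample: two successive full imports of two student objects.
# Between them Ann Lee was moved from OU=Students to OU=Alumni (new DN, same
# GUID and mail) and Bob Ray's mail attribute was changed (same DN and GUID).
IMPORT_1 = [
    {"guid": "5f2c6d1e-0000-4000-8000-000000000001",
     "dn": "CN=Ann Lee,OU=Students,DC=edu,DC=example", "mail": "ann.lee@edu.example"},
    {"guid": "5f2c6d1e-0000-4000-8000-000000000002",
     "dn": "CN=Bob Ray,OU=Students,DC=edu,DC=example", "mail": "bob.ray@edu.example"},
]
IMPORT_2 = [
    {"guid": "5f2c6d1e-0000-4000-8000-000000000001",
     "dn": "CN=Ann Lee,OU=Alumni,DC=edu,DC=example", "mail": "ann.lee@edu.example"},
    {"guid": "5f2c6d1e-0000-4000-8000-000000000002",
     "dn": "CN=Bob Ray,OU=Students,DC=edu,DC=example", "mail": "robert.ray@edu.example"},
]


def compare_anchor_choices():
    """Run the same delta once with the DN and once with the GUID as anchor."""
    return {anchor: delta(IMPORT_1, IMPORT_2, anchor) for anchor in ("dn", "guid")}


if __name__ == "__main__":
    for anchor, result in compare_anchor_choices().items():
        print(f"anchor={anchor}")
        for kind, keys in result.items():
            print(f"  {kind:7s} {keys}")
```

With the DN as anchor, Ann's move shows up as a delete of the old connector-space object plus an add of a new one: the old object is deprovisioned (it becomes a disconnector under the setting this guide recommends) and the new one, having nothing to join to, would project a second metaverse person with the same mail address, which is the duplicate-provisioning case you want to avoid. With the GUID as anchor the same change is a single rename and the link to the existing metaverse object and its Windows Live ID survives. Bob's change is an ordinary attribute update under either anchor.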
The object types and attributes available in the data source are reflected in the ILM system by the
generation of a schema for the connector space. It is sometimes required to specify additional details for
an attribute if the management agent is not able to identify those details from the data source. Where
the management agent understands its source system very well (the Active Directory management
agent, for example) there is no need (or potential) to modify the attributes which will be created in the
ILM system. However, for file-based management agents and, to a more limited extent, for database
management agents, it is possible to modify the attribute details. You can specify (for example) the data
type, the length of the data (minimum and maximum), whether the attribute will store a reference to
another object, and whether the attribute is multi-valued.
A join rule is made up of one or more conditions which compare connector space object attribute values
and metaverse attribute values looking for matches. As each connector space object is considered and if
all conditions are met for a given metaverse object then that object becomes a candidate for joining. If
this is not the case, the next rule in the specified order is tested, and so on. Unless you are
integrating the Live@edu solution into an environment where you have an existing ILM 2007 installation,
you will most likely not need to configure a join rule. Instead you will configure a projection rule. In a
disaster recovery scenario, for example, you would join the disconnected objects on their mail address.
Configure Projection Rules
Projection rules govern the conditions under which a new metaverse object is created from a connector
space object. Projection rules are responsible for determining if projection into the metaverse should
occur and the appropriate object type to employ. Projection rules differ from join rules in that during a
join process the metaverse is searched for existing objects; during the projection process projection
rules determine whether or not a new object is created in the metaverse so that other connector space
objects can link to it. Management agents apply projection rules to objects where a join has failed or join
rules were not configured.
Note: At least one of your management agents must have a projection rule or you’ll never get any
data in the metaverse.
You need to define a projection rule for your object type so that ILM 2007 will create the objects in the
metaverse for each of the imported students (except those filtered out). You will typically choose to
project your students through a declarative rule to the person object type.
If you want to create a custom attribute in Metaverse (for example, TempPassword), use the Metaverse
Designer tool. In Identity Manager, click Metaverse Designer.
Click Add Attribute from the Attributes Action list.
Click the New attribute button, type the attribute name, select the attribute type and click the tick box
next to Indexed. Click Ok. The Metaverse attribute is now ready to be used.
Advanced rules
You can also specify advanced rules which allow you to specify flow calculations with rules extensions.
For example, allowing the flow of a component of a distinguished name into a destination attribute as a
string. Finally, a common advanced mapping type is the constant option. This allows you to specify a
string value that will flow into the metaverse object for all linked objects of this type. Advanced
attribute flows are discussed in more detail in the ILM 2007 Developer Reference help file.
Configure Deprovisioning
Deprovisioning is the action applied to the connector space object as a result of either the deletion of its
connected metaverse object or a direct call for a deprovisioning of the connector space object from a
piece of code. For Live@edu, you will want to check the box next to "Do Not Recall Attributes" and
leave the radio button set to make them disconnectors so that you do not start deleting objects from your
data source.
Stage a Delete
You can put the connector space object into a pending delete state; when the next export run is
performed the corresponding data source object will be deleted.
Rules Extension
Determine via a rules extension: you provide code that decides what to do with
the object.
Configure Extensions
Extensions are code that is written, compiled, and configured for use with ILM 2007 that makes it
possible to add functionality to the rules provided in Identity Manager. They are not necessary for a
basic Live@edu implementation but allow for customized and extended functionality.
Section 7: Installing and Configuring the Export Management Agent
NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. It does not
cover Exchange Labs provisioning.
1. Locate the Windows Live Management Agent installation file (WLCDMASetup.msi) and launch
it.
Create the Windows Live (Export) Management Agent
Make sure you are logged into the machine as a user that is a member of the ILM administrators group.
2. Open the ILM Identity Manager console by clicking Start -> All Programs -> Microsoft Identity
Integration Server -> Identity Manager.
4. On the Actions menu on the right you will see a list of actions that you can perform on a
management agent. Click Create to launch the wizard for creating a management agent.
5. Under Create Management Agent, there will be a dropdown list of all of the different installed
Management Agents. The fact that each of these management agents is installed on this server
means that this ILM installation could potentially connect to and communicate with each type of
data source in that list. Select WLCD Management Agent (Microsoft).
6. In the Name text box enter a name that describes the use of this management agent. Click Next.
7. On the Configure Connection Information page, enter your Windows Live domain administrator
credentials. If you are authenticating with a certificate instead (configured through the DefaultCert
element of WLCDGlobalConfig.xml), no credentials are needed here. Click Next.
8. On the Configure Additional Parameters page, you can change the value for the name of the log
file created during every export to Windows Live.
9. On the Configure Attributes page, as with the other management agent you just created, you
could make further configuration changes – for example setting an anchor – but it has been
done already. Accept the default settings. Click Next.
10. On the Configure Object Types page accept the default settings (as with the other management
agents, there is only one type of object, called PassportUser in this case rather than
person, so there is nothing to do here). Click Next.
11. On the Configure Connector Filter page accept the default settings (since the Windows Live
Management Agent is export only, you will never have a requirement for a filter). Click Next.
12. On the Configure Join and Projection Rules page, accept the default settings. Join and
projection rules are associated with inbound synchronization, which applies to
imported records; we are only going to be exporting to Windows Live, so there is no
requirement for such rules. Click Next.
13. On the Configure Attribute Flow page you must at a minimum create a rule to export the e-mail
address to Windows Live.
Ensure that the Data source object type is set to PassportUser
Ensure that the Metaverse object type is set to person (if applicable)
Under Metaverse Attributes on the bottom right, select the mail attribute or whichever
attribute you have contributed the e-mail address of the student to from the data source
Under Mapping Type in the middle, select Direct (this is the default)
Under Flow Direction in the middle, select Export (ensure that Allow Nulls is unchecked)
Under Data Source Attributes on the bottom left, select the SigninName attribute
Click New
14. Verify that the attribute flow is configured similar to the figure below:
This rule will allow the mail attribute that we contributed to the metaverse from the student data source
to flow out to the SigninName in Windows Live using a direct export rule.
Passport User Attributes
The SigninName string represents the member name (e-mail address). Windows Live ID e-mail names
must conform to RFC 822 (SMTP) for the user name portion of the e-mail address and to RFC 1035 for
the domain portion, with these additional restrictions on the user name portion:
50 characters maximum
No Unicode (ASCII only)
The first character must be a letter (ASCII 97-122 or 65-90)
A period (ASCII 46) is allowed except as the first or last character, and two adjacent periods are not
allowed
All other characters must be digits (ASCII 48-57), uppercase letters (65-90), the underscore (95) or
lowercase letters (97-122)
Note: Configuring the SigninName is the minimum that you need to do for this management agent;
however there are also other attributes that you can use to change settings or set initial account
passwords. The following attributes allow you to flow the following values to specific student
accounts.
Attribute        Description
<dn>             The distinguished name; used as the anchor.
AltEmail         The user's alternate e-mail address. A string with a maximum length of 129
                 characters. Set this for students if you know it, so that they can recover a
                 forgotten password themselves instead of calling the helpdesk to have the
                 administrators of the solution reset it. Set only on creation of the account,
                 not on update.
Birthdate        The user's birth date. A string with a maximum length of 10 characters in the
                 format dd:mm:yyyy. Set only on creation of the account, not on update.
Country          The user's country. A string with a maximum length of 2 characters. Set only on
                 creation of the account, not on update. There is a list of valid Country Codes
                 in Appendix A.
DeleteUser       A boolean value (true or false) that determines whether an account should be
                 evicted from the managed namespace.
Export_password  An attribute used by ILM for password management. Not user configurable.
FirstName        The member's given name. Set only on creation of the account, not on update.
LanguageCode     The member's language. A string with a maximum length of 5 characters. Set
                 only on creation of the account, not on update. There is a list of valid
                 Language Codes in Appendix B.
MailDisabled     Boolean value (1 or 0) that indicates whether the user is blocked from logging
                 in. A value of 1 means the user is blocked and cannot use his or her Windows
                 Live ID to access any services. Use this, for example, to lock a student out
                 of the account while an investigation of improper behavior takes place.
                 Blocking a user is reversible; evicting an account is not, because an evicted
                 account can no longer be a member of the university namespace.
NetID            A long string representing the user's ID in the Windows Live system. This
                 unique identifier is assigned by the Live ID servers and does not need to be
                 managed.
OfferName        A string that represents the OfferID associated with the user, for example
                 "US No Ads". Offers must be configured on the Microsoft system to be valid. If
                 you are having issues with your offer, contact the Windows Live Commercial
                 Partner Center using this e-form:
                 https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww
PostalCode       The user's postal code. A string with a maximum length of 15 characters; United
                 States only. Set only on creation of the account, not on update.
RegionCode       The user's region. A string with a maximum length of 10 characters; United
                 States only. Set only on creation of the account, not on update. There is a
                 list of valid Country Codes in Appendix A.
ResetPassword    A value that determines whether the user is prompted to change the password
                 during the first login.
TempPassword     The temporary initial password for a new Windows Live ID. The password must be
                 reset by the user on initial login. There are several options for managing
                 passwords for the accounts. If you choose to set the initial password to a
                 known value, this is the attribute to set. Otherwise leave it blank and let the
                 Windows Live Management Agent generate a password, in which case the password
                 is written to the export log file for you to communicate to the students.
                 That log file then holds readable initial passwords, so restrict access to it
                 and remove it once the passwords have been distributed. See the Password
                 Management section of this document for more information.
TimeZone         The user's time zone. Set this for students so that features such as the
                 calendar behave correctly; if it is not set, the mailbox defaults to GMT. Set
                 only on creation of the account, not on update. There is a list of valid time
                 zones in Appendix C.
16. On the Configure Deprovisioning page, accept the default settings which should be Make them
disconnectors. This will prevent your users from inadvertently getting evicted from the Windows
Live namespace. Click Next.
17. If you are using password synchronization with Active Directory, click the Enable Password
Management tick box, otherwise on the Configure Extensions page, click Finish.
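The following added example is not part of this guide or of the Windows Live Management Agent. It checks a staged PassportUser record against the SigninName rules and the attribute limits listed in the Passport User Attributes section above before the record is exported, so that malformed names and out-of-range values are caught on your side rather than rejected by Windows Live. The managed domain wledutraining.com (the example domain used for the Domain element of WLCDGlobalConfig.xml), the sample records, the decision to apply the 50-character limit to the user name portion only, and the requirement that the domain portion equal the managed namespace are all assumptions made for the example.

```python
"""Added pre-export check for PassportUser records (example, not the management agent's code)."""
import re
from datetime import datetime

# The school namespace the management agent provisions into.  This is the
# example domain the guide uses for the Domain element; substitute your own.
MANAGED_DOMAIN = "wledutraining.com"

# Maximum string lengths from the Passport User Attributes table.
MAX_LENGTHS = {"AltEmail": 129, "Country": 2, "LanguageCode": 5,
               "PostalCode": 15, "RegionCode": 10}

# Characters allowed in the user name portion: digits, upper- and lowercase
# ASCII letters, underscore and period (position rules are checked separately).
USER_NAME_CHARS = re.compile(r"[A-Za-z0-9_.]*")


def validate_signin_name(signin, domain=MANAGED_DOMAIN):
    """Return a list of rule violations for a SigninName (empty when valid).

    The 50-character limit is applied to the user name portion only, and the
    domain portion must be the managed namespace; both are assumptions made
    by this example rather than rules spelled out by the guide.
    """
    if not signin.isascii():
        return ["SigninName: Unicode characters are not allowed"]
    local, sep, dom = signin.partition("@")
    if not sep:
        return ["SigninName: missing '@'"]
    errors = []
    if dom.lower() != domain.lower():
        errors.append(f"SigninName: domain {dom!r} is not the managed namespace {domain!r}")
    if not 1 <= len(local) <= 50:
        errors.append("SigninName: user name must be 1 to 50 characters")
    if not local[:1].isalpha():
        errors.append("SigninName: first character must be a letter")
    if local.endswith("."):
        errors.append("SigninName: last character cannot be a period")
    if ".." in local:
        errors.append("SigninName: two adjacent periods are not allowed")
    if not USER_NAME_CHARS.fullmatch(local):
        errors.append("SigninName: only letters, digits, underscore and period are allowed")
    return errors


def validate_record(record, domain=MANAGED_DOMAIN):
    """Check one staged PassportUser record against the attribute table."""
    errors = validate_signin_name(record.get("SigninName", ""), domain)
    for attr, limit in MAX_LENGTHS.items():
        value = record.get(attr)
        if value is not None and len(value) > limit:
            errors.append(f"{attr}: longer than {limit} characters")
    birthdate = record.get("Birthdate")
    if birthdate is not None:
        try:
            if len(birthdate) != 10:
                raise ValueError("wrong length")
            datetime.strptime(birthdate, "%d:%m:%Y")   # rejects impossible dates such as 31:02:1991
        except ValueError:
            errors.append("Birthdate: expected a real date in dd:mm:yyyy form")
    if record.get("MailDisabled") not in (None, "0", "1"):
        errors.append("MailDisabled: must be 1 or 0")
    if record.get("DeleteUser") not in (None, "true", "false"):
        errors.append("DeleteUser: must be true or false")
    return errors


# Constructed sample records as they might be staged in the connector space.
SAMPLE_RECORDS = [
    {"SigninName": "ann.lee@wledutraining.com", "AltEmail": "ann@example.org",
     "Birthdate": "05:11:1990", "Country": "US", "LanguageCode": "en-US",
     "PostalCode": "98052", "RegionCode": "WA", "MailDisabled": "0", "DeleteUser": "false"},
    {"SigninName": "1bob@wledutraining.com", "Birthdate": "31:02:1991",
     "Country": "USA", "MailDisabled": "yes"},
]


def validate_all(records=SAMPLE_RECORDS, domain=MANAGED_DOMAIN):
    """Map each SigninName to its list of problems; only clean records should be exported."""
    return {rec.get("SigninName", "<no SigninName>"): validate_record(rec, domain)
            for rec in records}


if __name__ == "__main__":
    for name, problems in validate_all().items():
        print(name, "OK" if not problems else problems)
```

Run this over the connector-space export (or the flat file feeding it) before the first export run; records that come back with problems should be fixed at the source, as the maintenance table earlier in this guide recommends, rather than patched in ILM.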
Enable Provisioning
ILM 2007 uses the term provision to describe the process that it goes through to create a new account.
For ILM 2007 to be able to create new accounts in Windows Live you must first enable provisioning.
Typically using ILM 2007 to provision (create) accounts requires some code to be written so that it
knows how to properly create those accounts. The Live@edu installation has already taken care of this
for you by placing the compiled code into the correct folder. The compiled code is referred to as a
Metaverse Rules Extension. You will need to configure ILM 2007 to use that Metaverse rules extension
to create accounts in Windows Live. This is done by pointing ILM 2007 to the rules extension that was
installed on the machine during setup of the Windows Live Management Agent and checking the box to
enable provisioning.
18. In Identity Manager, on the Tools menu, click Options
19. On the Configure Extensions dialog box, click Enable Metaverse Rules Extensions.
20. To pick the name of the Rules Extension from the list of files in the Extensions folder, click
Browse.
21. Select WLCDMVExtensionLoader.dll from the list of file names.
You should see the filename WLCDMVExtensionLoader.dll that you selected in the Rules extension name
field.
23. Click Enable Provisioning Rules Extension.
WLCDGlobalConfig.xml
This XML file uses elements that the management agent uses to apply global account attributes and
controls for a domain, such as certificate authentication, offers, and global user attributes.
The WLCDGlobalConfig.xml contains settings that apply to all Windows Live member accounts
provisioned with ILM. It may be opened with Notepad as a text file for ease of viewing and editing. You
will need to change values for at least the DefaultOfferName and Domain Name elements to reflect your
offer and domain name assigned to you. This file resides in the ILM Extensions directory (usually
c:\program files\microsoft identity integration server\extensions). Here is an example WLCDGlobalConfig XML file:
Elements
An element in XML is defined as a unit of XML data, delimited by tags. An XML element can enclose
other elements. The following elements make up the body of the management agent Global
Configuration XML file:
Element Description
<DefaultCert> If using a certificate for authentication, the subject and issuer elements need to contain the Subject and Issuer strings from the SDK menu of the Windows Live Admin Center Control Panel.
<DefaultResetPassword> Controls whether members have to reset their password during the initial login experience. This element can contain the values True or False.
<Url> Contains the URL for the Windows Live Admin Center administration website for provisioning accounts, such as https://domains.live.com/service/ManageDomain2.asmx.
<Domain name=""> Contains the value of your fully qualified domain between the quotation marks, such as wledutraining.com.
<DefaultUserAttributes> Contains values for the attributes below that will be applied globally to all member accounts.
Note: Global attributes from the XML are only set on member accounts upon account creation.
Setting the attribute values after provisioning accounts will not update them.
WLCDProvisioningConfig.xml
This XML file controls the settings that are relevant to ILM 2007 and how you have it configured. You
will need to edit this file for the solution to work properly. This XML file is used to identify the name of
your export management agent and enable account creation of Windows Live IDs in ILM 2007. Other
elements may also be set in this file to identify and customize your ILM environment, such as
MVEntryObject and MVEntryAttribute, if you customized them. An administrator can also use this XML
file to filter domains and add custom assemblies for added functionality, or specify more than one
export management agent.
You will need to enter the name of your management agent in the name element and (optionally) the
MVEntryObject and the MVEntryAttribute. This file resides in the same ILM extensions directory
(usually c:\program files\microsoft identity integration server\extensions) as the WLCDGlobalConfig. The following is a sample WLCDProvisioningConfig XML:
Elements
Element Description
<rules-extension-properties> Wrapper element for the contents of the file.
<ManagementAgent> Contains several sub-elements specifying the attributes to which this rules extension applies. There should be one ManagementAgent element for each Windows Live Management Agent in ILM 2007.
<MVEntryObject> The type of the Metaverse entry object containing member account information. The XML file's default value is person, which is also the usual setting. This value should match the one used when configuring the management agent's attribute flow.
<Domain> The domain to which the rules extension applies. If you have only one e-mail domain set up with Live@edu, this is the domain that should appear here (for example, wledutraining.com). It may be repeated.
<Name> The domain specified for filtered exports. Only used if Filter is specified.
<add-assemblies> A node that contains multiple assembly elements and configures the Metaverse extension DLLs that are to be used by ILM 2007.
<assembly name="WLCDMVExtension.dll"> The name of the assembly to run. You can copy and paste additional assembly elements if you are running other rules extensions.
Note: If you have multiple Windows Live Management Agents in ILM 2007, you must create a
<ManagementAgent> node with all the required data for each one.
Configure Offers
OfferName and OfferAction are two attributes in version 3 of the Windows Live Management Agent that ensure accounts receive the Live@edu offers for your domain. All accounts must have their OfferName and OfferAction configured.
Your offer name is provided to you by the Windows Live Commercial Partner Center when they
configure your domain as a Live@edu domain. Appropriate offer actions are Add and Delete.
Attribute Flow
In the Attribute Flow scenario, the values for OfferName and OfferAction are stored in your source data
and flowed through ILM in much the same way as e-mail address. OfferName assumes the OfferAction
of Add if it is not specified.
WLCDGlobalConfig
In the Global Config scenario, the values for OfferName are included in the WLCDGlobalConfig XML file
and stamped on member accounts at the time of creation.
Section 9: Additional Settings
Managing MX Records
MX records specify how to route mail to your new e-mail domain. It is critical that these are modified
correctly for the proper routing of mail messages to your Windows Live IDs. These records must be
modified in your DNS server by the DNS server administrator.
Add a Sender Policy Framework (SPF) Record for Each E-mail Domain
To help combat unsolicited e-mail, you are encouraged to create an SPF record and add it to the DNS records of your domain. This record lets mail servers that receive e-mail from your domain verify that it was sent from a host your domain has authorized, which minimizes the chance of it being filtered or rejected by a receiving mail server that checks SPF records.
An example of a Sender ID TXT record DNS entry:
Data Synchronization
Data flow in ILM 2007 occurs in three phases: import, synchronization, and export. Importing is the
process of retrieving data from a connected data source and storing it in the connector space. Objects
must exist in the connector space to store the data being imported. If new objects are needed in the
connector space they are created during the import operation. The process of creating the new objects
and storing the newly imported data in the connector space is referred to as staging. Once data is
staged, it is ready for inbound synchronization. Inbound synchronization is the process that adds the
imported (staged) data to the Metaverse. During the import (staging) operation all data is imported into
the connector space including objects that meet the filtering criteria. All filtered objects in the connector
space are ignored during inbound synchronization so they do not get processed and are not added to
the Metaverse. Join and projection rules are applied during inbound synchronization to create
Metaverse objects as necessary and connect connector space objects to Metaverse objects. Import
attribute flow rules are applied during inbound synchronization to further control exactly what data
flows from the connector space to the Metaverse.
Outbound synchronization takes place at the same time as inbound synchronization and is the process
of retrieving data from the Metaverse and storing it in the connector space to get it ready for export.
Exporting is the process of sending data in the connector space to a connected data source. Outbound
synchronization and exporting data are discussed in more detail later in this guide.
Now that the management agents are configured you can begin processing the data. ILM 2007 makes it
possible for you to examine the data being processed during each phase of the data flow process. You
may take advantage of this feature to familiarize yourself with the statistics and message displays that
are shown during and at the completion of the runs.
Run Profiles
For each management agent you can define a number of run profiles. These are used to initiate each of
the three phases of data flow. Run profiles provide operating parameters to management agents each
time they are run. The information in the run profile varies based on the management agent that uses it.
For example, a run profile for a delimited text file management agent contains parameters indicating the
name of the text file that is used as the connected data source and data indicating which phase of the
data flow is to be processed.
In this document you create one run profile for each management agent. This makes it possible to
process one phase of the data flow and then stop and examine the data to make sure data is flowing as
expected allowing you to monitor and troubleshoot the implementation of a new deployment. Once
data flow has been verified and you are confident everything is functioning properly, you can create
more sophisticated run profiles that perform a number of steps at once. For the purposes of this walkthrough, and to help you learn how data flows, simpler individual run profiles are used for each phase of data flow rather than combining multiple phases into a more extensive run profile.
Configure the Full Import and Full Synchronization Run Profile for the Import Management
Agent
The first run profile is used to stage the data from the source management agent to the connector space
and from there, to synchronize it with the Metaverse. ILM 2007 allows the combining of these two
actions into a single run profile.
3. Click the name of the source management agent that you assigned to it at the time of creation.
4. In the Actions menu, choose Configure Run Profiles. The Configure Run Profiles for <management
agent Name> screen opens.
6. Enter Full Import and Full Synchronization as the name of the run profile in the Name text box and
click Next.
7. On the Configure Step screen specify the type of operation that will occur when this run profile is
used. This is where you choose the phase of data flow that will be processed when this run profile is
used. In the drop-down list, choose Full Import and Full Synchronization. This option will cause all
the data in the data source to be staged in the connector space.
8. The other options on this screen are not needed in this instance. Click Next.
Configure Export Run Profile for the Windows Live Management Agent
The second run profile that you will need to create is the Export run profile for the Windows Live Management Agent. This profile exports the data from the Windows Live ID connector space and sends it to the Windows Live service for processing. Examples of data that may be exported as part of an Export run of the Windows Live Management Agent include adding (provisioning) of users, eviction (removal from namespace) of users, and resetting passwords. To create the Export profile for the Windows Live Management Agent, follow the steps above used to create the Full Import and Full Synchronization profile, but instead of selecting Full Import and Full Synchronization in the drop-down list, select Export. To verify that the run profile has been created, select the name you have assigned to the Windows Live Management Agent in the management agents screen and then select Run from the Actions menu. You should see a screen listing the profiles, with the Export profile among them.
Setting up Deltas
Setting up deltas is straightforward if you are using Active Directory as the source data store. AD inherently supports deltas by default, and the only change that must be made to accommodate deltas is the creation of a run profile that explicitly uses them. Choose the Delta Import, Delta Synchronization step rather than the Full Import, Full Synchronization step when creating the profile. The deltas will automatically be created and used by the AD management agent. Should AD not be your data source, you may still be able to create deltas if your source supports it. For example, deltas have been implemented with such systems as LDAP directories, SQL servers and many others. Please see the Developer Reference in the Help menu of Identity Manager for more information on setting up and configuring deltas in various connected directories.
Populating the Metaverse
Now that you have created the appropriate Run Profiles, you will need to first populate the ILM Metaverse before you are able to create new Windows Live IDs from the data that it will contain. To populate the Metaverse, run the data source management agent with a Full Import Full Synchronization run profile. This type of run should occur at regular intervals but should probably not be the standard daily run that you will want to execute. Running full imports and full synchronization routines consumes time because every object is evaluated. In the ILM management console, on the Tools menu, click
management agents, and then click the data source management agent (the name that you have
previously assigned to it) to highlight it. On the Action menu click Run to display the Run management
agent dialog box. Under Run profiles click the appropriate profile for Full Import, Full Synchronization
(for most setups like the one discussed above, there is only one), and then click OK.
Note: If the option is available, create and run a delta import delta synchronization instead of a full
import full synchronization. The “Delta Import, Delta Synchronization” profile can be run via steps
similar to the ones above except with a different run profile being selected. For more information,
please see Delta Import and Delta Synchronization section below.
Note: Depending upon the number of Windows Live IDs to be processed the job may execute for
several seconds to several hours. ILM management agents run in a single thread and you can expect
an approximate rate of 2-6 seconds per account, depending on network traffic, connectivity etc.
The end result of a management agent run will be shown at the bottom of the main window in a panel
containing the end time and status. If the status indicates success, see the next section, Creating
Windows Live IDs. Otherwise, see the Troubleshooting section later in this guide.
Configure the proper partition and OU information when setting up the Active Directory management agent (the source management agent).
Set the synchronization step Type to Full Import and Full Synchronization when creating the Staging run profile.
As with other ILM management agents Windows Live Management Agent results are available for future
reference in the Operations log. To view the Operations log click on the Tools menu of the ILM
management console and then click Operations.
NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. This guide does not cover Exchange Labs provisioning.
Given the sensitive nature of the file contents it is stored in a folder that is accessible only to members
of the MIISAdmins security group by default and optionally the MIISOperators security group; the latter
is assigned permission by a manual configuration step. This folder should also be backed up to a
secondary location with restricted access. The intention of the output file is to provide the System
Administrator a reference from which to produce the first-time communication of the Windows Live ID
e-mail account name and password to the target user should the password not be supplied by ILM at
the time of user creation. The user will be forced to change their password (and secret question/answer)
at first sign on per the flow shown in Password Management later in this guide. Though the user will
change the password, the file is still considered to contain sensitive data because it contains an
inventory of valid e-mail names. It is recommended to delete the file and the backup(s) 60 days after the
temporary Windows Live IDs have been communicated to the users. After deletion the ILM Metaverse
contains the definitive source for the e-mail names and is backed up as a standard operating procedure.
Note: Currently, renaming an account will result in the loss of the mailbox content for that account but retain calendar and contact information. Microsoft is building out functionality so that the account will maintain the mailbox content as well. There is no ETA for when this functionality will be ready; however, as soon as it is released the Windows Live@edu team will communicate to all schools in the program and update the FAQ. In the interim, it is recommended that you create new accounts instead. In order to create new accounts using Active Directory as your data source, it is required to use an anchor attribute such as employeeID instead of SigninName.
To enable the Windows Live ID evict feature select either the second or third option in the following
dialog box.
Note: The second option is used in conjunction with your source data management agent and not with
the Windows Live Management Agent. When an object is deleted from the source management agent
the Windows Live ID will be evicted from the managed namespace on the next export run. If you want
to write custom code for the deletion rules select the third option and modify your rules extension
code accordingly. Note that you may not, in this case, use the precompiled rules extension that ships
with the management agent because it contains no deletion rules.
Attribute Interdependencies
Within the Windows Live ID system, certain attributes are related to each other. For improved user
experience we suggest you configure the five attributes below on all accounts. These attributes will
allow students to self reset their passwords, access the calendar, and have their mail stamped with the
appropriate date and time.
The values can be applied to the Windows Live ID profiles via Attribute Flow or in
WLCDGlobalConfig.xml. Further information regarding these attributes can be found in the
Administrators Guide appendices.
TimeZone 1-4 digit numeric code for the user's time zone, e.g. 1119.
RegionCode 1-5 digit numeric code for the user's region (state), e.g. 5599.
Birthdate 10 digit alphanumeric string for the birthdate in the format of DD:MM:YYYY, e.g. "31/12/1960" without the quotes.
Note: Providing some, but not all of these fields may cause errors. It is best practice to provide all.
1. If a member should no longer be part of the domain and you have object deletion rules set, you can simply delete the member from the data source. Performing this action will evict the member from the domain namespace. The member's mailbox will be deleted but contact and calendar information remain intact.
2. If a member retains the domain account but is no longer an active student, offers for the
student should be removed using attribute flow.
Configuring Multiple Sites
It is a common scenario where schools have a completely different domain for either different schools
within their community or different domains for students and alumni. The WLCDGlobalConfig.xml file
will allow you to specify additional domains, and as long as the administrator being used to create the
accounts is an administrator on both domains (or the certificate used for authentication), the accounts
will be created. A sample WLCDGlobalConfig.xml configured for two domains is below:
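The two-domain sample the guide refers to is a figure that is not reproduced here. The following is an added example, not Microsoft's sample and not code from the guide: it constructs a two-domain WLCDGlobalConfig.xml from the elements described in the Elements table above and runs a small sanity check over it, with a deliberately weak copy (plain-http Url, blank Domain name) beside it. The element names are the guide's; the nesting, the domain and offer names, and the certificate strings are assumptions, so the checks locate elements by tag name wherever they sit.

```python
"""Sanity-check a WLCDGlobalConfig.xml before running the Windows Live
Management Agent (added example; not Microsoft's code).

Element names come from the guide (DefaultCert with subject/issuer,
DefaultResetPassword, Url, Domain name="", DefaultOfferName,
DefaultUserAttributes). How they nest is not documented in the text, so the
sample below uses an assumed layout and the checks find elements by tag
name wherever they appear in the tree.
"""
import xml.etree.ElementTree as ET

# Constructed two-domain sample. Domain names, offer names and the
# certificate strings are placeholders; the nesting is an assumption.
SAMPLE_TWO_DOMAIN_CONFIG = """<WLCDGlobalConfig>
  <DefaultCert>
    <subject>EXAMPLE-SUBJECT-FROM-ADMIN-CENTER</subject>
    <issuer>EXAMPLE-ISSUER-FROM-ADMIN-CENTER</issuer>
  </DefaultCert>
  <DefaultResetPassword>True</DefaultResetPassword>
  <Url>https://domains.live.com/service/ManageDomain2.asmx</Url>
  <Domain name="wledutraining.com">
    <DefaultOfferName>EXAMPLE-STUDENT-OFFER</DefaultOfferName>
    <DefaultUserAttributes>
      <TimeZone>1119</TimeZone>
      <RegionCode>5599</RegionCode>
    </DefaultUserAttributes>
  </Domain>
  <Domain name="alumni.wledutraining.com">
    <DefaultOfferName>EXAMPLE-ALUMNI-OFFER</DefaultOfferName>
  </Domain>
</WLCDGlobalConfig>
"""

# The same file with two mistakes an administrator could easily make:
# a plain-http Url and a Domain element whose name was never filled in.
WEAK_CONFIG = (SAMPLE_TWO_DOMAIN_CONFIG
               .replace("https://", "http://")
               .replace('name="alumni.wledutraining.com"', 'name=""'))


def _text(node):
    """Stripped text of an element, or "" when it is absent or empty."""
    return (node.text or "").strip() if node is not None else ""


def check_global_config(xml_text):
    """Return (domains, problems): the Domain name values found, and a list
    of findings. An empty problems list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []

    # Url: the agent authenticates to this endpoint, so it must be https.
    urls = [_text(u) for u in root.iter("Url")]
    if not urls:
        problems.append("Url element missing")
    for u in urls:
        if not u.lower().startswith("https://"):
            problems.append("Url does not use https: %s" % u)

    # DefaultResetPassword accepts only True or False.
    for e in root.iter("DefaultResetPassword"):
        if _text(e) not in ("True", "False"):
            problems.append("DefaultResetPassword must be True or False")

    # DefaultCert, when present, needs both strings from the SDK menu.
    for cert in root.iter("DefaultCert"):
        for field in ("subject", "issuer"):
            if not _text(cert.find(field)):
                problems.append("DefaultCert has an empty %s" % field)

    # At least one DefaultOfferName must have been changed from blank.
    offers = [_text(o) for o in root.iter("DefaultOfferName")]
    if not any(offers):
        problems.append("DefaultOfferName missing or empty")

    # Each Domain needs a non-empty, ASCII, dotted FQDN; no duplicates.
    domains = []
    for d in root.iter("Domain"):
        name = (d.get("name") or "").strip()
        if not name:
            problems.append("Domain element with empty name attribute")
        elif "." not in name or not name.isascii():
            problems.append("Domain name is not a plain FQDN: %s" % name)
        elif name.lower() in (x.lower() for x in domains):
            problems.append("duplicate Domain: %s" % name)
        else:
            domains.append(name)
    if not domains:
        problems.append("no usable Domain element found")
    return domains, problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_TWO_DOMAIN_CONFIG), ("weak", WEAK_CONFIG)):
        domains, problems = check_global_config(cfg)
        print(label, domains, problems or "OK")
```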
Section 11: Password Management
Create Initial Password
In order to set the initial password for the students, you must select one of the two methods. Either you
can use attribute flow in ILM 2007 to set the initial password using the TempPassword attribute or you
can allow the management agent to set the password for you. When you allow the management agent
to create the initial password for you it is stored in the log file in the C:\Program Files\Microsoft Identity
Integration Server\MaData\<export ma> folder by default.
Password Reset
Two methods are available online for an individual Windows Live ID user to reset his/her own password,
namely: (a) using data verification and answering the secret question, or (b) if an optional alternative e-
mail was provided, a mail is sent to that address which contains a link to a site where you can change
your password. The System Administrator-based password reset procedure presumes these methods
have failed the end user. Before proceeding, it is required that the System Administrator has validated
that the user requesting the password reset is the legitimate owner of the Windows Live ID, for
example, by viewing a student ID card and ensuring that student was assigned the e-mail address for
which they are requesting a password reset. Once it is determined that a System Administrator-based
password is required, the password may be reset using the methods described below.
Password limitations
Passwords must be at least six characters and a maximum of 16. The Windows Live ID may NOT be part
of the password. For security purposes we recommend that when creating temporary passwords you use 10 characters and at least one each from the following character sets:
Numbers: {0123456789}
A password cannot contain part of the secret question or secret answer after an account has been
activated and the secret question set. The answer to the Windows Live ID secret question helps a
member reset a password in case it was forgotten. For example, if the Windows Live ID secret question
is “Mother’s Birthplace” and “Seattle” is the answer, the Live ID password cannot contain “Seattle”. This
restriction is not case sensitive.
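The limitations above, as an added example rather than code from the guide: check_password() applies the length, Windows Live ID and secret question/answer rules, and make_temp_password() produces a 10-character temporary password that satisfies them. The guide lists only the digit character set here, so the other three sets, the local-part check, and the word-by-word reading of "part of the secret question" are assumptions.

```python
"""Check a temporary Windows Live ID password against the limitations in this
section, and generate one that meets them (added example; not Microsoft's code).

Rules taken from the guide: 6 to 16 characters; the Windows Live ID may not be
part of the password; and once the secret question and answer are set, the
password may not contain part of either (not case sensitive). The recommended
temporary password is 10 characters with at least one from each character set.
The guide lists only the digit set, so the other three sets are assumptions.
"""
import re
import secrets
import string

MIN_LEN, MAX_LEN = 6, 16
TEMP_LEN = 10
CHAR_SETS = {
    "numbers": "0123456789",               # from the guide
    "uppercase": string.ascii_uppercase,   # assumed
    "lowercase": string.ascii_lowercase,   # assumed
    "symbols": "!#$%&*+-=?_",              # assumed
}


def check_password(password, signin_name, secret_question=None, secret_answer=None):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))

    pw = password.lower()
    # The Windows Live ID may not be part of the password. Checked as the full
    # sign-in name and (assumption) as its local part, since either exposes it.
    sid = signin_name.lower()
    local = sid.split("@", 1)[0]
    if sid in pw or (len(local) >= 3 and local in pw):
        problems.append("password contains the Windows Live ID")

    # The secret question/answer rule applies only once they have been set.
    if secret_answer and secret_answer.lower() in pw:
        problems.append("password contains the secret answer")
    if secret_question:
        # Conservative reading of "part of": no word of three or more
        # characters from the question may appear in the password.
        for word in re.findall(r"[a-z0-9]{3,}", secret_question.lower()):
            if word in pw:
                problems.append("password contains part of the secret question: " + word)
                break
    return problems


def covers_all_sets(password):
    """True when the password has at least one character from every set."""
    return all(any(c in charset for c in password) for charset in CHAR_SETS.values())


def make_temp_password(signin_name, secret_question=None, secret_answer=None, length=TEMP_LEN):
    """Generate a temporary password that covers every character set and
    passes check_password() for this user; retries until both hold."""
    assert length >= len(CHAR_SETS)
    alphabet = "".join(CHAR_SETS.values())
    rng = secrets.SystemRandom()
    while True:
        chars = [secrets.choice(charset) for charset in CHAR_SETS.values()]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, signin_name, secret_question, secret_answer):
            return candidate


if __name__ == "__main__":
    # Constructed sample user; the question/answer pair is the guide's own example.
    user, question, answer = "adam.smith@wledutraining.com", "Mother's Birthplace", "Seattle"
    print(check_password("SeattleRain7", user, question, answer))
    print(make_temp_password(user, question, answer))
```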
After saving the file, one would perform the normal run cycle for the import and export management
agents; an import to connector space from the data source management agent followed by a
synchronization and finished with an export to Windows Live. Attribute flow for the delimited file
management agent looks like the screen shot below, with SigninName and TempPassword importing to
mail and TempPassword in the metaverse.
Below is another example of using Active Directory to flow a TempPassword. In this case, the mail
attribute is set in the e-mail field on the General tab and the TempPassword is using the Notes field to
flow into Metaverse.
Active Directory import management agent’s attribute flow:
5. In Delimited Text Format, select the tick box for Use first row for header names, select comma
as the delimiter and click Next.
6. On the Configure Attributes page, set the anchor to the SigninName. Click the Set Anchor
button.
7. Select the SigninName attribute from the list of available attributes, click the Add button and
click OK.
8. Skip the pages for Map Object Types, Define Object Types, Configure Connector Filter and on
the Configure Join and projection rules page, click the New Join Rule button.
9. Select SigninName from the Data source attribute list, set the Mapping type to direct, and select
the metaverse object containing the Windows Live ID, then click Add Condition.
10. If the Metaverse attribute containing your Windows Live ID isn’t indexed in ILM, the message
below may appear. You can fix this by selecting the tick box for the attribute in Metaverse
Designer but it is not necessary. Click OK.
11. The condition statement for the join rule appears in the list; click OK.
12. The join rule appears in Configure Join and Projection Rules, click Next.
13. On the Configure Attribute Flow page, set up direct import attribute flow for SigninName and
TempPassword, then click Next.
14. On the Configure Deprovisioning page, select the radio button next to Do not recall attributes
and click Next.
19. Select the password reset management agent in the list and click the up arrow so that it takes
first order of precedence and click OK.
The user or an administrator initiates the password change request in AD. The password change
request, including the new password, is sent to the nearest AD domain controller.
The domain controller records the password change request and notifies the password change
notification filter (a PCNS DLL that monitors for change notifications).
PCNS verifies the password change request, then authenticates the Service Principal Name (SPN) by using Kerberos and forwards the password change request in an encrypted Remote Procedure Call (RPC) to the desired ILM 2007 server.
ILM 2007 validates that the source domain controller is a member of the Domain Controllers
container in the source domain and then uses the domain name to locate the management agent
that services that domain. It uses the user account information in the password change request to
locate the corresponding object in the connector space.
ILM 2007 determines the management agents that have been configured to receive the password change (target management agents, in our case the Windows Live Management Agent) and, if they are enabled for password synchronization, propagates the password change to them.
The Windows Live Management Agent then performs the proper web service calls to reset the
password in the Windows Live system.
The synchronization described above is a one-way synchronization. Should a user reset his or her
password in Windows Live it will not be reset in AD. However, if the user resets the password in AD it
will automatically be set in Windows Live.
Should you choose to implement password synchronization via PCNS, please download the following file: http://www.microsoft.com/downloads/details.aspx?FamilyID=ae09d2f5-8ac2-4769-ab6a-48fe35a25c63&DisplayLang=en. After installation, please see the Password Synchronization scenario that may be found under C:\Program Files\Microsoft Identity Integration Server\Scenarios\PasswordSynchronization, or another directory similar to the one above if you changed the installation path for ILM 2007. To set up PCNS to synchronize AD passwords to Windows Live you will need to perform the following steps. Each of these is explained in detail in the above-mentioned document, which should serve as your primary reference when setting up PCNS.
Install the DLL filter on each domain controller in the domain. This is accomplished by running the
MSI installation file that is provided as part of the PCNS solution on each domain controller. This task
may be automated using a push mechanism of your choice that supports automated installs of MSI
files.
Configure the service principal name (SPN) to point to the desired ILM 2007 server. This is configured by using the SETSPN utility in Windows and only needs to be performed once on the ILM 2007 server.
Configure the groups in AD that are to have their passwords synchronized. This allows you the
flexibility of only synchronizing the passwords for your student users who are in AD rather than
monitoring for changes from any user.
Configure the Active Directory management agent (source management agent) to allow for
Password Synchronization. Once the Active Directory management agent is installed and configured
begin by selecting the AD management agent, select Properties, then Configure Active Directory
Partitions. In Password Synchronization, select Enable this partition as a password synchronization
source. Click the Targets button and place a checkmark next to the Windows Live Management
Agent that should be the target management agent for the password changes. Be sure to uncheck
the box to require secure connection for password synchronization operations.
Configure the Windows Live Management Agent (target management agent) to allow for reception
of password change notifications. Once Windows Live Management Agent is installed and
configured begin by selecting the Windows Live Management Agent, select Properties, then
Configure Extensions. In Password Management, place a checkmark in Enable Password
Management. Verify that the Extension Name is filled in with PassportPasswordExtension.dll and
that the radio button is set to Set and Change. Click the Targets button and uncheck the box to
require secure connection for password synchronization operations.
While still on the Configure Extensions, click the settings button. Type in the CN value from the
subject field of your certificate the Connect To: textbox (in most cases “sapipartner.com”), without
the quotation marks. The CN value from the certificate can be found in the details tab of the
certificate in the Certificates management console. Leave the password field blank (it is not
necessary).
Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then
Options. Place a checkbox in Enable Password Synchronization if it is not already there. This will
allow your management agents to receive Password Synchronization requests from the domain
controllers.
Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then
Options. Place a checkbox in Enable Password Synchronization if it is not already there. This will
allow your management agents to receive Password Synchronization requests from your password
change code.
Once the above steps are completed you may use the example code from the Developer Reference to
send passwords to the Windows Live ID for reset.
Another option for creation of Password Reset or Change functionality is to contact Oxford Computer
Group (Oxford). Oxford has a long history of creating password change and reset solutions with ILM.
Oxford specializes in identity and access management and it is a Microsoft Gold Partner with offices in
UK, Germany, Canada and the US. Services include: strategic and functional consulting, system
integration, as well as solution and skill development.
To contact Oxford Computer Group, please use the following e-mail address: info@oxfordcomputergroup.com
Enter information online including Country/Region, State, Zip Code, Secret Question and Secret
Answer.
If all else fails the student can contact the appropriate school department to have the System
Administrator reset his/her password using ILM 2007. Should a user lose their temporary password or
forgot the one they subsequently created and are unable to complete the online password reset
procedure the System Administrator should perform the following procedure to reset passwords.
If the student does not already have an alternate e-mail address, the student will be prompted to enter
an alternate e-mail address to make resetting passwords in the future easier. A confirmation page is
displayed after a successful password reset.
Alternate E-mail Addresses
We recommend that students enter an alternate e-mail address upon first sign in to Windows Live
Hotmail or any other Windows Live ID site if Windows Live Hotmail isn't the first one. When signing in
the first time the student will be required to enter a Secret Question/Secret Answer pair. See “Appendix
– First-Time User Sign-in Flow” for more information. Optionally, the student will also be asked to enter
an Alternate E-mail address. If a student has an existing e-mail address in addition to the one being
established by the school we highly recommend that the student enter it. Doing so allows the student to
easily reset their Windows Live ID password should they later forget it without contacting the System
Administrator.
For security purposes, the student will also be prompted to change their school-supplied temporary password the first time they sign in.
Entering Windows Live ID Profile Information
If the student does not have an alternate e-mail address they will need to enter a limited amount of Windows Live ID profile information. This needs to be done separately because a student will not be prompted to enter this information on first-time login.
On the next screen, scroll to the bottom and fill in Country/Region, State, and ZIP code. These values
are required when resetting your password so make sure this information is filled in with accurate
values that will be remembered and then click Save. No other values are required on this screen.
Deprovisioning
It is important to pay careful attention to the settings used by the Windows Live Management Agent for deprovisioning actions. Setting these incorrectly may result in inadvertently evicting users, with negative consequences. The results of an accidental deletion might include the following:
Here are a few possible deprovisioning scenarios you may encounter and possible troubleshooting
steps. All scenarios are structured around the limitation of not being able to reuse an e-mail address for
210 days after it has been evicted.
Scenario 1: Inadvertently deleting users before handing out e-mail addresses.
Since the e-mail addresses have not yet been distributed to the users it may be possible to change the
schema of the addresses and create new addresses. For example, should a user have been
Adam.Smith@university.edu previously, you may consider changing the schema to make it
A.Smith@university.edu. This will allow you to recreate the e-mail addresses.
Scenario 2: Inadvertently deleting users after handing out e-mail addresses but prior to accounts being
used.
The solution for this is the same as scenario 1, if the schema change is possible. No mail or data will be
lost since none is present yet.
Scenario 3: Inadvertently deleting users after handing out e-mail addresses to users. The users have
started using accounts and have populated them with data.
This is not an easily recoverable scenario. You may use the solution from Scenario 1 to recreate the
users, but you will not be able to recover the data in the accounts, such as e-mails. Additionally, if you are
going to change the schema for e-mail addresses, be mindful not to change the addresses of the users
who were not affected by the eviction, as doing so will rename their existing address to
the new one. Microsoft may be able to assist you if you get into this situation.
Windows Live ID e-mail names must conform to SMTP RFC 822 for the user name portion of the e-mail
address and RFC 1035 for the domain portion. Some exceptions are made:
50 characters max
No Unicode
First character must be a letter (ASCII code range 97-122 or 65-90)
Period (ASCII 46) is allowed except as the first or last character, and two adjacent periods are not
allowed
All other characters must be in ASCII code range 48-57 (numbers), 65-90 (uppercase), 95 (underscore),
97-122 (lowercase)
Numbers: {0123456789}
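The rules above, applied in code as a pre-flight check for a student data source before it is imported into ILM. This is an added example, not code from this guide or from the Windows Live Management Agent. The user-name checks implement the listed exceptions exactly; the domain check is a plain reading of the RFC 1035 hostname rules (letter-initial labels of up to 63 characters made of letters, digits and hyphens, at least two labels), which is an assumption about what the Windows Live side enforces rather than something the guide states. The sample addresses are constructed.

```python
"""Validate candidate Windows Live ID sign-in names against the e-mail name rules."""
from __future__ import annotations

import re
import string

MAX_LOCAL_PART = 50                       # "50 characters max"
LETTERS = set(string.ascii_letters)       # ASCII 65-90 and 97-122
ALLOWED_OTHER = set(string.ascii_letters + string.digits + "_")  # 48-57, 65-90, 95, 97-122

# Assumption: RFC 1035 hostname label, letter first, letters/digits/hyphens, no trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_local_part(local: str) -> list[str]:
    """Return rule violations for the user-name portion; an empty list means it is valid."""
    problems: list[str] = []
    if not local:
        return ["empty user name"]
    if len(local) > MAX_LOCAL_PART:
        problems.append(f"longer than {MAX_LOCAL_PART} characters")
    if not local.isascii():
        problems.append("contains non-ASCII (Unicode) characters")
        return problems  # the remaining checks assume ASCII input
    if local[0] not in LETTERS:
        problems.append("first character is not a letter")
    if local[-1] == ".":
        problems.append("last character is a period")
    if ".." in local:
        problems.append("two adjacent periods")
    bad = sorted({c for c in local if c != "." and c not in ALLOWED_OTHER})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def validate_domain(domain: str) -> list[str]:
    """Return violations for the domain portion (assumed RFC 1035 hostname rules)."""
    problems: list[str] = []
    if not domain:
        return ["empty domain"]
    if len(domain) > 253:
        problems.append("domain longer than 253 characters")
    labels = domain.split(".")
    if len(labels) < 2:
        problems.append("domain has no dot (needs at least two labels)")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"invalid DNS label {label!r}")
    return problems


def validate_sign_in_name(address: str) -> list[str]:
    """Validate a full user@domain sign-in name; empty list means it passes every rule."""
    if address.count("@") != 1:
        return ["address must contain exactly one '@'"]
    local, domain = address.split("@")
    return validate_local_part(local) + validate_domain(domain)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    for candidate in ("Adam.Smith@university.edu", "adam..smith@university.edu",
                      "1adam@university.edu", "adam-smith@university.edu",
                      "adám@university.edu", "adam@university"):
        verdict = validate_sign_in_name(candidate)
        print(f"{candidate:32} {'OK' if not verdict else '; '.join(verdict)}")
```

Running the check over the data source before the first export run turns name-rule rejections into a report you can fix in the source system, instead of export errors scattered through the ILM output files.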
2. Locate the folder that contains the .NET framework by clicking Start, then Run, and then pasting or
typing %systemroot%\Microsoft.NET\Framework on the line. Click OK to open the folder.
3. Under that folder there should be another folder that has a name depicting each version of
the .NET framework installed. Look for a folder with the version number of v2.0.50727. If you
do not see this folder then you need to install the .NET framework 2.0.
4. If you do have the folder then open the v2.0.50727 folder and then locate the Mscorlib.dll file.
6. Click the Version tab and then note the file version.
7. If the version number starts with v2.0.50727.XXXX then you already have the correct version of
the .NET framework installed and you should go to the Troubleshooting section in this guide for
more information about troubleshooting error messages. If not (or if you haven't got the folder
at all) then you must install the .NET 2.0 framework using the instructions below. Click OK.
You should be mindful of which properties you set and where you set them since they may be
overridden by a higher priority property set elsewhere.
Steps to troubleshoot the Live@edu solution depend on where the error occurs. Sometimes it is difficult
to determine where to start however you can usually follow the data through the solution to determine
the error condition. Start with the student data source, then move on to ILM 2007 and finally out to the
Windows Live system.
The following table contains next steps for each run status.
For “stopped-extension-dll-exception”
Windows Live IDs will not be processed because the exception occurred prior to attempting the
Windows Live ID export. ILM 2007 will place the errors into the application event log which you can view
with the Event Viewer. To open Event Viewer click on the Start menu, click Run, and then type:
eventvwr.
For “completed-export-errors”
See Managing the Output Files in this guide. Note that Windows Live IDs that succeeded will NOT be re-
processed on the next export run. We recommend that you re-attempt the export before further
troubleshooting. It is not unusual to have networking conditions cause a few Windows Live IDs in a large
batch to fail; by retrying, you will minimize the number of failures that require investigation and there is
no downside to doing so. Once you determine that the remaining failures are not due to random
networking conditions you can find the cause of the error for each Windows Live ID by double-clicking
on the corresponding error link as shown in the right pane of the above screen shot, which brings up the
detailed error report for that Windows Live ID.
Getting Support
For ILM and Windows Live Management Agent support, see http://support.microsoft.com/ph/1980.
If you have the encryption keys mentioned above the easiest way to recover from an ILM server outage
is to reinstall ILM 2007 and the Windows Live Management Agent and point it to the existing SQL Server
Database. Once you provide the encryption keys and restore the supporting files in the proper folders
you should be up and running. Again, refer to “Restoring Microsoft Identity Lifecycle Manager 2007” in
the ILM 2007 help.
In the event that the ILM server suffers a failure or the management agents and the database are
deleted, the following steps must be done to restore functionality to ILM and prevent errors upon re-
synchronizing the data with your data source.
1. Install ILM and appropriate software onto the server as needed depending on the severity of the
failure.
2. Restore your management agents from backup XML files or set up your management agents in
ILM as they were before.
3. Turn off provisioning in ILM by going to the Tools menu and selecting Options, then unchecking
the Enable Provisioning Rules Extension.
4. Create a full import run profile for the data source management agent.
a. Click the New Profile button, give the run profile a name (in this case, Full Import) and
click Next.
b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).
c. In Management Agent Configuration, select the Input file name if using a text
management agent, otherwise skip this step and click finish.
d. Create a full synchronization run profile for the data source management agent. Follow
the exact same steps as Step 4; name the profile appropriately, select Full
Synchronization from the run profile type, and click Finish in Management Agent
Configuration.
5. Run a full import and full sync from the data source management agent to project data into the
metaverse.
6. In Identity Manager under Actions, select Run, select Full Import and click OK.
7. In Identity Manager under Actions, select Run, select Full Sync and click OK.
8. In the Windows Live management agent, we have to set the domain into recovery mode and
configure some parameters for the disaster recovery to work.
9. Open the Windows Live management agent and click the Configure Additional Parameters tab.
10. We need to add two parameters in this tab. Click New and add a Parameter name of Domain.
In the Value field, type the name of your domain. Click OK.
11. Click new and add a Parameter name of DisasterRecoveryMode. In the Value field, type true and
click OK.
12. Set a join rule on the Windows Live management agent for the SignInName attribute in
Windows Live to join to the mail attribute (or whatever attribute you used in Metaverse to store
member e-mail accounts).
13. In Identity Manager, in the Windows Live management agent, select the Configure Join and
Projection Rules tab.
14. Click New Join Rule and select the data source attribute SigninName and Metaverse object type
mail (or whatever attribute in Metaverse you’re using to store member accounts) and click Add
Condition.
15. Create a template for use in the full import run profile for the Windows Live management agent.
16. Navigate to the MaData folder in the installation folder for ILM. Usually this is C:\Program Files\
Microsoft Identity Integration Server\MaData unless changed upon install.
17. Open the folder for the Windows Live management agent, right click and select New Text
Document from the menu.
18. Give the file any name, for example, import.txt, and close the install folder window.
19. Create a full import run profile for the Windows Live management agent.
20. Follow the exact same steps as Step 4; name the profile appropriately, select Full Import from
the run profile type, select the file you just created in Step 9c above and click Finish in
Management Agent Configuration.
21. Create a full synchronization run profile for the Windows Live management agent.
22. Follow the exact same steps as Step 4; name the profile appropriately, select Full
Synchronization from the run profile type, and click Finish in Management Agent Configuration.
23. Run a full import on the Windows Live management agent. Note the number of objects.
High Availability
While ILM is not a real-time system and thus may not require 99.999% uptime, it is
imperative to have the system operational whenever a “run” is required, however often that may be.
Because ILM is not a real-time system, the normal high-availability technique of clustering ILM 2007 may
not be appropriate. ILM 2007 is not a cluster-aware application.
A desirable and recommended strategy for high availability of ILM 2007 is to maintain a cold-standby
server which may be brought up at any time should the primary machine malfunction.
Ensure you have the latest .Net and ILM 2007 hotfixes, according to the prerequisite requirements
stated above. If you do not, you need to install these before proceeding.
Ensure your source management agent for student data provides an e-mail address to the
Metaverse (note the attribute the address is in). This must be the full e-mail address including
the domain portion. If you intend to provide an initial password for the user the data must be
provided in the Metaverse as well.
Install and configure the Windows Live Management Agent in accordance with the instructions
above. Please note that you will need to create a flow from the attribute in the Metaverse that
contains the e-mail address you would like to provision to the SigninName attribute in the Windows
Live Management Agent connector space.
Configure the Metaverse provisioning extension as follows:
o Perform the steps listed in the Enable Provisioning section above noting the previously
listed DLL if any.
o If you noted a DLL in the above step, please edit the file specified by the section titled
Metaverse Rules Extension XML Schema and add a line with contents of <add-assemblies…>
naming the noted DLL from the step above. This will allow all of your previous code to
receive data from ILM 2007 as it did prior to the Live@edu changes.
http://www.microsoft.com/technet/technetmag/issues/2006/07/Automate/default.aspx
Class
Status (student or alumni)
State
City
Etc
In addition to utilizing this data to automatically create distribution lists using the Group Management
solution, information contained in attributes like this can assist in the general maintenance of account
information. Connecting ILM 2007 to other data sources and synchronizing this type of information can
greatly reduce the costs of account administration.
Appendix A: Valid Region/Country Codes
Code Country
AF Afghanistan
AL Albania
DZ Algeria
AS American Samoa
AD Andorra
AO Angola
AI Anguilla
AQ Antarctica
AR Argentina
AM Armenia
AW Aruba
AC Ascension Island
AU Australia
AT Austria
AZ Azerbaijan
BS Bahamas
BH Bahrain
BD Bangladesh
BB Barbados
BY Belarus
BE Belgium
BZ Belize
BJ Benin
BM Bermuda
BT Bhutan
BO Bolivia
BW Botswana
BV Bouvet Island
BR Brazil
BN Brunei
BG Bulgaria
BF Burkina Faso
BI Burundi
KH Cambodia
CM Cameroon
CA Canada
CV Cape Verde
KY Cayman Islands
TD Chad
CL Chile
CN China
CX Christmas Island
CO Colombia
KM Comoros
CD Congo (DRC)
CG Congo
CK Cook Islands
CR Costa Rica
CI Côte d'Ivoire
HR Croatia
CU Cuba
CY Cyprus
CZ Czech Republic
DK Denmark
DJ Djibouti
DM Dominica
DO Dominican Republic
EC Ecuador
EG Egypt
SV El Salvador
GQ Equatorial Guinea
ER Eritrea
EE Estonia
ET Ethiopia
FO Faroe Islands
FJ Fiji Islands
FI Finland
FR France
GF French Guiana
PF French Polynesia
GA Gabon
GM Gambia, The
GE Georgia
DE Germany
GH Ghana
GI Gibraltar
GR Greece
GL Greenland
GD Grenada
GP Guadeloupe
GU Guam
GT Guatemala
GG Guernsey
GN Guinea
GW Guinea-Bissau
GY Guyana
HT Haiti
HN Honduras
HU Hungary
IS Iceland
IN India
ID Indonesia
IR Iran
IQ Iraq
IE Ireland
IM Isle of Man
IL Israel
IT Italy
JM Jamaica
JP Japan
JO Jordan
JE Jersey
KZ Kazakhstan
KE Kenya
KI Kiribati
KR Korea
KW Kuwait
KG Kyrgyzstan
LA Laos
LV Latvia
LB Lebanon
LS Lesotho
LR Liberia
LY Libya
LI Liechtenstein
LT Lithuania
LU Luxembourg
MO Macao SAR
MG Madagascar
MW Malawi
MY Malaysia
MV Maldives
ML Mali
MT Malta
MH Marshall Islands
MQ Martinique
MR Mauritania
MU Mauritius
YT Mayotte
MX Mexico
FM Micronesia
MD Moldova
MC Monaco
MN Mongolia
MS Montserrat
MA Morocco
MZ Mozambique
MM Myanmar
NA Namibia
NR Nauru
NP Nepal
AN Netherlands Antilles
NL Netherlands, The
NC New Caledonia
NZ New Zealand
NI Nicaragua
NE Niger
NG Nigeria
NU Niue
NF Norfolk Island
KP North Korea
MP Northern Mariana Islands
NO Norway
OM Oman
PK Pakistan
PW Palau
PS Palestinian Authority
PA Panama
PY Paraguay
PE Peru
PH Philippines
PN Pitcairn Islands
PL Poland
PT Portugal
PR Puerto Rico
QA Qatar
RE Reunion
RO Romania
RU Russia
RW Rwanda
WS Samoa
SM San Marino
SA Saudi Arabia
SN Senegal
SC Seychelles
SL Sierra Leone
SG Singapore
SK Slovakia
SI Slovenia
SB Solomon Islands
SO Somalia
ZA South Africa
ES Spain
LK Sri Lanka
SH St. Helena
LC St. Lucia
SD Sudan
SR Suriname
SZ Swaziland
SE Sweden
CH Switzerland
SY Syria
TW Taiwan
TJ Tajikistan
TZ Tanzania
TH Thailand
TP Timor-Leste
TG Togo
TK Tokelau
TO Tonga
TA Tristan da Cunha
TN Tunisia
TR Turkey
TM Turkmenistan
TV Tuvalu
UG Uganda
UA Ukraine
UK United Kingdom
US United States
UY Uruguay
UZ Uzbekistan
VU Vanuatu
VA Vatican City
VE Venezuela
VN Vietnam
VI Virgin Islands
YE Yemen
ZM Zambia
ZW Zimbabwe
Appendix B: Language Codes
These are the languages currently supported by Windows Live Hotmail.
Code Language
1025 Arabic
1026 Bulgarian
1050 Croatian
1029 Czech
1030 Danish
1043 Dutch
1033 English
1061 Estonian
1035 Finnish
1036 French
1031 German
1032 Greek
1037 Hebrew
1038 Hungarian
1040 Italian
1041 Japanese
1042 Korean
1062 Latvian
1063 Lithuanian
1044 Norwegian
1045 Polish
2070 Portuguese
1048 Romanian
1049 Russian
1051 Slovak
1060 Slovenian
1034 Spanish
1053 Swedish
1054 Thai
1055 Turkish
1058 Ukrainian
Appendix C: TimeZone Codes
TimeZone Code Location
0 Universal Time
1090 Cordoba, W Argentina (CB, SA, TM, LR, SJ, SL, NQ, RN)
1299 Skopje
1040 Alaska
1945 Arizona
1951 Arkansas
5599 California
7636 Colorado
7798 Connecticut
8831 Delaware
11032 Florida
12004 Georgia
13656 Hawaii
14713 Idaho
14808 Illinois
14882 Indiana
14987 Iowa
16121 Kansas
16480 Kentucky
19283 Louisiana
19840 Maine
20487 Maryland
20543 Massachusetts
21196 Michigan
21412 Minnesota
21502 Mississippi
21512 Missouri
21789 Montana
22869 Nebraska
23035 Nevada
24230 Ohio
24293 Oklahoma
24561 Oregon
25623 Pennsylvania
33025 Tennessee
33145 Texas
34626 Utah
35022 Vermont
35364 Virginia
35841 Washington
36684 Wisconsin
36927 Wyoming
Appendix E: Certificate Install Information
If you chose to use a certificate to provide your identity to Microsoft, the certificate is provided to you
by the Windows Live Commercial Partner Center. You will be contacted with a password for the private
key. You will need to use a workstation to properly unpack and export your certificate for use with
Windows Live Admin Center.
In order to place the correct permissions for the ILM Service account to access the certificate, you will
need to use the WinHTTP Configuration Tool, available from the Microsoft Download site at
http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en.
Choose a Destination Folder or accept the default location and click Install Now.
The installation is complete, click Finish.
To run the program, open a command-prompt window by clicking the Start menu, selecting Run and
typing CMD in the Open field. Click OK.
Change to the directory where you installed the tool; if using the default settings, the location is
C:\Program Files\Windows Resource Kits\Tools. You will need to copy the certificate provided to you by
the Windows Live Commercial Partner Center to the root of your C: drive and know the private key
password.
The following example shows the command line parameters that are valid for use with this tool.
winhttpcertcfg [/?]
winhttpcertcfg [-i PFXFile | -g | -r | -l] [-a Account] [-c CertStore] [-s SubjectStr]
The following table explains the parameters for the configuration tool.
Parameter Description
-i Specifies that the certificate is to be imported from a Personal Information Exchange (PFX) file.
This parameter must be followed by the name of the file. When this parameter is specified, -a
and -c must also be specified.
-g Specifies that access is granted to a private key. When this parameter is specified, -a, -c, and -s
must also be specified.
-r Specifies that access is removed for a private key. When this parameter is specified, -a, -c, and -s
must also be specified.
-l Specifies that accounts with access to a private key are listed. When this parameter is specified,
-c and -s must also be specified.
-a Specifies the user account on the machine being configured. This could be a local machine or
domain account, such as IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\DOMAINUSER.
-c Specifies the location and name of the certificate store. Use LOCAL_MACHINE or
CURRENT_USER to designate which registry branch to use for the location. The certificate store
can be any installed on the machine. Typical name examples are MY, Root, and TrustedPeople.
The location and name of the certificate store are separated with a backward slash; for example,
LOCAL_MACHINE\Root.
Note Although the CURRENT_USER branch of the registry can be specified with this parameter,
extending access to private keys is primarily intended for certificates installed in a local machine
certificate store that can be accessed by multiple users.
-s Specifies a case-insensitive search string for finding the first enumerated certificate with a
subject name that contains this substring.
To install your certificate with the correct permissions, you will need to run the configuration tool with
the following command:
Click OK.
In the MMC, go to the File menu and select Add/Remove Snap-in.
In the Object type window in the right pane, click All Tasks.
From the Certificates MMC, right-click the certificate in the Certificates (Local Computer)\Personal\Certificates
store, select All Tasks and then Export.
The Certificate Export Wizard appears; click Next.
Select the radio button next to “No, do not export the private key” and click Next.
Use DER encoded X.509 (.CER), click Next.
Click the Browse button, select a location for the exported certificate, click Next.
Browse to the location where you exported the cert and click Add/Update. If Add/Update is not
available, contact the Windows Live Commercial Partner Center using this e-form:
https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww. To enable the feature for your
domain
The certificate has been uploaded successfully.
Appendix F: Migrating from the SDK tools
If you have been using one of the SDK Tools to manage your domain, you can migrate from them to ILM
if you prefer.
Note: If you do this, we recommend making a full move to Identity Lifecycle Manager. Do NOT
use the SDK apps for account management after you migrate from them, otherwise you will encounter
errors. If you add or remove accounts with the SDK tools after moving to ILM, the domain will become
out of sync.
The EduExpress application contains an option to export a CSV file containing your domain’s member
accounts. This file can be used to import members into ILM.
1. First, launch the EduExpress application and locate the Export Existing Member List link.
2. Clicking this link brings up a save dialog box. Save the file to a known location.
You can use this CSV file to populate Active Directory, a SQL database, a delimited text file or any other
source supported by ILM. For demonstration purposes, we’ll create a delimited text file for use with
ILM.
3. Create a new text file with the attributes you want to use in the header of the file. Refer to the
Passport User Attributes section for more information.
4. Launch Identity Manager, click Create to create a new management agent for a data source.
More information about configuring data source management agents is included in Section 5.
5. Select Delimited Text File in the Management Agent For: drop down menu. Give the
management agent a name and a description (if desired).
6. In Select Template Input File, select the text file you created in step 3. Click Next.
7. In Delimited Text Format, click Use first row for header names and click Next.
8. In Configure Attributes, click the Set Anchor button to set an anchor attribute for the
management agent.
9. In the Set Anchor window, click the SigninName attribute and click the Add button to construct
the anchor. Click OK and click Next.
10. In Define Object Types, accept the default and click Next.
11. In Configure Connector Filter, accept the defaults by clicking Next.
12. In Configure Join and Projection rules, we want to create a projection rule for the data source
management object to project members into the Metaverse. Click New Projection Rule.
13. Unless you’ve created your own object type in Metaverse, select the person metaverse object
type, leave the radio button next to Declared selected, click OK and click Next.
14. In Configure Attribute Flow, we will create attribute flow for the attributes in our text file. Select
an attribute in the data source attribute column, set the radio button for mapping type to Direct,
set the radio button for Flow Direction to be Import, click the corresponding Metaverse
Attribute and click the New button. Follow these same steps for every attribute mapping. In
the example, we’re flowing our attributes like this:
Data source attribute Mapping Type Flow Direction Metaverse Object Type
16. In Configure Extensions, accept the default by clicking the Finish button.
17. Next we will configure the export management agent. In Identity Manager, click Create from
under the Actions menu.
18. From the Create Management Agent drop down menu, select WLCD Management Agent
(Microsoft), give the management agent a name and a description (if desired).
19. In Configure Connection Information, enter your administrator account and password into the
appropriate fields. If you’re using a certificate for authentication, you can skip this step.
20. In Configure Additional Parameters, accept the defaults for now by clicking Next.
21. In Configure Attributes, accept the default settings and click Next .
22. In Define Object Types, accept the default settings and click Next.
23. In Configure Connector Filter, accept the defaults and click Next.
24. In Configure Join and Projection Rules, accept the defaults for now and click Next.
25. In Configure Attribute Flow, we will set up direct export attribute flows for the attributes we set
up on the data source management agent. Select an attribute in the data source attribute
column (Passport User), set the radio button for mapping type to Direct, set the radio button for
Flow Direction to be Export, click the corresponding Metaverse Attribute and click the New
button. Follow these same steps for every attribute mapping. In the example, we’re flowing
our attributes like this:
Data source attribute Mapping Type Flow Direction Metaverse Object Type
27. In Configure Extensions, uncheck Enable password management and click Finish.
28. Both management agents are now configured. Now we need to turn off provisioning in ILM so
that we can sync our accounts with those existing in Windows Live. Go to the Tools menu, select
Options and remove the tick from the checkbox next to Enable Provisioning Rules Extension.
29. We need to copy the data source text file to the C:\Program Files\Microsoft Identity Integration
Server\MaData\<data source management agent folder>.
30. Create a full import run profile for the data source management agent.
a. Click the New Profile button, give the run profile a name (in this case, Full Import) and
click Next.
b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).
c. In Management Agent Configuration, Click the Select button to select the Input file you
placed in the C:\Program Files\Microsoft Identity Integration Server\MaData\<data
source management agent folder>.
d. Select the file from the list, click OK and Click Finish.
31. Create a full synchronization run profile for the data source management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full
Synchronization from the run profile type, and click Finish in Management Agent
Configuration.
32. Run a full import and sync from the data source management agent to project data into the
metaverse.
a. In Identity Manager under Actions, select Run, select Full Import and click OK.
b. In Identity Manager under Actions, select Run, select Full Sync and click OK. Be sure to
note the number of projections. This number should match the number of accounts
you’re synchronizing with Windows Live.
Note: If you experience the error no-start-file-access-denied, select the folder for the data source
management agent (C:\Program Files\Microsoft Identity Integration Server\MaData\<data source
management agent folder>), click the Security tab, click the Advanced tab and select the tick box for
“Replace permission entries on all child objects with entries shown here that apply to child objects”. Click
OK and click OK on the security dialog box below:
c. Click Yes, then OK to close the properties dialog box. This will enable the correct
permissions.
33. In the Windows Live management agent, we have to set the domain into recovery mode and
configure some parameters for the disaster recovery to work.
a. Open the Windows Live management agent and click the Configure Additional
Parameters tab.
We need to add two parameters in this tab. Click New and add a Parameter name of Domain. In the
Value field, type the name of your domain. Click OK.
b. Click new and add a Parameter name of DisasterRecoveryMode. In the Value field, type
true and click OK.
34. Set a join rule on the Windows Live management agent for the SignInName attribute in
Windows Live to join to the mail attribute (or whatever attribute you used in Metaverse to store
member e-mail accounts).
a. In Identity Manager, in the Windows Live management agent, select the Configure Join
and Projection Rules tab.
b. Click New Join Rule and select the data source attribute SigninName and Metaverse
object type mail (or whatever attribute in Metaverse you’re using to store member
accounts) and click Add Condition.
35. Create a template for use in the full import run profile for the Windows Live management agent.
a. Navigate to the MaData folder in the installation folder for ILM. Usually this is
C:\Program Files\Microsoft Identity Integration Server\MaData unless changed upon
install.
36. Open the folder for the Windows Live management agent, right click and select New Text
Document from the menu.
37. Give the file any name, for example, import.txt, and close the install folder window.
38. Create a full import run profile for the Windows Live management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full
Import from the run profile type, select the file you just created in Step 9c above and
click Finish in Management Agent Configuration.
39. Create a full synchronization run profile for the Windows Live management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full
Synchronization from the run profile type, and click Finish in Management Agent
Configuration.
40. Run a full import on the Windows Live management agent. Note the number of objects.
41. Run a full synchronization on the Windows Live management agent.
42. Verify that all imported accounts are joined. There should be the same number of joins as
objects from the full import (unless you’re using Active Directory or another LDAP directory as
your data source; in this case, you would subtract the container objects)
43. There should be pending exports to Windows Live for all joined accounts. Randomly examine a
few pending exports to make sure attributes are correctly set. For instance, do not set the
ResetPassword attribute unless you want to require all users to reset their password.
44. Create an Export run profile on the Windows Live MA.
45. Enable provisioning by going to the Tools menu\Options in ILM and clicking the “Enable
Provisioning Rules Extension”.
46. Run a full synchronization on the data source management agent
47. If any exports are pending for the Windows Live management agent after step 16, these must be
new users that were not created in Windows Live before the disaster occurred.
48. Run an export to Windows Live to create the new users (if desired).
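The accounting behind steps 40 to 48 above, and behind the disaster-recovery procedure earlier in this guide that ends with the full import in recovery mode, as an added example that is not part of the guide or of ILM 2007. It models the metaverse and the Windows Live connector space as two sets keyed by the mail and SignInName attributes and derives the three populations the steps tell you to inspect: objects that will join, pending exports that represent users never created in Windows Live, and Windows Live objects with nothing to join to. The sample members are constructed, and the case-insensitive comparison is an assumption about how the join rule matches, not documented behaviour.

```python
"""Model the join / pending-export check performed after a recovery-mode full import."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data (not from any real tenant).
# Left: metaverse objects projected from the data source, keyed by the mail attribute.
SOURCE_MEMBERS = {
    "adam.smith@university.edu": {"FirstName": "Adam", "LastName": "Smith"},
    "b.jones@university.edu": {"FirstName": "Bea", "LastName": "Jones"},
    "c.lee@university.edu": {"FirstName": "Chen", "LastName": "Lee"},  # never reached Windows Live
}
# Right: connector-space objects from the Windows Live full import, keyed by SignInName.
LIVE_MEMBERS = {
    "adam.smith@university.edu": {},
    "b.jones@university.edu": {},
    "old.account@university.edu": {},  # exists in Windows Live, absent from the data source
}


@dataclass
class Reconciliation:
    joined: list[str]           # on both sides: the SignInName-to-mail join rule links them
    pending_exports: list[str]  # data source only: would be exported as new users (step 47/48)
    unmatched_live: list[str]   # Windows Live only: nothing to join to; a deprovisioning
                                # rule would evict these if provisioning were enabled, which is
                                # why provisioning stays off until the joins are verified


def reconcile(source: dict, live: dict) -> Reconciliation:
    """Split the two populations into joined / pending-export / unmatched sets."""
    # Assumption: the join compares SignInName case-insensitively; adjust if yours differs.
    src = {k.lower() for k in source}
    lv = {k.lower() for k in live}
    return Reconciliation(sorted(src & lv), sorted(src - lv), sorted(lv - src))


def joins_match_import(rec: Reconciliation, imported_count: int) -> bool:
    """Step 42: the number of joins should equal the number of objects the full import read."""
    return len(rec.joined) == imported_count


def review_pending_export(attributes: dict) -> list[str]:
    """Step 43: flag attribute values in a pending export that affect the user on creation."""
    warnings: list[str] = []
    if str(attributes.get("ResetPassword", "")).lower() in {"true", "1", "yes"}:
        warnings.append("ResetPassword is set: this user will be required to reset their password")
    return warnings


if __name__ == "__main__":
    rec = reconcile(SOURCE_MEMBERS, LIVE_MEMBERS)
    print("joined:          ", rec.joined)
    print("pending exports: ", rec.pending_exports)
    print("unmatched in Live", rec.unmatched_live)
    print("joins == imported objects:", joins_match_import(rec, len(LIVE_MEMBERS)))
    for name in rec.pending_exports:
        sample = {"SignInName": name, "ResetPassword": "true"}  # constructed pending export
        print(name, review_pending_export(sample))
```

With the constructed data the step 42 check fails, because one imported Windows Live object has no data-source counterpart; that is the situation to resolve (or consciously accept) before re-enabling the provisioning rules extension, since the Deprovisioning section notes that an evicted address cannot be reused for 210 days.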
Appendix G: Support information
Getting Help from Microsoft
For general Live@edu program information please refer to our Live@edu program website located here
- http://www.liveatedu.com/
For additional questions regarding the program that are not addressed on the program page, or any
onboarding questions, please direct your inquiry to the Windows Live Commercial Partner Center using
this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.
Please refer all single user issues that involve MSN Services to http://support.live.com. This is the same
support resource that is available to all global users of Windows Live services and can often resolve
single user issues.
If you are experiencing an issue that impacts multiple end users, or are experiencing errors or
unexpected behavior with your account provisioning tools we suggest you file a ticket with our Premier
Partner Support team.
Once you have onboarded with the Live@edu program you will be provided a unique Premier Online
account for your institution. Please use this Premier Online account for filing issues only directly related
to the Microsoft Live@edu program.
If, after filing your support ticket, you feel that you have not received a timely response or if you would
like a status update please contact the Live@edu escalation services team ( edues@microsoft.com).
Please provide your support ticket number when contacting this team. These tickets usually begin with
the characters “SR”.
Live@edu partners who use Windows Live Services are supported by the MSN Partner Support team,
which is staffed to assist you with your technical support issues regarding the Microsoft Live@edu
products (e.g. ILM, Passport MA, mail delivery issues, etc.).
In addition to our Partner Support staff we have an Emergency Response Team (ERT) available
24x7x365 to respond to operational support issues submitted from Live@edu partners that deal with
the Windows Live Services (e.g. confirming Windows Live maintenance, latency, or issues impacting login or
mail delivery, etc.). Note: technical support related issues will be addressed by the Partner Support team
the next business day.
To engage our Support Professionals, you will need to submit Microsoft Live@edu technical issues using
the Microsoft Premier Online website. Premier Online will be the primary tool used by your support and
Helpdesk personnel to submit support cases and engage Microsoft Partner Support and the Emergency
Response Team.
Using Microsoft Premier Online
Microsoft Premier Online is a secure website that requires a Windows Live ID (Passport) account and a
Microsoft Premier Online Access ID and password to log in.
Next, go to the Premier Online site (https://premier.microsoft.com) and link your Windows Live ID
(formerly .NET Passport) to your Premier Online support account. For this step, you will need your
Premier Online Access ID and your password.
Your unique credentials will be provided by the Live@edu Escalation services team via e-mail once you
have onboarded with the Live@edu program.
Note: Please safeguard this Access ID and password. Provide this information only to support and
Helpdesk personnel whom you authorize to open support incidents.
Severity of the incident, e.g. the number of users impacted, as well as your internal issue severity level.
Once your case has been submitted, a Partner Support team member will be assigned ownership of your
case and they will work with you directly to assist in resolving your issue.
Tracking/Updating an Incident:
Please note that you can check the latest status of your issue(s) or add additional information at any
time by logging on to the Premier Online site.
Severity A: Significant business impact; significant loss or degradation of services, and business processes and
work cannot reasonably continue. All employees, students, and alumni are affected. Our response goal
for Severity A issues is one hour, followed by updates every hour or as needed.
Severity B: Moderate business impact; moderate loss or degradation of services, but work can
reasonably continue in an impaired manner. Issues affect most (but not all) employees, students, and
alumni. Our response time goal for Severity B issues is two hours, followed by updates every two hours
or as needed.
Severity C: Minimum business impact; used for issues encountered during implementation (pre-
deployment), prior to launching the service to your students and faculty. Our response time goal
for Severity C issues is 4 hours or the next business day, with updates as needed. NOTE: All installation and
configuration issues related to Windows Live@Edu qualify as Sev C.
Severity D is used to monitor incidents that need to remain open for long periods of time.