PILOT Live@edu Admin Guide

Provisioning Windows Live IDs with Identity Lifecycle Manager and Windows Live Management Agent v3
NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. This guide does not cover Exchange Labs provisioning.

Version 3.0

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. 
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2007 Microsoft Corporation. All rights reserved. Microsoft are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Table of Contents ..... 3
Section 1: About the Live@edu Program ..... 7
    Why Choose Live@edu? ..... 7
    About This Guide ..... 7
    What if I get stuck? ..... 8
    Technology Overview ..... 8
    Live@edu Solution Details ..... 9
    List of Features ..... 9
    Terms and Definitions ..... 10
Section 2: Checklist of Items before Deployment ..... 12
Section 3: Reserving a Domain with Windows Live Admin Center ..... 13
    Select a Domain Name ..... 13
    Assign a Domain Administrator ..... 14
    Review Settings and Accept Agreement ..... 15
    Confirm the Administrator Account ..... 15
Section 4: Identity Lifecycle Manager 2007 ..... 18
    Primary Concepts and Terminology ..... 18
    System Requirements ..... 18
    Metadirectory ..... 18
    Data Aggregation ..... 20
    Data Synchronization ..... 20
    Data Enforcement ..... 20
    Data Source ..... 21
    Management Agent ..... 21
    Metaverse ..... 21
    Connector Space ..... 22
    Provisioning ..... 22
    Running a Synchronization ..... 22
    Extensible Management Agents ..... 23
    State Based System ..... 23
    Operations ..... 23
    Disaster Recovery Plan 1 (SQL Outage) ..... 24
    Disaster Recovery Plan 2 (ILM Server Outage) ..... 24
    List of Maintenance Operations ..... 25
    Backing up Management Agents ..... 26
Section 5: Setting up the Environment ..... 29
    Installation requirements ..... 29
Section 6: Creating and Configuring the Data Source Management Agent ..... 31
    Configuring the Data Source Management Agent ..... 31
    Connecting to the Student Data Source ..... 31
    Database Management Agents ..... 31
    LDAP Management Agents ..... 32
    File-based Management Agents ..... 34
    Understanding the Student Data Source Schema ..... 34
    Management Agent Schemas ..... 34
    Anchor Attributes ..... 35
    Object Types and Attributes ..... 35
    Select a Subset of the Source Data ..... 36
    Database management agents ..... 36
    LDAP management agents ..... 36
    File-based Management Agents ..... 37
    Configure Connector Filter Rules ..... 37
    Refine Further by Using Filters to Select Subsets ..... 37
    Configure Join Rules ..... 38
    Configure Projection Rules ..... 39
    Configure Import Attribute Flow ..... 39
    Configure Deprovisioning ..... 42
    Configure Extensions ..... 43
Section 7: Installing and Configuring the Export Management Agent ..... 44
    Installing the Windows Live Management Agent ..... 44
    Create the Windows Live (Export) Management Agent ..... 45
    Passport User Attributes ..... 55
    Enable Provisioning ..... 59
Section 8: Configure XML Files ..... 63
    Configure XML Settings ..... 63
    Configure Offers ..... 68
Section 9: Additional Settings ..... 69
    Managing MX Records ..... 69
Section 10: Running the Solution ..... 70
    Data Synchronization ..... 70
    Run Profiles ..... 71
    Configure the Full Import and Full Synchronization Run Profile for the Import Management Agent ..... 71
    Configure Export Run Profile for the Windows Live Management Agent ..... 72
    Delta Import and Delta Synchronization ..... 72
    Populating the Metaverse ..... 73
    Troubleshooting the Staging of the Student Data ..... 73
    Creating Windows Live IDs ..... 73
    Managing the Output Files ..... 74
    Features of the Windows Live Management Agent ..... 75
    Renaming of E-mail Addresses ..... 75
    Deleting Windows Live IDs ..... 75
    Setting an Object Deletion Rule ..... 76
    Attribute Interdependencies ..... 77
    Active vs. Inactive student handling ..... 77
    Configuring Multiple Sites ..... 78
Section 11: Password Management ..... 79
    Create Initial Password ..... 79
    Password Reset ..... 79
    Password limitations ..... 79
    ILM Password Synchronization ..... 89
    Using Other Systems as the Source for Password Changes ..... 92
    Reset Password Flow ..... 93
    Recovering from a Forgotten Password ..... 93
    Alternate E-mail Addresses ..... 94
Section 12: Troubleshooting ..... 94
    ILM 2007 Failure Analysis Process Flow ..... 97
    For stopped-extension-dll-exception ..... 98
    For completed-export-errors ..... 98
    Getting Support ..... 98
    Disaster Recovery Plan (ILM Server Outage) ..... 98
Section 13: Advanced Topics ..... 108
    Student Portal Integration ..... 108
    High Availability ..... 109
    Integration of Live@edu Into a Pre-existing ILM Environment ..... 109
    Distribution List Management ..... 110
Appendix A: Valid Region/Country Codes ..... 112
Appendix B: Language Codes ..... 123
Appendix C: TimeZone Codes ..... 125
Appendix D: U.S. Region Codes ..... 139
Appendix E: Certificate Install Information ..... 142
    Obtaining a Certificate for your Domain ..... 142
    Installing the certificate on the ILM Server ..... 142
    Installing WinHTTP Configuration Tool ..... 142
    Installing the certificate to Windows Live Admin Center ..... 147
Appendix F: Migrating from the SDK tools ..... 156
Appendix G: Support information ..... 183
    Using Microsoft Premier Online ..... 184
    Steps to access the Microsoft Premier Online site ..... 184
    Steps to file a support request with Microsoft ..... 184
    Tracking/Updating an Incident ..... 185
    Incident Severity Definition ..... 186


Section 1: About the Live@edu Program
The Live@edu program was established to allow various educational institutions to provide their users an e-mail address at a custom, institution-determined domain without the difficulties and costs of maintaining an in-house mail infrastructure. This e-mail address can be a for-life e-mail address, since the program allows the users to continue using the address with no time constraints. The e-mail address issued by Live@edu is hosted by Windows Live Hotmail (previously known as Hotmail), the largest free e-mail provider in the world, and may be accessed through http://mail.live.com as well as a myriad of other web sites. Additionally, institutions will be able to integrate with the Windows Live Hotmail interface to expose the functionality through custom education portals.

This document describes the Windows Live Management Agent, an application primarily used for automating the creation, management and deletion of Windows Live IDs for use with Windows Live sites and applications. The Windows Live Management Agent is an administration tool used by universities participating in the Live@edu program. In addition to Windows Live Hotmail, the users will be able to use the Windows Live ID to sign up for services on sites such as Windows Live Spaces and Windows Live Messenger in place of using the @Live.com, @hotmail.com and @msn.com domains that are available to the general public.

The technical implementation of the Windows Live Management Agent is a plug-in application to Microsoft Identity Lifecycle Manager (ILM) 2007 that allows for manipulation of Windows Live IDs for the allowed domains. Minimal configuration is required; specifically, you will be asked to decide on how the e-mail address is created and provide a temporary initial password.

Why Choose Live@edu?
While there are a number of e-mail providers out there, here are some reasons that make Live@edu the right choice for educational e-mail needs:
- No mail infrastructure requirement means there is no need to hire in-house support staff to set up and maintain mail servers
- Familiar user interface of Live.com/Hotmail increases adoption and lowers support costs
- Powerful user creation and management tools
- Integration with your current student e-mail directory
- For-life e-mail address
- Free

About This Guide
This document describes how to implement the Windows Live Management Agent for creating, managing and deleting Windows Live IDs for use with Windows Live sites and applications. The data that is used to create the accounts can be retrieved from any number of sources such as an LDAP directory, a database or even a flat file. This guide describes how to set up and deploy the solution. It contains many sections that describe the details needed to configure the settings and aid you in deciding which features and functions are important to you. Additionally, various pitfalls and errors that may be encountered are discussed with the intent of assisting in avoiding or resolving any issues.



What if I get stuck?
The Live@edu program is meant to simplify the long-term administration associated with student, alumni and/or applicant e-mail. In addition to this document, there are several other tools to assist you in understanding this solution. Premier Online support is included free with Live@edu, including 24x7x365 phone support for critical issues and Web-based support for non-critical issues.

Technology Overview
Windows Live is a suite of services and web applications that can be accessed with one Windows Live ID. To integrate the student, alumni, and/or applicant information you have at your school with the Windows Live environment, you establish communication between the source of this information and Windows Live. This is accomplished with a Microsoft application called Microsoft Identity Lifecycle Manager (ILM) 2007. Once it is configured, ILM 2007 can gather data from the source and create, manage and delete accounts automatically.

The data source is the repository which contains information about the students whose accounts you would like to create. This data source may be Active Directory, an LDAP server, a text file, a database or any other data source supported by ILM 2007. This document is limited to covering the first four of the sources listed above; should you need information about connecting to the other ones, please refer to the ILM 2007 documentation.

ILM 2007 is a software product that enables IT organizations to reduce the cost of managing the identity and access life cycle by providing a single view of a user's identity across the heterogeneous enterprise and through the automation of common tasks. In essence, ILM 2007 allows data sources that were never designed to talk to each other to communicate and synchronize data. For that reason, ILM 2007 is leveraged to allow your student data source to communicate with Windows Live.

The Windows Live Management Agent is a plug-in to ILM 2007 that knows how to communicate with Windows Live. Additionally, ILM 2007 has other plug-ins that know how to communicate with many standard places where identity information is stored, such as LDAP servers, databases, etc. The other management agents allow ILM 2007 to gather the student, alumni or applicant information, and the Windows Live Management Agent allows for the creation, eviction and modification of Windows Live IDs. Even though ILM 2007 is designed to integrate a variety of data sources, we will be working with a limited subset of the ILM 2007 functionality for the purposes of the Live@edu solution. As visualized by the diagram below, the data flow occurs in one direction. First, the data is imported from the data source (LDAP, database, etc). Then it is processed by ILM 2007 and exported to Windows Live. The result of this process is a group of Windows Live IDs that are managed based on your existing student information.


Live@edu Solution Details
Now that you have a better understanding of ILM 2007 including the terminology, you can apply that knowledge to the Live@edu solution. The following section provides an overview of the basics necessary to understand Live@edu.

List of Features
Here are some of the features that you can expect from the Windows Live Management Agent:
- Tight integration with ILM 2007
- Support for multiple e-mail domains
- Password resets via attribute flows for member accounts
- Ability to suspend e-mail accounts as needed
- E-mail address renames/changes
- Support for custom portal integration
- Ability to re-brand web interface with a custom logo
- Automatic enablement of Windows Live Hotmail inboxes
- Password Synchronization with Active Directory
- Disaster Recovery


Terms and Definitions

Term or Acronym: Definition

Anchor
    The anchor attribute uniquely identifies an object in the connected data source. For the MA, NetID will be utilized as the anchor.

Branding
    A customized user interface (UI) with logos, etc. to be displayed when the user signs in to Windows Live Hotmail, Messenger, Spaces, and other Windows Live services. Co-branding is now available through the Windows Live Admin Center.

Eviction
    The process of setting a user into a state in which they will be required to choose a new sign-in name that is not in the Windows Live domain on their next sign-in attempt.

Identity
    The entity represented by NetID. A single identity may have multiple credentials of different types associated with it.

NetID
    A unique identifier associated with a Windows Live ID. This is generated automatically by Windows Live.

Managed Namespace
    A namespace that is created and controlled by a partner whose users' accounts are authenticated by Windows Live ID.

OfferName
    The OfferName is a function of the Windows Live Admin Center that controls advertising.

Partner
    An organization working with the management agent under appropriate contracts for a Microsoft service, such as a participant university.

Profile
    Personal data about a user other than their e-mail account and password (Windows Live ID); for example, first name, last name, and zip code are properties of a user's profile.

Provisioning
    The process by which the Windows Live ID service agrees a partner is authorized to set up a managed namespace. Alternatively: an ILM term used to describe the creation of an object in a Connector Space.

SOAP
    Simple Object Access Protocol. An HTTP/XML-based protocol by which the management agent will communicate with Windows Live Admin Center.

Tertiary Namespace
    A namespace with three parts, such as edu01.wledutraining.com, that is derived from a top-level domain. The management agent will support tertiary namespaces.

Windows Live ID
    A username and password used to authenticate with Windows Live services. Synonymous with a Passport ID.


Section 2: Checklist of Items before Deployment
The following is a high-level checklist of work items that need to be completed before you are fully deployed on the Live@edu program. As you move forward on-boarding with Live@edu, you will be given more detail around each of these items.

- Complete and submit the Live@edu enrollment form (https://imaginewindowslive.com/Education/Connect/Enroll/Default.aspx?). Be sure to submit the domains you plan to use to host your Live@edu email accounts.
- You will receive an invite via email to reserve your domain with Windows Live Admin Center (WLAC). You will receive separate invites for each domain you want to reserve. Click on the invite and you will be redirected to the WLAC web site (http://domains.live.com). (See Section 2)
    o Assign a Windows Live ID account as the domain administrator
    o Set the MX record as directed by WLAC and wait for WLAC to confirm the MX record change (this needs to propagate over the internet)
    o Configure co-branding for your domain via the Co-branding tab in WLAC
- Install Windows Server 2003 Enterprise Edition or later (See Section 4)
- Install SQL Server 2000 or 2005 (Enterprise or Standard Edition. SQL 2000 requires SP3) (See Section 4)
- Install ILM 2007 (MIIS SP2). (See Section 4)
- Configure a data source management agent (See Section 5)
- Confirm domain reservation is complete and configured for Live@edu offers and co-branding
- Install WLCD MAV3 bits (See Section 5)
- Configure WLCDGlobalConfig and WLCDProvisioningConfig XMLs (See Section 5)
- Configure the WLCD export management agent (See Section 5)

NOTE: BEFORE MOVING FORWARD ALL THE ABOVE STEPS MUST BE COMPLETE

- Create test accounts
- Verify test accounts behave as expected
    o Log in
    o Send/receive e-mail
    o Ads or No Ads as expected
    o Forwarding works as expected



Section 3: Reserving a Domain with Windows Live Admin Center
Before you reserve your domain, please submit your enrollment form to the Live@edu Ed Desk (eddesk@microsoft.com). The enrollment form is available at https://imaginewindowslive.com/Education/Connect/Enroll/Default.aspx.

1. To reserve a Windows Live domain, use your browser to go to the address http://admincenter.live.com and click Get started in the window.

Select a Domain Name
2. Provide your domain name or purchase a new one, then click set up Windows Live Hotmail for my domain, or choose No mail for my domain if you do not want to create e-mail inboxes. Setting up Windows Live without mail is not common.


Assign a Domain Administrator
3. The next step is to assign a domain administrator to your domain. You can use an existing Windows Live ID:

Or create a new Windows Live ID:

4. If you select to create a new Windows Live ID, you will have to complete the account creation process:


Review Settings and Accept Agreement
5. After assigning your domain administrator account, confirm your domain by reviewing the agreement applicable to your program. By clicking accept, you agree to the terms of the Live@edu agreement. To review the Live@edu terms, click the link.

Confirm the Administrator Account
6. To confirm domain ownership and allow mail delivery to Hotmail, Windows Live requires an MX record to be added at your domain registrar in charge of your DNS records.


7. If you are not pointing your MX records to Windows Live, you will need to change your CNAME record with a value from Windows Live which will validate that you own the domain.

8. Once your credentials are confirmed, you are taken to the administration page for your domain.

At this point you should notify the Live@edu Ed-Desk (ed-desk@microsoft.com) that your domain(s) are registered with Windows Live Admin Center. The Ed-Desk will configure your domain as a Live@edu domain and will provide you with the appropriate information for you to begin creating Live@edu accounts.

Note: You will need to confirm an administrator account for all Windows Live domains separately. It is recommended for security purposes that you register an administrator's Windows Live ID for each person that will be managing your domain. If you are using a certificate for authentication, the certificate will need to be uploaded for each domain and installed on each computer that will be used for administering the domain. For example, if you have 10 separate domains and 10 separate administrators, there are 10 MX records to confirm. In order to set up multiple administrator accounts for a single domain or assign administrators for a tertiary domain, the above steps will have to be completed for each administrator added to the domain.


Section 4: Identity Lifecycle Manager 2007
Primary Concepts and Terminology

ILM 2007 is a metadirectory product that has a variety of uses for data synchronization and identity management. In the case of the Live@edu program, it will be used to facilitate the management of Windows Live IDs by synchronizing data between the student information data source and Windows Live. To understand the role of ILM 2007 as it relates to Live@edu, it is important to understand the fundamentals of this type of product.

The ILM 2007 application runs on Windows 2003 Enterprise Edition. It relies upon Microsoft SQL Server as the application data store to retain all of the settings for ILM 2007 as well as the identity data that is synchronized through it.

System Requirements

• Windows Server 2003 Enterprise Edition or Windows Server 2003 R2 Enterprise Edition
• Microsoft .NET Framework 2.0
• Microsoft SQL Server 2000 Enterprise Edition, Standard Edition, or Developer Edition with Service Pack 3a or later; or Microsoft SQL Server 2005 Enterprise Edition, Standard Edition, or Developer Edition (32-bit or 64-bit), with Service Pack 1 recommended

For a detailed list of requirements and answers to commonly asked questions, please refer to the ILM 2007 FAQ at http://www.microsoft.com/windowsserver/ilm2007/faq.mspx#EKD.

Metadirectory

A metadirectory collects information from different data sources throughout an institution and then combines all or part of that information into an integrated, unified view. This unified view presents all the information about an object, such as a student or network resource, that is held throughout the institution. An Identity Management system may have a metadirectory at its heart, and ILM 2007 is such a system. A metadirectory performs the following functions:

• Connects to a variety of data sources, importing a desired subset of data from each one
• Combines all the information about each student or resource into a single entry
• Presents to the institution the unified view of all known information about each student or resource
• Enforces rules as to which sources are authoritative for a given attribute and what precedence applies where more than one source is authoritative

Microsoft currently distributes two separate versions of ILM 2007. The Live@edu version allows an institution to connect to one data source for account imports and to Windows Live for account creation. The full version of Microsoft Identity Lifecycle Manager 2007 is needed to connect to more than two data sources. The following table lists the supported management agents for the full version of Microsoft Identity Lifecycle Manager 2007. It illustrates the capability of the full version of ILM 2007 to communicate with some of the types of data sources for which ILM 2007 includes a management agent out of the box.

System: Network Operating Systems and Directory Services
Management Agents:
• Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
• Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
• Microsoft Windows NT 4.0
• IBM Tivoli Directory Server
• Novell eDirectory 8.6.2, 8.7, and 8.7.x
• Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

System: Mainframe
Management Agents:
• IBM Resource Access Control Facility
• Computer Associates eTrust ACF2
• Computer Associates eTrust Top Secret

System: E-mail and Messaging
Management Agents:
• Microsoft Exchange 2007, 2003, 2000, and 5.5
• Lotus Notes 6.x, 5.0, and 4.6

System: Applications
Management Agents:
• SAP 5.0 and 4.7
• Telephone switches
• XML-based systems
• DSML-based systems

System: Databases
Management Agents:
• Microsoft SQL Server 2005, 2000, and 7
• IBM DB2
• Oracle 10g, 9i, and 8i

System: File-Based
Management Agents:
• Attribute value pairs
• CSV
• Delimited
• Fixed width
• Directory Services Markup Language (DSML) 2.0
• LDAP Interchange Format (LDIF)

System: All Other
Management Agents:
• Extensible Management Agent for connectivity to all other systems

If the previous table does not include your student data source, you have several options. The first is to get the data out of your data source and into a format that ILM 2007 can recognize, such as an LDIF file or a delimited flat file. Flat files are often the lowest common denominator when integrating two systems. You also have the option of building your own extensible management agent to connect to the data source.

Data Aggregation

In most institutions, student information exists in many different data repositories, resulting in duplication of student information; there is no single, reliable place to go for information about a student or faculty member. Directories that hold identity information are often incompatible. These incompatibilities include different naming conventions, different directory schemas, different communication protocols and different data formats. The number of places in which organizations must manage identity information increases with the addition of new systems. To solve the issues that result from identity data residing in multiple repositories, you can use a metadirectory to:

• Combine the data for a specific person or resource in the metadirectory, thereby creating a single entry that contains some or all of the identity information from each directory.
• Present a single unified view that contains some or all of the attributes from the different directories, regardless of whether the directories are compatible.
• Provide a platform that can become the basis of an Identity Management (IdM) system, since it contains the authoritative identity information for objects.

Data Synchronization

Because an institution's student information is often held in different data repositories, a change made to data in one repository is not automatically made in any of the other repositories. Making the change throughout the organization requires the administrator(s) to make the change in each directory manually. Updating data in each directory by hand is therefore costly, unreliable and may even present a security risk. Unmanaged identity information quickly becomes disorganized, which results in identity information that is not synchronized throughout the organization. To manage changes to identity information you can use a metadirectory to:

• Identify changes to identity information from many sources.
• Propagate those changes automatically to other directories as appropriate (i.e. as defined by rules which have been configured to support company procedures). These changes can be modifications to attributes or to whole objects.
• Keep the directories synchronized through this change detection infrastructure.

Data Enforcement

Data ownership issues often prevent effective coordination of an institution's identity information even though it may be technically possible. Certain departments maintain a strong ownership of their data. Although ownership of data is not an issue when directories remain separate, retaining ownership when data is synchronized among multiple directories becomes more challenging. To address data ownership issues you can use a metadirectory system to:

• Enable administrators to define and enforce ownership relationships at the attribute level.
• Allow, block, or reverse changes made to identity information. If a change to data is consistent with the ownership rules it is allowed; otherwise, it is blocked (allowing local control) or reversed.
• Ensure that the departments that own the identity information in a specific directory will maintain that ownership even when that directory is synchronized with other directories in the organization.

Data Source

A data source for the Live@edu solution is any place where you have student information: a directory, database, or other data repository that contains data to be integrated within ILM 2007. Data sources can be enterprise directories (Active Directory, Novell, ADAM, etc.), databases (Oracle, SQL, etc.), or even data in flat files, such as LDIF, DSML or delimited text.

Management Agent

A management agent is a component of ILM that manages the data associated with a specific data source and the connectivity to that data source. The management agent not only connects to the data source, but is responsible for managing the flow of data (inbound and outbound). There is at least one management agent for each data source. For many management agents, ILM 2007 communicates directly with the data source; these are call-based, and examples of such directories are LDAP and Active Directory. For others, where a direct call is not possible, an intermediary file is used, such as AVP, LDIF or fixed width; these are file-based management agents. In some cases, the situation may be more complex: there may be no management agent specifically for the data source, or the data source may, for example, support a mixture of file-based and call-based activities so that a simple file-based management agent is insufficiently feature-rich. In such a case, the extensible management agent allows a developer to create code which instructs the management agent how to communicate with the data source. Management agents are primarily configured by setting their properties within the wizard-like interface in the Identity Manager, the application that manages and configures ILM 2007.

There are occasions when more complex operations are desired than those possible through the user interface (for example, combining the contents of FirstName and LastName to make a displayName); in this case, a management agent can be augmented by .dll extensions produced using Visual Basic .NET or C# or, indeed, any language making use of the .NET Common Language Runtime (CLR). It is not necessary to write code in most basic implementations of Live@edu; however, remember that the capability is there if needed.

Metaverse

The Metaverse is a set of tables within ILM 2007 that contain the integrated identity information from multiple data sources. All identity information about a specific student or object that is stored in multiple data sources is synthesized into a single entry in the metaverse. Each of your students will most likely have a single unique object in the metaverse representing that student.
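The FirstName plus LastName to displayName case mentioned under Management Agent is the classic reason to write a rules extension. The following is an added example written for this guide's discussion, not code shipped with Live@edu or ILM 2007: a C# class implementing the Microsoft.MetadirectoryServices.IMASynchronization interface that ILM 2007 calls from a management agent's advanced import attribute flow. The attribute names FirstName, LastName and displayName follow the text; the flow rule name "cd.displayName" and the class name are assumptions, and the rule must be configured in the management agent's import attribute flow as an advanced (rules extension) flow with that name.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example (not from the guide): ILM 2007 rules extension for a student
// data source management agent. Only MapAttributesForImport does real work.
public class StudentSourceExtension : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    // Called by the sync engine for every advanced import flow rule on this MA.
    // The flow rule name "cd.displayName" is an assumption; it must match the
    // name given to the rules-extension flow in the MA's import attribute flow.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "cd.displayName":
            {
                // Read each source attribute only if the data source supplied it;
                // reading .Value of an absent attribute throws.
                string first = csentry["FirstName"].IsPresent ? csentry["FirstName"].Value.Trim() : "";
                string last  = csentry["LastName"].IsPresent  ? csentry["LastName"].Value.Trim()  : "";
                string display = (first + " " + last).Trim();

                if (display.Length == 0)
                    mventry["displayName"].Delete();   // never flow an empty name; clear a stale one
                else
                    mventry["displayName"].Value = display;
                break;
            }
            default:
                // An unknown rule name means the MA configuration and this assembly
                // disagree; fail the flow so the error shows in the run history.
                throw new EntryPointNotImplementedException();
        }
    }

    // The remaining IMASynchronization members are not used by this MA. ILM 2007
    // only calls them when the corresponding rule is set to use a rules extension.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }
    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
    public bool FilterForDisconnection(CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

Compile it against Microsoft.MetadirectoryServices.dll from the ILM installation, copy the resulting assembly to the Extensions folder, and name it on the management agent's Configure Extensions page. Leaving the unused interface members throwing EntryPointNotImplementedException is the conventional pattern: a mis-configured rule then fails visibly in the run history instead of silently flowing nothing.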


Connector Space

The connector space is both a storage area and a staging area. It stores the different states that are used to decide whether information in a data source has changed, or needs to be changed. It is also where changes are staged on their way into or out of ILM 2007. Each data source has its own logical area in the connector space, which is managed by its corresponding management agent. The connector space is essentially a mirror of the related data source, with each object in the data source having a corresponding entry in the connector space. The connector space does not contain the data source object itself, but a subset of the object's attributes, as defined by the management agent.

Provisioning

When we think of objects in data sources, they will often be accounts, such as an Active Directory® service account. The term account is often used even for groups, resources, and so on. Provisioning is the creation of accounts in data sources (such as LDAP directories, databases, and e-mail systems). Once provisioned, the account attributes can be managed as those of any existing object. The manual creation (and removal or disabling) of accounts in several systems is administratively burdensome, prone to errors and inconsistency, and leaves potential security gaps. For Live@edu, the act of provisioning refers to the creation of a Windows Live ID account. You can use ILM 2007 to:

• Automatically create accounts (objects) in directories, based on their addition in one (authoritative) directory.
• Continue to manage those accounts, including removal (de-provisioning) and disablement.

Provisioning will occur within ILM 2007 to create the Windows Live IDs in the Windows Live environment. The Windows Live Management Agent will be entrusted to handle this task on behalf of ILM 2007. This management agent will take the e-mail address of the student to be provisioned from the data source, connect to the Windows Live server, create the account and then return the confirmation to ILM 2007. Similarly, should a user's account need to be evicted (deleted) from the school namespace, the management agent will again connect to the Windows Live server to evict the account.

NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. This guide does not cover Exchange Labs provisioning.

Running a Synchronization

During development, a management agent is executed by means of the user interface. In production systems, it is desirable to run management agents in sequence without user intervention, both on a scheduled basis and occasionally in response to specific events (for example, the submission of a new student registration). Such automated execution of management agents is achieved using the WMI functions of ILM 2007 in conjunction with a scheduling agent (described in detail later).
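As an added example for the scheduled execution described in this section (not a script from the guide), the following C# console program drives a fixed sequence of management agent run profiles through the ILM 2007 WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute). The management agent names and run profile names in the Steps table are assumptions: use the ones created in Identity Manager for your deployment. The program stops at the first run whose status is not "success", so that a failed import is never synchronized and exported to Windows Live.

```csharp
using System;
using System.Management;

// Added example (not from the guide): run a fixed chain of ILM 2007 run profiles
// through WMI, for use from a Windows scheduled task. The account running it
// must be a member of MIISOperators (or MIISAdmins).
public static class SyncRunner
{
    // The ILM 2007 WMI namespace (inherited from MIIS 2003).
    const string Namespace = @"root\MicrosoftIdentityIntegrationServer";

    // Assumed names: a student data source MA and the Windows Live MA, with the
    // run profiles an administrator would typically create for each.
    static readonly string[][] Steps =
    {
        new[] { "Student Data MA", "Full Import"          },
        new[] { "Student Data MA", "Full Synchronization" },
        new[] { "Windows Live MA", "Export"               },
        new[] { "Windows Live MA", "Delta Import"         },
    };

    // Runs one profile on one MA and returns the engine's status string
    // (the same text shown in the Identity Manager run history).
    public static string RunProfile(string maName, string profileName)
    {
        var scope = new ManagementScope(Namespace);
        scope.Connect();
        var query = new ObjectQuery(
            "SELECT * FROM MIIS_ManagementAgent WHERE Name = '" + maName.Replace("'", "''") + "'");
        using (var searcher = new ManagementObjectSearcher(scope, query))
        {
            foreach (ManagementObject ma in searcher.Get())
            {
                object result = ma.InvokeMethod("Execute", new object[] { profileName });
                return result == null ? "no-result" : result.ToString();
            }
        }
        throw new InvalidOperationException("management agent not found: " + maName);
    }

    public static int Main()
    {
        foreach (string[] step in Steps)
        {
            string status = RunProfile(step[0], step[1]);
            Console.WriteLine("{0} / {1}: {2}", step[0], step[1], status);
            // Stop the chain on anything other than a clean run so that a bad
            // import is never synchronized and exported to Windows Live.
            if (status != "success")
                return 1;
        }
        return 0;
    }
}
```

Schedule the compiled program from a Windows scheduled task and have the task report on its exit code; a non-zero exit means a step was skipped and the run history should be examined before the chain is re-run.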


Extensible Management Agents

Management agents allow ILM 2007 to connect to a wide variety of different data sources and manipulate data from them. While most of the management agents provide connectivity to a specific connected data source, the extensible management agent expands the ILM 2007 connectivity options by allowing developers to build any connection they want by creating code within the confines of a management agent. Information is provided in the ILM 2007 developer reference help files and on MSDN.

State Based System

ILM 2007 is a state-based system. There are advantages to this (particularly robustness) as well as potential disadvantages (extra processing and storage), but the actual result is a very effective and flexible compromise. ILM 2007 stores a hologram for each external object of which it is aware; this hologram represents the current view of the data stored in each data source. During a subsequent import of the data from the data source, the imported object data is compared with the hologram. If any differences are detected between the two (for example, the values for the Student Type attribute do not match, or a new or missing object is detected), a change is inferred and the change is passed to the ILM 2007 Sync Engine to be propagated through the metadirectory.

In a deployed system, management agent runs are invoked by scheduled scripts, which are run either on a scheduled basis or in response to external events (for example, a web portal could invoke a run to ensure that accounts requested through the portal are created). ILM 2007 then asks for data: it is a pull system, which avoids the need for a push agent on each data source. ILM 2007 can also work with Delta Import (i.e. imports of only those objects that have changed; Exports, as it happens, are always delta in nature). Some data sources support this already, others may be able to with some modification, and yet others simply cannot support this feature. Where deltas can be used, there are considerable savings in processing time (traffic and state comparisons). Depending on how many students are being processed by the system and the frequency of the processing, designing the data source to provide ILM 2007 with delta updates may be extremely important. ILM 2007 can work entirely with Full Imports, minimizing the intrusion on data sources; additionally, it is sometimes necessary to use a Full Import (for example on initial import or when recovering from a data source failure).

Operations

This section discusses common operational and maintenance related tasks that need to be performed on the ILM 2007 server to ensure the solution is backed up and stable. Additionally, common troubleshooting methodology is outlined to assist in dealing with operational errors.

Backup and Restore of ILM 2007

Microsoft Identity Lifecycle Manager 2007 is composed of two primary pieces: the ILM 2007 application and the SQL Server database that stores the configuration and identity information. These pieces together are used to complete the synchronization of data between the connected directories. Since there is a logical separation between the two parts of the application, disaster recovery needs to be approached accordingly.


ILM 2007 Application

The ILM 2007 server contains the installation of the ILM 2007 application along with the rules extensions, scripts, configuration files, log files and data files that are used to run the day-to-day operations. A backup of the files associated with the ILM server is needed to restore or fail over the complete ILM solution on a different server. The entire directory containing the ILM installation will need to be backed up. The default directory, unless it has been modified on installation, is c:\Program Files\Microsoft Identity Integration Server.

ILM 2007 Database

In addition to the ILM application and associated files, the MicrosoftIdentityIntegrationServer database is stored in a SQL Server. This server can be the local server that runs ILM, or another dedicated SQL Server. All of the configuration and run history, as well as all objects in the connector space and Metaverse, are stored in this SQL Server. Additionally, some of the files, such as the extensions in the c:\Microsoft Identity Integration Server\Extensions folder, are stored in SQL as binary entries. When a database restore is completed, these files are extracted out of the database and stored on the server.

There are several methods to fail over the ILM application. Depending on what fails (server, servers, network, site, SQL Servers due to a SQL-related virus, etc.), it might be necessary to modify the disaster recovery plan. The following plans cover common scenarios for failing over the ILM application.

Disaster Recovery Plan 1 (SQL Outage)

The main focus of a SQL disaster recovery plan is to restore the SQL database on the local server or another server and then re-install ILM to point to the database (if it is on a different server). Since all of the run history, management agent data, and synchronization information is stored in the database, restoring the database will bring you back to the state when the backup was taken. Please refer to the ILM documentation on how to restore the MicrosoftIdentityIntegrationServer database, specifically "Restoring Microsoft Identity Lifecycle Manager 2007" in the main help. After recovering from a SQL outage, running a full import may be necessary to refresh the data in the connector spaces.

Disaster Recovery Plan 2 (ILM Server Outage)

A failure of the ILM server should not result in any data loss; however, there are other critical components on the ILM server. For example, all of the source code, backup keys, operations scripts and any information in the MAData folder will be lost if you restore by reinstalling ILM. From this standpoint it is important to also have file system backups of the Microsoft Identity Integration Server folder. If you have the encryption keys mentioned above, the easiest way to recover from an ILM server outage is to reinstall ILM 2007 and the Windows Live Management Agent and point it to the existing SQL Server database. Once you provide the encryption keys and restore the supporting files in the proper folders, you should be up and running. Again, refer to "Restoring Microsoft Identity Lifecycle Manager 2007" in the ILM 2007 help.


List of Maintenance Operations

The table below provides a quick reference for those product maintenance tasks that the System Administrator should perform on a regular basis. This list summarizes the tasks that are required to maintain ILM operations. There are more best practices listed in the Help File of your ILM server.

Frequency: Daily
Tasks: View and examine the results of all the ILM management agent runs from the Identity Manager Operations interface (see the "Identity Manager" section below). Examine the Run History to determine if it needs to be backed up and cleared.

Frequency: Weekly
Tasks: Resolve issues reported by your customers.

Frequency: As needed
Tasks: Understand and, if needed, fix all events reported in the Event Log.

Frequency: As needed
Tasks: Disconnect objects that were incorrectly joined and make sure they are properly joined at the next synchronization cycle.

Frequency: As needed
Tasks: When bad data is found through ILM, take the proper steps to ensure that the owner of this data fixes it at the source.

Frequency: As needed
Tasks: Back up and clear the run history of ILM.


Backing up Management Agents

Once you have your Windows Live ILM implementation up and running, it's a good idea to back up the management agents by exporting them in XML format.

1. To back up your management agents, highlight a management agent in the management agent window, then, from the Actions menu, select Export Management Agent.

2. Save the management agent configuration file to a location on your hard drive.

3. To import your MA to a new or restored ILM implementation, from the Identity Manager, click Import Management Agent.

4. Select the XML file for the management agent you want to import and click Open.

5. Verify your settings by visiting the configuration tabs in the MA, then click OK.


Section 5: Setting up the Environment
Installation requirements

The following requirements must be installed prior to implementing the Live@edu solution. Please refer to the product documentation for the different products for more details.

Windows Server 2003 Enterprise Edition

ILM 2007 requires Windows Server 2003 Enterprise Edition. To verify that your server meets the minimum hardware requirements and for instructions about installing Windows Server 2003, Enterprise Edition, see Installing and Upgrading the Operating System at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=36737). Please install the latest version of Windows Server 2003 with any appropriate service packs and hot fixes.

Microsoft SQL Server 2005, or 2000, Standard or Enterprise Edition, Service Pack 3 (SP3)

ILM 2007 utilizes SQL Server as the back-end data store. This allows ILM 2007 to retain all of the configuration settings for ILM 2007 as well as the identity information that is contained in ILM 2007. During installation ILM 2007 creates the database it will use as its data store. ILM 2007 requires SQL Server 2000 with Service Pack 3a (SP3a) or later. This means that SQL Server 2000 must be installed first and then the SQL Server 2000 Service Pack must be applied.

ILM Service Account and Security Groups

ILM 2007 requires a service account to be configured to run the ILM 2007 service. When installing ILM 2007, you must create an account that will be used to run the ILM 2007 service. This account is known as the ILM service account. This account must be a domain account if the SQL Server is not installed on the ILM 2007 Server. If SQL is installed locally, the service account may be a local account. Additionally, there are five security groups that need to be configured. ILM 2007 creates three groups during installation that control which tasks in the Identity Manager users can perform. The following groups are created by ILM 2007:

• MIISAdmins: Members of this group have full access to everything in the Identity Manager.
• MIISOperators: Members of this group have access to Operations in the Identity Manager only. MIISOperators can run management agents, view synchronization statistics for each run, and save the run histories to file. Members of the MIISOperators group must also be members of the MIISBrowse group to open links in the synchronization statistics.
• MIISJoiners: Members of this group have access to Joiner and Metaverse Search in the Identity Manager. MIISJoiners can join or project disconnectors using Joiner, and use Metaverse Search to view object properties and disconnect objects from the Metaverse.

ILM 2007 also creates two security groups during installation that do not have access to the Identity Manager, but are used for authentication during password management operations:

• MIISBrowse: Members of this group have permission to gather information about a user's lineage when doing password reset operations with Windows Management Instrumentation (WMI) queries.
• MIISPasswordSet: Members of this group have permission to perform all operations using the password management interfaces with WMI. Members of this group inherit all MIISBrowse permissions. For more information about setting passwords using WMI, open the ILM 2007 Developer Reference.

Typically it is best to create the service account and security groups before you begin setup; otherwise the person running the ILM 2007 installation will have to have rights in the domain to create the groups through the setup program. After ILM 2007 is installed, add your user account to the MIISAdministrators group (or whatever name you chose for the group). Adding yourself will allow you full control of ILM 2007. Note: You must log out and log back in before security group membership will take effect.

Microsoft Identity Lifecycle Manager 2007

To install ILM 2007, you use the ILM Install Wizard. The wizard allows you to customize the installation of ILM 2007 depending on your environment. The following list describes the options that are available in the wizard during a complete setup:

• License Agreement - You must accept the terms in the license agreement to continue with the installation.
• Setup Type Complete - Selecting this option allows you to specify the values for the Store Information, the Service Account Information, and the Group Information options. The remaining options will be installed with their default values.
• Store Information - You use the Store Information option to specify information about the SQL Server that will be hosting the ILM 2007 database. You can choose between a local and a remote SQL Server, and between the default instance and a named instance of SQL Server.
• Service Account Information - Use the Service Account Information option to specify the account to be used for the ILM 2007 service. This account must already exist.
• Group Information - ILM 2007 uses five different security groups to provide different levels of access. The Group Information option is used to specify the names of these five groups. If the groups do not exist, the wizard will create them. In addition to creating the groups, the wizard will add the user account being used to perform the installation to the ILMAdmins group. This option is only available if you selected the Custom setup type.

When the installation is complete and before you can run the Identity Manager, you must log off and then log on again to have your new group membership (in the ILMAdmins group) take effect.


Section 6: Creating and Configuring the Data Source Management Agent
Configuring the Data Source Management Agent

There are nine basic steps to configure your data source management agent. These steps will vary depending on the type of data source; however, the overall concepts include the following:

1. Connecting ILM 2007 to the Student Data Source
2. Understanding the Student Data Source Schema
3. Select a Subset of the Source Data
4. Configure Connector Filter Rules
5. Configure Join Rules
6. Configure Projection Rules
7. Configure Import Attribute Flow
8. Configure Deprovisioning
9. Configure Extensions

Using these nine concepts and the details below should allow you to create a management agent that connects to your data source to get the student information.

Connecting to the Student Data Source

ILM 2007 can connect to a wide range of data sources including databases (SQL Server, Oracle), directories (Active Directory, Sun ONE) and files. Depending on which data source type you are working with, you will be presented with different options during the configuration of the management agent that works with that data source.

Database Management Agents

Database management agents generally require a data source name (or server name plus a database name) and the name of the relevant table or view containing the data to be processed. A view is generally preferable to a table as it provides a level of abstraction between the source data and ILM. A view lets you pre-select both the dataset to be processed by ILM and the attributes which are available to ILM; it also means that if the underlying table(s) change, you do not have to reconfigure ILM (you may or may not need to modify the views concerned).


You must supply the security credentials of an account which has the appropriate permissions in the target system, i.e. it must at least be able to read the data, and be able to write to the database appropriately if changes are to be exported from ILM into this database. Note: The table or view you specify for Full Import is also written to during Export. Not all views can be written to in this way, a detail that will have to be taken into account during design. It is not common that you will need to export to the data source when implementing a basic Live@edu solution.

LDAP Management Agents

LDAP management agents, such as the eDirectory, ADAM and Sun ONE Directory Services management agents, typically require the specification of a server and TCP port to which to connect, as well as a security account which has the appropriate permissions to the directory concerned. Active Directory is a little more complex, requiring a forest and domain and providing for preferred domain controllers. You can generally specify secure communication where available (e.g. SSL/SASL or Sign & Seal).



File-based Management Agents

Because a file-based management agent does not communicate directly with its Connected Data Source, you do not connect; instead you provide the name and location of a template file.

Understanding the Student Data Source Schema

Before you can identify the object types and attributes to be managed by a management agent, the data source's schema must be established, a process which the management agent uses to identify which object types and attributes are available. Different management agents handle this process differently. Some data sources do not have extensible schemas, in which case the management agent already knows the predefined schema for that data source.

Management Agent Schemas

The following list describes schema discovery approaches for each management agent.

Management agents that support the dynamic discovery of the source directory or database:
• Active Directory
• Active Directory Application Mode (ADAM)
• Active Directory global address list (GAL)
• Microsoft Exchange Server 5.5
• Microsoft Exchange Server 5.5 (bridgehead server)
• Novell eDirectory
• Sun ONE directory services
• Microsoft SQL Server
• Oracle Database

Management agents with a fixed schema that models the database structure:
• Windows NT 4.0
• Lotus Notes

Management agents that require the discovery of the data in the sample file:
• Delimited text file
• Fixed-width text file
• Attribute-value pair text file (AVP)
• Directory Services Markup Language (DSML)
• LDAP Data Interchange Format (LDIF)

Anchor Attributes

The anchor attribute contains the unique value that links an object in the data source to its object in the connector space. Management agents can make educated assumptions about anchor attributes. Here are some examples:

SQL Server management agents will offer (as a default) the primary key of the source table if it is defined, although you can override this if necessary (this default won't work where a view is used). You can assume that other database management agents behave like this (e.g. Oracle).

With AVP, delimited or fixed-width management agents you must define the anchor. It is a reasonable assumption that other text management agents behave like this.

In the Active Directory management agent the DN is treated as the anchor, and during account creation a unique DN will be generated. The way the management agent actually keeps track of AD accounts is through the AD GUID, although this takes place under the covers and you don't actually see it. In this way, a DN can be changed in AD, resulting in a rename at the next import. Renames cannot happen in simple anchor cases like SQL Server or AVP. Most other LDAP-based management agents behave much like this (e.g. ADAM, Sun ONE, Lotus Notes, eDirectory).

LDIF and DSML management agents must contain a DN attribute, and you must either define this DN as the anchor attribute or select another attribute as the anchor. The full explanation isn't appropriate here but, in summary, if you have the DN as the anchor as well, it isn't possible for ILM to detect a rename (i.e. if the object has moved, ILM can't keep track of it). Renames can be recognized through the special MOD DN and MOD RDN change types.

Object Types and Attributes

LDAP management agents (like AD, ADAM) allow you to pick object classes and attributes from a list. With database management agents, you define a view to contain the appropriate records and fields. All of the attributes discovered are then processed. Similarly, the columns or attributes discovered in a template file will determine which attributes are imported and exported by a file-based management agent. The object types and attributes available in the data source are reflected in the ILM system by the generation of a schema for the connector space. It is sometimes required to specify additional details for an attribute if the management agent is not able to identify those details from the data source. Where the management agent understands its source system very well (the Active Directory management agent, for example) there is no need (or possibility) to modify the attributes which will be created in the ILM system. However, for file-based management agents, and to a more limited extent for database management agents, it is possible to modify the attribute details. You can specify (for example) the data type, the length of the data (minimum and maximum), whether the attribute will store a reference to another object, and whether the attribute is multi-valued.

Select a Subset of the Source Data

For both fundamental design reasons and for improved performance you may wish ILM to process only a subset of the data stored in the connected data source.

Database management agents

Database management agents import all the records and all the fields (columns) in the specified table or view. Intelligent design of a view as a source for the management agent will provide the appropriate data subset for the management agent.

LDAP management agents

LDAP connected data sources potentially contain multiple partitions (e.g. naming contexts or domains) as well as hierarchical container structures within those partitions, and LDAP management agents support the selection of subsets of both these elements. You can select one or more partitions along with one or more of the containers within each partition. You are next asked to select object classes to process and their attributes. The management agent will then process all the objects of the selected types within the selected containers within the selected partitions.

File-based Management Agents

Since a different file is typically used for export and import runs, the file to be used is specified in the run profile (rather than in the management agent itself). Such import files are processed in their entirety, so configuration of a data subset for file-based management agents is performed by the process which generates the text file for the management agent.

Configure Connector Filter Rules

A staging object that is not linked to a metaverse object is called a disconnector object. A connector filter determines whether an object should stay a disconnector object in the connector space. Thus, the connector filter prevents these objects from being further processed by the synchronization and rules engine and even disconnects objects that are already connected (with the exception of explicit connectors, those that have been manually joined). Connector filters are not required. They are used to prevent unwanted objects from being synchronized with the metaverse.

Refine Further by Using Filters to Select Subsets

When we think of filters, we tend to think of subsets of data, and a clear distinction needs to be made between the data subset that is imported (staged) from the data source to the connector space, as already discussed, and the subset of staged data to be held in the connector space as disconnectors. An example of use would be where you have objects in the connector space that, while not actually deleted in the data source, are no longer active and therefore do not need to be represented in the metaverse. This could be filtered out at source and therefore not imported, but this may not be convenient or even achievable. Another example might be if your Active Directory included an attribute named status that was set to contain the current status of each person in the student list (such as Student, Alumni, or Applicant). You may not want to assign Windows Live IDs to Applicants since they are not yet students. A filter can be used to prevent data related to applicants from being added to the metaverse during synchronization.

Configure Join Rules

Join rules determine whether there is an existing metaverse object to which to join a connector space object. If the join criterion is met, the connector space object is linked to that metaverse object. A join rule is made up of one or more conditions which compare connector space object attribute values and metaverse attribute values, looking for matches. As each connector space object is considered, if all conditions are met for a given metaverse object then that object becomes a candidate for joining. If this is not the case, the next rule in the specified order will be tested, and so on. Unless you are integrating the Live@edu solution into an environment where you have an existing ILM 2007 installation, you will most likely not need to configure a join rule. Instead you will configure a projection rule. In a disaster recovery scenario, for example, you would join a disconnected object to its metaverse object by its mail address.

Configure Projection Rules

Projection rules govern the conditions under which a new metaverse object is created from a connector space object. Projection rules are responsible for determining if projection into the metaverse should occur and the appropriate object type to employ. Projection rules differ from join rules in that during a join process the metaverse is searched for existing objects; during the projection process, projection rules determine whether or not a new object is created in the metaverse so that other connector space objects can link to it. Management agents apply projection rules to objects where a join has failed or join rules were not configured.

Note: At least one of your management agents must have a projection rule or you'll never get any data in the metaverse. You need to define a projection rule for your object type so that ILM 2007 will create the objects in the metaverse for each of the imported students (except those filtered out). You will typically choose to project your students through a declarative rule to the person object type.

Configure Import Attribute Flow

ILM 2007 uses connector space objects to store data moving from and to the connected data sources during import and export operations. ILM 2007 uses metaverse objects to store the data in the metaverse. The process of moving data between connector space objects and metaverse objects is called attribute flow. Attribute flow occurs during synchronization and is governed by attribute flow rules. Attribute flow rules are scoped by data source object type and metaverse object type and can be defined with the following options:

- Direct: simple flow of a value from one attribute into another attribute
- Advanced: either a rules extension, a constant value to be flowed into an attribute in every case, or a chosen element of a DN to be flowed into an attribute
- Import: from connector space to metaverse (inbound attribute flow)
- Export: from metaverse to connector space (outbound attribute flow)

If you want to create a custom attribute in Metaverse (for example, TempPassword), use the Metaverse Designer tool. In Identity Manager, click Metaverse Designer.

Click Add Attribute from the Attributes Action list.

Click the New attribute button, type the attribute name, select the attribute type and click the tick box next to Indexed. Click Ok. The Metaverse attribute is now ready to be used.

Import flow rules

Import flow rules specify how attribute values should flow from the data source via the connector space to the metaverse. You specify the source attribute from the connected data source and the destination metaverse attribute. You will need to create flow rules for any information that is interesting to Windows Live. A prime example of this is importing the e-mail address of the students into the mail attribute in the metaverse.

Direct flow rules

You can specify direct flow rules which simply copy the value from source to destination.

Advanced rules

You can also specify advanced rules which allow you to specify flow calculations with rules extensions, for example allowing the flow of a component of a distinguished name into a destination attribute as a string. Finally, a common advanced mapping type is the constant option. This allows you to specify a string value that will flow into the metaverse object for all linked objects of this type. Advanced attribute flows are discussed in more detail in the ILM 2007 Developer Reference help file.

Configure Deprovisioning

Deprovisioning is the action applied to the connector space object as a result of either the deletion of its connected metaverse object or a direct call for deprovisioning of the connector space object from a piece of code. For Live@edu, you will want to check the box next to Do Not Recall Attributes and leave the radio button set to Make them disconnectors so that you don't start deleting objects from your data source.

Make them Disconnectors: If the objects become disconnectors, then every time a synchronization run of the management agent is performed they are run against the filter, join and projection rules, perhaps resulting in an object joining to a metaverse object again if a join rule was specified.

Make them Explicit Disconnectors: If the objects become explicit disconnectors, then they are not run against the filter, join and projection rules when a synchronization run of the management agent is performed, and thus will never rejoin to a new metaverse object even if a new match becomes available, unless the join is performed manually with the Joiner tool.

Stage a Delete: You can put the connector space object into a pending delete state; when the next export run is performed the corresponding data source object will be deleted.

Rules Extension: Determine via a rules extension, in which you will have to provide code to make the decision on what to do with the object.

Configure Extensions Extensions are code that is written, compiled, and configured for use with ILM 2007 that makes it possible to add functionality to the rules provided in Identity Manager. They are not necessary for a basic Live@edu implementation but allow for customized and extended functionality.

Section 7: Installing and Configuring the Export Management Agent

NOTE: This Admin Guide covers provisioning of account to Hotmail Only. This guide does not cover Exchange Labs provisioning

Installing the Windows Live Management Agent

To create and manage accounts in Windows Live, ILM 2007 needs a management agent that knows how to communicate with Windows Live. This is done through the Windows Live Management Agent. Running the installation program will add the Windows Live Management Agent to the ILM 2007 installation that you just completed.

1. Locate the Windows Live Management Agent installation file (WLCDMASetup.msi) and then launch it.

Create the Windows Live (Export) Management Agent

Make sure you are logged into the machine as a user that is a member of the ILM administrators group.

2. Open the ILM Identity Manager console by clicking Start -> All Programs -> Microsoft Identity Integration Server -> Identity Manager.
3. Click Management Agents.
4. On the Actions menu on the right you will see a list of actions that you can perform on a management agent. Click Create to launch the wizard for creating a management agent.

5. Under Create Management Agent, there will be a dropdown list of all of the different installed Management Agents. The fact that each of these management agents is installed on this server means that this ILM installation could potentially connect to and communicate with each type of data source in that list. Select WLCD Management Agent (Microsoft).

6. In the Name text box enter a name that describes the use of this management agent. Click Next.

7. On the Configure Connection Information page, enter your domain administrator credentials. If you are using a certificate for authentication, click Next.

8. On the Configure Additional Parameters page, you can change the value for the name of the log file created during every export to Windows Live.

9. On the Configure Attributes page, as with the other management agent you just created, you could make further configuration changes (for example, setting an anchor), but this has been done already. Accept the default settings. Click Next.

10. On the Configure Object Types page, accept the default settings (as with the other management agents, there is only one type of object, evidently called PassportUser in this case rather than person, so there is nothing to do here). Click Next.

11. On the Configure Connector Filter page, accept the default settings (since the Windows Live Management Agent is export only, you will never have a requirement for a filter). Click Next.

12. On the Configure Join and Projection Rules page, accept the default settings. Join and projection rules are associated with inbound synchronization, which usually applies to imported records; we are only going to be exporting to Windows Live, so there is no requirement for such rules. Click Next.

13. On the Configure Attribute Flow page you must, at a minimum, create a rule to export the e-mail address to Windows Live.
- Ensure that the Data source object type is set to PassportUser
- Ensure that the Metaverse object type is set to person (if applicable)
- Under Metaverse Attributes on the bottom right, select the mail attribute, or whichever attribute you have contributed the e-mail address of the student to from the data source
- Under Mapping Type in the middle, select Direct (this is the default)
- Under Flow Direction in the middle, select Export (ensure that Allow Nulls is unchecked)
- Under Data Source Attributes on the bottom left, select the SigninName attribute
- Click New

14. Verify that the attribute flow is configured similar to the figure below:

15. Click Next. This rule will allow the mail attribute that we contributed to the metaverse from the student data source to flow out to the SigninName in Windows Live using a direct export rule.

Passport User Attributes

The SigninName string represents the member name (e-mail address). Windows Live ID e-mail names must conform to SMTP RFC 822 for the user name portion of the e-mail address and RFC 1035 for the domain portion. Some exceptions are made:
- 50 characters max
- No UNICODE
- First character must be a letter (must be in ASCII code range of 97-122, 65-90)
- Period (ASCII 46) allowed except for the first and last characters, but cannot have two adjacent periods
- All other chars must be in ASCII code range of 48-57 (numbers), 65-90 (uppercase), 95 (underscore), 97-122 (lowercase)
- All other characters are disallowed
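The SigninName rules above are worth checking in the feed before an export run, because a rejected name surfaces only as an export error. The following is an added example, not code from this guide or from the Windows Live Management Agent: it encodes exactly the listed rules for the user-name portion, and check_feed applies them to constructed sample addresses. The function names are assumed.

```python
"""Validate the user-name portion of a Windows Live ID SigninName.

Added example, not part of the Live@edu guide or the management agent:
it encodes the SigninName rules listed above so a provisioning feed can
be checked before it is exported. validate_signin_name and check_feed
are assumed helper names.
"""
import re

MAX_LEN = 50
# Characters allowed anywhere after the first: digits (48-57), uppercase (65-90),
# underscore (95), lowercase (97-122) and the period (46), which gets its own checks.
ALLOWED = re.compile(r"^[0-9A-Z_a-z.]*$")


def validate_signin_name(local_part: str) -> list:
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not local_part:
        return ["empty"]
    if len(local_part) > MAX_LEN:
        problems.append("longer than 50 characters")
    if not local_part.isascii():
        problems.append("contains non-ASCII (Unicode) characters")
        return problems  # the remaining checks assume ASCII input
    first = local_part[0]
    if not (("A" <= first <= "Z") or ("a" <= first <= "z")):
        problems.append("first character is not a letter")
    if local_part[-1] == ".":
        problems.append("last character is a period")
    if ".." in local_part:
        problems.append("adjacent periods")
    if not ALLOWED.match(local_part):
        problems.append("contains characters outside digits, letters, underscore and period")
    return problems


def check_feed(addresses):
    """Split e-mail addresses into local part and domain and report which
    would be rejected. Returns {address: [problems]} (empty list = acceptable)."""
    report = {}
    for addr in addresses:
        local, _, domain = addr.partition("@")
        probs = validate_signin_name(local)
        if not domain:
            probs = probs + ["missing domain"]
        report[addr] = probs
    return report


if __name__ == "__main__":
    # Constructed sample feed, not real student data.
    for addr, probs in check_feed(["jane.doe_01@wledutraining.com",
                                   "bad..name@wledutraining.com",
                                   "1student@wledutraining.com"]).items():
        print(addr, "OK" if not probs else "; ".join(probs))
```

Run it against the column of addresses that feeds the mail attribute; anything reported here would otherwise fail at the Windows Live export step.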

Note: Configuring the SigninName is the minimum that you need to do for this management agent; however, there are also other attributes that you can use to change settings or set initial account passwords. The following attributes allow you to flow the following values to specific student accounts.

<dn>: The distinguished name is used as an anchor.

AltEmail: The user's alternate e-mail address. A string with a maximum length of 129 characters. Set this for the students if you know it so that they don't have to call the helpdesk to have the administrators of the solution reset their password if they forget it. Sets only on creation of account, not on update.

Birthdate: The user's birth date. A string with a maximum length of 10 characters in the following format: dd:mm:yyyy. Sets only on creation of account, not on update.

Country: The user's country. A string with a maximum length of 2 characters. Sets only on creation of account, not on update. There is a list of valid Country Codes in Appendix A.

DeleteUser: A boolean value (true or false) that determines whether an account should be evicted from the managed namespace.

Export_password: An attribute used by ILM for password management. Not user configurable.

FirstName: A member's given name. Sets only on creation of account, not on update.

LanguageCode: The member's language. A string with a maximum length of 5 characters. Sets only on creation of account, not on update. There is a list of valid Language Codes in Appendix B.

LastName: A member's surname. Sets only on creation of account, not on update.

MailDisabled: Boolean value (1 or 0) that represents whether a user is blocked from logging in. A setting of 1 indicates that the user is blocked and will not be able to use his or her Windows Live ID to access any services. This might be used to lock a student out of their account while an investigation of invalid behavior takes place. Remember that evicting accounts means that the account can no longer be a member of the university namespace. Blocking a user is a reversible operation, whereas eviction is not.

NetID: A long string representing the user's ID in the Windows Live system. This unique identifier will be assigned by the Live ID servers and does not need to be managed.

OfferAction: A value that performs an action on an OfferName. Can be Add or Remove.

OfferName: A string that represents the OfferID associated with the user, for example, US No Ads. Offers must be configured on the Microsoft system to be valid. If you are having issues with your offer, please contact the Live@edu Ed-Desk (eddesk@microsoft.com).

PostalCode: The user's postal code. A string with a maximum length of 15 characters; United States only. Sets only on creation of account, not on update.

RegionCode: The user's region. A string with a maximum length of 10 characters; United States only. Sets only on creation of account, not on update. There is a list of valid Country Codes in Appendix A.

ResetPassword: A value that determines whether a user should be prompted to change their password during first login.

TempPassword: The temporary initial password for a new Windows Live ID. The password must be reset by the user on initial login. There are several options for managing passwords for the accounts. If you choose to set the initial password to a known value, this is the right value to set. Otherwise you can leave this setting blank and have the Windows Live Management Agent create a password for you, in which case the password would be available in the log file for you to communicate to the students. Please see the Password Management section of this document for more information.

TimeZone: The user's time zone. This setting is important to set for the students so that features such as the calendar are properly experienced. If the time zone is not set, then the mailbox defaults to GMT. Sets only on creation of account, not on update. There is a list of valid time zones in Appendix C.

16. On the Configure Deprovisioning page, accept the default settings, which should be Make them disconnectors. This will prevent your users from inadvertently getting evicted from the Windows Live namespace. Click Next.

17. On the Configure Extensions page, if you are using password synchronization with Active Directory, click the Enable Password Management tick box; otherwise, click Finish.

Enable Provisioning ILM 2007 uses the term provision to describe the process that it goes through to create a new account. For ILM 2007 to be able to create new accounts in Windows Live you must first enable provisioning. Typically using ILM 2007 to provision (create) accounts requires some code to be written so that it knows how to properly create those accounts. The Live@edu installation has already taken care of this for you by placing the compiled code into the correct folder. The compiled code is referred to as a Metaverse Rules Extension. You will need to configure ILM 2007 to use that Metaverse rules extension to create accounts in Windows Live. This is done by pointing ILM 2007 to the rules extension that was installed on the machine during setup of the Windows Live Management Agent and checking the box to enable provisioning.

18. In Identity Manager, on the Tools menu, click Options.

19. On the Configure Extensions dialog box, click Enable Metaverse Rules Extensions.
20. To pick the name of the Rules Extension from the list of files in the Extensions folder, click Browse.
21. Select WLCDMVExtensionLoader.dll from the list of file names.
22. Click OK. You should see the filename WLCDMVExtensionLoader.dll that you selected in the Rules extension name field.
23. Click Enable Provisioning Rules Extension.
24. Click OK.

Section 8: Configure XML Files
Configure XML Settings

You must configure XML file settings to reflect the configuration of your environment. For the Windows Live Management Agent to be adaptable to the needs of different schools there are certain settings that need to be configured specific to each implementation. During installation, the default files were copied to the appropriate folder. The XML configuration files are located in the Extensions folder of the ILM 2007 installation path, usually C:\Program Files\Microsoft Identity Integration Server\Extensions. There are two XML files in total that may need to be configured. They are:

WLCDGlobalConfig.xml

This XML file uses elements that the management agent uses to apply global account attributes and controls for a domain, such as certificate authentication, offers, and global user attributes. The WLCDGlobalConfig.xml contains settings that apply to all Windows Live member accounts provisioned with ILM. It may be opened with Notepad as a text file for ease of viewing and editing. You will need to change values for at least the DefaultOfferName and Domain name elements to reflect the offer and domain name assigned to you. This file resides in the ILM Extensions directory (usually c:\program files\microsoft identity integration server\extensions). Here is an example WLCDGlobalConfig XML file:

Elements

An element in XML is defined as a unit of XML data, delimited by tags. An XML element can enclose other elements. The following elements make up the body of the management agent Global Configuration XML file:

<DefaultCert>: If using a certificate for authentication, the elements Subject and Issuer need to contain the strings for both Subject and Issuer from the Windows Live Admin Center Control Panel in the SDK menu.

<Subject>: Contains a value such as E=ed-desk@microsoft.com, CN=sapipartner.com, O=OXFORD Computer Group, C=US, copied from the Windows Live Admin Center SDK Control Panel.

<Issuer>: Contains a value such as CN=Microsoft Secure Server Authority, DC=redmond, DC=corp, DC=microsoft, DC=com, copied from the Windows Live Admin Center SDK Control Panel.

<DefaultOfferName>: Contains a value such as US No Ads.

<DefaultResetPassword>: Controls whether members have to reset their password during the initial login experience. This element can contain the values True or False.

<Url>: Contains the URL for the Windows Live Admin Center administration website for provisioning accounts, such as https://domains.live.com/service/ManageDomain2.asmx.

<Domain name="">: Contains the value of your fully qualified domain between the quotation marks, such as wledutraining.com.

<DefaultUserAttributes>: Contains values for the attributes below that will be applied globally to all member accounts.

<Country>: Contains a value representing a member's country code for a domain. See Appendix A.

<LanguageCode>: Contains a value representing a member's language code for a domain. See Appendix B.

<OfferName>: Contains a value representing a member's offer, such as US No Ads.

<TimeZone>: Contains a value representing a member's time zone. See Appendix C.

<PostalCode>: Contains a value representing the member's postal code.

<RegionCode>: Contains a value representing the member's region code. See Appendix D.

<BirthDate>: Contains a value representing a member's default birthdate. BirthDate is in the format DD/MM/YYYY.

Note: Global attributes from the XML are only set on member accounts upon account creation. Setting the attribute values after provisioning accounts will not update them.

WLCDProvisioningConfig.xml

This XML file controls the settings that are relevant to ILM 2007 and how you have it configured. You will need to edit this file for the solution to work properly. This XML file is used to identify the name of your export management agent and enable account creation of Windows Live IDs in ILM 2007. Other elements may also be set in this file to identify and customize your ILM environment, such as MVEntryObject and MVEntryAttribute, if you customized them. An administrator can also use this XML file to filter domains and add custom assemblies for added functionality, or specify more than one export management agent. You will need to enter the name of your management agent in the Name element and (optionally) the MVEntryObject and the MVEntryAttribute. This file resides in the same ILM extensions directory (usually c:\program files\microsoft identity integration server\extensions) as the WLCDGlobalConfig. The following is a sample WLCDProvisioningConfig XML:

Elements

<rules-extension-properties>: Wrapper element for the contents of the file.

<account-provisioning>: Wrapper element that contains multiple ManagementAgent elements.

<ManagementAgent>: Contains several sub-elements specifying the attributes to which this rules extension applies. There should be one ManagementAgent element for each Windows Live Management Agent in ILM 2007.

<Name>: The name of the export management agent for connecting to Windows Live Admin Center. The XML file's default management agent name is Windows Live Custom Domains Management Agent. This value should reflect the exact name of the Windows Live Management Agent as it appears in ILM 2007. It is a good idea to copy and paste from the Name field in the management agent properties window to ensure they match.

<MVEntryObject>: The type of the Metaverse Entry Object containing member account information; the XML file's default MVEntryObject is person. Usually it is set to person. This value should match that used in configuring the management agent's attribute flow.

<MVEntryAttribute>: The name of the Metaverse Entry Attribute containing member accounts; the XML file's default MVEntryAttribute is mail. This is the attribute inside the object defined by MVEntryObject which contains the e-mail address of the specified user to be exported. Usually set to mail, or another attribute where you have previously set up the writing of the Windows Live e-mail address.

<Domain>: The domain to which the rules extension applies. If you only have one e-mail domain that you have set up with Live@edu, this is the domain that should appear here (wledutraining.com). This element may be repeated.

<Filter>: Contains a Boolean value, true or false, indicating whether to filter the domain. If the tag is true, the filter limits the users to be exported to the management agent named above to only those in the domain specified by Name below. In other words, anyone whose domain does not match will not be exported by the Windows Live Management Agent that you are currently configuring.

<Name>: The domain specified for filtered exports. Only used if Filter is specified.

<add-assemblies>: A node that contains multiple assembly elements and configures the Metaverse extension DLLs that are to be used by ILM 2007.

<assembly name="WLCDMVExtension.dll">: The name of the assembly to run. You can copy and paste additional assembly names if you are running other rules extensions.

<assembly>: Specifies an additional assembly linked to this rule. The name attribute of this element specifies the name of the DLL file that contains the Metaverse Rules Extension.

Note: If you have multiple Windows Live Management Agents in ILM 2007, you must create a <ManagementAgent> node with all the required data for each one.

Configure Offers

OfferName and OfferAction are two attributes in version 3 of the Windows Live Management Agent that ensure accounts receive the Live@edu offers for your domain. All accounts must have their OfferName and OfferAction configured. Your offer name is provided to you by the Live@edu Ed-Desk (ed-desk@microsoft.com) when they configure your domain as a Live@edu domain. Appropriate offer actions are Add and Delete.

Attribute Flow

In the Attribute Flow scenario, the values for OfferName and OfferAction are stored in your source data and flowed through ILM in much the same way as the e-mail address. OfferName assumes the OfferAction of Add if it is not specified.

WLCDGlobalConfig

In the Global Config scenario, the values for OfferName are included in the WLCDGlobalConfig XML file and stamped on member accounts at the time of creation.
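Two things in WLCDProvisioningConfig.xml silently stop provisioning when they are wrong: a Name that does not match the management agent exactly, and a Filter that excludes the domain you expected to export. The following is an added example, not code from the guide or from the management agent, that reads a config of this shape and shows which metaverse entries the domain filter would let through. The element names come from the table above; the nesting (Filter and Name inside Domain, one ManagementAgent per export agent) is assumed for this example, and SAMPLE_CONFIG and SAMPLE_METAVERSE are constructed test data.

```python
"""Parse a WLCDProvisioningConfig-style XML and apply its domain filter.

Added example, not the management agent's own code. Element names come
from the guide's table; the exact nesting is assumed, and the sample
config and metaverse entries below are constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<rules-extension-properties>
  <account-provisioning>
    <ManagementAgent>
      <Name>Windows Live Custom Domains Management Agent</Name>
      <MVEntryObject>person</MVEntryObject>
      <MVEntryAttribute>mail</MVEntryAttribute>
      <Domain>
        <Filter>true</Filter>
        <Name>wledutraining.com</Name>
      </Domain>
    </ManagementAgent>
  </account-provisioning>
  <add-assemblies>
    <assembly name="WLCDMVExtension.dll"/>
  </add-assemblies>
</rules-extension-properties>"""

# Constructed metaverse entries: (object type, attribute values).
SAMPLE_METAVERSE = [
    ("person", {"mail": "jane.doe@wledutraining.com"}),
    ("person", {"mail": "staff@partner.example"}),
    ("person", {"mail": "Bob.Smith@WLEDUTRAINING.COM"}),
    ("group", {"mail": "list@wledutraining.com"}),
    ("person", {}),
]


def load_agents(xml_text):
    """Return one dict per ManagementAgent element, applying the file's documented defaults."""
    root = ET.fromstring(xml_text)
    agents = []
    for ma in root.iter("ManagementAgent"):
        domains = []
        for dom in ma.findall("Domain"):
            flt = (dom.findtext("Filter") or "false").strip().lower() == "true"
            domains.append({"filter": flt,
                            "name": (dom.findtext("Name") or "").strip().lower()})
        agents.append({
            "name": (ma.findtext("Name") or "").strip(),
            "mv_object": (ma.findtext("MVEntryObject") or "person").strip(),
            "mv_attribute": (ma.findtext("MVEntryAttribute") or "mail").strip(),
            "domains": domains,
        })
    return agents


def select_for_export(agent, entries):
    """Metaverse entries this configuration would hand to the export agent.

    An entry qualifies when its object type equals MVEntryObject, it carries the
    MVEntryAttribute, and, if any Domain has Filter true, the address domain is
    one of the filtered Domain Names (compared case-insensitively).
    """
    filtered = [d["name"] for d in agent["domains"] if d["filter"]]
    selected = []
    for obj_type, attrs in entries:
        if obj_type != agent["mv_object"] or agent["mv_attribute"] not in attrs:
            continue
        addr = attrs[agent["mv_attribute"]]
        domain = addr.rpartition("@")[2].lower()
        if filtered and domain not in filtered:
            continue
        selected.append(addr)
    return selected


def check_agent_names(agents, installed_names):
    """Configured agent names with no exact match among the installed agents;
    a mismatch means the rules extension provisions nothing."""
    return [a["name"] for a in agents if a["name"] not in installed_names]


if __name__ == "__main__":
    agents = load_agents(SAMPLE_CONFIG)
    print("unmatched agents:", check_agent_names(agents, ["Windows Live MA"]))
    print("would export:", select_for_export(agents[0], SAMPLE_METAVERSE))
```

Feed check_agent_names the names shown under Management Agents in Identity Manager; an empty list is what you want before the first export run.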

Section 9: Additional Settings
Managing MX Records

MX records specify how to route mail to your new e-mail domain. It is critical that these are modified correctly for the proper routing of mail messages to your Windows Live IDs. These records must be modified in your DNS server by the DNS server administrator.

Create DNS MX Entry

For each e-mail domain, an administrator account must be created in the Windows Live Admin Center as mentioned on page 15. Once the administrator account has been confirmed, the mail service is enabled.

Add a Sender Policy Framework (SPF) Record for Each E-mail Domain

To help combat unsolicited e-mail you are encouraged to create an SPF record and add it to the DNS records of your domain. This record will allow the receivers of e-mail from your domain to be certain that the e-mail did indeed come from the domain it purports to be from. This will minimize the chance of it being filtered or rejected by the receiving mail server if that server is checking SPF records. An example of the Sender ID TXT record DNS entry:
v=spf1 include:hotmail.com ~all

Optional: DNS SRV Record

You must create a DNS SRV record for anyone to use instant messaging in their assigned Windows Live Managed Namespace(s) with any company that has rolled out Live Communications Server 2005 with Public IM Connectivity (PIC). The format of that DNS SRV record is:
_sipfederationtls._tcp.<domain name> ttl class SRV 10 2 5061 federation.messenger.msn.com

For instance,
_sipfederationtls._tcp.alumni.university.edu ttl class SRV 10 2 5061 federation.messenger.msn.com
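Because a mistyped SPF or SRV record is only noticed when mail bounces or federation fails, it is worth checking the strings before handing them to the DNS administrator. The following is an added example, not part of the guide: parse_spf splits an SPF TXT record into qualifier and mechanism pairs, spf_covers_hotmail reports whether the record delegates to hotmail.com with a terminating all mechanism as the guide's example does, and sip_srv_record builds the SRV line in the format shown above. The function names and the ttl/class defaults (3600, IN) are assumptions for the example.

```python
"""Check an SPF TXT record and build the SIP federation SRV record.

Added example, not part of the Live@edu guide. Function names and the
ttl/class defaults are assumptions; the guide only gives the record
formats shown above.
"""


def parse_spf(record):
    """Return [(qualifier, term)] for an SPF v1 record, or None if it is not one.
    The qualifier is one of + - ~ ? and defaults to + when absent."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for part in parts[1:]:
        qual = "+"
        if part[0] in "+-~?":
            qual, part = part[0], part[1:]
        terms.append((qual, part.lower()))
    return terms


def spf_covers_hotmail(record):
    """True when the record includes hotmail.com with a pass qualifier and ends
    with an 'all' term, so mail sent through Windows Live passes SPF and any
    other sender gets the configured default (~all soft fail, -all hard fail)."""
    terms = parse_spf(record)
    if not terms:
        return False
    has_include = ("+", "include:hotmail.com") in terms
    ends_with_all = terms[-1][1] == "all"
    return has_include and ends_with_all


def sip_srv_record(domain, ttl=3600, rr_class="IN", priority=10, weight=2,
                   port=5061, target="federation.messenger.msn.com"):
    """Build the _sipfederationtls._tcp SRV record for a Live@edu domain,
    using the priority, weight, port and target from the guide's format."""
    return (f"_sipfederationtls._tcp.{domain} {ttl} {rr_class} SRV "
            f"{priority} {weight} {port} {target}")


if __name__ == "__main__":
    print(spf_covers_hotmail("v=spf1 include:hotmail.com ~all"))
    print(sip_srv_record("alumni.university.edu"))
```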

Section 10: Running the Solution
Once the solution is installed and configured you can create the necessary run profiles and complete the solution.

Data Synchronization

Data flow in ILM 2007 occurs in three phases: import, synchronization, and export.

Importing is the process of retrieving data from a connected data source and storing it in the connector space. Objects must exist in the connector space to store the data being imported. If new objects are needed in the connector space they are created during the import operation. The process of creating the new objects and storing the newly imported data in the connector space is referred to as staging. Once data is staged, it is ready for inbound synchronization.

Inbound synchronization is the process that adds the imported (staged) data to the Metaverse. During the import (staging) operation all data is imported into the connector space, including objects that meet the filtering criteria. All filtered objects in the connector space are ignored during inbound synchronization, so they do not get processed and are not added to the Metaverse. Join and projection rules are applied during inbound synchronization to create Metaverse objects as necessary and connect connector space objects to Metaverse objects. Import attribute flow rules are applied during inbound synchronization to further control exactly what data flows from the connector space to the Metaverse.

Outbound synchronization takes place at the same time as inbound synchronization and is the process of retrieving data from the Metaverse and storing it in the connector space to get it ready for export. Exporting is the process of sending data in the connector space to a connected data source. Outbound synchronization and exporting data are discussed in more detail later in this guide.
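The three phases above, and the connector filter, join, projection and attribute flow rules described in the earlier configuration sections, are easiest to see end to end on a small data set. The following is an added example, not ILM code: a toy model of one synchronization pass in which a staged student list is filtered (the guide's example of a status attribute whose Applicant value is kept out of the metaverse), joined on mail or projected to a person object, flowed into the metaverse with direct and constant import rules, and then flowed out to a PassportUser connector space as the Windows Live export step would see it. All rule definitions, attribute names and the sample records are constructed for this example.

```python
"""Toy model of one ILM 2007 synchronization pass.

Added example, not ILM code. It models the stages the guide describes:
stage, connector filter, join or projection, import attribute flow, then
outbound flow into the export connector space. Rules and data are constructed.
"""


def connector_filter(cs_obj):
    """Connector filter rule: applicants stay disconnectors and never reach the metaverse."""
    return cs_obj.get("status") == "Applicant"


def join_rule(cs_obj, metaverse):
    """Join on mail: return the metaverse id whose mail equals the staged mail, else None."""
    for mv_id, mv in metaverse.items():
        if mv.get("mail") and mv["mail"].lower() == cs_obj.get("mail", "").lower():
            return mv_id
    return None


# Import attribute flow rules: (mapping type, source, destination).
# "direct" copies a staged attribute; "constant" stamps a fixed value.
IMPORT_FLOW = [
    ("direct", "mail", "mail"),
    ("direct", "givenName", "FirstName"),
    ("constant", "Add", "OfferAction"),
]

# Export attribute flow for the Windows Live connector space: metaverse -> PassportUser.
EXPORT_FLOW = [("mail", "SigninName"), ("FirstName", "FirstName"), ("OfferAction", "OfferAction")]


def inbound_sync(staged, metaverse, next_id=1):
    """Filter, then join or project, then apply import flow. Returns (metaverse, links, next_id)."""
    links = {}
    for cs_id, cs_obj in staged.items():
        if connector_filter(cs_obj):
            continue  # filtered disconnector: not processed further
        mv_id = join_rule(cs_obj, metaverse)
        if mv_id is None:  # join failed: the projection rule creates a person object
            mv_id = next_id
            next_id += 1
            metaverse[mv_id] = {"objectType": "person"}
        links[cs_id] = mv_id
        for kind, src, dst in IMPORT_FLOW:
            if kind == "direct" and src in cs_obj:
                metaverse[mv_id][dst] = cs_obj[src]
            elif kind == "constant":
                metaverse[mv_id][dst] = src
    return metaverse, links, next_id


def outbound_sync(metaverse):
    """Build the export connector space: one PassportUser per person that has a mail value."""
    export_cs = {}
    for mv_id, mv in metaverse.items():
        if mv.get("objectType") != "person" or not mv.get("mail"):
            continue
        export_cs[mv_id] = {"objectType": "PassportUser"}
        for src, dst in EXPORT_FLOW:
            if src in mv:
                export_cs[mv_id][dst] = mv[src]
    return export_cs


# Constructed staged records, as a student-list import would leave them in the connector space.
SAMPLE_STAGED = {
    "cs1": {"mail": "jane.doe@wledutraining.com", "givenName": "Jane", "status": "Student"},
    "cs2": {"mail": "pat.lee@wledutraining.com", "givenName": "Pat", "status": "Applicant"},
    "cs3": {"mail": "Sam.Roe@wledutraining.com", "givenName": "Sam", "status": "Alumni"},
}


def run_once(staged=SAMPLE_STAGED, metaverse=None):
    """Run inbound then outbound synchronization; pass an existing metaverse to see rejoins."""
    metaverse = {} if metaverse is None else metaverse
    next_id = max(metaverse, default=0) + 1
    metaverse, links, _ = inbound_sync(staged, metaverse, next_id)
    return metaverse, links, outbound_sync(metaverse)


if __name__ == "__main__":
    mv, links, export_cs = run_once()
    print("links:", links)
    print("export connector space:", export_cs)
```

Running run_once a second time with the metaverse from the first pass shows the join rule at work: the same objects are joined rather than projected again, which is the behaviour the Make them Disconnectors deprovisioning option relies on.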


Now that the management agents are configured you can begin processing the data. ILM 2007 makes it possible for you to examine the data being processed during each phase of the data flow process. You may take advantage of this feature to familiarize yourself with the statistics and message displays that are shown during and at the completion of the runs.

Run Profiles
For each management agent you can define a number of run profiles. These are used to initiate each of the three phases of data flow. Run profiles provide operating parameters to management agents each time they are run. The information in the run profile varies based on the management agent that uses it. For example, a run profile for a delimited text file management agent contains parameters indicating the name of the text file that is used as the connected data source and data indicating which phase of the data flow is to be processed.

In this document you create one run profile for each management agent. This makes it possible to process one phase of the data flow and then stop and examine the data to make sure data is flowing as expected, allowing you to monitor and troubleshoot the implementation of a new deployment. Once data flow has been verified and you are confident everything is functioning properly, you can create more sophisticated run profiles that perform a number of steps at once. For the purposes of this walkthrough, and to help you learn how data flows, simpler individual run profiles are used for each phase of data flow rather than combining multiple phases into a more extensive run profile.

Configure the Full Import and Full Synchronization Run Profile for the Import Management Agent
The first run profile is used to stage the data from the source management agent to the connector space and from there, to synchronize it with the Metaverse. ILM 2007 allows the combining of these two actions into a single run profile.

1. Open Identity Manager if necessary.
2. Make sure that the Management Agents tool is active.
3. Click the name of the source management agent that you assigned to it at the time of creation.
4. In the Actions menu, choose Configure Run Profiles. The Configure Run Profiles for <management agent Name> screen opens.
5. Click New Profile to open the Configure Run Profile screen.
6. Enter Full Import and Full Synchronization as the name of the run profile in the Name text box and click Next.
7. On the Configure Step screen specify the type of operation that will occur when this run profile is used. This is where you choose the phase of data flow that will be processed when this run profile is used. In the drop-down list, choose Full Import and Full Synchronization. This option will cause all the data in the data source to be staged in the connector space.


8. The other options on this screen are not needed in this instance. Click Next.
9. Leave the Partition set to default and click Finish.
10. Click OK to return to Identity Manager.

Configure Export Run Profile for the Windows Live Management Agent
The second run profile that you will need to create is the Export run profile for the Windows Live Management Agent. This profile exports the data from the Windows Live ID connector space and sends it to the Windows Live service for processing. Examples of data that may be exported as part of an Export run of the Windows Live Management Agent include adding (provisioning) of users, eviction (removal from namespace) of users, and resetting passwords.

To create the Export run profile, follow the steps above used to create the Full Import and Full Synchronization profile, but name the profile Export and, in the drop-down list, select Export instead of Full Import and Full Synchronization. To verify that the run profile has been created, select the name you have assigned to the Windows Live Management Agent in the management agents screen and then select Run from the Actions menu. You should see a screen listing the profiles, with the Export profile among them.

Delta Import and Delta Synchronization
What are Deltas?
While Full Import and Full Synchronization runs are very thorough and will evaluate the necessary tasks on every object in the data source, it may be prudent to run Delta Import and Delta Synchronization runs whenever possible and Full Import and Full Synchronization runs only occasionally (weekends, monthly, etc.). The difference between a full and a delta run is that a full run will process every object every time, but a delta run will only process the objects that have changed since the last time a run has occurred.

For example, if you have 150,000 users in your source repository but only 15 of them are new as of today and you performed a run yesterday, a delta run will only process these 15 users and ignore the previous 150,000. A full run, however, will process the full 150,000 users. The delta synchronization and full synchronization run profiles only apply to the management agent connected to the source data store. The Windows Live Management Agent only performs exports, which are inherently deltas.

Setting up Deltas
Setting up deltas is straightforward if you are using Active Directory as the "source" data store. AD inherently supports deltas by default, and the only change that must be made to accommodate deltas is the creation of a run profile that explicitly uses them. Choose the "Delta Import, Delta Synchronization" step rather than the "Full Import, Full Synchronization" step when creating the profile. The deltas will automatically be created and used by the AD management agent. Should AD not be your data source, you may still be able to create deltas if your source supports it. For example, deltas have been implemented with such systems as LDAP directories, SQL servers and many others. Please see the Developer Reference in the Help menu of Identity Manager for more information on setting up and configuring deltas in various connected directories.


Populating the Metaverse
Now that you have created the appropriate Run Profiles, you will need to first populate the ILM Metaverse before you are able to create new Windows Live IDs from the data that it will contain. To populate the Metaverse, run the data source management agent with a Full Import Full Synchronization run profile. This type of run should occur at regular intervals but should probably not be the standard daily run that you execute, because running full imports and full synchronizations consumes time: every object is evaluated.

In the ILM management console, on the Tools menu, click Management Agents, and then click the data source management agent (the name that you have previously assigned to it) to highlight it. On the Action menu click Run to display the Run management agent dialog box. Under Run profiles click the appropriate profile for Full Import, Full Synchronization (for most setups like the one discussed above, there is only one), and then click OK.

Note: If the option is available, create and run a delta import delta synchronization instead of a full import full synchronization. The Delta Import, Delta Synchronization profile can be run via steps similar to the ones above, except with a different run profile being selected. For more information, please see the Delta Import and Delta Synchronization section above.

Note: Depending upon the number of Windows Live IDs to be processed, the job may execute for several seconds to several hours. ILM management agents run in a single thread and you can expect an approximate rate of 2-6 seconds per account, depending on network traffic, connectivity etc.

The end result of a management agent run will be shown at the bottom of the main window in a panel containing the end time and status. If the status indicates success, see the next section, Creating Windows Live IDs. Otherwise, see the Troubleshooting section later in this guide.

Troubleshooting the Staging of the Student Data
If you are having problems staging the data for the Students data source, consider the following and see the section titled Troubleshooting:
- Configure the proper partition and OU information when setting up the Active Directory management agent (the "source" management agent).
- Set the synchronization step Type to Full Import and Full Synchronization when creating the Staging run profile.

Creating Windows Live IDs
In the ILM management console, on the Tools menu, click Management Agents, and then click the Windows Live Management Agent (or another name you've assigned to it at the time of creation) to highlight it. On the Action menu click Run to display the Run management agent dialog box. Under Run profiles click the appropriate profile for export (for most setups, there is only one, named Export), and then click OK.


The end result of a management agent run will be shown at the bottom of the main window in a panel containing the end time and status. If the status indicates success, as circled in the screen capture below, see the next section, "Managing the Output Files". As with other ILM management agents, Windows Live Management Agent results are available for future reference in the Operations log. To view the Operations log, click on the Tools menu of the ILM management console and then click Operations.


Managing the Output Files
For a management agent run with a status of success, or in some cases completed-export-errors, an output log will contain the details of the temporary passwords assigned to the new Windows Live IDs that were successfully processed. The location of the logs is C:\Program Files\Microsoft Identity Integration Server\MaData\<your Windows Live Management Agent name> (or adapt for your ILM installation). The file name prefix is indicated in the Additional Parameters property of the management agent, with date/time appended to complete the file name. The format of the file looks like this:

Given the sensitive nature of the file contents, it is stored in a folder that by default is accessible only to members of the MIISAdmins security group and optionally the MIISOperators security group; the latter is assigned permission by a manual configuration step. This folder should also be backed up to a secondary location with restricted access. The intention of the output file is to provide the System Administrator a reference from which to produce the first-time communication of the Windows Live ID e-mail account name and password to the target user, should the password not be supplied by ILM at the time of user creation. The user will be forced to change their password (and secret question/answer) at first sign-on, per the flow shown in Password Management later in this guide. Though the user will change the password, the file is still considered to contain sensitive data because it contains an inventory of valid e-mail names. It is recommended to delete the file and the backup(s) 60 days after the temporary Windows Live IDs have been communicated to the users. After deletion the ILM Metaverse contains the definitive source for the e-mail names and is backed up as a standard operating procedure.

Features of the Windows Live Management Agent
Besides the basic configuration of the attribute flow and XML files, there are several other features of the Windows Live Management Agent that you can take advantage of.

Renaming of E-mail Addresses
As the Windows Live Management Agent v3.0 allows for renaming of e-mail addresses, you may perform the renames by flowing a new e-mail address into the SigninName attribute in the Windows Live Management Agent. This may be useful for cases such as the one where the e-mail address is based on the person's name and the name changes due to an event such as a marriage.

Note: Currently, renaming an account will result in the loss of the mailbox content for that account but retain calendar and contact information. Microsoft is building out functionality so that the account will maintain the mailbox content as well. There is no ETA for when this functionality will be ready; however, as soon as it is released the Windows Live@edu team will communicate to all schools in the program and update the FAQ. In the interim, it is recommended that you create new accounts instead.
In order to create new accounts using Active Directory as your data source, it is required to use an anchor attribute such as employeeID instead of SigninName.

Deleting Windows Live IDs
You can delete, or evict, Windows Live IDs from your namespace for students who are voluntarily leaving the namespace, and whenever you need to clean up the namespace. If a member tries to sign in to an evicted account, the member will be asked to rename their Windows Live ID to something else outside the domain namespace. The member will have the ability to rename into an @hotmail.com address. Windows Live IDs that are evicted will not retain the actual e-mail in their existing accounts, but they will retain their Windows Live Address Book. For Windows Live Messenger, the student will retain their contact list and all their contacts will automatically be updated to the student's new IM identity. The freed account name becomes available immediately for re-use as long as the password length is different.


Setting an Object Deletion Rule
The Windows Live Management Agent needs to be configured with Stage a Delete in the Configure Extensions tab. Then, in the ILM management console on the Tools menu, click Metaverse Designer, and then click Configure Object Deletion Rule.

To enable the Windows Live ID evict feature select either the second or third option in the following dialog box.

Note: The second option is used in conjunction with your source data management agent and not with the Windows Live Management Agent. When an object is deleted from the source management agent, the Windows Live ID will be evicted from the managed namespace on the next export run. If you want to write custom code for the deletion rules, select the third option and modify your rules extension code accordingly. Note that you may not, in this case, use the precompiled rules extension that ships with the management agent because it contains no deletion rules.

Attribute Interdependencies
Within the Windows Live ID system, certain attributes are related to each other. For an improved user experience we suggest you configure the five attributes below on all accounts. These attributes will allow students to self-reset their passwords, access the calendar, and have their mail stamped with the appropriate date and time. The values can be applied to the Windows Live ID profiles via Attribute Flow or in WLCDGlobalConfig.xml. Further information regarding these attributes can be found in the Administrators Guide appendices.

Attribute    Format
Country      2 digit alphabetic code for country. E.g. US.
PostalCode   1-15 digit numeric code for the user's postal code. E.g. 98052.
TimeZone     1-4 digit numeric code for the user's time zone. E.g. 1119.
RegionCode   1-5 digit numeric code for the user's region (state). E.g. 5599.
Birthdate    10 digit alphanumeric string for birthdate in the format of DD:MM:YYYY, e.g. 31/12/1960 (without the quotes).
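The five attributes above are only useful together, and the note that follows warns that a partial set may cause errors. The PowerShell check below is an added example (not code from the guide or from the management agent) that validates a record against the formats in the table before it flows to the Windows Live Management Agent, enforcing the all-or-none rule. The regular expressions are derived from the table; the Birthdate separator is assumed from the guide's own sample value 31/12/1960 and should be confirmed against the appendices; the sample records are constructed.

```powershell
# Added example, not code from the guide or the management agent: check the
# five interdependent profile attributes on a record before it is exported.
# Formats follow the table above; the Birthdate separator is taken from the
# guide's own sample value 31/12/1960 (assumption: confirm in the appendices).
$ProfileRules = @{
    Country    = '^[A-Za-z]{2}$'
    PostalCode = '^\d{1,15}$'
    TimeZone   = '^\d{1,4}$'
    RegionCode = '^\d{1,5}$'
    Birthdate  = '^\d{2}/\d{2}/\d{4}$'
}

function Test-LiveIdProfileAttributes {
    param([hashtable]$Account)   # attribute name -> value, as it would flow to the MA
    $problems = @()
    $present = @($ProfileRules.Keys | Where-Object { -not [string]::IsNullOrEmpty($Account[$_]) })
    # The guide warns that providing some but not all five may cause errors.
    if ($present.Count -gt 0 -and $present.Count -lt $ProfileRules.Count) {
        $missing = @($ProfileRules.Keys | Where-Object { $present -notcontains $_ })
        $problems += "partial profile: missing $($missing -join ', ') (provide all five or none)"
    }
    # Each supplied value must match the format from the table.
    foreach ($name in $present) {
        if ($Account[$name] -notmatch $ProfileRules[$name]) {
            $problems += "$name value '$($Account[$name])' does not match $($ProfileRules[$name])"
        }
    }
    New-Object PSObject -Property @{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample records: one complete, one partial, one with bad formats.
$records = @(
    @{ SigninName = 'alice@alumni.university.edu'; Country = 'US';  PostalCode = '98052'; TimeZone = '1119'; RegionCode = '5599'; Birthdate = '31/12/1960' },
    @{ SigninName = 'bob@alumni.university.edu';   Country = 'US';  PostalCode = '98052' },
    @{ SigninName = 'carol@alumni.university.edu'; Country = 'USA'; PostalCode = '98052'; TimeZone = '1119'; RegionCode = '5599'; Birthdate = '1960-12-31' }
)
foreach ($r in $records) {
    $result = Test-LiveIdProfileAttributes -Account $r
    if ($result.Valid) { "$($r.SigninName): OK" } else { "$($r.SigninName): " + ($result.Problems -join '; ') }
}
```

Run this over the records you intend to export (for example, a CSV read with Import-Csv and converted to hashtables); only records reported as OK should be allowed to flow, and the partial-profile message is the one to watch for, since the guide states that partial profiles are the error-prone case.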

Note: Providing some, but not all, of these fields may cause errors. It is best practice to provide all of them.

Active vs. Inactive student handling
If you wish to retire student accounts that are no longer active in your domain, you have a couple of options.
1. If a member should no longer be part of the domain and you have object deletion rules set, you can simply delete the member from the data source. Performing this action will evict the member from the domain namespace. The member's mailbox will be deleted, but contact and calendar information remain intact.
2. If a member retains the domain account but is no longer an active student, offers for the student should be removed using attribute flow.


Configuring Multiple Sites
It is a common scenario for schools to have a completely different domain either for different schools within their community or for students and alumni. The WLCDGlobalConfig.xml file allows you to specify additional domains, and as long as the administrator account used to create the accounts (or the certificate used for authentication) is an administrator on both domains, the accounts will be created. A sample WLCDGlobalConfig.xml configured for two domains is below:


Section 11: Password Management
Create Initial Password
In order to set the initial password for the students, you must select one of two methods. Either you can use attribute flow in ILM 2007 to set the initial password using the TempPassword attribute, or you can allow the management agent to set the password for you. When you allow the management agent to create the initial password for you, it is stored in the log file in the C:\Program Files\Microsoft Identity Integration Server\MaData\<export ma> folder by default.

Password Reset
Two methods are available online for an individual Windows Live ID user to reset his/her own password, namely: (a) using data verification and answering the secret question, or (b) if an optional alternative e-mail address was provided, a mail is sent to that address which contains a link to a site where the user can change the password. The System Administrator-based password reset procedure presumes these methods have failed the end user. Before proceeding, it is required that the System Administrator has validated that the user requesting the password reset is the legitimate owner of the Windows Live ID, for example, by viewing a student ID card and ensuring that the student was assigned the e-mail address for which they are requesting a password reset. Once it is determined that a System Administrator-based password reset is required, the password may be reset using the methods described below.

Password limitations
Passwords must be at least six characters and a maximum of 16. The Windows Live ID may NOT be part of the password. For security purposes we recommend that when creating temporary passwords you use 10 characters and at least one each from the following character sets:
- Lower-case chars: {abcdefghijklmnopqrstuvwxyz}
- Upper-case chars: {ABCDEFGHIJKLMNOPQRSTUVWXYZ}
- Numbers: {0123456789}
- Special Characters: {!@#$%^*()-_=+;:,./?`~} (excluding the curly braces)
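When the System Administrator supplies TempPassword through attribute flow, the temporary password has to be generated somewhere, and the limits above are easy to get wrong by hand. The PowerShell below is an added example (not code from the guide or the management agent) that generates a temporary password from a cryptographic random source and checks it against the stated limits: 6 to 16 characters, at least one character from each of the four sets, and the Windows Live ID not contained in the password. Two details are assumptions of this example rather than statements from the guide: the sign-in name's local part (the text before @) is rejected as well as the full name, and the delimiter of the file the password is written to is excluded from the special set, because ',' is in that set and would break a comma-delimited row. The sign-in name is constructed.

```powershell
# Added example, not code from the Live@edu guide: generate and check temporary
# passwords against the limits stated above (6 to 16 characters, the Windows
# Live ID must not be part of the password, and the recommended 10 characters
# with at least one from each of the four sets).
$Lower   = 'abcdefghijklmnopqrstuvwxyz'
$Upper   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
$Digits  = '0123456789'
$Special = '!@#$%^*()-_=+;:,./?`~'
$AllSets = @($Lower, $Upper, $Digits, $Special)

# CSPRNG rather than Get-Random, which is not suitable for secrets.
$Rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

function Get-RandomIndex {
    # Uniform integer in 0..(Max-1); draws from the biased tail are rejected.
    param([int]$Max)
    $bytes = New-Object byte[] 4
    $range = [long]4294967296
    $limit = $range - ($range % $Max)
    do {
        $Rng.GetBytes($bytes)
        $n = [long][BitConverter]::ToUInt32($bytes, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function Test-TempPassword {
    param([string]$Password, [string]$SigninName)
    if ($Password.Length -lt 6 -or $Password.Length -gt 16) { return $false }
    # "The Windows Live ID may NOT be part of the password": reject the full
    # sign-in name and (assumption, not stated by the guide) its local part,
    # compared case-insensitively.
    $needles = @($SigninName, $SigninName.Split('@')[0]) | Where-Object { $_ }
    foreach ($needle in $needles) {
        if ($Password.ToLowerInvariant().Contains($needle.ToLowerInvariant())) { return $false }
    }
    # At least one character from each of the four sets.
    foreach ($set in $AllSets) {
        $hit = $Password.ToCharArray() | Where-Object { $set.IndexOf($_) -ge 0 }
        if (-not $hit) { return $false }
    }
    return $true
}

function New-TempPassword {
    param([string]$SigninName, [int]$Length = 10, [string]$Avoid = '')
    # $Avoid drops a character that would break the file the password is written
    # to, e.g. ',' (which is in the special set) for a comma-delimited row.
    $sets = $AllSets
    if ($Avoid) { $sets = @($AllSets | ForEach-Object { $_.Replace($Avoid, '') }) }
    $union = -join $sets
    do {
        $chars = @()
        foreach ($set in $sets) { $chars += $set[(Get-RandomIndex $set.Length)] }   # one from each set
        while ($chars.Count -lt $Length) { $chars += $union[(Get-RandomIndex $union.Length)] }
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {                                # Fisher-Yates shuffle
            $j = Get-RandomIndex ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        $candidate = -join $chars
    } until (Test-TempPassword -Password $candidate -SigninName $SigninName)
    return $candidate
}

# Constructed sample: one row for a "SigninName,TempPassword" delimited file, the
# shape of the template used by the password-reset management agent (Method 2).
$signin = 'jdoe@alumni.university.edu'
'{0},{1}' -f $signin, (New-TempPassword -SigninName $signin -Avoid ',')
```

The generated row is exactly what the TempPassword attribute flow and the Method 2 reset file expect, and Test-TempPassword can also be run on passwords chosen by hand before they are placed in the data source, so an export does not fail on a value the Windows Live service will reject.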

Attribute Flow based Password Resets (Method 1)
Resetting a lost password is as simple as changing the value for TempPassword that was set in attribute flow. On the next export run cycle, the user's password will be set to that value, after which you can communicate the new password to the user, who will be forced to change the password on next log on. In the screen shot example below, we are using a text file as our data source. In the data source, we've assigned a new temporary password in a delimited text file.


After saving the file, one would perform the normal run cycle for the import and export management agents: an import to the connector space from the data source management agent, followed by a synchronization, and finished with an export to Windows Live. Attribute flow for the delimited file management agent looks like the screen shot below, with SigninName and TempPassword importing to mail and TempPassword in the Metaverse.

Delimited data source management agent's attribute flow:

Export management agent's attribute flow:

Below is another example of using Active Directory to flow a TempPassword. In this case, the mail attribute is set in the e-mail field on the General tab and the TempPassword is using the Notes field to flow into Metaverse.


Active Directory import management agent's attribute flow:

Export management agent's attribute flow:

Attribute Flow based Password Resets (Method 2)
1. Create a template delimited text or comma-separated values file whose only content is a header row with the two field names SigninName and TempPassword, separated by a comma.

2. Create a second import MA (delimited .txt or .csv) by clicking Create in the Management Agents tool.


3. Give the management agent a name and a description (optional) and click Next.


4. In Select Template File, click Browse and select the delimited text file you created in step 1.

5. In Delimited Text Format, select the tick box for Use first row for header names, select comma as the delimiter and click Next.


6. On the Configure Attributes page, set the anchor to the SigninName. Click the Set Anchor button.

7. Select the SigninName attribute from the list of available attributes, click the Add button and click OK.


8. Skip the pages for Map Object Types, Define Object Types, Configure Connector Filter and on the Configure Join and projection rules page, click the New Join Rule button.

9. Select SigninName from the Data source attribute list, set the Mapping type to direct, and select the metaverse object containing the Windows Live ID, then click Add Condition.


10. If the Metaverse attribute containing your Windows Live ID isn't indexed in ILM, the message below may appear. You can fix this by selecting the tick box for the attribute in Metaverse Designer, but it is not necessary. Click OK.

11. The condition statement for the join rule appears in the list; click OK.

12. The join rule appears in Configure Join and Projection Rules, click Next.


13. On the Configure Attribute Flow page, set up direct import attribute flow for SigninName and TempPassword, then click Next.

14. On the Configure Deprovisioning page, select the radio button next to Do not recall attributes and click Next.

15. On the Configure Extensions page, click Finish.

16. Copy the template file to the MaData folder in the ILM 2007 installation path. The default path is c:\Program Files\Microsoft Identity Integration Server.


17. Create a Full Import and Full Synchronization run profile for the new management agent by selecting the management agent in ILM and clicking Configure Run Profiles, as described in the Run Profiles section earlier.

18. Set the hierarchy for the password reset management agent above the data source management agent by clicking the Metaverse Designer tool, selecting the metaverse object type and the TempPassword attribute, and selecting Configure Attribute Flow Precedence from the Actions menu.

19. Select the password reset management agent in the list and click the up arrow so that it takes first order of precedence and click OK.

Performing the reset
1. Edit the template file with the username of the member who needs their password reset and the new temporary password, and save the changes.


2. Run a full import and synchronization on the password reset management agent. You will notice a successful join in the synchronization statistics.

3. Run an export on the Windows Live export management agent. The user will now be able to use the new temporary password to log into their account and set a new password.

ILM Password Synchronization
ILM 2007 allows the synchronization of passwords set in Active Directory or other source systems to other target systems, such as a different AD domain or, in this case, Windows Live. This functionality allows you to perform one-way synchronization of passwords from AD to Windows Live IDs if desired.

Using Active Directory as the Source for Password Changes
If you elect to use Active Directory as the source for password changes to Windows Live, you may use a free pre-built Microsoft solution called Password Change Notification Service (PCNS). PCNS is a mature, supported solution used by enterprise customers to perform password resets; it was designed to allow password resets to be performed between separate AD domains or even AD forests, but it does not require the target of the password change to be Active Directory; thus, you may set the Windows Live Management Agent as the target.



Note: Even though ILM 2007 is not a real-time system in general, the password synchronization will occur as close to real-time as possible. No running of any management agent is required for the synchronization to occur; the password will automatically be sent out as soon as it is received.

- The user or an administrator initiates the password change request in AD. The password change request, including the new password, is sent to the nearest AD domain controller.
- The domain controller records the password change request and notifies the password change notification filter (a PCNS DLL that monitors for change notifications).
- The password change notification filter passes the request to PCNS.
- PCNS verifies the password change request, then authenticates the Service Principal Name (SPN) by using Kerberos and forwards the password change request in an encrypted Remote Procedure Call (RPC) to the desired ILM 2007 server.
- ILM 2007 validates that the source domain controller is a member of the Domain Controllers container in the source domain and then uses the domain name to locate the management agent that services that domain. It uses the user account information in the password change request to locate the corresponding object in the connector space.
- ILM 2007 determines the management agents that have been configured to receive the password change ("target" management agents, in our case the Windows Live Management Agent) and, if they are enabled for password synchronization, propagates the password change to them.
- The Windows Live Management Agent then performs the proper web service calls to reset the password in the Windows Live system.

The synchronization described above is a one-way synchronization. Should a user reset his or her password in Windows Live, it will not be reset in AD. However, if the user resets the password in AD, it will automatically be set in Windows Live.

Should you choose to implement password synchronization via PCNS, please download the following file: http://www.microsoft.com/downloads/details.aspx?FamilyID=ae09d2f5-8ac2-4769-ab6a48fe35a25c63&DisplayLang=en. After installation, please see the Password Synchronization scenario that may be found under C:\Program Files\Microsoft Identity Integration Server\Scenarios\PasswordSynchronization, or a similar directory if you changed the installation path for ILM 2007.

To set up PCNS to synchronize AD passwords to Windows Live you will need to perform the following steps. Each of these is explained in detail in the above-mentioned document, which should serve as your primary reference when setting up PCNS.

- Install the DLL filter on each domain controller in the domain. This is accomplished by running the MSI installation file that is provided as part of the PCNS solution on each domain controller. This task may be automated using a push mechanism of your choice that supports automated installs of MSI files.
- Configure the service principal name (SPN) to point to the desired ILM 2007 server. This is configured by using the SETSPN utility in Windows and only needs to be performed once on the ILM 2007 server.
- Configure the groups in AD that are to have their passwords synchronized. This gives you the flexibility of only synchronizing the passwords for your student users who are in AD rather than monitoring for changes from any user.
- Configure the Active Directory management agent (source management agent) to allow for Password Synchronization. Once the Active Directory management agent is installed and configured, begin by selecting the AD management agent, select Properties, then Configure Active Directory Partitions. In Password Synchronization, select Enable this partition as a password synchronization source. Click the Targets button and place a checkmark next to the Windows Live Management Agent that should be the target management agent for the password changes. Be sure to uncheck the box to require secure connection for password synchronization operations.
- Configure the Windows Live Management Agent (target management agent) to allow for reception of password change notifications. Once the Windows Live Management Agent is installed and configured, begin by selecting the Windows Live Management Agent, select Properties, then Configure Extensions. In Password Management, place a checkmark in Enable Password Management. Verify that the Extension Name is filled in with PassportPasswordExtension.dll and that the radio button is set to Set and Change. Click the Targets button and uncheck the box to require secure connection for password synchronization operations. While still on Configure Extensions, click the Settings button. Put the Site ID in the Connect To: textbox and put the default cert SKI in the User: textbox. The Site ID and cert SKI can be obtained from the PassportMA_GlobalConfig.xml file. Set the password to the word "blank" (it is not necessary).
- Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then Options. Place a checkmark in Enable Password Synchronization if it is not already there. This will allow your management agents to receive Password Synchronization requests from the domain controllers.

Using Other Systems as the Source for Password Changes
To enable password synchronization from systems other than Active Directory, you will need to programmatically capture the changes in passwords and then propagate them to ILM using the WMI interface. Examples of this may be found in the Developer Reference help file in ILM by going to mk:@MSITStore:c:\program%20files\microsoft%20identity%20integration%20server\uishell\helpfiles\mmsdev.chm::/mms/example__setting_passwords.htm, or by searching for Example: Setting Passwords in the Developer Reference accessible via the Help menu in Identity Manager. The following will need to be configured in ILM 2007 to allow it to receive password change requests from your code.


- Configure the Windows Live Management Agent to allow for reception of password change notifications. Once the Windows Live Management Agent is installed and configured, begin by selecting the Windows Live Management Agent, select Properties, then Configure Extensions. In Password Management, place a checkmark in Enable Password Management. Verify that the Extension Name is filled in with PassportPasswordExtension.dll and that the radio button is set to Set and Change.
- Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then Options. Place a checkmark in Enable Password Synchronization if it is not already there. This will allow your management agents to receive Password Synchronization requests from your password change code.
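The Developer Reference topic named above shows how code hands a captured password to ILM through WMI. The PowerShell below is an added example of that call, not code from the guide or from the Developer Reference, written so that it refuses to act unless the query identifies exactly one connector space object and never writes the password to any log. It assumes the ILM WMI provider's namespace root\MicrosoftIdentityIntegrationServer and its MIIS_CSObject class with MaName and DN properties and a SetPassword method, as used by the "Example: Setting Passwords" topic; it also assumes that the object to call is the one in the Windows Live Management Agent's connector space and that its DN is the sign-in name, which you should confirm with a connector space search in Identity Manager. The management agent name and sign-in name are placeholders.

```powershell
# Added example, not code from the guide or the Developer Reference: push a
# password for one Windows Live ID into ILM 2007 through its WMI provider, the
# route described above for non-AD password sources. Assumptions: namespace
# root\MicrosoftIdentityIntegrationServer and class MIIS_CSObject with MaName,
# DN and SetPassword (as in the "Example: Setting Passwords" topic); that the
# connector space object to call is the one in the Windows Live Management
# Agent and that its DN is the sign-in name; MA name and user are placeholders.
function Set-LiveIdPassword {
    param(
        [string]$MaName,              # the name you gave the Windows Live Management Agent
        [string]$SigninName,          # Windows Live ID whose password is being set
        [string]$NewPassword,         # temporary password; should meet the limits in Section 11
        [string]$ComputerName = '.'   # ILM 2007 server; '.' means run on the server itself
    )
    # Double any single quote so a name cannot alter the WQL query.
    $filter = "MaName = '{0}' AND DN = '{1}'" -f $MaName.Replace("'", "''"), $SigninName.Replace("'", "''")
    $objects = @(Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_CSObject -Filter $filter)

    # Refuse to act unless exactly one connector space object matches.
    if ($objects.Count -ne 1) {
        throw ("Expected one connector space object for '{0}' in '{1}', found {2}" -f $SigninName, $MaName, $objects.Count)
    }

    $result = $objects[0].SetPassword($NewPassword)
    # PowerShell wraps a WMI method result in an object with ReturnValue; fall
    # back to the raw result if the provider returns a plain value.
    $status = if ($result -ne $null -and $result.ReturnValue -ne $null) { $result.ReturnValue } else { $result }
    # Log the outcome only; the password itself is never written anywhere.
    Write-Host ("SetPassword for {0} in {1}: {2}" -f $SigninName, $MaName, $status)
    return $status
}

# Usage with placeholder values, run as an account permitted to set passwords
# through the ILM WMI provider (a member of MIISAdmins, mentioned earlier, qualifies):
# Set-LiveIdPassword -MaName 'Windows Live MA' -SigninName 'jdoe@alumni.university.edu' -NewPassword $tempPassword
```

Wrap the call in whatever captures the password change in your source system, and pass the password straight from that capture into -NewPassword; the only value worth recording for audit is the returned status together with the sign-in name and the time.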

Once the above steps are completed you may use the example code from the Developer Reference to send passwords to the Windows Live ID for reset.

Another option for creation of Password Reset or Change functionality is to contact Oxford Computer Group (Oxford). Oxford has a long history of creating password change and reset solutions with ILM. Oxford specializes in identity and access management and is a Microsoft Gold Partner with offices in the UK, Germany, Canada and the US. Services include strategic and functional consulting, system integration, and solution and skill development. To contact Oxford Computer Group, please use the following e-mail address: info@oxfordcomputergroup.com

Reset Password Flow
If a student forgets his/her password to their Windows Live ID, there are two ways for them to reset their password online:
- Send an automated reset password e-mail to an alternate e-mail address.
- Enter information online including Country/Region, State, Zip Code, Secret Question and Secret Answer.

If all else fails, the student can contact the appropriate school department to have the System Administrator reset his/her password using ILM 2007. Should a user lose their temporary password or forget the one they subsequently created, and be unable to complete the online password reset procedure, the System Administrator should perform the following procedure to reset passwords.

Recovering from a Forgotten Password
If a student forgets their password, they have to reset it before they can sign in to Windows Live again. They can reset their password by sending themselves a password reset e-mail message or by answering the secret question and entering their location information. If the student does not already have an alternate e-mail address, the student will be prompted to enter an alternate e-mail address to make resetting passwords in the future easier. A confirmation page is displayed after a successful password reset.

Alternate E-mail Addresses
We recommend that students enter an alternate e-mail address upon first sign-in to Windows Live Hotmail, or to any other Windows Live ID site if Windows Live Hotmail isn't the first one. When signing in the first time the student will be required to enter a Secret Question/Secret Answer pair. See Appendix First-Time User Sign-in Flow for more information. Optionally, the student will also be asked to enter an Alternate E-mail address. If a student has an existing e-mail address in addition to the one being established by the school, we highly recommend that the student enter it. Doing so allows the student to easily reset their Windows Live ID password should they later forget it, without contacting the System Administrator. For security purposes, the student will also be prompted to change their school-supplied temporary password the first time they sign in.

Entering Windows Live ID Profile Information
If the student does not have an alternate e-mail address they will need to enter a limited amount of Windows Live ID profile information. This needs to be done separately because a student will not be prompted to enter this information on first-time login.
- Go to https://account.live.com/. Sign in if prompted (authentication is required to use Account Services).
- In the left pane click Account Summary, and then click Add or Change your Alternate email address.
- On the next screen, scroll to the bottom and fill in Country/Region, State, and ZIP code. These values are required when resetting your password, so make sure this information is filled in with accurate values that will be remembered, and then click Save. No other values are required on this screen.

Section 12: Troubleshooting
This section covers common issues that people face when they are installing the Live@edu solution.

Deprovisioning
It is important to pay careful attention to the settings used by the Windows Live Management Agent for deprovisioning actions. Setting these incorrectly may result in inadvertently evicting users, with negative consequences. The results of an accidental deletion might include the following:
- Deletion of all students' e-mail
- Inability for the students to continue to use the e-mail address

Here are a few possible deprovisioning scenarios you may encounter and possible troubleshooting steps. All scenarios are structured around the limitation of not being able to reuse an e-mail address for 210 days after it has been evicted.

Scenario 1: Inadvertently deleting users prior to handing out e-mail addresses.
Since the e-mail addresses have not yet been distributed to the users it may be possible to change the schema of the addresses and create new addresses. For example, should a user have been Adam.Smith@university.edu previously, you may consider changing the schema to make it A.Smith@university.edu. This will allow you to recreate the e-mail addresses.

Scenario 2: Inadvertently deleting users after handing out e-mail addresses but prior to accounts being used.
The solution for this is the same as Scenario 1, if the schema change is possible. No mail or data will be lost since none is present yet.

Scenario 3: Inadvertently deleting users after handing out e-mail addresses to users.
The users have started using accounts and have populated them with data. This is not an easily recoverable scenario. You may use the solution from Scenario 1 to recreate the users, but you will not be able to recover the data in the accounts, such as e-mails. Additionally, if you are going to change the schema for e-mail addresses, be mindful not to change the addresses of the users who were not affected by the eviction, as changing the schema will rename their addresses to the new form. Microsoft may be able to assist you if you get into this situation.

Name Recycling Limitations
Once a user is evicted from the namespace you may reuse their e-mail name for another account (or to re-provision this one) immediately, as long as the password for the member account is a different length than the previous password. Note: Member accounts can only be recreated four times.

365 Day Usage Requirements
Users are required to log into their Windows Live e-mail accounts every 365 days or their e-mail will be deleted due to disuse. The account will still exist and can be reactivated on demand at the next login; however, the contents of the mailbox will be deleted.

Windows Live ID SigninName Limitations
You must flow the full e-mail address, including the domain portion, to the SigninName attribute in the Windows Live Management Agent connector space. You must provide the full e-mail address in the form of James.Smith@university.com and not just James Smith.
Windows Live ID e-mail names must conform to SMTP RFC 822 for the user name portion of the e-mail address and RFC 1035 for the domain portion. Some exceptions are made:
- 50 characters max
- No UNICODE
- First char must be a letter (must be in ASCII code range of 97-122, 65-90)
- Period (ASCII 46) allowed except for the first and last characters, but cannot have two adjacent periods
- All other chars must be in ASCII code range of 48-57 (numbers), 65-90 (uppercase), 95 (underscore), 97-122 (lowercase)
- All other characters are disallowed

Windows Live ID Password Limitations
Passwords must be at least six characters and a maximum of 16. The Windows Live ID may NOT be part of the password. For security purposes we recommend that when creating temporary passwords you use 10 characters and at least one from each of the following character sets:
- Lower-case chars: {abcdefghijklmnopqrstuvwxyz}
- Upper-case chars: {ABCDEFGHIJKLMNOPQRSTUVWXYZ}
- Numbers: {0123456789}
- Special characters: {!@#$%^*()-_=+;:,./?`~} (excluding the curly braces)
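Below is an added example, not code from this guide, from ILM 2007 or from the Windows Live Management Agent, that applies the SigninName rules and the password limits above to a provisioning record before it is flowed to ILM, and mints temporary passwords that satisfy the recommended policy. The function names, the simplified RFC 1035 domain check and the case-insensitive comparison used for the "ID not in password" rule are assumptions.

```python
"""Added example (not from the guide, ILM 2007 or the Windows Live MA):
check a (SigninName, temporary password) record against the Windows Live ID
rules in the Troubleshooting section and mint compliant temporary passwords."""
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Special characters listed in the guide; the braces themselves are not included.
SPECIAL = "!@#$%^*()-_=+;:,./?`~"
# Characters allowed in the user-name part: letters, digits, underscore, period.
LOCAL_CHARS = set(LOWER + UPPER + DIGITS + "_.")
TEMP_PASSWORD_LENGTH = 10  # recommended length for school-supplied passwords


def check_signin_name(signin_name):
    """Return the list of rule violations for a SigninName value.
    An empty list means the value may be flowed to the connector space."""
    if signin_name.count("@") != 1:
        return ["SigninName must be the full address, e.g. user@domain"]
    local, domain = signin_name.split("@")
    errors = []
    # Simplified RFC 1035 check (assumption): non-empty ASCII labels made of
    # letters, digits and '-'. A full RFC 1035 parser is out of scope here.
    labels = domain.split(".")
    if not all(lbl and lbl.isascii() and lbl.replace("-", "").isalnum()
               for lbl in labels):
        errors.append("domain part is not a valid DNS name")
    if not local:
        return errors + ["user-name part is empty"]
    if len(local) > 50:
        errors.append("user-name part exceeds 50 characters")
    if not local.isascii():
        errors.append("user-name part contains non-ASCII (Unicode) characters")
    if local[0] not in LOWER + UPPER:
        errors.append("first character must be a letter")
    if local.endswith("."):
        errors.append("last character must not be a period")
    if ".." in local:
        errors.append("two adjacent periods are not allowed")
    bad = sorted(set(ch for ch in local if ch not in LOCAL_CHARS))
    if bad:
        errors.append("disallowed characters: " + "".join(bad))
    return errors


def check_password(password, signin_name):
    """Hard limits from the guide: 6 to 16 characters, and the Windows Live ID
    must not be part of the password (compared case-insensitively here, an
    assumption; the guide does not say whether case matters)."""
    errors = []
    if not 6 <= len(password) <= 16:
        errors.append("password must be 6 to 16 characters")
    if signin_name and signin_name.lower() in password.lower():
        errors.append("password must not contain the Windows Live ID")
    return errors


def temp_password_warnings(password):
    """Recommendations for school-supplied temporary passwords: 10 characters
    with at least one character from each of the four sets in the guide."""
    warnings = []
    if len(password) != TEMP_PASSWORD_LENGTH:
        warnings.append("temporary password should be 10 characters")
    for label, chars in (("lower-case", LOWER), ("upper-case", UPPER),
                         ("number", DIGITS), ("special", SPECIAL)):
        if not any(ch in chars for ch in password):
            warnings.append("no " + label + " character")
    return warnings


def make_temp_password(signin_name):
    """Mint a 10-character temporary password from the CSPRNG in `secrets`
    that satisfies both the hard limits and the recommendations."""
    classes = (LOWER, UPPER, DIGITS, SPECIAL)
    pool = "".join(classes)
    rng = secrets.SystemRandom()
    while True:
        # One character from every class, the rest from the whole pool, then
        # shuffle so the character class at each position is not predictable.
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(pool)
                  for _ in range(TEMP_PASSWORD_LENGTH - len(classes))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        # Regenerate in the rare case the ID happens to appear in the password.
        if not check_password(candidate, signin_name):
            return candidate


def validate_record(signin_name, password):
    """Validate one record from the student data source. Returns
    (errors, warnings): errors block the record, warnings only flag a
    temporary password weaker than the guide recommends."""
    errors = check_signin_name(signin_name) + check_password(password, signin_name)
    return errors, temp_password_warnings(password)


if __name__ == "__main__":
    # Constructed sample records in the form the guide describes.
    for name, pw in (("James.Smith@university.com", "Tq7#mvXp2!"),
                     ("James Smith", "secret"),
                     ("adam..smith@university.edu", "adam..smith@university.eduX")):
        print(name, validate_record(name, pw))
    print("generated:", make_temp_password("Adam.Smith@university.edu"))
```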

.Net 2.0 and Hotfixes
You must have the .Net 2.0 library installed and the latest ILM 2007 hotfixes or you will encounter "stopped-extension-dll-exception" errors.

Determine which versions of the .NET Framework are installed on a computer:
2. Locate the folder that contains the .NET framework by clicking Start > Run and then pasting or typing %systemroot%\Microsoft.NET\Framework on the line. Click OK to open the folder.
3. Under that folder there should be another folder whose name denotes each version of the .NET framework installed. Look for a folder with the version number v2.0.50727. If you do not see this folder then you need to install the .NET framework 2.0.
4. If you do have the folder then open the v2.0.50727 folder and then locate the Mscorlib.dll file.
5. Right-click the file and then click Properties.
6. Click the Version tab and then note the file version.
7. If the version number starts with v2.0.50727.XXXX then you already have the correct version of the .NET framework installed and you should go to the Troubleshooting section in this guide for more information about troubleshooting error messages. If not (or if you haven't got the folder at all) then you must install the .NET 2.0 framework using the instructions below. Click OK.

The .NET framework 2.0 installation can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8eddaab15c5e04f5 or by searching for .NET Framework Version 2.0 at http://download.microsoft.com. To download and start the setup follow the instructions provided on the download site.

Additionally, you must install the latest ILM 2007 hotfixes to ensure that ILM 2007 will work with the .NET libraries installed. The ILM 2007 updates can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=fa9dbb67-4654-4c94-b073-aa59676130af or by searching for ILM Hotfix at http://support.microsoft.com.

Issues Sending or Receiving E-mail
If you have trouble sending or receiving mail from accounts you have created, the issue is most commonly caused by improperly configured MX records. Please see the section Managing MX Records for more information.

Account Settings Precedence
There are several places where the account settings can be changed as part of the solution. The order of precedence in which properties are assigned is as follows:
1. Mapped connector space attributes using attribute flows
2. Global config rules (using the WLCDGlobalConfig.xml file)
You should be mindful of which properties you set and where you set them, since they may be overridden by a higher-priority property set elsewhere.

Steps to troubleshoot the Live@edu solution depend on where the error occurs. Sometimes it is difficult to determine where to start; however, you can usually follow the data through the solution to determine the error condition. Start with the student data source, then move on to ILM 2007 and finally out to the Windows Live system.

ILM 2007 Failure Analysis Process Flow
Start by looking at the status from the run, which is normally displayed halfway down the screen on the right side, as displayed in the following screen.

The following table contains next steps for each run status.

Status: <null>
Next Steps: This is normal while the extension starts. Wait for the status to change.

Status: in-progress
Next Steps: Windows Live IDs are exporting. You should see the Adds being incremented while the extension is in progress.

Status: completed-export-errors
Next Steps: See the following "For completed-export-errors" section.

Status: success
Next Steps: This is normal if the extension ran without any errors. However, if you have zero Windows Live IDs added, and were expecting more, you may need to check that your input data source has imported the data into the Metaverse, and that your attribute flows and provisioning rules extension are correctly configured.

Status: stopped-bad-server-credentials
Next Steps: Check the management agent properties and ensure that you have entered a user and password in the "Configure Connection Information" tab of the management agent properties.

Status: stopped-extension-dll-exception
Next Steps: See the following "For stopped-extension-dll-exception" section.

For stopped-extension-dll-exception
Windows Live IDs will not be processed because the exception occurred prior to attempting the Windows Live ID export. ILM 2007 will place the errors into the application event log, which you can view with the Event Viewer. To open Event Viewer click on the Start menu, click Run, and then type: eventvwr.

For completed-export-errors
See Managing the Output Files in this guide. Note that Windows Live IDs that succeeded will NOT be reprocessed on the next export run. We recommend that you re-attempt the export before further troubleshooting. It is not unusual for networking conditions to cause a few Windows Live IDs in a large batch to fail; by retrying, you will minimize the number of failures that require investigation, and there is no downside to doing so. Once you determine that the remaining failures are not due to transient networking conditions, you can find the cause of the error for each Windows Live ID by double-clicking the corresponding error link shown in the right pane of the above screen shot, which brings up the detailed error report for that Windows Live ID.

Getting Support
For ILM and Windows Live Management Agent support, see http://support.microsoft.com/ph/1980.

Disaster Recovery Plan (ILM Server Outage)
A failure of the ILM server should not result in any data loss; however, there are other critical components on the ILM server. For example, all of the source code, backup keys, operations scripts and any information in the MAData folder will be lost if you restore by reinstalling ILM. From this standpoint it is important to also have file system backups of the Microsoft Identity Integration Server folder.

If you have the encryption keys mentioned above, the easiest way to recover from an ILM server outage is to reinstall ILM 2007 and the Windows Live Management Agent and point it to the existing SQL Server database. Once you provide the encryption keys and restore the supporting files to the proper folders you should be up and running. Again, refer to "Restoring Microsoft Identity Lifecycle Manager 2007" in the ILM 2007 help.

In the event that the ILM server suffers a failure, or the management agents and the database are deleted, the following steps must be done to restore functionality to ILM and prevent errors upon resynchronizing the data with your data source.
1. Install ILM and appropriate software onto the server as needed, depending on the severity of the failure.
2. Restore your management agents from backup XML files, or set up your management agents in ILM as they were before.

3. Turn off provisioning in ILM by going to the Tools menu and selecting Options, then unchecking the Enable Provisioning Rules Extension.

4. Create a full import run profile for the data source management agent.

a. Click the New Profile button, give the run profile a name (in this case, Full Import) and click Next.

b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).

c. In Management Agent Configuration, select the Input file name if using a text management agent; otherwise skip this step and click Finish.

d. Create a full synchronization run profile for the data source management agent. Follow the exact same steps as Step 4; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.
5. Run a full import and full sync from the data source management agent to project data into the metaverse.
6. In Identity Manager under Actions, select Run, select Full Import and click OK.
7. In Identity Manager under Actions, select Run, select Full Sync and click OK.

8. In the Windows Live management agent, we have to set the domain into recovery mode and configure some parameters for the disaster recovery to work.
9. Open the Windows Live management agent and click the Configure Additional Parameters tab.

10. We need to add two parameters in this tab. Click New and add a Parameter name of Domain. In the Value field, type the name of your domain. Click OK.

11. Click new and add a Parameter name of DisasterRecoveryMode. In the Value field, type true and click OK.

12. Set a join rule on the Windows Live management agent for the SignInName attribute in Windows Live to join to the mail attribute (or whatever attribute you used in the Metaverse to store member e-mail accounts).
13. In Identity Manager, in the Windows Live management agent, select the Configure Join and Projection Rules tab.

14. Click New Join Rule and select the data source attribute SigninName and Metaverse object type mail (or whatever attribute in the Metaverse you're using to store member accounts) and click Add Condition.

15. Create a template for use in the full import run profile for the Windows Live management agent.
16. Navigate to the MaData folder in the installation folder for ILM. Usually this is C:\Program Files\Microsoft Identity Integration Server\MaData unless changed upon install.

17. Open the folder for the Windows Live management agent, right click and select New Text Document from the menu.

18. Give the file any name, for example, import.txt, and close the install folder window.

19. Create a full import run profile for the Windows Live management agent.
20. Follow the exact same steps as Step 4; name the profile appropriately, select Full Import from the run profile type, select the file you just created in Step 9c above and click Finish in Management Agent Configuration.
21. Create a full synchronization run profile for the Windows Live management agent.
22. Follow the exact same steps as Step 4; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.
23. Run a full import on the Windows Live management agent. Note the number of objects.

24. Run a full synchronization on the Windows Live management agent.

25. Verify that all imported accounts are joined. There should be the same number of joins as objects from the full import (unless you're using Active Directory or another LDAP directory as your data source; in this case, you would subtract the container objects).
26. There should be pending exports to Windows Live for all joined accounts. Randomly examine a few pending exports to make sure attributes are correctly set. For instance, do not set the ResetPassword attribute unless you want to require all users to reset their password.
27. Run an export on the Windows Live MA.
28. Enable provisioning by going to the Tools menu\Options in ILM and checking Enable Provisioning Rules Extension.
29. Run a full synchronization on the data source management agent.
30. If any exports are pending for the Windows Live management agent after step 16, these must be new users that were not created in Windows Live before the disaster occurred.
31. Run an export to Windows Live to create the new users (if desired).

Section 13: Advanced Topics
These advanced topics should be taken into consideration to extend the stability and functionality of your solution.

Student Portal Integration
The following example demonstrates a method to streamline the signup process and allow your students to be responsible for creating their own accounts. Eastern Washington University has demonstrated this methodology well. ILM 2007 still needs to be part of the solution to create the accounts; however, it can be wrapped with a front-end. This front-end could take the shape of an extension to your existing student portal. The following screenshots provide an example of a way to do this.

The portal integration solution would need to establish the login for the students. This login could potentially be created by the students, as demonstrated below. The sign-in name that the student chooses would eventually make its way into a data source that ILM 2007 can read, such as a SQL database or a text file. This SQL database or text file would then become the source of the student information rather than your existing student records. Additionally, the temporary password could be set through the portal and then provided to ILM 2007 via the database or text file.

If you need assistance with the methodology for, or development of, a solution that includes portal integration you can e-mail Oxford Computer Group at info@oxfordcomputergroup.com.

High Availability
While ILM is not a real-time system and thus may not be required to have 99.999% uptime, it is imperative to have the system operational whenever a run is required, however often that may be. Because ILM is not a real-time system, the normal high availability technique of clustering ILM 2007 may not be appropriate. ILM 2007 is not a cluster-aware application. A desirable and recommended strategy for high availability of ILM 2007 is to maintain a cold-standby server which may be brought up at any time should the primary machine malfunction.

Integration of Live@edu Into a Pre-existing ILM Environment
While many institutions are not yet using ILM 2007 for student synchronization, those that are may choose to integrate the Live@edu solution into their existing ILM 2007 environments. The steps for doing so are as follows:

- Ensure you have the latest .Net and ILM 2007 hotfixes, according to the prerequisite requirements stated above. If you do not, you need to install these before proceeding.
- Ensure your source management agent for student data provides an e-mail address to the Metaverse (note the attribute the address is in). This must be the full e-mail address including the domain portion. If you intend to provide an initial password for the user, the data must be provided in the Metaverse as well.
- Install and configure the Windows Live Management Agent in accordance with the instructions above. Please note that you will need to create a flow from the attribute in the Metaverse that contains the e-mail address you would like to provision to the SigninName attribute in the Windows Live Management Agent connector space.
- Configure the Metaverse provisioning extension as follows:
  o Perform the steps listed in the Enable Provisioning section above, noting the previously listed DLL, if any.
  o If you noted a DLL in the above step, edit the file specified by the section titled Metaverse Rules Extension XML Schema and add a line with contents of <add-assemblies > but with the noted DLL from the step above. This will allow all of your previous code to receive data from ILM 2007 as it did prior to the Live@edu changes.

Distribution List Management
Distribution list management lives on the enterprise system. Once users receive their assigned e-mail addresses, the school administration or faculty may need to send out mailings to groups or distribution lists. For example, an institution may want to group all users based on the campus they are located on, and so it would create a group for each campus and mail-enable the group. It typically involves a great deal of administrative overhead to manually place individual accounts into the groups as users are created, modified or deleted. ILM 2007 can be leveraged to assist in the automated creation and maintenance of these groups. This can be performed automatically using a free Microsoft Group Management solution that is implemented in ILM 2007 (see the URL below for more information). The Group Management solution is a utility provided by Microsoft to allow the automatic population and management of group membership. This solution allows administrators to create criteria for groups via a web interface and then lets the solution automatically populate the groups based on the criteria specified. This can result in the creation of groups for any data source that ILM 2007 can connect to, such as Active Directory (Exchange), Lotus Notes, Sun One, etc. For more details about the Group Management solution and links to the download, please use the following link: http://www.microsoft.com/technet/technetmag/issues/2006/07/Automate/default.aspx

Integration of Metadata into Accounts
To build these groups, you will need to provide information about the students in the Metaverse. This information could include:
- Class
- Status (student or alumni)
- State
- City
- Etc.

In addition to utilizing this data to automatically create distribution lists using the Group Management solution, information contained in attributes like this can assist in the general maintenance of account information. Connecting ILM 2007 to other data sources and synchronizing this type of information can greatly reduce the costs of account administration.

Appendix A: Valid Region/Country Codes
Code  Country
AF  Afghanistan
AL  Albania
DZ  Algeria
AS  American Samoa
AD  Andorra
AO  Angola
AI  Anguilla
AQ  Antarctica
AG  Antigua and Barbuda
AR  Argentina
AM  Armenia
AW  Aruba
AC  Ascension Island
AU  Australia
AT  Austria
AZ  Azerbaijan
BS  Bahamas
BH  Bahrain
BD  Bangladesh
BB  Barbados
BY  Belarus
BE  Belgium
BZ  Belize
BJ  Benin
BM  Bermuda
BT  Bhutan
BO  Bolivia
BA  Bosnia and Herzegovina
BW  Botswana
BV  Bouvet Island
BR  Brazil
IO  British Indian Ocean Territory
BN  Brunei
BG  Bulgaria
BF  Burkina Faso
BI  Burundi
KH  Cambodia
CM  Cameroon
CA  Canada
CV  Cape Verde
KY  Cayman Islands
CF  Central African Republic
TD  Chad
CL  Chile
CN  China
CX  Christmas Island
CC  Cocos (Keeling) Islands
CO  Colombia
KM  Comoros
CD  Congo (DRC)
CG  Congo
CK  Cook Islands
CR  Costa Rica
CI  Côte d'Ivoire
HR  Croatia
CU  Cuba
CY  Cyprus
CZ  Czech Republic
DK  Denmark
DJ  Djibouti
DM  Dominica
DO  Dominican Republic
EC  Ecuador
EG  Egypt
SV  El Salvador
GQ  Equatorial Guinea
ER  Eritrea
EE  Estonia
ET  Ethiopia
FK  Falkland Islands (Islas Malvinas)
FO  Faroe Islands
FJ  Fiji Islands
FI  Finland
FR  France
GF  French Guiana
PF  French Polynesia
TF  French Southern and Antarctic Lands
GA  Gabon
GM  Gambia, The
GE  Georgia
DE  Germany
GH  Ghana
GI  Gibraltar
GR  Greece
GL  Greenland
GD  Grenada
GP  Guadeloupe
GU  Guam
GT  Guatemala
GG  Guernsey
GN  Guinea
GW  Guinea-Bissau
GY  Guyana
HT  Haiti
HM  Heard Island and McDonald Islands
HN  Honduras
HK  Hong Kong SAR
HU  Hungary
IS  Iceland
IN  India
ID  Indonesia
IR  Iran
IQ  Iraq
IE  Ireland
IM  Isle of Man
IL  Israel
IT  Italy
JM  Jamaica
JP  Japan
JO  Jordan
JE  Jersey
KZ  Kazakhstan
KE  Kenya
KI  Kiribati
KR  Korea
KW  Kuwait
KG  Kyrgyzstan
LA  Laos
LV  Latvia
LB  Lebanon
LS  Lesotho
LR  Liberia
LY  Libya
LI  Liechtenstein
LT  Lithuania
LU  Luxembourg
MO  Macao SAR
MK  Macedonia, Former Yugoslav Republic of
MG  Madagascar
MW  Malawi
MY  Malaysia
MV  Maldives
ML  Mali
MT  Malta
MH  Marshall Islands
MQ  Martinique
MR  Mauritania
MU  Mauritius
YT  Mayotte
MX  Mexico
FM  Micronesia
MD  Moldova
MC  Monaco
MN  Mongolia
MS  Montserrat
MA  Morocco
MZ  Mozambique
MM  Myanmar
NA  Namibia
NR  Nauru
NP  Nepal
AN  Netherlands Antilles
NL  Netherlands, The
NC  New Caledonia
NZ  New Zealand
NI  Nicaragua
NE  Niger
NG  Nigeria
NU  Niue
NF  Norfolk Island
KP  North Korea
MP  Northern Mariana Islands
NO  Norway
OM  Oman
PK  Pakistan
PW  Palau
PS  Palestinian Authority
PA  Panama
PG  Papua New Guinea
PY  Paraguay
PE  Peru
PH  Philippines
PN  Pitcairn Islands
PL  Poland
PT  Portugal
PR  Puerto Rico
QA  Qatar
RE  Reunion
RO  Romania
RU  Russia
RW  Rwanda
WS  Samoa
SM  San Marino
ST  São Tomé and Príncipe
SA  Saudi Arabia
SN  Senegal
YU  Serbia and Montenegro
SC  Seychelles
SL  Sierra Leone
SG  Singapore
SK  Slovakia
SI  Slovenia
SB  Solomon Islands
SO  Somalia
ZA  South Africa
GS  South Georgia and the South Sandwich Islands
ES  Spain
LK  Sri Lanka
SH  St. Helena
KN  St. Kitts and Nevis
LC  St. Lucia
PM  St. Pierre and Miquelon
VC  St. Vincent and the Grenadines
SD  Sudan
SR  Suriname
SJ  Svalbard and Jan Mayen
SZ  Swaziland
SE  Sweden
CH  Switzerland
SY  Syria
TW  Taiwan
TJ  Tajikistan
TZ  Tanzania
TH  Thailand
TP  Timor-Leste
TG  Togo
TK  Tokelau
TO  Tonga
TT  Trinidad and Tobago
TA  Tristan da Cunha
TN  Tunisia
TR  Turkey
TM  Turkmenistan
TC  Turks and Caicos Islands
TV  Tuvalu
UG  Uganda
UA  Ukraine
AE  United Arab Emirates
UK  United Kingdom
US  United States
UM  United States Minor Outlying Islands
UY  Uruguay
UZ  Uzbekistan
VU  Vanuatu
VA  Vatican City
VE  Venezuela
VN  Vietnam
VI  Virgin Islands
VG  Virgin Islands, British
WF  Wallis and Futuna
YE  Yemen
ZM  Zambia
ZW  Zimbabwe

Appendix B: Language Codes
These are the languages currently supported by Windows Live Hotmail.

Code  Language
1025  Arabic
1046  Brazilian Portuguese
1026  Bulgarian
2052  Chinese (Simple)
1028  Chinese (Traditional)
1050  Croatian
1029  Czech
1030  Danish
1043  Dutch
1033  English
1061  Estonian
1035  Finnish
1036  French
1031  German
1032  Greek
1037  Hebrew
1038  Hungarian
1040  Italian
1041  Japanese
1042  Korean
1062  Latvian
1063  Lithuanian
1044  Norwegian
1045  Polish
2070  Portuguese
1048  Romanian
1049  Russian
2074  Serbian Latin
1051  Slovak
1060  Slovenian
1034  Spanish
1053  Swedish
1054  Thai
1055  Turkish
1058  Ukrainian

Appendix C: TimeZone Codes
TimeZone Code 0 1264 1191 1201 1078 1077 1303 1240 1093 1056 1165 1166 1167 1168 1169 1084 1086 1090 1116 1125 1145 1346 Location Universal Time Andorra, Andorra Dubai, United Arab Emirates Kabul, Afghanistan Antigua, Antigua and Barbuda Anguilla, Anguilla Tirane, Albania Yerevan, Armenia Curacao, Netherlands Antilles Luanda, Angola Casey, Casey Station, Bailey Peninsula Mawson, Mawson Station, Holme Bay McMurdo, McMurdo, McMurdo Station, Ross Island Palmer, Palmer Station, Anvers Island South Pole, Amundsen Scott Station, South Pole Buenos Aires, E Argentina (BA, DF, SC, TF) Catamarca, Catamarca (CT) Cordoba, W Argentina (CB, SA, TM, LR, SJ, SL, NQ, RN) Jujuy, Jujuy (JY) Mendoza, Mendoza (MZ) Rosario, NE Argentina, Mendoza (MZ) Pago Pago, American Samoa

125

1306 1252 1253 1254 1255 1256 1257 1258 1259 1260 1262 1079 1181 1297 1081 1189 1269 1069 1300 1180 1035 1070 1242 1185

Vienna, Austria Adelaide, South Australia Brisbane, Queensland, most locations Broken Hill, New South Wales Darwin, Northern Territory Hobart, Tasmania Lindeman, Queensland, Holiday Islands Lord Howe, Lord Howe Island Melbourne, Victoria Perth, Western Australia Sydney, New South Wales, most locations Aruba, Aruba Baku, Azerbaijan Sarajevo, Bosnia and Herzegowina Barbados, Barbados Dacca, Bangladesh Brussels, Belgium Ouagadougou, Burkina Faso Sofia, Bulgaria Bahrain, Bahrain Bujumbura, Burundi Porto-Novo, Benin Bermuda, Bermuda Brunei, Brunei Darussalam

126

1117 1092 1101 1120 1122 1133 1140 1148 1131 1230 1047 1286 1082 1094 1095 1098 1103 1110 1113 1114 1129 1135 1142 1143

La Paz, Bolivia Cuiaba, SW Brazil (MT, MS) Fortaleza, NE Brazil (AP, east PA, MA, PI, CE) Maceio, ENE Brazil (AL, SE, TO) Manaus, NW Brazil (RR, west PA, AM, RO) Noronha, Fernando de Noronha Porto Acre, Acre Sao Paulo, S &amp; SE Brazil (BA, GO, DF, MG, ES) Nassau, Bahamas Thimbu, Bhutan Gaborone, Botswana Minsk, Belarus Belize, Belize Pacific Time, Victoria, British Columbia Pacific Time, Kamloops, British Columbia Mountain Time, Edmonton, Alberta Atlantic Time, Charlottetown, P.E.I. Atlantic Time, Halifax, Nova Scotia Mountain Time, Calgary, Alberta Eastern Time, Iqaluit, Nunavut Eastern Time, Montreal, Quebec Atlantic Time, Saint John, New Brunswick Central Time, St. Vital, Manitoba Central Time, St. Boniface, Manitoba

127

1144 1150 1155 1158 1161 1162 1163 1164 1314 1030 1034 1310 1024 1351 1324 1146 1044 1224 1083 1091 1111 1244 1313 1214

Central Time, Regina, Saskatchewan Newfoundland Time, St. John's, Newfoundland Central Time, Saskatoon, Saskatchewan Eastern Time, Toronto, Ontario Pacific Time, Vancouver, British Columbia Pacific Time, Whitehorse, Yukon Territory Central Time, Winnipeg, Manitoba Mountain Time, Yellowknife, Northwest Territories Cocos, Cocos (Keeling) Islands Bangui, Central African Republic Brazzaville, Congo Zurich, Switzerland Abidjan, Côte d'Ivoire Rarotonga, Cook Islands Easter, Easter Island Santiago, Mainland Douala, Cameroon Beijing, China Bogota, Colombia Costa Rica, Costa Rica Havana, Cuba Cape Verde, Cape Verde Christmas, Christmas Island Nicosia, Cyprus

128

1292 1267 1043 1273 1097 1147 1037 1330 1108 1302 1036 1028 1243 1038 1284 1026 1276 1328 1251 1337 1349 1356 1359 1245

Prague, Czech Republic Berlin, Germany Djibouti, Djibouti Copenhagen, Denmark Dominica, Dominica Santo Domingo, Dominican Republic Algiers, Algeria Galapagos, Galapagos Islands Guayaquil, Mainland Tallinn, Estonia Cairo, Egypt Asmera, Eritrea Canary, Canary Islands Ceuta, Ceuta, Melilla Madrid, Mainland Addis Ababa, Ethiopia Helsinki, Finland Fiji, Fiji Stanley, Falkland Islands Kosrae, Kosrae Ponape, Ponape (Pohnpei) Truk, Truk (Chuuk) Yap, Yap Faeroe, Faroe Islands

Code  Location
1031  Banjul, Gambia
1105  Grenada, Grenada
1228  Tbilisi, Georgia
1087  Cayenne, French Guiana
1025  Accra, Ghana
1275  Gibraltar, Gibraltar
1102  Godthab, Southwest Greenland
1149  Scoresbysund, East Greenland
1157  Thule, Northwest Greenland
1039  Conakry, Guinea
1106  Guadeloupe, Guadeloupe
1059  Malabo, Equatorial Guinea
1265  Athens, Greece
1249  South Georgia, South Georgia and The South Sandwich Islands
1107  Guatemala, Guatemala
1333  Guam, Guam
1109  Guyana, Guyana
1195  Peking, Hong Kong
1156  Tegucigalpa, Honduras
1309  Zagreb, Croatia
1138  Port-au-Prince, Haiti
1271  Budapest, Hungary
1198  Jakarta, Java, Sumatra
1199  Jayapura, Irian Jaya, Moluccas
1232  Ujung Pandang, Borneo, Celebes
1274  Dublin, Ireland
1193  Gaza, Gaza Strip
1200  Jerusalem, Jerusalem, most locations
1186  Calcutta, India
1312  Chagos, British Indian Ocean Territory
1179  Baghdad, Iraq
1229  Tehran, Iran
1248  Reykjavik, Iceland
1294  Rome, Italy
1115  Jamaica, Jamaica
1174  Amman, Jordan
1231  Tokyo, Japan
1065  Nairobi, Kenya
1184  Bishkek, Kyrgyzstan
1217  Phnom Penh, Cambodia
1326  Enderbury, Phoenix Islands
1336  Kiritimati, Line Islands
1354  Tarawa, Gilbert Islands
1315  Comoro, Comoros
1151  St Kitts, Saint Kitts and Nevis
1218  Pyeongyang, Korea, North (Democratic People's Republic of Korea)
1223  Seoul, Korea (Republic Of Korea)
1209  Kuwait, Kuwait
1088  Cayman, Cayman Islands
1173  Alma-Ata, East Kazakhstan
1176  Aqtau, West Kazakhstan
1177  Aqtobe, Central Kazakhstan
1236  Vientiane, Lao People's Republic
1183  Beirut, Lebanon
1152  St Lucia, Saint Lucia
1304  Vaduz, Liechtenstein
1188  Colombo, Sri Lanka
1064  Monrovia, Liberia
1061  Maseru, Lesotho
1307  Vilnius, Lithuania
1283  Luxembourg, Luxembourg
1293  Riga, Latvia
1073  Tripoli, Libyan Arab Jamahiriya
1037  Casablanca, Morocco
1287  Monaco, Monaco
1272  Chisinau, Moldova
1311  Antananarivo, Madagascar
1338  Kwajalein, Kwajalein
1339  Majuro, Majuro, most locations
1299  Skopje
1029  Bamako, Southwest Mali
1072  Timbuktu, Northeast Mali
1220  Yangon (Rangoon), Myanmar
1234  Ulan Bator, Mongolia
1210  Macao, Macao
1352  Saipan, Northern Mariana Islands
1123  Martinique, Martinique
1068  Nouakchott, Mauritania
1130  Montserrat, Montserrat
1285  Malta, Malta
1318  Mauritius, Mauritius
1317  Maldives, Maldives
1033  Blantyre, Malawi
1100  Pacific Time, Ensenada, most locations
1124  Mountain Time, Mazatlan
1126  Central Time, Mexico City
1159  Pacific Time, Tijuana, N. Baja California
1207  Kuala Lumpur, peninsular Malaysia
1208  Kuching, Sabah & Sarawak
1060  Maputo, Mozambique
1075  Windhoek, Namibia
1345  Noumea, New Caledonia
1067  Niamey, Niger
1344  Norfolk, Norfolk Island
1054  Lagos, Nigeria
1121  Managua, Nicaragua
1263  Amsterdam, Netherlands
1289  Oslo, Norway
1205  Katmandu, Nepal
1342  Nauru, Nauru
1343  Niue, Niue
1322  Auckland, most locations
1213  Muscat, Oman
1134  Panama, Panama
1118  Lima, Peru
1331  Gambier, Gambier Islands
1340  Marquesas, Marquesas Islands
1353  Tahiti, Society Islands
1350  Port Moresby, Papua New Guinea
1212  Manila, Philippines
1203  Karachi, Pakistan
1308  Warsaw, Poland
1127  Miquelon, St Pierre and Miquelon
1348  Pitcairn, Pitcairn
1141  Puerto Rico, Puerto Rico
1241  Azores, Azores
1280  Lisbon, mainland
1247  Madeira, Madeira Islands
1347  Palau, Palau
1080  Asuncion, Paraguay
1219  Qatar, Qatar
1320  Reunion, Reunion
1270  Bucharest, Romania
1175  Anadyr, Moscow+10 - Bering Sea
1197  Irkutsk, Moscow+05 - Lake Baikal
1278  Kaliningrad, Moscow-01 - Kaliningrad
1202  Kamchatka, Moscow+09 - Kamchatka
1206  Krasnoyarsk, Moscow+04 - Yenisei River
1211  Magadan, Moscow+08 - Magadan & Sakhalin
1288  Moscow, Moscow+00 - West Russia
1215  Novosibirsk, Moscow+03 - Novosibirsk
1216  Omsk, Moscow+03 - West Siberia
1295  Samara, Moscow+01 - Caspian Sea
1237  Vladivostok, Moscow+07 - Amur River
1238  Yakutsk, Moscow+06 - Lena River
1239  Yekaterinburg, Moscow+02 - Urals
1052  Kigali, Rwanda
1221  Riyadh, Saudi Arabia
1332  Guadalcanal, Solomon Islands
1316  Mahe, Seychelles
1051  Khartoum, Sudan
1301  Stockholm, Sweden
1225  Singapore, Singapore
1250  St Helena, St Helena
1281  Ljubljana, Slovenia
1246  Jan Mayen, Jan Mayen
1171  Longyearbyen, Svalbard
1268  Bratislava, Slovakia
1046  Freetown, Sierra Leone
1296  San Marino, San Marino
1041  Dakar, Senegal
1063  Mogadishu, Somalia
1136  Paramaribo, Suriname
1071  São Tomé, São Tomé and Príncipe
1099  El Salvador, El Salvador
1190  Damascus, Syrian Arab Republic
1062  Mbabane, Swaziland
1104  Grand Turk, Turks and Caicos Islands
1066  Ndjamena, Chad
1290  Paris, French Southern Territories
1055  Lome, Togo
1182  Bangkok, Thailand
1192  Dushanbe, Tajikistan
1327  Fakaofo, Tokelau
1178  Ashkhabad, Turkmenistan
1074  Tunis, Tunisia
1355  Tongatapu, Tonga
1277  Istanbul, Turkey
1139  Port of Spain, Trinidad and Tobago
1329  Funafuti, Tuvalu
1226  Taipei, Taiwan
1042  Dar es Salaam, Tanzania
1279  Kiev, most locations
1298  Simferopol, Crimea
1050  Kampala, Uganda
1266  Belfast, Northern Ireland
1282  London, United Kingdom
1335  Johnston, Johnston Islands
1341  Midway, Midway Islands
1357  Wake, Wake Island
1076  United States, Alaska Time
1137  United States, Arizona
1089  United States, Central Time
1132  United States, Eastern Time
1334  United States, Hawaii
1112  United States, Indiana
1096  United States, Mountain Time
1119  United States, Pacific Time
1128  Montevideo, Uruguay
1227  Tashkent, Uzbekistan
1305  Vatican, Vatican City State
1154  St Vincent, Saint Vincent and The Grenadines
1085  Caracas, Venezuela
1160  Tortola, Virgin Islands (British)
1153  St Thomas, Virgin Islands (U.S.)
1222  Saigon, Viet Nam
1325  Efate, Vanuatu
1358  Wallis, Wallis and Futuna Islands
1321  Apia, Samoa
1172  Aden, Yemen
1319  Mayotte, Mayotte
1360  Serbia and Montenegro
1049  Johannesburg, South Africa
1058  Lusaka, Zambia
1053  Kinshasa, West Democratic Republic of Congo
1057  Lubumbashi, East Democratic Republic of Congo
1048  Harare, Zimbabwe


Appendix D: U.S. Region Codes
Code      State
1003      Alabama
1040      Alaska
1945      Arizona
1951      Arkansas
10595903  Armed Forces Asia
10595904  Armed Forces Europe
10595905  Armed Forces Pacific
5599      California
7636      Colorado
7798      Connecticut
8831      Delaware
9130      District of Columbia
11032     Florida
12004     Georgia
13656     Hawaii
14713     Idaho
14808     Illinois
14882     Indiana
14987     Iowa
16121     Kansas
16480     Kentucky
19283     Louisiana
19840     Maine
20487     Maryland
20543     Massachusetts
21196     Michigan
21412     Minnesota
21502     Mississippi
21512     Missouri
21789     Montana
22869     Nebraska
23035     Nevada
23097     New Hampshire
23117     New Jersey
23132     New Mexico
23161     New York
23611     North Carolina
23624     North Dakota
24230     Ohio
24293     Oklahoma
24561     Oregon
25623     Pennsylvania
27664     Rhode Island
31410     South Carolina
31418     South Dakota
33025     Tennessee
33145     Texas
34626     Utah
35022     Vermont
35364     Virginia
35841     Washington
36208     West Virginia
36684     Wisconsin
36927     Wyoming


Appendix E: Certificate Install Information
If you chose to use a certificate to provide your identity to Microsoft, the certificate is provided to you by the Live@edu Ed Desk (ed-desk@microsoft.com). You will be contacted with a password for the private key. You will need to use a workstation to properly unpack and export your certificate for use with Windows Live Admin Center.

Obtaining a Certificate for your Domain

- If you want to authenticate using a certificate, you need to specifically request one from the Live@edu Ed-Desk; contact ed-desk@microsoft.com for details.
- The Live@edu Ed-desk will create a certificate for you and give you the exportable private key to import into your systems.
- The Live@edu Ed-desk will transfer your certificate to you.
- The Live@edu Ed-desk will call you with the password for the private key.

Installing the certificate on the ILM Server

Follow the steps below to install the certificate provided to you by the Live@edu Ed-desk on all machines that will be used to administer Windows Live IDs:

Copy your certificate to the root of your ILM Server. In order to set the correct permissions for the ILM service account to access the certificate, you will need to use the WinHTTP Configuration Tool, available from the Microsoft Download site at http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667c748e422833f&displaylang=en.

Installing WinHTTP Configuration Tool

Locate the winhttpcertcfg.msi you downloaded above and double-click to open. Click Next on the welcome screen.

Read the end-user license agreement, click the I accept button and click Next to continue.

Choose a Destination Folder or accept the default location and click Install Now.

The installation is complete, click Finish.

To run the program, open a command-prompt window by clicking the Start menu, selecting Run and typing CMD in the Open field. Click OK.

Change to the directory where you installed the tool; if using the default settings, the location is C:\Program Files\Windows Resource Kits\Tools. You will need to copy the certificate provided to you by the Live@edu Ed Desk (ed-desk@microsoft.com) to the root of your C: drive and know the private key password. The following example shows the command line parameters that are valid for use with this tool:

    winhttpcertcfg [/?]
    winhttpcertcfg [-i PFXFile | -g | -r | -l] [-a Account] [-c CertStore] [-s SubjectStr]

The following table explains the parameters for the configuration tool.

Parameter  Description
-?         Displays syntax information.
-i         Specifies that the certificate is to be imported from a Personal Information Exchange (PFX) file. This parameter must be followed by the name of the file. When this parameter is specified, -a and -c must also be specified.
-g         Specifies that access is granted to a private key. When this parameter is specified, -a, -c, and -s must also be specified.
-r         Specifies that access is removed for a private key. When this parameter is specified, -a, -c, and -s must also be specified.
-l         Specifies that accounts with access to a private key are listed. When this parameter is specified, -c and -s must also be specified.
-a         Specifies the user account on the machine being configured. This could be a local machine or domain account, such as IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\DOMAINUSER.
-c         Specifies the location and name of the certificate store. Use LOCAL_MACHINE or CURRENT_USER to designate which registry branch to use for the location. The certificate store can be any installed on the machine. Typical name examples are MY, Root, and TrustedPeople. The location and name of the certificate store are separated with a backward slash; for example, LOCAL_MACHINE\Root. Note: Although the CURRENT_USER branch of the registry can be specified with this parameter, extending access to private keys is primarily intended for certificates installed in a local machine certificate store that can be accessed by multiple users.
-s         Specifies a case-insensitive search string for finding the first enumerated certificate with a subject name that contains this substring.

To install your certificate with the correct permissions, you will need to run the configuration tool with the following command:

    winhttpcertcfg.exe -g -i c:\yourcertificatename -c LOCAL_MACHINE\My -a yourILMserviceaccount -p yourcertificatepassword

Once successfully executed, you will see a screen similar to below.

Installing the certificate to Windows Live Admin Center

Once you have the certificate installed on the server(s) that will be used to manage Windows Live IDs, you need to export the certificate for use with Windows Live Admin Center and upload your cert to the service.

Open a Microsoft Management Console (click the Start menu, select Run and type mmc) and click OK.

In the MMC, go to the File menu and select Add/Remove Snap-in.

Select the snap-in for Certificates, click Add.

Select the radio button for the Certificates snap-in to manage certificates for the Computer account, click Next.

Select local computer, click Finish.

When you click Finish, the snap-in appears in the MMC window. On the left side, expand Certificates (Local Computer) and select the Personal store.

In the right pane, right-click the certificate in the Certificates (Local Computer) Personal Certificates store, select All Tasks and then Export.

The Certificate Export Wizard appears, click Next. Select the radio button next to No, do not export the private key and click Next.

Use DER encoded X.509 (.CER), click Next.

Click the Browse button, select a location for the exported certificate, click Next.

Click Finish to complete the Certificate Export Wizard.
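The same two operations the appendix walks through in the GUI and with winhttpcertcfg (import the PFX and grant the ILM service account access to its private key, then export the public certificate without the private key for Admin Center) can be done from PowerShell on the ILM server. The script below is an added example and is not code from the Live@edu guide or from Microsoft; the PFX path, the service account name and the output path are assumed placeholders. It differs from the winhttpcertcfg command above in two deliberate ways: it prompts for the private key password instead of accepting it as a command-line argument, and it grants the service account Read on the key container rather than Full Control, which is all a signing client needs.

```powershell
# Added example; not code from the Live@edu guide or from Microsoft.
# Run in an elevated PowerShell on the ILM server. Steps:
#   1. import the Ed Desk PFX into the Local Computer Personal (My) store
#   2. locate the private key container file
#   3. grant the ILM service account Read on it (what winhttpcertcfg -g/-i set up)
#   4. list who can reach the key (the winhttpcertcfg -l equivalent)
#   5. export the certificate WITHOUT the private key as a DER .CER file
# Assumed placeholders: $PfxPath, $ServiceAccount, $CerOut.
$PfxPath        = 'C:\yourcertificatename.pfx'   # assumed: PFX copied to the root of C:
$ServiceAccount = 'CONTOSO\svc-ilm'              # assumed: the ILM service account
$CerOut         = 'C:\yourcertificatename.cer'   # assumed: DER export for Admin Center

# Ask for the private key password the Ed Desk gave you by phone; do not pass it
# on the command line, where it shows up in process listings and shell history.
$pfxPassword = Read-Host -Prompt 'Private key password' -AsSecureString

# 1. MachineKeySet puts the key in the machine key store a service account can use;
#    PersistKeySet keeps it after this session ends.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
"Imported: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# 2. CAPI (RSA) machine keys are files under
#    %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<UniqueKeyContainerName>.
$rsa = $cert.PrivateKey
if (-not $rsa -or -not $rsa.CspKeyContainerInfo) {
    throw 'Private key is not a CAPI key container; grant access with winhttpcertcfg instead.'
}
$keyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)

# 3. Grant Read only: the service signs with the key, it never needs to export it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify the grant by listing every principal with access to the key file.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 5. Export the public certificate only (X509ContentType.Cert = DER encoded .CER).
#    This is what Admin Center needs; the private key stays on the ILM server.
[System.IO.File]::WriteAllBytes($CerOut, $cert.Export('Cert'))
"Exported public certificate to $CerOut"
```

If the PFX was created with a CNG key provider rather than CAPI, $cert.PrivateKey is empty on older .NET Framework versions and the script stops at step 2; in that case fall back to the winhttpcertcfg command from the previous page. The ACL listing in step 4 is worth keeping as a periodic check: only SYSTEM, Administrators and the ILM service account should appear on that key file.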

To upload the exported certificate to the Windows Live Admin Center, go to http://admincenter.live.com in Internet Explorer, click the Sign In button and log in with the Domain Admin credentials that you established when you reserved your domain.

Click the domain you're managing from your domains.

Click SDK.

Browse to the location where you exported the cert and click Add/Update. If Add/Update is not available, contact the Live@edu Ed Desk (ed-desk@microsoft.com) to enable the feature for your domain.

The certificate has been uploaded successfully.


Appendix F: Migrating from the SDK tools
If you have been using one of the SDK Tools to manage your domain, you can migrate from them to ILM if you prefer.

Note: We recommend that if you do this, you're making a full move to Identity Lifecycle Manager. Do NOT use the SDK apps for account management after you migrate from them, otherwise you will encounter errors. If you add or remove accounts with the SDK tools after moving to ILM, the domain will become out of sync.

The EduExpress application contains an option to export a CSV file containing your domain's member accounts. This file can be used to import members into ILM.

1. First, launch the EduExpress application and locate the Export Existing Member List link.

2. Clicking this link brings up a save dialog box. Save the file to a known location.

You can use this CSV file to populate Active Directory, a SQL database, a delimited text file or any other source supported by ILM. For demonstration purposes, we'll create a delimited text file for use with ILM.

3. Create a new text file with the attributes you want to use in the header of the file. Refer to the Passport User Attributes section for more information.
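Building the delimited text file from the EduExpress export by hand works for a few dozen members but not for a whole institution, and two things in the file decide whether the rest of this appendix goes smoothly: every row needs a SigninName (it becomes the anchor in step 9) and no SigninName may repeat (duplicate anchors fail on import and make the projection count checked in step 32 disagree with Windows Live). The script below is an added example, not code from the Live@edu guide or from EduExpress; it assumes the export has columns named "First Name", "Last Name" and "Sign-in Name" (placeholder names, check the header of your own export) and that the data source management agent folder under MaData is called MembersMA.

```powershell
# Added example; not code from the Live@edu guide or from EduExpress.
# Converts the EduExpress CSV export (step 2) into the delimited text file the
# Delimited Text File MA reads (step 3), writing it straight into the MA's
# MaData folder (step 29), after checking the anchor attribute.
# Assumed placeholders: the export path, its column names and the MA folder name.
$ExportCsv  = 'C:\members-export.csv'   # assumed: file saved in step 2
$MaFolder   = 'C:\Program Files\Microsoft Identity Integration Server\MaData\MembersMA'  # assumed MA folder
$OutputFile = Join-Path $MaFolder 'members.txt'

$rows = Import-Csv -Path $ExportCsv

# Map the export's columns (assumed names) onto the header names used in the
# attribute-flow table: FirstName, LastName, SigninName. Trim whitespace so the
# join on the metaverse mail attribute in step 34 compares clean values.
$members = @(foreach ($r in $rows) {
    [pscustomobject]@{
        FirstName  = $r.'First Name'.Trim()
        LastName   = $r.'Last Name'.Trim()
        SigninName = $r.'Sign-in Name'.Trim()
    }
})

# Check 1: the anchor must be present on every row.
$blank = @($members | Where-Object { -not $_.SigninName })
if ($blank.Count -gt 0) {
    throw "$($blank.Count) row(s) have an empty SigninName and cannot be anchored."
}

# Check 2: the anchor must be unique, or the MA reports duplicate anchors on
# import and the projection count in step 32 will not match Windows Live.
$dupes = @($members | Group-Object -Property SigninName | Where-Object { $_.Count -gt 1 })
if ($dupes.Count -gt 0) {
    throw "Duplicate SigninName values: $($dupes.Name -join ', ')"
}

# Write a tab-delimited file whose first row is the header (step 7: Use first
# row for header names; pick Tab as the delimiter on that page). Tabs avoid the
# quoting a comma-delimited file would need when a surname contains a comma.
$lines = New-Object System.Collections.Generic.List[string]
$lines.Add("FirstName`tLastName`tSigninName")
foreach ($m in $members) {
    $lines.Add("$($m.FirstName)`t$($m.LastName)`t$($m.SigninName)")
}
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)   # no BOM, so the header row stays clean
[System.IO.File]::WriteAllLines($OutputFile, $lines.ToArray(), $utf8NoBom)

"Wrote $($members.Count) member(s) to $OutputFile; expect $($members.Count) projections in step 32."
```

Because the same file is selected as the template input file in step 6, run the script once before configuring the management agent so the MA picks up the header names, and rerun it whenever EduExpress is used to produce a fresh export before the final migration. The member count it prints is the number to compare against the projections in step 32 and the joins in step 42.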

4. Launch Identity Manager, click Create to create a new management agent for a data source. More information about configuring data source management agents is included in Section 5.


5. Select Delimited Text File in the Management Agent For: drop down menu. Give the management agent a name and a description (if desired).

6. In Select Template Input File, select the text file you created in step 3. Click Next.

7. In Delimited Text Format, click Use first row for header names and click Next.

8. In Configure Attributes, click the Set Anchor button to set an anchor attribute for the management agent.


9. In the Set Anchor window, click the SigninName attribute and click the Add button to construct the anchor. Click OK and click Next.

10. In Define Object Types, accept the default and click Next.


11. In Configure Connector Filter, accept the defaults by clicking Next.

12. In Configure Join and Projection rules, we want to create a projection rule for the data source management object to project members into the Metaverse. Click New Projection Rule.


13. Unless you've created your own object type in the Metaverse, select the person metaverse object type, leave the radio button next to Declared selected, click OK and click Next.


14. In Configure Attribute Flow, we will create attribute flow for the attributes in our text file. Select an attribute in the data source attribute column, set the radio button for mapping type to Direct, set the radio button for Flow Direction to Import, click the corresponding Metaverse Attribute and click the New button. Follow these same steps for every attribute mapping. In the example, we're flowing our attributes like this:

Data source attribute  Mapping Type  Flow Direction  Metaverse Attribute
FirstName              Direct        Import          givenName
LastName               Direct        Import          LastName
SigninName             Direct        Import          mail

When you're finished setting attribute flow, click Next.

15. In Configure Deprovisioning, accept the default of Make them Disconnectors by clicking Next.

16. In Configure Extensions, accept the default by clicking the Finish button.


17. Next we will configure the export management agent. In Identity Manager, click Create from under the Actions menu.


18. From the Create Management Agent drop down menu, select WLCD Management Agent (Microsoft), give the management agent a name and a description (if desired).


19. In Configure Connection Information, enter your administrator account and password into the appropriate fields. If you're using a certificate for authentication, you can skip this step.

20. In Configure Additional Parameters, accept the defaults for now by clicking Next.


21. In Configure Attributes, accept the default settings and click Next.

22. In Define Object Types, accept the default settings and click Next.


23. In Configure Connector Filter, accept the defaults and click Next.

24. In Configure Join and Projection Rules, accept the defaults for now and click Next.

25. In Configure Attribute Flow, we will set up direct export attribute flows for the attributes we set up on the data source management agent. Select an attribute in the data source attribute column (Passport User), set the radio button for mapping type to Direct, set the radio button for Flow Direction to Export, click the corresponding Metaverse Attribute and click the New button. Follow these same steps for every attribute mapping. In the example, we're flowing our attributes like this:

Data source attribute  Mapping Type  Flow Direction  Metaverse Attribute
FirstName              Direct        Export          givenName
LastName               Direct        Export          LastName
SigninName             Direct        Export          mail

When you're finished setting attribute flow, click Next.

26. In Configure Deprovisioning, accept the defaults and click Next.

27. In Configure Extensions, uncheck Enable password management and click Finish.


28. Both management agents are now configured. Now we need to turn off provisioning in ILM so that we can sync our accounts with those existing in Windows Live. Go to the Tools menu, select Options and remove the tick from the checkbox next to Enable Provisioning Rules Extension.

29. We need to copy the data source text file to the C:\Program Files\Microsoft Identity Integration Server\MaData\<data source management agent folder>.


30. Create a full import run profile for the data source management agent.


a. Click the New Profile button, give the run profile a name (in this case, Full Import) and click Next.

b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).


c. In Management Agent Configuration, Click the Select button to select the Input file you placed in the C:\Program Files\Microsoft Identity Integration Server\MaData\<data source management agent folder>.

d. Select the file from the list, click OK and Click Finish.

31. Create a full synchronization run profile for the data source management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.

32. Run a full import and sync from the data source management agent to project data into the metaverse.
a. In Identity Manager under Actions, select Run, select Full Import and click OK.
b. In Identity Manager under Actions, select Run, select Full Sync and click OK. Be sure to note the number of projections. This number should match the number of accounts you're synchronizing with Windows Live.

Note: If you experience the error no-start-file-access-denied, select the folder for the data source management agent (C:\Program Files\Microsoft Identity Integration Server\MaData\<data source management agent folder>), open its Properties, click the Security tab, click Advanced and select the tick box for Replace permission entries on all child objects with entries shown here that apply to child objects. Click OK and click OK on the security dialog box below.
c. Click Yes, then OK to close the properties dialog box. This will enable the correct permissions.

33. In the Windows Live management agent, we have to set the domain into recovery mode and configure some parameters for the disaster recovery to work.
a. Open the Windows Live management agent and click the Configure Additional Parameters tab. We need to add two parameters in this tab. Click New and add a Parameter name of Domain. In the Value field, type the name of your domain. Click OK.
b. Click New and add a Parameter name of DisasterRecoveryMode. In the Value field, type true and click OK.

34. Set a join rule on the Windows Live management agent for the SignInName attribute in Windows Live to join to the mail attribute (or whatever attribute you used in Metaverse to store member e-mail accounts). a. In Identity Manager, in the Windows Live management agent, select the Configure Join and Projection Rules tab.

b. Click New Join Rule and select the data source attribute SigninName and Metaverse attribute mail (or whatever attribute in the Metaverse you're using to store member accounts) and click Add Condition.

35. Create a template for use in the full import run profile for the Windows Live management agent.


a. Navigate to the MaData folder in the installation folder for ILM. Usually this is C:\Program Files\Microsoft Identity Integration Server\MaData unless changed upon install.

36. Open the folder for the Windows Live management agent, right click and select New Text Document from the menu.

37. Give the file any name, for example, import.txt, and close the install folder window.


38. Create a full import run profile for the Windows Live management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full Import from the run profile type, select the file you just created in Step 37 above and click Finish in Management Agent Configuration.

39. Create a full synchronization run profile for the Windows Live management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.

40. Run a full import on the Windows Live management agent. Note the number of objects.

41. Run a full synchronization on the Windows Live management agent.

42. Verify that all imported accounts are joined. There should be the same number of joins as objects from the full import (unless you're using Active Directory or another LDAP directory as your data source; in this case, you would subtract the container objects).

43. There should be pending exports to Windows Live for all joined accounts. Randomly examine a few pending exports to make sure attributes are correctly set. For instance, do not set the ResetPassword attribute unless you want to require all users to reset their password.

44. Create an Export run profile on the Windows Live MA.

45. Enable provisioning by going to the Tools menu\Options in ILM and ticking Enable Provisioning Rules Extension.

46. Run a full synchronization on the data source management agent.

47. If any exports are pending for the Windows Live management agent after step 46, these must be new users that were not created in Windows Live before the disaster occurred.

48. Run an export to Windows Live to create the new users (if desired).


Appendix G: Support information
Getting Help from Microsoft

For general Live@edu program information please refer to our Live@edu program website located here: http://www.liveatedu.com/

For additional questions regarding the program that are not addressed on the program page, or any onboarding questions, please direct your inquiry to the Live@edu Education Business desk (eddesk@microsoft.com).

Please refer all single user issues that involve MSN Services to http://support.live.com. This is the same support resource that is available to all global users of Windows Live services and can often resolve single user issues.

If you are experiencing an issue that impacts multiple end users, or are experiencing errors or unexpected behavior with your account provisioning tools, we suggest you file a ticket with our Premier Partner Support team. Once you have onboarded with the Live@edu program you will be provided a unique Premier Online account for your institution. Please use this Premier Online account for filing issues only directly related to the Microsoft Live@edu program.

If, after filing your support ticket, you feel that you have not received a timely response or if you would like a status update, please contact the Live@edu escalation services team (edues@microsoft.com). Please provide your support ticket number when contacting this team. These tickets usually begin with the characters SR.

Live@edu partners who use Windows Live Services are supported by the MSN Partner Support team, which is staffed to assist you with your technical support issues regarding the Microsoft Live@edu products (e.g. ILM, Passport MA, mail delivery issues etc.). In addition to our Partner Support staff we have an Emergency Response Team (ERT) available 24x7x365 to respond to operational support issues submitted from Live@edu partners that deal with the Windows Live Services (e.g. confirm Windows Live maintenance, latency or issues impacting login or mail delivery, etc.).

Note: technical support related issues will be addressed by the Partner Support team the next business day. To engage our Support Professionals you will need to submit Microsoft Live@edu technical issues using the Microsoft Premier Online website. Premier Online will be the primary tool used by your support and Helpdesk personnel to submit support cases to engage Microsoft Partner Support and the Emergency Response team.


Using Microsoft Premier Online

Microsoft Premier Online is a secure website that requires a Windows Live ID (Passport) account, a Microsoft Premier Online Access ID and Password for login.

Steps to access the Microsoft Premier Online site

First, if you do not already have one, you will need to create a Windows Live ID (formerly known as .NET Passport); please go to http://www.passport.net to create a Windows Live ID. Next go to the Premier Online site (https://premier.microsoft.com) and link your Windows Live ID (formerly .NET Passport) to your Premier Online support account. For this step, you will need your Premier Online Access ID and your password: your unique credentials will be provided by the Live@edu Escalation services team via e-mail once you have onboarded with the Live@edu program.

Note: Please safeguard this access ID and password. Provide this information only to support and Helpdesk personnel who you authorize to open support incidents.

Steps to file a support request with Microsoft:

1. Sign into the Premier Online site.
2. Click Submit Incident in the left hand column (this will take you to the Submit Incident page).
3. From the Select a Product drop down, choose Beta and Other Products.
4. From the Select a product version or edition drop down, scroll down and select MSN College & University Program.
5. Click Next>>.
6. On the Describe the problem page, fill out the following information:
   a. Title: Include <Institution Name:>. The Title should be a short, clear description of the issue.
   b. Severity: Choose Severity C or B (the tool does not allow Severity A issues to be submitted; in order to upgrade an issue to severity A you must call the Emergency Response team).
   c. Details: copy and paste the following template to fill out the incident details section:
      - Severity of the incident, e.g. number of users impacted as well as your internal issue severity level.
      - Detailed description of the incident.
      - Steps to reproduce the problem.
      - Troubleshooting done: full error text and logs.
      - Other comments/additional information that might be useful to bring about the resolution of the incident, e.g. error messages, etc.
      - Specific user accounts, if needed, that demonstrate/exhibit the problem. Note: never include the user's password.


NOTE: Currently we provide support in English only. Submitting support incidents in languages other than English may result in delays in handling.
   - Computer Information: Select the Operating System.
   - Attachments: the Computer Information section includes the ability for you to attach files, error logs, and images to your case that may be useful to the Support Professional in resolving your issue.
   - Contact Information: Ensure your contact information is accurate.
7. Click the Submit button. Your incident submission is complete and a tracking number will be provided for your case.

Once your case has been submitted, a Partner Support team member will be assigned ownership of your case and they will work with you directly to assist in resolving your issue.

Tracking/Updating an Incident

Please note that you can check the latest status of your issue(s) or add additional information at any time by logging on to the Premier Online site.

1. Sign into the Premier Online site: https://premier.microsoft.com
2. Click View Incidents in the left hand navigation pane (found under the Online Services section).
3. Make sure the Schedule name is MSN University Program and apply any other needed view filters.
4. Click on the incident number that you are interested in.
5. Review the Microsoft Support Professional's notes and enter a response and additional notes for the Microsoft Support Professional in the provided text box if necessary.
6. If you are adding notes to the incident, update contact information if needed, and click Send.


Incident Severity Definition When you submit an issue (called a support incident) to Microsoft, you will need to assign a severity level to the incident; the Severity definitions listed below will assist you in assigning the appropriate severity to an issue. NOTE: ERT may reset the Severity level as appropriate based on the issue.

Severity A: Significant business impact; significant loss or degradation of services, business process and work cannot reasonably continue. All employees, students, and alumni are affected. Our response goal for Severity A issues is one hour, followed by updates every hour or as needed.

Severity B: Moderate business impact; moderate loss or degradation of services, but work can reasonably continue in an impaired manner. Issues affect most (but not all) employees, students, and alumni. Our response time goal for Severity B issues is two hours, followed by updates every two hours or as needed.

Severity C: Minimum business impact; used for issues encountered during implementation (pre-deployment), but prior to launching the service to your students and faculty. Our response time goal for Severity C issues is 4 hours or next business day with updates as needed. NOTE: All installation and configuration issues related to Windows Live@Edu would qualify as Sev C.

Severity D is used to monitor incidents that need to remain open for long periods of time.
