Adding PCNS to an ECMA2.0

One of my favourite tools that comes with working at Oxford Computer Group is an ECMA2 called the “delta generator” – at it’s simplest it’s a faster version of the FIM SQL management agent, but it’s got a few extra tricks up its sleeve that make it an common tool to reach for whenever I’m working on a project.

This time, I’ve been asked to add a password hash to an existing SQL database and to treat the connector as a PCNS target.

Initially I thought it wouldn’t be a problem until I got into FIM to configure myself a Password extension and was faced with the Extensions page of the MA Properties:


As you can see, I’ve checked the ‘Enable Password Management’ box however this has defaulted to the delta generator DLL rather than allowing me to insert my own code.

Usually this wouldn’t be a problem – most of the time I’ve either built the ECMA2 myself or its source is part of the project, however this is one of our stock tools and creating a custom version would cause no end of downstream issues – especially as this tool sometimes crops up several times on the same FIM configuration and I really don’t want to have a password extension for one part of the project cropping up on management agents for other systems – or the overhead of trying to manage any future updates to delta generator back into the new connector.

In order to work around this, I built myself a brand new ECMA2 and added a reference to the original delta generator – the interfaces call for public methods and no parameters on the constructor so in theory it should be fairly simple to create my own instance of the delta generator within my ECMA and pass parameters back and forth between FIM and the underlying code as follows:

From here, I added the core interfaces one at a time, passing in any parameters and returning any values from the delta generator back out to FIM – for example, the CallExport interface is implemented as follows:

Working back from the interfaces exposed from the original Management Agent, it should be relatively simple to stand up matching interfaces on the Wrapper MA and fill in the blanks in the same manner as above – passing the values back and forth between the FIM and the core DLL.

Once this was working (and tested) I added the IMAExtensible2Password interface (this one isn’t automatically provided by the template generator for some reason) and started to implement the new Password Extension methods.

While these are a major improvement over the original Password Extension as you can access the same set of configuration parameters used by the hosting Management Agent, it quickly became obvious that I was missing a key detail that was unique to the Password Extension – the name of the certificate to use for encryption and signing.

Fortunately as well as wrapping up the existing DLL, because the Parameters are passed back from the original delta generator via our wrapper, it is possible to inject additional items – as far as FIM is concerned, it is still retrieving a legitimate collection of parameters to query the user for.

Once compiled and built, this wrapper can now be dropped into place within the Management Agent in place of the delta generator and refreshing it’s interfaces brings the new Password capabilities into play:


This time, visiting the Configure Extensions page and enabling password management still refers back to the ECMA2 DLL however this time, the correct Password Extension is in place to be able to perform the required updates:


Posted in Certificate, ECMA 2.0, FIM, Snippets | Tagged , , , , , , , , , , | Leave a comment

ECMA 2.0 – Changing Capabilities

I’m working on a project at the moment that requires an MA that writes out it’s major operations (Add, Update, Delete) into separate CSV files – in theory this should be a fairly straight forward Export Only ECMA 2.0 to build and to be honest it’s not been too big a deal.

Until of course, I noticed I’d got the capabilities section wrong in the code and thought I’d quickly amend the appropriate setting – in this case the MAExportType and refresh the interfaces. That all appeared to be working fine until I attempted (after a couple of syncs to update the data in the connector space) to delete the connector space so I could repopulate it and generate fresh exports.

At this point I started getting reports of objects without an anchor in the connector space and the whole MA got itself tangled – I still haven’t been able to remove it fully as there are still a small number of mangled objects lurking in the connector space – fortunately in the development environment I can rename it so it’s not in the way and clean it up later but it’s certainly something I’m glad I didn’t encounter in production.

Obviously the thing to do is if you update your MA’s capabilities give some serious thought to deleting and recreating the entire MA rather than just going for the refresh – it may be that other settings aren’t as sensitive but I’d want to validate that in a lab setting and it’s probably safest just to avoid the possibility entirely.

Posted in ECMA 2.0, FIM, Troubleshooting | Tagged , , , , , , , | Leave a comment


I was helping a colleague work on a deployment this week and we needed to change the attribute in the target system we were working on. Naturally there was a rule extension in place that needed updating as well so we dutifully opened up the code and changed that as well – which is where things started to get strange.

Everything compiled as expected but when we went to the FIM console and previewed one of our users, it failed with an E_MMS_SCHEMA_CLASS_NOT_FOUND error.

This worried me for two reasons – one, it’s not an error I remember seeing before, and slightly more worryingly, when I went to google to see if I could find anything out about it, there apparently aren’t any results!


After running down a few false leads (it’s not my project and there were a few custom libraries and tools in place) we managed to link this back to a fault in our code – it worked out that we had two similarly named attributes in place, EmailAddress and EmailAddresses and had referred to the wrong one when we were adding and removing values.

Simple enough to fix but an odd error that appears to be thrown if you try to access the Values collection of a single value attribute – although hopefully next time I encounter the error I’ll at least have a clue what I’ve done wrong!

Posted in FIM, Troubleshooting | Tagged , , , | Leave a comment

Working with FIM Exports

We’ve all been there – you run one little export-fimconfig cmdlet and next thing you know you’ve got a ton of data to process – and given the number of cross links between the different FIM objects you know it’s just not going to be pretty.

In an attempt to make it a little easier for myself, I’m currently experimenting with some PowerShell that converts the results from the Export cmdlet into a hashtable so I can access it more easily – rather than trying to navigate my way through the ResourceManagementAttributes collection, it’s much easier to just go directly to the named property I’m looking for:

becomes the far more palettable:

So – what’s the secret to this? it’s a simple block of code that iterates all of the available fim objects and converts them into a collection of hashtables (using the ObjectID as the master key so we can then lookup objects when we’re following references)

The script I’m playing with looks along the lines of:

Essentially all this does is iterate through every object that is passed into it, and for this object retrieve all of the attribute-value pairs it contains. This is then loaded into a hashtable, which is then stored using the ObjectID as a master key.

This version is extended slightly to have additional lists of object types, bindings and attributes for an experimental “FIM schema to HTML” convertor I’m playing with – but at it’s heart it’s fairly simple.

Once it’s processed the objects to read in, then it’s relatively simple to either look up a reference or work with objects just by stepping through them and checking the attributes quickly and cleanly.

for example, the following code writes to a file ($ofile) a table for each attribute – but will attempt to use a DisplayName for a linked object rather than the unique identifier (not that they’re easier to read or anything!) – the key snippet that retrieves the displayname from a reference is as simple as: $all[$id][“DisplayName”]

I’ve uploaded the schema writer as well – it is very experimental but may prove useful to someone out there!.

Posted in FIM, Powershell, Snippets, Tools | Tagged , , , , , | Leave a comment

Tricky Permissions / When MPR go bad

I’ve reached that special time of the project when it’s time to kick the tyres and test things before releasing an update onto the unsuspecting client and as I’m going back through the test scripts using a number of user accounts was very surprised when one of my RCDC suddenly stopped allowing me to add or remove values to one of my attributes – not by blocking access to the identity picker or locking it to prevent it from being edited, but by throwing an ‘Unable to process your request’ error once you’ve clicked Ok to complete the change.


Naturally I checked the various Requests and could see a Denied Status along with the MPR that was correctly firing to give me the results.



Once I checked the MPR I was more than a little confused as the attribute involved was listed in the ‘Target Resources’ list and when I attempted to edit the user the RCDC was being correctly displayed!

It was only when I went back a tab and checked the ‘Requests and Operations’ that I noticed what was causing the problem – while I’d set the MPR to grant permission and rights over the key attribute, what I’d neglected to do is set the rights to allow values to be added or removed to a multi-value attribute.


It seems that even though the MPR doesn’t actually grant rights to manage a multi-valued attribute, the fact that I’d allowed a single-valued attribute to be edited combined with the correct attribute being listed in the target resources was enough to trick the RCDC into displaying and operating as though the user actually did hold permission to perform an update.

Fortunately this one’s an easy fix, but it was a fraught hour tracing everything through before I spotted it.

Posted in facepalm, FIM, Testing, Troubleshooting | Tagged , , , , , , , , , , | Leave a comment

VMware Upgrades

I’ve been a fan of VMware pretty much since workstation was first released and use it on both my windows and mac environments (mainly because unlike the competition I can move a VM I’ve been working with on my laptop onto my home server and know that it can be used pretty much immediately without any conversion and visa versa)

So, although I expect it to “just work” when I started moving to the latest versions of fusion and vmware workstation, I was thwarted – my VMs would no longer start up with an error of “This virtual machine’s policies are too old to be run by this version of VMware Workstation. Contact your system administrator.”

The good news is that a little surgery inside the VM folder to remove it’s .vmpl file and remove the policy lines from within the .vmx file

printers.enabled = “TRUE”
extendedConfigFile = “Live_at_FIM.vmxf”
policy.vm.mvmtid = “52 62 b3 21 92 c6 0e 24-11 16 c1 09 1f 54 64 b6”
policy.vm.managedVMTemplate = “TRUE”
policy.vm.managedVM = “FALSE”

and it all starts working again as normal – I’m just a little disappointed that I’ve needed to go and start hacking about inside the VM for something that was working perfectly before I started the upgrade – and that I’ve now got to go and do this across a library of virtual machines so that I don’t get tripped up by this in 3 months time when I go back to an older project.

Posted in Troubleshooting | Tagged | Leave a comment

Feeling Lazy

I’m currently working on a project where I need to toggle transitions into a set – not an uncommon requirement, but one where I’m getting tired of using the GUI to locate my current “volunteer” user and set the required attributes to true in order to transition the user into the set, before repeating the process to transition them back out by going back into the GUI, retrieving the correct user, locating the attribute and clearing the checkbox.

As I’m feeling lazy (and it’s something I’ve been meaning to do for a while) I’ve put together a quick powershell script to locate the user and then do these operations for me – setting the nominated attribute to be true, before immediately setting it back to false.

[wpfilebase tag=file path=’toggle_bool.ps1′ /]

Posted in FIM, Powershell, Snippets, Testing, Tools | Tagged , , , , , , , , , , | Leave a comment

Pesky Internal Database

I’ve spotted this one a couple of times recent – on different systems and not both ones I’m responsible for looking after (it’s always good to know it’s not purely my fault!) where after a reboot the FIM service isn’t available.

When looking into the Event Log for information, there is a large number of errors raised by the both the FIM Service and WSS (we’re looking at a very substantial number as this appears to be retried every second or so and generates multiple eventlog entries) – the key issue being that WSS is unable to connect to SQL.

Naturally I’ve checked my SQL instance and found it running safely however when I remembered that the Windows Internal Database is also SQL based and checked that – it turns out that for some reason this service was not started (even though it was set to  automatic) – a quick restart on this and FIM returns to normal operation.

Posted in FIM, Troubleshooting | Tagged , , , , , , | Leave a comment


Fortunately it’s not a frequent occurrence, but once in a while I need to update multiple workflow’s at the same time – and today, that clocked in at around 34 new versions of DLLs.

Rather than attempt to script a batch that individually called gacutil.exe (I’m guaranteed to either miss one or forget to update it later) I’ve turned to a couple of lines of very simple powershell:

Fortunately I’ve already named all of the DLL with a common prefix (saves accidentally re-gaccing something I probably shouldn’t!) this goes ahead and reupdates the GAC as needed.

Once quick restart of the FIM Service / IISReset and all the changes are good to go!

Posted in Snippets | Leave a comment