The Experts Conference for Directory & Identity
Session Abstracts

The stage is set for The Experts Conference for Directory & Identity in Europe. The 2009 session abstracts for each conference track are listed below.

Session Abstracts
Directory Services Track
Adding Logic to Your Data: The Virtual Directory Approach
Speakers: Antonio Navarro & Peter Steiert

Virtual Directory Servers have many uses, most of them deal with virtualizing the access to the data. In this presentation we analyze a customer case scenario where the logic capabilities, available in many Virtual Directory Server products, were used to add business logic to the way that data was presented to accessing client applications.

A major power company in Europe is using its LDAP infrastructure as an X.509 certificate store that is accessed by a variety of client applications, including the Microsoft Office Outlook 2003 email client and the Adobe Acrobat PDF authoring tool. The main roadblock for this deployment was the fact that the LDAP directory contained multiple certificates for specific users, creating confusion in the aforementioned tools, which expect a single certificate per user entry and will blindly use the first one delivered, without checking whether others are available.

Using the logic capabilities of a Virtual Directory Server, the data presented to client applications could be enhanced to improve the handling of certificates. Firstly, certificates returned in results could be checked and removed from the result if they had already expired. The *Usages* of the certificate could also be scanned to determine whether or not KeyEncipherment had been set as a value, so that only the correct certificate would be returned for use by the application. Finally, if multiple valid certificates were stored for a user, the Virtual Directory Server processing engine could re-order the certificates so that the most current certificate was presented first, ensuring that it was the one most likely to be used by the client application.

Returning unused attributes or unwanted data stored within an entry is inefficient and can affect the functioning of a client application, particularly if a directory is being used to store data in a way that a client application is not expecting. The processing logic within a Virtual Directory Server can be employed to weed out unwanted or unused attributes within an entry, so that the data presented for an entry is filtered before it reaches the client application.

Other processing functionality within the Virtual Directory Server could also be taken advantage of to control the presentation of data, and streamline the solution. Notably, Adobe Encryption and Microsoft Outlook make use of a syntax in their LDAP requests that sacrifices efficiency in exchange for broader product and data organization support, resulting in complex filters that lead to time-consuming search requests. Using common Virtual Directory Server processing capabilities, filters could be substituted on-the-fly to work more efficiently with the existing repository.

ADFS Inside Microsoft
Speaker: Brian Puhl

The servers are set up, and there is nobody to federate with! Microsoft IT deployed Active Directory Federation Services in early 2005 and has been rapidly pushing the adoption of ADFSv1 (Windows Server 2003 R2) and ADFSv1.1 (Windows Server 2008) internally ever since. Come hear about the technology, legal, process, and general challenges and benefits of Microsoft’s internal deployment. The session will cover where Microsoft has been, where they are now, and where they see the future of federation internally as they enter the CardSpace and federated identity era.

Best Practices for Implementing a Virtual Directory
Speaker: Michael Brengs

This session covers recommended best practices for implementing a virtual directory within an identity management infrastructure. We’ll cover topics critical to all virtual directory deployments such as: understanding your data/requirements, caching of data, data replication needs, general architecture, high availability, static groups/dynamic groups and application integration.

Cross-Platform Interoperability with “Geneva” Framework and Server
Speaker: Matt Steele

One of the great benefits of using Geneva for authentication is the potential for cross-platform interoperability. In this session Matt Steele, Program Manager on the Microsoft Federated Identity team, will discuss the protocol support in Geneva and the interoperability issues that can occur. Matt will also walk through the Geneva interoperability testing that has been done by Microsoft and others, and demonstrate federation and SSO interoperability with SAP.

Deploying FIM across Development, Test, QA and Production platforms
Speakers: Oxford Computer Group

Many customers make use of separate Identity Management environments for Development, Test, QA and Production in their organizations. We demonstrate how configuration changes to a FIM system can be simply deployed between such environments, including the production of appropriate tracking reports. Such an approach can lead to significant operational savings, particularly for large or complex environments.

Directory Services Chalk Talk
Speaker: Nathan Muggli

The Directory Services team has delivered a rich set of features in Windows Server 2008 R2. This session provides an opportunity to ask questions and discuss those features in detail directly with the product group. This moderator-led discussion is an opportunity to discuss features, ask questions and provide the product group with the customer feedback that is essential to planning future releases of Microsoft Directory Services.

The Evolution of Object Recovery in AD - Part I
Speaker: Jorge de Almeida Pinto

Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. Over time, the technology has made it easier to recover objects and to prevent the loss of data after recovery. We will start this session with an introduction to object recovery related topics, followed by an explanation of all object recovery methods in all versions of AD after an accidental (mass) deletion, including what’s new in Windows Server 2008 R2 (Windows 7). This session will finish with some recommendations around object recovery. In addition to showing and explaining the different object recovery methods, one demo will be included.

The Evolution of Object Recovery in AD - Part II
Speaker: Jorge de Almeida Pinto

Since the beginning, when Active Directory was first released with Windows 2000 Server, the methods and means for object recovery in AD have evolved and improved each time a new version of Windows was released. Over time, the technology has made it easier to recover objects and to prevent the loss of data after recovery. We will start this session with an introduction to object recovery related topics, followed by an explanation of all object recovery methods in all versions of AD after an accidental (mass) deletion, including what’s new in Windows Server 2008 R2 (Windows 7). This session will finish with some recommendations around object recovery. In addition to showing and explaining the different object recovery methods, three demos will be included.

Extensible Storage Engine Architecture & Database Physical Format
Speaker: Brett Shirley

In this very technical session, we’ll take a deep dive into the architecture of the ESE engine, the different components that compose the engine, how they interrelate and store data. We will cover transactional logging, buffer cache management, B+ trees, space management, and the underlying database physical format.

FIM 2010 Chalktalk
Speaker: Mark Wahl

Do you have questions about FIM 2010? Are you wondering whether FIM 2010 will satisfy your organization’s specific needs? Or do you have thoughts on new features that you would like to bring to the product team’s attention? Come to this free-form discussion with Alex Weinert, Group Program Manager for FIM.

FIM 2010 Migration: Lessons Learned
Speaker: Mark Wahl

Many organizations have completed the move from ILM 2007 to FIM 2010. Learn from the experts about the traps to avoid and tricks you can use to ensure a successful FIM 2010 deployment. Topics include planning your migration, migrating from ILM 2007 to FIM 2010, designing an appropriate FIM 2010 topology, and cleaning up existing design problems during the migration.

Hardcore Windows Troubleshooting
Speaker: Brian Desmond

In many organizations, Active Directory and Exchange support personnel are at the top of the escalation chain for Wintel support in general. In this session we’ll look at a number of scenarios that demonstrate tried and tested troubleshooting methodologies and toolsets. Many of these scenarios are extremely frequent Wintel problems that are often also frequent PSS calls. This is a demo-heavy talk: we’ll use sample applications written specifically for this session as well as data from actual customer issues to troubleshoot live.

Networking for AD Pros - Build a Winning Replication Topology
Speaker: Brian Desmond

The premise of this session is twofold. The primary goal is to teach Active Directory architects and administrators how to interpret complex network diagrams and configuration information and to transform it into a site topology that efficiently uses the network. The second goal of the session is to teach the audience the basics of the three most common WAN technologies as they relate to their data.

RODCs in the DMZ? Never! Or should I?
Speaker: Guido Grillenmeier

It is a compelling option to deploy RODCs in the DMZ: they help to reduce the costs of managing another AD forest in the DMZ and simplify overall management of the DMZ. This was the key reason for HP to leverage RODCs, quite to the surprise of Microsoft at the time. There are further challenges in how RODCs work “under the hood” that need to be understood when deploying RODCs in the DMZ, and this talk covers them. We’ll also cover the benefits and downsides of deploying RODCs compared to traditional methods of authenticating users to resources in the DMZ, and help to clarify that RODCs in the DMZ are not the right solution for everyone. This session builds on Monday’s session Tales from Deployment of RODCs in Large Enterprises.

System.DirectoryServices.Protocols is your friend in .NET world
Speaker: Tomasz Onyszko

There are many ways to work with AD programmatically. We have VBScript and the ADSI interface, we have .NET and PowerShell. If ADSI is there and S.DS is there, why bother learning another namespace like S.DS.P? This session will present a deep dive into the S.DS.P namespace. During this session the advantages of using the S.DS.P namespace over other namespaces available in .NET will be discussed and backed up with performance test results and coding examples. We’ll also show you how to do basic and somewhat more advanced tasks using S.DS.P and how to leverage S.DS.P capabilities in real life as a .NET developer, or just as an AD administrator who happens to write some code. We will try to convince you that in the .NET world S.DS.P is your real friend when it comes to LDAP programming!

Tales from deployment of RODCs in large enterprises
Speaker: Guido Grillenmeier

Deploying Windows Server 2008 with RODCs at large scale requires a good amount of planning and has already caused a few surprises (at HP and other companies of similar size). Some of these relate to being able to manage the required replication policies sufficiently well, and to what happens if you don’t. This session assumes that the audience is well versed in the basics of how the RODC works.

What's new in Active Directory for Windows Server 2008 R2
Speaker: Dean Wells

Windows Server 2008 R2 delivers some highly anticipated features for Active Directory administrators. This session will provide a tour of the new Administrative Center and the new capabilities it provides through the PowerShell module for Active Directory. The ever-popular Recycle Bin will be discussed in detail along with Offline Domain Join, the Best Practice Analyzer, Managed Service Accounts, DSRM Password Synchronization, Functional Level rollback and Authentication Mechanism Assurance. The session will provide the information necessary to evaluate and understand each feature included in Active Directory in Windows Server 2008 R2.

What's New in FIM 2010 RC1
Speaker: Mark Wahl

FIM 2010 RC1 should be shipping about the time of TEC 2009 EMEA, and it includes many improvements and new features. Find out about what’s new in RC1 including architectural changes, performance improvements, and simplified administration and operations. We will also discuss how to migrate from FIM 2010 RC0 to RC1, and how to move from a test environment to production.

Windows Directory Services Futures
Speakers: Robert DeLuca & Dean Wells

Do you want to influence the future of Active Directory? This highly interactive discussion-based session, focused entirely on future product direction, provides a unique opportunity to share real-world requirements, shape the next releases of Active Directory, and understand how your priorities align with the priorities of other TEC attendees. Members of Microsoft's Directory Services product team will be on hand to absorb your feedback first-hand and provide insight into the Windows product planning process.

 
Forefront Identity Manager Track
Advanced Workflow in Forefront Identity Manager
Speaker: Jeremy Palenchar

Forefront Identity Manager includes a powerful workflow solution based on the Windows Workflow Foundation (WF). The flexibility of this system provides a solid foundation for developing workflows that can meet any business need. Attendees of this session will leave with a deep understanding of WF and several examples of Enterprise-class workflows suitable for their environment. Tips for making your workflows manageable, flexible and scalable will also be given.

Auditing in Forefront Identity Manager
Speaker: Gil Kirkpatrick

In addition to its new provisioning and workflow capabilities, Forefront Identity Manager provides a comprehensive audit trail of identity-related transactions. This session will discuss what sort of actions are audited (and which ones are not), how to get the audit data from Forefront Identity Manager and how to build the reports you need to maintain regulatory compliance and provide diagnostic and troubleshooting support.

Deep Dive into Codeless Provisioning
Speaker: Markus Vilcinskas

With Codeless Provisioning, Microsoft Forefront Identity Manager introduces a new feature that enables you to implement your complete identity integration business logic without developing rules extension source code. We will focus on how the architectural components are used “in action” and how to troubleshoot an environment if something is not working. Additionally, this session will discuss the boundaries of Codeless Provisioning to demonstrate scenarios where rules extension development may still be required. The goal of this presentation is to explain all aspects of codeless provisioning, including related features, in a digestible manner. After attending this presentation, you will have a solid understanding of all aspects of codeless provisioning, which will enable you to effectively implement this feature in your scenarios and troubleshoot common issues.

Forefront Identity Manager Logging and Auditing
Speaker: Tomasz Onyszko

ILM projects are about managing identity and permissions across the enterprise. As ILM (or any other such solution) becomes the authoritative source of identity information, additional requirements arise to track its activities or to keep a history of changes in the systems. Another often-raised customer requirement is simply to track the history of identity attributes for auditing purposes. ILM 2007 out of the box is not very good at those tasks; Forefront Identity Manager brings changes, but … During this session, we will show how logging and auditing can be approached in ILM projects using just ILM and its extensible architecture. What possibilities we have, the pros and cons of the different approaches and methods, and what can and can’t be done in this area will all be covered. Can we achieve the level of auditing required to be useful when we are talking about compliance? This session will discuss these topics and will also present the changes that Forefront Identity Manager introduces into the auditing space.

Implementing Role Based Access Control solution on Forefront Identity Manager Platform
Speaker: Jan Macherzynski

With all the buzz around Role Based Access Control in recent years, everybody surely knows roles are good. But what would be the complete feature set of a full-blown RBAC solution? Can you implement RBAC in real life on top of the coming Forefront Identity Manager platform? Is the technology really ready for this? Join the session to find out! Learn how you can stretch Forefront Identity Manager beyond its limits with custom data objects and workflow activities to build the complete solution. And, last but not least, share your thoughts with your peers on how you can approach the design and deployment of a role system for the enterprise.

The Opportunity for Identity Services
Speaker: Kevin Kampman

The identity management community is examining opportunities for more abstract, interoperable identity capabilities. Initiatives like the Identity Services Work Group (ISWG) are establishing requirements and developing a set of business-driven scenarios to describe what capabilities are required and how these would work together within and between organizations. These requirements and business scenarios are intended to catalyze action within the industry and standards bodies to address current interoperability challenges.
This session will examine the current state of identity services and share insights on the following topics:

  • Business requirements and use case scenarios for identity services
  • Remapping identity infrastructure into services
  • Interoperability challenges, industry standards, and where attention is needed
  • Preparing for identity services

Organizational Structure Management in Identity Management Projects with ILM and FIM
Speaker: Oxford Computer Group

How can you manage multiple structures (such as business structures from HR, or specific structures from Active Directory or Unix) in FIM? We will show how FIM is able to manage these structures and the users assigned to them. Our experts will answer these questions with examples from typical IDM architectures.

Provision Exchange 2007 Mailboxes with MIIS, ILM or Forefront Identity Manager
Speaker: Jeremy Palenchar

ILM includes rudimentary support for provisioning mailboxes in Exchange 2007. This session will describe an enterprise-class solution for provisioning Exchange 2007 mailboxes with MIIS, ILM, or Forefront Identity Manager. The solution supports mailbox provisioning based on user location and places new mailboxes based on Exchange server capacity or utilization. This session is a must for anyone looking to manage their Exchange mailboxes with ILM.

You've Authenticated the User, so Now What?
Speaker: Martin Kuppinger

Here's an overlooked problem that causes many headaches: once a user is authenticated, how will you now handle authorisation? Authorisation, like authentication, should be delegated and not handled by applications themselves. But how? The fact that this is not really done today causes unnecessary risks and large potholes, not only in SOA environments. Felix looks at the different approaches, best practices and initiatives that currently exist around externalising authorisation and application security, plus an overview of where he thinks all of this is heading.