Bobel's Active Directory, Identity, Access & SaaS Blog » Bob Bobel

Automatically Provisoning and Deprovison Postini

Bob Bobel — Thu, 02 Sep 2010 12:07:45 +0000

Today our team uploaded an Policy Extension to the ActiveRoles community for Postini! This policy will both provision and deprovision Postini gateway accounts when the associated Active Directory account is updated. To use this policy you simply download the policy, install it in ActiveRoles Server then configure the policy with your Postini account details. The new policy is free for ActiveRoles customers and you can download the the new policy here: DOWNLOAD NOW

ActiveRoles Change History showing Postini Provsioning

Visual Studio Lightswitch

Bob Bobel — Thu, 05 Aug 2010 17:50:29 +0000

This has been needed for the past 20 years and now Microsoft has finally stepped up to the plate and will cover the gap between tech savy business users and developers. I can not tell you how many Access Databases, Monster Excel Spreadsheets and Microsoft Word Macro’s I’ve seen/written/replaced over the past 25 years but it is in the hundreds. Most of these were started for the right reasons, even though Microsoft office probably wasn’t the best platform. The challenge is simple to articulate – I’m a business user, I don’t have a staff of developers, I know enough to be dangerous and I want to keep my paycheck. Microsoft Access was pretty close – but it couldn’t make the leap and required some pretty specific knowledge.

Microsoft announced Visual Studio Lightswitch at the VS Live conference – a solution designed to bridge that gap. The application is a part of Microsoft Development Platform Visual Studio and promises to allow the savvy business user to build apps for desktops or cloud delivery by pulling data from Databases, SharePoint as well as integrate with Microsoft’s Cloud solution; Azure. It seems obvious that since this is part of Visual Studio when the app gets too big for the business user, I’m guessing (and I hope it does this) the app can be put into the hands of a experienced developer. This will probably drive the developer’s crazy, but it certainly will be fun to watch.

PING Identity’s Cloud Identity Conference

Bob Bobel — Tue, 20 Jul 2010 20:03:59 +0000

I’ve had the good fortune to find myself at the Ping Identity Cloud Identity Conference. The conference, as the name inplies, is dedicated to dealing with Identity in a SaaS world and all the interesting challenges that happen when identity traverses or is moved into the Internet.

Today I’m sitting through one of Ping’s Experts (Ian Barnett) who is going through how organizations can implement SAML for a host of reasons. One interesting conversation that came up was around the differences between SAML and OpenID and how their origins put them on a similar path but for different reasons.

A similar discusssion arose around Microsof’t's ADFS 2.0 and SAML 2.0 and there was certainly more than a little confusion about how the two do or do not interoperate effectivly.

Apple Bumper – they are kidding right?

Bob Bobel — Fri, 16 Jul 2010 22:39:55 +0000

I like the apple touch phones, but a bumper is stupid – just fix the problem.

I’m glad I’m now a HTC droid man.

http://www.cnn.com/2010/TECH/mobile/07/16/consumer.reports.iphone.case/index.html?eref=igoogle_cnn

Use PowerShell to easly find Obsolete Accounts

Bob Bobel — Thu, 15 Jul 2010 15:14:21 +0000

One of the great new capabilities new to ActiveRoles AD CMDLETS version 1.4 is the ability to define criteria for how you want to identify obsolete or inactive accounts. You define the criteria as an “InactiveAccountsPolicy” that can be called from the Get-QADUser cmdlet to list accounts matching the obsolete policy then delete, disable or if you own ActiveRoles Server execute the Deprovisoning policy.

Set-QADInactiveAccountsPolicy

Set the current user preference on what accounts to consider inactive by default.

Syntax

Set-QADInactiveAccountsPolicy [-AccountExpiredPeriod ] [-PasswordNotChangedPeriod ] [-AccountNotLoggedOnPeriod ]

Parameters

AccountExpiredPeriod

Use this parameter to specify the number of days after which an expired account is considered inactive by default. Thus, an account is considered inactive if the account remains in the expired state for more days than specified by this parameter.

AccountNotLoggedOnPeriod

Use this parameter to specify the period, in days, that an account is not used to log on, after which the account is considered inactive by default. Thus, an account is considered inactive if no successful logons to that account occur for more days than specified by this parameter.

PasswordNotChangedPeriod

Use this parameter to specify the password age, in days, after which an account is considered inactive by default. Thus, an account is considered inactive if the password of the account remains unchanged for more days than specified by this parameter.

Detailed Description

Use this cmdlet to specify the default conditions that must be met for a user or computer account to be considered inactive. The inactivity conditions are specific to the current user, and have an effect on the cmdlets that support the Inactive parameter (such as Get-QADUser or Get-QADComputer). If no account-inactivity related parameters other than Inactive are supplied, then the Inactive parameter retrieves the accounts that meet the conditions defined by this cmdlet. To view the inactivity conditions that are currently in effect, use the Get-QADInactiveAccountsPolicy cmdlet.

Get-QADInactiveAccountsPolicyView the current user preference on what accounts to consider inactive by default.

Syntax

Get-QADInactiveAccountsPolicy

Detailed Description

Use this cmdlet to examine the settings that were specified by using Set-QADInactiveAccountsPolicy, and are in effect for the current user session. These settings specify the default conditions that must be met for a user or computer account to be considered inactive. The inactivity conditions are specific to the current user, and have an effect on the cmdlets that support the Inactive parameter (such as Get-QADUser or Get-QADComputer). If no account-inactivity related parameters other than Inactive are supplied, then the Inactive parameter retrieves the accounts that meet the conditions defined by the AccountExpiredPeriod, AccountNotLoggedOnPeriod, and PasswordNotChangedPeriod settings that you can examine using this cmdlet. For details regarding each of these settings, see the corresponding parameter description for the Set-QADInactiveAccountsPolicy cmdlet.

Set-QADInactiveAccountsPolicy

AD CMDLETS 1.4 now live!

Bob Bobel — Thu, 15 Jul 2010 14:07:16 +0000

The 1.4 version of the ActiveRoles AD CMDLETS went live a few moments ago and you can download them here http://www.quest.com/powershell/activeroles-server.aspx.

Microsoft KIN – RIP

Bob Bobel — Thu, 01 Jul 2010 19:16:27 +0000

I was surprised to read on Engadget that Microsoft killed its entire KIN phone line, less than two months after launch. To me this is scary that a company like Microsoft has struggled to figure out the mobile market despite having Apple and Google showing them how it should be done. Well, Kin is now in a far better place with Microsoft BOB and Microsoft Clipit – may they all rest in peace.

http://www.engadget.com/2010/06/30/what-killed-the-kin/

ActiveRoles User’s Groups Denmark & Sweeden

Bob Bobel — Thu, 01 Jul 2010 14:23:56 +0000

Following up on our UG in Boston, Berlin, Toronto and Los Angeles, last week I had the tremendous opportunity to help our regional offices in Copenhagen Denmark and Stockholm Sweden hold their first ActiveRoles User’s Groups. Both events were held in the Quest regional offices and were well attended by both existing customers and those new to ActiveRoles. I look forward to next year’s events! I need to make a special thank you to Christian Dinesen for being the moderator of the User’s groups as well as my official tour guide in the evening. There was a royal wedding taking place the day after I left Stockholm, but I did get to see some of the wedding entertainers practicing their acrobatics. I recorded the following video with my Droid Incredible.

Google Apps goes mutli-domain

Bob Bobel — Wed, 23 Jun 2010 18:13:12 +0000

Google Apps was limited in that it didn’t support multiple domains so admins had to do all sorts of workarounds to accommodate this scenario. By adding support for users from different domains with different name spaces that share a common instance of Google Apps. (See the picture from the Google Blog below)

Google Apps Blog

Review, Droid HTC Incredible, My First Week

Bob Bobel — Fri, 11 Jun 2010 13:51:30 +0000

Friday of last week I brought my wife home from the hospital where she had undergone surgery for errant gall stones. When I got back to the house there was a shipping tag saying I missed my delivery company and that they had a package waiting for me at the local pickup – I just knew it was my Android phone. Fortunately, the delivery offices were open until 10pm so despite it being late in the day (and Friday) I still was able to pickup my package. Based on the dates Verizon had given me I actually ended up getting the package a week earlier than expected and I wouldn’t have the phone for the weekend to get used to moving off Windows Mobile.

I walked out to my car and climbed in the driver’s seat. Next to me was a younger couple and the guy had a box that was strangely similar in size to mine, but I quickly forgot about that and decided to concentrate on using my keys to cut though the tape on my box. Inside that dirty brown box was a smaller white box that held my new droid incredible. I quickly opened the smaller box carefully lifted the phone out and and without regard to the instructions I pushed the power button; nothing happened. Realizing my mistake I quickly rummaged through the box to find the battery that they never would have shipped pre-installed in the phone.

After fumbling around figuring out how to open the phone and inserting the bright red battery (very cool btw) - I closed the phone, held my breath and pushed the ON button. I now know it was at that moment my mobile life changed for good. I wasn’t sure about the best way to “migrate” from Windows Mobile so I decided to just use the device for a phone until I came up with a plan to switch over my email. That plan lasted less than 2 hours before I made the leap and started having my email directed to my Incredible – and out of the box it is working extremely well.

I have been using my HTC Incredible relentlessly for the past week and while I am still getting used to some aspects of the phone I would not hesitate to recomend this phone to anyone considering it – the phone is more than incredible – it is awesome.

Death of the Incandescent bulb

Bob Bobel — Thu, 10 Jun 2010 21:11:13 +0000

Another sign that LED lighting is revolutionizing the lighting industry as Toshiba halted its 120 year history of producing incandescent bulbs to concentrait on LED technology. It is interesting because just last year several major cities were discussing outlawing incandescent bulbs and Australia aparently is actually begining regulation of them.

http://www.computerworld.com/s/article/9171999/Lights_out_on_incandescent_bulb_production_at_Toshiba

Droid Incredible, Verizon 3 Week Backorder

Bob Bobel — Tue, 18 May 2010 13:36:04 +0000

So I went to the Verizon store yesterday and after a twenty minute wait for help – I ordered my Droid Incredible. About half way through doing the paper work I was told the phones were on three weeks back-order. When I asked if there was a loaner phone available there was not – the Verizon rep simply said the phones are just that popular. While I don’t like the wait, I am happy that my decision to switch from Windows Mobile after using it for six years was the right decision; a tough decision – but the right one. My old phone was the VZ 6800 built by HTC – this has been a good phone so I expect that the HTC built Incredible will also be a good phone.

AD CMDLETS Version 1.4 (Early look)

Bob Bobel — Tue, 18 May 2010 13:23:30 +0000

In late June or early July, a new version of the Active Directory PowerShell CMDLETS will be released. I wanted to give everyone a teaser about the new features to be added.

Here you go!

-        Certificate management
-        Support for cross-domain group membership
-        inactive accounts enumeration
-        single command to search in multiple containers
-        progress indication
-        proxy addresses management

Stay tuned and I will blog with more details around each feature over the next several weeks.

Federation Service 2.0, now Shipping

Bob Bobel — Thu, 06 May 2010 07:07:31 +0000

ADFS 2.0 (Active Directory Federation Services) was released to the public May 5th, 2010 and announced on the “Geneva team blog.” You can download the package from the Microsoft download site and install for free on Windows Server. Stuart Kwan gives a brief overview of ADFS 2.0 capabilities in a new channel 9 video produced by Microsoft. Why is this important? ADFS 2.0 is a big step forward for Microsoft in their delivery of a new paradigm Identity and Access capabilities within software products based on “claims” rather than traditional Kerberos authentication.

Lacking in the previous version, SAML 2.0 is now officially supported by ADFS 2.0. SAML is the authentication protocol we used to create our Just-in-Time provisioning example I blogged about earlier this week (see JIT Provisioning). With ADFS 2.0 providers can be built for any application that uses either SAML or Claims. SAML is used by Salesforce.com, Google Apps, Service Now, Postini and many other SaaS/cloud services while Claims are now supported in SharePoint 2010 and will be introduced into many additional Microsoft applications.

Just-in-Time Access Provisioning

Bob Bobel — Fri, 30 Apr 2010 04:56:04 +0000

While I was in college I worked summers for a glass company. My job was in the engineering drafting department where I drafted furnace parts, conveyor belts and paint bands that hides the goo they use to stick your windshield to your car. During this time American automakers struggling cope with the explosion of Japanese imported cars. Japanese cars had a reputation of low cost and good quality, but the Japanese automakers also had a secret weapon that made them more efficient – Just-in-Time manufacturing.

Just-in-Time manufacturing is a simple concept – rather than keep all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car. This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept steal market share away from IBM and Gateway who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so was applying Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access – the access attempt kicks of a self-service process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request access feature. The challenge I see with SharePoint is that it only allows generic requests that don’t allow the user to select the level of access they wish nor does it tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also provide access to more than just SharePoint; files, folders and applications access are also desperately needed.

Today, we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider The provider not only integrates authentication using SAML between AD users and Google Apps, it also can trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved a Google account is created. The next time the user points his/her browser to Google Apps URL the Provider seamlessly authenticates the user by doing an account mapping of AD user to the Google account and creates a SAML token that automatically signs the user into their Google Apps account. We created a 2 minute video showing the process so you can see how this works. The video was a little long and choppy at some points so I cut it down to about 2 minutes.

Video:ActiveRoles Access Provider