Live@Edu Admin Guide

Version 3.0

Provisioning Windows Live IDs with Identity Lifecycle Manager and Windows Live Management Agent v3

NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. It does not cover Exchange Labs provisioning.


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Copyright © 2007 Microsoft Corporation. All rights reserved.

Microsoft are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Section 1: About the Live@edu Program (p. 7)
  Why Choose Live@edu? (p. 7)
  About This Guide (p. 7)
  What if I get stuck? (p. 8)
  Technology Overview (p. 8)
  Live@edu Solution Details (p. 9)
  List of Features (p. 9)
  Terms and Definitions (p. 10)
Section 2: Checklist of Items before Deployment (p. 12)
Section 3: Reserving a Domain with Windows Live Admin Center (p. 13)
  Select a Domain Name (p. 13)
  Assign a Domain Administrator (p. 14)
  Review Settings and Accept Agreement (p. 15)
  Confirm the Administrator Account (p. 15)
Section 4: Identity Lifecycle Manager 2007 (p. 18)
  Primary Concepts and Terminology (p. 18)
  System Requirements (p. 18)
  Metadirectory (p. 18)
  Data Aggregation (p. 20)
  Data Synchronization (p. 20)
  Data Enforcement (p. 20)
  Data Source (p. 21)
  Management Agent (p. 21)
  Metaverse (p. 21)
  Connector Space (p. 22)
  Provisioning (p. 22)
  Running a Synchronization (p. 22)
  Extensible Management Agents (p. 23)
  State Based System (p. 23)
  Operations (p. 23)
  Disaster Recovery Plan 1 (SQL Outage) (p. 24)
  Disaster Recovery Plan 2 (ILM Server Outage) (p. 24)
  List of Maintenance Operations (p. 25)
  Backing up Management Agents (p. 26)
Section 5: Setting up the Environment (p. 29)
  Installation requirements (p. 29)
Section 6: Creating and Configuring the Data Source Management Agent (p. 31)
  Configuring the Data Source Management Agent (p. 31)
  Connecting to the Student Data Source (p. 31)
  Database Management Agents (p. 31)
  LDAP Management Agents (p. 32)
  File-based Management Agents (p. 34)
  Understanding the Student Data Source Schema (p. 34)
  Management Agent Schemas (p. 34)
  Anchor Attributes (p. 35)
  Object Types and Attributes (p. 35)
  Select a Subset of the Source Data (p. 36)
  Database management agents (p. 36)
  LDAP management agents (p. 36)
  File-based Management Agents (p. 37)
  Configure Connector Filter Rules (p. 37)
  Refine Further by Using Filters to Select Subsets (p. 37)
  Configure Join Rules (p. 38)
  Configure Projection Rules (p. 39)
  Configure Import Attribute Flow (p. 39)
  Configure Deprovisioning (p. 42)
  Configure Extensions (p. 43)
Section 7: Installing and Configuring the Export Management Agent (p. 44)
  Installing the Windows Live Management Agent (p. 44)
  Create the Windows Live (Export) Management Agent (p. 45)
  Passport User Attributes (p. 55)
  Enable Provisioning (p. 59)
Section 8: Configure XML Files (p. 63)
  Configure XML Settings (p. 63)
  Configure Offers (p. 68)
Section 9: Additional Settings (p. 69)
  Managing MX Records (p. 69)
Section 10: Running the Solution (p. 70)
  Data Synchronization (p. 70)
  Run Profiles (p. 71)
  Configure the Full Import and Full Synchronization Run Profile for the Import Management Agent (p. 71)
  Configure Export Run Profile for the Windows Live Management Agent (p. 72)
  Delta Import and Delta Synchronization (p. 72)
  Populating the Metaverse (p. 73)
  Troubleshooting the Staging of the Student Data (p. 73)
  Creating Windows Live IDs (p. 73)
  Managing the Output Files (p. 74)
  Features of the Windows Live Management Agent (p. 75)
  Renaming of E-mail Addresses (p. 75)
  Deleting Windows Live IDs (p. 75)
  Setting an Object Deletion Rule (p. 76)
  Attribute Interdependencies (p. 77)
  Active vs. Inactive student handling (p. 77)
  Configuring Multiple Sites (p. 78)
Section 11: Password Management (p. 79)
  Create Initial Password (p. 79)
  Password Reset (p. 79)
  Password limitations (p. 79)
  ILM Password Synchronization (p. 89)
  Using Other Systems as the Source for Password Changes (p. 92)
  Reset Password Flow (p. 93)
  Recovering from a Forgotten Password (p. 93)
  Alternate E-mail Addresses (p. 94)
Section 12: Troubleshooting (p. 94)
  ILM 2007 Failure Analysis Process Flow (p. 97)
  For "stopped-extension-dll-exception" (p. 98)
  For "completed-export-errors" (p. 98)
  Getting Support (p. 98)
  Disaster Recovery Plan (ILM Server Outage) (p. 98)
Section 13: Advanced Topics (p. 108)
  Student Portal Integration (p. 108)
  High Availability (p. 109)
  Integration of Live@edu Into a Pre-existing ILM Environment (p. 109)
  Distribution List Management (p. 110)
Appendix A: Valid Region/Country Codes (p. 112)
Appendix B: Language Codes (p. 123)
Appendix C: TimeZone Codes (p. 125)
Appendix D: U.S. Region Codes (p. 139)
Appendix E: Certificate Install Information (p. 142)
  Obtaining a Certificate for your Domain (p. 142)
  Installing the certificate on the ILM Server (p. 142)
  Installing WinHTTP Configuration Tool (p. 142)
  Installing the certificate to Windows Live Admin Center (p. 147)
Appendix F: Migrating from the SDK tools (p. 156)
Appendix G: Support information (p. 183)
  Using Microsoft Premier Online (p. 184)
  Steps to access the Microsoft Premier Online site (p. 184)
  Steps to file a support request with Microsoft (p. 184)
  Tracking/Updating an Incident (p. 185)
  Incident Severity Definition (p. 186)


Section 1: About the Live@edu Program

The Live@edu program was established to allow educational institutions to provide their users an e-mail address at a custom, institution-determined domain without the difficulty and cost of maintaining an in-house mail infrastructure. This can be a for-life e-mail address, since the program places no time limit on continued use of the address.

The e-mail address issued by Live@edu is hosted by Windows Live Hotmail (previously known as Hotmail), the largest free e-mail provider in the world, and may be accessed through http://mail.live.com as well as a myriad of other web sites. Additionally, institutions are able to integrate with the Windows Live Hotmail interface to expose the functionality through custom education portals.

This document describes the Windows Live Management Agent, an application primarily used for automating the creation, management and deletion of Windows Live IDs for use with Windows Live sites and applications. The Windows Live Management Agent is an administration tool used by universities participating in the Live@edu program. In addition to Windows Live Hotmail, users will be able to use the Windows Live ID to sign up for services on sites such as Windows Live Spaces and Windows Live Messenger, in place of the @live.com, @hotmail.com and @msn.com domains that are available to the general public.

Technically, the Windows Live Management Agent is a plug-in to Microsoft Identity Lifecycle Manager (ILM) 2007 that allows for manipulation of Windows Live IDs in the domains you are allowed to manage. Minimal configuration is required; specifically, you will be asked to decide how the e-mail address is created and to provide a temporary initial password.

Why Choose Live@edu?

While there are a number of e-mail providers out there, here are some reasons that make Live@edu the right choice for educational e-mail needs:

• No mail infrastructure requirement means there is no need to hire in-house support staff to set up and maintain mail servers
• Familiar user interface of Live.com/Hotmail increases adoption and lowers support costs
• Powerful user creation and management tools
• Integration with your current student e-mail directory
• For-life e-mail address
• Free

About This Guide

This document describes how to implement the Windows Live Management Agent for creating, managing and deleting Windows Live IDs for use with Windows Live sites and applications. The data used to create the accounts can be retrieved from any number of sources, such as an LDAP directory, a database or even a flat file. This guide describes how to set up and deploy the solution. It contains many sections that describe the details needed to configure the settings and help you decide which features and functions are important to you. Additionally, various pitfalls and errors that may be encountered are discussed with the intent of helping you avoid or resolve them.


NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. It does not cover Exchange Labs provisioning.

What if I get stuck?

The Live@edu program is meant to simplify the long-term administration associated with student, alumni and/or applicant e-mail. In addition to this document, there are several other resources to help you understand this solution. Premier Online support is included free with Live@edu, including 24x7x365 phone support for critical issues and web-based support for non-critical issues.

Technology Overview

Windows Live is a suite of services and web applications that can be accessed with one Windows Live ID. To integrate the student, alumni and/or applicant information you have at your school with the Windows Live environment, you establish communication between the source of this information and Windows Live. This is accomplished with Microsoft Identity Lifecycle Manager (ILM) 2007. Once configured, ILM 2007 can gather data from the source and create, manage and delete accounts automatically. The data source is the repository that contains information about the students whose accounts you would like to create. It may be Active Directory, an LDAP server, a text file, a database or any other data source supported by ILM 2007. This document is limited to the first four sources listed above; for information about connecting to others, refer to the ILM 2007 documentation.

ILM 2007 is a software product that enables IT organizations to reduce the cost of managing the identity and access life cycle by providing a single view of a user's identity across the heterogeneous enterprise and by automating common tasks. In essence, ILM 2007 allows data sources that were never designed to talk to each other to communicate and synchronize data. For that reason, ILM 2007 is used to let your student data source communicate with Windows Live. The Windows Live Management Agent is a plug-in to ILM 2007 that knows how to communicate with Windows Live. ILM 2007 also has other plug-ins (management agents) that know how to communicate with many of the standard places where identity information is stored, such as LDAP servers and databases. Those management agents allow ILM 2007 to gather the student, alumni or applicant information, and the Windows Live Management Agent allows for the creation, eviction and modification of Windows Live IDs.

Even though ILM 2007 is designed to integrate a variety of data sources, this solution uses only a limited subset of ILM 2007 functionality. As visualized by the guide's data-flow diagram (not reproduced here), the data flows in one direction: first the data is imported from the data source (LDAP, database, etc.), then it is processed by ILM 2007 and exported to Windows Live. The result of this process is a group of Windows Live IDs that are managed based on your existing student information.


Live@edu Solution Details

Now that you have a better understanding of ILM 2007, including the terminology, you can apply that knowledge to the Live@edu solution. The following section provides an overview of the basics necessary to understand Live@edu.

List of Features

Here are some of the features that you can expect from the Windows Live Management Agent:

• Tight integration with ILM 2007
• Support for multiple e-mail domains
• Password resets via attribute flows for member accounts
• Ability to suspend e-mail accounts as needed
• E-mail address renames/changes
• Support for custom portal integration
• Ability to re-brand the web interface with a custom logo
• Automatic enablement of Windows Live Hotmail inboxes
• Password synchronization with Active Directory
• Disaster recovery


Terms and Definitions

Anchor: The anchor attribute uniquely identifies an object in the connected data source. For the Windows Live MA, NetID is used as the anchor.

Branding: A customized user interface (UI) with logos, etc. displayed when the user signs in to Windows Live Hotmail, Messenger, Spaces and other Windows Live services. Co-branding is now available through the Windows Live Admin Center.

Eviction: The process of setting a user into a state in which they will be required to choose a new sign-in name that is not in the Windows Live domain on their next sign-in attempt.

Identity: The entity represented by a NetID. A single identity may have multiple credentials of different types associated with it.

NetID: A unique identifier associated with a Windows Live ID. It is generated automatically by Windows Live.

Managed Namespace: A namespace that is created and controlled by a partner and whose users' accounts are authenticated by Windows Live ID.

OfferName: A function of the Windows Live Admin Center that controls advertising.

Partner: An organization working with the management agent under appropriate contracts for a Microsoft service, such as a participating university.

Profile: Personal data about a user other than their e-mail account and password (Windows Live ID); for example, first name, last name and zip code are properties of a user's profile.

Provisioning: The process by which the Windows Live ID service agrees that a partner is authorized to set up a managed namespace. Alternatively, an ILM term for the creation of an object in a connector space.

SOAP: Simple Object Access Protocol. An HTTP/XML-based protocol over which the management agent communicates with Windows Live Admin Center.

Tertiary Namespace: A namespace with three parts, such as edu01.wledutraining.com, that is derived from a top-level domain. The management agent supports tertiary namespaces.

Windows Live ID: A username and password used to authenticate with Windows Live services. Synonymous with a "Passport ID".


Section 2: Checklist of Items before Deployment

The following is a high-level checklist of work items that need to be completed before you are fully deployed on the Live@edu program. As you move forward on-boarding with Live@edu, you will be given more detail around each of these items.

• Complete and submit the Live@edu enrollment form (https://imagine-windowslive.com/Education/Connect/Enroll/Default.aspx). Be sure to submit the domains you plan to use to host your Live@edu e-mail accounts.
• You will receive an invite via e-mail to reserve your domain with Windows Live Admin Center (WLAC). You will receive a separate invite for each domain you want to reserve.
• Click the invite and you will be redirected to the WLAC web site (http://domains.live.com). (See Section 3: Reserving a Domain with Windows Live Admin Center.)
  o Assign a Windows Live ID account as the domain administrator
  o Set the MX record as directed by WLAC and wait for WLAC to confirm the MX record change (this needs to propagate over the Internet)
  o Configure co-branding for your domain via the Co-branding tab in WLAC
• Install Windows Server 2003 Enterprise Edition or later (see Section 5: Setting up the Environment)
• Install SQL Server 2000 or 2005, Enterprise or Standard Edition; SQL Server 2000 requires SP3 (see Section 5)
• Install ILM 2007 (MIIS SP2) (see Section 5)
• Configure a data source management agent (see Section 6: Creating and Configuring the Data Source Management Agent)
• Confirm that the domain reservation is complete and configured for Live@edu offers and co-branding
• Install the WLCD MAV3 bits (see Section 7: Installing and Configuring the Export Management Agent)
• Configure the WLCDGlobalConfig and WLCDProvisioningConfig XML files (see Section 8: Configure XML Files)
• Configure the WLCD export management agent (see Section 7)

NOTE: BEFORE MOVING FORWARD ALL THE ABOVE STEPS MUST BE COMPLETE

• Create test accounts
• Verify that the test accounts behave as expected:
  o Log in
  o Send/receive e-mail
  o Ads or no ads, as expected
  o Forwarding works as expected

NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. It does not cover Exchange Labs provisioning.


Section 3: Reserving a Domain with Windows Live Admin Center

Before you reserve your domain, submit your enrollment form to the Windows Live Commercial Partner Center. The enrollment form is available at https://imagine-windowslive.com/Education/Connect/Enroll/Default.aspx.

1. To reserve a Windows Live domain, use your browser to go to http://admincenter.live.com and click "Get started" in the window.

Select a Domain Name

2. Provide your domain name or purchase a new one, then click "set up Windows Live Hotmail for my domain", or choose "No mail for my domain" if you do not want to create e-mail inboxes. Setting up Windows Live without mail is not common.


Assign a Domain Administrator

3. The next step is to assign a domain administrator to your domain. You can use an existing Windows Live ID, or create a new Windows Live ID.

4. If you choose to create a new Windows Live ID, you will have to complete the account creation process.


Review Settings and Accept Agreement

5. After assigning your domain administrator account, confirm your domain by reviewing the agreement applicable to your program. By clicking accept, you agree to the terms of the Live@edu agreement. To review the Live@edu terms, click the link.

Confirm the Administrator Account

6. To confirm domain ownership and allow mail delivery to Hotmail, Windows Live requires an MX record to be added at your domain registrar in charge of your DNS records.


7. If you are not pointing your MX records to Windows Live, you will need to change your CNAME record to a value provided by Windows Live, which validates that you own the domain.

8. Once your credentials are confirmed, you are taken to the administration page for your domain.

At this point you should notify the Windows Live Commercial Partner Center (using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww) that your domain(s) are registered with Windows Live Admin Center. The Windows Live Commercial Partner Center will configure your domain as a Live@edu domain and will provide you with the appropriate information for you to begin creating Live@edu accounts.

Note: You will need to confirm an administrator account for all Windows Live domains separately.


It is recommended for security purposes that you register an administrator’s Windows Live ID for each person that will be managing your domain. If you are using a certificate for authentication, the certificate will need to be uploaded for each domain and installed on each computer that will be used for administering the domain. For example, if you have 10 separate domains and 10 separate administrators, there are 10 MX records to confirm.

In order to set up multiple administrator accounts for a single domain or assign administrators for a tertiary domain, the above steps will have to be completed for each administrator added to the domain.


Section 4: Identity Lifecycle Manager 2007

Primary Concepts and Terminology

ILM 2007 is a metadirectory product that has a variety of uses for data synchronization and identity management. In the Live@edu program it is used to facilitate the management of Windows Live IDs by synchronizing data between the student information data source and Windows Live. To further understand the role of ILM 2007 as it relates to Live@edu, it is important to understand the fundamentals of this type of product.

The ILM 2007 application runs on Windows 2003 Enterprise Edition. It relies upon Microsoft SQL Server as the application data store to retain all of the settings for ILM 2007 as well as the identity data that is synchronized through it.

System Requirements

- Windows Server 2003 Enterprise Edition or Windows Server 2003 R2 Enterprise Edition
- Microsoft .NET Framework 2.0
- Microsoft SQL Server 2000 Enterprise Edition, Standard Edition, or Developer Edition with Service Pack 3a or later; or Microsoft SQL Server 2005 Enterprise Edition, Standard Edition, or Developer Edition (32-bit or 64-bit), with Service Pack 1 recommended

For a detailed list of requirements and answers to commonly asked questions, please refer to the ILM 2007 FAQ at http://www.microsoft.com/windowsserver/ilm2007/faq.mspx#EKD.

Metadirectory

A metadirectory collects information from different data sources throughout an institution and then combines all or part of that information into an integrated unified view. This unified view presents all the information about an object such as a student or network resource that is contained throughout the institution. An Identity Management system may have a metadirectory at its heart, and ILM 2007 is such a system. A metadirectory performs the following functions:

- Connects to a variety of data sources, importing a desired subset of data from each one
- Combines all the information about each student or resource into a single entry
- Presents to the institution the unified view of all known information about each student or resource
- Enforces rules as to which sources are authoritative for a given attribute and what precedence applies where more than one source is authoritative

Microsoft currently distributes two separate versions of ILM 2007. The Live@edu version allows an institution to connect to one data source for account imports and to Windows Live for account creation. The full version of Microsoft Identity Lifecycle Manager 2007 is needed to connect to more than two data sources. The following table lists the supported management agents for the full version of Microsoft Identity Lifecycle Manager 2007. This table illustrates the capabilities of the full version of ILM 2007 to communicate with some of the types of data sources that ILM 2007 includes out of the box.

System                                             Management Agent
-------------------------------------------------  ------------------------------------------------------------------
Network Operating Systems and Directory Services   Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
                                                   Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
                                                   Microsoft Windows NT 4.0
                                                   IBM Tivoli Directory Server
                                                   Novell eDirectory 8.6.2, 8.7, and 8.7.x
                                                   Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x
Mainframe                                          IBM Resource Access Control Facility
                                                   Computer Associates eTrust ACF2
                                                   Computer Associates eTrust Top Secret
E-mail and Messaging                               Microsoft Exchange 2007, 2003, 2000, and 5.5
                                                   Lotus Notes 6.x, 5.0, and 4.6
Applications                                       SAP 5.0 and 4.7
                                                   Telephone switches
                                                   XML-based systems
                                                   DSML-based systems
Databases                                          Microsoft SQL Server 2005, 2000, and 7
                                                   IBM DB2
                                                   Oracle 10g, 9i, and 8i
File-Based                                         Attribute Value Pairs
                                                   CSV
                                                   Delimited
                                                   Fixed Width
                                                   Directory Services Markup Language (DSML) 2.0
                                                   LDAP Interchange Format (LDIF)
All Other                                          Extensible Management Agent for connectivity to all other systems

If the previous table does not include your student data source, you have several options. The first is to get the data out of your data source and into a format that ILM 2007 can recognize, such as an LDIF file or a delimited flat file. Flat files are often the lowest common denominator when integrating two systems. You can also build your own extensible management agent to connect to the data source.


Data Aggregation

In most institutions, student information exists in many different data repositories, resulting in duplication of student information; there is no single, reliable place to go for information about a student or faculty member. Directories that hold identity information are often incompatible. These incompatibilities include different naming conventions, different directory schemas, different communication protocols and different data formats. The number of places in which organizations must manage identity information increases with the addition of new systems. To solve the issues that result from identity data residing in multiple repositories you can use a metadirectory to:

- Combine the data for a specific person or resource in the metadirectory, thereby creating a single entry that contains some or all of the identity information from each directory.
- Present a single unified view that contains some or all of the attributes from the different directories, regardless of whether the directories are compatible.
- Provide a platform that can become the basis of an Identity Management (IdM) system – it contains the authoritative identity information for objects.

Data Synchronization

Because an institution’s student information is often contained in different data repositories, a change made to data in one repository is not automatically made in any of the other repositories. Making the change throughout the organization requires the administrator(s) to make the change in each directory manually. Therefore, updating data in each directory is costly, unreliable and may even present a security risk. Unmanaged identity information quickly becomes disorganized, which results in identity information that is not synchronized throughout the organization. To manage changes to identity information you can use a metadirectory to:

- Identify changes to identity information from many sources.
- Propagate those changes automatically to other directories as appropriate (i.e. as defined by rules which have been configured to support company procedures). These changes can be modifications to attributes or to whole objects. This change detection infrastructure keeps the directories synchronized.

Data Enforcement

Data ownership issues often prevent effective coordination of an institution’s identity information even though it may be technically possible. Certain departments maintain a strong ownership of their data. Although ownership of data is not an issue when directories remain separate, retaining ownership when data is synchronized among multiple directories becomes more challenging. To address data ownership issues you can use a metadirectory system to:

- Enable administrators to define and enforce ownership relationships at the attribute level.
- Allow, block, or reverse changes made to identity information. If a change to data is consistent with the ownership rules it is allowed; otherwise, it is blocked (allowing local control) or reversed.
- Ensure that the departments that own the identity information in a specific directory will maintain that ownership even when that directory is synchronized with other directories in the organization.

Data Source

A data source for the Live@edu solution is any place where you have student information – a directory, database, or other data repository that contains data to be integrated within ILM 2007. Data sources can be enterprise directories (Active Directory, Novell, ADAM, etc.), databases (Oracle, SQL, etc.), or even data in flat files, such as LDIF, DSML or delimited text.

Management Agent

A management agent is a component of ILM that manages the data associated with a specific data source and connectivity to the data source. The management agent not only connects to the data source, but is responsible for managing the flow of data (inbound and outbound). There is at least one management agent for each data source. For many management agents, ILM 2007 communicates directly with the data source – these are call-based, and examples of such directories are LDAP and Active Directory. For others, where a direct call is not possible, an intermediary file is used such as AVP, LDIF or fixed width – these are file-based management agents. In some cases, the situation may be more complex: there may be no management agent specifically for the data source, or the data source may, for example, support a mixture of file-based and call-based activities so that a simple file-based management agent is insufficiently feature-rich. In such a case, the extensible management agent allows a developer to create code which instructs the management agent how to communicate with the data source.

Management agents are primarily configured by setting their properties within the wizard-like interface in the Identity Manager, the application that manages and configures ILM 2007. There are occasions when more complex operations are desired than those possible through the user interface (for example, combining the contents of FirstName and LastName to make a displayName); in this case, a management agent can be augmented by .dll extensions produced using Visual Basic .NET or C# or, indeed, any language making use of the .NET Common Language Runtime (CLR). It is not necessary to write code in most basic implementations of Live@edu; however, remember that the capability is there if needed.

Metaverse

The Metaverse is a set of tables within ILM 2007 that contain the integrated identity information from multiple data sources. All identity information about a specific student or object, which is stored in multiple data sources, is synthesized into a single entry in the metaverse. Your students will most likely have a single unique object in the metaverse representing each student.

Connector Space

The connector space is a storage area and a staging area. It stores the different states that are used to decide whether information in a data source has changed, or needs to be changed. It is also where changes are staged on their way into or out of ILM 2007. Each data source has its own logical area in the connector space, which is managed by its corresponding management agent. The connector space is essentially a mirror of the related data source, with each object in the data source having a corresponding entry in the connector space. The connector space does not contain the data source object itself, but a subset of the object’s attributes, as defined by the management agent.

Provisioning

When we think of objects in data sources, they will often be accounts, such as an Active Directory® service account. The term account is often used even for groups, resources, and so on. Provisioning is the creation of accounts in data sources (such as LDAP directories, databases, and e-mail systems). Once provisioned, the account attributes can be managed as those of any existing object. The manual creation (and removal or disabling) of accounts in several systems is administratively burdensome, prone to errors and inconsistency, and leaves potential security gaps. For Live@edu, the act of provisioning refers to the creation of a Windows Live ID account. You can use ILM 2007 to:

- Automatically create accounts (objects) in directories, based on their addition in one (authoritative) directory.
- Continue to manage those accounts, including removal (de-provisioning) and disablement.

Provisioning will occur within ILM 2007 to create the Windows Live IDs in the Windows Live environment. The Windows Live Management Agent will be entrusted to handle this task on behalf of ILM 2007. This management agent will take the e-mail address of the student to be provisioned from the data source, connect to the Windows Live server, create the account and then return the confirmation to ILM 2007. Similarly, should the user who has an account need to have the account evicted (deleted) from the school namespace, the management agent will again connect to the Windows Live server to evict the account.


Running a Synchronization

During development, a management agent is executed by means of the user interface. In production systems, it is desirable to run management agents in sequence without user intervention, both on a scheduled basis and occasionally in response to specific events (for example, the submission of a new student registration). Such automated execution of management agents is achieved using the WMI functions of ILM 2007 in conjunction with a scheduling agent (described in detail later).


Extensible Management Agents

Management agents allow ILM 2007 to connect to a wide variety of different data sources and to manipulate data from them. While most management agents provide connectivity to one specific connected data source, the extensible management agent has expanded the ILM 2007 connectivity options by allowing developers to build any connection they want simply by writing code within the confines of a management agent. Information is provided in the ILM 2007 developer reference help files and on MSDN.

State Based System

ILM 2007 is a state-based system. There are advantages to this (particularly robustness) as well as potential disadvantages (extra processing and storage), but the actual result is a very effective and flexible compromise. ILM 2007 stores a hologram for each external object of which it is aware; this hologram represents the current view of the data stored in each data source. During a subsequent import of the data from the data source, the imported object data is compared with the hologram. If any differences are detected between the two (for example, the values for the Student Type attribute do not match, or a new or missing object is detected), a change is inferred and the change is passed to the ILM 2007 Sync Engine to be propagated through the metadirectory.

In a deployed system, management agent runs are invoked by scheduled scripts, which are run either on a scheduled basis or in response to external events (for example, a web portal could invoke a run to ensure that accounts created through the portal are created). ILM 2007 then asks for data: it is a pull system, which avoids the need for a push agent on each data source.

ILM 2007 can also work with Delta Imports (i.e. imports of only those objects that have changed; exports, as it happens, are always delta in nature). Some data sources support this already, others may be able to with some modification, and yet others simply cannot support this feature. Where deltas can be used, there are considerable savings in processing time (traffic and state comparisons). Depending on how many students are being processed by the system and the frequency of the processing, designing the data source to provide ILM 2007 with delta updates may be extremely important. ILM 2007 can also work entirely with Full Imports, minimizing the intrusion on data sources; additionally, it is sometimes necessary to use a Full Import (for example, on initial import or when recovering from a data source failure).
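To make the hologram comparison, the attribute-level ownership rules from the Data Enforcement section and the provisioning decision concrete, here is an added Python example. It is not code from this guide or from ILM 2007: it assumes two constructed sources, "sis" anchored on studentId and "ad" anchored on objectGUID, joined on studentId, a constructed precedence table in which the student system owns mail and status, and a toy provisioning rule.

```python
"""Toy state-based metadirectory showing the concepts on this page: holograms,
inferred changes, attribute precedence (data enforcement) and a provisioning
decision. Added example, not ILM code; the sources "sis" and "ad", attribute
names and every record below are constructed."""
from typing import Dict, List, Tuple

Record = Dict[str, str]

class ConnectorSpace:
    """Staging area for one data source: holograms keyed by the anchor attribute."""
    def __init__(self, name: str, anchor: str):
        self.name, self.anchor = name, anchor
        self.holograms: Dict[str, Record] = {}

    def full_import(self, rows: List[Record]) -> List[Tuple[str, str, Record]]:
        """Diff a complete import against the holograms; unchanged objects yield nothing."""
        changes, seen = [], {}
        for row in rows:
            key = row[self.anchor]
            seen[key] = row
            old = self.holograms.get(key)
            if old is None:
                changes.append(("add", key, row))
            elif old != row:
                changes.append(("modify", key, row))
        for key, old in self.holograms.items():
            if key not in seen:
                changes.append(("delete", key, old))
        self.holograms = seen  # the new import becomes the hologram
        return changes

class Metaverse:
    """Unified view: each attribute value is chosen by source precedence."""
    def __init__(self, precedence: Dict[str, List[str]]):
        self.precedence = precedence  # attr -> allowed sources, most authoritative first
        self.contrib: Dict[str, Dict[str, Dict[str, str]]] = {}  # join value -> attr -> source -> value

    def import_flow(self, source: str, join_key: str, rec: Record) -> List[str]:
        """Flow a record into its joined object; return attributes blocked by ownership rules."""
        blocked, obj = [], self.contrib.setdefault(rec[join_key], {})
        for attr, value in rec.items():
            rule = self.precedence.get(attr)
            if attr == join_key or rule is None:
                continue  # join key and attributes without a flow rule are not imported
            if source not in rule:
                blocked.append(attr)  # the source does not own this attribute
            else:
                obj.setdefault(attr, {})[source] = value
        return blocked

    def disconnect(self, source: str, join_value: str) -> None:
        for by_source in self.contrib.get(join_value, {}).values():
            by_source.pop(source, None)  # withdraw the deleted object's contributions

    def view(self, join_value: str) -> Record:
        """Resolve each attribute to its highest-precedence contributor."""
        out: Record = {}
        for attr, by_source in self.contrib.get(join_value, {}).items():
            for src in self.precedence[attr]:
                if src in by_source:
                    out[attr] = by_source[src]
                    break
        return out

def provisioning_action(mv_object: Record) -> str:
    """Toy rule: active students with a mail address get a Windows Live ID; anything else is evicted."""
    eligible = mv_object.get("status") == "active" and bool(mv_object.get("mail"))
    return "provision" if eligible else "deprovision"

def run_cycle(cs: ConnectorSpace, mv: Metaverse, rows: List[Record],
              join_key: str = "studentId") -> Tuple[Dict[str, str], List[str]]:
    """One import plus sync run: per-object actions and the blocked attributes."""
    actions, blocked = {}, []
    for kind, _anchor, rec in cs.full_import(rows):
        jv = rec[join_key]
        if kind == "delete":
            mv.disconnect(cs.name, jv)
        else:
            blocked += mv.import_flow(cs.name, join_key, rec)
        actions[jv] = provisioning_action(mv.view(jv))
    return actions, blocked

# Constructed data: a student system anchored on studentId and an AD forest
# anchored on objectGUID, joined on studentId. The SIS owns mail and status.
PRECEDENCE = {"mail": ["sis"], "status": ["sis"], "displayName": ["ad", "sis"]}
SIS_DAY1 = [{"studentId": "s100", "mail": "alice@example.edu", "displayName": "Alice", "status": "active"},
            {"studentId": "s101", "mail": "bob@example.edu", "displayName": "Bob", "status": "active"},
            {"studentId": "s102", "mail": "cat@example.edu", "displayName": "Cat", "status": "active"}]
AD_DAY1 = [{"objectGUID": "g-1", "studentId": "s100", "displayName": "Alice Lee", "mail": "alice@ad.local"}]
SIS_DAY2 = [{"studentId": "s100", "mail": "alice@example.edu", "displayName": "Alice", "status": "withdrawn"},
            {"studentId": "s102", "mail": "cat@example.edu", "displayName": "Cat", "status": "active"}]

def demo() -> Dict[str, object]:
    """Day 2 brings a withdrawal, a deletion and one unchanged object."""
    sis, ad, mv = ConnectorSpace("sis", "studentId"), ConnectorSpace("ad", "objectGUID"), Metaverse(PRECEDENCE)
    day1, _ = run_cycle(sis, mv, SIS_DAY1)
    _, ad_blocked = run_cycle(ad, mv, AD_DAY1)
    day2, _ = run_cycle(sis, mv, SIS_DAY2)
    return {"day1": day1, "ad_blocked": ad_blocked, "s100": mv.view("s100"), "day2": day2}
```

Running demo() shows the three behaviours the text describes: on day 2 the unchanged student s102 produces no action at all because her hologram matches the import; the AD record's attempt to set mail is blocked because only the student system owns that attribute, while its displayName wins by precedence; and s100's withdrawal and s101's disappearance from the authoritative source both lead to a deprovision decision. A real export management agent would compare that decision against the Windows Live connector space before acting, so an account is not evicted twice.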

Operations

This section discusses common operational and maintenance related tasks that need to be performed on the ILM 2007 server to ensure the solution is backed up and stable. Additionally, common troubleshooting methodology is outlined to assist in dealing with operational errors.

Backup and Restore of ILM 2007

Microsoft Identity Lifecycle Manager 2007 is composed of two primary pieces: the ILM 2007 application and the SQL Server database that stores the configuration and identity information. These pieces together are used to complete the synchronization of data between the connected directories. Since there is a logical separation between the two parts of the application, disaster recovery needs to be approached accordingly.


ILM 2007 Application

The ILM 2007 server contains the installation of the ILM 2007 application along with the rules extensions, scripts, configuration files, log files and data files that are used to run the day-to-day operations. A backup of the files that are associated with the ILM server is needed to restore or fail over the complete ILM solution on a different server. The entire directory containing the ILM installation will need to be backed up. The default directory, unless it has been modified on installation, is c:\Program Files\Microsoft Identity Integration Server.

ILM 2007 Database

In addition to the ILM application and associated files, the MicrosoftIdentityIntegrationServer database is stored in a SQL server. This server can be the local server that runs ILM, or another dedicated SQL server. All of the configuration and run history, as well as all objects in the connector space and Metaverse, are stored in this SQL server. Additionally, some of the files, such as the extensions in the c:\Microsoft Identity Integration Server\Extensions folder, are stored in SQL as binary entries. When a database restore is completed, these files are extracted out of the database and stored on the server. There are several methods to fail over the ILM application. Depending on what fails (server, servers, network, site, SQL servers due to a SQL-related virus, etc.), it might be necessary to modify the disaster recovery plan. The following plans cover common scenarios for failing over the ILM application.

Disaster Recovery Plan 1 (SQL Outage)

The main focus of a SQL disaster recovery plan is to restore the SQL database on the local server or another server and then re-install ILM to point to the database (if it is on a different server). Since all of the run history, management agent data and synchronization information is stored in the database, restoring the database will bring you back to the state when the backup was taken. Please refer to the ILM documentation on how to restore the MicrosoftIdentityIntegrationServer database, specifically “Restoring Microsoft Identity Lifecycle Manager 2007” in the main help. After recovering from a SQL outage, running a full import may be necessary to refresh the data in the connector spaces.

Disaster Recovery Plan 2 (ILM Server Outage)

A failure of the ILM server should not result in any data loss; however, there are other critical components on the ILM server. For example, all of the source code, backup keys, operations scripts and any information in the MAData folder will be lost if you restore by reinstalling ILM. From this standpoint it is important to also have file system backups of the Microsoft Identity Integration Server folder.

If you have the encryption keys mentioned above, the easiest way to recover from an ILM server outage is to reinstall ILM 2007 and the Windows Live Management Agent and point it to the existing SQL Server database. Once you provide the encryption keys and restore the supporting files in the proper folders, you should be up and running. Again, refer to “Restoring Microsoft Identity Lifecycle Manager 2007” in the ILM 2007 help.


List of Maintenance Operations

The table below provides a quick reference for those product maintenance tasks that the System Administrator should perform on a regular basis. This list summarizes the tasks that are required to maintain ILM operations. There are more best practices listed in the Help File of your ILM server.

Frequency   Tasks
---------   -----------------------------------------------------------------------------------------------
Daily       View and examine the results of all the ILM management agent runs from the Identity Manager Operations interface (see the Identity Manager section below).
Weekly      Examine the Run History to determine if it needs to be backed up and cleared.
As needed   Resolve issues reported by your customers.
As needed   Understand and, if needed, fix all events reported in the Event Log.
As needed   Disconnect objects that were incorrectly joined and make sure they are properly joined at the next synchronization cycle.
As needed   When bad data is found through ILM, take the proper steps to ensure that the owner of this data fixes it at the source.
As needed   Back up and clear the run history of ILM.


Backing up Management Agents

Once you have your Windows Live ILM implementation up and running, it’s a good idea to back up the management agents by exporting them in XML format.

1. To back up your management agents, highlight a management agent in the management agent window, then from the Actions menu select Export Management Agent.


2. Save the management agent configuration file to a location on your hard drive.

3. To import your MA to a new or restored ILM implementation, from the Identity Manager, click Import Management Agent.


4. Select the XML file for the management agent you want to import and click Open.

5. Verify your settings by visiting the configuration tabs in the MA, then click OK.


Section 5: Setting up the Environment

Installation requirements

The following requirements must be installed prior to implementing the Live@edu solution. Please refer to the product documentation for the different products for more details.

Windows Server 2003 Enterprise Edition

ILM 2007 requires Windows Server 2003 Enterprise Edition. To verify that your server meets the minimum hardware requirements and for instructions about installing Windows Server 2003, Enterprise Edition, see Installing and Upgrading the Operating System at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=36737). Please install the latest version of Windows Server 2003 with any appropriate service packs and hot fixes.

Microsoft SQL Server 2005 or 2000, Standard or Enterprise Edition, Service Pack 3 (SP3)

ILM 2007 utilizes SQL Server as the back-end data store. This allows ILM 2007 to retain all of its configuration settings as well as the identity information that it contains. During installation ILM 2007 creates the database it will use as its data store. ILM 2007 requires SQL Server 2000 with Service Pack 3a (SP3a) or later. This means that SQL Server 2000 must be installed first and then the SQL Server 2000 service pack must be applied.

ILM Service Account and Security Groups

ILM 2007 requires a service account to be configured to run the ILM 2007 service. When installing ILM 2007, you must create an account that will be used to run the ILM 2007 service. This account is known as the ILM service account. This account must be a domain account if the SQL Server is not installed on the ILM 2007 Server. If SQL is installed locally, the service account may be a local account.

Additionally there are five security groups that need to be configured. ILM 2007 creates three groups during installation that control which tasks in the Identity Manager users can perform. The following groups are created by ILM 2007:

- MIISAdmins — Members of this group have full access to everything in the Identity Manager.
- MIISOperators — Members of this group have access to Operations in the Identity Manager only. MIISOperators can run management agents, view synchronization statistics for each run, and save the run histories to file. Members of the MIISOperators group must also be members of the MIISBrowse group to open links in the synchronization statistics.
- MIISJoiners — Members of this group have access to Joiner and Metaverse Search in the Identity Manager. MIISJoiners can join or project disconnectors using Joiner, and use Metaverse Search to view object properties and disconnect objects from the Metaverse.

ILM 2007 also creates two security groups during installation that do not have access to the Identity Manager, but are used for authentication during password management operations:


- MIISBrowse — Members of this group have permission to gather information about a user's lineage when doing password reset operations with Windows Management Interface (WMI) queries.
- MIISPasswordSet — Members of this group have permission to perform all operations using the password management interfaces with WMI. Members in this group inherit all MIISBrowse permissions. For more information about setting passwords using WMI, open the ILM 2007 Developer Reference.

Typically it is best to create the service account and security groups before you begin setup; otherwise, the person running the ILM 2007 installation must have rights in the domain to create the groups through the setup program. After ILM 2007 is installed, add your user account to the MIISAdministrators group (or whatever name you chose for the group). Adding yourself will give you full control of ILM 2007.

Note: You must log out and log back in before security group membership will take effect.

Microsoft Identity Lifecycle Manager 2007

To install ILM 2007, you use the ILM Install Wizard. The wizard allows you to customize the installation of ILM 2007 depending on your environment. The following list describes the options that are available in the wizard during a complete setup:

License Agreement - You must accept the terms in the license agreement to continue with the installation.

Setup Type Complete - Selecting this option allows you to specify the values for the Store Information, the Service Account Information, and the Group Information options. The remaining options will be installed with their default values.

Store Information - You use the Store Information option to specify information about the SQL Server that will be hosting the ILM 2007 database. You can choose between a local and a remote SQL Server, and between the default instance and a named instance of SQL Server.

Service Account Information - Use the Service Account Information option to specify the account to be used for the ILM 2007 service. This account must already exist.

Group Information - ILM 2007 uses five different security groups to provide different levels of access. The Group Information option is used to specify the names of these five groups. If the groups do not exist, the wizard will create them. In addition to creating the groups, the wizard will add the user account being used to perform the installation to the ILMAdmins group. This option is only available if you selected the Custom setup type.

When the installation is complete and before you can run the Identity Manager, you must log off and then log on again to have your new group membership (in the ILMAdmins group) take effect.


Section 6: Creating and Configuring the Data Source Management Agent

Configuring the Data Source Management Agent

There are nine basic steps to configure your data source management agent. These steps will vary depending on the type of data source; however, the overall concepts include the following:

1. Connecting ILM 2007 to the Student Data Source
2. Understanding the Student Data Source Schema
3. Select a Subset of the Source Data
4. Configure Connector Filter Rules
5. Configure Join Rules
6. Configure Projection Rules
7. Configure Import Attribute Flow
8. Configure Deprovisioning
9. Configure Extensions

Using these nine concepts and the details below should allow you to create a management agent that connects to your data source to get the student information.

Connecting to the Student Data Source

ILM 2007 can connect to a wide range of data sources including databases (SQL Server, Oracle), directories (Active Directory, Sun ONE) and files. Depending on which data source type you are working with, you will be presented with different options during the configuration of the management agent that works with that data source.

Database Management Agents

Database management agents generally require a data source name (or server name plus a database name) and the name of the relevant table or view containing the data to be processed. A view is generally preferable to a table as it provides a level of abstraction between source data and ILM. A view lets you pre-select both the dataset to be processed by ILM and the attributes which are available to ILM; it also means that if the underlying table(s) change, you do not have to reconfigure ILM (you may or may not need to modify the views concerned).


You must supply the security credentials of an account which has the appropriate permissions in the target system – i.e. it must be at least able to read the data and able to write to the database appropriately if changes are to be exported from ILM into this database.

Note: The Table or View you specify for Full Import is also written to during Export. Not all views can be written to in this way – a detail that will have to be taken into account during design. It is not common that you will need to export to the data source when implementing a basic Live@edu solution.

LDAP Management Agents

LDAP management agents, such as the eDirectory, ADAM and Sun ONE Directory Services management agents, typically require the specification of a server and TCP port to which to connect, as well as a security account which has the appropriate permissions to the directory concerned. Active Directory is a little more complex, requiring a forest and domain and providing for preferred domain controllers. You can generally specify secure communication where available (e.g. SSL/SASL or Sign & Seal).


File-based Management Agents

Because a file-based management agent does not communicate directly with its Connected Data Source, you do not connect – instead you provide the name and location of a template file.

Understanding the Student Data Source Schema

Before you can identify the object types and attributes to be managed by a management agent, the data source's schema must be established – a process which the management agent uses to identify which object types and attributes are available. Different management agents handle this process differently. Some data sources do not have extensible schemas, in which case the management agent already knows the predefined schema for that data source.

Management Agent Schemas

The following list describes schema discovery approaches for each management agent:

Management Agents that support the dynamic discovery of the source directory or database:

Active Directory
Active Directory Application Mode (ADAM)
Active Directory global address list (GAL)
Microsoft Exchange Server 5.5
Microsoft Exchange Server 5.5 (bridgehead server)
Novell eDirectory
Sun ONE directory services
Microsoft SQL Server
Oracle Database

Management Agents with a fixed schema that models the database structure:

Windows NT 4.0
Lotus Notes

Management Agents that require the discovery of the data in the sample file:

Delimited text file
Fixed-width text file
Attribute-value pair text file (AVP)
Directory Services Markup Language (DSML)
LDAP Directory Interface Format (LDIF)

Anchor Attributes

The anchor attribute contains the unique value that links an object in the data source to its object in the connector space. Management agents can make educated assumptions about anchor attributes. Here are some examples:

SQL Server management agents will offer (as a default) the primary key of the source table if it is defined, although you can override this if necessary (this default won't work where a view is used). You can assume that other database management agents behave like this (e.g. Oracle).

With AVP, delimited or fixed-width management agents you must define the anchor. It is a reasonable assumption that other text management agents behave like this.

In the Active Directory management agent the DN is treated as the anchor, and during account creation a unique DN will be generated. The way the management agent actually keeps track of AD accounts is through the AD GUID, although this takes place under the covers and you don't actually see it. In this way, a DN can be changed in AD, resulting in a rename at the next import. Renames cannot happen in simple anchor cases like SQL Server or AVP. Most other LDAP-based management agents behave much like this (e.g. ADAM, Sun ONE, Lotus Notes, eDirectory).

LDIF and DSML management agents must contain a DN attribute, and you must either define this DN as the anchor attribute or select another attribute as the anchor. The full explanation of this isn't appropriate here but, in summary, if you have the DN as the anchor as well, it isn't possible for ILM to detect a rename (i.e. if the object has moved, ILM can't keep track of it). Renames can be recognized through the special MOD DN and MOD RDN change types.

Object Types and Attributes

LDAP management agents (like AD, ADAM) allow you to pick object classes and attributes from a list. With database management agents, you define a view to contain the appropriate records and fields. All of the attributes discovered are then processed. Similarly, the columns or attributes discovered in a template file will determine which attributes are imported and exported by a file-based management agent.

The object types and attributes available in the data source are reflected in the ILM system by the generation of a schema for the connector space. It is sometimes required to specify additional details for an attribute if the management agent is not able to identify those details from the data source. Where the management agent understands its source system very well (the Active Directory management agent, for example) there is no need (or potential) to modify the attributes which will be created in the ILM system. However, for file-based management agents, and to a more limited extent for database management agents, it is possible to modify the attribute details. You can specify (for example) the data type, the length of the data (minimum and maximum), whether the attribute will store a reference to another object, and whether the attribute is multi-valued.

Select a Subset of the Source Data

For both fundamental design reasons and for improved performance you may wish ILM to process only a subset of the data stored in the connected data source.

Database management agents

Database management agents import all the records and all the fields (columns) in the specified table or view. Intelligent design of a view as a source for the management agent will provide the appropriate data subset for the management agent.

LDAP management agents

LDAP connected data sources potentially contain multiple partitions (e.g. naming contexts or domains) as well as hierarchical container structures within those partitions, and LDAP management agents support the selection of subsets of both these elements. You can select one or more partitions along with one or more of the containers within each partition. You are next asked to select object classes to process and their attributes. The management agent will then process all the objects of the selected types within the selected containers within the selected partitions.

File-based Management Agents

Since a different file is typically used for export and import runs, the file to be used is specified in the run profile selection (rather than in the management agent itself). Such import files are processed in their entirety, so configuration of a data subset for file-based management agents is performed by the process which generates the text file for the management agent.

Configure Connector Filter Rules

A staging object that is not linked to a metaverse object is called a disconnector object. A connector filter determines whether an object should stay a disconnector object in the connector space. Thus, the connector filter prevents these objects from being further processed by the synchronization and rules engine and even disconnects objects that are already connected (with the exception of explicit connectors – those that have been manually joined). Connector filters are not required. They are used to prevent unwanted objects from being synchronized with the metaverse.

Refine Further by Using Filters to Select Subsets

When we think of filters, we tend to think of subsets of data, and a clear distinction needs to be made between the data subset that is imported (staged) from the data source to the connector space, as already discussed, and the subset of staged data to be held in the connector space as disconnectors. An example of use would be where you have objects in the connector space that, while not actually deleted in the data source, are no longer active and therefore do not need to be represented in the metaverse. This could be filtered out at source and therefore not imported, but this may not be convenient or even achievable. Another example might be if your Active Directory included an attribute named status that was set to contain the current status of each person in the student list (such as Student, Alumni, or Applicant). You may not want to assign Windows Live IDs to Applicants since they are not yet students. A filter can be used to prevent data related to applicants from being added to the metaverse during synchronization.

Configure Join Rules

Join rules determine whether there is an existing metaverse object to which to join a connector space object. If the join criterion is met, the connector space object is linked to that metaverse object.

A join rule is made up of one or more conditions which compare connector space object attribute values with metaverse attribute values, looking for matches. Each connector space object is considered in turn; if all conditions are met for a given metaverse object, then that object becomes a candidate for joining. If this is not the case, the next rule in the specified order will be tested, and so on. Unless you are integrating the Live@edu solution into an environment where you have an existing ILM 2007 installation, you will most likely not need to configure a join rule. Instead you will configure a projection rule. In a disaster recovery scenario, for example, you would join a disconnected object by its mail address.

Configure Projection Rules

Projection rules govern the conditions under which a new metaverse object is created from a connector space object. Projection rules are responsible for determining if projection into the metaverse should occur and the appropriate object type to employ. Projection rules differ from join rules in that during a join process the metaverse is searched for existing objects; during the projection process, projection rules determine whether or not a new object is created in the metaverse so that other connector space objects can link to it. Management agents apply projection rules to objects where a join has failed or join rules were not configured.

Note: At least one of your management agents must have a projection rule or you’ll never get any data in the metaverse.

You need to define a projection rule for your object type so that ILM 2007 will create the objects in the metaverse for each of the imported students (except those filtered out). You will typically choose to project your students through a declarative rule to the person object type.

Configure Import Attribute Flow

ILM 2007 uses connector space objects to store data moving from and to the connected data sources during import and export operations. ILM 2007 uses metaverse objects to store the data in the metaverse. The process of moving data between connector space objects and metaverse objects is called attribute flow. Attribute flow occurs during synchronization and is governed by attribute flow rules. Attribute flow rules are scoped by data source object type and metaverse object type and can be defined with the following options:

Direct – simply flows a value from one attribute into another attribute
Advanced – either a rules extension, a constant value to be flowed into an attribute in every case, or a chosen element of a DN to be flowed into an attribute
Import – from connector space to metaverse – inbound attribute flow
Export – from metaverse to connector space – outbound attribute flow

If you want to create a custom attribute in Metaverse (for example, TempPassword), use the Metaverse Designer tool. In Identity Manager, click Metaverse Designer.

Click Add Attribute from the Attributes Action list.

Click the New attribute button, type the attribute name, select the attribute type and click the tick box next to Indexed. Click Ok. The Metaverse attribute is now ready to be used.

Import flow rules

Import flow rules specify how attribute values should flow from the data source via the connector space to the metaverse. You specify the source attribute from the connected data source (data source) and the destination metaverse attribute. You will need to create flow rules for any information that is interesting to Windows Live. A prime example of this is importing the e-mail address of the students into the mail attribute in the metaverse.

Direct flow rules

You can specify direct flow rules which simply copy the value from source to destination.

Advanced rules

You can also specify advanced rules which allow you to specify flow calculations with rules extensions – for example, allowing the flow of a component of a distinguished name into a destination attribute as a string. Finally, a common advanced mapping type is the constant option. This allows you to specify a string value that will flow into the metaverse object for all linked objects of this type. Advanced attribute flows are discussed in more detail in the ILM 2007 Developer Reference help file.

Configure Deprovisioning

Deprovisioning is the action applied to the connector space object as a result of either the deletion of its connected metaverse object or a direct call for deprovisioning of the connector space object from a piece of code. For Live@edu, you will want to check the box next to “Do Not Recall Attributes” and leave the radio button set to make them disconnectors, so that you don't start deleting objects from your data source.

Make them Disconnectors

If the objects become disconnectors, then every time a synchronization run of the management agent is performed they are run against the filter, join and projection rules, perhaps resulting in them joining to a metaverse object again if a join rule was specified.

Make them Explicit Disconnectors

If the objects become explicit disconnectors, then they are not run against the filter, join and projection rules when a synchronization run of the management agent is performed, and thus will never rejoin to a new metaverse object, even if a new match becomes available, unless the join is performed manually with the Joiner tool.

Stage a Delete

You can put the connector space object into a pending delete state; when the next export run is performed the corresponding data source object will be deleted.

Rules Extension

The decision on what to do with the object is made by a rules extension, for which you will have to provide the code.

Configure Extensions

Extensions are code that is written, compiled, and configured for use with ILM 2007 that makes it possible to add functionality to the rules provided in Identity Manager. They are not necessary for a basic Live@edu implementation but allow for customized and extended functionality.

Section 7: Installing and Configuring the Export Management Agent

NOTE: This Admin Guide covers provisioning of account to Hotmail Only. This guide does not cover Exchange Labs provisioning

Installing the Windows Live Management Agent

To create and manage accounts in Windows Live, ILM 2007 needs a management agent that knows how to communicate with Windows Live. This is done through the Windows Live Management Agent. Running the installation program will add the Windows Live Management Agent to the ILM 2007 installation that you just completed.

1. Locate the Windows Live Management Agent installation file (WLCDMASetup.msi) and then launch it.

Create the Windows Live (Export) Management Agent

Make sure you are logged into the machine as a user that is a member of the ILM administrators group.

2. Open the ILM Identity Manager console by clicking Start -> All Programs -> Microsoft Identity Integration Server -> Identity Manager.

3. Click Management Agents.

4. On the Actions menu on the right you will see a list of actions that you can perform on a management agent. Click Create to launch the wizard for creating a management agent.

5. Under Create Management Agent, there will be a dropdown list of all of the different installed Management Agents. The fact that each of these management agents is installed on this server means that this ILM installation could potentially connect to and communicate with each type of data source in that list. Select WLCD Management Agent (Microsoft).

6. In the Name text box enter a name that describes the use of this management agent. Click Next.

7. On the Configure Connection Information page, enter your domain administrator credentials. If you are using a certificate for authentication, click Next.

8. On the Configure Additional Parameters page, you can change the value for the name of the log file created during every export to Windows Live.

9. On the Configure Attributes page, as with the other management agent you just created, you could make further configuration changes – for example setting an anchor – but it has been done already. Accept the default settings. Click Next.

10. On the Configure Object Types page accept the default settings (as with the other management agents, there is only one type of object – evidently called PassportUser in this case, rather than person – so there is nothing to do here). Click Next.

11. On the Configure Connector Filter page accept the default settings (since the Windows Live Management Agent is export only, you will never have a requirement for a filter). Click Next.

12. On the Configure Join and Projection Rules page, accept the default settings. Join and projections rules are associated with inbound synchronization, which usually applies to imported records – we are only going to be exporting to Windows Live so there is no requirement for such rules. Click Next.

13. On the Configure Attribute Flow page you must at a minimum create a rule to export the e-mail address to Windows Live.

Ensure that the Data source object type is set to PassportUser
Ensure that the Metaverse object type is set to person (if applicable)
Under Metaverse Attributes on the bottom right, select the mail attribute or whichever attribute you have contributed the e-mail address of the student to from the data source
Under Mapping Type in the middle, select Direct (this is the default)
Under Flow Direction in the middle, select Export (ensure that Allow Nulls is unchecked)
Under Data Source Attributes on the bottom left, select the SigninName attribute
Click New

14. Verify that the attribute flow is configured similar to the figure below:

15. Click Next.

This rule will allow the mail attribute that we contributed to the metaverse from the student data source to flow out to the SigninName in Windows Live using a direct export rule.

Passport User Attributes

The SigninName string represents the member name (e-mail address). Windows Live ID e-mail names must conform to SMTP RFC 822 for the user name portion of the e-mail address and to RFC 1035 for the domain portion. Some exceptions are made:

50 characters max

No UNICODE

First character must be a letter (must be in ASCII code range of 97-122, 65-90)

Period (ASCII 46) allowed except for the first and last characters but cannot have two adjacent periods

All other chars must be in ASCII code range of 48-57 (numbers), 65-90 (uppercase), 95 (underscore), 97-122 (lowercase)

All other characters are disallowed
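A validator for the SigninName user-name rules listed above, added here as an example (it is not code from the guide or from the management agent). The domain-part check is a simplified RFC 1035 label test, and all sample names are constructed; wledutraining.com is the example domain the guide itself uses.

```python
"""Check candidate Windows Live ID SigninName values against the user-name rules
listed above. Added example, not the guide's or the management agent's code."""
from __future__ import annotations

import re

MAX_USER_LEN = 50          # "50 characters max"
MAX_DOMAIN_LEN = 253       # practical RFC 1035 limit for a full domain name
# One DNS label: letters/digits, hyphens only inside, 1-63 characters (simplified RFC 1035).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_letter(ch: str) -> bool:
    """ASCII 65-90 or 97-122 only; str.isalpha() would also accept Unicode letters."""
    o = ord(ch)
    return 65 <= o <= 90 or 97 <= o <= 122


def _is_allowed(ch: str) -> bool:
    """Letters, digits (48-57), underscore (95) and period (46); everything else is rejected."""
    o = ord(ch)
    return _is_letter(ch) or 48 <= o <= 57 or o in (95, 46)


def check_user_part(user: str) -> list[str]:
    """Return every rule the user-name portion violates (empty list means it passes)."""
    if not user:
        return ["user name is empty"]
    problems: list[str] = []
    if len(user) > MAX_USER_LEN:
        problems.append(f"user name longer than {MAX_USER_LEN} characters")
    if any(ord(c) > 127 for c in user):
        problems.append("user name contains non-ASCII (Unicode) characters")
    if not _is_letter(user[0]):
        problems.append("first character is not a letter")
    if user[-1] == ".":
        problems.append("last character is a period")
    if ".." in user:
        problems.append("two adjacent periods")
    # Non-ASCII characters were reported above; list the remaining offenders once each.
    bad = sorted({c for c in user if ord(c) <= 127 and not _is_allowed(c)})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def check_domain_part(domain: str) -> list[str]:
    """Simplified RFC 1035 host-name check for the domain portion."""
    if not domain:
        return ["domain is empty"]
    problems: list[str] = []
    if len(domain) > MAX_DOMAIN_LEN:
        problems.append(f"domain longer than {MAX_DOMAIN_LEN} characters")
    if not all(_LABEL.match(label) for label in domain.split(".")):
        problems.append("domain has an empty or malformed label")
    return problems


def check_signin_name(signin_name: str) -> list[str]:
    """Validate a full SigninName (user@domain) before it is flowed to the export MA."""
    if signin_name.count("@") != 1:
        return ["SigninName must contain exactly one '@'"]
    user, domain = signin_name.split("@")
    return check_user_part(user) + check_domain_part(domain)


def is_valid_signin_name(signin_name: str) -> bool:
    return not check_signin_name(signin_name)


def partition_export_batch(candidates: list[str]) -> tuple[list[str], dict[str, list[str]]]:
    """Split a batch into exportable names and a map of rejected name -> violations,
    so bad values can be corrected at the student data source instead of failing on export."""
    ok: list[str] = []
    rejected: dict[str, list[str]] = {}
    for name in candidates:
        problems = check_signin_name(name)
        if problems:
            rejected[name] = problems
        else:
            ok.append(name)
    return ok, rejected


if __name__ == "__main__":
    # Constructed sample batch for a dry run of the rules.
    batch = [
        "john.smith_2@wledutraining.com",
        "1john@wledutraining.com",
        "john..smith@wledutraining.com",
        "j\u00f6hn@wledutraining.com",
    ]
    good, bad = partition_export_batch(batch)
    print("exportable:", good)
    for name, why in bad.items():
        print(f"rejected {name}: {'; '.join(why)}")
```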

Note: Configuring the SigninName is the minimum that you need to do for this management agent; however there are also other attributes that you can use to change settings or set initial account passwords. The following attributes allow you to flow the following values to specific student accounts.

Attribute Description

<dn> The distinguished name is used as an anchor.

AltEmail The user's alternate e-mail address. A string with a maximum length of 129 characters. Set this for the students if you know it so that they don't have to call the helpdesk to have the administrators of the solution reset their password if they forget it. Sets only on creation of account, not on update.

Birthdate The user's birth date. A string with a maximum length of 10 characters in the following format: dd:mm:yyyy. Sets only on creation of account, not on update.

Country The user's country. A string with a maximum length of 2 characters. Sets only on creation of account, not on update. There is a list of valid Country Codes in Appendix A.

DeleteUser A boolean value (true or false) that determines whether an account should be evicted from the managed namespace.

Export_password An attribute used by ILM for password management. Not user configurable.

FirstName A member’s given name. Sets only on creation of account, not on update.

LanguageCode The member’s language. A string with a maximum length of 5 characters. Sets only on creation of account, not on update. There is a list of valid Language Codes in Appendix B.

LastName A member's surname. Sets only on creation of account, not on update.

MailDisabled Boolean value (1 or 0) that represents if a user is blocked from logging in. A setting of 1 indicates that the user is blocked and will not be able to use his or her Windows Live ID to access any services. This might be used to lock a student out of their account while an investigation of invalid behavior takes place. Remember that evicting accounts means that the account can no longer be a member of the university namespace. Blocking a user is a reversible operation, where eviction is not.

NetID A long string representing the user's ID in the Windows Live system. This unique identifier will be assigned by the Live ID servers and does not need to be managed.

OfferAction A value that performs an action on an OfferName. Can be Add or Remove.

OfferName A string that represents the OfferID associated with the user, for example, US No Ads. Offers must be configured on the Microsoft system to be valid. If you are having issues with your offer, please contact the Windows Live Commercial Partner Center using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww

PostalCode The user's postal code. A string with a maximum length of 15 characters; United States only. Sets only on creation of account, not on update.

RegionCode The user's region. A string with a maximum length of 10 characters; United States only. Sets only on creation of account, not on update. There is a list of valid Country Codes in Appendix A.

ResetPassword A value that determines whether a user should be prompted to change their password during first login.

TempPassword The temporary initial password for a new Windows Live ID. The password must be reset by the user on initial login. There are several options for managing passwords for the accounts. If you choose to set the initial password to a known value, this is the right value to set. Otherwise you can leave this setting blank and have the Windows Live Management Agent create a password for you in which case the password would be available in the log file for you to communicate to the students. Please see the Password Management section of this document for more information.

TimeZone The user's time zone. This setting is important to set for the students so that features such as the calendar are properly experienced. If the time zone is not set, then the mailbox defaults to GMT. Sets only on creation of account, not on update. There is a list of valid time zones in Appendix C.

16. On the Configure Deprovisioning page, accept the default settings which should be Make them disconnectors. This will prevent your users from inadvertently getting evicted from the Windows Live namespace. Click Next.

17. If you are using password synchronization with Active Directory, click the Enable Password Management tick box, otherwise on the Configure Extensions page, click Finish.

Enable Provisioning

ILM 2007 uses the term provision to describe the process that it goes through to create a new account. For ILM 2007 to be able to create new accounts in Windows Live you must first enable provisioning. Typically, using ILM 2007 to provision (create) accounts requires some code to be written so that it knows how to properly create those accounts. The Live@edu installation has already taken care of this for you by placing the compiled code into the correct folder. The compiled code is referred to as a Metaverse Rules Extension. You will need to configure ILM 2007 to use that Metaverse rules extension to create accounts in Windows Live. This is done by pointing ILM 2007 to the rules extension that was installed on the machine during setup of the Windows Live Management Agent and checking the box to enable provisioning.

18. In Identity Manager, on the Tools menu, click Options.

19. On the Configure Extensions dialog box, click Enable Metaverse Rules Extensions.

20. To pick the name of the Rules Extension from the list of files in the Extensions folder, click Browse.

21. Select WLCDMVExtensionLoader.dll from the list of file names.

22. Click OK.

You should see the filename WLCDMVExtensionLoader.dll that you selected in the Rules extension name field.

23. Click Enable Provisioning Rules Extension.

24. Click OK.

Section 8: Configure XML Files

Configure XML Settings

You must configure XML file settings to reflect the configuration of your environment. For the Windows Live Management Agent to be adaptable to the needs of different schools there are certain settings that need to be configured specific to each implementation. During installation, the default files were copied to the appropriate folder. The XML configuration files are located in the Extensions folder of the ILM 2007 installation path, usually C:\Program Files\Microsoft Identity Integration Server\Extensions. There are two XML files in total that may need to be configured. They are:

WLCDGlobalConfig.xml

This XML file uses elements that the management agent uses to apply global account attributes and controls for a domain, such as certificate authentication, offers, and global user attributes.

The WLCDGlobalConfig.xml contains settings that apply to all Windows Live member accounts provisioned with ILM. It may be opened with Notepad as a text file for ease of viewing and editing. You will need to change values for at least the DefaultOfferName and Domain Name elements to reflect your offer and domain name assigned to you. This file resides in the ILM Extensions directory (usually c:\program files\microsoft identity integration server\extensions). Here is an example WLCD GlobalConfig XML file:

Elements

An element in XML is defined as a unit of XML data, delimited by tags. An XML element can enclose other elements. The following elements make up the body of the management agent Global Configuration XML file:

Element Description

<DefaultCert> If using a certificate for authentication, the elements subject and issuer need to contain the strings for both Subject and Issuer from the Windows Live Admin Center Control Panel in the SDK menu.

<Subject> Contains a value such as [email protected], CN=sapipartner.com, O=OXFORD Computer Group, C=US copied from the Windows Live Admin Center SDK Control Panel.

<Issuer> Contains a value such as CN=Microsoft Secure Server Authority, DC=redmond, DC=corp, DC=microsoft, DC=com, copied from the Windows Live Admin Center SDK Control Panel.

<DefaultOfferName> Contains a value such as “US No Ads”.

<DefaultResetPassword> Controls whether members have to reset their password during the initial login experience. This element can contain the values True or False.

<Url> Contains the URL for the Windows Live Admin Center administration website for provisioning accounts, such as https://domains.live.com/service/ManageDomain2.asmx.

<Domain name=""> Contains the value of your fully qualified domain between the quotation marks, such as wledutraining.com.

<DefaultUserAttributes> Contains values for the attributes below that will be applied globally to all member accounts.

<Country> Contains a value representing a member’s country code for a domain. See Appendix A.

<LanguageCode> Contains a value representing a member’s language code for a domain. See Appendix B.

<OfferName> Contains a value representing a member’s offer, such as “US No Ads”.

<TimeZone> Contains a value representing a member’s time zone. See Appendix C.

<PostalCode> Contains a value representing the member’s postal code.

<RegionCode> Contains a value representing the member’s region code. See Appendix D.

<BirthDate> Contains a value representing a member’s default birthdate. BirthDate is in the format DD:MM:YYYY.

Note: Global attributes from the XML are only set on member accounts upon account creation. Setting the attribute values after provisioning accounts will not update them.

WLCDProvisioningConfig.xml

This XML file controls the settings that are relevant to ILM 2007 and how you have it configured. You will need to edit this file for the solution to work properly. This XML file is used to identify the name of your export management agent and enable account creation of Windows Live IDs in ILM 2007. Other elements may also be set in this file to identify and customize your ILM environment, such as MVEntryObject and MVEntryAttribute, if you customized them. An administrator can also use this XML file to filter domains and add custom assemblies for added functionality, or specify more than one export management agent.

You will need to enter the name of your management agent in the Name element and (optionally) the MVEntryObject and the MVEntryAttribute. This file resides in the same ILM extensions directory (usually c:\program files\microsoft identity integration server\extensions) as the WLCDGlobalConfig. The following is a sample WLCDProvisioningConfig XML:

Elements

Element Description

<rules-extension-properties> Wrapper element for the contents of the file.

<account-provisioning> Wrapper element that contains multiple ManagementAgent elements.

<ManagementAgent> Contains several sub elements specifying the attributes to which this rule extension applies. There should be one ManagementAgent element for each Windows Live Management Agent in ILM 2007.

<Name> The name of the export management agent for connecting to Windows Live Admin Center. The XML file’s default management agent name is “Windows Live Custom Domains Management Agent”. This value should reflect the exact name of the Windows Live Management Agent as it appears in ILM 2007. It is a good idea to copy and paste from the Name field in the management agent properties window to ensure they match.

<MVEntryObject> The type of the Metaverse Entry Object containing member account information, the XML file’s default MVEntryObject is person. Usually, it is set to “person”. This value should match that used in configuring the management agent‘s attribute flow.

<MVEntryAttribute> The name of the Metaverse Entry Attribute containing member accounts; the XML file’s default MVEntryAttribute is mail. This is the attribute inside the object defined by MVEntryObject which contains the e-mail address of the specified user to be exported. Usually set to mail, or to another attribute where you have previously set up the writing of the Windows Live e-mail address.

<Domain> The domain to which the rule extension applies. If you only have one e-mail domain that you have set up with Live@edu, this is the domain that should appear here (wledutraining.com). This attribute may be repeated.

<Filter> Contains a Boolean value, true or false, whether to filter the domain. If the tag is true, the filter limits the users to be exported to the management agent named above to only those in the domain specified by name below. In other words, anyone whose domain does not match the above will not be exported by the Windows Live Management Agent that you are currently configuring.

<Name> The domain specified for filtered exports. Only used if Filter is specified.

<add-assemblies> A node that contains multiple assembly elements and configures the Metaverse extension DLLs that are to be used by ILM 2007.

<assembly name="WLCDMVExtension.dll"> The name of the assembly to run. You can copy and paste additional assembly elements if you are running other rules extensions.

<assembly> Specifies an additional assembly linked to this rule. The name attribute of this element specifies the name of the DLL file that contains the Metaverse Rules Extension.

Note: If you have multiple Windows Live Management Agents in ILM 2007, you must create a <ManagementAgent> node with all the required data for each one.

Configure Offers

OfferName and OfferAction are two attributes in version 3 of the Windows Live Management Agent that ensure accounts receive the Live@edu offers for your domain. All accounts must have their OfferName and OfferAction configured.

Your offer name is provided to you by the Windows Live Commercial Partner Center when they configure your domain as a Live@edu domain. Appropriate offer actions are Add and Delete.

Attribute Flow

In the Attribute Flow scenario, the values for OfferName and OfferAction are stored in your source data and flowed through ILM in much the same way as the e-mail address. OfferName assumes the OfferAction of Add if it is not specified.

WLCDGlobalConfig

In the Global Config scenario, the values for OfferName are included in the WLCDGlobalConfig XML file and stamped on member accounts at the time of creation.

Section 9: Additional Settings

Managing MX Records

MX records specify how to route mail to your new e-mail domain. It is critical that these are modified correctly for the proper routing of mail messages to your Windows Live IDs. These records must be modified in your DNS server by the DNS server administrator.

Create DNS MX Entry

For each e-mail domain, an administrator account must be created in the Windows Live Admin Center as mentioned on page 15. Once the administrator account has been confirmed, the mail service is enabled.

Add a Sender Policy Framework (SPF) Record for Each E-mail Domain

To help combat unsolicited e-mail, you are encouraged to create an SPF record and add it to the DNS records of your domain. This record lets receivers of e-mail from your domain check that the mail really came from a server authorized for the domain it purports to be from, which minimizes the chance of it being filtered or rejected by a receiving mail server that checks SPF records. An example of the Sender ID TXT record DNS entry:

v=spf1 include:hotmail.com ~all

Optional: DNS SRV Record

You must create a DNS SRV record for anyone to use instant messaging in their assigned Windows Live Managed Namespace(s) with any company that has rolled out Live Communications Server 2005 with Public IM Connectivity (PIC).

The format of that DNS SRV record is:

_sipfederationtls._tcp.<domain name> ttl class SRV 10 2 5061 federation.messenger.msn.com

For instance,

_sipfederationtls._tcp.alumni.university.edu ttl class SRV 10 2 5061 federation.messenger.msn.com

Section 10: Running the Solution

Once the solution is installed and configured you can create the necessary run profiles and complete the solution.

Data Synchronization

Data flow in ILM 2007 occurs in three phases: import, synchronization, and export. Importing is the process of retrieving data from a connected data source and storing it in the connector space. Objects must exist in the connector space to hold the data being imported; if new objects are needed, they are created during the import operation. The process of creating the new objects and storing the newly imported data in the connector space is referred to as staging. Once data is staged, it is ready for inbound synchronization.

Inbound synchronization is the process that adds the imported (staged) data to the Metaverse. During the import (staging) operation all data is imported into the connector space, including objects that meet the filtering criteria. Filtered objects in the connector space are ignored during inbound synchronization, so they are not processed and are not added to the Metaverse. Join and projection rules are applied during inbound synchronization to create Metaverse objects as necessary and to connect connector space objects to Metaverse objects. Import attribute flow rules are applied during inbound synchronization to further control exactly what data flows from the connector space to the Metaverse.

Outbound synchronization takes place at the same time as inbound synchronization and is the process of retrieving data from the Metaverse and storing it in the connector space to get it ready for export. Exporting is the process of sending data in the connector space to a connected data source. Outbound synchronization and exporting data are discussed in more detail later in this guide.

Now that the management agents are configured you can begin processing the data. ILM 2007 makes it possible for you to examine the data being processed during each phase of the data flow process. You may take advantage of this feature to familiarize yourself with the statistics and message displays that are shown during and at the completion of the runs.

Run Profiles

For each management agent you can define a number of run profiles. These are used to initiate each of the three phases of data flow. Run profiles provide operating parameters to management agents each time they are run. The information in the run profile varies based on the management agent that uses it. For example, a run profile for a delimited text file management agent contains parameters indicating the name of the text file that is used as the connected data source and which phase of the data flow is to be processed.

In this document you create one run profile for each management agent. This makes it possible to process one phase of the data flow, then stop and examine the data to make sure it is flowing as expected, allowing you to monitor and troubleshoot a new deployment. Once data flow has been verified and you are confident everything is functioning properly, you can create more sophisticated run profiles that perform a number of steps at once. For the purposes of this walkthrough, and to help you learn how data flows, simpler individual run profiles are used for each phase of data flow rather than combining multiple phases into a more extensive run profile.

Configure the Full Import and Full Synchronization Run Profile for the Import Management Agent

The first run profile is used to stage the data from the source management agent to the connector space and from there, to synchronize it with the Metaverse. ILM 2007 allows the combining of these two actions into a single run profile.

1. Open Identity Manager if necessary.

2. Make sure that the Management Agents tool is active.

3. Click the source management agent (the name you assigned to it at the time of creation).

4. In the Actions menu, choose Configure Run Profiles. The Configure Run Profiles for <management agent Name> screen opens.

5. Click New Profile… to open the Configure Run Profile screen.

6. Enter Full Import and Full Synchronization as the name of the run profile in the Name text box and click Next.

7. On the Configure Step screen specify the type of operation that will occur when this run profile is used. This is where you choose the phase of data flow that will be processed when this run profile is used. In the drop-down list, choose Full Import and Full Synchronization. This option will cause all the data in the data source to be staged in the connector space.

8. The other options on this screen are not needed in this instance. Click Next.

9. Leave the Partition set to default and click Finish.

10. Click OK to return to Identity Manager.

Configure Export Run Profile for the Windows Live Management Agent

The second run profile that you will need to create is the Export run profile for the Windows Live Management Agent. This profile exports the data from the Windows Live ID connector space and sends it to the Windows Live service for processing. Examples of data that may be exported as part of an Export run of the Windows Live Management Agent include adding (provisioning) users, evicting (removing from the namespace) users, and resetting passwords. To create the Export run profile, follow the steps above used to create the Full Import and Full Synchronization profile, but instead of selecting Full Import and Full Synchronization in the drop-down list, select Export. To verify that the run profile has been created, select the name you have assigned to the Windows Live Management Agent in the Management Agents screen and then select Run from the Actions menu. You should see a screen listing the profiles, with the Export profile among them.

Delta Import and Delta Synchronization

What are Deltas?

While Full Import and Full Synchronization runs are very thorough and evaluate the necessary tasks on every object in the data source, it may be prudent to run Delta Import and Delta Synchronization runs whenever possible and Full Import and Full Synchronization runs only occasionally (weekends, monthly, etc.). The difference between a full and a delta run is that a full run processes every object every time, whereas a delta run processes only the objects that have changed since the last run. For example, if you have 150,000 users in your source repository but only 15 of them are new as of today and you performed a run yesterday, a delta run will process only these 15 users and ignore the previous 150,000, whereas a full run will process the full 150,000 users. The delta synchronization and full synchronization run profiles only affect objects from the management agent connected to the data source. The Windows Live Management Agent only performs exports, which are inherently deltas.

Setting up Deltas

Setting up deltas is straightforward if you are using Active Directory as the “source” data store. AD supports deltas by default, and the only change needed to accommodate them is the creation of a run profile that explicitly uses them: choose the “Delta Import, Delta Synchronization” step rather than the “Full Import, Full Synchronization” step when creating the profile. The deltas will automatically be created and used by the AD management agent. Should AD not be your data source, you may still be able to use deltas if your source supports them; for example, deltas have been implemented for LDAP directories, SQL servers and many other systems. See the Developer Reference in the Help menu of Identity Manager for more information on setting up and configuring deltas for various connected directories.

Populating the Metaverse

Now that you have created the appropriate run profiles, you need to populate the ILM Metaverse before you can create new Windows Live IDs from the data it will contain. To populate the Metaverse, run the data source management agent with a Full Import Full Synchronization run profile. This type of run should occur at regular intervals but should probably not be the standard daily run you execute, because a full import and full synchronization takes time: every object is evaluated. In the ILM management console, on the Tools menu, click Management Agents, and then click the data source management agent (the name you previously assigned to it) to highlight it. On the Actions menu click Run to display the Run Management Agent dialog box. Under Run profiles click the appropriate profile for Full Import, Full Synchronization (for most setups like the one discussed above, there is only one), and then click OK.

Note: If the option is available, create and run a Delta Import, Delta Synchronization profile instead of a Full Import, Full Synchronization profile. The “Delta Import, Delta Synchronization” profile is run via steps similar to the ones above, with a different run profile selected. For more information, see the Delta Import and Delta Synchronization section of this guide.

Note: Depending upon the number of Windows Live IDs to be processed the job may execute for several seconds to several hours. ILM management agents run in a single thread and you can expect an approximate rate of 2-6 seconds per account, depending on network traffic, connectivity etc.

The end result of a management agent run will be shown at the bottom of the main window in a panel containing the end time and status. If the status indicates success, see the next section, Creating Window Live IDs. Otherwise, see the Troubleshooting section later in this guide.

Troubleshooting the Staging of the Student Data

If you are having problems staging the data for the Students data source, consider the following and see the section titled Troubleshooting:

Configure the proper partition and OU information when setting up the Active Directory management agent (the “source” management agent).

Set the synchronization step Type to Full Import and Full Synchronization when creating the staging run profile.

Creating Windows Live IDs

In the ILM management console, on the Tools menu, click Management Agents, and then click the Windows Live Management Agent (or another name you’ve assigned to it at the time of creation) to highlight it. On the Actions menu click Run to display the Run Management Agent dialog box. Under Run profiles click the appropriate profile for export (for most setups there is only one, named Export), and then click OK.

The end result of a management agent run is shown at the bottom of the main window in a panel containing the end time and status. If the status indicates success, as circled in the screen capture below, see the next section, “Managing the Output Files”.

As with other ILM management agents Windows Live Management Agent results are available for future reference in the Operations log. To view the Operations log click on the Tools menu of the ILM management console and then click Operations.

Managing the Output Files

For a management agent run with a status of “success”, or in some cases completed-export-errors, an output log contains the details of the temporary passwords assigned to the new Windows Live IDs that were successfully processed. The location of the logs is C:\Program Files\Microsoft Identity Integration Server\MaData\<your Windows Live Management Agent name> (or adapt for your ILM installation). The file name prefix is indicated in the Additional Parameters property of the management agent, with the date/time appended to complete the file name. The format of the file looks like this:

Given the sensitive nature of the file contents, it is stored in a folder that by default is accessible only to members of the MIISAdmins security group and, optionally, the MIISOperators security group; the latter is assigned permission by a manual configuration step. This folder should also be backed up to a secondary location with restricted access. The purpose of the output file is to give the System Administrator a reference from which to produce the first-time communication of the Windows Live ID e-mail account name and password to the target user, should the password not be supplied by ILM at the time of user creation. The user will be forced to change their password (and secret question/answer) at first sign-on, per the flow shown in Password Management later in this guide. Though the user will change the password, the file is still considered to contain sensitive data because it contains an inventory of valid e-mail names. It is recommended to delete the file and the backup(s) 60 days after the temporary Windows Live IDs have been communicated to the users. After deletion, the ILM Metaverse contains the definitive source for the e-mail names and is backed up as a standard operating procedure.
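The 60-day retention rule above is easy to state and easy to forget. The following script is an added example (not part of the guide or the management agent) of how an administrator could enforce it: it selects output files under the management agent's MaData folder by file-name prefix and age, reports them in a dry run, and deletes them only when explicitly told to. The guide does not give the exact date/time layout the agent appends to the prefix, so the script uses the filesystem modification time as the age source; the prefix "WLMAOutput_" and the file names in the demonstration are constructed placeholders.

```python
import os
import tempfile
import time
from pathlib import Path

# Guide's default MaData location; the per-agent sub-folder and the file-name
# prefix used below are placeholders to be replaced with your own values.
MA_DATA_DIR = r"C:\Program Files\Microsoft Identity Integration Server\MaData"
RETENTION_DAYS = 60
SECONDS_PER_DAY = 86400


def expired_output_files(folder, prefix, retention_days=RETENTION_DAYS, now=None):
    """List files in folder whose name starts with prefix and whose last
    modification is older than retention_days.  The run date/time the agent
    appends to the file name is not parsed (its layout is not documented here),
    so the filesystem mtime stands in for it; that is an assumption."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    return sorted(
        p for p in Path(folder).iterdir()
        if p.is_file() and p.name.startswith(prefix) and p.stat().st_mtime < cutoff
    )


def purge_expired(folder, prefix, retention_days=RETENTION_DAYS, now=None, dry_run=True):
    """Delete expired output files.  dry_run=True (the default) only reports
    the selection so an operator can review it before anything is removed.
    Returns the names of the files selected."""
    expired = expired_output_files(folder, prefix, retention_days, now)
    if not dry_run:
        for path in expired:
            path.unlink()
    return [p.name for p in expired]


def demo_retention_check():
    """Constructed demonstration in a temporary directory: three files with
    back-dated modification times.  Returns (dry_run_selection, remaining_after_purge)."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        # constructed file name -> age in days; "WLMAOutput_" is a placeholder prefix
        ages = {"WLMAOutput_20080101.log": 90, "WLMAOutput_20080301.log": 10, "unrelated.txt": 120}
        for name, age in ages.items():
            path = Path(tmp) / name
            path.write_text("constructed sample content\n")
            stamp = now - age * SECONDS_PER_DAY
            os.utime(path, (stamp, stamp))
        selected = purge_expired(tmp, "WLMAOutput_", now=now)          # dry run: report only
        purge_expired(tmp, "WLMAOutput_", now=now, dry_run=False)     # real deletion
        remaining = sorted(p.name for p in Path(tmp).iterdir())
        return selected, remaining


if __name__ == "__main__":
    selected, remaining = demo_retention_check()
    print("would delete:", selected)
    print("left in place:", remaining)
```

Only files carrying the agent's prefix are considered, so unrelated files in the same folder are never touched, and the backup copy in the secondary location needs the same treatment with its own folder path.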

Features of the Windows Live Management Agent

Besides the basic configuration of the attribute flow and XML files, there are several other features of the Windows Live Management Agent that you can take advantage of.

Renaming of E-mail Addresses

Because the Windows Live Management Agent v3.0 allows renaming of e-mail addresses, you may perform a rename by flowing a new e-mail address into the SigninName attribute in the Windows Live Management Agent. This is useful for cases such as an e-mail address based on the person’s name when the name changes due to an event such as a marriage.

Note: Currently, renaming an account results in the loss of the mailbox content for that account but retains calendar and contact information. Microsoft is building out functionality so that the account will keep its mailbox content as well. There is no ETA for when this functionality will be ready; as soon as it is released, the Windows Live@Edu team will communicate to all schools in the program and update the FAQ. In the interim, it is recommended that you create new accounts instead. To create new accounts using Active Directory as your data source, you must use an anchor attribute such as employeeID instead of SigninName.

Deleting Windows Live IDs

You can delete, or evict, Windows Live IDs from your namespace for students who are voluntarily leaving the namespace, and whenever you need to clean up the namespace. If a member tries to sign in to an evicted account, the member is asked to rename their Windows Live ID to something outside the domain namespace; the member can rename into an @hotmail.com address. Evicted Windows Live IDs do not retain the actual e-mail in their existing accounts, but they do retain their Windows Live Address Book. For Windows Live Messenger, the student retains their contact list, and all their contacts are automatically updated to the student’s new IM identity. The freed account name becomes available immediately for re-use as long as the password length is different.

Setting an Object Deletion Rule

The Windows Live Management Agent needs to be configured with “Stage a Delete” on the Configure Extensions tab. Then, in the ILM management console on the Tools menu, click Metaverse Designer, and then click Configure Object Deletion Rule.

To enable the Windows Live ID evict feature select either the second or third option in the following dialog box.

Note: The second option is used in conjunction with your source data management agent and not with the Windows Live Management Agent. When an object is deleted from the source management agent, the Windows Live ID will be evicted from the managed namespace on the next export run. If you want to write custom code for the deletion rules, select the third option and modify your rules extension code accordingly. Note that in this case you may not use the precompiled rules extension that ships with the management agent, because it contains no deletion rules.

Attribute Interdependencies

Within the Windows Live ID system, certain attributes are related to each other. For an improved user experience, we suggest you configure the five attributes below on all accounts. These attributes allow students to reset their own passwords, access the calendar, and have their mail stamped with the appropriate date and time.

The values can be applied to the Windows Live ID profiles via Attribute Flow or in WLCDGlobalConfig.xml. Further information regarding these attributes can be found in the Administrators Guide appendices.

Country: 2-character alphabetic code for the country, e.g. US.

PostalCode: 1-15 digit numeric code for the user’s postal code, e.g. 98052.

TimeZone: 1-4 digit numeric code for the user’s time zone, e.g. 1119.

RegionCode: 1-5 digit numeric code for the user’s region (state), e.g. 5599.

Birthdate: 10-character alphanumeric string for the birthdate in the format DD:MM:YYYY, e.g. “31/12/1960” without the quotes.

Note: Providing some, but not all of these fields may cause errors. It is best practice to provide all.
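Because a partial set of these five attributes is exactly the kind of data defect that surfaces only as an export error, it is worth checking the source records before the export run. The following validator is an added example (not code from the guide or from the management agent) that applies the formats listed above to one record at a time and flags the some-but-not-all case explicitly. The Birthdate check follows the guide's example value "31/12/1960" (day/month/year with slashes) rather than the colon-separated format string; treating the slashed form as the expected value is an assumption of this example, and the sample records are built from the guide's example values plus constructed variants.

```python
import re
from datetime import datetime

# Formats of the five interdependent profile attributes as the guide states them.
# Birthdate follows the guide's example "31/12/1960" (an assumption, see lead-in).
ATTRIBUTE_RULES = {
    "Country": re.compile(r"^[A-Za-z]{2}$"),                   # 2-letter code, e.g. US
    "PostalCode": re.compile(r"^[0-9]{1,15}$"),                # 1-15 digits, e.g. 98052
    "TimeZone": re.compile(r"^[0-9]{1,4}$"),                   # 1-4 digits, e.g. 1119
    "RegionCode": re.compile(r"^[0-9]{1,5}$"),                 # 1-5 digits, e.g. 5599
    "Birthdate": re.compile(r"^[0-9]{2}/[0-9]{2}/[0-9]{4}$"),  # 10 chars, e.g. 31/12/1960
}


def validate_profile_attributes(record):
    """Check one account record (dict of attribute name -> string) before export.

    Returns a list of problem descriptions; an empty list means the record is
    acceptable.  Two classes of problem are reported:
      * a partial set: the guide warns that supplying some but not all of the
        five attributes may cause errors, so that case is flagged explicitly
        (supplying none of them is not flagged);
      * a value that does not match the documented format.  Birthdate is also
        checked to be a real calendar date, because a value such as
        "31/02/1960" matches the pattern but is not a date.
    """
    problems = []
    present = [name for name in ATTRIBUTE_RULES if record.get(name)]
    if present and len(present) != len(ATTRIBUTE_RULES):
        missing = sorted(set(ATTRIBUTE_RULES) - set(present))
        problems.append("partial set: missing " + ", ".join(missing))
    for name, pattern in ATTRIBUTE_RULES.items():
        value = record.get(name)
        if not value:
            continue
        if not pattern.match(value):
            problems.append(f"{name}: {value!r} does not match the expected format")
        elif name == "Birthdate":
            try:
                datetime.strptime(value, "%d/%m/%Y")
            except ValueError:
                problems.append(f"Birthdate: {value!r} is not a real calendar date")
    return problems


# Sample records: "complete" uses the guide's own example values, the rest are constructed.
SAMPLE_RECORDS = {
    "complete": {"Country": "US", "PostalCode": "98052", "TimeZone": "1119",
                 "RegionCode": "5599", "Birthdate": "31/12/1960"},
    "partial": {"Country": "US", "PostalCode": "98052"},
    "bad_date": {"Country": "US", "PostalCode": "98052", "TimeZone": "1119",
                 "RegionCode": "5599", "Birthdate": "31/02/1960"},
    "none_set": {"mail": "student@wledutraining.com"},
}


def validate_all(records=SAMPLE_RECORDS):
    """Validate every record; return {label: problems} for the ones with problems."""
    report = {}
    for label, record in records.items():
        problems = validate_profile_attributes(record)
        if problems:
            report[label] = problems
    return report


if __name__ == "__main__":
    for label, problems in validate_all().items():
        print(f"{label}: " + "; ".join(problems))
```

Run against the whole source extract before the export run profile, the report lists the records that would otherwise fail or produce an inconsistent profile, so they can be corrected at the data source rather than hunted down in the export log afterwards.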

Active vs. Inactive Student Handling

If you wish to retire student accounts that are no longer active in your domain, you have a couple of options.

1. If a member should no longer be part of the domain and you have object deletion rules set, you can simply delete the member from the data source. This evicts the member from the domain namespace. The member’s mailbox is deleted, but contact and calendar information remain intact.

2. If a member retains the domain account but is no longer an active student, offers for the student should be removed using attribute flow.

Configuring Multiple Sites

It is a common scenario for schools to have a completely different domain for different schools within their community, or different domains for students and alumni. The WLCDGlobalConfig.xml file allows you to specify additional domains, and as long as the administrator account used to create the accounts (or the certificate used for authentication) is an administrator on both domains, the accounts will be created. A sample WLCDGlobalConfig.xml configured for two domains is below:

Section 11: Password Management

Create Initial Password

To set the initial password for the students, you must select one of two methods. Either use attribute flow in ILM 2007 to set the initial password using the TempPassword attribute, or allow the management agent to set the password for you. When you allow the management agent to create the initial password, it is stored in the log file in the C:\Program Files\Microsoft Identity Integration Server\MaData\<export ma> folder by default.

Password Reset

Two methods are available online for an individual Windows Live ID user to reset his or her own password: (a) using data verification and answering the secret question, or (b) if an optional alternative e-mail address was provided, a mail is sent to that address containing a link to a site where the password can be changed. The System Administrator-based password reset procedure presumes these methods have failed the end user. Before proceeding, the System Administrator must validate that the user requesting the password reset is the legitimate owner of the Windows Live ID, for example, by viewing a student ID card and ensuring that student was assigned the e-mail address for which they are requesting a password reset. Once it is determined that a System Administrator-based password reset is required, the password may be reset using the methods described below.

Password Limitations

Passwords must be at least six characters and at most 16. The Windows Live ID may NOT be part of the password. For security purposes, we recommend that temporary passwords be 10 characters long and contain at least one character from each of the following character sets:

Lower-case chars: {abcdefghijklmnopqrstuvwxyz}

Upper-case chars: {ABCDEFGHIJKLMNOPQRSTUVWXYZ}

Numbers: {0123456789}

Special Characters: {!@#$%^*()-_=+;:,./?`~} (excluding the curly braces)

A password cannot contain part of the secret question or secret answer after an account has been activated and the secret question set. The answer to the Windows Live ID secret question helps a member reset a password in case it was forgotten. For example, if the Windows Live ID secret question is “Mother’s Birthplace” and “Seattle” is the answer, the Live ID password cannot contain “Seattle”. This restriction is not case sensitive.

Attribute Flow Based Password Resets (Method 1)

Resetting a lost password is as simple as changing the value for TempPassword that was set in attribute flow. On the next export run cycle, the user’s password is set to that value, after which you can communicate the new password to the user, who will be forced to change the password at next logon. In the screen shot example below, we are using a text file as our data source.

In the data source, we’ve assigned a new temporary password in a delimited text file.

After saving the file, one would perform the normal run cycle for the import and export management agents; an import to connector space from the data source management agent followed by a synchronization and finished with an export to Windows Live. Attribute flow for the delimited file management agent looks like the screen shot below, with SigninName and TempPassword importing to mail and TempPassword in the metaverse.

Delimited data source management agent’s attribute flow:

Export management agent’s attribute flow:

Below is another example of using Active Directory to flow a TempPassword. In this case, the mail attribute is set in the e-mail field on the General tab and the TempPassword is using the Notes field to flow into Metaverse.

Active Directory import management agent’s attribute flow:

Export management agent’s attribute flow:

Attribute Flow Based Password Resets (Method 2)

1. Create a template delimited text or comma-separated values file that contains two values (SigninName, TempPassword) separated only by a comma.

2. Create a second import MA (delimited .txt or .csv) by clicking Create in the Management Agents tool.

3. Give the management agent a name and a description (optional) and click Next.

4. In Select Template File, click Browse and select the delimited text file you created in step 1.

5. In Delimited Text Format, select the tick box for Use first row for header names, select comma as the delimiter and click Next.

6. On the Configure Attributes page, set the anchor to the SigninName. Click the Set Anchor button.

7. Select the SigninName attribute from the list of available attributes, click the Add button and click OK.

8. Skip the pages for Map Object Types, Define Object Types, Configure Connector Filter and on the Configure Join and projection rules page, click the New Join Rule button.

9. Select SigninName from the Data source attribute list, set the Mapping type to direct, and select the metaverse object containing the Windows Live ID, then click Add Condition.

10. If the Metaverse attribute containing your Windows Live ID isn’t indexed in ILM, the message below may appear. You can fix this by selecting the tick box for the attribute in Metaverse Designer but it is not necessary. Click OK.

11. The condition statement for the join rule appears in the list; click OK.

12. The join rule appears in Configure Join and Projection Rules, click Next.

13. On the Configure Attribute Flow page, set up direct import attribute flow for SigninName and TempPassword, then click Next.

14. On the Configure Deprovisioning page, select the radio button next to Do not recall attributes and click Next.

15. On the Configure Extensions page, click Finish.

16. Copy the template file to the MaData folder in the ILM 2007 installation path. The default path is C:\Program Files\Microsoft Identity Integration Server.

17. Create a Full Import and Full Synchronization run profile for the new management agent by selecting the management agent in ILM, clicking Configure Run Profiles as mentioned before in Section…

18. Set the hierarchy for the password reset management agent above the data source management agent by clicking the Metaverse Designer tool, selecting the metaverse object type and the TempPassword attribute and select Configure Attribute Flow Precedence from the actions menu.

19. Select the password reset management agent in the list and click the up arrow so that it takes first order of precedence and click OK.

Performing the reset

1. Edit the template file with the username of the member who needs their password reset and the new temporary password, and save the changes.

2. Run a full import and synchronization on the password reset management agent. You will notice a successful join in the synchronization statistics.

3. Run an export on the Windows Live export management agent. The user will now be able to use the new temporary password to log into their account and set a new password.
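The Password Limitations section above states the rules a temporary password has to satisfy, and Method 2 requires those passwords to be typed into a two-column, comma-delimited file. The script below is an added example, not code from the guide or from the management agent, that ties the two together: it generates temporary passwords of the recommended 10 characters from the OS CSPRNG with at least one character from each of the four sets, checks a password against the stated rules (length, no Windows Live ID, all four sets, no secret answer), and writes the SigninName,TempPassword file for the reset management agent. Two choices are this example's own: the Windows Live ID rule is applied to both the full sign-in name and its local part, and generated passwords avoid the comma because it is the file delimiter. The sign-in names are constructed, using the guide's example domain wledutraining.com.

```python
import csv
import io
import secrets

# Character sets from the guide's password recommendation.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
SPECIAL = "!@#$%^*()-_=+;:,./?`~"
CHARSETS = {"lower-case": LOWER, "upper-case": UPPER, "number": DIGITS, "special": SPECIAL}
MIN_LEN, MAX_LEN, RECOMMENDED_LEN = 6, 16, 10
# The comma delimits the reset file, so generated passwords leave it out
# (a design choice of this example, not a Windows Live rule).
GEN_SPECIAL = SPECIAL.replace(",", "")


def check_temp_password(password, signin_name, secret_answer=None):
    """Return the list of guide rules a proposed temporary password violates.

    Rules: 6-16 characters; the Windows Live ID must not appear in the password
    (checked for the full sign-in name and for its local part, this example's
    interpretation); at least one character from each of the four sets; and,
    once a secret answer exists, the password must not contain it, compared
    case-insensitively as the guide states.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} not in {MIN_LEN}-{MAX_LEN}")
    lowered = password.lower()
    sid = signin_name.lower()
    local_part = sid.split("@", 1)[0]
    if sid in lowered or (local_part and local_part in lowered):
        problems.append("contains the Windows Live ID")
    for label, charset in CHARSETS.items():
        if not any(ch in charset for ch in password):
            problems.append(f"no {label} character")
    if secret_answer and secret_answer.lower() in lowered:
        problems.append("contains the secret answer")
    return problems


def generate_temp_password(length=RECOMMENDED_LEN):
    """Random password with at least one character from every set, drawn from
    the OS CSPRNG (secrets) rather than the random module."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    sets = [LOWER, UPPER, DIGITS, GEN_SPECIAL]
    chars = [secrets.choice(s) for s in sets]              # guarantee one of each set
    pool = "".join(sets)
    chars += [secrets.choice(pool) for _ in range(length - len(sets))]
    for i in range(len(chars) - 1, 0, -1):                 # Fisher-Yates shuffle, CSPRNG-driven
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def build_reset_file(signin_names):
    """Return (csv_text, {signin_name: password}) for the Method 2 reset file:
    a header row 'SigninName,TempPassword' then one comma-separated row per
    account.  A password is regenerated until it passes check_temp_password,
    e.g. if the random fill happened to spell the account's local part."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, lineterminator="\r\n")
    writer.writerow(["SigninName", "TempPassword"])
    assigned = {}
    for name in signin_names:
        password = generate_temp_password()
        while check_temp_password(password, name):
            password = generate_temp_password()
        writer.writerow([name, password])
        assigned[name] = password
    return buffer.getvalue(), assigned


if __name__ == "__main__":
    # Constructed sign-in names in the guide's example domain.
    text, _ = build_reset_file(["jsmith@wledutraining.com", "amartin@wledutraining.com"])
    print(text, end="")
```

The returned dictionary is what the administrator communicates to the users; the file itself carries the same sensitive content as the management agent's output log and should be stored and deleted under the same rules described in Managing the Output Files.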

ILM Password Synchronization

ILM 2007 allows the synchronization of passwords set in Active Directory or other “source” systems to other target systems such as a different AD domain or, in this case, Windows Live. This functionality allows you to perform one-way synchronization of passwords from AD to Windows Live IDs if desired.

Using Active Directory as the Source for Password Changes

If you elect to use Active Directory as the source for password changes to Windows Live, you may use a free pre-built Microsoft solution called Password Change Notification Service (PCNS). PCNS is a mature supported solution used by enterprise customers to perform password resets; it was designed to allow password resets to be performed between separate AD domains or even AD forests, but does not require the target of the password change to be Active Directory; thus, you may set the Windows Live Management Agent as the target.

Note: Even though ILM 2007 is not a real-time system in general, the password synchronization will occur as close to real-time as possible. No running of any management agent is required for the synchronization to occur; the password will automatically be sent out as soon as it is received.

The user or an administrator initiates the password change request in AD. The password change request, including the new password, is sent to the nearest AD domain controller.

The domain controller records the password change request and notifies the password change notification filter (a PCNS DLL that monitors for change notifications).

The password change notification filter passes the request to PCNS.

PCNS verifies the password change request, then authenticates the Service Principal Name (SPN) using Kerberos and forwards the password change request in an encrypted Remote Procedure Call (RPC) to the desired ILM 2007 server.

ILM 2007 validates that the source domain controller is a member of the Domain Controllers container in the source domain and then uses the domain name to locate the management agent that services that domain. It uses the user account information in the password change request to locate the corresponding object in the connector space.

ILM 2007 determines the management agents that have been configured to receive the password change (“target” management agents, in our case the Windows Live Management Agent) and, if they are enabled for password synchronization, propagates the password change to them.

The Windows Live Management Agent then performs the proper web service calls to reset the password in the Windows Live system.

The synchronization described above is a one-way synchronization. Should a user reset his or her password in Windows Live it will not be reset in AD. However, if the user resets the password in AD it will automatically be set in Windows Live.

Should you choose to implement password synchronization via PCNS, download the following file: http://www.microsoft.com/downloads/details.aspx?FamilyID=ae09d2f5-8ac2-4769-ab6a-48fe35a25c63&DisplayLang=en. After installation, see the Password Synchronization scenario under C:\Program Files\Microsoft Identity Integration Server\Scenarios\PasswordSynchronization (or the corresponding directory if you changed the installation path for ILM 2007). To set up PCNS to synchronize AD passwords to Windows Live you need to perform the following steps. Each is explained in detail in the above-mentioned document, which should serve as your primary reference when setting up PCNS.

Install the DLL filter on each domain controller in the domain. This is accomplished by running the MSI installation file that is provided as part of the PCNS solution on each domain controller. This task may be automated using a push mechanism of your choice that supports automated installs of MSI files.

Configure the service principal name (SPN) to point to the desired ILM 2007 server. This is configured by using the SETSPN utility in Windows and only needs to be performed once for the ILM 2007 server.

Configure the groups in AD whose passwords are to be synchronized. This gives you the flexibility to synchronize only the passwords of your student users in AD rather than monitoring for changes from every user.

Configure the Active Directory management agent (source management agent) for password synchronization. Once the Active Directory management agent is installed and configured, select it, click Properties, and then click Configure Active Directory Partitions. Under Password Synchronization, select Enable this partition as a password synchronization source. Click the Targets button and select the Windows Live Management Agent as the target management agent for the password changes. Be sure to clear the check box that requires a secure connection for password synchronization operations.

Configure the Windows Live Management Agent (target management agent) to receive password change notifications. Once the Windows Live Management Agent is installed and configured, select it, click Properties, and then click Configure Extensions. Under Password Management, select Enable Password Management. Verify that the Extension Name is PassportPasswordExtension.dll and that the radio button is set to Set and Change. Click the Targets button and clear the check box that requires a secure connection for password synchronization operations.

While still on Configure Extensions, click the Settings button. In the Connect To: text box, type the CN value from the Subject field of your certificate (in most cases sapipartner.com), without quotation marks. The CN value can be found on the Details tab of the certificate in the Certificates management console. Leave the password field blank (it is not needed).

Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then Options. Select the Enable Password Synchronization check box if it is not already selected. This allows your management agents to receive password synchronization requests from the domain controllers.

Using Other Systems as the Source for Password Changes

To enable password synchronization from systems other than Active Directory you will need to programmatically capture password changes and propagate them to ILM through its WMI interface. Examples may be found in the Developer Reference help file in ILM at mk:@MSITStore:c:\program%20files\microsoft%20identity%20integration%20server\uishell\helpfiles\mmsdev.chm::/mms/example__setting_passwords.htm or by searching for Example: Setting Passwords in the Developer Reference, accessible via the Help menu in Identity Manager. The following must be configured in ILM 2007 to allow it to receive password change requests from your code.

Configure the Windows Live Management Agent to receive password change notifications. Once the Windows Live Management Agent is installed and configured, select it, click Properties, and then click Configure Extensions. Under Password Management, select Enable Password Management. Verify that the Extension Name is PassportPasswordExtension.dll and that the radio button is set to Set and Change.

Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then Options. Select the Enable Password Synchronization check box if it is not already selected. This allows your management agents to receive password synchronization requests from your password change code.

Once the above steps are completed you may use the example code from the Developer Reference to send passwords to the Windows Live ID for reset.

Another option for building password reset or change functionality is to engage Oxford Computer Group (Oxford). Oxford has a long history of creating password change and reset solutions with ILM. Oxford specializes in identity and access management and is a Microsoft Gold Partner with offices in the UK, Germany, Canada and the US. Services include strategic and functional consulting, system integration, and solution and skill development.

To contact Oxford Computer group please use the following e-mail address – [email protected]

Reset Password Flow

If a student forgets his/her password to their Windows Live ID there are two ways for them to reset their password online:

Send an automated reset password e-mail to an alternate e-mail address.

Enter information online including Country/Region, State, Zip Code, Secret Question and Secret Answer.

If all else fails the student can contact the appropriate school department to have the System Administrator reset his/her password using ILM 2007. Should a user lose their temporary password, or forget the one they subsequently created, and be unable to complete the online password reset procedure, the System Administrator should perform the following procedure to reset the password.

Recovering from a Forgotten Password

If a student forgets their password, they have to reset it before they can sign in to Windows Live again. They can reset their password by sending themselves a password reset e-mail message or by answering the secret question and entering their location information.

If the student does not already have an alternate e-mail address, the student will be prompted to enter an alternate e-mail address to make resetting passwords in the future easier. A confirmation page is displayed after a successful password reset.

Alternate E-mail Addresses

We recommend that students enter an alternate e-mail address upon first sign-in to Windows Live Hotmail, or to whichever Windows Live ID site they sign in to first if it is not Windows Live Hotmail. When signing in for the first time the student will be required to enter a Secret Question/Secret Answer pair. See “Appendix – First-Time User Sign-in Flow” for more information. Optionally, the student will also be asked to enter an alternate e-mail address. If a student has an existing e-mail address in addition to the one being established by the school we highly recommend that the student enter it. Doing so allows the student to easily reset their Windows Live ID password should they later forget it, without contacting the System Administrator.

For security purposes, the student will also be prompted to change their school-supplied temporary password the first time they sign in.

Entering Windows Live ID Profile Information

If the student does not have an alternate e-mail address they will need to enter a limited amount of Windows Live ID profile information. This needs to be done separately because a student will not be prompted to enter this information at first sign-in.

Go to https://account.live.com/. Sign in if prompted (authentication is required to use Account Services). In the left pane click Account Summary, and then click Add or Change your Alternate e-mail address.

On the next screen, scroll to the bottom and fill in Country/Region, State, and ZIP code. These values are required when resetting your password, so make sure this information is filled in with accurate values that you will remember, and then click Save. No other values are required on this screen.

Section 12: Troubleshooting

This section covers common issues that people face when they are installing the Live@edu solution.

Deprovisioning

It is important to pay careful attention to the settings used by the Windows Live Management Agent for deprovisioning actions. Setting these incorrectly may result in inadvertently evicting users, with negative consequences. The results of an accidental deletion might include the following:

Deletion of all of the students' e-mail

Inability for the students to continue to use the e-mail address

Here are a few possible deprovisioning scenarios you may encounter and possible troubleshooting steps. All scenarios are structured around the limitation of not being able to reuse an e-mail address for 210 days after it has been evicted.

Scenario 1: Inadvertently deleting users prior to handing out e-mail addresses.

Since the e-mail addresses have not yet been distributed to the users it may be possible to change the schema of the addresses and create new addresses. For example, should a user have been [email protected] previously, you may consider changing the schema to make it [email protected]. This will allow you to recreate the e-mail addresses.

Scenario 2: Inadvertently deleting users after handing out e-mail addresses but prior to accounts being used.

The solution for this is the same as scenario 1, if the schema change is possible. No mail or data will be lost since none is present yet.

Scenario 3: Inadvertently deleting users after handing out e-mail addresses to users. The users have started using accounts and have populated them with data.

This is not an easily recoverable scenario. You may use the solution from Scenario 1 to recreate the users, but you will not be able to recover the data in the accounts, such as e-mail. Additionally, if you are going to change the schema for e-mail addresses, be mindful not to change the addresses of users who were not affected by the eviction, because changing the schema for them will rename their existing address to the new one. Microsoft may be able to assist you if you get into this situation.

Name Recycling Limitations

Once a user is evicted from the namespace you may reuse their e-mail name for another account (or to re-provision this one) immediately, as long as the password for the member account is a different length than the previous password.

Note: Member accounts can only be recreated four times.

365 Day Usage Requirements

Users are required to log in to their Windows Live e-mail accounts at least every 365 days or their e-mail will be deleted due to disuse. The account will still exist and can be reactivated on demand at the next login; however, the contents of the mailbox will be deleted.

Windows Live ID SigninName Limitations

You must flow the full e-mail address, including the domain portion, to the SigninName attribute in the Windows Live Management Agent connector space. You must provide the full e-mail address in the form of [email protected] and not just James Smith.

Windows Live ID e-mail names must conform to RFC 822 (SMTP) for the user-name portion of the e-mail address and to RFC 1035 for the domain portion, with the following additional restrictions:

50 characters max

No UNICODE

First char must be a letter (must be in ASCII code range of 97-122, 65-90)

Period (ASCII 46) is allowed, except as the first or last character, and two adjacent periods are not allowed

All other chars must be in ASCII code range of 48-57 (numbers), 65-90 (uppercase), 95 (underscore), 97-122 (lowercase)

All other characters are disallowed

Windows Live ID Password Limitations

Passwords must be at least six characters and at most 16. The Windows Live ID may NOT be part of the password. For security purposes we recommend that temporary passwords be 10 characters long and contain at least one character from each of the following sets:

Lower-case characters: {abcdefghijklmnopqrstuvwxyz}

Upper-case characters: {ABCDEFGHIJKLMNOPQRSTUVWXYZ}

Numbers: {0123456789}

Special characters: {!@#$%^*()-_=+;:,./?`~} (excluding the curly braces)
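The following Python script is an added example written for this guide; it is not code from the Live@edu solution or from Microsoft. It encodes the SigninName rules and the password limitations above as checks a provisioning pipeline can run on its input before the data reaches ILM 2007, and it generates a temporary password that meets the recommendation (10 characters, one from each of the four sets, Windows Live ID not contained in the password). Three points are assumptions rather than statements of the guide: the 50-character limit is applied to the user-name portion; the domain portion is checked with a simplified RFC 1035 label pattern; and the rule that the Windows Live ID must not be part of the password is read conservatively to also exclude the user-name portion. The sample addresses are constructed.

```python
"""Validate Windows Live ID sign-in names and generate temporary passwords.

Added example for this guide, not code from the Live@edu solution or from
Microsoft. Assumptions not stated by the guide: the 50-character limit is
applied to the user-name portion; the domain portion is checked with a
simplified RFC 1035 label pattern; the "ID must not be part of the password"
rule also excludes the user-name portion. Sample addresses are constructed.
"""
import re
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^*()-_=+;:,./?`~"          # the special-character set listed in the guide
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)

MAX_LOCAL_LEN = 50                         # assumption: the limit applies to the user-name portion
LOCAL_ALLOWED = set(LOWER + UPPER + DIGITS + "._")
# Simplified RFC 1035 check: dotted labels of letters, digits and hyphens, each starting with a letter.
DOMAIN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z][A-Za-z0-9-]*)+$")


def validate_signin_name(signin_name: str) -> list:
    """Return the list of rule violations; an empty list means the name is acceptable."""
    errors = []
    if not signin_name.isascii():
        errors.append("Unicode characters are not allowed")
    if signin_name.count("@") != 1:
        errors.append("must be the full address in the form user@domain, not a display name")
        return errors
    local, domain = signin_name.split("@")
    if not DOMAIN_RE.match(domain):
        errors.append("domain portion is not a valid DNS name")
    if not local:
        errors.append("user-name portion is empty")
        return errors
    if len(local) > MAX_LOCAL_LEN:
        errors.append(f"user-name portion exceeds {MAX_LOCAL_LEN} characters")
    if not (local[0].isascii() and local[0].isalpha()):
        errors.append("first character must be a letter")
    if local.endswith("."):
        errors.append("last character must not be a period")
    if ".." in local:
        errors.append("two adjacent periods are not allowed")
    bad = sorted(set(local) - LOCAL_ALLOWED)
    if bad:
        errors.append("disallowed characters: " + "".join(bad))
    return errors


def password_is_acceptable(password: str, signin_name: str) -> bool:
    """Hard limits: 6 to 16 characters, and the Windows Live ID must not appear in the password."""
    if not 6 <= len(password) <= 16:
        return False
    lowered = password.lower()
    if signin_name.lower() in lowered:
        return False
    local = signin_name.split("@")[0].lower()
    if local and local in lowered:             # assumption: the user-name portion is excluded too
        return False
    return True


def meets_recommendation(password: str) -> bool:
    """Recommended strength: at least one character from each of the four sets."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_temp_password(signin_name: str, length: int = 10) -> str:
    """Generate a random temporary password that satisfies the limits and the recommendation."""
    if not 6 <= length <= 16:
        raise ValueError("Windows Live ID passwords must be 6 to 16 characters")
    rng = secrets.SystemRandom()
    alphabet = "".join(CLASSES)
    while True:
        chars = [secrets.choice(cls) for cls in CLASSES]            # one from each set
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)                                          # so the class order is not fixed
        candidate = "".join(chars)
        if password_is_acceptable(candidate, signin_name) and meets_recommendation(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample names: one valid, then one violation of each kind.
    for name in ("james.smith@example.edu", "James Smith", "1jsmith@example.edu",
                 "j..smith@example.edu", "jsmith+x@example.edu"):
        print(f"{name!r}: {validate_signin_name(name) or 'OK'}")
    print("temporary password:", generate_temp_password("james.smith@example.edu"))
```

Running the script prints the violations for each constructed sample name and one generated temporary password. generate_temp_password uses the secrets module rather than random so that one student's temporary password is not predictable from another's, which matters because these passwords are distributed out of band and remain valid until the student's first sign-in.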

.Net 2.0 and Hotfixes

You must have the .NET 2.0 library installed and the latest ILM 2007 hotfixes or you will encounter “stopped-extension-dll-exception” errors. To determine which versions of the .NET Framework are installed on a computer:

1. Locate the folder that contains the .NET Framework by clicking Start, then Run, and then pasting or typing %systemroot%\Microsoft.NET\Framework on the line. Click OK to open the folder.

2. Under that folder there should be a folder named for each version of the .NET Framework installed. Look for a folder with the version number v2.0.50727. If you do not see this folder then you need to install the .NET Framework 2.0.

3. If you do have the folder, open the v2.0.50727 folder and locate the Mscorlib.dll file.

4. Right-click the file and then click Properties.

5. Click the Version tab and note the file version.

6. If the version number starts with 2.0.50727 then you already have the correct version of the .NET Framework installed and you should go to the Troubleshooting section in this guide for more information about troubleshooting error messages. If not (or if you do not have the folder at all) then you must install the .NET 2.0 Framework using the instructions below. Click OK.

The .NET framework 2.0 installation can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5 or by searching for .NET Framework Version 2.0 at http://download.microsoft.com. To download and start the setup follow the instructions provided on the download site.

Additionally, you must install the latest ILM 2007 hotfixes to ensure that ILM 2007 will work with the .NET libraries installed. The ILM 2007 updates can be downloaded from http://www.microsoft.com/downloads/details.aspx?familyid=fa9dbb67-4654-4c94-b073-aa59676130af or by searching for ILM Hotfix at http://support.microsoft.com.

Issues Sending or Receiving E-mail

If you have trouble sending or receiving mail from accounts you have created, the issue is most commonly caused by incorrectly configured MX records. Please see the section Managing MX Records for more information.

Account Settings Precedence

There are several places where account settings can be changed as part of the solution. The order of precedence in which properties are assigned is as follows:

1. Mapped connector space attributes using attribute flows

2. Global config rules (using the WLCDGlobalConfig.xml file)

You should be mindful of which properties you set and where you set them since they may be overridden by a higher priority property set elsewhere.

Steps to troubleshoot the Live@edu solution depend on where the error occurs. Sometimes it is difficult to determine where to start however you can usually follow the data through the solution to determine the error condition. Start with the student data source, then move on to ILM 2007 and finally out to the Windows Live system.

ILM 2007 Failure Analysis Process Flow

Start by looking at the status from the run, which is normally displayed half way down the screen on the right side, as shown in the following screen.

The following table contains next steps for each run status.

Status: Next Steps

<null>: This is normal while the extension starts. Wait for the status to change.

in-progress: Windows Live IDs are exporting. You should see the Adds count increment while the extension is in progress.

completed-export-errors: See the “For completed-export-errors” section below.

success: This is normal if the extension ran without any errors. However, if zero Windows Live IDs were added and you were expecting more, you may need to check that your input data source has imported the data into the Metaverse and that your attribute flows and provisioning rules extension are correctly configured.

stopped-bad-server-credentials: Check the management agent properties and ensure that you have entered a user name and password on the Configure Connection Information tab of the management agent properties.

stopped-extension-dll-exception: See the “For stopped-extension-dll-exception” section below.

For “stopped-extension-dll-exception”

Windows Live IDs will not be processed because the exception occurred before the Windows Live ID export was attempted. ILM 2007 writes the errors to the Application event log, which you can view with Event Viewer. To open Event Viewer, click Start, click Run, and then type eventvwr.

For “completed-export-errors”

See Managing the Output Files in this guide. Note that Windows Live IDs that succeeded will NOT be re-processed on the next export run. We recommend that you re-attempt the export before further troubleshooting. It is not unusual for transient network conditions to cause a few Windows Live IDs in a large batch to fail; by retrying, you minimize the number of failures that require investigation, and there is no downside to doing so. Once you determine that the remaining failures are not due to transient network conditions, you can find the cause of the error for each Windows Live ID by double-clicking the corresponding error link in the right pane of the above screen shot, which brings up the detailed error report for that Windows Live ID.

Getting Support

For ILM and Windows Live Management Agent support, see http://support.microsoft.com/ph/1980.

Disaster Recovery Plan (ILM Server Outage)

A failure of the ILM server should not in itself result in data loss, because the identity data lives in the SQL Server database. However, other critical components reside on the ILM server: the rules extension source code, the exported encryption key set, operations scripts and everything in the MAData folder will be lost if you recover by reinstalling ILM. For this reason it is important to also have file system backups of the Microsoft Identity Integration Server folder.

If you have a backup of the encryption key set (exported with the ILM Key Management Utility, miiskmu.exe), the easiest way to recover from an ILM server outage is to reinstall ILM 2007 and the Windows Live Management Agent and point the installation at the existing SQL Server database. Once you provide the encryption keys and restore the supporting files to the proper folders you should be up and running. Again, refer to “Restoring Microsoft Identity Lifecycle Manager 2007” in the ILM 2007 help.

In the event that the ILM server suffers a failure or the management agents and the database are deleted, the following steps must be done to restore functionality to ILM and prevent errors upon re-synchronizing the data with your data source.

1. Install ILM and appropriate software onto the server as needed depending on the severity of the failure.

2. Restore your management agents from backup XML files or set up your management agents in ILM as they were before.

3. Turn off provisioning in ILM by going to the Tools menu and selecting Options, then unchecking the Enable Provisioning Rules Extension.

4. Create a full import run profile for the data source management agent.

a. Click the New Profile button, give the run profile a name (in this case, Full Import) and click Next.

b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).

c. In Management Agent Configuration, select the Input file name if using a text management agent, otherwise skip this step and click finish.

d. Create a full synchronization run profile for the data source management agent. Follow the exact same steps as Step 4; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.

5. Run a full import and full sync from the data source management agent to project data into the metaverse.

6. In Identity Manager under Actions, select Run, select Full Import and click OK.

7. In Identity Manager under Actions, select Run, select Full Sync and click OK.

8. In the Windows Live management agent, we have to set the domain into recovery mode and configure some parameters for the disaster recovery to work.

9. Open the Windows Live management agent and click the Configure Additional Parameters tab.

10. We need to add two parameters in this tab. Click New and add a Parameter name of Domain. In the Value field, type the name of your domain. Click OK.

11. Click new and add a Parameter name of DisasterRecoveryMode. In the Value field, type true and click OK.

12. Set a join rule on the Windows Live management agent for the SigninName attribute in Windows Live to join to the mail attribute (or whatever attribute you used in the Metaverse to store member e-mail accounts).

13. In Identity Manager, in the Windows Live management agent, select the Configure Join and Projection Rules tab.

14. Click New Join Rule, select the data source attribute SigninName and the Metaverse attribute mail (or whatever attribute in the Metaverse you are using to store member accounts), and click Add Condition.

15. Create a template for use in the full import run profile for the Windows Live management agent.

16. Navigate to the MaData folder in the installation folder for ILM. Usually this is C:\Program Files\Microsoft Identity Integration Server\MaData unless changed upon install.

17. Open the folder for the Windows Live management agent, right click and select New Text Document from the menu.

18. Give the file any name, for example, import.txt, and close the install folder window.

19. Create a full import run profile for the Windows Live management agent.

20. Follow the exact same steps as Step 4; name the profile appropriately, select Full Import from the run profile type, select the file you created in step 18 above and click Finish in Management Agent Configuration.

21. Create a full synchronization run profile for the Windows Live management agent.

22. Follow the exact same steps as Step 4; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.

23. Run a full import on the Windows Live management agent. Note the number of objects.

24. Run a full synchronization on the Windows Live management agent.

25. Verify that all imported accounts are joined. There should be the same number of joins as objects from the full import (unless you’re using Active Directory or another LDAP directory as your data source; in this case, you would subtract the container objects)

26. There should be pending exports to Windows Live for all joined accounts. Randomly examine a few pending exports to make sure attributes are correctly set. For instance, do not set the ResetPassword attribute unless you want to require all users to reset their password.

27. Run an export on the Windows Live MA.

28. Enable provisioning by going to the Tools menu\Options in ILM and selecting “Enable Provisioning Rules Extension”.

29. Run a full synchronization on the data source management agent.

30. If any exports are pending for the Windows Live management agent after step 29, these must be new users that were not created in Windows Live before the disaster occurred.

31. Run an export to Windows Live to create the new users (if desired).

Section 13: Advanced Topics

These advanced topics should be taken into consideration to extend the stability and functionality of your solution.

Student Portal Integration

The following example demonstrates a method to streamline the sign-up process and allow your students to be responsible for creating their own accounts. Eastern Washington University has demonstrated this methodology well. ILM 2007 still needs to be part of the solution to create the accounts; however, it can be wrapped with a front-end. This front-end could take the shape of an extension to your existing student portal. The following screenshots provide an example of one way to do this.

The portal integration solution would need to establish the login for the students. This login could potentially be created by the students, as demonstrated below. The sign-in name that the student chooses would eventually make its way into a data source that ILM 2007 can read, such as a SQL database or a text file. This SQL database or text file would then become the source of the student information rather than your existing student records. Additionally, the temporary password could be set through the portal and then provided to ILM 2007 via the database or text file.

If you need assistance with the methodology for or development of a solution that includes portal integration you can e-mail Oxford Computer Group at [email protected].

High Availability

While ILM is not a real-time system and thus may not be required to have 99.999% uptime, it is imperative that the system be operational whenever a “run” is required, however often that may be. Because ILM is not a real-time system, the usual high-availability technique of clustering ILM 2007 may not be appropriate; ILM 2007 is not a cluster-aware application.

A desirable and recommended strategy for high availability of ILM 2007 is to maintain a cold-standby server which may be brought up at any time should the primary machine malfunction.

Integration of Live@edu Into a Pre-existing ILM Environment

While many institutions are not yet using ILM 2007 for student synchronization, those that are may choose to integrate the Live@edu solution into their existing ILM 2007 environments. The steps for doing so are as follows:

Ensure you have the latest .NET and ILM 2007 hotfixes, according to the prerequisite requirements stated above. If you do not, you need to install these before proceeding.

Ensure your source management agent for student data provides an e-mail address to the Metaverse (note the attribute the address is in). This must be the full e-mail address including the domain portion. If you intend to provide an initial password for the user the data must be provided in the Metaverse as well.

Install and configure the Windows Live Management Agent in accordance with the instructions above. Please note that you will need to create a flow from the attribute in the Metaverse that contains e-mail address you would like to provision to the SigninName attribute in the Windows Live Management Agent connector space.

Configure the Metaverse provisioning extension as follows:

o Perform the steps listed in the Enable Provisioning section above, noting the previously listed DLL, if any.

o If you noted a DLL in the above step, edit the file specified in the section titled Metaverse Rules Extension XML Schema and add a line with contents of <add-assemblies…> but with the noted DLL from the step above. This will allow all of your previous code to receive data from ILM 2007 as it did prior to the Live@edu changes.

Distribution List Management

Distribution list management lives on the enterprise system. Once users receive their assigned e-mail addresses, the school administration or faculty may need to send mailings to groups or distribution lists. For example, an institution may want to group all users by the campus they are located on, so it would create a group for each campus and mail-enable the group. Manually placing individual accounts into the groups as users are created, modified or deleted typically involves a great deal of administrative overhead. ILM 2007 can be leveraged to automate the creation and maintenance of these groups, using a free Microsoft Group Management solution implemented in ILM 2007 (see the URL below for more information). The Group Management solution is a utility provided by Microsoft to allow the automatic population and management of group membership. It allows administrators to define criteria for groups through a web interface and then populates the groups automatically based on the criteria specified. Groups can be created in any data source that ILM 2007 can connect to, such as Active Directory (Exchange), Lotus Notes, Sun ONE, etc. For more details about the Group Management solution and links to the download, please use the following link:

http://www.microsoft.com/technet/technetmag/issues/2006/07/Automate/default.aspx

Integration of Metadata into Accounts

To build these groups, you will need to provide information about the students in the Metaverse. This information could include:

Class Status (student or alumni)

State

City

Etc.

In addition to utilizing this data to automatically create distribution lists using the Group Management solution, information contained in attributes like these can assist in the general maintenance of account information. Connecting ILM 2007 to other data sources and synchronizing this type of information can greatly reduce the costs of account administration.

Appendix A: Valid Region/Country Codes

Code Country

AF Afghanistan

AL Albania

DZ Algeria

AS American Samoa

AD Andorra

AO Angola

AI Anguilla

AQ Antarctica

AG Antigua and Barbuda

AR Argentina

AM Armenia

AW Aruba

AC Ascension Island

AU Australia

AT Austria

AZ Azerbaijan

BS Bahamas

BH Bahrain

BD Bangladesh

BB Barbados

BY Belarus

BE Belgium

BZ Belize

BJ Benin

BM Bermuda

BT Bhutan

BO Bolivia

BA Bosnia and Herzegovina

BW Botswana

BV Bouvet Island

BR Brazil

IO British Indian Ocean Territory

BN Brunei

BG Bulgaria

BF Burkina Faso

BI Burundi

KH Cambodia

CM Cameroon

CA Canada

CV Cape Verde

KY Cayman Islands

CF Central African Republic

TD Chad

CL Chile

CN China

CX Christmas Island

CC Cocos (Keeling) Islands

CO Colombia

KM Comoros

CD Congo (DRC)

CG Congo

CK Cook Islands

CR Costa Rica

CI Côte d'Ivoire

HR Croatia

CU Cuba

CY Cyprus

CZ Czech Republic

DK Denmark

DJ Djibouti

DM Dominica

DO Dominican Republic

EC Ecuador

EG Egypt

SV El Salvador

GQ Equatorial Guinea

ER Eritrea

EE Estonia

ET Ethiopia

FK Falkland Islands (Islas Malvinas)

FO Faroe Islands

FJ Fiji Islands

FI Finland

FR France

GF French Guiana

PF French Polynesia

TF French Southern and Antarctic Lands

GA Gabon

GM Gambia, The

GE Georgia

DE Germany

GH Ghana

GI Gibraltar

GR Greece

GL Greenland

GD Grenada

GP Guadeloupe

GU Guam

GT Guatemala

GG Guernsey

GN Guinea

GW Guinea-Bissau

GY Guyana

HT Haiti

HM Heard Island and McDonald Islands

HN Honduras

HK Hong Kong SAR

HU Hungary

IS Iceland

IN India

ID Indonesia

IR Iran

IQ Iraq

IE Ireland

IM Isle of Man

IL Israel

IT Italy

JM Jamaica

JP Japan

JO Jordan

JE Jersey

KZ Kazakhstan

KE Kenya

KI Kiribati

KR Korea

KW Kuwait

KG Kyrgyzstan

LA Laos

LV Latvia

LB Lebanon

LS Lesotho

LR Liberia

LY Libya

LI Liechtenstein

LT Lithuania

LU Luxembourg

MO Macao SAR

MK Macedonia, Former Yugoslav Republic of

MG Madagascar

MW Malawi

MY Malaysia

MV Maldives

ML Mali

MT Malta

MH Marshall Islands

MQ Martinique

MR Mauritania

MU Mauritius

YT Mayotte

MX Mexico

FM Micronesia

MD Moldova

MC Monaco

MN Mongolia

MS Montserrat

MA Morocco

MZ Mozambique

MM Myanmar

NA Namibia

NR Nauru

NP Nepal

AN Netherlands Antilles

NL Netherlands, The

NC New Caledonia

NZ New Zealand

NI Nicaragua

NE Niger

NG Nigeria

NU Niue

NF Norfolk Island

KP North Korea

MP Northern Mariana Islands

NO Norway

OM Oman

PK Pakistan

PW Palau

PS Palestinian Authority

PA Panama

PG Papua New Guinea

PY Paraguay

PE Peru

PH Philippines

PN Pitcairn Islands

PL Poland

PT Portugal

PR Puerto Rico

QA Qatar

RE Reunion

RO Romania

RU Russia

RW Rwanda

WS Samoa

SM San Marino

ST São Tomé and Príncipe

SA Saudi Arabia

SN Senegal

YU Serbia and Montenegro

SC Seychelles

SL Sierra Leone

SG Singapore

SK Slovakia

SI Slovenia

SB Solomon Islands

SO Somalia

ZA South Africa

GS South Georgia and the South Sandwich Islands

ES Spain

LK Sri Lanka

SH St. Helena

KN St. Kitts and Nevis

LC St. Lucia

PM St. Pierre and Miquelon

VC St. Vincent and the Grenadines

SD Sudan

SR Suriname

SJ Svalbard and Jan Mayen

SZ Swaziland

SE Sweden

CH Switzerland

SY Syria

TW Taiwan

TJ Tajikistan

TZ Tanzania

TH Thailand

TP Timor-Leste

TG Togo

TK Tokelau

TO Tonga

TT Trinidad and Tobago

TA Tristan da Cunha

TN Tunisia

TR Turkey

TM Turkmenistan

TC Turks and Caicos Islands

TV Tuvalu

UG Uganda

UA Ukraine

AE United Arab Emirates

UK United Kingdom

US United States

UM United States Minor Outlying Islands

UY Uruguay

UZ Uzbekistan

VU Vanuatu

VA Vatican City

VE Venezuela

VN Vietnam

VI Virgin Islands

VG Virgin Islands, British

WF Wallis and Futuna

YE Yemen

ZM Zambia

ZW Zimbabwe

Appendix B: Language Codes

These are the languages currently supported by Windows Live Hotmail.

Code Language

1025 Arabic

1046 Brazilian Portuguese

1026 Bulgarian

2052 Chinese (Simple)

1028 Chinese (Traditional)

1050 Croatian

1029 Czech

1030 Danish

1043 Dutch

1033 English

1061 Estonian

1035 Finnish

1036 French

1031 German

1032 Greek

1037 Hebrew

1038 Hungarian

1040 Italian

1041 Japanese

1042 Korean

1062 Latvian

1063 Lithuanian

1044 Norwegian

1045 Polish

2070 Portuguese

1048 Romanian

1049 Russian

2074 Serbian – Latin

1051 Slovak

1060 Slovenian

1034 Spanish

1053 Swedish

1054 Thai

1055 Turkish

1058 Ukrainian

Appendix C: TimeZone Codes

TimeZone Code Location

0 Universal Time

1264 Andorra, Andorra

1191 Dubai, United Arab Emirates

1201 Kabul, Afghanistan

1078 Antigua, Antigua and Barbuda

1077 Anguilla, Anguilla

1303 Tirane, Albania

1240 Yerevan, Armenia

1093 Curacao, Netherlands Antilles

1056 Luanda, Angola

1165 Casey, Casey Station, Bailey Peninsula

1166 Mawson, Mawson Station, Holme Bay

1167 McMurdo, McMurdo, McMurdo Station, Ross Island

1168 Palmer, Palmer Station, Anvers Island

1169 South Pole, Amundsen Scott Station, South Pole

1084 Buenos Aires, E Argentina (BA, DF, SC, TF)

1086 Catamarca, Catamarca (CT)

1090 Cordoba, W Argentina (CB, SA, TM, LR, SJ, SL, NQ, RN)

1116 Jujuy, Jujuy (JY)

1125 Mendoza, Mendoza (MZ)

1145 Rosario, NE Argentina, Mendoza (MZ)

1346 Pago Pago, American Samoa

1306 Vienna, Austria

1252 Adelaide, South Australia

1253 Brisbane, Queensland, most locations

1254 Broken Hill, New South Wales

1255 Darwin, Northern Territory

1256 Hobart, Tasmania

1257 Lindeman, Queensland, Holiday Islands

1258 Lord Howe, Lord Howe Island

1259 Melbourne, Victoria

1260 Perth, Western Australia

1262 Sydney, New South Wales, most locations

1079 Aruba, Aruba

1181 Baku, Azerbaijan

1297 Sarajevo, Bosnia and Herzegowina

1081 Barbados, Barbados

1189 Dacca, Bangladesh

1269 Brussels, Belgium

1069 Ouagadougou, Burkina Faso

1300 Sofia, Bulgaria

1180 Bahrain, Bahrain

1035 Bujumbura, Burundi

1070 Porto-Novo, Benin

1242 Bermuda, Bermuda

1185 Brunei, Brunei Darussalam

1117 La Paz, Bolivia

1092 Cuiaba, SW Brazil (MT, MS)

1101 Fortaleza, NE Brazil (AP, east PA, MA, PI, CE)

1120 Maceio, ENE Brazil (AL, SE, TO)

1122 Manaus, NW Brazil (RR, west PA, AM, RO)

1133 Noronha, Fernando de Noronha

1140 Porto Acre, Acre

1148 Sao Paulo, S & SE Brazil (BA, GO, DF, MG, ES)

1131 Nassau, Bahamas

1230 Thimbu, Bhutan

1047 Gaborone, Botswana

1286 Minsk, Belarus

1082 Belize, Belize

1094 Pacific Time, Victoria, British Columbia

1095 Pacific Time, Kamloops, British Columbia

1098 Mountain Time, Edmonton, Alberta

1103 Atlantic Time, Charlottetown, P.E.I.

1110 Atlantic Time, Halifax, Nova Scotia

1113 Mountain Time, Calgary, Alberta

1114 Eastern Time, Iqaluit, Nunavut

1129 Eastern Time, Montreal, Quebec

1135 Atlantic Time, Saint John, New Brunswick

1142 Central Time, St. Vital, Manitoba

1143 Central Time, St. Boniface, Manitoba

1144 Central Time, Regina, Saskatchewan

1150 Newfoundland Time, St. John's, Newfoundland

1155 Central Time, Saskatoon, Saskatchewan

1158 Eastern Time, Toronto, Ontario

1161 Pacific Time, Vancouver, British Columbia

1162 Pacific Time, Whitehorse, Yukon Territory

1163 Central Time, Winnipeg, Manitoba

1164 Mountain Time, Yellowknife, Northwest Territories

1314 Cocos, Cocos (Keeling) Islands

1030 Bangui, Central African Republic

1034 Brazzaville, Congo

1310 Zurich, Switzerland

1024 Abidjan, Côte d'Ivoire

1351 Rarotonga, Cook Islands

1324 Easter, Easter Island

1146 Santiago, Mainland

1044 Douala, Cameroon

1224 Beijing, China

1083 Bogota, Colombia

1091 Costa Rica, Costa Rica

1111 Havana, Cuba

1244 Cape Verde, Cape Verde

1313 Christmas, Christmas Island

1214 Nicosia, Cyprus

1292 Prague, Czech Republic

1267 Berlin, Germany

1043 Djibouti, Djibouti

1273 Copenhagen, Denmark

1097 Dominica, Dominica

1147 Santo Domingo, Dominican Republic

1037 Algiers, Algeria

1330 Galapagos, Galapagos Islands

1108 Guayaquil, Mainland

1302 Tallinn, Estonia

1036 Cairo, Egypt

1028 Asmera, Eritrea

1243 Canary, Canary Islands

1038 Ceuta, Ceuta, Melilla

1284 Madrid, Mainland

1026 Addis Ababa, Ethiopia

1276 Helsinki, Finland

1328 Fiji, Fiji

1251 Stanley, Falkland Islands

1337 Kosrae, Kosrae

1349 Ponape, Ponape (Pohnpei)

1356 Truk, Truk (Chuuk)

1359 Yap, Yap

1245 Faeroe, Faroe Islands

1031 Banjul, Gambia

1105 Grenada, Grenada

1228 Tbilisi, Georgia

1087 Cayenne, French Guiana

1025 Accra, Ghana

1275 Gibraltar, Gibraltar

1102 Godthab, Southwest Greenland

1149 Scoresbysund, East Greenland

1157 Thule, Northwest Greenland

1039 Conakry, Guinea

1106 Guadeloupe, Guadeloupe

1059 Malabo, Equatorial Guinea

1265 Athens, Greece

1249 South Georgia, South Georgia and The South Sandwich Islands

1107 Guatemala, Guatemala

1333 Guam, Guam

1109 Guyana, Guyana

1195 Peking, Hong Kong

1156 Tegucigalpa, Honduras

1309 Zagreb, Croatia

1138 Port-au-Prince, Haiti

1271 Budapest, Hungary

1198 Jakarta, Java, Sumatra

1199 Jayapura, Irian Jaya, Moluccas

1232 Ujung Pandang, Borneo, Celebes

1274 Dublin, Ireland

1193 Gaza, Gaza Strip

1200 Jerusalem, Jerusalem, most locations

1186 Calcutta, India

1312 Chagos, British Indian Ocean Territory

1179 Baghdad, Iraq

1229 Tehran, Iran

1248 Reykjavik, Iceland

1294 Rome, Italy

1115 Jamaica, Jamaica

1174 Amman, Jordan

1231 Tokyo, Japan

1065 Nairobi, Kenya

1184 Bishkek, Kyrgyzstan

1217 Phnom Penh, Cambodia

1326 Enderbury, Phoenix Islands

1336 Kiritimati, Line Islands

1354 Tarawa, Gilbert Islands

1315 Comoro, Comoros

1151 St Kitts, Saint Kitts and Nevis

1218 Pyeongyang, Korea, North (Democratic People's Republic of Korea)

1223 Seoul, Korea (Republic Of Korea)

1209 Kuwait, Kuwait

1088 Cayman, Cayman Islands

1173 Alma-Ata, East Kazakhstan

1176 Aqtau, West Kazakhstan

1177 Aqtobe, Central Kazakhstan

1236 Vientiane, Lao People's Republic

1183 Beirut, Lebanon

1152 St Lucia, Saint Lucia

1304 Vaduz, Liechtenstein

1188 Colombo, Sri Lanka

1064 Monrovia, Liberia

1061 Maseru, Lesotho

1307 Vilnius, Lithuania

1283 Luxembourg, Luxembourg

1293 Riga, Latvia

1073 Tripoli, Libyan Arab Jamahiriya

1037 Casablanca, Morocco

1287 Monaco, Monaco

1272 Chisinau, Moldova

1311 Antananarivo, Madagascar

1338 Kwajalein, Kwajalein

1339 Majuro, Majuro, most locations

1299 Skopje

1029 Bamako, Southwest Mali

1072 Timbuktu, Northeast Mali

1220 Yangon (Rangoon), Myanmar

1234 Ulan Bator, Mongolia

1210 Macao, Macao

1352 Saipan, Northern Mariana Islands

1123 Martinique, Martinique

1068 Nouakchott, Mauritania

1130 Montserrat, Montserrat

1285 Malta, Malta

1318 Mauritius, Mauritius

1317 Maldives, Maldives

1033 Blantyre, Malawi

1100 Pacific Time, Ensenada, most locations

1124 Mountain Time, Mazatlan

1126 Central Time, Mexico City

1159 Pacific Time, Tijuana, N. Baja California

1207 Kuala Lumpur, peninsular Malaysia

1208 Kuching, Sabah & Sarawak

1060 Maputo, Mozambique

1075 Windhoek, Namibia

1345 Noumea, New Caledonia

1067 Niamey, Niger

1344 Norfolk, Norfolk Island

1054 Lagos, Nigeria

1121 Managua, Nicaragua

1263 Amsterdam, Netherlands

1289 Oslo, Norway

1205 Katmandu, Nepal

1342 Nauru, Nauru

1343 Niue, Niue

1322 Auckland, most locations

1213 Muscat, Oman

1134 Panama, Panama

1118 Lima, Peru

1331 Gambier, Gambier Islands

1340 Marquesas, Marquesas Islands

1353 Tahiti, Society Islands

1350 Port Moresby, Papua New Guinea

1212 Manila, Philippines

1203 Karachi, Pakistan

1308 Warsaw, Poland

1127 Miquelon, St Pierre and Miquelon

1348 Pitcairn, Pitcairn

1141 Puerto Rico, Puerto Rico

1241 Azores, Azores

1280 Lisbon, mainland

1247 Madeira, Madeira Islands

1347 Palau, Palau

1080 Asuncion, Paraguay

1219 Qatar, Qatar

1320 Reunion, Reunion

1270 Bucharest, Romania

1175 Anadyr, Moscow+10 - Bering Sea

1197 Irkutsk, Moscow+05 - Lake Baikal

1278 Kaliningrad, Moscow-01 - Kaliningrad

1202 Kamchatka, Moscow+09 - Kamchatka

1206 Krasnoyarsk, Moscow+04 - Yenisei River

1211 Magadan, Moscow+08 - Magadan & Sakhalin

1288 Moscow, Moscow+00 - West Russia

1215 Novosibirsk, Moscow+03 - Novosibirsk

1216 Omsk, Moscow+03 - West Siberia

1295 Samara, Moscow+01 - Caspian Sea

1237 Vladivostok, Moscow+07 - Amur River

1238 Yakutsk, Moscow+06 - Lena River

1239 Yekaterinburg, Moscow+02 - Urals

1052 Kigali, Rwanda

1221 Riyadh, Saudi Arabia

1332 Guadalcanal, Solomon Islands

1316 Mahe, Seychelles

1051 Khartoum, Sudan

1301 Stockholm, Sweden

1225 Singapore, Singapore

1250 St Helena, St Helena

1281 Ljubljana, Slovenia

1246 Jan Mayen, Jan Mayen

1171 Longyearbyen, Svalbard

1268 Bratislava, Slovakia

1046 Freetown, Sierra Leone

1296 San Marino, San Marino

1041 Dakar, Senegal

1063 Mogadishu, Somalia

1136 Paramaribo, Suriname

1071 São Tomé, São Tomé and Príncipe

1099 El Salvador, El Salvador

1190 Damascus, Syrian Arab Republic

1062 Mbabane, Swaziland

1104 Grand Turk, Turks and Caicos Islands

1066 Ndjamena, Chad

1290 Paris, French Southern Territories

1055 Lome, Togo

1182 Bangkok, Thailand

1192 Dushanbe, Tajikistan

1327 Fakaofo, Tokelau

1178 Ashkhabad, Turkmenistan

1074 Tunis, Tunisia

1355 Tongatapu, Tonga

1277 Istanbul, Turkey

1139 Port of Spain, Trinidad and Tobago

1329 Funafuti, Tuvalu

1226 Taipei, Taiwan

1042 Dar es Salaam, Tanzania

1279 Kiev, most locations

1298 Simferopol, Crimea

1050 Kampala, Uganda

1266 Belfast, Northern Ireland

1282 London, United Kingdom

1335 Johnston, Johnston Islands

1341 Midway, Midway Islands

1357 Wake, Wake Island

1076 United States, Alaska Time

1137 United States, Arizona

1089 United States, Central Time

1132 United States, Eastern Time

1334 United States, Hawaii

1112 United States, Indiana

1096 United States, Mountain Time

1119 United States, Pacific Time

1128 Montevideo, Uruguay

1227 Tashkent, Uzbekistan

1305 Vatican, Vatican City State

1154 St Vincent, Saint Vincent and The Grenadines

1085 Caracas, Venezuela

1160 Tortola, Virgin Islands (British)

1153 St Thomas, Virgin Islands (U.S.)

1222 Saigon, Viet Nam

1325 Efate, Vanuatu

1358 Wallis, Wallis and Futuna Islands

1321 Apia, Samoa

1172 Aden, Yemen

1319 Mayotte, Mayotte

1360 Serbia and Montenegro

1049 Johannesburg, South Africa

1058 Lusaka, Zambia

1053 Kinshasa, West Democratic Republic of Congo

1057 Lubumbashi, East Democratic Republic of Congo

1048 Harare, Zimbabwe

Appendix D: U.S. Region Codes

Code State

1003 Alabama

1040 Alaska

1945 Arizona

1951 Arkansas

10595903 Armed Forces Asia

10595904 Armed Forces Europe

10595905 Armed Forces Pacific

5599 California

7636 Colorado

7798 Connecticut

8831 Delaware

9130 District of Columbia

11032 Florida

12004 Georgia

13656 Hawaii

14713 Idaho

14808 Illinois

14882 Indiana

14987 Iowa

16121 Kansas

16480 Kentucky

19283 Louisiana

19840 Maine

20487 Maryland

20543 Massachusetts

21196 Michigan

21412 Minnesota

21502 Mississippi

21512 Missouri

21789 Montana

22869 Nebraska

23035 Nevada

23097 New Hampshire

23117 New Jersey

23132 New Mexico

23161 New York

23611 North Carolina

23624 North Dakota

24230 Ohio

24293 Oklahoma

24561 Oregon

25623 Pennsylvania

27664 Rhode Island

31410 South Carolina

31418 South Dakota

33025 Tennessee

33145 Texas

34626 Utah

35022 Vermont

35364 Virginia

35841 Washington

36208 West Virginia

36684 Wisconsin

36927 Wyoming

Appendix E: Certificate Install Information

If you chose to use a certificate to provide your identity to Microsoft, the certificate is provided to you by the Windows Live Commercial Partner Center. You will be contacted with the password for the private key. You will need a workstation to unpack and export your certificate for use with Windows Live Admin Center.

Obtaining a Certificate for your Domain

If you want to authenticate using a certificate, you need to specifically request one from the Windows Live Commercial Partner Center using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.

The Windows Live Commercial Partner Center will create a certificate for you and give you the exportable private key to import into your systems.

The Windows Live Commercial Partner Center will transfer the certificate to you and will call you with the password for the private key.

Installing the certificate on the ILM Server

Follow the steps below to install the certificate provided to you by the Windows Live Commercial Partner Center on all machines that will be used to administer Windows Live IDs:

Copy your certificate to the root of your ILM Server.

To grant the ILM service account the permissions it needs to use the certificate's private key, you will need the WinHTTP Configuration Tool, available from the Microsoft Download site at http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en.

Installing WinHTTP Configuration Tool

Locate the winhttpcertcfg.msi you downloaded above and double-click to open it. Click Next on the welcome screen.

Read the end-user license agreement, click the “I accept” button and click Next to continue.

Choose a Destination Folder or accept the default location and click Install Now.

When the installation is complete, click Finish.

To run the program, open a command-prompt window by clicking the Start menu, selecting Run and typing CMD in the Open field. Click OK.

Change to the directory where you installed the tool; if you accepted the default settings, the location is C:\Program Files\Windows Resource Kits\Tools. You will need to copy the certificate provided to you by the Windows Live Commercial Partner Center to the root of your C: drive and know the private key password.

The following example shows the command line parameters that are valid for use with this tool.

winhttpcertcfg [/?]

winhttpcertcfg [-i PFXFile | -g | -r | -l] [-a Account] [-c CertStore] [-s SubjectStr] [-p PFXPassword]

The following table explains the parameters for the configuration tool.

Parameter Description

-? Displays syntax information.

-i Specifies that the certificate is to be imported from a Personal Information Exchange (PFX) file. This parameter must be followed by the name of the file. When this parameter is specified, -a and -c must also be specified.

-g Specifies that access is granted to a private key. When this parameter is specified, -a, -c, and -s must also be specified.

-r Specifies that access is removed for a private key. When this parameter is specified, -a, -c, and -s must also be specified.

-l Specifies that accounts with access to a private key are listed. When this parameter is specified, -c and -s must also be specified.

-a Specifies the user account on the machine being configured. This could be a local machine or domain account, such as IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\DOMAINUSER.

-c Specifies the location and name of the certificate store. Use LOCAL_MACHINE or CURRENT_USER to designate which registry branch to use for the location. The certificate store can be any installed on the machine. Typical name examples are MY, Root, and TrustedPeople. The location and name of the certificate store are separated with a backward slash; for example, LOCAL_MACHINE\Root.

Note Although the CURRENT_USER branch of the registry can be specified with this parameter, extending access to private keys is primarily intended for certificates installed in a local machine certificate store that can be accessed by multiple users.

-s Specifies a case-insensitive search string for finding the first enumerated certificate with a subject name that contains this substring.

-p Specifies the password that protects the private key in the PFX file named with -i.

To install your certificate with the correct permissions, run the configuration tool with the following command, substituting your certificate file name, your ILM service account and the private key password. Because the password is passed in clear text on the command line, type the command interactively rather than saving it in a script or batch file:

winhttpcertcfg.exe -g -i c:\yourcertificatename -c LOCAL_MACHINE\My -a yourILMserviceaccount -p yourcertificatepassword

Once the command has executed successfully, you will see a screen similar to the one below.

Installing the certificate to Windows Live Admin Center

Once you have the certificate installed on the server(s) that will be used to manage Windows Live IDs, you need to export the certificate for use with Windows Live Admin Center and upload it to the service.

Click OK.

In the MMC, go to the File menu and select Add/Remove Snap-in.

Select the snap-in for Certificates, click Add.

Select the radio button for the Certificates snap-in to manage certificates for the Computer account, click Next.

Select local computer, click Finish.

When you click Finish, the snap in appears in the MMC window. On the left side, expand Certificates (Local Computer) and select the Personal store.

In the right pane, right-click the certificate in the Certificates (Local Computer)\Personal\Certificates store, select All Tasks and then Export.

The Certificate Export Wizard appears; click Next.

Select the radio button next to “No, do not export the private key” and click Next.

Select DER encoded binary X.509 (.CER) and click Next.

Click the Browse button, select a location for the exported certificate, and click Next.

Click Finish to complete the Certificate Export Wizard.

To upload the exported certificate to the Windows Live Admin Center, go to http://admincenter.live.com in Internet Explorer, click the Sign In button and log in with the Domain Admin credentials that you established when you reserved your domain.

From your list of domains, click the domain you are managing.

Click SDK.

Browse to the location where you exported the cert and click Add/Update. If Add/Update is not available, contact the Windows Live Commercial Partner Center to have the feature enabled for your domain, using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.

The certificate has been uploaded successfully.
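The same three steps (import the PFX into the machine store, grant the ILM service account use of the private key, export the public certificate without its private key) can be done from PowerShell with the built-in PKI cmdlets. This is an added example, not a script from the guide or from Microsoft; it assumes Windows Server 2012 / PowerShell 3.0 or later and uses placeholder values for the PFX path, the service account and the output path. Unlike the winhttpcertcfg command above, it prompts for the private key password so that it never appears on the command line.

```powershell
# Added example (not from the guide): the Appendix E certificate workflow done with the
# built-in PKI cmdlets instead of winhttpcertcfg.exe. Run from an elevated prompt.
# Assumptions: PowerShell 3.0+ with the PKI module; placeholder path and account names.
param(
    [string]$PfxPath        = 'C:\liveatedu.pfx',          # placeholder
    [string]$ServiceAccount = 'CONTOSO\svc-ilm',           # placeholder ILM service account
    [string]$CerOutPath     = 'C:\liveatedu-public.cer'    # placeholder
)

# Prompt for the private key password instead of passing it on the command line,
# where it would remain in the console history and be visible in process listings.
$pfxPassword = Read-Host -Prompt 'Private key password from the Partner Center' -AsSecureString

# 1. Import into LocalMachine\My (the "MY" store in winhttpcertcfg terms).
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword
Write-Host ("Imported {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)

# 2. Locate the private key file. Machine keys live under %ProgramData%; keys held by a
#    CNG key storage provider and keys held by a CAPI RSA CSP sit in different folders,
#    so both cases are handled (assumption: .NET Framework 4.6+ for GetRSAPrivateKey).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# 3. Grant Read only (what winhttpcertcfg -g does): the service account must be able to
#    use the key, not to export, replace or delete it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. List who can reach the key now (what winhttpcertcfg -l does) so the result can be reviewed.
(Get-Acl -Path $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

# 5. Export the public certificate only, DER encoded (.CER), for upload in Admin Center.
#    Export-Certificate never writes the private key, matching "No, do not export the private key".
Export-Certificate -Cert $cert -FilePath $CerOutPath -Type CERT | Out-Null
Write-Host "Public certificate written to $CerOutPath"
```

Step 4 is worth keeping in any version of this procedure: the access list on the key file is the authoritative record of which accounts can sign with the partner certificate, and it should contain only SYSTEM, Administrators and the ILM service account.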

Appendix F: Migrating from the SDK tools

If you have been using one of the SDK Tools to manage your domain, you can migrate from them to ILM if you prefer.

Note: If you do this, we recommend making a full move to Identity Lifecycle Manager. Do NOT use the SDK apps for account management after you migrate from them; otherwise you will encounter errors. If you add or remove accounts with the SDK tools after moving to ILM, the domain will become out of sync.

The EduExpress application contains an option to export a CSV file containing your domain’s member accounts. This file can be used to import members into ILM.

1. First, launch the EduExpress application and locate the Export Existing Member List link.

2. Clicking this link brings up a save dialog box. Save the file to a known location.

You can use this CSV file to populate Active Directory, a SQL database, a delimited text file or any other source supported by ILM. For demonstration purposes, we’ll create a delimited text file for use with ILM.

3. Create a new text file with the attributes you want to use in the header of the file. Refer to the Passport User Attributes section for more information.

4. Launch Identity Manager and click Create to create a new management agent for a data source. More information about configuring data source management agents is included in Section 5.

5. Select Delimited Text File in the Management Agent For: drop down menu. Give the management agent a name and a description (if desired).

6. In Select Template Input File, select the text file you created in step 3. Click Next.

7. In Delimited Text Format, click Use first row for header names and click Next.

8. In Configure Attributes, click the Set Anchor button to set an anchor attribute for the management agent.

9. In the Set Anchor window, click the SigninName attribute and click the Add button to construct the anchor. Click OK and click Next.

10. In Define Object Types, accept the default and click Next.

11. In Configure Connector Filter, accept the defaults by clicking Next.

12. In Configure Join and Projection rules, we want to create a projection rule for the data source management object to project members into the Metaverse. Click New Projection Rule.

13. Unless you’ve created your own object type in Metaverse, select the person metaverse object type, leave the radio button next to Declared selected, click OK and click Next.

14. In Configure Attribute Flow, we will create attribute flow for the attributes in our text file. Select an attribute in the data source attribute column, set the radio button for mapping type to Direct, set the radio button for Flow Direction to Import, click the corresponding Metaverse Attribute and click the New button. Follow these same steps for every attribute mapping. In the example, we're flowing our attributes like this:

Data source attribute Mapping Type Flow Direction Metaverse Object Type

FirstName Direct Import givenName

LastName Direct Import LastName

SigninName Direct Import mail

When you’re finished setting attribute flow, click Next.

15. In Configure Deprovisioning, accept the default of Make them Disconnectors by clicking Next.

16. In Configure Extensions, accept the default by clicking the Finish button.

17. Next we will configure the export management agent. In Identity Manager, click Create under the Actions menu.

18. From the Create Management Agent drop down menu, select WLCD Management Agent (Microsoft), give the management agent a name and a description (if desired).

19. In Configure Connection Information, enter your administrator account and password into the appropriate fields. If you’re using a certificate for authentication, you can skip this step.

20. In Configure Additional Parameters, accept the defaults for now by clicking Next.

21. In Configure Attributes, accept the default settings and click Next.

22. In Define Object Types, accept the default settings and click Next.

23. In Configure Connector Filter, accept the defaults and click Next.

24. In Configure Join and Projection Rules, accept the defaults for now and click Next.

25. In Configure Attribute Flow, we will set up direct export attribute flows for the attributes we set up on the data source management agent. Select an attribute in the data source attribute column (Passport User), set the radio button for mapping type to Direct, set the radio button for Flow Direction to Export, click the corresponding Metaverse Attribute and click the New button. Follow these same steps for every attribute mapping. In the example, we're flowing our attributes like this:

Data source attribute Mapping Type Flow Direction Metaverse Object Type

FirstName Direct Export givenName

LastName Direct Export LastName

SigninName Direct Export mail

When you’re finished setting attribute flow, click Next.

26. In Configure Deprovisioning, accept the defaults and click Next.

27. In Configure Extensions, uncheck Enable password management and click Finish.

28. Both management agents are now configured. Now we need to turn off provisioning in ILM so that we can sync our accounts with those already existing in Windows Live. Go to Tools > Options and clear the checkbox next to Enable Provisioning Rules Extension.

29. Copy the data source text file to C:\Program Files\Microsoft Identity Integration Server\MaData\<data source management agent folder>.

30. Create a full import run profile for the data source management agent.

a. Click the New Profile button, give the run profile a name (in this case, Full Import) and click Next.

b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).

c. In Management Agent Configuration, click the Select button to select the input file you placed in C:\Program Files\Microsoft Identity Integration Server\MaData\<data source management agent folder>.

d. Select the file from the list, click OK and click Finish.

31. Create a full synchronization run profile for the data source management agent.

a. Follow the exact same steps as Step 30; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.

32. Run a full import and sync from the data source management agent to project data into the metaverse.

a. In Identity Manager under Actions, select Run, select Full Import and click OK.

b. In Identity Manager under Actions, select Run, select Full Sync and click OK. Be sure to note the number of projections. This number should match the number of accounts you're synchronizing with Windows Live.

Note: If you experience the error no-start-file-access-denied, open the Properties of the folder for the data source management agent (C:\Program Files\Microsoft Identity Integration Server\MaData\<data source management agent folder>), click the Security tab, click Advanced and select the tick box for "Replace permission entries on all child objects with entries shown here that apply to child objects". Click OK, and click OK on the security dialog box shown below:

c. Click Yes, then OK to close the properties dialog box. This will enable the correct permissions.

33. In the Windows Live management agent, we have to set the domain into recovery mode and configure some parameters for the disaster recovery to work.

a. Open the Windows Live management agent and click the Configure Additional Parameters tab.

We need to add two parameters in this tab. Click New and add a Parameter name of Domain. In the Value field, type the name of your domain and click OK.

b. Click New and add a Parameter name of DisasterRecoveryMode. In the Value field, type true and click OK.

34. Set a join rule on the Windows Live management agent for the SignInName attribute in Windows Live to join to the mail attribute (or whatever attribute you used in Metaverse to store member e-mail accounts).

a. In Identity Manager, in the Windows Live management agent, select the Configure Join and Projection Rules tab.

b. Click New Join Rule and select the data source attribute SigninName and Metaverse object type mail (or whatever attribute in Metaverse you’re using to store member accounts) and click Add Condition.

35. Create a template for use in the full import run profile for the Windows Live management agent.

a. Navigate to the MaData folder in the installation folder for ILM. Usually this is C:\Program Files\Microsoft Identity Integration Server\MaData unless changed upon install.

36. Open the folder for the Windows Live management agent, right-click and select New > Text Document from the menu.

37. Give the file any name, for example, import.txt, and close the install folder window.

38. Create a full import run profile for the Windows Live management agent.

b. Follow the exact same steps as Step 30; name the profile appropriately, select Full Import from the run profile type, select the file you just created in Step 9c above and click Finish in Management Agent Configuration.

39. Create a full synchronization run profile for the Windows Live management agent.

c. Follow the exact same steps as Step 30; name the profile appropriately, select Full Synchronization from the run profile type, and click Finish in Management Agent Configuration.

40. Run a full import on the Windows Live management agent. Note the number of objects.

41. Run a full synchronization on the Windows Live management agent.

42. Verify that all imported accounts are joined. There should be the same number of joins as objects from the full import (unless you're using Active Directory or another LDAP directory as your data source; in this case, subtract the container objects).

43. There should be pending exports to Windows Live for all joined accounts. Randomly examine a few pending exports to make sure attributes are correctly set. For instance, do not set the ResetPassword attribute unless you want to require all users to reset their password.

44. Create an Export run profile on the Windows Live MA.

45. Enable provisioning by going to the Tools menu\Options in ILM and clicking the "Enable Provisioning Rules Extension".

46. Run a full synchronization on the data source management agent.

47. If any exports are pending for the Windows Live management agent after step 16, these must be new users that were not created in Windows Live before the disaster occurred.

48. Run an export to Windows Live to create the new users (if desired).
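Steps 2, 3 and 29 turn the EduExpress export into the delimited text file the data source management agent reads, and steps 32b, 40 and 42 ask you to compare record counts. The following added example, which is not part of the guide or of any Microsoft tool, automates that preparation in PowerShell and performs the checks that make the later counts meaningful: every attribute you intend to flow must be present as a header, and the anchor attribute (SigninName, as chosen in step 9) must be non-empty and unique, because ILM identifies each connector-space object by it. The column names, the temp-file paths and the two sample members are assumptions constructed for the demo.

```powershell
# Added example (not from the guide): prepare the EduExpress member export for the ILM
# Delimited Text File management agent and return the figures the guide says to check.
# Assumptions: export columns FirstName, LastName, SigninName (as in the attribute flow
# tables above); SigninName is the anchor; the sample CSV below is constructed data.

function ConvertTo-IlmDelimitedFile {
    param(
        [Parameter(Mandatory)][string]$InputCsv,
        [Parameter(Mandatory)][string]$OutputFile,
        [string[]]$Attributes = @('FirstName', 'LastName', 'SigninName'),
        [string]$Anchor = 'SigninName'
    )
    $rows = @(Import-Csv -Path $InputCsv)
    if ($rows.Count -eq 0) { throw "No member rows found in $InputCsv" }

    # The first row becomes the header the MA reads ("Use first row for header names"),
    # so every attribute we intend to flow must exist in the export.
    $present = $rows[0].PSObject.Properties.Name
    $missing = @($Attributes | Where-Object { $_ -notin $present })
    if ($missing.Count) { throw "Export lacks attribute(s): $($missing -join ', ')" }

    # Anchor checks: an empty or duplicated anchor would misfile or merge members
    # during Full Sync, and the projection count would no longer match the member count.
    $blank = @($rows | Where-Object { [string]::IsNullOrWhiteSpace($_.$Anchor) })
    if ($blank.Count) { throw "$($blank.Count) row(s) have an empty $Anchor" }
    $dupes = @($rows | Group-Object -Property { $_.$Anchor.Trim().ToLowerInvariant() } |
                      Where-Object { $_.Count -gt 1 })
    if ($dupes.Count) { throw "Duplicate ${Anchor}: $(($dupes | ForEach-Object Name) -join ', ')" }

    # Write only the attributes that will flow. Export-Csv quotes every field; set the
    # MA's text qualifier to the double quote when configuring Delimited Text Format.
    $rows | Select-Object -Property $Attributes |
        Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8

    # Records is the number to compare with "number of projections" (step 32b) and with
    # the Full Import object count and join count on the Windows Live MA (steps 40 and 42).
    [pscustomobject]@{ OutputFile = $OutputFile; Records = $rows.Count; Anchor = $Anchor }
}

# --- Demo with constructed sample data (not a real EduExpress export) ---
$sampleCsv = Join-Path $env:TEMP 'eduexpress-sample.csv'
@'
FirstName,LastName,SigninName,LastLogin
Ana,Lopez,ana.lopez@contoso.edu,2008-01-02
Ben,Kim,ben.kim@contoso.edu,2008-01-03
'@ | Set-Content -Path $sampleCsv -Encoding UTF8

ConvertTo-IlmDelimitedFile -InputCsv $sampleCsv `
                           -OutputFile (Join-Path $env:TEMP 'members.txt') |
    Format-List
```

Copy the resulting file into the MaData folder of the data source management agent as described in step 29; if the Records value does not equal the projections reported after the Full Sync in step 32, stop and investigate before setting DisasterRecoveryMode in step 33, since the join in step 34 depends on every member being projected exactly once.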

Appendix G: Support information

Getting Help from Microsoft

For general Live@edu program information, please refer to our Live@edu program website at http://www.liveatedu.com/

For additional questions regarding the program that are not addressed on the program page, or any onboarding questions, please direct your inquiry to the Windows Live Commercial Partner Center using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.

Please refer all single user issues that involve MSN Services to http://support.live.com. This is the same support resource that is available to all global users of Windows Live services and can often resolve single user issues.

If you are experiencing an issue that impacts multiple end users, or are experiencing errors or unexpected behavior with your account provisioning tools we suggest you file a ticket with our Premier Partner Support team.

Once you have onboarded with the Live@edu program you will be provided a unique Premier Online account for your institution. Please use this Premier Online account for filing issues only directly related to the Microsoft Live@edu program.

If, after filing your support ticket, you feel that you have not received a timely response or if you would like a status update please contact the Live@edu escalation services team ([email protected]). Please provide your support ticket number when contacting this team. These tickets usually begin with the characters “SR”.

Live@edu partners who use Windows Live Services are supported by the MSN Partner Support team, which is staffed to assist you with your technical support issues regarding the Microsoft Live@edu products (e.g. ILM, Passport MA, mail delivery issues, etc.).

In addition to our Partner Support staff, we have an Emergency Response Team (ERT) available 24x7x365 to respond to operational support issues submitted by Live@edu partners that deal with the Windows Live Services (e.g. confirming Windows Live maintenance, latency, or issues impacting login or mail delivery, etc.). Note: technical support related issues will be addressed by the Partner Support team on the next business day.

To engage our Support Professionals you will need to submit Microsoft Live@edu technical issues using the Microsoft Premier Online website. Premier Online will be the primary tool used by your support and Helpdesk personnel to submit support cases to engage Microsoft Partner Support and the Emergency Response team.


Using Microsoft Premier Online

Microsoft Premier Online is a secure website that requires a Windows Live ID (Passport) account, a Microsoft Premier Online Access ID, and a password for login.

Steps to access the Microsoft Premier Online site

First, if you do not already have one, you will need to create a Windows Live ID (formerly known as .NET Passport); please go to http://www.passport.net to create a Windows Live ID.

Next go to the Premier Online site (https://premier.microsoft.com) and link your Windows Live ID (formerly .NET Passport) to your Premier Online support account. For this step, you will need your Premier Online Access ID and your password:

Your unique credentials will be provided by the Live@edu Escalation services team via e-mail once you have onboarded with the Live@edu program.

Note: Please safeguard this access ID and password. Provide this information only to support and Helpdesk personnel who you authorize to open support incidents.

Steps to file a support request with Microsoft:
1. Sign into the Premier Online site.
2. Click "Submit Incident" in the left hand column (this will take you to the Submit Incident page).
3. From the "Select a Product" drop down, choose "Beta and Other Products".
4. From the "Select a product version or edition" drop down, scroll down and select "MSN College & University Program".
5. Click "Next>>".
6. On the "Describe the problem" page, fill out the following information:

a. Title: Include <Institution Name:>. The Title should be a short, clear description of the issue.

b. Severity: Choose Severity C or B (the tool does not allow Severity A issues to be submitted; in order to upgrade an issue to Severity A you must call the Emergency Response team).

c. Details: copy and paste the following template to fill out the incident details section:

Severity of the incident, e.g. number of users impacted as well as your internal issue severity level.
Detailed description of the incident.
Steps to reproduce the problem.
Troubleshooting done.
Full error text and logs.
Other comments/additional information that might be useful to bring about the resolution of the incident, e.g. error messages, etc.
Specific user accounts, if needed, that demonstrate/exhibit the problem. Note: Never include the user's password.


NOTE: Currently we provide support in English only. Submitting support incidents in languages other than English may result in delays in handling.

Computer Information: Select the Operating System.

Attachments: the Computer Information section includes the ability for you to attach files, error logs, and images to your case that may be useful to the Support Professional in resolving your issue.

Contact Information: Ensure your contact information is accurate.

7. Click the "Submit" button. Your incident submission is complete and a tracking number will be provided for your case.

Once your case has been submitted, a Partner Support team member will be assigned ownership of your case and they will work with you directly to assist in resolving your issue.

Tracking/Updating an Incident:

Please note that you can check the latest status of your issue(s) or add additional information at any time by logging on to the Premier Online site.
1. Sign into the Premier Online site: https://premier.microsoft.com
2. Click "View Incidents" in the left hand navigation pane (found under the Online Services section).
3. Make sure the Schedule name is "MSN University Program" and apply any other needed view filters.
4. Click on the incident number that you are interested in.
5. Review the Microsoft Support Professional's notes and enter a response and additional notes for the Microsoft Support Professional in the provided text box if necessary.
6. If you are adding notes to the incident, update contact information if needed, and click "Send".


Incident Severity Definition

When you submit an issue (called a support incident) to Microsoft, you will need to assign a severity level to the incident; the Severity definitions listed below will assist you in assigning the appropriate severity to an issue. NOTE: ERT may reset the Severity level as appropriate based on the issue.

Severity A: Significant business impact; significant loss or degradation of services, business process and work cannot reasonably continue. All employees, students, and alumni are affected. Our response goal for Severity A issues is one hour, followed by updates every hour or as needed.

Severity B: Moderate business impact; moderate loss or degradation of services, but work can reasonably continue in an impaired manner. Issues affect most (but not all) employees, students, and alumni. Our response time goal for Severity B issues is two hours, followed by updates every two hours or as needed.

Severity C: Minimal business impact; used for issues encountered during implementation (pre-deployment), prior to launching the service to your students and faculty. Our response time goal for Severity C issues is 4 hours or the next business day, with updates as needed. NOTE: All installation and configuration issues related to Windows Live@Edu qualify as Sev C.

Severity D is used to monitor incidents that need to remain open for long periods of time.