Now on to FIM and I have struggled every bit as much with learning how to write workflow activities, not particularly helped by the official documentation which I can only assume is computer generated, it is so completely unhelpful. But after a recent obsessive spate I’m finally starting to get the hang of it, and this has brought me to the next fantasy activity on my list – something to generate a unique attribute, such as an AccountName.

The idea

What I want is a way to generate an attibute based on a series of rules. If I don’t get a unique value with the first (ideal) rule, then I move to the second, then the third, then if completely desperate the fourth… Hopefully I’d have found something good by then.

In an effort to reduce effort (if you can have that) this activity relies on the OOB Function activity to generate the possible strings in order of preference. So here’s what the workflow looks like configured with three possible choices:

And here is one of the Function activties, which generates a string and puts it in a WorkflowData parameter:

Developing the Activity

This activity is complicated compared to my powershell one, so I’ll just summarise the steps. A CurrentRequestActivity grabs the workflow details  from FIM, A ReadTargetActivity gets the details of the object we’re trying to modify, A WHILE loop goes through the possible options until a unique value is found (or we run out of options), Within the WHILE loop, the EnumerateResourcesActivity does the actual looking up of the proposed attribute value, to see if it’s already taken, We then have an IfElse statement to handle the lookup results: If we found a good match we write it to the target resource using an UpdateResourceActivity, If we didn’t find a match an error is thrown – this leads to a PostProcessingError in FIM. Of course you could do something else like send an email here. As well there are a bunch of code activities which smooth the way, setting up parameters and passing variables around.

The Code

I’m not going to post the whole solution this time because I’ve got all my activities in the one solution and I can’t be bothered separating it – but all the code is linked below. There are a couple of other points to add about the workflow construction:

• For the code activities I just drag them onto the surface, give them a name, and then double-click, which generates the Execute routine.
• For all the other activites I use the “Promote Bindable Properties” option to generate the code automatically – I then don’t touch the generated code at all.
• For the While and If conditions I use the “Declarative Rule Condition”. (Rules are in comments in the code, but you’ll have to add them into the WF surface yourself).

GenerateUniqueValue.vb

GenerateUniqueValueSettingsPart.vb

PS

If, like me, you’re doing this WWF development stuff for the first time, I did find this short tutorial very helpful. Despite my rubbishing the MSDN FIM documentation above, there is lots of good stuff there too, of course.

General Provisos

I will start by saying that I’m sharing this as an example and not as supported code. Please do take the time to understand it and modify it as appropriate to your environment. While I do have a production application for this coming up soon I have so far only used it in the lab and may well need to work on it more. This post will remain the place for information about the activity and I will update here if something changes.

Server Setup

If you’re planning on using Remote Powershell then, unless you have WIndows 2008R2 on both the FIM server and the remote server, you will need to make sure the prerequsites are in place. See the Enabling Remote Powershell section in this post.

About the Activity

Lookup Strings

I’ve managed to get the activity using lookup strings like [//Target/Email]. At the moment I only support //Target and //Requestor. I haven’t yet worked out how to do a nice string concatenator with a lookup button like you see on the OOB activities so you have to type the strings yourself.

Using the Activity with Local Powershell

For local powershell it is assumed that the FIM Service account has the rights to run the cmdlet/script. If you need to use a different account then I recommend using a script along with a secure password file to inject the credential.

Using the Activity with Remote Powershell

For remote powershell you also need to fill in the name of the remote server, and the username and password to use when connecting. The remote script will run within the environment of this connection account.

There are a number of points to be aware of when using this activity for remote powershell:

• The way you enter the server name appears to be relevant. When I enter the FQDN or ip address it works. When I enter a server alias I get “Access Denied”.
• If you modify the workflow you have to re-enter the password.
• Certain commands don’t work at all through remote powershell, eg., start-transcript and (apparently) the Exchange 2007 cmdlets.
• Certain commands don’t work through remote powershell when run through code, eg., write-host.
• The servers at each end must be set up to support remote powershell! If you can’t do it directly from powershell then don’t expect this activity to do it.

Error Reporting

Errors should be reported as a PostProcessingError in the Search Request page of the FIM Portal. In some cases I write extra information to the event log.

Plugins

I originally had a field to enter a powershell plugin that should be loaded before running the command. I took it out because I figured that would be better done in a script, but the code is still in there commented out if you want to put it back in.

Writing a suitable powershell script

You need to take some care with the powershell scripts you write to go with this activity. First, see the comments the Remote Powershell section above for cmdlets I know should be avoided.

The activity will return the last error thrown by the script so it’s a good idea to make the script stop on the first fatal error it encounters. Setting $ErrorActionPreference = “stop” is a start.

Also my code only understands parameters if they have a “-” at the front, like with normal powershel cmdlets. This means you must use PARAM when defining script arguments. If you use ARG it won’t work.

See below for a sample test script.

Installing

You are going to have to compile the project into the GAC yourself and then add the AIC in the FIM Portal. See here for a walkthrough.

If you don’t re-sign the project or change any names then the AIC settings are as follows:

Testing

Make a Workflow

Once you’ve installed the activity, and restarted IIS, you should be able to access it from the Workflow builder. More explanation about how to fill in the form is higher up in this post.

Create MPRs and Sets to trigger the Workflow

I made a set based on an attribute, then two MPRs on “Transition In” and “Transition Out” of the set. Then it was simple matter of toggling the appropriate attribute on a user so it transitioned in and out of the set.

Test Powershell Script

Here’s a test script I’ve been using. You can see the way I call it in the Remote Powershell picture above. If you run it locally the FIM Service account will need rights to modfy user accounts in AD.

Param($username, $modifier)

$ErrorActionPreference = "stop"

if ($username -eq "") {throw "Username parameter must be provided."}
if ($modifier -eq "") {throw "Modifier parameter must be provided."}

$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = "LDAP://mydomain.local"
$objSearcher.PageSize = 1000
$objSearcher.Filter = "(&(objectClass=user)(sAMAccountName= $username))"
$objSearcher.SearchScope = "Subtree"

$user = $objSearcher.findone()
if ($user.count -eq 0)
	{throw "No user found with username=" + $username}

$userDN = $user.path

$user = [ADSI]$userDN

$user.Put("extensionAttribute1",$modifier)
$user.SetInfo()

And finally, the code

Here’s the whole solution. I added this activity on to my existing LoggingLibrary solution so you’ll find both here.

Download here

A last word

Like I said, I’m still learning this stuff, and this activity is not in production so I may find problems. If you do have feedback please comment here.

The sticking problem is the objectClass. Typically objects in LDAP will have more than one objectClass, and the only way to set them in MIIS/ILM is in the metaverse extension code. It is no different with FIM. There is no way to set objectClass from a codeless sync rule, and you can’t set it in an export attribute flow. 

So a Metaverse extension is still the way to go. Here is an example of a provisioning rule for OpenLDAP. I am creating a posixAccount, mostly as a way of showing how to add the dependant objectClasses. Your objectClasses will no doubt vary.

I have included a couple of functions that I am using to generate a password hash and to find the next uidNumber. Note for the latter function the Terminate sub is also implicated.

Imports Microsoft.MetadirectoryServices
Imports System.DirectoryServices
Imports System.Text
Imports System.IO
Imports System.Security.Cryptography

Public Class MVExtensionObject
    Implements IMVSynchronization

    '' It is a better practise to put these constants in a lookup file
    Const OL_SERVER As String = "myldapserver.mydomain.com"
    Const OL_ROOT As String = "dc=myldap,dc=mydomain,dc=com"
    Const OL_OU_USERS As String = "ou=users,dc=myldap,dc=mydomain,dc=com"
    Const OL_UIDFILE As String = "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\openLDAP\uidNumber.txt"
    Const OL_READ_USER As String = "cn=fimread,ou=users,dc=myldap,dc=mydomain,dc=com"
    Const OL_READ_PW As String = "password"
    Const OL_DEFAULT_GROUP As String = "1000"

    Public Sub Initialize() Implements IMVSynchronization.Initialize
        ' TODO: Add initialization code here
    End Sub

    Public Sub Terminate() Implements IMVSynchronization.Terminate
    '' Deleting this file forces a new LDAP search the next time, allowing for accounts which may have been created manually.
        If File.Exists(OL_UIDFILE) Then
            File.Delete(OL_UIDFILE)
        End If
    End Sub

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        Select Case mventry.ObjectType
            Case "person"
                Provision_OpenLDAPPerson(mventry)
        End Select
    End Sub

    Sub Provision_OpenLDAPPerson(ByVal mventry As MVEntry)
        Dim ShouldExist As Boolean = False
        Dim DoesExist As Boolean
        Dim CSEntry As CSEntry
        Dim OLMA As ConnectedMA = mventry.ConnectedMAs("openLDAP")
        Dim expectedDN As ReferenceValue
        Dim Container As String

        '' Should the account exist? (Add more logic here to decide)
        ShouldExist = True

        '' Does the account already exist?
        If OLMA.Connectors.Count = 0 Then
            DoesExist = False
        Else
            DoesExist = True
        End If

        '' Generate the expected DN for the user - to use in creating or moving
        If mventry("accountName").IsPresent And ShouldExist Then
            Dim RDN As String = "cn=" & mventry("accountName").StringValue.ToLower
            expectedDN = OLMA.EscapeDNComponent(RDN).Concat(OL_OU_USERS)
        End If

        '' Take action based on values of ShouldExist and DoesExist
        If ShouldExist And DoesExist Then
            '' Check if rename needed
            If csentry.DN.ToString.ToLower <> expectedDN.ToString.ToLower Then
                csentry.DN = expectedDN
            End If

        ElseIf ShouldExist And Not DoesExist Then
            '' Create Account

            ' Set objectClasses
            Dim oc As ValueCollection
            oc = Utils.ValueCollection("inetOrgPerson")
            oc.Add("person")
            oc.Add("organizationalPerson")
            oc.Add("inetOrgPerson")
            oc.Add("posixAccount")
            oc.Add("shadowAccount")
            oc.Add("simpleSecurityObject")
            CSEntry = OLMA.Connectors.StartNewConnector("posixAccount", oc)
            CSEntry.DN = expectedDN

            ' Find next available uidNumber
            CSEntry("uidNumber").Value = = NextUidNumber(OL_SERVER, OL_ROOT).ToString

            ' Set initial password
            CSEntry("userPassword").Value = "{MD5}" & GenerateHash("INitial001")

            ' The following could also be done as export flow rules
            CSEntry("gidNumber").Value = OL_DEFAULT_GROUP
            CSEntry("sn").Value = mventry("lastName").Value
            CSEntry("givenName").Value = mventry("firstName").Value
            CSEntry("cn").Value = mventry("accountName").Value.ToLower
            CSEntry("uid").Value = mventry("accountName").Value.ToLower
            CSEntry("displayName").Value = mventry("firstName").StringValue & " " & mventry("lastName").StringValue.ToUpper

            CSEntry.CommitNewConnector()

        ElseIf Not ShouldExist And DoesExist Then
            '' Delete
            CSEntry = OLMA.Connectors.ByIndex(0)
            CSEntry.Deprovision()

        End If
    End Sub

    Public Function NextUidNumber(ByVal ldapServerName As String, ByVal searchRoot As String) As Integer
    '' The first time the function runs it finds the highest uidNumber in LDAP and stores it in a text file.
    '' On subsequent runs it retrieves the last uidNumber straight from the text file. This allows for sync runs
    '' where multiple accounts are created.
    '' The text file is deleted as part of the Terminate routine.

        Dim oSearcher As New DirectorySearcher
        Dim oResults As SearchResultCollection
        Dim oResult As SearchResult
        Dim lastuid As Integer = 0

        If File.Exists(UIDFILE) Then
            Dim fileReader As New StreamReader(UIDFILE)
            lastuid = CInt(fileReader.ReadLine)
            fileReader.Close()
        Else
            Try
                With oSearcher
                    .SearchRoot = New DirectoryEntry("LDAP://" & ldapServerName & "/" & searchRoot, _
                                                     "cn=root,dc=ldap,dc=eesp,dc=ch", "hesso_2010", AuthenticationTypes.FastBind)
                    .PropertiesToLoad.Add("uidNumber")
                    .Filter = "uidNumber=*"
                    oResults = .FindAll()
                End With

                For Each oResult In oResults
                    If oResult.GetDirectoryEntry().Properties("uidNumber").Value > lastuid Then
                        lastuid = oResult.GetDirectoryEntry().Properties("uidNumber").Value
                    End If
                Next

            Catch e As Exception
                Throw New UnexpectedDataException(e.Message)
                Return -1
            End Try
        End If

        Dim fileWriter As New StreamWriter(UIDFILE, False)
        fileWriter.WriteLine(lastuid + 1)
        fileWriter.Close()

        Return lastuid + 1
    End Function

    Private Function GenerateHash(ByVal SourceText As String) As String
        ' Returns the MD5 hash of the SourceText string.
        Dim Ue As New UTF7Encoding()
        Dim ByteSourceText() As Byte = Ue.GetBytes(SourceText)
        Dim Md5 As New MD5CryptoServiceProvider()
        Dim ByteHash() As Byte = Md5.ComputeHash(ByteSourceText)
        Return Convert.ToBase64String(ByteHash)
    End Function

End Class

The usual published .NET examples using the System.Security.Cryptography generate a completely different MD5 hash to that generated by openLDAP – and I’m not the only one to have noticed.

After much hunting around I found this thread where belcherman was the man with the answer: you have to set the encoding to UTF7. The following function does the trick:

    Private Function GenerateHash(ByVal SourceText As String) As String
        ' Returns the MD5 hash of the SourceText string.
        Dim Ue As New UTF7Encoding()
        Dim ByteSourceText() As Byte = Ue.GetBytes(SourceText)
        Dim Md5 As New MD5CryptoServiceProvider()
        Dim ByteHash() As Byte = Md5.ComputeHash(ByteSourceText)
        Return Convert.ToBase64String(ByteHash)
    End Function

  
Then, when setting the initial userPassword in your provisioning code:

        CSEntry("userPassword").Value = "{MD5}" & GenerateHash("FirstP@ssword")

Password Sync

It is simple enough to modify the openldapXMA Password Extension to set the hashed password.

In OpenLDAPUtils.cs add the C# version of the GenerateHash function I included above. (If you don’t know how to do this see http://www.developerfusion.com/tools/convert/vb-to-csharp)

Then change the SetPassword subroutine in the same file:

        public void SetPassword(string newPassword, CSEntry csentry)
        {
            DirectoryAttributeModification pwdChange = new DirectoryAttributeModification();

            pwdChange.Name = "userPassword";
            // CW: Changed to use an MD5 hash
            // pwdChange.Add(newPassword);
            pwdChange.Add("{MD5}" + GenerateHash(newPassword));
            pwdChange.Operation = DirectoryAttributeOperation.Replace;

            ModifyRequest request = new ModifyRequest(csentry.DN.ToString(), pwdChange);
            try
            {
                DirectoryResponse response = m_Ldap.SendRequest(request);
            }
            catch (Exception e)
            {
                MiisExceptionsManager.ReportErrorToMiis(e.Message);

            }

        }

What is it for?

The ReadResourceActivity is used to look up an object in the FIM Portal database and return it to your workflow. You feed it a FIM GUID through the ResourceId property and it returns you a copy of the resource’s attributes in the Resource property.

In the pictures in this post you’ll see the word “Powershell” cropping up. In fact I’m working on an activity to run powershell cmdlets and scripts and I’ve arrived at the point where I’d like to include Target and Requestor properties in cmdlet arguments. Perhaps something like this:

Add-MailboxPermission -Identity [//Target/AccountName] -User [//Requestor/AccountName] -Accessright Fullaccess

Anyway, that’s the idea, and I’ll let you know if I get there.

Adding a ReadResourceActivity

Before dragging in the ReadResourceActvity, this Workflow had only a CurrentRequestActivity and a code activity, very much like the LoggingActivity example (which I recently translated into VB.NET). I plan to use this activity to read properties about the Target of this workflow – that is, the object in FIM which is in the process of being added or modified. Later I will also add another ReadResourceActivity to get the properties of the Requestor. In this picture, all I’ve done to the ReadResourceActivity so far is to give it a name. The other properties are the initial defaults. You can actually compile and run your activity at this point, but you’ll get a PostProcessingError in FIM.

Creating DependencyProperties

The next thing you need to do is create DependencyProperties to bind to the parameters. These are something like global variables that you can use in your code, either by writing a value in, or reading a value out. The simplest thing to do here is click on the link which says Promote Bindable Properties. This will create the DependencyProperty code for you (which you should not need to touch) and will add the bindings. The one point to note here is that you lose the ability to set the list of SearchAttributes directly in this interface. If you don’t click Promote Bindable Properties then, when you click on the elipses next to SelectionAttributes,  instead of the usual dialog allowing you to select or create a DependencyProperty, you get a box where you can enter the list of attributes you want returned as part of the resource loookup. In my case however I want to dynamically change the list of SelectionAttributes based on what’s been entered in the FIM Workflow, so I prefer to go with the bound property, as pictured here.

Set Initial Values

I regret to say that this bit took me ABOLUTELY AGES to figure out. Before you can use the ReadResourceActivity you have to set the “input” properties: ResourceId is the GUID of the object you wish to search for, ActorId is the GUID of the object doing the search – so you need to pick something with the MPR-granted rights to achieve this, and SelectionAttributes is the list of attributes to return. The way I am doing this is by creating a code activity before the ReadResourceActivity. I’ll set the input properties here, the ReadResourceActivity will run, and then I’ll be able to use the resulting Resource parameter in my code that follows. All I’ve done here is to drag in the Code activity and give it a name. When I double-click it the code block is automatically created and that red exclamation mark goes away. I then fill the Sub in as shown below. Note I could also set “Me.ReadTarget_ActorId1″ to “containingWorkflow.ActorId” which would make the ReadResourceActivity run with the rights of the workflow requestor, but I thought it interesting to show how you can use a different account for some steps.

    Private Sub InitializeReadResourceActivity_ExecuteCode(ByVal sender As System.Object, ByVal e As System.EventArgs)
        '' Set the ActorID to the Built-In Administrator account
        Me.ReadTarget_ActorId1 = New Guid("7fb2b853-24f0-4498-9534-4e10589723c4")

        '' Find the TargetID and use it to set the ResourceID on the ReadTarget actvity
        Dim containingWorkflow As SequentialWorkflow = Nothing
        If Not SequentialWorkflow.TryGetContainingWorkflow(Me, containingWorkflow) Then
            Throw New InvalidOperationException("Could not get parent workflow!")
        End If
        Me.ReadTarget_ResourceId1 = containingWorkflow.TargetId

        '' Set the list of Search Attributes based on your own requirements
        Dim targetSearchAttribs As String() = Nothing
        ' Add values to the targetSearchAttribs array as required
        Me.ReadTarget_SelectionAttributes1 = targetSearchAttribs

    End Sub

Using the Resource

In any code block following the ReadResourceActivity you can use the retrieved object via the Resource property – in this case, Me.ReadTarget _Resource1. To access a particular attribute value just put it’s name in brackets as shown. Obviously, I had to include AccountName in the array Me.ReadTarget_SelectionAttributes1 when I initialized it.

Troubleshooting

Actually I’m not going to list all the errors I saw here because they were many and varied and mostly due to my complete lack of understanding about how to use this activity. Hopefully, having walked you through it here, you won’ have the same problems!

I will mention however that the “UnwillingToPerform” error I saw a few times was connected to not setting the ActorId.

The Problem

The FIM Sync Service, just like its predecessors, only stores information about the current state of objects. Run History is almost completely worthless and should be cleared regularly. However there will be times when you will be asked to trace through a series of events – perhaps leading to the CEO’s account being inadvertently disabled. At times like this it is important to be able to show that FIM was just responding appropriately to an imported data change, and not acting maliciously in some skynet-esque awakening.

However, as we know, the import and export run profiles, while allowing a log file to be dumped, then helpfully overwrite it at the next run. We need a way to hang on to that historical data.

The Proposal

If you’re already running your tasks using vbscripts it’s pretty simple to add an extra step which copies the log file off to a datestamped version in an archive location (script below).

At the same time, we can do a little manipulation to the log file to make it more readable. By inserting a couple of lines in the top of the log file it can now be used with an XML Stylesheet, allowing it to be browsed in a nice table format.

Provisos

The log file will only be archived if you run your export and import jobs via your scripts. Anything run directly from the Sync Service GUI may still produce a log file, but it won’t be archived.

Also, the timestamp is a approximate as it represents the time the log was archived, rather than the exact time specific objects were modified in a target directory. But if you archive the log straight after the Export profile runs then it should be close enough for most purposes.

log.xsl

First, you need to create a folder somewhere with the same sub-folders as your MaData folder (in the script example below, I’m using D:\FIM\MALogArchives). Then, into this new folder, create a text file called “log.xsl” and paste in the following content.

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <html>
  <body>
    <h2><xsl:value-of select="top/xmlfile-time" /></h2>
    <table border="1">
      <tr bgcolor="#0066FF">
        <th>Operation</th>
        <th>DN</th>
        <th>Attributes</th>
      </tr>
      <xsl:for-each select="top/delta">

        <!-- Start a Row -->
      <tr>

  <!-- Operation and DN Columns -->
         <xsl:choose>
         <xsl:when test = "@newdn">
           <td><font size="2">rename</font></td>
           <td><font size="2"><xsl:value-of select="@dn" /><br></br><xsl:value-of select="@newdn" /></font></td>
         </xsl:when>
         <xsl:otherwise>
           <td><font size="2"><xsl:value-of select="@operation" /></font></td>
           <td><font size="2"><xsl:value-of select="@dn" /></font></td>
         </xsl:otherwise>
        </xsl:choose>

  <!-- Attributes Column -->
        <td>
        <table border="0">

          <!-- attributes -->
        <xsl:for-each select="dn-attr">
        <tr>

          <!-- Multi-valued -->
         <xsl:if test = "@multivalued='true'">
            <xsl:choose>
            <xsl:when test = "attr/@operation='add'">
              <td bgcolor="#CCFFCC"><font size="2"><xsl:value-of select="@name" /> add</font></td>
            </xsl:when>
            <xsl:when test = "attr/@operation='delete'">
              <td bgcolor="#CC6666"><font size="2"><xsl:value-of select="@name" /> delete</font></td>
            </xsl:when>
            <xsl:otherwise>
              <td bgcolor="#CCCCFF"><font size="2"><xsl:value-of select="@name" /></font></td>
            </xsl:otherwise>
            </xsl:choose>

            <td>
              <xsl:for-each select="dn-value">
                <table border="0">
                  <xsl:choose>
                  <xsl:when test = "@operation='delete'">
                    <tr><td><font size="2">delete: <xsl:value-of select="dn" /></font></td></tr>
                  </xsl:when>
                  <xsl:when test = "@operation='add'">
                    <tr><td><font size="2">add: <xsl:value-of select="dn" /></font></td></tr>
                  </xsl:when>
                  <xsl:otherwise>
                    <tr><td><font size="2"><xsl:value-of select="dn" /></font></td></tr>
                  </xsl:otherwise>
                  </xsl:choose>
                </table>
              </xsl:for-each>
            </td>
          </xsl:if>

          <!-- Single-valued -->
           <xsl:if test = "@multivalued='false'">
             <td bgcolor="#CCCCFF"><font size="2"><xsl:value-of select="@name" /></font></td>
             <td><font size="2"><xsl:value-of select="dn-value/dn" /></font></td>
           </xsl:if>

        </tr>
        </xsl:for-each>

        <!-- Ordinary attributes -->
        <xsl:for-each select="attr">
        <tr>

          <!-- Multi-value -->
          <xsl:if test = "@multivalued='true'">
            <xsl:choose>
            <xsl:when test = "attr/@operation='add'">
              <td bgcolor="#CCFFCC"><font size="2"><xsl:value-of select="@name" /> add</font></td>
            </xsl:when>
            <xsl:when test = "attr/@operation='delete'">
              <td bgcolor="#CC6666"><font size="2"><xsl:value-of select="@name" /> delete</font></td>
            </xsl:when>
            <xsl:otherwise>
              <td bgcolor="#CCCCFF"><font size="2"><xsl:value-of select="@name" /></font></td>
            </xsl:otherwise>
            </xsl:choose>

            <td>
              <xsl:for-each select="value">
                <table border="0">
                  <xsl:choose>
                  <xsl:when test = "@operation='delete'">
                    <tr><td><font size="2">delete: <xsl:value-of select="." /></font></td></tr>
                  </xsl:when>
                  <xsl:when test = "@operation='add'">
                    <tr><td><font size="2">add: <xsl:value-of select="." /></font></td></tr>
                  </xsl:when>
                  <xsl:otherwise>
                    <tr><td><font size="2"><xsl:value-of select="." /></font></td></tr>
                  </xsl:otherwise>
                  </xsl:choose>
                </table>
              </xsl:for-each>
            </td>
          </xsl:if>

          <!-- Single-valued -->
          <xsl:if test = "@multivalued='false'">
            <xsl:if test = "@name!='unicodePwd'">
            <xsl:if test = "@name!='msExchMailboxSecurityDescriptor'">
              <td bgcolor="#CCCCFF"><font size="2"><xsl:value-of select="@name" /></font></td>
              <td><font size="2"><xsl:value-of select="value" /></font></td>
            </xsl:if>
            </xsl:if>
          </xsl:if>

        </tr>
        </xsl:for-each>

        </table>
        </td>
      </tr>
      </xsl:for-each>
    </table>
  </body>
  </html>

</xsl:template>

</xsl:stylesheet>

ArchiveLog.vbs

Now here’s a vbscript that will copy the named log file, while modifying it to work with the stylesheet.

' This script copies the export and import logs to datestamped versions
' and modifies them to work with a stylesheet called ../log.xsl.
'
'   Usage: cscript archivelog.vbs MaName LogFileName
'
'   Eg:    cscript archivelog.vbs HR import.xml
'
' Written by Carol Wapshere

Option Explicit
Const XML_STYLESHEET = "..\log.xsl"
Const MIIS_FOLDER = "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service"
Const ARCHIVE_FOLDER = "D:\FIM\MALogArchives"
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Const Unicode = -1

Dim objFS, MaName, LogName
Set objFS = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count <> 2 Then
  Usage
End If

MaName = WScript.Arguments.Item(0)
LogName = WScript.Arguments.Item(1)

ArchiveLog MaName, LogName

Sub ArchiveLog(MA, LogFile)

  Dim objLogFile, objArchiveFile
  Dim strLogName, strArchiveName, logTime, dateStamp, strLine

  strLogName = MIIS_FOLDER & "\MaData\" & MA & "\" & LogFile
  If objFS.FileExists(strLogName) Then
    logTime = Now()
    dateStamp = DatePart("yyyy", logTime) & TwoChars("m", logTime) &_
                                 TwoChars("d", logTime) & TwoChars("h", logTime) &_
                                 TwoChars("n", logTime) & TwoChars("s", logTime)
    strArchiveName = ARCHIVE_FOLDER & "\" & MA & "\" & Split(LogFile,".")(0) & "_" & dateStamp & ".xml"
    set objLogFile = objFS.OpenTextFile(strLogName, ForReading, false, Unicode)
    set objArchiveFile = objFS.OpenTextFile(strArchiveName, ForWriting, true, Unicode)
    objLogFile.ReadLine()
    objArchiveFile.WriteLine("<?xml version=""1.0"" encoding=""UTF-16""?>")
    objArchiveFile.WriteLine("<?xml-stylesheet type=""text/xsl"" href=""" & XML_STYLESHEET & """?>")
    objArchiveFile.WriteLine("<top>")
    objArchiveFile.WriteLine("<xmlfile-time>")
    objArchiveFile.WriteLine(logTime)
    objArchiveFile.WriteLine("</xmlfile-time>")
    objLogFile.ReadLine() 'skip mmsml
    objLogFile.ReadLine() 'skip directory-entries
    strLine = objLogFile.ReadLine()
    Do Until InStr(strLine, "</directory-entries>") > 0
       objArchiveFile.WriteLine(strLine)
       strLine = objLogFile.ReadLine()
    Loop
    objArchiveFile.WriteLine("</top>")
    objLogFile.Close()
    objArchiveFile.Close()
  End If
End Sub

Function TwoChars(dtvar, time)
  Dim i
  i = DatePart(dtvar, time)
  If i < 10 Then
   TwoChars = "0" & CStr(i)
  Else
   TwoChars = CStr(i)
  End If
End Function

Sub Usage
  Wscript.echo "Usage: cscript archivelog.vbs MaName import|export"
  Wscript.Quit
End Sub

Modify the Run scripts

Your last step is to modify your scheduled scripts to archive the import/export log directly after the task has run.

cscript AD_Export.vbs
cscript ArchiveLog.vbs "AD MA" export.xml

Project Naming

If you want to use this as a starting point to writing more workflow activities then you should start by following the document How to: Create a Custom Activity Library, making the following changes for VB.NET:

1. Obviously, wherever it says “Visual C#” or “.vc” just using the VB.NET alternatives.

2. The “Application” tab is different for VB.NET:

• For the Assembly Name I ended up with ”FIM.CustomWorkflowActivitiesLibrary”
• There is no “Default namespace” setting that I can find. Instead I set Root namespace to “FIM.CustomWorkflowActivitiesLibrary.Activities”. (This means I also had to make a change to the Namespace definition in the WebUI code, and the namespace ended up a bit different to the example document – but hey, it worked.)
• You will find the Target Framework setting under Compile -> Advanced Compile Options.

For reference, my solution ends up looking like this:

and the Object Browser shows these namespaces and classes:

Build Settings

The walkthrough tells you how to add post-build steps so you don’t need to go through the process of putting your dll in the GAC and restarting FIM each time. Again the location for the modificaion is different for VB.NET. So you need to open the Solution Properties and then go to Compile -> Build Events. Paste the following lines in to the “Post-build event command line” box:

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\gacutil.exe" /i "$(TargetPath)"
net stop "Forefront Identity Manager Service"
net start "Forefront Identity Manager Service"


Adding FIM Out-of-Box Activities to the Toolbox

This section is basically the same for both VC# and VB.NET.

Note, however, that the doc says to clear all the existing workflow actions, but then later you need the Code action to still be in the Toolbox. I wouldn’t bother clearing the existing actions – just add your FIM ones.

Defining the activity sequence and properties

Here’s the RequestLoggingActivity code in VB.NET.

Imports System.Collections.Generic
Imports System.Collections.ObjectModel
Imports System.IO
Imports Microsoft.ResourceManagement.WebServices.WSResourceManagement
Imports Microsoft.ResourceManagement.Workflow.Activities

Public Class RequestLoggingActivity
    Inherits SequenceActivity

#Region "Public Workflow Properties"

    Public Shared ReadCurrentRequestActivity_CurrentRequestProperty As DependencyProperty = DependencyProperty.Register("ReadCurrentRequestActivity_CurrentRequest", GetType(Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType), GetType(RequestLoggingActivity))

    ''' <summary>
    '''  Stores information about the current request
    ''' </summary>
    <DesignerSerializationVisibilityAttribute(DesignerSerializationVisibility.Visible)> _
    <BrowsableAttribute(True)> _
    <CategoryAttribute("Misc")> _
    Public Property ReadCurrentRequestActivity_CurrentRequest() As RequestType
        Get
            Return DirectCast(MyBase.GetValue(ReadCurrentRequestActivity_CurrentRequestProperty), Microsoft.ResourceManagement.WebServices.WSResourceManagement.RequestType)
        End Get
        Set(ByVal value As RequestType)
            MyBase.SetValue(RequestLoggingActivity.ReadCurrentRequestActivity_CurrentRequestProperty, value)
        End Set
    End Property

    ''' <summary>
    '''  Identifies the Log File Path
    ''' </summary>
    Public Shared LogFilePathProperty As DependencyProperty = DependencyProperty.Register("LogFilePath", GetType(System.String), GetType(RequestLoggingActivity))
    <Description("Please specify the Log File Path")> _
    <DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)> _
    <Browsable(True)> _
    Public Property LogFilePath() As String
        Get
            Return DirectCast(MyBase.GetValue(RequestLoggingActivity.LogFilePathProperty), [String])
        End Get
        Set(ByVal value As String)
            MyBase.SetValue(RequestLoggingActivity.LogFilePathProperty, value)
        End Set
    End Property

    ''' <summary>
    '''  Identifies the Log File Name
    ''' </summary>
    Public Shared LogFileNameProperty As DependencyProperty = DependencyProperty.Register("LogFileName", GetType(System.String), GetType(RequestLoggingActivity))
    <Description("Please specify the Log File Path")> _
    <DesignerSerializationVisibility(DesignerSerializationVisibility.Visible)> _
    <Browsable(True)> _
    Public Property LogFileName() As String
        Get
            Return DirectCast(MyBase.GetValue(RequestLoggingActivity.LogFileNameProperty), [String])
        End Get
        Set(ByVal value As String)
            MyBase.SetValue(RequestLoggingActivity.LogFileNameProperty, value)
        End Set
    End Property
#End Region

#Region "Execution Logic"
    ''' <summary>
    ''' Defines to logic of the LogRequestDataToFile activity.
    ''' This code will be executed when the LogRequestDataToFile activity
    ''' becomes to active workflow.
    ''' </summary>
    ''' <param name="sender"></param>
    ''' <param name="e"></param>
    ''' <remarks></remarks>
    Private Sub LogRequestDataToFile_ExecuteCode(ByVal sender As System.Object, ByVal e As System.EventArgs)
        'Get current request from previous activity
        Dim currentRequest As RequestType = Me.ReadCurrentRequestActivity_CurrentRequest

        Try
            ' Output the Request type and object type
            Me.Log("Request Operation: " & currentRequest.Operation)
            Me.Log("Target Object Type: " & currentRequest.TargetObjectType)

            ' As UpdateRequestParameter derives from CreateRequestParameter we can simplify the code by deriving
            ' from CreateRequestParameter only.
            Dim requestParameters As ReadOnlyCollection(Of CreateRequestParameter) = currentRequest.ParseParameters(Of CreateRequestParameter)()

            ' Loop through CreateRequestParameters and print out each attribute/value pair
            Me.Log("Parameters for request: " + currentRequest.ObjectID.ToString)
            For Each requestParameter As CreateRequestParameter In requestParameters
                If requestParameter.Value IsNot Nothing Then
                    Me.Log(("     " + requestParameter.PropertyName & ": ") & requestParameter.Value.ToString())
                End If
            Next

            Dim containingWorkflow As SequentialWorkflow = Nothing
            ' In order to read the Workflow Dictionary we need to get the containing (parent) workflow
            If Not SequentialWorkflow.TryGetContainingWorkflow(Me, containingWorkflow) Then
                Throw New InvalidOperationException("Unable to get Containing Workflow")
            End If
            Me.Log("Containing Workflow Dictionary (WorkflowData):")
            ' Loop through Workflow Dictionary and log each attribute/value pair
            For Each item As KeyValuePair(Of String, Object) In containingWorkflow.WorkflowDictionary
                Me.Log(("     " & item.Key & ": ") & item.Value.ToString())
            Next
            Me.Log(vbLf & vbLf)
        Catch ex As Exception
            Me.Log("Logging Activity Exception Thrown: " & ex.Message)
        End Try
    End Sub
#End Region

#Region "Utility Functions"

    ' Prefix the current time to the message and log the message to the log file.
    Private Sub Log(ByVal message As String)
        Using log As New StreamWriter(Path.Combine(Me.LogFilePath, Me.LogFileName), True)
            'since the previous line is part of a "using" block, the file will automatically
            'be closed (even if writing to the file caused an exception to be thrown).
            'For more information see
            ' http://msdn.microsoft.com/en-us/library/yh598w02.aspx
            log.WriteLine(DateTime.Now.ToString("yyyy-MM-dd hh:mm:ss") + ": " & message)
        End Using
    End Sub

#End Region
End Class

Creating a User Interface for the Activity

Here’s the code for this section in VB.NET. Note that I have changed the Namespace definition to get round the VB.NET “Root namespace” setting working differently to the VC# “Default namespace” setting.

Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Text
Imports System.Web.UI.WebControls
Imports System.Workflow.ComponentModel
Imports Microsoft.IdentityManagement.WebUI.Controls
Imports Microsoft.ResourceManagement.Workflow.Activities
Imports FIM.CustomWorkflowActivitiesLibrary.Activities

Namespace WebUIs
    Class RequestLoggingActivitySettingsPart
        Inherits ActivitySettingsPart

        ''' <summary>
        ''' Called when a user clicks the Save button in the Workflow Designer.
        ''' Returns an instance of the RequestLoggingActivity class that
        ''' has its properties set to the values entered into the text box controls
        ''' used in the UI of the activity.
        ''' </summary>
        Public Overrides Function GenerateActivityOnWorkflow(ByVal workflow As SequentialWorkflow) As Activity
            If Not Me.ValidateInputs() Then
                Return Nothing
            End If
            Dim LoggingActivity As New RequestLoggingActivity()
            LoggingActivity.LogFilePath = Me.GetText("txtLogFilePath")
            LoggingActivity.LogFileName = Me.GetText("txtLogFileName")
            Return LoggingActivity
        End Function

        ''' <summary>
        ''' Called when editing the workflow activity settings.
        ''' </summary>
        Public Overrides Sub LoadActivitySettings(ByVal activity As Activity)
            Dim LoggingActivity As RequestLoggingActivity = TryCast(activity, RequestLoggingActivity)
            If LoggingActivity IsNot Nothing Then
                Me.SetText("txtLogFilePath", LoggingActivity.LogFilePath)
                Me.SetText("txtLogFileName", LoggingActivity.LogFileName)
            End If
        End Sub

        ''' <summary>
        ''' Saves the activity settings.
        ''' </summary>
        Public Overrides Function PersistSettings() As ActivitySettingsPartData
            Dim data As New ActivitySettingsPartData()
            data("LogFilePath") = Me.GetText("txtLogFilePath")
            data("LogFileName") = Me.GetText("txtLogFileName")
            Return data
        End Function

        ''' <summary>
        '''  Restores the activity settings in the UI
        ''' </summary>
        Public Overrides Sub RestoreSettings(ByVal data As ActivitySettingsPartData)
            If data IsNot Nothing Then
                Me.SetText("txtLogFilePath", DirectCast(data("LogFilePath"), String))
                Me.SetText("txtLogFileName", DirectCast(data("LogFileName"), String))
            End If
        End Sub

        ''' <summary>
        '''  Switches the activity between read only and read/write mode
        ''' </summary>
        Public Overrides Sub SwitchMode(ByVal mode As ActivitySettingsPartMode)
            Dim [readOnly] As Boolean = (mode = ActivitySettingsPartMode.View)
            Me.SetTextBoxReadOnlyOption("txtLogFilePath", [readOnly])
            Me.SetTextBoxReadOnlyOption("txtLogFileName", [readOnly])
        End Sub

        ''' <summary>
        '''  Returns the activity name.
        ''' </summary>
        Public Overrides ReadOnly Property Title() As String
            Get
                Return "Request Logging Activity"
            End Get
        End Property

        ''' <summary>
        '''  In general, this method should be used to validate information entered
        '''  by the user when the activity is added to a workflow in the Workflow
        '''  Designer.
        '''  We could add code to verify that the log file path already exists on
        '''  the server that is hosting the FIM Portal and check that the activity
        '''  has permission to write to that location. However, the code
        '''  would only check if the log file path exists when the
        '''  activity is added to a workflow in the workflow designer. This class
        '''  will not be used when the activity is actually run.
        '''  For this activity we will just return true.
        ''' </summary>
        Public Overrides Function ValidateInputs() As Boolean
            Return True
        End Function

        ''' <summary>
        '''  Creates a Table that contains the controls used by the activity UI
        '''  in the Workflow Designer of the FIM portal. Adds that Table to the
        '''  collection of Controls that defines each activity that can be selected
        '''  in the Workflow Designer of the FIM Portal. Calls the base class of
        '''  ActivitySettingsPart to render the controls in the UI.
        ''' </summary>
        Protected Overrides Sub CreateChildControls()
            Dim controlLayoutTable As Table
            controlLayoutTable = New Table()

            'Width is set to 100% of the control size
            controlLayoutTable.Width = Unit.Percentage(100.0)
            controlLayoutTable.BorderWidth = 0
            controlLayoutTable.CellPadding = 2
            'Add a TableRow for each textbox in the UI
            controlLayoutTable.Rows.Add(Me.AddTableRowTextBox("Log File Path:", "txtLogFilePath", 400, 100, False, "Enter the log file Path."))
            controlLayoutTable.Rows.Add(Me.AddTableRowTextBox("Log File Name:", "txtLogFileName", 400, 100, False, "Enter the log file Name."))
            Me.Controls.Add(controlLayoutTable)

            MyBase.CreateChildControls()
        End Sub

#Region "Utility Functions"
        'Create a TableRow that contains a label and a textbox.
        Private Function AddTableRowTextBox(ByVal labelText As [String], ByVal controlID As [String], ByVal width As Integer, ByVal maxLength As Integer, ByVal multiLine As [Boolean], ByVal defaultValue As [String]) As TableRow
            Dim row As New TableRow()
            Dim labelCell As New TableCell()
            Dim controlCell As New TableCell()
            Dim oLabel As New Label()
            Dim oText As New TextBox()

            oLabel.Text = labelText
            oLabel.CssClass = MyBase.LabelCssClass
            labelCell.Controls.Add(oLabel)
            oText.ID = controlID
            oText.CssClass = MyBase.TextBoxCssClass
            oText.Text = defaultValue
            oText.MaxLength = maxLength
            oText.Width = width
            If multiLine Then
                oText.TextMode = TextBoxMode.MultiLine
                oText.Rows = System.Math.Min(6, (maxLength + 60) \ 60)
                oText.Wrap = True
            End If
            controlCell.Controls.Add(oText)
            row.Cells.Add(labelCell)
            row.Cells.Add(controlCell)
            Return row
        End Function

        Private Function GetText(ByVal textBoxID As String) As String
            Dim textBox As TextBox = DirectCast(Me.FindControl(textBoxID), TextBox)
            Return If(textBox.Text, [String].Empty)
        End Function

        Private Sub SetText(ByVal textBoxID As String, ByVal text As String)
            Dim textBox As TextBox = DirectCast(Me.FindControl(textBoxID), TextBox)
            If textBox IsNot Nothing Then
                textBox.Text = text
            Else
                textBox.Text = ""
            End If
        End Sub

        'Set the text box to read mode or read/write mode
        Private Sub SetTextBoxReadOnlyOption(ByVal textBoxID As String, ByVal [readOnly] As Boolean)
            Dim textBox As TextBox = DirectCast(Me.FindControl(textBoxID), TextBox)
            textBox.[ReadOnly] = [readOnly]
        End Sub
#End Region

    End Class

End Namespace

Building the Assembly and Loading it into the FIM Portal

This is exactly the same for VB.NET.

Configuring the Activity in FIM

This section is a little different because of the change I was forced to make to the WebUI namespace. Also, if you’ve followed my advice about using the general-purpose library name, and not a library name just for the Logging activity, then you’re going to end up with a different DLL name as well.

Troubleshooting

See Things I’ve been learning about debugging custom workflows.

Object Browser

The first mistake I made was to get the Type Name wrong in the Activity Information Configuration (AIC) object. This turned out to be because VB.NET handles the default namespace differently to VC# and my WebUI part ended up with a completely different name than I’d expected. By using the Object Browser (opened from the View menu in Visual Studio) I could immediately see what the Type Name should have been.

Here’s a picture of what my project currently looks like:

So when configuring my AIC for the RequestLoggingActvity I set Activity Name = “FIM.CustomWorkflowActivitiesLibrary.Activities.RequestLoggingActivity” and Type Name = “FIM.CustomWorkflowActivitiesLibrary.Activities.WebUIs.RequestLoggingActivitySettingsPart”.

And when configuring an AIC for the PowershellActivity I set Activity Name = “FIM.CustomWorkflowActivitiesLibrary.Activities.PowershellActivity” and Type Name = “FIM.CustomWorkflowActivitiesLibrary.Activities.WebUIs.PowershellActivitySettingsPart”.

Enable Portal Trace Logging

I knew how to enable trace logging for the FIM Service, but until Anthony told me how, I had no idea you could get a different service trace from the Portal. Have a look at this thread on the FIM forum where he tells me how to enable it by editing the web.config file.

Attach the VS Debugger

There is an official document called Debugging Custom Activities but it misses out one crucial step. I compiled my code with full Debug selected, but I kept getting “No symbols have been loaded”. The missing step is covered in this blog post: You Don’t Need to Copy PDB Files to Debug in the GAC!

The document tells you to attach to Microsoft.ResourceManagement.Service.exe to debug the activity execution part, and to w3wp.exe to troubleshoot the UI part, but doesn’t mention that there might be a number of instances of w3wp.exe and you need to get the right one. Just attach to them in turn until your breakpoints are hittable.

Also note, if you’re getting an Access Denied message when trying to attach the debugger you need to make sure you select Managed code. This is mentioned in the documentation, but easy to miss.

I also had a problem with the compile options being set to “optimized” by default. When I attached the debugger all the variables appeared to be “Nothing” and loops were skipped straight through. After wasting several days on this I figured out that I had to go into Properties -> Compile -> Advanced Compile Options and remove the tick next to “Enable optimizations”.

Write messages into the Event Log

This is just something I like to do because it’s easy to create events and it’s a good way to track errors, or indeed as a confirmation that your code has actually run. This vb.net function can be used to create events.

Make a simple console application that you can run directly

It is more complicated to debug your code with Sharepoint and FIM in the mix so it can help to copy your code into a simpler form that you can run directly.

For the Activity code you could try copying it to a simple Console application, using hard-coded constants in place of the values that should come from the workflow activity definition in the Portal. Depending on the nature of your activity you may be able to run and test the code standalone before encorportaing it into your FIM activity.

It’s harder to test the WebUI part of the code on it’s own (at least, I don’t know how to) but you can call the WebUI part of your dll direct from a Console appliaction and run it in Visual Studio. While it doesn’t do anything it will at least show you directly any error messages.

In the following Console app there are two arguments to Activator.CreateInstance. The first is the Assembly Name string from the AIC, and the second is the Type Name string.

Module Module1

    Sub Main()
        Activator.CreateInstance("Microsoft.IdentityManagement.Activities, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35", "Microsoft.IdentityManagement.WebUI.Controls.PWResetActivitySettingsPart")
    End Sub

End Module

Get the Right Source Code

There are actually two OpenLDAP XMAs available on sourceforge – the original Kernel Networks one, and a more recent update of it. I wasted a lot of time trying to recompile the Kernel one before I figured out that I really needed this one.

Next – there is no point downloading the compiled version if you want to install it on FIM. You need to get the latest source code, and to do that you have to install a SVN tool (I used SlikSVN) and then run this command to retrieve the source code:

svn co https://openldap-xma.svn.sourceforge.net/svnroot/openldap-xma openldap-xma

Compile

You need to have Visual Studio 2008 installed with the Visual C# options. Then you can open the OpenLDAP XMA.sln file and the project will be converted to 2008 format.

Reference

Next you need to change the reference to the old Microsoft. MetadirectoryServices library to the new Microsoft. MetadirectoryServicesEx library. You will file the library dll in  C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Assemblies.

Build Location

To have the compiled DLL put straight in the correct location, open the Properties of the OpenLDAP XMA project, click on the Build tab, and then change the Output location to the <FIM Sync Service>\Extensions folder.

You should now be able to compile the code.

Register the MA Type

I really couldn’t be bothered to work out how to compile the installation program, so this means I had to register the new MA type myself – but actually it’s pretty easy.

In the MSIPackager\Install Files folder you will find a file called OLXMAPackage.xml. Copy this file to <FIM Sync Service>\UIShell\XMLs\PackagedMAs.

Next open regedit and locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\ManagementAgents. Add a new String Value called “OpenLDAP” with the value “{275E6505-9465-4460-A6EB-D1371C863858}”. (That value is taken from the XML file we just copied – I’m not sure if it ever changes in subsequent releases.)

Now, when you restart the Synchronization Service Manager, you should find the new MA type listed in the Create Wizard.

Testing so far

I am not running this in production just yet. I have successfully connected to an OpenLDAP directory (version 3), imported existing objects and provisioned and de-provisioned an inetOrgPerson. I have not yet tried the password sync.

The message was something along the lines of “account not found”, mentioning the service account which runs the FIM Service. The account is a domain account and is certainly there. I’m afraid I didn’t write down the exact wording.

I did have a backup of the database but I wanted to try a reinstall first. Annoyingly the updates had dissappeared from my Windows Update list. I could see them in the update history with a status of “Failed”, but there was no way to retry the installation.

I had searched for a downloadable version of Update 1 before and not found it. What I have now discovered is you can download these updates direct from the Microsoft Update Catalog. Just search on “Forefront Identity” and there they all are.

So first I reinstalled the Sync Service from the original RTM files. I had to manually remove the service account from the SQL Security/Logins list. There was a warning about the database version being higher than the software I was installing, but at least the install completed.

I was then able to successfully install the update that I had downloaded from the Update Catalog. This time it went through perfectly with no silly messages about accounts not found.

I also reinstalled the Portal And Service Update (without reinstalling the RTM code). It all seems to be ok now!

Addendum – reinstall of the Portal

The following day the Portal had stopped working. In the event log was the message “The Portal cannot connect to the middle tier using the web service interface.” There seem to be a number of different causes for this error, and nothing I tried was making any difference. Eventually I decided to reinstall using the existing database.

Reinstalling just the update made no difference. I tried a repair from the RTM setup – also no change. I then completely uninstalled the Service and Portal and attempted to reinstall from the RTM setup. The install would get right to then end then say that it had “ended prematurely due to an eror”, but didn’t tell me what the error was.

I figured it was probably because the database had been modified by the update, but I was trying to install an earlier version of the software. Not nearly so friendly as the Sync Service installation which just gave me a polite warning. At the moment this particular system is in the early dev stage and I haven’t been given enough diskspace for more than a single backup of each DB – and of course the backup ran overnight and overwrote my pre-update version. However, after having waited two days for the initial data load, I was very keen to keep the current database.

What worked in the end was this: I backed up and dropped the FIMService database. I then installed RTM with a fresh DB, and tested the Portal worked. I then installed the update and tested the Portal. Finally I dropped the new DB, restored the old one, and restarted the FIM sevice. Amazingly it has worked and I now have a functioning Portal with all my data!

I wonder if it will still be working tomorrow…