Account Provisioning Using MIIS 2003 - PowerPoint PPT Presentation

1
Account Provisioning Using MIIS 2003
George Bryan, Project Leader (grbryan@ufl.edu)
Mike Kanofsky, Technology Expert (mikekano@ufl.edu)
Presented at the Microsoft Higher Education Conference, Redmond, Washington, April 27, 2005
2
Design Elements
  • Architecture
  • Account Management
  • Network Managed By
  • Organizational Unit Structure
  • Auto-Groups
  • Password Management

3
  • 46,000 undergrads
  • 15,000 faculty / staff

4
Design Elements
  • Architecture
  • Account provisioning design is based on Windows
    2003 Native Mode configured for Single Forest and
    Single Domain
  • User accounts and groups are provisioned using
    authoritative data sources (PeopleSoft, Campus
    Registry, and Registrar)
  • Schema extensions for custom attributes and
    permissions were added to Active Directory and
    the MIIS Metaverse
  • MS SQL 2000 provides a staging area for all data
    sources and single authoritative data source for
    MIIS
  • MIIS performs the role of broker for all user
    accounts.
  • Custom .NET applications are used to maintain
    Auto-Groups.

5
Design Elements
  • Account Management
  • All faculty, staff and students are represented
    in Active Directory.
  • Accounts are uniquely identified by their UFID
    (employeeID)
  • All accounts are attributable to persons with the
    exception of authorized management and service
    accounts
  • Accounts are a single credential for web,
    PeopleSoft and LAN
  • Account objects are placed into Active Directory
    according to their Network Managed By
    attribute
  • Source of account management data is Campus
    Registry (DB2).
  • Types of account management transactions include
    create, delete, update, disable and enable
  • Account transactions are processed every 15
    minutes
  • Account management is global, rights management
    is local

6
Design Elements
  • Network Managed By
  • The Network Managed By attribute controls the user's
    Organizational Unit
  • Initially Network Managed By is set to the user's
    Home department according to the HR data in
    PeopleSoft
  • Enables a user's account to be managed by a
    department other than their Home department
  • Dual appointments (users in more than one
    differing departments) must be mitigated by unit
    administrators of those departments. The CIO has
    final authority in case of discrepancy
  • Security Groups can be used as an alternative to
    Network Managed By for managing user objects
  • Changes to the Network Managed By attribute are
    limited to Directory Coordinators

7
Design Elements
Network Managed By Example
8
Design Elements
  • Organizational Unit Structure
  • Based on DepartmentID from HR tree-node data from
    PeopleSoft
  • There are provisions for colleges/departments to
    customize the HR structure if necessary to
    conform to IT structure
  • Edits to the HR structure must be approved at
    college level
  • Types of edits are:
  • Custom Names: shorter names to make OUs more
    identifiable.
  • Pruning Levels: compress OU levels to facilitate
    administration.
  • Custom OUs: create a placeholder OU to hold
    other units.
  • Custom Parents: units not directly under the parent
    unit structure.
  • Redirect: redirect users into a specified OU

9
Design Elements
Organizational Unit Structure with Edits (before and after)
10
Design Elements
  • Auto-Groups
  • Unit Auto-Groups
  • Based on Organizational Unit membership
  • Student Course Auto-Groups based on student
    course data
  • Permissions assigned according to FERPA
    requirements
  • Members tab on course available to unit
    administrators and faculty only
  • Member of tab on student object available to
    unit administrators and faculty only
  • Read Group Membership security group created
    to secure these attributes
  • Administrators and Faculty held to special trust
    agreement
  • Updated once daily from Student Warehouse (MS SQL
    2000)
  • Custom .NET applications used to create and
    manage Auto-Groups.

11
Design Elements
Unit Auto-Groups Based on Organizational Unit membership
Name Format: _<college>-<parent department>-<department>_autoGS
12
Design Elements
Student Course Groups (diagram labels): Course_Section_Term, Department, Course_Term, College
13
Design Elements
  • Securing Student Auto-Groups
  • Changes to Built-in Groups
  • Remove Authenticated Users from Pre-Windows
    2000 Compatible Access
  • For OU containing Student Auto-Groups
  • Add a DENY for Domain Users for Read Member
    for Group objects
  • Add Authenticated Users Read permissions for
    This object and all child objects
  • Note: the advanced permissions will look like:
  • Grant List Contents
  • Grant Read All Properties
  • Grant Read All Permissions
  • For each group in the Student Course Auto-Groups
    OU
  • Remove Read All Properties from Authenticated
    Users
  • Remove Read All Properties From Self
  • Add Read permissions for Read Group Members
    (users with delegated authority to read group
    membership)
  • User OU permissions
  • Add Read permissions for Read Group Members
    for This object and all child objects
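The OU-level DENY and the per-group check from the steps above, written up as an added PowerShell example (not code from the presentation or the UF project). It assumes the ActiveDirectory module and an OU path of your own; the schemaIDGUIDs for the `member` attribute and the `group` class are looked up from the schema rather than hard-coded.

```powershell
Import-Module ActiveDirectory

$ouDn     = 'OU=Student Course Auto-Groups,OU=Auto-Groups,DC=example,DC=edu'   # assumed OU path
$domain   = Get-ADDomain
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema instead of hard-coding them
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$o.schemaIDGUID
}

# Step 1 (on the OU): DENY Domain Users (RID 513) ReadProperty on "member",
# inherited by group objects only. An explicit deny wins over inherited allows.
$domainUsers = [System.Security.Principal.SecurityIdentifier]"$($domain.DomainSID)-513"
$deny = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $domainUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    (Get-SchemaGuid 'member'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    (Get-SchemaGuid 'group')
)
$ouAcl = Get-Acl -Path "AD:\$ouDn"
$ouAcl.AddAccessRule($deny)
Set-Acl -Path "AD:\$ouDn" -AclObject $ouAcl

# Step 2 (per group): "Read All Properties" shows up as an Allow ReadProperty ACE
# with an empty ObjectType. Flag it when held by Authenticated Users or SELF.
function Test-AutoGroupAcl([string]$GroupDn) {
    $acl      = Get-Acl -Path "AD:\$GroupDn"
    $rules    = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $leaks = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (@('S-1-5-11', 'S-1-5-10') -contains $_.IdentityReference.Value) -and
        (($_.ActiveDirectoryRights -band $readProp) -ne 0) -and
        $_.ObjectType -eq [Guid]::Empty
    }
    return (@($leaks).Count -eq 0)
}

# Audit every Student Course Auto-Group directly under the OU
Get-ADGroup -SearchBase $ouDn -SearchScope OneLevel -Filter * | ForEach-Object {
    if (-not (Test-AutoGroupAcl $_.DistinguishedName)) {
        Write-Warning "Membership of $($_.Name) is readable by all users: $($_.DistinguishedName)"
    }
}
```

The audit only reports; re-run it after any delegation change, since a new "Read All Properties" grant on a group reopens the enumeration the OU deny was meant to close.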

14
Design Elements
  • Securing Student Auto-Groups

Since we have created groups for each course here
at the University of Florida, viewing a user's
properties via the command line (NET USER
username /domain) would yield results similar to
those shown on the slide. Note that from this one
can see that the user student-perm1 is in two
courses, COURSE-001 and COURSE-002.
15
Design Elements
  • Securing Student Auto-Groups

Also, a user could enumerate all of the members of
a group using (NET GROUP groupname /domain),
which returns the membership shown on the slide.
16
Design Elements
  • Securing Student Auto-Groups

Our goal is to allow only administrators and
trusted unit administrators the rights to view
group memberships and user properties, while
allowing the user to look at their own
information.
Note: the Member Of tab will only show Domain
Users to unprivileged users, whereas a privileged
user will be able to see the full Member Of tab;
users can also see their own group membership.
17
Design Elements
  • Securing Student Auto-Groups

Users can enumerate a group if they are a member
of that group and that group is not a Student
AutoGroup. Non-privileged users will get an
access denied when attempting to enumerate any
Student AutoGroup (even if they are a member of
the group).
18
Design Elements
  • Securing Student Auto-Groups

Only privileged users can see the membership
19
Design Elements
  • Password management policy
  • Password management policy includes five security
    roles and is enforced using Single Domain
  • Schema extension (GLPwdExpired) for password
    management
  • Password Expiration notification script
  • Passwords are managed by UF Bridges according to
    the UF password policy
  • Password changes are accomplished using LDAPS
    from middleware maintained currently by Academic
    Technologies. This system will be replaced in Q4
    of this year with a web-services component we
    will maintain

20
MIIS Components
  • MIIS is a State-Based system.
  • State-Based systems do not expect to be
    specifically notified when their source data
    changes. Instead, they rely on knowledge of the
    state of data before and after the change, in
    order to infer that a change has taken place.

21
MIIS Components
  • MIIS makes use of Holograms.
  • MIIS achieves its knowledge of data changes by
    the storage of a hologram which represents the
    current view of the data stored in the
    Connected Directory (CD).
  • During a subsequent check of the data in the
    connected directory, the data in the CD is read,
    and compared with the hologram. If any
    differences are detected between the two (for
    example, the values for the Job Title attribute
    do not match), a change is inferred, and the
    change is passed to the MIIS 2003 Sync Engine to
    be propagated into the Metaverse and to other
    connected directories.
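A small model of the hologram comparison described above, added here as an example (not code from the presentation or from MIIS itself). Objects are keyed on employeeID (the UFID); the sample data is constructed so that one person's title and telephone number changed, one person is new and one no longer appears in the connected directory.

```powershell
# Compare the stored hologram (last run's view of the CD) with a fresh read of the
# CD and infer Add / Update / Delete changes, listing the attributes that differ.
function Compare-Hologram {
    param(
        [hashtable]$Hologram,   # anchor -> @{ attribute = value }   (stored view)
        [hashtable]$Current     # anchor -> @{ attribute = value }   (fresh read)
    )
    $changes = @()
    foreach ($id in $Current.Keys) {
        if (-not $Hologram.ContainsKey($id)) {
            # Present in the CD but not in the hologram: a new object
            $changes += [pscustomobject]@{ Anchor = $id; Type = 'Add'; Attributes = @($Current[$id].Keys) }
            continue
        }
        $old = $Hologram[$id]; $new = $Current[$id]
        $diff = @()
        # Union of attribute names, so attributes added or cleared are also caught
        foreach ($attr in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
            if ($old[$attr] -cne $new[$attr]) { $diff += $attr }
        }
        if ($diff.Count -gt 0) {
            $changes += [pscustomobject]@{ Anchor = $id; Type = 'Update'; Attributes = $diff }
        }
    }
    foreach ($id in $Hologram.Keys) {
        if (-not $Current.ContainsKey($id)) {
            # In the hologram but gone from the CD: the object was removed
            $changes += [pscustomobject]@{ Anchor = $id; Type = 'Delete'; Attributes = @() }
        }
    }
    $changes
}

# Constructed sample data (UFIDs and values are made up)
$hologram = @{
    '12345678' = @{ title = 'Analyst';   department = '1101'; telephoneNumber = '352-555-0100' }
    '23456789' = @{ title = 'Professor'; department = '2201'; telephoneNumber = '352-555-0101' }
}
$current = @{
    '12345678' = @{ title = 'Senior Analyst'; department = '1101'; telephoneNumber = '352-555-0199' }
    '34567890' = @{ title = 'Registrar';      department = '3301'; telephoneNumber = '352-555-0102' }
}
Compare-Hologram -Hologram $hologram -Current $current | Format-Table -AutoSize
```

Only the changed attributes are reported, which is what the sync engine then propagates to the Metaverse; an unchanged `department` produces no change record.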

22
MIIS Components
  • State-Based Versus Transaction-Based Systems
  • State-based systems expend more resources in the
    reading of data from the CD than do event-based
    systems, but benefit from the absence of a
    requirement for laborious management of change
    messages.
  • In addition, they simply require the ability to
    read from (and perhaps write to) the connected
    systems; no agents are required at the CD
    systems to send and receive the change messages.

23
MIIS Components
MIIS architecture (diagram labels): Connected Directories; MIIS Store (UFSQL01); Connector Spaces; Metaverse; SQL tables tbl_ALL_AD_DATA and tbl_ALL_AD_DATA_DELTA; UF AD MA; Import; Email (filtered Exchange mailNicknames); Active Directory
24
Data Flow (diagram labels): "I think I'll change my telephone number and change my password."; Default-First-Site; directory information change; password changes are sent immediately; PeopleSoft Portal (my.ufl.edu); GatorLink password middleware (PERL/LDAPS); 15 minute interval; Registrar Data (student course info); Campus Registry (directory information)
25
SQL DTS packages (Data Transformation Services)
  • Harvest
  • Fetch
  • Backups
  • Clean MIIS Logs
  • Auto-Groups
  • Student Groups

28
MIIS Components
  • MIIS Event Schedule
  • Deltas for user and group updates occur every 15
    minutes.
  • Full Import and Synchronization performed each
    evening as basic maintenance before backups.

29
Microsoft Identity Integration Server 2003
Resource Tool Kit 2.0
  • A set of command line and UI-based tools for
    remote administration and configuration of a
    server running Microsoft Identity Integration
    Server 2003. Requires the .NET 1.1 Framework. Some
    of the tools we find most useful:
  • AttributeFlowViewer
  • All Metaverse attribute information exported to
    an HTML file for ease of viewing.
  • MASequencer
  • Used to automate the order in which management
    agents are run. It can also perform stop,
    resume, or pause operations interactively on the
    management agents. MASequencer uses input from an
    XML file, which contains information about the
    management agents to be sequenced.
  • MASequenceConfiguration
  • Generates an XML file used as an input for
    MASequencer. You can also use MASequenceConfiguration
    to start the sequence of management agent
    run profiles instead of MASequencer.
  • MIIS Service Monitor
  • Polls an MIIS 2003 server at regular intervals
    and returns system statistics
  • Complete description in Online Help or at
    http://www.microsoft.com/windowsserversystem/miis2003/default.mspx
  • Other Tools
  • Clearmiisrunhist.vbs
  • A VBS script we created that clears MIIS run
    history through WMI and keeps X number of days
    before current date.
  • MIIS Document Generator
  • Documenter takes the output XML files created by
    MIIS 2003 and produces a Word report which
    documents your systems. It achieves this by
    producing a text file which is imported into a
    MIIS report template by a Microsoft Word macro
    and then converted into the report.
  • The final report can be customized using a
    control file and further enhanced using
    additional Microsoft Word documents; specifically
    you can:
  • Insert other Microsoft Word documents into the
    report

30
MIIS Advantages / Disadvantages
  • Advantages
  • Built-in reporting.
  • Tight Integration with Visual Studio for
    debugging and troubleshooting.
  • Expands easily to accommodate new Connected
    Directories.
  • Management Agents that port to a wide spectrum
    of platforms, plus provisions for writing your own
    custom MAs.
  • Out-of-the-box connectivity to most network
    operating systems (NOS), e-mail, database,
    directory, application, and even flat-file
    access.
  • Saves a lot of tedious code writing.
  • WMI integration allows MIIS 2003 to be interfaced
    to management consoles like Microsoft Operations
    Manager (MOM), HP OpenView, Tivoli, and other
    third-party consoles.
  • Can also provide password management across
    multiple platforms.
  • Disadvantages
  • Cost: about 8,000 per processor
  • Requires Enterprise SQL. This can be offset by
    purchasing per CAL for SQL.
  • Requires provisioning code. More advanced
    features require more code.
  • Multi-valued Fields in SQL 2000 not supported
    currently. Can be overcome by custom code.

31
Microsoft Identity Integration Server 2003
  • Resources
  • Whitepapers
  • http://www.microsoft.com/windowsserversystem/miis2003/default.mspx
  • NETPRO Directory Experts Conference
  • http://www.netpro.com/events/dec2005/agenda.cfm
  • Microsoft Identity Integration Server Users
    Group
  • MSUG@yahoogroups.com
  • MMSUG-subscribe@yahoogroups.com
  • MIIS 2003, Enterprise Edition Training
  • http://www.sqlsoft.com/Public/Promos/MIIS2003/?Ref=MIIS
  • MIIS Alliance
  • http://www.miis-alliance.com/news/050314.html
  • NetPro's Mission Control for managing MIIS
  • http://www.miis-alliance.com/resources/NetPro_MissionControl_for_MIIS_datasheet.pdf

32
Additional Info
  • See the UFAD web site at www.ad.ufl.edu
  • Contact George Bryan (grbryan@ufl.edu) or Mike
    Kanofsky (mikekano@ufl.edu)

34
Multiple Password Policies
  • User Security Roles Implemented in PeopleSoft
  • Enforced in UFAD
  • Schema extension GLPwdExpired
  • GLPwdExpired comes from Portal when password is
    set.
  • Backend process on SQL server resets user
    passwords to random value if they have not reset
    their password by the expiration time
  • Eliminates need for multiple domains

35
Password Expiration Notification Messages
Password change notifications are sent via email.
Also, we developed a VBS script (shown above) that
departments can link to via GPO. When users click
on the Yes link they are redirected to the
my.ufl.edu web portal where they can change their
password.
36
Password Notification Script
37
GatorLink Password Policy
  • The GatorLink username and password is the
    University standard username and password for
    authentication for all new information systems.
    The University uses a role-based approach for
    providing access to these systems. Each person
    affiliated with UF has one or more security
    roles. Each security role has an associated
    password policy. If an individual has several
    roles, with conflicting password policies, the
    strongest policy applies.
  • This policy is guided by the following
    principles
  • Five levels of password policy are necessary,
    each with a different set of requirements for
    password creation and reset. (See Attachment A).
  • The assignment of a password policy is based on
    an individual's security role(s) and is not an
    automatic result of an affiliation or staff
    position.
  • Passwords must include three of the following
    four elements: upper case letters, lower case
    letters, digits and punctuation. Passwords may
    not contain words found in a dictionary.
  • Passwords will expire during UF Help Desk
    business hours.
  • GatorLink passwords and security roles, and the
    resulting association of password policy to a
    user, are held in the PeopleSoft Enterprise Portal
    system (myUFL) and managed by UF Bridges

38
UF's Password Roles
40
Exchange 2003 Implementation
  • Challenges
  • Multiple Administrative Groups
  • Multiple Routing Groups
  • Routing Group connectors
  • Multiple Recipient Policies
  • Multiple Address Book Views
  • Many now based on Auto-Groups
  • Display Names pulled from Campus Registry
  • Intelligent Message Filter

41
Exchange Administrative Groups and Routing
42
Exchange 2003 Front-end Design
  • Centralized Front-ends available to all
    departments
  • AEP SSL Accelerator cards used to enhance
    performance
  • Additions from MessageWare
  • Enhanced Address Book
  • Spell Checker in Basic web client
  • Design to be enhanced with ISA Server 2004 and
    Rainfinity Rainwall
  • Rainwall provides High Availability Load
    Balancing for ISA Server

43
Exchange 2003 Front-end Design
44
Exchange Theme Customization
http://support.microsoft.com/default.aspx?scid=kb;en-us;827991
(this IIS hotfix allows users to type only their
username and not domain\username)
45
OWA Customization
http://www.msexchange.org/pages/article_p.asp?id=628
46
MessageWare PlusPack
  • Adds Spellchecker to basic client
  • Enhanced Address Book Viewer

47
Account Provisioning Using MIIS 2003
Thank You
Contact info: Website www.ad.ufl.edu, Phone (352) 273-1211
George Bryan, Project Leader (grbryan@ufl.edu)
Mike Kanofsky, Technology Expert (mikekano@ufl.edu)
Does anybody have any questions?
Presented at the Microsoft Higher Education
Conference Redmond, Washington April 27, 2005