FIMCM Provision through Powershell

  • Question

  • I'm interested in building my own FIMCM management agent using Granfeldt's excellent PSMA extension for FIM. What I want to do is to create a smart card enrollment request ready for the enrollment (Execute) after the user has been provisioned to Active Directory.

    Now the problem comes with how to do this. I have little pieces of information, and this is acting as my starting point: http://www.integrationtrench.com/2010/11/use-fim-cm-provision-api-from.html. Now the question is, how do I configure this to work through HTTPS, remotely (FIM and FIMCM are on separate servers) and using Kerberos?

    If someone has any examples or working solution already, it would be very helpful... thanks!

    Tuesday, July 22, 2014 7:02 PM

Answers

  • Just an update for this, I did accomplish what I wanted with a couple of definitely not supported configuration changes:

    • Created 3 SQL views for FIMCM database (one for active smartcards, one for external requests and one for active requests that wait for enrollment already)
    • Used Granfeldt's PSMA to create FIMCM import script that checks if the user in question has a smart card or a request (either in the external requests view or in the active one) and outputs that in the $obj hashtable. This way all the users that already have a card or a request made won't get re-provisioned in the MA.
    • Created export script that uses the SQL API to create a request for smart card
    • Created sync rules in the portal to make this all happen

    This could've been done without the SQL views also, but I liked to do it with those because it just made things more clear.

    • Marked as answer by Narcoticoo Saturday, April 18, 2015 5:11 AM
    Saturday, April 18, 2015 5:11 AM
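
The import-side check described in this answer, sketched as an added example (not the poster's script and not FIMCM or PSMA code): it collapses request-based FIMCM data into one state record per user so that FIM Sync only exports a card request for users who have neither a card nor an open request. The view columns, the `hasSmartCard`/`hasRequest` attribute names and the sample rows are hypothetical; the real FIMCM schema does not appear on this page.

```powershell
# Constructed sample rows standing in for the result sets of the three SQL
# views (active cards, external requests, requests waiting for enrollment).
# The column name 'Sam' is hypothetical.
$activeCards      = @([pscustomobject]@{ Sam = 'alice' })
$externalRequests = @([pscustomobject]@{ Sam = 'bob' })
$pendingRequests  = @([pscustomobject]@{ Sam = 'Carol' })
$adUsers          = 'alice', 'bob', 'carol', 'dave'

function Get-CardState {
    param(
        [string[]] $Users,
        [object[]] $ActiveCards,
        [object[]] $ExternalRequests,
        [object[]] $PendingRequests
    )
    # PowerShell hashtable literals compare keys case-insensitively, which
    # matches how account names are compared in Active Directory.
    $card = @{}
    $request = @{}
    foreach ($r in $ActiveCards)      { $card[$r.Sam]    = $true }
    foreach ($r in $ExternalRequests) { $request[$r.Sam] = $true }
    foreach ($r in $PendingRequests)  { $request[$r.Sam] = $true }

    foreach ($u in $Users) {
        # One hashtable per connector-space object, as the post describes
        # for $obj. Attribute names are assumptions for this sketch.
        $obj = @{}
        $obj.objectClass    = 'user'
        $obj.sAMAccountName = $u
        $obj.hasSmartCard   = $card.ContainsKey($u)
        $obj.hasRequest     = $request.ContainsKey($u)
        $obj
    }
}

$state = Get-CardState -Users $adUsers -ActiveCards $activeCards `
    -ExternalRequests $externalRequests -PendingRequests $pendingRequests

# Only users with no card and no open request should receive a new
# enrollment request on export. A user with a pending request must be
# excluded, otherwise every sync cycle would queue another credential.
$needsRequest = $state |
    Where-Object { -not $_.hasSmartCard -and -not $_.hasRequest } |
    ForEach-Object { $_.sAMAccountName }

$needsRequest   # dave
```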

All replies

  • Ok, so I got the connectivity part working.. now what confuses me in the link above is this:

    $profileTemplates = $FindOperationsByCulture.FindAllProfileTemplates([System.Globalization.CultureInfo]::InvariantCulture,[System.Globalization.CultureInfo]::InvariantCulture)



    Why doesn't a simple $FindOperationsByCulture.FindAllProfileTemplates() work? What do those System.Globalization things do? How do I get this working with other methods like FindSmartCards and especially for the RequestOperations class that can be used to do enrollment requests?
    • Edited by Narcoticoo Wednesday, July 23, 2014 9:12 AM
    Wednesday, July 23, 2014 9:09 AM
  • Any help on this one would be appreciated....
    Friday, August 1, 2014 7:55 AM
  • Sorry for the delay, was enjoying some OOF time.

    I haven't touched CM for a little while, and was planning on updating the CodePlex project for the next major release of FIM (MIM) where I expect CM will lose the .NET Remoting interface. 

    Are you doing this for an active deployment, or just tooling around?


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Monday, August 11, 2014 3:50 PM
  • I've got FIM in place and FIMCM in place and the goal here is to achieve as much as possible through FIM sync, so that the guys who will be enrolling smartcards wouldn't have to manually click so much in the FIMCM portal. I saw you already had some bits ready in Codeplex, but you haven't released the compiled solution... Would really help my case. Thanks :)
    Monday, August 11, 2014 8:57 PM
  • If you're looking to get it running through FIM Sync then I suggest using the FIM CM management agent. If you were trying to go at it from a workflow or other application integration scenario then I'd suggest the API approach, but your scenario already has good coverage by the product.

    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Tuesday, August 12, 2014 1:11 AM
  • I read the documentation about how to configure the CM management agent on CLM2007, and I thought it just is way too complicated... Because, basically what I want is just Sync rules in the portal that do certain stuff for the requests in the FIMCM during the user creation. Already implemented Granfeldt's PSMA for Exchange, Lync and Homefolder, and I thought that FIMCM would just go along with the same approach. Any chance of getting the compiled version of your FIMCM PS Extensions?

    Tuesday, August 12, 2014 4:22 AM
  • Sorry to keep dodging what you want, but I have a lot of experience with the FIM CM MA and with using FIM CM programmatically.  If I had to do it for my own deployment I would probably go the programmatic route from a FIM Service workflow.  That was the goal of the code I posted to CodePlex, to provide prototype code for using PowerShell inside a FIM workflow to manage FIM CM.  Oddly the FIM PowerShell Workflow proved way more popular, so I carved that off into its own CodePlex project, and actively use it in production at multiple deployments.  The FIM CM Extensions code never made it past prototype, so has never been deployed and I expect it would require a fair bit of support to make it deployment-quality.  Unfortunately I'm not actively using FIM CM at the moment so would have a difficult time supporting anybody not willing to build from source.

    Marrying the state-based nature of FIM Sync to the request-based nature of FIM CM is a real pain, even with the PSMA.  It is a much more natural match to integrate between FIM CM and the FIM Service, since both are request-based.  Again, if you're set on integrating between FIM Sync and FIM CM today I think your best bet is with the FIM CM MA.


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Tuesday, August 12, 2014 5:51 AM
  • Wednesday, September 17, 2014 3:30 AM
  • That other thread speaks of a feature being deprecated in a future release. It is supported today, so if you really want the integration then it is probably the safest bet.


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Thursday, September 18, 2014 12:10 AM
  • I took another look at this and I think I'll go with Granfeldt's PSMA and FIMCM SQL API, a much simpler way to do the thing I want: Make the requests of smart cards to FIMCM when new users are created. After the request, the cards can be printed through FIMCM Bulk Issuance Client.

    Monday, October 13, 2014 6:26 PM