The task of provisioning new user accounts invariably falls upon system administrators. Administrators create logins across a variety of systems, such as Active Directory (AD), Exchange, and SQL Server, when a new employee starts at the company. The equally important process of de-provisioning accounts when employees leave for pastures new often highlights the disconnect between the HR and IT departments—a system administrator might hear from the grapevine that Bob in accounts left the company three months ago but still has system access.
Identity Lifecycle Manager (ILM) 2 empowers end users to perform tasks traditionally undertaken by IT, such as resetting passwords and creating or deleting groups and users. It provides a SharePoint-based workflow where users can carry out simple tasks based on management policy rules defined in ILM. A record of who did what, and when, is maintained for auditing purposes.
How does ILM work?
ILM 2 is a complex product consisting of four main components: ILM Synchronization Service (previously called Microsoft Identity and Integration Server), which is supported by SQL Server 2008; ILM Portal, which is a SharePoint-based web portal for user and administrator access; ILM Client Components for Outlook and Windows integration; and ILM Service, a web service that interacts between the Synchronization Service and ILM Portal.
Synchronization Service is central to ILM and its function is to synchronize objects between directory services, such as AD and Novell, into a central database called the metaverse. Objects are synchronized into ILM's metaverse via connector spaces, and objects can either be synchronized back to the source directory service, or to a different directory, once processed by ILM. For instance, ILM could be used to keep passwords for user objects in sync between AD and Novell directory services, helping to simplify the logon process for users (though having one password to access all systems is convenient, this may not be acceptable in high-security environments). ILM comes with connector spaces for AD, SAP, Novell, Lotus Notes, Microsoft Exchange Server, SQL Server, and Oracle databases, to name just a few.
The most important new feature in ILM 2 is the ILM Portal, which provides access to all the product's main features, such as self-service identity and group management tools, via a web interface for both system administrators and end users. You can provision users and groups using the ILM Portal, create workflows, and modify policies. All changes are submitted to the ILM Service, which then passes requests to the ILM Synchronization Service, where the metaverse is updated.
ILM's client components integrate with Microsoft Outlook to provide group management tools, including the ability to process offline group membership or approval requests. The ILM client also integrates with Windows logon, providing an authentication gateway should users want to reset a forgotten password. Administrators can change employee data using ILM's portal. This information is then passed on by the ILM service to the synchronization service, which updates connected directories. The synchronization service is responsible for detecting new and changed records, and making the appropriate directory updates.
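The flow described above (source directories feed connector spaces, objects are joined in a central metaverse, and changes flow back out to connected directories, with new and changed records detected along the way) can be modelled in a few dozen lines. The following is an added, deliberately simplified illustration, not ILM's own code or data model: an authoritative HR feed and an AD-like directory are joined on an assumed anchor attribute (employeeId), HR attributes take precedence, and an AD account whose HR record has disappeared is disabled rather than left with access, which is exactly the "Bob left three months ago" case from the introduction. Every record below is constructed sample data.

```python
"""Toy metaverse-style synchronization cycle (added example, not ILM code).

Assumptions: employeeId is the join anchor; HR is authoritative for the
attributes in HR_AUTHORITATIVE; an AD object with no matching HR record is
deprovisioned by disabling it; every change is written to an audit trail.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed connector-space contents. In HR, Alice has moved to Treasury and
# Carol (1004) is a new hire; Bob (1002) has left and no longer appears.
HR_FEED = {
    "1001": {"employeeId": "1001", "givenName": "Alice", "sn": "Ng", "department": "Treasury"},
    "1004": {"employeeId": "1004", "givenName": "Carol", "sn": "Diaz", "department": "Finance"},
}
# The AD connector space still holds Bob's enabled account.
AD_CONNECTOR_SPACE = {
    "1001": {"employeeId": "1001", "sAMAccountName": "ang", "givenName": "Alice", "sn": "Ng",
             "department": "Finance", "enabled": True},
    "1002": {"employeeId": "1002", "sAMAccountName": "blee", "givenName": "Bob", "sn": "Lee",
             "department": "Accounts", "enabled": True},
}

# Attributes whose authoritative source is HR (a simple precedence rule).
HR_AUTHORITATIVE = ("givenName", "sn", "department")


@dataclass
class SyncResult:
    metaverse: Dict[str, dict]
    ad_exports: List[Tuple[str, str, dict]]  # (operation, anchor, attributes)
    audit: List[str]


def synchronize(hr: Dict[str, dict], ad: Dict[str, dict]) -> SyncResult:
    """Run one inbound/outbound cycle and return pending exports plus an audit trail."""
    metaverse: Dict[str, dict] = {}
    exports: List[Tuple[str, str, dict]] = []
    audit: List[str] = []

    # Inbound: project HR records into the metaverse (HR is authoritative).
    for anchor, rec in hr.items():
        metaverse[anchor] = {k: rec[k] for k in HR_AUTHORITATIVE}

    # Join on the anchor and detect changed or orphaned AD objects.
    for anchor, ad_obj in ad.items():
        mv = metaverse.get(anchor)
        if mv is None:
            # No authoritative record behind this account: deprovision it.
            if ad_obj.get("enabled"):
                exports.append(("disable", anchor, {"enabled": False}))
                audit.append(f"deprovision {ad_obj['sAMAccountName']}: no HR record")
            continue
        changes = {k: v for k, v in mv.items() if ad_obj.get(k) != v}
        if changes:
            exports.append(("update", anchor, changes))
            audit.append(f"update {ad_obj['sAMAccountName']}: {sorted(changes)}")

    # Provision: HR people with no AD object yet.
    for anchor, mv in metaverse.items():
        if anchor not in ad:
            exports.append(("create", anchor, dict(mv)))
            audit.append(f"provision employeeId {anchor}")

    return SyncResult(metaverse, exports, audit)


if __name__ == "__main__":
    result = synchronize(HR_FEED, AD_CONNECTOR_SPACE)
    for op, anchor, attrs in result.ad_exports:
        print(op, anchor, attrs)
    print("\n".join(result.audit))
```

Running it yields one update (Alice's department), one disable (Bob) and one create (Carol); the audit list records who was changed and why, which is the trail the introduction says ILM keeps.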
Installing ILM and Client Components
The system requirements for each of ILM's server components are slightly different. To install all the components on one server requires Windows Server 2008 64-bit (standard or enterprise edition), SQL Server 2008 64-bit (standard or enterprise edition), Internet Information Services 7 (IIS), .NET Framework 3.0 and 3.5 SP1, and Windows SharePoint Services 3.0 SP1. The server must have at least 2GB of available disk space and 2GB of memory. The client-side components are supported on Windows XP Professional SP3 and Windows Vista Enterprise SP1, both 32-bit and 64-bit editions, and Outlook 2007. .NET Framework 3.5 SP1 is also required on clients.
ILM in Action - Self-Service Password Resets
A prominent new feature of ILM 2 is the ability for users to reset forgotten passwords at the Windows logon prompt. Administrators can configure one or more authentication gateways where users answer a series of pre-defined questions before being given the opportunity to reset their password, or proceed to the next gateway. Inserting a smartcard can also be set as a condition for passing a gateway. When users log on for the first time, they're asked to register with the self-service password reset system by answering questions set by an administrator.
You can categorize users so that those who have access to highly sensitive information on the network have to pass more authentication gateways before being allowed to reset their password. Password reset at the Windows logon prompt can be disabled; the same capability can instead be enabled through a web interface.
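The gateway chain just described (users register answers to administrator-defined questions, each gateway is passed by answering correctly or by presenting a smartcard, and users in more sensitive categories must clear more gateways) is modelled below. This is an added example, not ILM's implementation: the question identifiers, the three gateways, the category names and the sample user are all constructed. The design choice worth noting is that registered answers are stored only as salted, iterated hashes and compared in constant time, so a compromised registration store does not hand an attacker the answers in the clear.

```python
"""Toy chained authentication gateways for self-service password reset.

Added illustration with assumed gateway names, question ids and user
categories; sample answers and the card serial are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so trivial typing differences do not lock
    # users out, then derive a slow salted hash so stored answers are not
    # cheaply guessable if the registration store leaks.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


@dataclass
class Registration:
    salt: bytes
    answers: Dict[str, bytes]           # question id -> derived hash
    smartcard_serial: Optional[str] = None


@dataclass
class Gateway:
    name: str
    questions: List[str] = field(default_factory=list)  # ids the user must answer
    requires_smartcard: bool = False


# Gateways are evaluated in order; a category says how many must be cleared.
GATEWAYS = [
    Gateway("questions-basic", ["q_city", "q_pet"]),
    Gateway("questions-extended", ["q_school", "q_manager"]),
    Gateway("smartcard", requires_smartcard=True),
]
GATEWAYS_REQUIRED = {"standard": 1, "sensitive": 2, "privileged": 3}


def register(answers: Dict[str, str], smartcard_serial: Optional[str] = None) -> Registration:
    """First-logon registration: hash every answer under a per-user salt."""
    salt = os.urandom(16)
    return Registration(salt, {q: _hash_answer(a, salt) for q, a in answers.items()},
                        smartcard_serial)


def gateway_passes(gw: Gateway, reg: Registration,
                   presented: Dict[str, str], card: Optional[str]) -> bool:
    """A gateway passes only when every one of its conditions is satisfied."""
    if gw.requires_smartcard:
        return (card is not None and reg.smartcard_serial is not None
                and hmac.compare_digest(card, reg.smartcard_serial))
    for q in gw.questions:
        stored, given = reg.answers.get(q), presented.get(q)
        if stored is None or given is None:
            return False
        if not hmac.compare_digest(stored, _hash_answer(given, reg.salt)):
            return False
    return True


def may_reset(category: str, reg: Registration,
              presented: Dict[str, str], card: Optional[str] = None) -> bool:
    """True when the user has cleared as many gateways as the category demands."""
    needed = GATEWAYS_REQUIRED[category]
    return all(gateway_passes(gw, reg, presented, card) for gw in GATEWAYS[:needed])


if __name__ == "__main__":
    reg = register({"q_city": "Leeds", "q_pet": "Rex",
                    "q_school": "Hill Road", "q_manager": "Priya"}, "CARD-0042")
    answers = {"q_city": " leeds ", "q_pet": "rex", "q_school": "Hill Road", "q_manager": "Priya"}
    print("standard:", may_reset("standard", reg, answers))
    print("privileged without card:", may_reset("privileged", reg, answers))
    print("privileged with card:", may_reset("privileged", reg, answers, card="CARD-0042"))
```

A standard user clears the first gateway with two answers; a privileged user who answers every question but presents no smartcard is still refused, because the third gateway requires the card.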
Identity Management for Users
ILM Portal can be customized so that different categories of users can access features such as managing distribution list (DL) membership, telephone extensions, or office numbers, as Figure 1 illustrates. The ability to manage security groups and DLs via ILM Portal provides a natural extension to the SharePoint system, with which many users will already be familiar.
Figure 1: The ILM Home screen.
As well as providing self-service password reset capabilities, ILM's client components integrate into Outlook with a familiar interface for managing DL membership. Requesting membership of a DL is done using the Groups menu in the top-right corner of Outlook. Requests are managed using Outlook forms where users can search for groups using standard Outlook dialogs. Approvals can also be managed by group owners using email, with voting-style accept/reject buttons, as illustrated in Figure 2.
Figure 2: An ILM pending approval email.