Resend notifications
Hey All, I was wondering. Suppose the Exchange URL which is configured to provide the FIM Service access to its mailbox is unavailable for a while. How does FIM handle this? It sure will log some errors in the FIM event log. But will it cache emails and resend them later? Or doesn't FIM cache unsuccessful attempts? Kind regards, Thomas
http://setspn.blogspot.com
December 22nd, 2011 10:41am

I haven't specifically tested to confirm this, but I have my Exchange server on a separate VM that I leave shut down unless I plan to use it. I recall that after I restart the server I get emails that I assume were queued up while the server was offline. I'm not sure how long they can stay pending, however. If I have a chance, I'll do some testing if nobody has a definitive answer before then.
Frank C. Drewes III - Senior Consultant: Oxford Computer Group
December 23rd, 2011 2:43pm

Let me know how you go Frank - I have seen them queued too, but I suspect some of them may actually end up failing if the issue isn't resolved within some kind of limit. In that case, I have an idea which might be able to be applied here, providing there is some condition that can be detected by a set definition on the Request object that can fail here ...
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
December 24th, 2011 4:52pm

> Hey All, I was wondering. Suppose the Exchange URL which is configured to provide the FIM Service access to its mailbox is unavailable for a while. How does FIM handle this? It sure will log some errors in the FIM event log. But will it cache emails and resend them later? Or doesn't FIM cache unsuccessful attempts? Kind regards, Thomas http://setspn.blogspot.com
I think it's using SQL Server Service Broker, which can queue the messages so that an external process can pull and send messages in an asynchronous way. SQL Service Broker provides isolation between the message sender and receiver. I think the FIM Service can queue the messages and rely on the Service Broker to ensure that the message reaches its destination. To have a look at the queued messages, go to the FIMService database in the Service Broker and you can query the current queue rows.
burn baby burn ... Idm Inferno
December 25th, 2011 2:06am

Bob - The only VM I have handy is R2 RC (4.1.1903) - so a comparison with 2010 may be skewed, but here's what I have.
When I stopped my Exchange VM and performed a resource update with an action workflow consisting of a notification activity, I saw the following:
Request status - post processing
Workflow instance - running
The following event log:
> WorkflowInstance '8d1b32ed-3b77-433b-ba4a-07fb3c811e27' could not send mail message in activity 'authenticationGateActivity1'. Scheduling to retry in 0.05 hours.
I brought the Exchange VM back online - and in 3 minutes the email completed and the WF instance and request closed out. For the next test, I'm going to take the server offline for about 6 hours and see what happens in the morning. I'll post an update then.
Frank C. Drewes III - Senior Consultant: Oxford Computer Group
December 25th, 2011 2:11am

What I was seeing: a lot of the "queued" mails went out, but a lot of them also failed with the email address being invalid or "null". At least that was the error in the FIM Event log. The error is absolutely weird as the mails sent out are typically a duet: one with the accountName & one with the PW. They both go to the same receiver. From the FIM Service mailbox I could see the ones with the accountNames being sent, but the ones with the PW failed to be amongst them. Also, to be completely honest, our URL was available but was denying access. So I'm not sure whether mails get queued up then. One team did an Exchange upgrade and modified the internal/external URL behaviour, resulting in the FIM service receiving a 401.
http://setspn.blogspot.com
December 25th, 2011 4:39am

As an update to my previous post, I had my Exchange VM offline for about 17 hours. After the first retry in 3 minutes, it switched to this:
> could not send mail message in activity 'authenticationGateActivity1'. Scheduling to retry in 2 hours.
So within 2 hours after I brought the Exchange Server back online, the emails made it to their destination. The workflows and requests changed to completed status.
On a related note, as soon as I brought the Exchange server online, new emails went out right away, but the ones sent while the server was unavailable had to wait until the retry interval. I even tried restarting the FIM service, but that didn't reduce the retry time.
As Thomas mentioned, there could be other Exchange failure scenarios I didn't test. I could try some others if anyone has some ideas for testing. But as for what I tested, the emails are queued for delivery and get delivered once the Exchange server comes back online (with the 2 hour retry of course).
Frank C. Drewes III - Senior Consultant: Oxford Computer Group
December 26th, 2011 2:36pm
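
The retry messages quoted in the posts above can be turned into a per-workflow view of which notification mails are still pending and when they will next be attempted. This is an added example, not part of any post in the thread and not FIM code; the function name `Get-MailRetryStatus`, the one-hour threshold, the sample records, and the assumption that the 2-hour message carries the same `WorkflowInstance '<id>'` prefix as the first are assumptions of the example.

```powershell
# Added example (not FIM code). Input: objects with TimeCreated and Message,
# the same two properties that Get-WinEvent records expose.
function Get-MailRetryStatus {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Record,
        [double] $LongBackoffHours = 1.0   # assumed threshold for "backed off"
    )
    begin {
        # Message layout as quoted in the thread.
        $pattern = "WorkflowInstance '(?<wf>[0-9a-fA-F-]{36})' could not send mail message " +
                   "in activity '(?<activity>[^']+)'\. Scheduling to retry in (?<hours>[0-9.]+) hours\."
        $failures = New-Object 'System.Collections.Generic.List[object]'
    }
    process {
        if ($Record.Message -match $pattern) {
            $failures.Add([pscustomobject]@{
                WorkflowInstance = $Matches['wf']
                Activity         = $Matches['activity']
                FailedAt         = $Record.TimeCreated
                RetryHours       = [double]::Parse($Matches['hours'], [cultureinfo]::InvariantCulture)
            })
        }
    }
    end {
        # Event logs are usually read newest-first, so order explicitly.
        foreach ($g in ($failures | Group-Object WorkflowInstance)) {
            $last = $g.Group | Sort-Object FailedAt | Select-Object -Last 1
            [pscustomobject]@{
                WorkflowInstance = $g.Name
                Activity         = $last.Activity
                FailedAttempts   = $g.Count
                LastFailure      = $last.FailedAt
                NextRetry        = $last.FailedAt.AddHours($last.RetryHours)
                LongBackoff      = ($last.RetryHours -ge $LongBackoffHours)
            }
        }
    }
}

# Constructed sample records; the second instance id is made up.
$fmt = "WorkflowInstance '{0}' could not send mail message in activity " +
       "'authenticationGateActivity1'. Scheduling to retry in {1} hours."
$a = '8d1b32ed-3b77-433b-ba4a-07fb3c811e27'
$b = '00000000-0000-0000-0000-000000000001'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2011-12-25T21:03:00'; Message = ($fmt -f $a, '2') }
    [pscustomobject]@{ TimeCreated = [datetime]'2011-12-25T21:00:00'; Message = ($fmt -f $a, '0.05') }
    [pscustomobject]@{ TimeCreated = [datetime]'2011-12-25T22:10:00'; Message = ($fmt -f $b, '0.05') }
    [pscustomobject]@{ TimeCreated = [datetime]'2011-12-25T22:11:00'; Message = 'Unrelated event' }
)
$sample | Get-MailRetryStatus | Sort-Object NextRetry | Format-Table -AutoSize
```

Rows with `LongBackoff` set are the ones that will not go out until the long retry interval elapses, even after the mail server is reachable again.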

This is one of the main reasons for doing notifications through SSRS instead of using the FIM Notification activity. Using SSRS and Data-Driven Subscriptions gives much more flexibility, but I haven't done the same for AuthZ WF with approvals (which also send e-mails, but are more complex than simple notifications).
CraigMartin Edgile, Inc. http://identitytrench.com
December 27th, 2011 10:41pm

Frank - thanks for your efforts in testing this, because I've not had the opportunity to test this myself to the same extent, and have wondered exactly how robust the process was. Going by your last post I gather that in the end ALL requests incorporating the (standard) FIM notification activity achieved a "Completed" status? If so, I'd like to explore further what Craig's angle is ... since I've often argued for a subscriber based model over a workflow (or even a rules extension) based email, and in the past I've often used a WSS List ECMA together with basic WSS List email subscriptions for exactly the same reason. However, now we have FIM workflows and the default notification activity which I expect 99% of implementers will just use without a second thought, I would like us to put our heads together and come up with a "best practice" in FIM for requirements that can NOT be guaranteed by this default approach. If we're going to suggest a subscriber based notification model, then I would like to have some clear bullet points to argue the scenarios in which this should be considered so that everyone can make an informed decision. The subtleties of the various use cases may not be obvious to all, especially those who are taking delivery of the solution and will need a solid argument to justify additional investment :). Bob Bradley (FIMBob @ http://www.thefimteam.com ) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
December 28th, 2011 7:20am

While I admire the quest for best practices, we're all integrators here, and that usually means getting to done as fast as possible (sacrificing 'right or elegant' for 'good enough and quick'). Faced with a simple requirement for notifications in a use case, I'd go with FIM's notification activity. If the notification requirement became more complex, then I'd consider something else (such as SSRS). I like the SSRS model because they offer a lot of functionality and extensibility points (delivery, rendering, report hosting, report generation, etc) and the customer typically owns it already. BTW - I'm pretty sure SSRS is pronounced 'scissors'
CraigMartin Edgile, Inc. http://identitytrench.com
December 28th, 2011 12:08pm

SSRS + SSRS data processing extension built with an open-source FIM WS client, or SSRS + SCSM DW model from R2? None of the above is perfect, imnsho, as the first one will be very slow by design and the second one tracks changes only :( However, I'm thinking of SSRS + SCSM DW for sending notifications like expiring passwords, unapproved requests and so on... to aggregate data in one email.
December 29th, 2011 4:36am

Totally agree that nothing is perfect, but I think SCSM DW is overkill for sending emails, so I have gone with SSRS DPE (Data Processing Extension). Also it isn't required for aggregating data in one email; SSRS easily does this with Data-Driven Subscriptions whereby it uses one query to get data for the reports, and another query to determine who to send the reports to. The result is that you can dynamically send emails (reports) to only the recipients that need the data. I'm obviously a little biased because I've done a couple of Data Processing Extensions now and am really happy with the functionality because it adds functionality to FIM with an existing feature of SQL Server.
CraigMartin Edgile, Inc. http://identitytrench.com
December 29th, 2011 11:41am

> While I admire the quest for best practices, we're all integrators here, and that usually means getting to done as fast as possible (sacrificing 'right or elegant' for 'good enough and quick'). Faced with a simple requirement for notifications in a use case, I'd go with FIM's notification activity. If the notification requirement became more complex, then I'd consider something else (such as SSRS). I like the SSRS model because they offer a lot of functionality and extensibility points (delivery, rendering, report hosting, report generation, etc) and the customer typically owns it already. BTW - I'm pretty sure SSRS is pronounced 'scissors' CraigMartin – Edgile, Inc. – http://identitytrench.com
Fair call Craig ... but you certainly got me thinking here on the whole FIM Best Practices thing, enough for me to post to my own long-neglected blog something that really amounts to my own PoV on the subject which is clearly off-track from this particular thread. All comments welcome of course.
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
January 2nd, 2012 11:29pm

> I have gone with SSRS DPE (Data Processing Extension).
One of the reasons I can't do this in my engagements is the open-source client this DPE is built with. I played a lot with your DPE and modified a client a little bit to work with multi-valued attributes - and it worked perfectly. However, from the support perspective I'm not allowed to use it. I was able to replace the FIM WS client with a PowerShell DPE but it was 10 times slower than the original one. So now I'm looking into SCSM DW and a method to have a full snapshot of group membership (for example) in the SCSM DW datastore and not only its changes.
January 3rd, 2012 5:15am

There's another DPE on CodePlex that doesn't use the FIM WS. Instead it just uses PowerShell, so you instead give it a PowerShell script that either calls Export-FIMConfig, or some other cmdlet of your choice. http://psdpe.codeplex.com The benefit of this one is that it translates PowerShell output (objects and properties) into DPE DataTables (rows and columns), so you could call FIM, AD, WMI (to get to FIM Sync) or practically anything you can get at with PowerShell.
CraigMartin Edgile, Inc. http://identitytrench.com
January 3rd, 2012 11:30am

> Fair call Craig ... but you certainly got me thinking here on the whole FIM Best Practices thing, enough for me to post to my own long-neglected blog something that really amounts to my own PoV on the subject which is clearly off-track from this particular thread. All comments welcome of course. Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
Great article Bob, I liked what you wrote :) I'm not a great expert like you guys, but I think some software solutions like FIM (or future releases) are or will be considered as a platform to build solutions on; it's not a product to have written best practices to follow, it's a platform to build diverse solutions with different techniques and various methodologies.
burn baby burn ... Idm Inferno
January 3rd, 2012 5:36pm

Nice article Bob (even though I may have come out as retentive ;-) in reality I fashion myself much closer to tenaciously passive aggressive). There are a lot of interesting sides to this, and those passionate about it may drive ambiguous and challenging scenarios into best practices and lessons learned (as I think you say in your article). This might be a fun thing to do in person at TEC as a chalk-talk or pub-event where willing participants bring their lessons learned, hopes, dreams, battle scars and drinking livers ;-)
CraigMartin Edgile, Inc. http://identitytrench.com
January 3rd, 2012 5:44pm

This topic is archived. No further replies will be accepted.
