InCommon Silver With Active Directory Domain Services Cookbook Feature-Complete

For more than a year, I’ve been leading an effort within the Committee on Institutional Cooperation (CIC – the academic wing of the Big 10, plus The University of Chicago) and a number of other InCommon participants, to define an approach to mitigating risk within Active Directory Domain Services, with the goal of achieving InCommon Silver assurance. The work on that cookbook is now largely complete. You can take a look at it here:

Whew.  That took a while to do.  I hope that at some point some school actually achieves Silver using it.

Rebuilding T-SQL Indexes From Powershell

Here is a Windows PowerShell function I wrote to call a generic stored procedure that will rebuild all indexes in a database.  (I found the stored procedure here.)  This turns out to be extremely useful for rebuilding indexes on a SQL Server-based connected directory at the end of each run of a Microsoft Forefront Identity Manager (FIM) management agent (MA) that has undergone a lot of changes.

PowerShell function:  

Function Run-RebuildIndexes {
      # $log, $ma, $DBName and $SQLServerName are script-scope variables set by the surrounding FIM run script.
      $log.Debug("Run-RebuildIndexes for MA=" + $ma.MAName + " DBName=" + $DBName)
      # Integrated Security: the run script's Windows identity is used, so no password is embedded here.
      $SqlConnection = New-Object System.Data.SqlClient.SqlConnection
      $SqlConnection.ConnectionString = "Data Source=" + $SQLServerName + ";Initial Catalog=" + $DBName + ";Integrated Security=True"
      $SqlCommand = New-Object System.Data.SqlClient.SqlCommand
      $SqlCommand.CommandText = "DECLARE @return_value int; EXEC @return_value = [dbo].[USP_REBUILD_ALL_IDX]; SELECT 'Success' = @return_value;"
      $SqlCommand.Connection = $SqlConnection
      $SqlCommand.CommandType = [System.Data.CommandType]'Text'
      # Fill a DataSet so the procedure's return code comes back as a row with a 'Success' column.
      $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
      $SqlAdapter.SelectCommand = $SqlCommand
      $DataSet = New-Object System.Data.DataSet
      $nRecs = $SqlAdapter.Fill($DataSet)
      if ($nRecs -gt 0) {
            $rec = $DataSet.Tables[0].Rows[0]
            $log.Debug("Index rebuild result code: " + $rec.Success)
      }
      $SqlConnection.Close()
}
T-SQL stored procedure:
USE [DBName]
GO
/****** Object:  StoredProcedure [dbo].[USP_REBUILD_ALL_IDX]    Script Date: 01/05/2012 14:14:21 ******/
-- =============================================
-- Author:        <Nicholas Roy>
-- Create date: <Jan 5, 2012>
-- Description:   <Rebuild all indexes in database>
-- =============================================
CREATE PROCEDURE [dbo].[USP_REBUILD_ALL_IDX]
AS
BEGIN
      -- SET NOCOUNT ON added to prevent extra result sets from
      -- interfering with SELECT statements.
      SET NOCOUNT ON;
      DECLARE @SQL NVARCHAR(MAX);
      -- Build one ALTER INDEX ... REBUILD statement per user table and concatenate
      -- them into a single batch with FOR XML PATH. QUOTENAME brackets the schema
      -- and table names so unusual object names cannot break the generated SQL.
      SELECT @SQL = (
            SELECT 'ALTER INDEX ALL ON ' + QUOTENAME(s.name) + '.' + QUOTENAME(t.name) + ' REBUILD; '
            FROM sys.tables t
            JOIN sys.schemas s ON t.schema_id = s.schema_id
            FOR XML PATH(''), TYPE).value('.', 'NVARCHAR(MAX)');
      EXEC sp_executesql @SQL;
END
GO
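Rebuilding every index on every run is the simplest approach, but on a large connected directory it is also the most expensive and holds the most locks. As an added example (not code from the original post or from the stored procedure it links to), here is a fragmentation-aware variant of the same dynamic-SQL pattern: it consults sys.dm_db_index_physical_stats, REORGANIZEs moderately fragmented indexes, REBUILDs heavily fragmented ones, and leaves the rest alone. The procedure name, the default thresholds (10 and 30 percent) and the minimum page count are assumptions chosen for illustration; the FOR XML PATH concatenation and QUOTENAME usage are the same technique as above.

```sql
-- Added example (not from the original post): fragmentation-aware index maintenance.
-- Procedure name and threshold defaults are assumed values for illustration.
CREATE PROCEDURE [dbo].[USP_MAINTAIN_FRAGMENTED_IDX]
    @ReorgThreshold   FLOAT = 10.0,   -- reorganize at or above this fragmentation %
    @RebuildThreshold FLOAT = 30.0,   -- rebuild at or above this fragmentation %
    @MinPageCount     INT   = 1000    -- ignore small indexes; fragmentation there is noise
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @SQL NVARCHAR(MAX);

    -- One ALTER INDEX statement per qualifying index, concatenated with FOR XML PATH.
    -- Using TYPE and .value() avoids XML entity escaping of the generated text, and
    -- QUOTENAME brackets every identifier so object names containing spaces or
    -- special characters cannot break or alter the generated statement.
    SELECT @SQL = (
        SELECT
            'ALTER INDEX ' + QUOTENAME(i.name) + ' ON '
            + QUOTENAME(s.name) + '.' + QUOTENAME(t.name)
            + CASE WHEN ps.avg_fragmentation_in_percent >= @RebuildThreshold
                   THEN ' REBUILD;'
                   ELSE ' REORGANIZE;'
              END + CHAR(10)
        FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') ps
        JOIN sys.indexes i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
        JOIN sys.tables  t ON t.object_id = i.object_id
        JOIN sys.schemas s ON s.schema_id = t.schema_id
        WHERE i.index_id > 0                                   -- skip heaps (index_id 0)
          AND i.name IS NOT NULL
          AND ps.page_count >= @MinPageCount
          AND ps.avg_fragmentation_in_percent >= @ReorgThreshold
        FOR XML PATH(''), TYPE).value('.', 'NVARCHAR(MAX)');

    IF @SQL IS NULL
    BEGIN
        PRINT 'No indexes exceed the fragmentation thresholds; nothing to do.';
        RETURN 0;
    END

    PRINT @SQL;              -- record exactly which statements are about to run
    EXEC sp_executesql @SQL;
    RETURN 0;
END
GO

-- Usage from the PowerShell function above: point CommandText at this procedure instead,
-- e.g. EXEC @return_value = [dbo].[USP_MAINTAIN_FRAGMENTED_IDX] @RebuildThreshold = 40.0;
```

Because the procedure only ever executes statements it generated itself from catalog views, and every identifier passes through QUOTENAME, the dynamic SQL never incorporates caller-supplied text; the parameters are numeric thresholds, not strings spliced into the batch. The PRINT of the generated batch gives the run log a record of what was touched, which is useful when a FIM run's timing suddenly changes.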

Putting Two And Two Together

So in the course of my evening of NFC/ISO 14443 smartcard/platform/API “literature” review, I put Steve Yegge’s rant together with an analysis piece about what Google thinks about NFC, and came to an unfortunate conclusion.  Google’s lack of NFC APIs, combined with them being the current best hope for getting NFC-enabled, ostensibly open smartphones into the mainstream, does not bode well.  My project must be tempered with realism.

(Good) Middleware Takes Time

“The Golden Rule of Platforms, “Eat Your Own Dogfood”, can be rephrased as “Start with a Platform, and Then Use it for Everything.” You can’t just bolt it on later. Certainly not easily at any rate — ask anyone who worked on platformizing MS Office. Or anyone who worked on platformizing Amazon. If you delay it, it’ll be ten times as much work as just doing it correctly up front. You can’t cheat. You can’t have secret back doors for internal apps to get special priority access, not for ANY reason. You need to solve the hard problems up front.”  -Steve Yegge, from his now famous accidentally public-facing Google+ rant on platforms

For some time, I have argued that spending the time to do a good service-oriented architecture is the right thing to do, especially in the identity management space.  It takes a very long time to do this right, and the QA, health checks and iteration become more time-consuming than defining and writing the initial service.  The monitoring for a good SOA becomes the unit tests, mocks, etc., and you end up doing right by your customers by eating your own dogfood.  The problem is, in academic higher ed, a lot of the time there seems to be no extra time to spend.  You have to do what you can with the time and resources you have.  So you try to do the best job you can, and you try to use existing service frameworks where you can, and make your own where none exist, if you can find the time to do it.  That’s one of the reasons I like working where I do: I think people get why services and platforms are good, which you might think is truly amazing to find in a state-funded higher ed institution.  The more amazing thing is that I think a lot of state-funded R1 universities get this, and they are getting it more all the time.  See: Shibboleth, Grouper and COmanage.

It’s interesting that Google, Facebook, Amazon, Apple and even Microsoft seem to be doing “sexy” things that get a lot of attention.  But the academic research institutions are doing a ton of work here, too, and while it’s not glamorous, it’s changing the world for the better.

Weekend Identity/Convergence Stream-of-Consciousness

I’ve been wanting to get a Galaxy Nexus phone for a while, ever since I found out it was coming to Verizon.  This summer I almost ditched Verizon for Sprint to get a Galaxy S 4G with an NFC chip in it, but held off because I knew this newer Nexus was just around the corner.  I want to mess around with the NFC feature and see if I can make it store X.509 certs and act as an ISO 14443 smart card for things like workstation logon and door access.  The secure element in the Galaxy Nexus is an NXP chip which supports a lot of different NFC protocols, but Google has been pretty open about their non-support for card emulation.  This means there’s not a built-in way to handle this stuff yet.  But then I found this:

For a while I was hoping that InfoCard would be a champion for identity selection and user-centric identity.  Now I hope it’s smartphones.  We’ll see how well this turns out.  I’ll be happy if my wallet can go away at some point.  It would be great to have payment, driver’s license, passport, work login/door credentials, etc., all on the phone.  Some people probably think that’s a terrible idea and maybe slightly Orwellian (Dvorak:,2817,2395071,00.asp), but I think it just makes sense.  The secure elements in these phones truly are secure, until they aren’t any more.  By that time we’ll have other things to replace them, and probably lots of other things to worry about.