Microsoft Identity Lifecycle Manager 2007 Product Overview


Microsoft Identity Lifecycle Manager 2007 Product Overview and FAQ

Identity Lifecycle Manager (ILM) 2007 enables IT organizations to reduce the cost of managing the
identity and access life cycle by providing a single view of a user's identity across the heterogeneous
enterprise and through the automation of common tasks. ILM 2007 builds on the metadirectory and
user provisioning capabilities in Microsoft Identity Integration Server (MIIS) 2003 and adds new
capabilities for managing strong credentials such as smartcards, providing an integrated approach
that pulls together metadirectory, certificate and password management, and user provisioning
across Windows® and other enterprise systems.
ILM 2007 simplifies the process of matching and managing identity records from disparate data
repositories, and prevents anomalies, such as active records for employees who have left the
organization. ILM 2007 provides IT with a policy framework to control and track the identity and
access data that helps manage compliance. It also includes self-help tools for end users, enabling IT
to improve efficiency by securely delegating many tasks to end users. Another key feature of ILM
2007 is that it includes a Windows-based certificate management solution that integrates with the
Windows Server 2003 operating system and Active Directory® to provide a turnkey solution for
managing the end-to-end life cycle of smart cards and digital certificates for the Windows Server
2003 Certificate Authority.

Key Benefits
ILM 2007 is designed to simplify and automate some of the most costly aspects of Identity Lifecycle
Management. ILM 2007 enables organizations to:
Synchronize Identity Information. Organizations that have many different directories and
other data repositories, such as a Human Resources (HR) data repository, mainframe systems,
or databases, can use ILM 2007 to synchronize user accounts and attributes in all of those
systems, including synchronization of passwords. Directory synchronization saves time and
money that is currently spent on keeping data consistent and enforcing data ownership
rules.
Provision and Deprovision Users. In many organizations, information about new employees is
entered in an HR database first. Then, the IT department creates user accounts, mailboxes,
and other identity information in different database systems. ILM 2007 automatically creates
these user accounts, mailboxes, and other identity information in target systems in real time,
so new employees are productive immediately, and also ensures that corporate resource
access is instantly revoked for employees who leave the organization.
Manage Certificates and Smart Cards. ILM 2007 includes a workflow- and policy-based
solution that enables organizations to easily manage the life cycle of digital certificates and
smart cards. ILM 2007 leverages Active Directory Directory Services and Active Directory
Certificate Services to provision digital certificates and smart cards, with automated
workflow to manage the entire life cycle of certificate-based credentials. ILM 2007
significantly lowers the costs associated with digital certificates and smart cards by enabling
organizations to more efficiently deploy, manage, and maintain a certificate-based
infrastructure. It also streamlines the provisioning, configuration, and management of digital
certificates and smart cards, while increasing security through strong, multifactor
authentication technology.
Key Benefits of ILM 2007

Feature: Synchronize Identity Information
Benefit: Organizations benefit from improved IT productivity and reduced administrative
costs as identity data is kept up to date across an enterprise without manual updates.

Feature: Provision User Accounts
Benefit: End users can be more productive by accessing needed systems faster, while
corporate security is improved as employees' access to systems is automatically terminated
when they leave. Administrators benefit from having these processes automated, which
improves their own productivity and helps to lower administrative costs.

Feature: Manage Certificates and Smart Cards
Benefit: ILM 2007 reduces the costs associated with digital certificates and smart cards by
enabling organizations to more efficiently deploy, manage, and maintain a certificate-based
infrastructure. IT benefits through streamlined provisioning, deprovisioning, configuration,
and auditing of digital certificates and smart cards, along with increased security through
the use of strong, multi-factor authentication technology.

Connectivity Capabilities
ILM 2007 creates and distributes an integrated view of identity information from multiple data
sources. Broad connectivity capabilities give you the power to connect to the many disparate
identity information sources in your company, all without the need to install software of any
kind on the target systems.
Connectivity Capabilities of ILM 2007

Type of System: Management Agents

Network Operating Systems and Directory Services:
  Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
  Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
  Microsoft Windows NT 4.0
  IBM Tivoli Directory Server
  Novell eDirectory 8.6.2, 8.7, and 8.7.x
  Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

Mainframe:
  IBM Resource Access Control Facility
  Computer Associates eTrust ACF2
  Computer Associates eTrust Top Secret

Email and Messaging:
  Microsoft Exchange 2007, 2003, 2000, and 5.5
  Lotus Notes 6.x, 5.0, and 4.6

Applications:
  SAP 5.0 and 4.7
  Telephone switches
  XML-based systems
  DSML-based systems

Databases:
  Microsoft SQL Server 2005, 2000, and 7
  IBM DB2
  Oracle 10g, 9i, and 8i

File-Based:
  Attribute Value Pairs
  CSV
  Delimited
  Fixed Width
  Directory Services Markup Language (DSML) 2.0
  LDAP Interchange Format (LDIF)

All Other:
  Extensible Management Agent for connectivity to all other systems

How Identity Lifecycle Manager 2007 Works

ILM 2007 has two central components, one that includes metadirectory and user provisioning
capabilities and another for certificate and smart card management.
Identity Synchronization and User Provisioning
The identity synchronization and user provisioning component of ILM 2007 manages identity
information across multiple stores by aggregating this information in a central repository called the
metaverse. Management agents serve as connectors that translate data from these connected stores
to the metaverse. For example, the e-mail system can be linked to its HR database through the
metaverse. When an employee joining the organization is added to the HR database, ILM 2007 can
automatically provision that employee to the e-mail system. Each employee's attributes, from the
e-mail system and the HR database, are imported into the connector space through management
agents.
The e-mail system can then use individual attributes, from the employee entry that originated in the
HR database, such as the employee telephone number. If an employee's telephone number changes
in the HR database, the new number will automatically be propagated to the e-mail system.
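To make the metaverse flow concrete, here is a small Python model added to this overview; it is not ILM code, and its record layouts, attribute names and action labels are constructed. It shows the HR store taking attribute precedence over the e-mail system, provisioning of a new hire, and how an e-mail record with no matching active HR record surfaces as the kind of anomaly (an active record for someone who has left) mentioned earlier.

```python
"""Toy model of the metaverse flow described above (an added illustration,
not ILM code): the HR and e-mail connected stores are imported into connector
spaces, joined on employeeID, and HR is the authoritative source for attributes.
"""

# Constructed sample data standing in for the two connected stores.
HR_STORE = [
    {"employeeID": "1001", "telephone": "555-0101", "status": "active"},
    {"employeeID": "1002", "telephone": "555-0102", "status": "terminated"},
    {"employeeID": "1003", "telephone": "555-0103", "status": "active"},
]
EMAIL_STORE = [
    {"employeeID": "1001", "telephone": "555-0199", "enabled": True},  # stale number
    {"employeeID": "1002", "telephone": "555-0102", "enabled": True},  # leaver still active
    {"employeeID": "9999", "telephone": "555-0999", "enabled": True},  # no HR record at all
]


def build_metaverse(hr_store, email_store):
    """Join both connector spaces on employeeID; HR attributes take precedence."""
    metaverse = {}
    for rec in hr_store:
        metaverse[rec["employeeID"]] = {"telephone": rec["telephone"],
                                        "status": rec["status"], "mailbox": None}
    for rec in email_store:
        entry = metaverse.setdefault(
            rec["employeeID"],
            {"telephone": None, "status": "no-hr-record", "mailbox": None})
        entry["mailbox"] = rec  # a connector reference, not an attribute flow
    return metaverse


def plan_export(metaverse):
    """Decide what the e-mail management agent must export for each metaverse entry."""
    actions = []
    for eid, mv in sorted(metaverse.items()):
        mailbox = mv["mailbox"]
        if mv["status"] == "active":
            if mailbox is None:
                actions.append(("provision", eid))  # new hire: create the mailbox
            elif mailbox["telephone"] != mv["telephone"]:
                actions.append(("flow-telephone", eid, mv["telephone"]))  # HR value wins
        elif mailbox is not None and mailbox["enabled"]:
            # An enabled mailbox for someone HR does not list as active: a leaver is
            # deprovisioned, an orphan with no HR record is flagged for review.
            kind = "deprovision" if mv["status"] == "terminated" else "flag-orphan"
            actions.append((kind, eid))
    return actions


if __name__ == "__main__":
    for action in plan_export(build_metaverse(HR_STORE, EMAIL_STORE)):
        print(action)
```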
Certificate and Smart Card Management
ILM 2007 also provides sophisticated credential management features to Windows Server 2003
Certificate Authorities (CAs) by acting as an administrative proxy. Once installed within an
organization, all digital certificate and smartcard management functions pass through ILM 2007. The
certificate management solution in ILM 2007 consists of three components:
1) Server component: Provides a Web interface and is the focal point of administrative functions.
2) Certificate Authority plug-in: Communicates with the server, controls the behavior of the CA(s),
and provides rich logging and auditing in a central location.
3) Client-side components:
• Smartcard Self Service Control, which provides certificate management capabilities.
• Smartcard Personalization Control, which provides Java card management.
• Bulk Smartcard Issuance Tool, which is an application for centralized large scale smart card
deployment scenarios.
Q&A
How does ILM 2007 relate to MIIS 2003?
ILM 2007 includes and enhances the functionality of MIIS 2003. By integrating the
metadirectory and user provisioning features of MIIS 2003 with a management solution for
strong credentials, ILM is a powerful solution for managing the entire identity life cycle of
users and credentials.
What is Certificate Lifecycle Manager?
Certificate Lifecycle Manager (CLM) is a policy- and workflow-driven technology that helps
organizations manage the lifecycle of digital certificates and smart cards. This technology is
being released as a key component of ILM 2007.
How can I obtain Certificate Lifecycle Manager?
Certificate Lifecycle Manager will be made available as part of ILM 2007. By acquiring ILM
2007 you will gain all of the features and technologies of CLM.
What languages will ILM 2007 be available in?
ILM 2007 will initially be released in English only. Language packs for the certificate
management functionality will be released at a later date. Certificate management language
packs are planned for the following languages: German, French, Spanish, Japanese, Chinese,
Italian, Dutch, and Portuguese.

System Requirements

Required Software

Windows Server 2003: ILM 2007 requires Windows Server 2003, Enterprise Edition, and Windows
Server 2003 client access licenses (CALs).

SQL Server: ILM 2007 requires SQL Server 2005 or 2000, Enterprise or Standard Edition,
Service Pack 3 (SP3).

Required Hardware

• 1 GHz or faster processor; Pentium 4 recommended

• 512 MB of RAM or higher; 1 GB or more recommended

• 350 MB of available hard-disk space or more for the default installation. An additional 1
GB of available hard-disk space is recommended for the log file.

• 8 GB of available hard-disk space on the partition that contains the database files for ILM
2007 metadirectory services and user provisioning

• CD-ROM or DVD-ROM drive

• Super VGA (1024 x 768) or higher-resolution monitor recommended

• Keyboard and mouse or compatible pointing device

• At least one network interface card (NIC) is required. If a private network is used, the
head node requires at least two NICs, and each compute node requires at least one NIC.
Each node may also require a high-speed NIC for a Message Passing Interface (MPI)
network.

• Certificate and smart card management hardware requirements: CLM-compatible smart
card(s) and smart card reader(s)

Detailed Software Requirements

Metadirectory services and user provisioning server requirements
• Windows Server 2003 Enterprise Edition or Windows Server 2003 R2 Enterprise Edition
• Microsoft .NET Framework 2.0
• Microsoft SQL Server 2000 Enterprise Edition, Standard Edition, or Developer Edition with
Service Pack 3a or later; or Microsoft SQL Server 2005 Enterprise Edition, Standard Edition,
or Developer Edition (32-bit or 64-bit) with Service Pack 1 recommended

Certificate and smart card management server requirements
• An Active Directory infrastructure with a domain controller
• One (minimum) Windows Server 2003 Enterprise Edition certification authority (CA) installed
as an Enterprise CA
• The certificate and smart card management server component can be installed on a computer
running: Windows Server 2003 Enterprise Edition with Service Pack 1 or later; or Windows
Server 2003 Datacenter Edition with Service Pack 1 or later
• Microsoft .NET Framework 2.0

Certificate and smart card management client requirements
• Operating system (one of the following):
  • Windows XP Professional with Service Pack 2 or later
  • Windows 2000 Professional with Service Pack 4 or later
• Web browser (one of the following):
  • Internet Explorer 6.x with Service Pack 1 or later
  • Internet Explorer 7.x
• Vendor middleware (one of the following):
  • Microsoft Base Cryptographic Service Provider with vendor-specific mini-driver
  • Legacy cryptographic service provider (CSP) with PKCS11-compatible vendor middleware

Supported PKCS11-compatible card vendors
• Axalto Access Client Software version 5.2
• AET SafeSign Identity Client version 2.2
• Aladdin eToken Runtime Environment version 3.65
• Gemplus GemSafe version 4.2 service pack 3
• Siemens HiPath SIcurity Card API version 3.1.026

Can SQL Server run on the same server on which ILM 2007 is running?
Yes, SQL Server may be run on the same server on which ILM 2007 is running. Typically,
performance is enhanced when SQL Server and ILM 2007 run on the same server.
Can the server-side certificate management components of ILM 2007 run on the same
server as the ILM 2007 metadirectory and user provisioning components?
Yes. All of the server-side components of ILM 2007 may run on the same server. However,
depending on the security requirements of your environment and the processing required
by your ILM 2007 server configuration, you may find it beneficial to run the components on
different servers.
When are CALs needed in ILM 2007?
You must acquire and assign a user CAL for each user for whom Identity Lifecycle Manager
2007 issues or manages one or more digital certificates. You do not otherwise need user CALs
merely to access instances of the server software. Furthermore, the only types of CALs
available with ILM 2007 are user CALs. Device CALs are not available.
Is there an external connector license available for ILM 2007? If not, when will it be
available?
An ILM 2007 external connector license is not available for ILM 2007 at this time.
How do I license SQL Server for use with ILM 2007?
Please consult the SQL Server Product site in the Shop for up-to-date information on how
SQL Server is licensed, including answers to frequently asked questions.
Do I need to purchase a new SQL Server license to run ILM 2007?
No. You may use a copy of SQL Server that you have already licensed. ILM 2007 does not
require a copy for its own exclusive use. It may be shared with other applications.
Upgrading from Microsoft Identity Integration Server (MIIS) 2003
Is there an upgrade path from MIIS 2003 to ILM 2007?
Setup for ILM 2007 is designed to perform upgrades where appropriate. For example, ILM 2007
Volume License can upgrade an existing MIIS 2003 installation, Identity Integration Feature Pack
(IIFP), ILM 2007 Evaluation Edition, and ILM 2007 MSDN. IIFP cannot upgrade anything except a
previous IIFP. ILM 2007 MSDN cannot upgrade anything except a previous MIIS 2003 MSDN, etc.
Below is a matrix that shows the upgrade paths available.

Upgrade paths for MIIS 2003, IIFP, and ILM 2007 Versions

Columns give the product being installed; rows give the preexisting product.

Preexisting Product   MIIS 2003 SP2   MIIS 2003 SP2 Web Upgrade   IIFP   ILM 2007   ILM 2007 MSDN   ILM 2007 Evaluation
MIIS                  Yes             Yes                         No     Yes        No              No
MIIS MSDN             Yes             No                          No     Yes        Yes             No
MIIS Evaluation       Yes             No                          No     Yes        No              No
IIFP                  Yes             No                          Yes    Yes        No              No

Management Agents
Which management agents or connectors will be available with ILM 2007?
Connectivity Capabilities of ILM 2007

Type of System: Management Agents

Network operating systems and directory services:
  Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
  Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
  Microsoft Windows NT 4.0
  IBM Tivoli Directory Server
  Novell eDirectory 8.6.2, 8.7, and 8.7.x
  Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

Mainframe:
  IBM Resource Access Control Facility
  Computer Associates eTrust ACF2
  Computer Associates eTrust Top Secret

E-mail and messaging:
  Microsoft Exchange 2003, 2000, and 5.5
  Lotus Notes 6.x, 5.0, and 4.6

Applications:
  SAP 5.0 and 4.7
  Telephone switches
  XML-based systems
  DSML-based systems

Databases:
  Microsoft SQL Server 2005, 2000, and 7
  IBM DB2
  Oracle 10g, 9i, and 8i

File-based (1):
  Attribute Value Pairs
  CSV
  Delimited
  Fixed Width
  Directory Services Markup Language (DSML) 2.0
  LDAP Interchange Format (LDIF)

All other:
  Extensible Management Agent for connectivity to all other systems

(1) These file formats allow for integration with a variety of applications, databases, telephone
switches, X.500 systems, and metadirectory products or underlying systems that can produce a
file.

What smart card platforms are supported by ILM 2007?


Smart card platforms are supported indirectly through the middleware used to interface to
the card. The middleware controls which specific cards are supported by it. ILM 2007
supports two forms of middleware: BaseCSP and PKCS#11. Any BaseCSP smart card module
that conforms to the BaseCSP specification is supported by ILM 2007. ILM 2007 support for
PKCS#11 includes support for the following vendors:
1. Axalto Client Software (ACS) v 5.2
2. AET SafeSign v2.1
3. Aladdin eToken RTE 3.6
4. Gemplus GemSafe v4.2
5. Siemens HiPath SIcurity Card API v3.1.026

Identity Lifecycle Manager Roadmap


What is Identity Lifecycle Manager "2"?
ILM "2" will extend the functionality of ILM 2007 with new capabilities that will:
o Empower people with integrated end-user self-service tools in Office and Windows.
o Put IT in control through a robust delegation model and business process framework.
o Improve operational efficiency by automating common identity lifecycle
management tasks and empowering end users with self-help solutions.
In addition, Microsoft is implementing ILM "2" on a common set of services—
including workflow, delegation, Web services APIs, and logging—that customers and
independent software vendors can use to customize and extend the functionality in
ILM "2".
What are the key differences between ILM 2007 and ILM "2"?
ILM "2" extends the functionality of ILM 2007 with new capabilities focused on empowering
end users to manage aspects of their digital identities through tools they are comfortable
with, such as Office and Windows. ILM "2" provides a series of solutions for management of
users, access, credentials, and policies that empower end users with self-service while
ensuring that IT is firmly in control. Microsoft is also implementing ILM "2" on a common set
of services—including workflow, delegation, Web services APIs, and audit logs—that
customers and ISVs can use to extend the core product functionality.
When can I get a beta of ILM "2"?
Microsoft plans to release a beta of ILM "2" in mid-2007.
