Speaker : Spencer Harbar
Almost all SharePoint features depend on identity management and user profiles. Identity management is only 10% about technology. A primary consideration is who owns the data; another is the quality of the data: is it clean and up to date? Active Directory data quality is a typical example. Data is also sometimes stored in legacy or LOB systems. Access to identity management data has to be controlled, and for external systems the questions of authentication and authorization come into play.
It is really important to work closely with the directory services (DS) admins, as they are at the centre of such a project; communication is therefore key. Several permissions are also needed for the synchronization account.
A recurring issue so far has been a misunderstanding of the UPA architecture: its features and design constraints drive the deployment options. Four key areas need careful attention: security, privacy, policy and operations. Several services are in scope for the UPA: SQL Server, Distributed Cache, Search, Managed Metadata and Business Data Connectivity.
The goals of the new profile sync in SharePoint 2013 are performance improvements and wider compatibility. As an example, a directory with more than 100,000 users or groups can be imported in 60 hours instead of the 2 weeks it previously took.
There are several synchronization modes: AD Import, UP Sync (the FIM-based synchronization) and custom code synchronization.
AD Import can filter users and groups (object selection) with LDAP queries; these filters are inclusion-based, whereas UPS filters are exclusion-based. It requires one connection per domain. It supports shadow accounts, and property mapping as well as account mapping between AD and FBA or other providers is possible. The Replicate Directory Changes permission is still needed, but the import itself is improved. The limitations: there is no cross-forest contact resolution; mapping to SharePoint system properties is not supported; augmenting profiles with data from BDC is not possible; mapping multi-valued properties is not possible. When the AD configuration (schema) changes, a full import is required, followed by a purge after the import, and the full import cannot be scheduled. AD Import connections are stored in the Profile DB, whereas UPS stores them in the Sync DB, so mappings and filters are not carried over when switching between the two.
UPA and UPS are provisioned from Manage Service Applications or with PowerShell, but with PowerShell there is still the default schema issue. There are two workarounds: log on to the machine as the Farm account and provision from there, or change the data manually in the database (not supported).
Some profile properties are taxonomy-backed and are created in the term store automatically when the Managed Metadata Service is provisioned; the user profile import relies on MMS. In order to start the User Profile Synchronization Service, the Farm account has to be put in the local Administrators group, so a warning complaining that the Farm account is a local administrator will be displayed in the SharePoint Health Analyzer. The recommendation is to enable NetBIOS domain names right after the UPA is provisioned if the FQDN and the NetBIOS domain name do not match.
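The following script is an added example, not code from the session or from the author of these notes. It strings the provisioning steps above together the way a practitioner would run them on the sync server: it applies the first (supported) workaround for the default schema issue by refusing to run unless the current identity is the Farm account, creates the UPA and its proxy, enables NetBIOS domain names when the left-most DNS label differs from the NetBIOS name, and starts the UP Sync service instance with the Farm account temporarily in the local Administrators group. The service application, database and application pool names are assumptions; the application pool is assumed to exist already.

```powershell
# Added example (not from the session). Assumed names: UPA, databases, app pool.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$upaName     = "User Profile Service Application"   # assumed
$appPoolName = "SharePoint Web Services Default"    # assumed, must already exist

# 1. Default schema issue: the supported workaround is to provision as the Farm
#    account, so abort if the current Windows identity is anything else.
$farmAccount = (Get-SPFarm).DefaultServiceAccount.Name
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $farmAccount) {
    throw "Run this logged on as the Farm account ($farmAccount), not as $me."
}

# 2. Create the UPA and its proxy. An MMS proxy must already be in the default
#    proxy group, because the profile import relies on taxonomy-backed properties.
$appPool = Get-SPServiceApplicationPool -Identity $appPoolName
$upa = New-SPProfileServiceApplication -Name $upaName -ApplicationPool $appPool `
    -ProfileDBName "UPA_Profile" -SocialDBName "UPA_Social" -ProfileSyncDBName "UPA_Sync"
New-SPProfileServiceApplicationProxy -Name "$upaName Proxy" -ServiceApplication $upa -DefaultProxyGroup | Out-Null

# 3. Right after provisioning: enable NetBIOS domain names when the DNS name and
#    the NetBIOS name differ (e.g. corp.contoso.com vs CONTOSO). USERDNSDOMAIN and
#    USERDOMAIN are the logged-on account's domain, i.e. the Farm account's domain.
$dnsLabel = $env:USERDNSDOMAIN.Split('.')[0]
if ($dnsLabel -ne $env:USERDOMAIN) {
    $upa.NetBIOSDomainNamesEnabled = $true
    $upa.Update()
}

# 4. UP Sync (FIM) mode only: the Farm account must be a local Administrator while
#    the service instance starts. Remove it afterwards to clear the Health Analyzer rule.
net localgroup Administrators $farmAccount /add | Out-Null
$ups = Get-SPServiceInstance -Server $env:COMPUTERNAME |
    Where-Object { $_.TypeName -eq "User Profile Synchronization Service" }
Start-SPServiceInstance -Identity $ups | Out-Null
do {
    Start-Sleep -Seconds 30
    $ups = Get-SPServiceInstance -Identity $ups.Id
} while ($ups.Status -ne "Online")
net localgroup Administrators $farmAccount /delete | Out-Null
```

If the instance stays in "Starting" indefinitely, start it from Central Administration instead (Manage services on server), which prompts for the Farm account password; the local Administrators membership is still required for that route, and should still be removed afterwards.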
Planning is the key to success. Remember that if the data is rubbish, it will not get better once imported. The health of AD is very important.
The web front-end servers still make direct TDS (Tabular Data Stream) calls to the SQL Server.
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.