Sunday, June 7, 2009

Introducing the FIM Query Tool

I've had a bit of downtime recently, so I decided to make good on a statement that I made to my colleagues at lunch one day, "I should create an interface for querying the ILM2 web service." Well, I just polished off a first draft and published it to CodePlex. Please take it for a test drive, kick the tires, and leave me some feedback!

FIM Query Tool

As I mention on the CodePlex site, this tool is a Windows Forms front end to the ILM2 enumeration client. It's intended to be a one-stop shop for testing XPath filters on the ILM2 web service. And although it's called 'FIM Query Tool', it's currently written for the only available version of FIM, which is ILM2 RC0. Obviously, I'm expecting this tool to evolve with the technology.

Here's a first glance at the tool.

There are a few bells & whistles on this first draft. First, it populates the object & attribute lists when you first run it, but then it caches those lists so that subsequent sessions are faster. If you create a new object or attribute, you can always refresh the schema with the corresponding buttons.

Next, it uses the extensions formerly known as TEIMO (now called MS-WSTIM) to filter the attributes returned from the web service, so that you can cut down on the SOAP message size and save a bit of time on each query.

The tool displays the results in a table, and although it's not obvious in this first draft, you can use Ctrl-A, Ctrl-C to copy all the cells so that you can paste them into Excel. The tool also gives you the raw XML for your perusing pleasure, as well as some verbose messages on separate tabs.

Finally, you can choose to dereference GUIDs when displaying the output. This means that it will resolve GUIDs to their display names, but if you choose this option, you'll get a warning that performance may be poor.

Now let me mention the biggest limitation of the first draft: there's no filter builder to help you with the XPath syntax. Thus, you're sort of on your own when typing up the XPath filter that you'd like to test. I do give you the underlying attribute name when you skate your mouse over the attributes in the list. I hope this helps you out for now.

One quick note on the application settings. You can find all of the settings in the FIMQueryTool.exe.config file. For example, the enumeration endpoint is set to http://localhost:526/... If you have a different URL for your server/port, you'll have to update this in the config file. Note that I set the SOAP message size to the max (maxReceivedMessageSize="0x7fffffff"), but you may want to tweak other settings like WsEnumerationDefaultPull (batch size).

Oh! I forgot to mention that since this project is on CodePlex, you have access to the source code. Enjoy! Try not to blow anything up. :)

As I mentioned, please download it, try it out, and leave me feedback either through the Discussions section of the CodePlex project or on this blog.


  1. Hi,

    I have tried to run this on my environment but it seems to fail on the authentication part ?

    System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://{hostname}:5725/ResourceManagementService/Enumeration' for target 'http://{hostname}:5725/ResourceManagementService/Enumeration' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: The Security Support Provider Interface (SSPI) negotiation failed

    I have updated the .config file as below

    Is there anything else should I be aware of ? Thanks again for the great tool !

    1. Hi Calvinz360,

      Here are a few questions to help you troubleshoot. Which version of FIM are you running? Do you have any trouble accessing the FIM Portal with the same account that you're trying to run the FQT? In the configuration file, what did you use for {hostname}; was it "localhost", servername, or FQDN? Have you tried running the FQT as administrator?


    2. Hi Joe,

      1. Which version of FIM are you running?
      - FIM 2010
      2. Do you have any trouble accessing the FIM Portal with the same account that you're trying to run the FQT?
      - Accessing with my standard account works fine
      3. In the configuration file, what did you use for {hostname}; was it "localhost", servername, or FQDN?
      - I tried using localhost directly on the server itself, servername from my workstation. Both did not worked unfortunately. I have yet to try using FQDN. I configured it both on (app.config and FIMQueryTool.exe.config) is that correct ?
      4. Have you tried running the FQT as administrator?
      Yes, I did

      On top of this, I was using Quest Powershell to perform similar queries towards FIM portal without any issues on the same account. It shouldn't be configured using the service account correct ?

    3. This comment has been removed by the author.

    4. Hi again Calvinz360,

      Thanks for answering those questions. I Googled that error message, and it sounds like you may have overlooked the SPN/UPN? Did you modify these lines in the config file to set the DOMAIN\username of your FIM Service service account?

      <userPrincipalName value="FIMTEST\svc_fimws"/>


    5. Hi Joe,

      On my first try, I replaced the UPN value with Domain\Username as per your specification but that didn't work out. Hence I tried with the other format which is username@domain FQDN and that worked flawlessly ;)

    6. Great! Thanks for your feedback! Enjoy!