Certificate Management MA version does not Match Forefront Identity Manager RC1 Certificate Management Version

Article ID: 2005585

Symptoms

Note: The content of this article has been updated to use the new name for the Certificate Lifecycle Manager. In Microsoft® Forefront™ Identity Manager 2010 RC1 (FIM 2010 RC1), the component is named Certificate Management.

In general, the version of the Certificate Management Management Agent (CM MA) should match the version number of FIM Certificate Management (FIM CM).  However, there may be cases when this is not possible, such as if the CM MA is upgraded to fix a bug. 

When attempting to install and run the CM MA when the version of the CM MA and FIM CM do not match, the MA will fail with the error extension-dll-exception and the following entries will appear in the event log:

Error      10/30/2008 3:22:44 PM  MIIServer            6801       (3)

The extensible extension returned an unsupported error in MIIS.

 The stack trace is:

  "Microsoft.MetadirectoryServices.ExtensibleExtensionException: Could not load file or assembly 'Microsoft.Clm.Shared, Version=4.0.2173.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

Error      10/30/2008 3:22:44 PM  MIIServer WF     8041       None

There was an error in endImportCode_ExecuteCode.Type: System.IO.FileLoadException

Message: Could not load file or assembly 'Microsoft.Clm.Shared, Version=4.0.2173.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

Where Microsoft.Clm.Shared may be Microsoft.Clm.Shared, Microsoft.Clm.Common or Microsoft.Clm.BusinessLayer and 4.0.2173.0 may be the CM MA version or the FIM CM version.

Cause

This is caused by a mismatch of assembly versions between the Certificate Management management agent and FIM Certificate Management.

Resolution

Create bind-redirection statements on both the FIM Synchronization Service machine as well as the FIM Certificate Management machine.  Please see the More Information section for details.

More Information

 

Solution

It is possible to run the CM MA when its version does not match FIM CM by adding binding redirects to the .NET configuration files on both the FIM CM and FIM Synchronization machines.

There are three files that are used by both FIM CM and the CM MA:

  • Microsoft.Clm.Common
  • Microsoft.Clm.Shared
  • Microsoft.Clm.BusinessLayer

These files are installed on the FIM CM machines with FIM CM.  These files are installed on the FIM Synchronization machine by the CM MA.  When the versions of these files are not matched, the data sent between the CM MA and the FIM CM machines cannot be encoded and decoded properly. 

By adding binding redirects on both the FIM CM and FIM Synchronization Service servers, you can allow mismatched versions of these files to interoperate. On the FIM CM machine, you must redirect the CM MA version to the FIM CM version. On the FIM Synchronization machine, you must redirect the FIM CM version to the CM MA version.

Binding Redirect

When you build a .NET Framework application against a strong-named assembly, the application uses that version of the assembly at run time by default, even if a new version is available. However, you can configure the application to run against a newer version of the assembly.

You can redirect more than one assembly version by including multiple bindingRedirect elements in a dependentAssembly element of the .NET configuration.

Explicit assembly binding redirection in an application configuration file requires a security permission. This applies to redirection of .NET Framework assemblies and assemblies from third parties. The permission is granted by setting the BindingRedirects flag on the SecurityPermission Class.

For more information on Binding redirect, see this MSDN article: http://msdn.microsoft.com/en-us/library/eftw1fys.aspx

FIM Synchronization Configuration File

On the FIM Synchronization machine, the CM MA runs in a separate process from the FIM Synchronization Service. As a result, the .NET system configuration file must include the binding redirects for the CM MA. The default location for this file is C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config. (For ILM 2007, the path is: C:\Windows\Microsoft.Net\Framework\v2.0.50727\Config\Machine.config)

To configure the CM MA to allow a mismatch between the CM MA and FIM CM version, add a binding redirect for Microsoft.Clm.Common, Microsoft.Clm.Shared and Microsoft.Clm.BusinessLayer to redirect from the FIM CM version number to the CM MA version number.

For example, if you installed FIM CM version 4.0.2173.0 and wanted to use CM MA version 4.0.2175.0, add the following entries to the machine.config file:

<!-- Binding redirects for mis-matched CM MA/CM versions -->

<runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                  <assemblyIdentity name="Microsoft.Clm.Common"
                              publicKeyToken="31bf3856ad364e35"
                              culture="neutral" />
                  <bindingRedirect oldVersion="4.0.2173.0"
                                   newVersion="4.0.2175.0"/>
            </dependentAssembly>
            <dependentAssembly>
                  <assemblyIdentity name="Microsoft.Clm.Shared"
                                    publicKeyToken="31bf3856ad364e35"
                                    culture="neutral" />
                  <bindingRedirect oldVersion="4.0.2173.0"
                                   newVersion="4.0.2175.0"/>
            </dependentAssembly>
            <dependentAssembly>
                  <assemblyIdentity name="Microsoft.Clm.BusinessLayer"
                                  publicKeyToken="31bf3856ad364e35"
                                  culture="neutral" />
                  <bindingRedirect oldVersion="4.0.2173.0"
                                  newVersion="4.0.2175.0"/>
            </dependentAssembly>
      </assemblyBinding>
</runtime>

FIM CM Configuration File

On the FIM CM server, the CM MA runs in the FIM CM web application process. As a result, the FIM CM Web configuration file must include the binding redirects for the CM MA. The CM MA web configuration file is installed by FIM CM and the default location for the file is C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\Web.config. (For ILM 2007, the path is: C:\Program Files\Microsoft Certificate Lifecycle Manager\web\Web.config)

To configure the CM MA to allow a mismatch between the CM MA and FIM CM version, add a binding redirect for Microsoft.Clm.Common, Microsoft.Clm.Shared and Microsoft.Clm.BusinessLayer to redirect from the CM MA version number to the FIM CM version number.

For example, if you installed FIM CM version 4.0.2173.0 and wanted to use CM MA version 4.0.2175.0, add the following entries to the web.config file:

<!-- Binding redirects for mis-matched CM MA/CM versions -->
<runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                  <assemblyIdentity name="Microsoft.Clm.Common"
                                    publicKeyToken="31bf3856ad364e35"
                                    culture="neutral" />
                  <bindingRedirect oldVersion="4.0.2175.0"
                                    newVersion="4.0.2173.0"/>
            </dependentAssembly>
            <dependentAssembly>
                  <assemblyIdentity name="Microsoft.Clm.Shared"
                                    publicKeyToken="31bf3856ad364e35"
                                    culture="neutral" />
                  <bindingRedirect oldVersion="4.0.2175.0"
                                    newVersion="4.0.2173.0"/>
            </dependentAssembly>
            <dependentAssembly>
                  <assemblyIdentity name="Microsoft.Clm.BusinessLayer"
                                    publicKeyToken="31bf3856ad364e35"
                                    culture="neutral" />
                  <bindingRedirect oldVersion="4.0.2175.0"
                                   newVersion="4.0.2173.0"/>
            </dependentAssembly>
      </assemblyBinding>
</runtime>
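The two configuration files above differ only in the direction of the redirect, which is easy to get wrong, and machine.config applies to every .NET application on that framework version. The following is an added example (not part of the original article or any Microsoft tooling) that checks a configuration file for the three redirects in the direction this article requires for the machine it came from; the helper name check_redirects, its role values "sync" and "cm", and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}
CLM_ASSEMBLIES = ("Microsoft.Clm.Common", "Microsoft.Clm.Shared",
                  "Microsoft.Clm.BusinessLayer")
CLM_TOKEN = "31bf3856ad364e35"  # publicKeyToken used in the article's examples

def check_redirects(config_xml, role, cm_version, ma_version):
    """Return problems found in the CLM redirects (hypothetical helper).
    role "sync" (machine.config): expect FIM CM version -> CM MA version.
    role "cm"   (Web.config):     expect CM MA version -> FIM CM version."""
    want = {"sync": (cm_version, ma_version), "cm": (ma_version, cm_version)}[role]
    seen, problems = {}, []
    root = ET.fromstring(config_xml)
    for dep in root.iterfind(".//asm:assemblyBinding/asm:dependentAssembly", NS):
        ident = dep.find("asm:assemblyIdentity", NS)
        name = ident.get("name") if ident is not None else None
        if name not in CLM_ASSEMBLIES:
            continue  # redirects for other assemblies are not judged here
        if (ident.get("publicKeyToken") or "").lower() != CLM_TOKEN:
            problems.append(f"{name}: unexpected publicKeyToken")
        for r in dep.findall("asm:bindingRedirect", NS):
            seen.setdefault(name, []).append((r.get("oldVersion"), r.get("newVersion")))
    for name in CLM_ASSEMBLIES:
        pairs = seen.get(name, [])
        if want not in pairs:
            problems.append(f"{name}: expected redirect {want[0]} -> {want[1]} missing")
        for old, new in pairs:
            if (old, new) == want[::-1]:
                problems.append(f"{name}: redirect is reversed for this machine")
            elif (old, new) != want:  # includes version ranges and stale versions
                problems.append(f"{name}: unexpected redirect {old} -> {new}")
    return problems

# Constructed sample for a FIM Synchronization machine: Common is correct,
# Shared is reversed, BusinessLayer has no redirect at all.
SAMPLE = """<configuration><runtime>
 <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
  <dependentAssembly>
   <assemblyIdentity name="Microsoft.Clm.Common" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
   <bindingRedirect oldVersion="4.0.2173.0" newVersion="4.0.2175.0"/>
  </dependentAssembly>
  <dependentAssembly>
   <assemblyIdentity name="Microsoft.Clm.Shared" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
   <bindingRedirect oldVersion="4.0.2175.0" newVersion="4.0.2173.0"/>
  </dependentAssembly>
 </assemblyBinding>
</runtime></configuration>"""
```

Calling check_redirects(SAMPLE, "sync", "4.0.2173.0", "4.0.2175.0") reports the reversed Microsoft.Clm.Shared entry and the missing Microsoft.Clm.BusinessLayer entry; an empty list means all three redirects match the expected direction.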

 

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2005585 - Last Review: November 13, 2009 - Revision: 1.0
APPLIES TO
  • Microsoft Identity Lifecycle Manager 2007
Keywords: 
KB2005585
