A hotfix rollup package (build 4.0.3594.2) is available for Forefront Identity Manager 2010

Installation information

• If you upgrade any of the FIM server components, you must also upgrade the following server components:

  • The FIM Certificate Management (CM) certification authority (CA) components to the same version as the FIM CM server.

  • The FIM Service to the same version as the FIM Synchronization Service.

• To avoid a Bulk Client failure, you must also upgrade the FIM CM server and the FIM CA server modules to the same version if you upgrade the FIM 2010 CM Bulk Client.

Prerequisites

To apply this hotfix rollup, you must have Microsoft Forefront Identity Manager (FIM) 2010 installed.

Restart information

You must restart the computer after you apply the Add-ins and Extensions hotfix rollup package. Additionally, you may have to restart the server components.

Registry information

To use one of the fixes in this hotfix rollup, you must change the registry. For more information, see the "More Information" section.

Replacement information

This hotfix rollup package replaces the following hotfix rollup packages:

2502631 A hotfix rollup package (build 4.0.3576.2) is available for Forefront Identity Manager 2010

2417774 A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 2010
2272389 A hotfix rollup package (build 4.00.3558.02) is available for Forefront Identity Manager 2010

2028634 A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
978864 Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010

File information

The global version of this hotfix rollup installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Issue 1

Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails property for a request, or in the WorkflowStatusDetails property of a workflow instance:

Additionally, the time stamp is the same as the time when the operation fails.

Issue 1

An ExpectedRulesEntry (ERE) object is associated to a child synchronization rule of a Metaverse object. If the ERE object has a Remove action, deprovisioning of the object is also being triggered. Then, the behavior causes the deletion of the Metaverse object.

Issue 2

Fixes an access violation when a custom extension calls a COM+ object.

Issue 3

An earlier hotfix introduced a special Extensible Connectivity Management Agent (ECMA) mode to keep unconfirmed exports in escrow instead of awaiting confirmation. An issue with that hotfix causes delta sync to add new items that are not merged with an escrowed export into a pending export. After you install the hotfix that is mentioned in this article, if the ECMAAlwaysExportUnconfirmed registry entry is set to 1, the escrowed and pending changes are merged.

Issue 4

Fixes an SQL query construction issue that occurs during an import. This issue affects a DB2 database that uses a non-Unicode character set.

Issue 5

Fixes many "Export not reimported" errors that might occur because of errors in SQL.

Issue 6

Improves the performance of all Sync Engine operations.

Note This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.

Issue 7

A password reset that uses the ADMAEnforcePasswordPolicy registry setting fails when the user is in the Administrator group but is not an administrator.

Feature 1

Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation. The time stamp is stored as a TimeDate data type.

To enable this behavior, set the following registry subkey to a nonzero DWORD Value:

SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\NotesMAExportPwdTimestamp

Feature 2

The FIM 2010 Active Directory Management Agent (AD MA) does not honor the preferred domain controller list when passwords are exported. This is an issue for customers who require password changes to flow to a specific set of domain controllers. This hotfix rollup package changes the AD MA to use the preferred domain controller list first. If the preferred domain controller list does not exist, the domain controller locator service will identify a domain controller for password export operations. Additionally, you can still force password operations to use the primary domain controller by setting the following registry subkey:

Subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters\PerMAInstance\<MA_name>

Value:
ADMAUsePDCForPasswordOperations (REG_DWORD, 1 = True, 0 = False)
This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.

Feature 3

Adds the ability to filter objects before they are imported into the AD MA connector space.

Issue 1

Fixes an issue that would sometimes cause incorrect Set calculations. This resulted in lots of set corrections. Also revised the Sets Correction job so that it does not change special sets that are maintained by another system maintenance job.

Issue 2

Revised the FIM "Query and Sets" features to correctly treat percent signs, underscores, and opening brackets as literals instead of as SQL wildcard characters.



The approved character sets for strings that are used in FIM attribute values are defined in the attribute and binding schema in the FIM service. The syntax for representing an XPath filter is documented on MSDN in the following "FIM XPath Filter Dialect" article:

http://msdn.microsoft.com/en-us/library/ee652287.aspxSome customers may have included characters that SQL defines as query wildcard characters, such as the percent character, in FIM searches and Set filters. In this case, the customers intended FIM to treat the characters as SQL wildcard characters. This is not a documented or supported feature of the product. In some cases, customers may be able to achieve the intended functionality by removing the wildcard and by using a “contains” query/filter instead.



Existing Set resources that have filters that contain SQL wildcard characters may not continue to function as the filters functioned before this hotfix was applied. Also, a filter that contains wildcard characters and that continued to function as expected after the hotfix was applied may function differently if the administrator later updates the filter definition.

Customers who used characters that SQL defined as query wildcard characters must check and revise their Set filters either before or after they upgrade to this hotfix. Customers should consider the impact of Set membership changes on Set transition MPRs. And, customers may want to temporarily disable MPRs or update workflow definitions while they change their Set filters to avoid unintentionally triggering provisioning or deprovisioning operations during Set definition maintenance.

Issue 1

Enables the random number generator in the server key generation function.

Issue 2

Improves the performance when enrolling a smartcard that has not previously been used with FIM Certificate Management (CM).

Issue 1

Fixes an issue in which the FIM synchronization service configuration for synchronization rules and codeless provisioning was not correctly written to the FIM Service database.

Issue 1

Fixes an issue with SQL Server deadlocks that might occur during periods of high concurrency of requests or approvals.

Issue 2

Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronization service to fail during import, and a stopped-server error occurred.

Issue 3

Fixes an issue when you add or remove a value for a multivalued string attribute. If the request was subject to authorization such as request reevaluation, the request would fail after approval.

Issue 4

Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.

These orphaned objects have no functional impact on FIM. However, over time, these orphaned objects can cause a decrease in performance for both FIM operations and Sync operations that are related to FIM, such as import or export by using the FIM MA.

A pruning stored procedure, [debug].[DeleteOrphanedRulesByType], was added to the [debug] namespace of the FimService database. This stored procedure must be run separately for the DetectedRuleEntry object and the ExpectedRuleEntry object. The stored procedure also has a "reportOnly" mode, and this mode can be used to determine the presence and number of orphaned DetectedRuleEntry and ExpectedRuleEntry objects in the system.

The @ruleType parameter expects one of the following well-known values:

• N'Detected' for DetectedRuleEntry objects

• N'Expected' for ExpectedRuleEntry objects

To determine the number of orphaned objects in the system, run the stored procedure in "reportOnly" mode as follows.

    DECLARE
       @deletedRulesFound  BIT;
        EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @reportOnly=1, @deletedRulesFound=@deletedRulesFound OUTPUT;

To loop through and actually delete orphaned objects in the system, run the stored procedure as follows. @deletionLimit=1000 instructs the procedure to stop when it has deleted 1,000 objects. If there are more than 1,000 orphaned objects in the system, either run the procedure multiple times (recommended) or increase the deletionLimit value.

    DECLARE 
       @deletedRulesFound  BIT,
       @startDateTime      DATETIME,
       @endDateTime        DATETIME;
    SELECT @deletedRulesFound = -1;         
    WHILE @deletedRulesFound <> 0
    BEGIN
        SELECT @startDateTime  = CURRENT_TIMESTAMP;
        EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @deletionLimit=1000, @reportOnly=0, @deletedRulesFound=@deletedRulesFound OUTPUT;
        SELECT @endDateTime    = CURRENT_TIMESTAMP;
        SELECT @startDateTime AS [StartTime], @endDateTime AS [EndTime], @deletedRulesFound AS [WereDeletedRulesFound];
    END