Article ID: 2832389 - View products that this article applies to.
Expand all | Collapse all

On This Page

Introduction

A hotfix rollup package (build 4.1.3441.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2. This hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section.

Update information

A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.

Microsoft Support

If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Additionally, you can obtain the update from Microsoft Update or from Microsoft Update Catalog.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Component update packages
The following table contains the component update packages that are included in the download from Microsoft Support.

Collapse this tableExpand this table
ComponentFile name
FIM 2010 R2 Add-ins and ExtensionsFIMAddinsExtensions_xnn_KB2832389.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.
FIM 2010 R2 Add-ins and Extensions Language PackFIMAddinsExtensionsLP_xnn_KB2832389.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.


FIM 2010 R2 Certificate Management
FIMCM_xnn_KB2832389.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.
FIM 2010 R2 Certificate Management Bulk Issuance ClientFIMCMBulkClient_x86_KB2832389.msp
FIM 2010 R2 Certificate Management ClientFIMCMClient_xnn_KB2832389.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.
FIM 2010 R2 Service and PortalFIMService_x64_KB2832389.msp
FIM 2010 R2 Service Portal Language PackFIMServiceLP_x64_KB2832389.msp
FIM 2010 R2 Synchronization Service FIMSyncService_x64_KB2832389.msp
SQL script file package for the FIM BHOLD suiteFIMBHOLD_KB2832389.zip

Known issues in this update

FIM Synchronization Service
After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file for MIIServer.exe, Mmsscrpt.exe.config, or Dllhost.exe.config. For example, you edit the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.

In this case, the synchronization engine installer for this update intentionally does not replace the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.

To resolve this issue, follow these steps:
  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:

    <dependentAssembly>
    <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="3.3.0.0-4.1.2.0" newVersion="4.1.3.0" />
    </dependentAssembly

  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.

Prerequisites

To apply this update, you must have Forefront Identity Manager 2010 R2 (build 4.1.2273.0 or a later build) installed.

Restart requirement

You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_kb2832389.msp) package. Additionally, you may have to restart the server components.

Replacement information

This update replaces the following updates:
2814853 A hotfix rollup package (build 4.1.3419.0) is available for Forefront Identity Manager 2010 R2

2772429 Service Pack 1 (build 4.1.3114.0) is available for Forefront Identity Manager 2010 R2

2750671 A hotfix rollup package (build 4.1.2548.0) is available for Forefront Identity Manager 2010 R2

2734159 A hotfix rollup package (build 4.1.2515.0) is available for Forefront Identity Manager 2010 R2

File information

The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Collapse this tableExpand this table
File nameFile sizeDateTime
Fimaddinsextensionslp_x64_kb2832389.msp3,913,72818-Apr-201313:57
Fimaddinsextensionslp_x86_kb2832389.msp1,590,27218-Apr-201313:50
Fimaddinsextensions_x64_kb2832389.msp5,206,52818-Apr-201313:57
Fimaddinsextensions_x86_kb2832389.msp4,656,64018-Apr-201313:50
Fimcmbulkclient_x86_kb2832389.msp9,097,72818-Apr-201313:50
Fimcmclient_x64_kb2832389.msp5,573,63218-Apr-201313:57
Fimcmclient_x86_kb2832389.msp5,197,31218-Apr-201313:50
Fimcm_x64_kb2832389.msp31,791,61618-Apr-201313:57
Fimcm_x86_kb2832389.msp31,394,81618-Apr-201313:50
Fimservicelp_x64_kb2832389.msp12,184,57618-Apr-201313:57
Fimservice_x64_kb2832389.msp31,170,04818-Apr-201313:57
Fimsyncservice_x64_kb2832389.msp36,122,62418-Apr-201313:57
FIMBHOLD_KB2832389.zip4,09618-Apr-2013Not Applicable


More information

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Synchronization Service

Issue 1
The Active Directory Management Agent (AD MA) would stop if there was an issue during Exchange provisioning. This would include data errors. After this update is installed, the AD MA stops only if there is a critical error from which it cannot recover.

Issue 2
If several AD MAs targeted the same forest, the same object could appear multiple times in different MAs. When a password change came in from the Microsoft Password Change Notification Service PCNS), the setting for the password source was not honored. This caused random requests to fail.

Issue 3
If the FIM Service MA had several reference attributes that were not selected in Select Attributes, the FIM Synchronization Service would still process these and would affect performance.

Issue 4
Doing a delta import on the FIM Service MA in which there was an update to a single-valued reference attribute and in which the same attribute already had a change that had not yet been synchronized caused a "stopped-ma" error.

Issue 5
For ECMA2 connectors, empty reference attribute data could crash the FIM Synchronization Service during the reference retry phase.

Issue 6
When an error was returned on an object during add-in ECMA2, the interface expected the anchor to be returned. This value would not always be available in failure cases.

Issue 7
During Schema Refresh on an ECMA2 connector, the UI did not ask for encrypted parameters (for example, passwords). Any ECMA2 connector that depended on this information to be able to connect to the server to obtain the schema would fail.

Issue 8
An export-only ECMA2 did not correctly handle errors when they were returned from the connector. This resulted in a "The image or delta doesn't have an anchor" error.

Issue 9
When several exports were run without a confirming import and not all references could be exported, the FIM Synchronization Service could report a "stopped-server" error.

Issue 10
Flowing a constant value of 0 or 1 to a number attribute by using classic attribute flows caused an "Import Attribute Validation Error" error in the UI.

Issue 11
Adding a value to a reference value by using scripted code threw an "Object reference not set to an instance of an object" error because of a regression in FIM 2010 R2 SP1. An example of code that fails is as follows:

csentry["member"].Values.Add(<string>)

Issue 12
When a custom extension did not return control to the FIM Synchronization Service in time, typically 5 minutes, the Synchronization Service crashed. For example, this problem might occur with a custom password extension during password synchronization.

Feature 1
The contract DLL MetadirectoryServicesEx of the FIM Synchronization Service is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 cnnector outside the service. This enables the ability to create unit tests for these connectors in Visual Studio.

Feature 2
This release includes ECMA2.2. This has several new features added. These include the following:
  • A new capabilities page and the ability to call the capabilities later in the flow. It is now possible to ask the user for information and then connect to the target directory and use that information for the connector's capabilities.
  • Support is added for DN as anchor for LDAP-based directories and for not providing the object type for update and delete operations in a delta import.

For more information, go to the Microsoft Developer Network (MSDN) website for ECMA2.

FIM certificate management

Issue 1
Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.

Issue 2
The ability to print photos is added by using ID Works. In order to print a photo, add the following to the field mappings:

{User!attribute!binary}

Issue 3
Advanced search in Bulk Client did not work as expected when more than 1,000 results were returned from Active Directory.

Self-service password reset

Issue 1
If a new password had a string that might violate the ASP.NET request validator such as "<script>," the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client." To support these characters in a new password, open the Web.config file, and find the following entry:

<add key="Base64EncodePasswordFields" value="false" />

Change the value to "true." Make sure that you update this for both password registration and password reset portal servers.

FIM BHOLD suite

Issue 1
In a special case after the BHOLD connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in BHOLD. To address this issue, run the SQL script (extract the FIMBHOLD_KB2832389.zip file) that is contained in the hotfix download package.


References

For information about software update terminology, see Description of the standard terminology that is used to describe Microsoft software updates.

Properties

Article ID: 2832389 - Last Review: April 25, 2013 - Revision: 3.0
Applies to
  • Microsoft Forefront Identity Manager 2010 R2
Keywords: 
kbautohotfix kbqfe kbhotfixserver kbfix kbexpertiseinter kbsurveynew kbbug atdownload KB2832389

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com