Article ID: 2832389
A hotfix rollup package (build 4.1.3441.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2. This hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section.
Update information
A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.
Microsoft Support
If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Additionally, you can obtain the update from Microsoft Update or from Microsoft Update Catalog.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Component update packages
The following table contains the component update packages that are included in the download from Microsoft Support.
Known issues in this update
FIM Synchronization Service
After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file for MIIServer.exe, Mmsscrpt.exe.config, or Dllhost.exe.config. For example, you edit the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.
In this case, the synchronization engine installer for this update intentionally does not replace the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:
Prerequisites
To apply this update, you must have Forefront Identity Manager 2010 R2 (build 4.1.2273.0 or a later build) installed.
Restart requirement
You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_kb2832389.msp) package. Additionally, you may have to restart the server components.
Replacement information
This update replaces the following updates:
A hotfix rollup package (build 4.1.3419.0) is available for Forefront Identity Manager 2010 R2 (http://support.microsoft.com/kb/2814853/)
Service Pack 1 (build 4.1.3114.0) is available for Forefront Identity Manager 2010 R2 (http://support.microsoft.com/kb/2772429/)
A hotfix rollup package (build 4.1.2548.0) is available for Forefront Identity Manager 2010 R2 (http://support.microsoft.com/kb/2750671/)
A hotfix rollup package (build 4.1.2515.0) is available for Forefront Identity Manager 2010 R2 (http://support.microsoft.com/kb/2734159/)
File information
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.
FIM Synchronization Service
Issue 1: The Active Directory Management Agent (AD MA) would stop if there was an issue during Exchange provisioning. This would include data errors. After this update is installed, the AD MA stops only if there is a critical error from which it cannot recover.
Issue 2: If several AD MAs targeted the same forest, the same object could appear multiple times in different MAs. When a password change came in from the Microsoft Password Change Notification Service (PCNS), the setting for the password source was not honored. This caused random requests to fail.
Issue 3: If the FIM Service MA had several reference attributes that were not selected in Select Attributes, the FIM Synchronization Service would still process these and would affect performance.
Issue 4: Doing a delta import on the FIM Service MA in which there was an update to a single-valued reference attribute and in which the same attribute already had a change that had not yet been synchronized caused a "stopped-ma" error.
Issue 5: For ECMA2 connectors, empty reference attribute data could crash the FIM Synchronization Service during the reference retry phase.
Issue 6: When an error was returned on an object during add-in ECMA2, the interface expected the anchor to be returned. This value would not always be available in failure cases.
Issue 7: During Schema Refresh on an ECMA2 connector, the UI did not ask for encrypted parameters (for example, passwords). Any ECMA2 connector that depended on this information to be able to connect to the server to obtain the schema would fail.
Issue 8: An export-only ECMA2 did not correctly handle errors when they were returned from the connector. This resulted in a "The image or delta doesn't have an anchor" error.
Issue 9: When several exports were run without a confirming import and not all references could be exported, the FIM Synchronization Service could report a "stopped-server" error.
Issue 10: Flowing a constant value of 0 or 1 to a number attribute by using classic attribute flows caused an "Import Attribute Validation Error" error in the UI.
Issue 11: Adding a value to a reference value by using scripted code threw an "Object reference not set to an instance of an object" error because of a regression in FIM 2010 R2 SP1. An example of code that fails is as follows:
Issue 12: When a custom extension did not return control to the FIM Synchronization Service in time, typically 5 minutes, the Synchronization Service crashed. For example, this problem might occur with a custom password extension during password synchronization.
Feature 1: The contract DLL MetadirectoryServicesEx of the FIM Synchronization Service is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 connector outside the service. This makes it possible to create unit tests for these connectors in Visual Studio.
Feature 2: This release includes ECMA2.2, which adds several new features. These include the following:
For more information, go to the Microsoft Developer Network (MSDN) website for ECMA2.
FIM certificate management
Issue 1: Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
Issue 2: The ability to print photos is added by using ID Works. In order to print a photo, add the following to the field mappings:
Issue 3: Advanced search in Bulk Client did not work as expected when more than 1,000 results were returned from Active Directory.
Self-service password reset
Issue 1: If a new password had a string that might violate the ASP.NET request validator, such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client." To support these characters in a new password, open the Web.config file, and find the following entry:
<add key="Base64EncodePasswordFields" value="false" />
Change the value to "true". Make sure that you update this for both password registration and password reset portal servers.
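The Web.config change described above has to match on both portal servers, which a short script can verify. The following PowerShell is an added example, not part of the original article or the hotfix package; the two file paths are placeholders, and the -Fix switch is a name chosen for this example.

```powershell
# Added example: audit (and optionally correct) Base64EncodePasswordFields.
# The paths are PLACEHOLDERS. Point them at the Web.config files of your
# password registration portal and password reset portal.
param(
    [string[]]$ConfigPath = @(
        'C:\PLACEHOLDER\PasswordRegistrationPortal\Web.config',
        'C:\PLACEHOLDER\PasswordResetPortal\Web.config'
    ),
    [switch]$Fix   # without -Fix the script only reports
)

$key = 'Base64EncodePasswordFields'

foreach ($path in $ConfigPath) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path : file not found"
        continue
    }
    $full = (Resolve-Path -LiteralPath $path).Path

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout on save
    $xml.Load($full)

    # local-name() keeps the lookup working if the file declares a namespace.
    $node = $xml.SelectSingleNode("//*[local-name()='add'][@key='$key']")
    if ($null -eq $node) {
        Write-Warning "$full : '$key' entry is absent"
        continue
    }

    $current = $node.GetAttribute('value')
    if ($current -eq 'true') {               # -eq ignores case for strings
        Write-Output "$full : OK ($key=$current)"
    }
    elseif ($Fix) {
        Copy-Item -LiteralPath $full -Destination "$full.bak" -Force
        $node.SetAttribute('value', 'true')
        $xml.Save($full)
        Write-Output "$full : changed '$current' to 'true' (backup at $full.bak)"
    }
    else {
        Write-Output "$full : NEEDS CHANGE ($key=$current)"
    }
}
```

Saving Web.config causes ASP.NET to restart the web application, so run the script with -Fix during a maintenance window.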
FIM BHOLD suite
Issue 1: In a special case after the BHOLD connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in BHOLD. To address this issue, run the SQL script (extract the FIMBHOLD_KB2832389.zip file) that is contained in the hotfix download package.
For information about software update terminology, see "Description of the standard terminology that is used to describe Microsoft software updates".