A hotfix rollup package (build 3.3.1101.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1.
This hotfix rollup package includes all the previous hotfixes that are described in the following articles in the Microsoft Knowledge Base:
A hotfix rollup package (build 3.3.1051.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
This hotfix rollup package resolves the following issues.
Fixes that involve the ILM Certificate Management component (previously named CLM)
- CLM does not evaluate permissions correctly. The clmAudit permission setting may override other permissions that were set on an object.
- When you click Find a user to view or manage their information and then use a set of search criteria that returns multiple users, a different list of users may be returned every time that you run the search.
- When you assign a 14-character personal identification number (PIN) to a smartcard, the last character is truncated.
- If the certificate for the clmAgent is replaced, any CLM operation that requires access to data that was encrypted in the database by using the previous certificate for the clmAgent will trigger errors.
Note Examples of data that was encrypted by using the clmAgent's previous certificate might include data collection items, smart card keys, and previous requests.
- Assume that you perform an online update of primary and duplicate cards that contain encryption certificates. When you use the updated cards, you cannot decrypt data that was encrypted by either of the cards before you performed the online update.
- After you use the Windows client-side profile online update control to perform an online update on a profile template, you receive the following error message:
The request contains conflicting template information 0x8009480.
Fixes that involve the ILM Synchronization component (previously named MIIS)
- The Run Management Agent dialog box does not display the selected management agent from the Operations tab. Therefore, a user may unintentionally run the wrong management agent.
- A Lotus Notes management agent does not preserve the Partition Matching configuration after it imports the server configuration.
- Special characters may be replaced when they are exported from a Lotus Notes management agent.
Detailed information about the issues that are resolved by the ILM Certificate Management component
- Before you apply this hotfix, management permissions on a request are always granted based on how the CLM Audit permission is set, not on the actual permission (for example, Enroll or Revoke). This functionality can cause unintended behavior when CLM later verifies user permissions against an incorrect security descriptor. For example, two users who have identical group memberships may receive different results when they review a request.
- CLM runs an LDAP query when it searches for users who match a certain set of criteria. If the user who is performing the search does not have permissions to one or more of the users, the results that are returned may be incorrect.
- When you assign a 14-character PIN to a smartcard, the last character is truncated.
- When the certificate for the ClmAgent expires, the certificate is replaced either manually or by running the Configuration Wizard. However, some operations that were performed by using the old certificate generate errors. This behavior occurs because CLM tries to decrypt data by using the current certificate. These errors may occur during the following operations:
The error message that is returned may include the following text:The algorithm for finding the certificate that was used for the original encryption has been updated to include every certificate in the clmAgent's MY store.
- Completing an approval workflow
- Retiring smartcards
- When a user selects Manage my Info and then views a previously issued certificate.
Note The previous clmAgent certificate must still be in the local computer certificate cache.
- When you perform online updates on primary and duplicate cards, CLM generates the same authentication certificate on both cards, but it generates different encryption certificates. Therefore, you cannot decrypt data that was encrypted by these cards before you performed the online update.
- If the clmProfileUpdate utility is run manually or automatically when a user logs on, you receive a "The request contains conflicting template information" error message in the browser window that the utility generates. If the online update must issue a new certificate for the user, CLM requests a version 2 certificate template version from the CA. If the certificate template version that is provided by the CA is version 1, this error occurs.
Detailed information about the issues that are resolved by the ILM Synchronization component
- Consider the following scenario:
In this scenario, the management agent that is selected in the Run History list does not match the management agent in the Run Management Agent dialog box. Therefore, the user may unintentionally run the wrong management agent.
- You open the Identity Manager console.
- You click the Operations tab.
- You right-click an item in the Run History list.
- You click Run to open the Run Management Agent dialog box.
- Assume that you have two ILM Sync servers. Each one has a Lotus Notes management agent. The two servers are identical except for the name of the .nsf file that you use to connect to the Domino server. In a typical scenario, one server is used for development and the other server is used for production. You export the management agent from the development server by using the management agent import and export functionality or the server configuration import and export functionality. During the import process, you are prompted to configure partition matching and to provide the .nsf file name. You provide the correct .nsf file. However, after you complete the import process, the management agent properties show the .nsf file that was exported from the other server.
- If a string attribute value contains a special character (such as ř) when the object that has that attribute value is exported to a Lotus Notes management agent, the character is replaced by a non-accented character. For example, ř is replaced by r.
Service Pack information
To resolve these issues, obtain the latest service pack for Identity Lifecycle Manager 2007 Feature Pack 1.
ILM 2007 Feature Pack 1 Service Pack 1 (SP1) is available that contains fixes in this hotfix rollup and possesses a stronger compatibility with previous ILM builds. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Service Pack 1 (build 3.3.1139.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix. Note
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Installation issues Note
Make sure that you read this section before you install this hotfix rollup.
This hotfix rollup package contains different .msp files to update the appropriate versions (Enterprise and MSDN, for example) of the ILM Certificate Management component and of the ILM Synchronization component.
- In the ILM Certificate Management component (previously named CLM), previous hotfix rollups updated only the files in the clm\web\bin folder, not those in the clm\bin folder. This may cause some issues. For example, the CLM service may not start in this situation. To address this issue, you must uninstall the ILM Certificate Management component and reinstall it from a build that is available from Microsoft Customer Support before you install this hotfix rollup. We will make all the necessary files and documentation publicly available, and we will update this article with the corresponding links when they are published. In the meantime, contact the ILM team at Microsoft Customer Support Services (CSS) for the full instructions.
Important If you apply the CLM part of this hotfix rollup package, the manner in which CLM accesses Active Directory is changed.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
- In the ILM sync component (previously named MIIS), the files in the MIIS\bin folder were not replaced if an earlier hotfix rollup was applied to the original installation. The current hotfix rollup can be applied to any earlier build.
To apply this hotfix, you must have ILM 2007 FP1 installed.
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone
tab in the Date and Time
item in Control Panel.
Collapse this tableExpand this table
|File name||File version||File size||Date||Time||Platform|
|Clm_2007_fp1_client_deved_kb960765.msp||Not Applicable||216,576||25-Mar-2009||09:23||Not Applicable|
|Clm_2007_fp1_client_full_kb960765.msp||Not Applicable||216,576||25-Mar-2009||09:23||Not Applicable|
|Clm_2007_fp1_deved_kb960765.msp||Not Applicable||4,411,904||25-Mar-2009||09:23||Not Applicable|
|Clm_2007_fp1_full_kb960765.msp||Not Applicable||3,670,528||25-Mar-2009||09:23||Not Applicable|
|Ilm_2007_fp1_ent_kb960765.msp||Not Applicable||1,343,488||25-Mar-2009||09:23||Not Applicable|
|Ilm_2007_fp1_msdn_kb960765.msp||Not Applicable||1,331,200||25-Mar-2009||09:23||Not Applicable|
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
Description of the standard terminology that is used to describe Microsoft software updates
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 960765 - Last Review: October 8, 2011 - Revision: 3.0
|kbfix kbautohotfix kbsurveynew kbqfe KB960765|