Select the product you need help with

Service Pack 1 (build 3.3.1139.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1

Article ID: 977791

SUMMARY

Service Pack 1 (SP1) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1). The build version number of SP1 is 3.3.1139.2.

Back to the top | Give Feedback

INTRODUCTION

ILM 2007 FP1 SP1 includes all the previous updates that were released for ILM 2007 FP1. These updates are described in the following Microsoft Knowledge Base (KB) articles:

946797
(http://support.microsoft.com/kb/946797/ )
A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
952308
(http://support.microsoft.com/kb/952308/ )
A hotfix rollup package (build 3.3.1051.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
952327
(http://support.microsoft.com/kb/952327/ )
A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
957181
(http://support.microsoft.com/kb/957181/ )
A hotfix rollup package (build 03.03.1080.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
960765
(http://support.microsoft.com/kb/960765/ )
A hotfix rollup package (build 3.3.1101.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
969742
(http://support.microsoft.com/kb/969742/ )
A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1
972757
(http://support.microsoft.com/kb/972757/ )
A hotfix rollup package (build 3.3.1132.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

ILM 2007 FP1 SP1 also resolves some issues and provides features that were not previously documented in a KB article. For more information about these issues and features, see the "More information" section.

Back to the top | Give Feedback

MORE INFORMATION

Service pack information

Prerequisites

To apply this service pack, you must be running ILM 2007 FP1 build 3.3.0118.0 or a later version.

Note Unlike previous hotfix rollup packages, you do not have to uninstall earlier versions of ILM before you install this service pack if you installed a version of ILM 2007 that is earlier than 3.3.1087.2.

Restart requirement

You do not have to restart the computer after you apply this service pack.

Service pack replacement information

This service pack includes all previous hotfixes for ILM 2007 FP1.

Important Installation Information

If you are installing this service pack on a Windows Server 2003 server or on a Windows Server 2008 server, make sure to follow these steps:

Run the graphical user interface (GUI) mode setup because Silent mode setup is not supported.
Contact Microsoft Technical Support if you encounter the following situation. On a Windows Server 2003 server that is running Internet Information Services (IIS) 6, you cancel the major upgrade before it is completed. This behavior leaves the product in an undefined state.
On a Windows Server 2008 server that is running IIS 7, follow these steps to perform a successful installation:
1. Before you run the Setup program, create a backup of IIS configurations by using the following command:
  %windir%\\system32\\inetsrv\\appcmd.exe add backup “FIM CM Setup Backup”
2. Run the SP1 setup.
3. Restore the IIS configurations by using the following command:
  %windir%\\system32\\inetsrv\\appcmd.exe restore backup “FIM CM Setup Backup”

File information

The English version of this service pack has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For Certificate Lifecycle Manager (CLM)

Collapse this tableExpand this table

File name	File version	File size	Date	Time
Clm_2007_fp1_sp1_bulkclient_full_kb977791.msi	Not Applicable	7,576,064	30-Dec-2009	11:50
Clm_2007_fp1_sp1_client_full_kb977791.msi	Not Applicable	3,682,816	30-Dec-2009	11:50
Clm_2007_fp1_sp1_full_kb977791.msi	Not Applicable	19,443,200	30-Dec-2009	11:50

For Identity Lifecycle Manager (ILM)

Collapse this tableExpand this table

File name	File version	File size	Date	Time
Ilm_2007_fp1_sp1_ent_kb977791.msi	Not Applicable	9,349,632	30-Dec-2009	11:41
Ilm_2007_fp1_sp1_msdn_kb977791.msi	Not Applicable	9,336,832	30-Dec-2009	11:41

Issues and features that relate to the ILM Certificate Management component (previously named CLM)

Issue 1

You use the Unblock a user’s smartcard link or the Find a smart card link on the Web site for managing Certificate Lifecycle Manager (CLM). In this situation, you receive the following error message on the browser page:

An operations error occurred

Additionally, you find the following exception information in the CLM log file:

Binding to directory entry. Provider:
		  Ldap, Server/Domain: ,
		  Path: CN=Profile Templates,CN=Public Key
		  Services,CN=Services,CN=Configuration,DC=MyDomain,DC=customer,DC=com
General Information 
*********************************************
Additional Info:
Error loading all profile templates.  Container path: CN=Profile
		  Templates,CN=Public Key
		  Services,CN=Services,CN=Configuration,DC=MyDomain,DC=customer,DC=com

1) Exception Information
*********************************************
Exception Type: System.DirectoryServices.DirectoryServicesCOMException
ExtendedError: 1244
ExtendedErrorMessage: 000004DC: LdapErr: DSID-0C0906DD, comment: In order to
		  perform this operation a successful bind must be completed on the
		  connection.

Issue 2

You try to delete an existing approver or initiator from a profile template workflow. In this situation, you receive the following error message on the browser page:

The security ID structure is invalid. (Exception from HRESULT: 0x80070539)
Technical Details
Type: System.Runtime.InteropServices.COMException
Source: Microsoft.Clm.Interop.activeds
Stack Trace: at Microsoft.Clm.Interop.activeds.ADsSecurityUtilityClass.ConvertSecurityDescriptor(Object varSD, Int32 lDataFormat, Int32 lOutFormat) at Microsoft.Clm.BusinessLayer.SecurityDescriptor.get_SdString() at Microsoft.Clm.Web.ProfileManagementBasePage.RemovePrincipalByName(AuthorizedUser authorizedUser, String principalName)

Issue 3

A profile template is configured to distribute a one-time password in an e-mail message to the manager of the subscriber. In this situation, you receive the following error message on the browser page:

Unable to distribute one-time secrets. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Additionally, you find the following exception information in the CLM log file:

Data: System.Collections.ListDictionaryInternal
TargetSite: Void InitEx(Int32, System.String, System.String, System.String, System.String)
HelpLink: NULL
Source: Microsoft.Clm.Interop.activeds

Stack Trace: at Microsoft.Clm.Interop.activeds.NameTranslateClass.InitEx(Int32 lnSetType, String bstrADsPath, String bstrUserID, String bstrDomain, String bstrPassword)

Causes of issues 1, 2, and 3

Certain CLM operations call COM interfaces that contact the Active Directory directory services. When the CLM operations call these interfaces, CLM impersonates the clmAuthAgent account. These issues occur when CLM cannot impersonate the clmAuthAgent account.

Issue 4

You have a 32-bit CLM client installed on a 64-bit computer that is running Windows Vista. When you try to perform certain operations on a smartcard, you receive the following error message. For example, you receive this error message when you try to perform the PIN Reset operation or the Unblock operation.

CLM has encountered an error while trying to change Smart Card PIN.CLM Self Service Control is not installed, please contact your Administrator. Additional error information: Automation server can’t create object.

Feature 1

The ClmUtil command adds a markexternal option to mark a certificate as "external." The following is the syntax of the markexternal option: ClmUtil.exe -markexternal -caname <DNS Name of CA Server\CA Name> -certificatehash <certificate hash>
Note You can use the certutil –cainfo command to retrieve both the Domain Name System (DNS) name of the certification authority (CA) server and the CA name. The DNS name and the CA name in the ClmUtil command are case-sensitive.

Feature that relates to the ILM Synchronization component (previously known as MIIS)

ILM 2007 FP1 SP1 now supports provisioning for Microsoft Exchange Server 2010.

You can use the GALSync management agent or a customized Active Directory management agent to perform provisioning for Exchange Server 2010. To use this feature, the following conditions must be true:

The ILM 2007 Synchronization service account must be a domain account.
The ILM 2007 Synchronization server must be joined to a domain. However, the server does not have to be joined to the domain in which the provisioning occurs.
PowerShell 2.0 must be installed on the ILM server. Additionally, PowerShell 2.0 must be installed and configured for remote access on Exchange Server 2010 Client Access Server (CAS).

For more information about how to use the GALSync management agent to perform provisioning for Exchange Server 2010, visit the following Microsoft TechNet Web site:

Provision GALSync management agent for Exchange Server 2010

(http://technet.microsoft.com/en-us/library/aa998597.aspx)

To perform provisioning of mailboxes for Exchange Server 2010, use the code that calls the ExchangeUtils.CreateMailbox method or another custom code. Make sure that you add the msExchHomeServerName attribute into the provisioning code to create a mailbox.

Note Exchange Server 2010 uses the attribute to determine the source of mail for the mailbox.

Back to the top | Give Feedback