Introduction
A hotfix rollup package (build 4.1.3613.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2 Service Pack 1 (SP1). This hotfix rollup resolves some issues and adds some features that are described in the "More Information" section.
Update information
A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.
Microsoft Support
If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Additionally, you can obtain the update from Microsoft Update or from Microsoft Update Catalog.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: http://support.microsoft.com/contactus/?ws=support
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Known issues in this update
Synchronization Service
After you install this update, rule extensions and custom management agents that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may generate a run status of "stopped-extension-dll-load." This issue occurs when you run such rule extensions or custom management agents after you change the configuration file (.config) for one of the following processes:
- MIIServer.exe
- Mmsscrpt.exe
- Dllhost.exe
For example, assume that you edited the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service management agent. To avoid deleting your previous changes in this situation, the synchronization engine installer for this update does not replace the configuration file. Because the configuration file is not replaced, entries that are required by this update are not present in the files, and the synchronization engine does not load any rule extension DLL files when the engine runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:
1. Make a backup copy of the MIIServer.exe.config file.
2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the contents of the <dependentAssembly> section with the following:
    <dependentAssembly>
      <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
      <bindingRedirect oldVersion="3.3.0.0-4.1.3.0" newVersion="4.1.4.0" />
    </dependentAssembly>
4. Save the changes to the file.
5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config file in the parent directory. Repeat steps 1–4 for these two files.
6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
7. Verify that the rule extensions and custom management agents now work as expected.
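The check behind the steps above, as an added example that is not part of the original article and is not Microsoft's code: the hypothetical functions `Test-FimBindingRedirect` and `Get-FimConfigStatus` report whether each of the three .config files carries the binding redirect given in the procedure. It assumes Windows PowerShell 3.0 or later; `$BinDir` (the directory that holds MIIServer.exe.config) is supplied by the caller, and the sample XML, including its namespace and old redirect values, is constructed for illustration.

```powershell
# Added example, not Microsoft's code; function names are hypothetical.
function Test-FimBindingRedirect {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [string] $Assembly   = 'Microsoft.MetadirectoryServicesEx',
        [string] $OldVersion = '3.3.0.0-4.1.3.0',
        [string] $NewVersion = '4.1.4.0'
    )
    # local-name() matches with or without an XML namespace on the elements.
    foreach ($dep in $Config.SelectNodes("//*[local-name()='dependentAssembly']")) {
        $id  = $dep.SelectSingleNode("*[local-name()='assemblyIdentity']")
        $red = $dep.SelectSingleNode("*[local-name()='bindingRedirect']")
        if ($null -ne $id -and $null -ne $red -and
            $id.GetAttribute('name') -eq $Assembly -and
            $red.GetAttribute('oldVersion') -eq $OldVersion -and
            $red.GetAttribute('newVersion') -eq $NewVersion) { return $true }
    }
    return $false
}

function Get-FimConfigStatus {
    # $BinDir: the directory that holds MIIServer.exe.config (set per install).
    param([Parameter(Mandatory = $true)] [string] $BinDir)
    $files = @(
        (Join-Path $BinDir 'MIIServer.exe.config'),
        (Join-Path $BinDir 'Mmsscrpt.exe.config'),
        (Join-Path (Split-Path $BinDir -Parent) 'Dllhost.exe.config')
    )
    foreach ($f in $files) {
        $exists = Test-Path -LiteralPath $f
        $ok = $exists -and
              (Test-FimBindingRedirect ([xml](Get-Content -LiteralPath $f -Raw)))
        [pscustomobject]@{ File = $f; Exists = $exists; RedirectPresent = $ok }
    }
}

# Constructed sample: a config the installer left untouched (old values made up),
# and the same file after the edit described in the procedure.
$stale = @'
<configuration><runtime><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
  <dependentAssembly>
    <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
    <bindingRedirect oldVersion="3.3.0.0-4.1.0.0" newVersion="4.1.3.0" />
  </dependentAssembly>
</assemblyBinding></runtime></configuration>
'@
$fixed = $stale -replace 'oldVersion="[^"]*" newVersion="[^"]*"', 'oldVersion="3.3.0.0-4.1.3.0" newVersion="4.1.4.0"'
[pscustomobject]@{ Stale = (Test-FimBindingRedirect $stale); Fixed = (Test-FimBindingRedirect $fixed) }
```

On a server, `Get-FimConfigStatus -BinDir <directory>` lists the three files; any row where RedirectPresent is false still needs the edit before the service is restarted.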
FIM Reporting
If you install FIM Reporting on a new server that has Microsoft System Center 2012 Service Manager SP1 installed, follow these steps:
1. Install the FIM 2010 R2 SP1 FIMService component. To do this, clear the Reporting check box.
2. Install this hotfix rollup to upgrade the FIM Service to build 4.1.3599.0.
3. Run the change-mode installation for the FIM Service, and then add Reporting.
If reporting is enabled and the change-mode installation is run for FIM Service and Portal, you must re-enable reporting. To do this in the FIM Identity Management Portal, follow these steps:
1. On the Administration menu, click All Resources.
2. Under All Resources, click System Configuration Settings.
3. Click the System Configuration Settings object, and then open the Properties of this object.
4. Click Extended Attributes, and then select the Reporting Logging Enabled check box.
5. Click OK, and then click Submit to save the change.
Prerequisites
To apply this update, you must have Forefront Identity Manager 2010 R2 SP1 (build 4.1.3419.0 or a later build) installed.
For BHOLD deployments, you must have hotfix rollup package 2934816 (build 4.1.3510.0) installed to apply this update.
Restart requirement
You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_kb2980295.msp) package. You may also have to restart the server components.
Replacement information
This update replaces the following updates:
- 2980295 Hotfix rollup package (build 4.1.3599.0) is available for Forefront Identity Manager 2010 R2 SP1
- 2969673 A hotfix rollup (build 4.1.3559.0) is available for Forefront Identity Manager 2010 R2
- 2934816 A hotfix rollup package (build 4.1.3510.0) is available for Forefront Identity Manager 2010 R2
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.
BHOLD Attestation
Issue 1
Symptoms: When a steward is added to an in-progress campaign, the steward receives the "New entries for Steward" email.
Changes after the fix: When a steward is added to an in-progress campaign, the steward receives the "Instance Start" email.
BHOLD Core
Issue 1
Symptoms: When a user has conflicting ABA roles, and the user’s "EndDate" field is changed through the BHOLD Core UI, the user may be assigned an incorrect role.
Changes after the fix: Changing the user’s "EndDate" field does not affect any other ABA role attributes.
BHOLD Core and FIM provisioning
Issue 1
When you use the Access Management Connector, and an import is performed immediately following an export that caused ABA role membership changes, the import may indicate that users have fewer permissions than are assigned by either their previous or new role memberships.
After you install this fix: If an import is performed immediately following an export that caused ABA role membership changes, the import indicates that users have the permissions assigned by either their previous or new role memberships. After queue processing is completed, the import indicates that users have the permissions that are assigned by their new role memberships.
Issue 2
In some deployments, deletion of multiple groups through the Access Management Connector is not successful if there are two or more pending exports.
After you install the fix, the deletion of multiple groups through the Access Management Connector is successful.
Issue 3
In some deployments, changes to OU objects that specify a new parent OU do not take effect when they are exported through the Access Management Connector.
After you install the fix: A Parent OU can be changed from root to any other OU through the Access Management Connector.
FIM Service and IdentityManagement Portal
Issue 1
Some text that is displayed in the FIM Portal and added to email templates always uses the English language. For example, this issue occurs in the Display Name of Approval objects.
After you install the fix: The string translation for objects that are created by the FIM Service in the FIM Service database is performed according to the FIM Service account locale that was in effect when the object was created. Note that this functionality is not affected by the client browser locale. To change the language that is used for string translation to a setting other than English, log on to each computer where the FIM Service is installed as the FIM Service account, and then set the locale for this account through Control Panel.
Issue 2
Creating synchronization rules in the FIM IdentityManagement Portal fails to load connected system object types in the External System Resource Type drop-down list. This behavior may occur if the size of the connector instance definition (ma-data) is larger than the 14 MB default WCF message size limit in the ResourceManagementClient configuration. This size is configured by using the maxReceivedMessageSizeInBytes property of the ResourceManagementClient. Before you apply this fix, maxReceivedMessageSizeInBytes values that are configured in the web.config for the IdentityManagement Portal are ignored in favor of the default setting. After you apply this fix, the maxReceivedMessageSizeInBytes setting is applied. Note that this setting is case-sensitive. For more information about this setting, go to the following Microsoft website: Registry keys and configuration file settings in FIM 2010
FIM Certificate Management
Issue 1
Online certificate updates are failing because of a constraint violation.
Issue 2
The FIM Certificate Management (CM) exit module does not honor the CT_FLAG_DONOTPERSISTINDB flag on a certificate. This may cause many certificates to be written to the FIM CM database. This, in turn, causes performance issues.
After you install this fix, the FIM CM exit module honors the CT_FLAG_DONOTPERSISTINDB flag on certificates, and those certificates are not written to the FIM CM database.
FIM Clients (Portal, Outlook, Windows logon)
Issue 1
After you install the FIM Windows logon extension, and then you (or a user) try to log on to the computer through a remote desktop, you must enter your credentials two times.
After you apply the fix, remote desktop logons work as expected.
Synchronization Service
Issue 1
The Synchronization Service crashes during an Export run profile run on a SQL Server management agent.
Issue 2
When you run a Delta Import on the FIM Service management agent, the MIIServer.exe process terminates with a CLR_EXCEPTION_SYSTEM.APPDOMAINUNLOADEDEXCEPTION exception.
After you install this fix, the race condition that triggers this exception no longer occurs.
Issue 3
If a synchronization rule uses the NULL() function in an incoming attribute flow rule, returning NULL() is seen as a value instead of being blank, and attribute precedence does not continue to the next precedent incoming attribute flow.
After you apply this fix, attribute flow precedence on incoming attribute flow rules that use the NULL() function works as expected.
Password Change Notification Service (PCNS)
Issue 1
The following error message is logged:
6914 The connection from a password notification source failed because it is not a Domain Controller service account.
After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID.
File information
Hotfix release build numbers
Component | Build number |
---|---|
Forefront Identity Manager | 4.1.3613.0 |
BHOLD | 5.0.2836.0 |
Access Management Connector | 5.0.2836.0 |
File attributes
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Name | Date | Time | Size (Bytes) |
---|---|---|---|
AccessManagementConnector.msi | 11/14/14 | 13:17 | 671744 |
BholdAnalytics 5.0.2836.0_Release.msi | 11/14/14 | 13:05 | 2703360 |
BholdAttestation 5.0.2836.0_Release.msi | 11/14/14 | 13:53 | 3211264 |
BholdCore 5.0.2836.0_Release.msi | 11/14/14 | 12:54 | 5017600 |
BholdFIMIntegration 5.0.2836.0_Release.msi | 11/14/14 | 13:29 | 3530752 |
BholdModelGenerator 5.0.2836.0_Release.msi | 11/14/14 | 14:05 | 3256320 |
BholdReporting 5.0.2836.0_Release.msi | 11/14/14 | 13:41 | 1990656 |
FIMAddinsExtensionsLP_x64_KB3011057.msp | 11/11/14 | 6:15 | 3929088 |
FIMAddinsExtensionsLP_x86_KB3011057.msp | 11/11/14 | 6:05 | 1593344 |
FIMAddinsExtensions_x64_KB3011057.msp | 11/11/14 | 6:15 | 5206528 |
FIMAddinsExtensions_x86_KB3011057.msp | 11/11/14 | 6:05 | 4662784 |
FIMCMBulkClient_x86_KB3011057.msp | 11/11/14 | 6:05 | 9094656 |
FIMCMClient_x64_KB3011057.msp | 11/11/14 | 6:15 | 5575168 |
FIMCMClient_x86_KB3011057.msp | 11/11/14 | 6:05 | 5191168 |
FIMCM_x64_KB3011057.msp | 11/11/14 | 6:16 | 33455104 |
FIMCM_x86_KB3011057.msp | 11/11/14 | 6:05 | 33074176 |
FIMServiceLP_x64_KB3011057.msp | 11/11/14 | 6:15 | 12233728 |
FIMService_x64_KB3011057.msp | 11/11/14 | 6:16 | 31240192 |
FIMSyncService_x64_KB3011057.msp | 11/11/14 | 6:16 | 36235264 |