Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
To apply this hotfix, you must have Forefront Identity Manager (FIM) 2010 installed.
Registry information
To use the hotfix, you do not have to change the registry.
Restart requirement
You must restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
File name | File version | File size | Date | Time
Component update file information
Component update packages
The following table contains the component update packages that are available for download.
FIM 2010 Add-ins and Extensions | FIMAddinsExtensions_x86_KB2028634.msp
FIM 2010 Add-ins and Extensions Language Pack | FIMAddinsExtensionsLP_x86_KB2028634.msp
FIM 2010 Certificate Management | FIMCM_x64_KB2028634.msp
FIM 2010 Certificate Management Bulk Issuance |
FIM 2010 Certificate Management Client | FIMCMClient_x86_KB2028634.msp
FIM 2010 Service and Portal | FIMService_x64_KB2028634.msp
FIM 2010 Service Portal Language Pack | FIMServiceLP_x64_KB2028634.msp
FIM 2010 Synchronization Service | FIMSyncService_x64_KB2028634.msp
FIM 2010 Password Change Notification Service | FIMPCNS_x86_KB2028634.msp
Fixed issues in Certificate Management
The FIM 2010 Certificate Management (CM) auto-enroll policy module cannot be used with a clustered CA when database replication is enabled.
This issue occurs because the database connection is encrypted by using the Data Protection API (DPAPI). When the database is replicated to another node, the encrypted connection information cannot be decrypted on that node.
Fixed issues in Declarative Provisioning
Fixed issues in Sync Engine
This hotfix changes the behavior so that warnings do not count against the error limit.
Issue 2
A Sun ONE Directory server may write its delta change log inconsistently. The Sync Engine detects this state and reports the "stopped-change-log-out-of-order" error. A full import is then required before a delta import can be run again on the Sun ONE Management Agent (MA).
Issue 3
The Active Directory Management Agent (AD MA) incorrectly reports "success" for a newly provisioned user whose password does not meet the password policy. This causes an "exported-change-not-reimported" warning during the next import, because Active Directory correctly disables the user.
Issue 4
If you have a CaseSensitiveString attribute in Active Directory, the attribute type is not correctly detected and cannot be configured in Declarative Provisioning.
Issue 5
When you try to create a new eDirectory MA that connects to eDirectory 8.8, you receive the following error message:
Issue 6
When a calculated group that has static members added because of a misconfiguration is imported from the FIM Service MA, the Sync Engine crashes, and a placeholder takeover occurs without any object type being set.
Issue 7
The AD MA does not have a check box to unlock an account when a password is synchronized.
Issue 8
GALSync cannot recognize the new Exchange Dynamic Distribution List type.
Issue 9
When you search for an object in the connector space of an export-only ECMA, you receive the following error message:
Issue 10
If you configure synchronization rules and then set dependencies between them after the initial configuration, configuration from before the dependency was set can still be applied, and objects are disconnected as a result.
After you apply this hotfix, the Synchronization Service no longer processes the settings from before the dependency was set.
Issue 11
The FIM MA cannot be created when metaverse attributes have a hyphen character (-) in their names and the database was upgraded from Identity Lifecycle Manager (ILM) 2007 or Microsoft Identity Integration Server (MIIS) 2003 Service Pack 2 (SP2).
Issue 12
The Exchange Server 2010 PowerShell cmdlets cause the FIM Sync Service to crash when the cmdlets time out.
To prevent external applications from destabilizing the FIM Sync Service, the cmdlets run in a separate process after you apply the hotfix.
Issue 13
When you define scoping filters by using declarative provisioning, the filter always evaluates to "false" if an attribute value is missing. This makes it difficult to construct filters that use "not" clauses to catch bad data.
After you apply the hotfix, an attribute that contains no value (null) is evaluated as if it were an empty string.
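The two evaluation rules described above, as an added example that is not code from the hotfix or from FIM itself: a small model of a scoping filter run over constructed connector-space objects, showing why a "not" clause cannot catch a missing attribute before the hotfix and does afterwards (the operator names and the AND semantics across clauses are assumptions).

```python
# Added example, not code from the KB article: a minimal model of how a
# declarative-provisioning scoping filter treats a missing attribute value
# before (null -> clause is false) and after (null -> "") this hotfix.
from typing import Any, Dict, List, Optional, Tuple

Clause = Tuple[str, str, str]   # (attribute, operator, operand); operator names assumed


def eval_clause(value: Optional[str], op: str, operand: str, null_as_empty: bool) -> bool:
    """Evaluate one clause against an attribute value that may be absent (None)."""
    if value is None:
        if not null_as_empty:
            return False          # pre-hotfix: a missing attribute makes the clause false
        value = ""                # post-hotfix: null behaves like an empty string
    if op == "equals":
        return value == operand
    if op == "not-equals":
        return value != operand
    if op == "starts-with":
        return value.startswith(operand)
    if op == "not-starts-with":
        return not value.startswith(operand)
    raise ValueError(f"unknown operator {op!r}")


def in_scope(obj: Dict[str, Any], clauses: List[Clause], null_as_empty: bool) -> bool:
    """An object is in scope only when every clause holds (AND semantics, assumed)."""
    return all(eval_clause(obj.get(attr), op, operand, null_as_empty)
               for attr, op, operand in clauses)


def scoped_accounts(objects: List[Dict[str, Any]], clauses: List[Clause],
                    null_as_empty: bool) -> List[str]:
    """Return the account names that the filter puts in scope."""
    return [o["accountName"] for o in objects if in_scope(o, clauses, null_as_empty)]


# Constructed sample connector-space objects; "department" is missing on one of them.
SAMPLE_OBJECTS: List[Dict[str, Any]] = [
    {"accountName": "asmith", "department": "Sales"},
    {"accountName": "bjones", "department": "Contractor"},
    {"accountName": "cdoe"},          # bad data: no department at all
]
# A filter meant to catch every object that is not a properly tagged contractor.
NOT_CONTRACTOR: List[Clause] = [("department", "not-equals", "Contractor")]

if __name__ == "__main__":
    print("before hotfix:", scoped_accounts(SAMPLE_OBJECTS, NOT_CONTRACTOR, False))  # cdoe slips through
    print("after hotfix: ", scoped_accounts(SAMPLE_OBJECTS, NOT_CONTRACTOR, True))   # cdoe is caught
```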
Fixed issues in Workflow Engine
Issue 2
When you create an object that depends on one or more other objects, the Configuration Migration tool may not map the references to objects in the target system.
Features in Sync Engine
For more information about these PowerShell cmdlets, visit the following Microsoft Website:
Feature 2
The hotfix improves performance when an object is joined to several management agents, by an average of 10% for five management agents.
Feature 3
To import from Active Directory, the account used by the AD MA must have been granted the DirSync permission. If you have at least one Windows Server 2003 domain controller that you can target, you can use a new feature that relies on the regular access control lists (ACLs) in Active Directory and does not require the DirSync permission. When the ADMAUseACLSecurity registry key is set, the AD MA uses AD ACLs instead.
For more information about the registry settings for FIM 2010, visit the following Microsoft TechNet website:
If you set the ADMAUseACLSecurity registry key, make sure that the account used by the AD MA has read permission on all locations that it imports from. By default, a regular user has read permission on all objects except deleted objects. Any object that can no longer be read is treated as a deleted object, so a missing read permission looks like a deletion to the AD MA.
Feature 4
Assume that you are developing a call-based extensible connectivity management agent (ECMA). You expect the MA to keep exporting the same change until the change is confirmed by an import. However, when the target of the data is unreliable, the data might not be committed successfully even though the call returns success. You notice this during a delta import, when the information that you read back is not what you sent.
To enable this behavior on the ECMA, set the ECMAAlwaysExportUnconfirmed registry key. For more information about the registry key, visit the following Microsoft TechNet website: