A hotfix rollup package (build 4.1.3496.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2. This hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section.
Update information
A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.
Microsoft Support
If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, you should contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, a hotfix is not available for that language.
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.
FIM Service and FIM Portal
Issue 1
When you create a custom solution in FIM 2010 R2, you may experience any of the following scenarios:
- Scenario 1: An authorization workflow could get stuck.
- Scenario 2: An authorization workflow could be executed again after a FIMService restart.
- Scenario 3: An authorization workflow parent request may not be set to expire.
These problems might occur if your solution has custom workflows that use the new FIM 2010 R2 feature that enables setting the ApplyAuthorizationPolicy property to True (the default value is False) on the following built-in building-block activities:
Changes to stored procedures in the FIMService database resolve scenarios 2 and 3.
To resolve scenario 1, an additional AuthorizationWaitTimeInSeconds property was added to built-in building-block activities that enables the activity to set how long the request processor should wait for authorization before it throws an AuthorizationRequiredFault error. We recommend that you set this value to 0 (zero) or a larger value.
New feature 1
By using a new configuration option, you can now hide the Advanced Search link in the FIM Portal.
To enable the configuration and remove the Advanced Search link, follow these steps:
- In Administration, click Schema Management, and then click All Attributes.
- Create a new Boolean attribute that is named "HideAdvancedSearchLink."
- In All Bindings, create a new binding for the HideAdvancedSearchLink attribute to the Portal Configuration resource, and then click Finish to save the binding.
- Create a new Management Policy Rule (MPR) to allow for changes to the new binding in the portal configuration. To do this, use the following configuration for the new MPR:
  - Display Name: Administrators can modify the HideAdvancedSearchLink attribute in the Portal Configuration resource
  - Specific Set of Requestors: All Administrators
  - Operation: Modify a single-valued attribute
  - Permissions: Grants permission
  - Target Resource Definition Before Request: All Basic Configuration Objects
  - Target Resource Definition After Request: All Basic Configuration Objects
  - Resource Attributes: Select specific attributes: HideAdvancedSearchLink
- Reset Internet Information Services (IIS), and then restart the FIM service.
- In Administration, click Portal Configuration, and then click Extended Attributes. You should see the HideAdvancedSearchLink attribute together with the other extended attributes.
- Click to select the HideAdvancedSearchLink check box, and then click Submit to enable the hiding of the Advanced Search link.
- Verify that the Advanced Search link is not available in the list views. For example, check the following list views:
  - My DGs
  - My DG Memberships
  - Management Policy Rules
FIM Synchronization Service
Issue 1
During an export on the FIM Service management agent (MA), the FIM Synchronization Service or the FIM Service may be stopped. In this case, the Synchronization Service may be unable to complete the export on a retry, and you receive the following error message:
The operation failed because the attribute cannot be found.
Issue 2
In certain scenarios, the FIM Service MA may return the following error message:
This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.
Issue 3
In rare cases, an import could receive a staging error because of duplicate references in the connector space.
Issue 4
In rare cases, an import could receive a staging error because an object was moved in the connected directory.
Issue 5
An Extensible Connectivity 2.0 Management Agent (ECMA 2.0) connector could end up in an infinite loop. This problem may occur when the capability flag is set not to export references in the first pass. In this case, an object that has no reference attributes cannot export an attribute. This problem affects the Microsoft Azure Active Directory connector that is provided by Microsoft.
Issue 6
In ECMA 2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA 2.0 could not export and therefore caused a staging error on the next import and synchronization.
Article ID: 2906832 - Last Review: Jun 20, 2014 - Revision: 1