A hotfix rollup package (build 188.8.131.52) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 1 (SP1). This rollup package resolves some issues and adds some improvements that are described in the "Issues fixed and improvements added in this update" section.
Known issues in this update
Note The MIM Synchronization Service and MIM Service MSP (installers) have been temporarily removed while we investigate an issue with the upgrade process for this hotfix rollup package. More information will be available shortly.
After you install this update, rules extensions and custom management agents (MAs) based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may cause a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:
For example, you edit the MIIServer.exe.config file to change the default batch size for processing sync entries for the Forefront Identity Manager (FIM) Service MA. In this situation, the synchronization engine installer for this update can't replace the configuration file to avoid deleting your previous changes. This is because if the configuration file is not replaced, entries that are required by this update are not present in the files. Therefore, the synchronization engine does not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:
- Make a backup copy for the MIIServer.exe.config file.
- Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
- Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following content:
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="184.108.40.206-220.127.116.11" newVersion="18.104.22.168" />
- Save the changes to the file.
- Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these two files.
- Restart the Forefront Identity Manager Synchronization Service (FIM Synchronization Service).
- Verify that the rules extensions and custom management agents now work as expected.
Service and Portal Setup
The 2013 x64 Visual C++ Redistributable Packages (vcresist_x64.exe) must be installed before you run MIM Service and Portal Setup.
Note There is a problem with the Windows Installer package. A DLL required for this installation to complete could not be run. Contact your support personnel or package vendor.
To resolve this issue:
Download the Visual C++ Redistributable Package (vcredist_x64.exe) from the following Windows Download Center link.
Identity Management Portal
After you install this update, the Portal may not be displayed as expected in Internet Explorer. To resolve this issue, follow these steps:
- Close all Internet Explorer instances.
- Open the Internet Options control panel.
- Delete all history and cached files.
If this issue persists, make sure that the version of Internet Explorer is 11 or a later version. If you are running versions that are earlier than 11, there may be display inconsistencies when compared to the Portal that is displayed in version 11.
Certificate Management REST API
After upgrading MIM Certificate Management to this version, using the REST API against MIM Certificate Management causes the following exception.
Exception Type: System.IO.FileLoadException
Message: Could not load file or assembly 'Newtonsoft.Json, Version=22.214.171.124, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
FileName: Newtonsoft.Json, Version=126.96.36.199, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed
TargetSite: Void .ctor()
at System.Web.Http.HttpConfiguration..ctor(HttpRouteCollection routes)
To avoid this exception, add the following binding redirect information to the MIM Certificate Management web.config file. This should be placed directly above the </configuration> tag.
Make sure that you create a backup of the web.config file before you install this update.
<bindingRedirect oldVersion="0.0.0.0-188.8.131.52" newVersion="184.108.40.206"/>
The web.config file for the Certificate Management Portal is located in the following path:
%programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\web
Microsoft Download Center
A supported update is available from the Microsoft Download Center. We recommend that all customers apply this update to their production systems.
To apply this update, you must have the following installed:
- Microsoft Identity Manager 2016 build 4.4.1302.0
- .NET Framework 4.6 for the following components:
- MIM Service
- MIM Portals (Identity Management, Password Reset, Password Registration)
- MIM PAM
- MIM add-ins and extensions
You must restart the computer after you apply the add-ins and extensions package (Fimaddinsextensions_xnn_KB4073679.msp). You may also have to restart the server components.
This is a cumulative update that replaces all MIM 2016 SP1 updates, from 4.4.1302.0 up to build 4.4.1749.0 for Microsoft Identity Manager 2016.
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
|File name||File version||File size||Date||Time|
|LANGUAGE Packs.zip||Not applicable||119,853,706||27-June-2018||13:50|
Issues fixed and improvements added in this update
This update makes the following fixes and improvements that were not previously documented in the Microsoft Knowledge Base.
Language Pack Improvements
Language pack improvements are added in this update. For more information, see the following documentation:
Support for Group Managed Service Accounts
This update includes support for Group Managed Service Accounts for the following components:
- MIM Synchronization service (FIM Synchronization Service)
- MIM Service (FIM Service)
- MIM Password Registration
- MIM Password Reset
- PAM Monitoring Service (Pam Monitoring Service)
- PAM Component Service (Privilege Management Component Service)
- MIM Portal (because this is part of the SharePoint environment and you would, therefore, have to deploy in farm mode and Configure automatic password change in SharePoint Server)
- All Management Agents
- Microsoft Certificate Management
For more information, see the following documentation:
MIM Synchronization Service
In the release of this update, support for the following versions of Visual Studio is added for creating of Rules Extensions:
- Visual Studio 2013
- Visual Studio 2015
- Visual Studio 2017
When refreshing the Partitions for a Management Agent (Connector) in the Synchronization Service Manager (MIISClient.exe) under certain circumstances, the refreshed information isn't saved as expected when the OK button is clicked.
In this update, the updated partition information saved as expected when you click Refresh and then click OK.
When indexing an Indexable String attribute in the Metaverse Designer, if the name of the attribute is too long, an unexpected error is returned.
In this update, a more descriptive error message is now returned.
Creating a Text File management agent when the MIM Synchronization Service is installed on Windows Server 2016, some text encoding options, including Unicode, are unavailable.
In this release, the MIM text file management agents are updated to correctly interact with Windows Server 2016 code page handling.
MIM Service Management Agent
When you run an Export run profile on a MIM Service management agent, if an export error message contains an invalid character, this causes corruption in the run history entries (MIISClient.exe Operations tab), and the connector space objects that contain this export error cannot be viewed in the MIIS Client.
In this update, the invalid characters are removed from the error message before you are saved to the connector space object and run history.
Password Change Notification Service (PCNS)
Under certain circumstances, the PCNS service crashes on a Target Add operation and the service does not restart.
In this update, this crash no longer occurs.
Service and Portal
The Export-FIMConfig PowerShell cmdlet doesn’t export PAM-related configuration objects. Therefore, an MIM Service configuration migration doesn’t include the PAM-related configuration objects.
After you install this update, the "-PamConfig" argument is available to force the PAM configuration objects to be exported.
Using the Export-FIMConfig PowerShell cmdlet to export recent request objects is very difficult because a custom filter expression must be written.
In this update, the "-request" parameter has been added for the Export-FIMConfig cmdlet.
There is no visual difference between NULL and False values for Boolean attributes in the Portal.
In this update, the following changes are made:
- New MIM Boolean attributes are now set to False when an object is created.
- New MIM Boolean attributes are now set to False when you add a new Boolean attribute binding to the resource.
Important In some environments, this change in behavior could break these processes. We recommend that you test this change in your environment.
After you select to join the Customer Experience Improvement Program when you first install the MIM Service, the installation of subsequent updates to the FIM Service disables the Customer Experience Improvement Program setting.
In this update, the Customer Experience Improvement Program setting is maintained, as expected.
Some Privileged Access Management objects that use unmanaged resources are not cleared on time.
After you install this update, these objects are correctly cleaned up.
If the MIM Service account's mailbox is hosted in Exchange Online (Office 365) and an update to the MIM Service is installed, then the encrypted password for the service mailbox becomes null.
Starting in this update, the encrypted password for the MIM Service’s Exchange Online mailbox is not changed.
There is no limit to the MIM Service log file created when dynamic logging is enabled.
In this update, logic is added to switch to another file if the size limit is reached. If the size limit of the second file is reached, logging overwrites the first file. The default size limit is 1 GB.
When you install the MIM Service and Portal, the installer returns the following exception:
There was a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.
The underlying problem occurs when you try to upgrade the FIMService database.
In this update, this problem no longer occurs.
Privileged Access Management
PAM PowerShell improvement
The following PAM-related PowerShell cmdlets are added to support the ability to add and remove members to and from a set:
PAM PRIV Password Expiration Notification
Currently, PAM doesn’t notify users when their PRIV password is about to expire. In this update, the "PwdExpirationDate" parameter is added to the PAM REST API session information.
Returning the PAM Session Information:
Approval Workflow Activity
The approval workflow activity has no way to disable self-approval. There are various scenariosin which you might want to configure an Approval activity to force approval from another approver if the request is from another approver.
In this update, the Approval workflow activity now has a Disable Self Approval check box in the activity property settings.
New-PAMRole PowerShell cmdlet
To support the ability to deny self-approval, the New-PAMRole cmdlet has a new argument to deny self-approval for the role.
Disable Auto ApproveIf Owner
The "Disable Auto Approval" attribute is also visible in the msidmPamRole object in the MIM Portal when the object is viewed in Advanced View.
Under certain circumstances, the following warning is entered in the Privileged Access Management (PAM) event log:
Exception: System.ObjectDisposedException: Cannot access a disposed object.
After you install this update, this warning no longer appears in the PAM event log.
When trying to change the PrivAccountName attribute by using the Set-PAMUser PowerShell cmdlet, the object is deleted instead of being updated in the current object.
In this update, the Set-PAMUser cmdlet can change the PrivAccountName without issue.
The Get-PamRequest cmdlet has no filter for specifying recent requests.
In this update, the "-CreatedFrom" parameter is added to this cmdlet.
The New-PamRole cmdlet doesn’t ensure that the "Available To" date is greater than the "Available From" date.
In this update, the New-PamRole cmdlet now verifies that the "available to" date is greater than the "Available From" date.
The output from the Get-PAMRole cmdlet doesn’t display the "Available From" and "Available To" values
In this update, the "Available From" and "Available To" values are returned by the Get-PAMRole PowerShell cmdlet.
The Get-PamRequest cmdlet returns requests that don’t meet the filter criteria.
In this update, the Get-PamRequest cmdlet filter is now correctly applied
When running on Windows Server 2016, the Set-PamGroup cmdlet fails.
In this update, the Set-PamGroup cmdlet can now update the Active Directory shadow principal group object.
The Remove-PamUser cmdlet fails and returns an unclear error message if the user is linked to a Role as a candidate.
In this update, client-side validation is added to the cmdlet, and the exception message is clarified.
The Remove-PamUser PowerShell cmdlet fails and returns an unclear error message if the Role is linked to a Request.
In this update, client-side validation is added to the cmdlet, and the exception message is clarified.
When running the Change-Mode setup for the FIM Service and Portal, accounts for PAM are not exposed for configuration.
- PAM Rest API account
- PAM Component service account
- PAM Monitoring service account
In this update, the Change-Mode setup allows the above accounts to be reconfigured.
MIM Identity Management Portal
Starting in MIM build 4.4.1642.0, when you try to create a navigation bar item for a URL that is copied from an MIM Portal dialog boxes by using the clipboard icon at the top of the MIM Portal dialog box, the server name is now included in the relative URL. This requires the URL to be manually modified when the configuration is migrated from one MIM instance to another.
In this update, the relative URLs no longer include the server names.
When adding free text into an Identity Picker control, the control seems to dynamically grow its width rather than wrapping the text.
In this update, the control sizing is corrected.
In the MIM Identity Management Portal, popup dialog boxes aren’t displayed correctly when viewied in Internet Explorer 10.
In this update, the popup now displays as expected in Internet Explorer 10.
In the MIM Portal popup dialog boxes, Cyrillic symbols are not displayed correctly in the title bar.
In this update, the Cyrillic symbols in the title bar text are displayed correctly.
When creating a new Action workflow definition in the MIM Portal, if the "Import Workflow Definition" option is used, and an incorrect file type is specified, the attempt to add a Synchronization Rule activity to the workflow fails.
In this update, the failed "Import Workflow Definition" property throws an exception and recovers, allowing a Synchronization Rule activity to be added to the workflow definition.
Some dialog boxes in the MIM Identity Management Portal display a double scrollbar in Internet Explorer.
In this update, the Popup windows no longer have the extra scrollbar displayed when viewed in Internet Explorer.
Add-ins and extensions
When you try to install the MIM add-in for Outlook as part of the Office 365 Office 2016 installation, an exception is returned, and the installation fails and returns an error message that states that it can’t find the following file:
Microsoft.Vbe.Interop.Forms.dll version 220.127.116.11
In this update, the MIM Add-in for Outlook includes a copy of the missing Outlook interop binaries.
Self-Service Password Reset
When you try to reset a password through Self-Service Password Reset, if the Distinguished Name of the user object whose password is being reset includes a forward slash character, the password reset operation fails. In this update, special characters in the Distinguished Name no longer prevent Self-Service Password Reset from resetting the user's password in the Active Directory.
The Self-Service Password Reset Language Pack has some sentences that are not correctly localized on the Question and Answer dialog boxes for the Question and Answer Gate. In this update, the sentences are correctly localized in the display.
When renewing a virtual smart card through the MIM CM Modern App, the user receives a Forbidden exception. This problem also occurs if the custom REST API solutions tries to renew a virtual smart card. In this update, the issue is corrected.
The Reset Smartcard PIN tool fails and returns the following error message:
"CLM has encountered an error while trying to change Smart Card PIN. Wrong number of Arguments or Invalid Property Assignment."
In this update, this issue is corrected.
When you try to install an update to the MIM Certificate Authority Modules from 4.4.1302.0 to a build that is later than 4.4.1459, the setup fails.
In this update, the setup is now able to finish successfully in this scenario.
When you use the Modern App for Renew, Enroll, and Replace operations, the request history doesn’t contain all request status items as are recorded when doing the same operation through the CertificateManagement Portal (for example, "Install Certificate").
In this update, all stages of the request are now recorded in the request history.
MIM Certificate Management (CM) Online Update doesn’t finish, and it and returns a "Record has been updated or deleted by another user" exception. This is because the Online Update tried to delete the same certificate multiple times.
In this update, the CM online Update no longer experiences this problem.
When downloading a certificate for a user by using the "Download Certificate" link in the Certificate Management Portal, the certificate download (.cer file) is too large and doesn't include the Begin Certificate and End Certificate lines.
In this update, this operation downloads the certificate as expected.
Errors are not thrown from the Microsoft.Clm.Config code, masking many possible problems.
The exception handling code is updated to improve error reporting in MIM Certificate Management.
Certificate Management Bulk Client
In this update, the MIM Certificate Management Bulk Client works with both TLS 1.1 and TLS 1.2.