A hotfix rollup package (build 4.5.412.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 1 (SP1). This rollup package resolves some issues and adds some improvements that are described in the "Issues fixed and improvements added in this update" section.
Known issues in this update
Groups Management Issue
When you open a group that has no displayed owner populated in the MIM portal, a popup is raised and you receive the following error message:
Please select a displayed owner among the owners above.
After you close the popup, the window freezes at the Loading status and you cannot manage groups any longer.
After you install this update, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may cause a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:
For example, you edit the MIIServer.exe.config file to change the default batch size for processing sync entries for the Forefront Identity Manager (FIM) Service MA. In this situation, the synchronization engine installer for this update doesn't replace the configuration file, so that your previous changes aren't lost. However, because the file isn't replaced, it lacks entries that this update requires. Therefore, the synchronization engine does not load any rules extension DLLs when it runs a Full Import or Delta Sync run profile.
To fix this issue, follow these steps:
- Back up the MIIServer.exe.config file.
- Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
- Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following content:
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="126.96.36.199-188.8.131.52" newVersion="184.108.40.206" />
- Save the changes to the file.
- Find the Mmsscrpt.exe.config file in the same folder and the Dllhost.exe.config in the parent folder. Repeat steps 1 through 4 for these files.
- Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
- Verify that the rules extensions and custom management agents now work as expected.
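The following PowerShell script is an added example, not part of the KB article or the hotfix. It performs the steps above on all three configuration files: it backs each file up, locates the <dependentAssembly> entry for Microsoft.MetadirectoryServicesEx under <runtime>, writes the <bindingRedirect> attributes, saves the file, and restarts the Synchronization Service. It assumes the default Synchronization Service installation folder (the $SyncBin parameter) and takes the oldVersion and newVersion values from the <bindingRedirect> element quoted above as parameters rather than hard-coding them.

```powershell
# Added example, not part of the KB or the hotfix: applies the <bindingRedirect> fix to
# MIIServer.exe.config, Mmsscrpt.exe.config (same folder) and Dllhost.exe.config (parent folder),
# backing each file up first, then restarts FIMSynchronizationService.
# Assumptions: default Synchronization Service install path (adjust -SyncBin if different);
# -OldVersion and -NewVersion are the values from the <bindingRedirect> element in the KB text.
param(
    [Parameter(Mandatory)][string]$OldVersion,
    [Parameter(Mandatory)][string]$NewVersion,
    [string]$SyncBin = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'
)

$asmNs = 'urn:schemas-microsoft-com:asm.v1'   # namespace of <assemblyBinding> in .NET config files

function Set-MimBindingRedirect {
    param([string]$Path, [string]$OldVersion, [string]$NewVersion)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping, file not found: $Path"
        return $false
    }

    # Step 1: back up the file before touching it
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup

    # Steps 2-3: load the XML and find <runtime>/<assemblyBinding>/<dependentAssembly>
    # for Microsoft.MetadirectoryServicesEx
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
    $ns.AddNamespace('asm', $asmNs)
    $xpath = '/configuration/runtime/asm:assemblyBinding/asm:dependentAssembly' +
             "[asm:assemblyIdentity/@name='Microsoft.MetadirectoryServicesEx']"
    $dep = $cfg.SelectSingleNode($xpath, $ns)
    if ($null -eq $dep) {
        Write-Warning "No <dependentAssembly> for Microsoft.MetadirectoryServicesEx in $Path; edit it by hand"
        return $false
    }

    # Replace (or create) the <bindingRedirect> with the values from the KB
    $redirect = $dep.SelectSingleNode('asm:bindingRedirect', $ns)
    if ($null -eq $redirect) {
        $redirect = $cfg.CreateElement('bindingRedirect', $asmNs)
        [void]$dep.AppendChild($redirect)
    }
    $redirect.SetAttribute('oldVersion', $OldVersion)
    $redirect.SetAttribute('newVersion', $NewVersion)

    # Step 4: save the changes
    $cfg.Save($Path)
    Write-Host "Updated $Path (backup: $backup)"
    return $true
}

# Step 5: the same change for Mmsscrpt.exe.config (same folder) and Dllhost.exe.config (parent folder)
$files = @(
    (Join-Path $SyncBin 'MIIServer.exe.config'),
    (Join-Path $SyncBin 'Mmsscrpt.exe.config'),
    (Join-Path (Split-Path $SyncBin -Parent) 'Dllhost.exe.config')
)
$results = foreach ($f in $files) {
    Set-MimBindingRedirect -Path $f -OldVersion $OldVersion -NewVersion $NewVersion
}

# Steps 6-7: restart the service only if every file was updated, then show its status
if ($results -notcontains $false) {
    Restart-Service -Name FIMSynchronizationService -Force
    Get-Service -Name FIMSynchronizationService | Select-Object Name, Status
} else {
    Write-Warning 'Not restarting FIMSynchronizationService: one or more files were not updated'
}
```

Run it from an elevated PowerShell prompt on the synchronization server. A file that has no <dependentAssembly> entry for Microsoft.MetadirectoryServicesEx is reported and left untouched, and the service is not restarted in that case, so a half-applied fix is not masked by a clean-looking restart.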
Service Configuration File Update
After you install the MIM Service hotfix, the section of the Microsoft.ResourceManagement.Service.exe.config file that contains the .NET assembly binding redirects is overwritten. Entries for non-MIM DLLs must be re-added manually; for example, the MIM WAL library redirects are lost.
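Because the installer overwrites the binding-redirect section, the check below compares a pre-install copy of Microsoft.ResourceManagement.Service.exe.config with the file the installer wrote and lists every <dependentAssembly> whose assembly name is present in the backup but absent afterwards, so the dropped redirects (such as the MIM WAL ones) can be pasted back. This is an added example, not part of the KB article; it assumes the default MIM Service installation folder and that you kept a copy of the configuration file before installing the hotfix (passed as -Backup).

```powershell
# Added example, not part of the KB: report <dependentAssembly> binding redirects that existed
# in the pre-hotfix backup of Microsoft.ResourceManagement.Service.exe.config but are missing
# from the file the installer wrote. Assumptions: default MIM Service install path (-Current),
# and a backup of the config taken before the hotfix was installed (-Backup).
param(
    [Parameter(Mandatory)][string]$Backup,
    [string]$Current = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'
)

function Get-BindingRedirects {
    # Returns one object per <dependentAssembly>: assembly name, version range, target version, raw XML
    param([string]$Path)
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
    $ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')   # namespace of <assemblyBinding>
    foreach ($dep in $cfg.SelectNodes('/configuration/runtime/asm:assemblyBinding/asm:dependentAssembly', $ns)) {
        $id = $dep.SelectSingleNode('asm:assemblyIdentity', $ns)
        $rd = $dep.SelectSingleNode('asm:bindingRedirect', $ns)
        $old = ''; $new = ''
        if ($null -ne $rd) {
            $old = $rd.GetAttribute('oldVersion')
            $new = $rd.GetAttribute('newVersion')
        }
        [pscustomobject]@{
            Name       = $id.GetAttribute('name')
            OldVersion = $old
            NewVersion = $new
            Xml        = $dep.OuterXml
        }
    }
}

$before = Get-BindingRedirects -Path $Backup
$after  = Get-BindingRedirects -Path $Current
$afterNames = $after | ForEach-Object Name

# Redirects the installer dropped (typically non-MIM libraries such as MIM WAL)
$missing = @($before | Where-Object { $afterNames -notcontains $_.Name })

if ($missing.Count -eq 0) {
    Write-Host 'All binding redirects from the backup are present in the current file.'
} else {
    Write-Host "Redirects missing after the hotfix ($($missing.Count)); re-add these under <runtime>/<assemblyBinding>:"
    $missing | Format-Table Name, OldVersion, NewVersion -AutoSize
    # The original XML fragments, ready to paste back into the current file
    $missing | ForEach-Object { $_.Xml }
}
```

The comparison is by assembly name only, so an entry that the installer kept but rewrote with a different version range is not flagged; compare OldVersion and NewVersion in the table if you also need to confirm those.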
SSPR SMS Gateway with Azure MFA Server
MIM SSPR OTP SMS Gateway settings in Authentication workflow (OTP Token length and message text) are ignored by the Azure MFA on-premises server. The server has a hardcoded OTP token length of 6. Workflows fail if the OTP Token length is other than 6. To send a message text in a user-preferred language, you can create profiles for users in Azure MFA server, and update them outside of MIM.
Internet Explorer Support
In this update, the MIM Portal is updated to use the latest jQuery library.
Note If you are using a version of Internet Explorer that is earlier than version 11, popups may not work as expected in the MIM Portal.
After you install this update, clear the browser cache to force the reload of the cached JS libraries.
Service and Portal Setup
The 2013 x64 Visual C++ Redistributable Packages (vcredist_x64.exe) must be installed before you run MIM Service and Portal Setup.
Associated error message:
There is a problem with the Windows Installer package. A DLL required for this installation to complete could not be run. Contact your support personnel or package vendor.
Download the Visual C++ Redistributable Package (vcredist_x64.exe) from the following Windows Download Center link.
Identity Management Portal
After you install this update, the Portal may not be displayed as expected in Internet Explorer. To fix this issue, follow these steps:
- Close all Internet Explorer instances.
- Open the Internet Options item in Control Panel.
- Delete all browsing history and cached files.
If this issue persists, make sure that the version of Internet Explorer is 11 or a later version. If you are running versions that are earlier than 11, there may be display inconsistencies compared to the Portal that is displayed in version 11.
The jQuery library is updated to the latest version in MIM hotfix build 4.5.412.0. Internet Explorer versions 8 through 10 are no longer supported by the MIM Portal. If you are using Internet Explorer, we recommend that you update to version 11 for use together with the MIM Portal.
Synchronization Rule Update Issue
In MIM builds 4.5.286.0 and 4.5.412.0 (this update), outbound synchronization rules that are configured to use a scoping filter may experience a problem after a change is made to the MIM Service management agent instance.
When a synchronization is run, "sync-rule-validation-parsing-error" synchronization error messages are returned.
Steps to reproduce the issue:
- In the Synchronization Service Manager (MIISClient.exe), make a change to the configuration of the MIM Service management agent instance.
Note This can be any type of change: Attribute flow rules, filter rules, connection settings, and so on.
- Run a Delta Import and then run a Delta Synchronization on the MIM Service management agent.
The scoping filter-based synchronization rules will be updated to set all Boolean attributes to false, no matter what attribute value was previously set. This causes the sync-rule-validation-parsing-error exceptions to be returned.
To work around this problem after you make a change to the MIM Service management agent configuration, run a Full Import (Stage Only) run profile on the MIM Service management agent.
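The workaround above can be scripted so that a Full Import (Stage Only) always precedes synchronization after a configuration change. The script below is an added example, not part of the KB article; it uses the Synchronization Service WMI provider (MIIS_ManagementAgent in the root\MicrosoftIdentityIntegrationServer namespace) to run the profiles in order and stops at the first one that does not end in "success". It assumes the MIM Service management agent is named "MIM Service MA" and that run profiles with exactly the names given exist on it; both are parameters.

```powershell
# Added example, not part of the KB: after changing the MIM Service MA configuration, run
# "Full Import (Stage Only)" before the synchronization run, via the Synchronization Service
# WMI provider. Assumptions: the MA name (-MaName) and the run profile names (-RunProfiles)
# match what is configured in the Synchronization Service Manager on this server.
param(
    [string]$MaName = 'MIM Service MA',
    [string[]]$RunProfiles = @('Full Import (Stage Only)', 'Delta Synchronization')
)

$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_ManagementAgent |
      Where-Object { $_.Name -eq $MaName }
if ($null -eq $ma) { throw "Management agent '$MaName' not found" }

foreach ($rp in $RunProfiles) {
    Write-Host "Running '$rp' on '$MaName' ..."
    # Execute() blocks until the run finishes and returns a status string such as "success"
    $status = $ma.Execute($rp).ReturnValue
    Write-Host "  result: $status"
    if ($status -ne 'success') {
        # Stop here so a synchronization does not run against a stale MA configuration;
        # a status of completed-sync-errors after a configuration change is the symptom
        # (sync-rule-validation-parsing-error) that the stage-only import is meant to avoid
        Write-Warning "Run profile '$rp' ended with '$status'; check the Operations tab in the Synchronization Service Manager before continuing"
        break
    }
}
```

Run it under an account that is a member of the MIMSyncAdmins (or MIMSyncOperators) group on the synchronization server, since the WMI provider enforces the same role membership as the Synchronization Service Manager.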
Microsoft Download Center
A supported update is available from the Microsoft Download Center. We recommend that all customers apply this update to their production systems.
To apply this update, you must have the following installed:
- The 2013 x64 Visual C++ Redistributable Packages (vcredist_x64.exe) (must be installed before you run MIM Service and Portal Setup)
- Microsoft Identity Manager 2016 build 4.4.1302.0
- .NET Framework 4.6 for the following components:
- MIM Service
- MIM Portals (Identity Management, Password Reset, Password Registration)
- MIM PAM
- MIM add-ins and extensions
You must restart the computer after you apply the add-ins and extensions package (Mimaddinsextensions_x(64/86)_kb4489646.msp). You may also have to restart the server components.
This is a cumulative update that replaces all MIM 2016 SP1 updates, from 4.4.1302.0 through build 4.5.286.0 for Microsoft Identity Manager 2016.
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File name | File version | File size | Date | Time
Issues fixed and improvements added in this update
Service and Portal
TLS 1.2 support is added to the MIM Service and Portal installer: this update installs when TLS 1.2 is the only enabled protocol. After you install this update, change-mode setup of the MIM Service and Portal succeeds with only TLS 1.2 enabled and the SQL OLE DB driver installed.
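Before running setup on a server that has been hardened to TLS 1.2, it helps to confirm exactly which Schannel protocols are enabled, since that is the condition the installer now handles. The script below is an added example, not part of the KB article; it reads the standard Schannel protocol keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and reports, per protocol and side, whether the protocol is explicitly enabled, explicitly disabled, or left at the operating-system default (a missing key or value). It assumes that standard registry layout and nothing else about the server.

```powershell
# Added example, not part of the KB: show the Schannel protocol state on this server so you know
# whether TLS 1.2 is the only enabled protocol before running MIM Service and Portal Setup.
# Assumption: standard Schannel registry layout; a missing key or value means the OS default
# applies for that protocol and side, reported here as "default".
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol/side with the Enabled and DisabledByDefault values, or "default"
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $p) $side
            $enabled = 'default'
            $disabledByDefault = 'default'
            if (Test-Path -LiteralPath $key) {
                $props = Get-ItemProperty -LiteralPath $key
                # Enabled is a DWORD; 0 disables, any non-zero value (often 0xFFFFFFFF) enables
                if ($null -ne $props.Enabled)           { $enabled = [bool]$props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = [bool]$props.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize

# TLS 1.2 must not be explicitly disabled, and every other protocol should be explicitly
# disabled; an entry still at "default" may be enabled depending on the OS version.
$tls12Off = $state | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Enabled -eq $false }
$othersOn = $state | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.Enabled -ne $false }

if ($tls12Off) { Write-Warning 'TLS 1.2 is explicitly disabled on at least one side; setup cannot use it.' }
if ($othersOn) {
    Write-Host 'Protocols other than TLS 1.2 are enabled or left at the OS default:'
    $othersOn | Format-Table Protocol, Side, Enabled -AutoSize
} else {
    Write-Host 'TLS 1.2 is the only enabled Schannel protocol.'
}
```

The report is informational only; it changes nothing in the registry. Changing protocol settings also affects every other application on the server, so treat the output as input to a change review rather than something to act on blindly.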
Dynamic logging in the MIM Service is logging too much data by default. After you install this update, the default level of logging (AllSwitch) is set to Warning in the Microsoft.ResourceManagement.Service.exe.config file.
When you run an export on the MIM Service management agent, if the management agent stops before the export finishes, the MIM Service continues to process the changes that were put into the export SQL Broker queue.
After you install this update, if the MIM Service management agent export stops prior to completion, the MIM Service stops processing the exported changes that remain in the SQL Broker queue.
This applies only to asynchronous export operations. The problem doesn't exist for synchronous export operations.
Under certain circumstances, the MIM Service does not terminate a workflow instance in a loop if the associated request was already denied.
Exception thrown in the Forefront Identity Manager event log:
Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure DoUpdateRequest, Line 255, Message: RequestSqlOperationException: This operation is not allowed on RequestKey 13808 because it is already in a final state.
Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.
After you install this update, this problem no longer occurs.
On MIM builds 220.127.116.11 and later builds, if you try to delete a binding in the MIM Service schema that binds a Boolean attribute to a resource type, the delete request fails.
After you install this update, the binding can be deleted.
Trying to update the service account for the MIM Service by running a change-mode installation in quiet mode at the command prompt fails to change the service account.
After you install this update, this operation will succeed.
When you process approvals for requests that provide a Justification and Reason, neither the Justification nor Reason text can be included in an email notification from a workflow.
After you install this update, you can use the following to include these attribute values in the Notification email templates:
Starting in build 4.5.286.0, an attempt to add attribute flow rules to a synchronization rule in the MIM Service or Portal may prevent the attribute flow rule from being added. The request to add the attribute flow succeeds, but the attribute flow isn’t actually saved to the object. This may not occur in all situations.
After you install this update, this problem no longer occurs.
Privileged Access Management
Users in the following scenarios are not removed from Shadow Principal Groups by PAM, as expected:
- Users that have an escape character in the distinguishedName in Active Directory
- Users that were migrated from a domain that is running on a Windows 2012 domain functional level or earlier
For users that have an escape character in the distinguishedName in Active Directory, such as for a comma that is included in the CN value, PAM doesn’t remove this user from the Shadow Principal Group on request expiration.
After you install this update, the user is removed from the Shadow Principal Group, as expected.
Privileged Access Management (PAM) doesn’t update a member's "time to live" (TTL) for Shadow Principal Groups when a request is made to extend an existing request.
To reproduce this problem:
- Generate a new PAM request through a sample Portal or by running the new-pamrequest cmdlet in PowerShell.
- Try to extend the request through a sample portal or by running new-pamrequest.
After you install this update, PAM updates the member’s TTL for Shadow Principal Groups when a request is made to extend an existing request.
When you use the REST API to return historic data on PAM elevation requests, if the MIM request that created the PAM request has expired and been deleted from the database, the API call returns an exception.
Running get-PAMRequest to return the same data returns the request without an error, but also has no Request Status value.
The reason for the exception is that the PAMRequest status is taken directly from the parent MIM Request Status. If that MIM request has been deleted from the database, there’s no status to return.
After you install this update, the REST API call returns the PAM request information without the Request Status data.
MIM Identity Management Portal
jQuery library is updated to version 3.3.1 in the MIM Portal to improve security (see this discussion on GitHub about jQuery).
The MIM Service schema is updated to add a PageTitle attribute for page customizations. This value is displayed on the CustomizedObjects.aspx page if the PageTitle attribute is populated in the ResourceType definition. See examples in the following screenshots.
The Contact objects page before build 4.5.412.0
After you install build 4.5.412.0, do the following:
- Create an MPR to grant permissions to edit page titles.
- Define a value for the Page Title on a ResourceType object.
- Run IISReset in an administrative Command Prompt window.
To see the resulting change, navigate to the MIM Portal, and view the Contacts page again.
When you edit workflow activity properties in the Workflow Designer in the MIM Portal, every change that is made in the activity properties causes the page to scroll to the top of the workflow activity edit view.
After you install this update, this problem no longer occurs.
When you use a custom UocIdentityPicker control in a Resource Control Display Configuration (RCDC) for a custom object type, sorting the returned objects in the search results dialog box on a custom attribute may cause the following to occur:
- The number of returned objects changes
- The returned objects do not sort as expected
After you install this hotfix, this sorting issue doesn't occur, although the exceptions described below apply.
Filters of the following forms allow sorting on both the common attributes and the attributes that are bound to this resource type:
- /ResourceType[Some Condition]
- /Some hierarchy/ResourceType
- /Some hierarchy/ResourceType[Some Condition]
This particular fix does not work for filters that resemble the following examples:
In cases in which the filter is defined so that it isn’t covered by this change, MIM supports the current behavior of sorting common attributes only (attributes that are bound to the "resource" resource type).
When you paste user information into a UocIdentityPicker control, if the information is formatted in the standard Outlook email and name format, an exception is returned. The exception flags unsupported characters in the text. If you click OK in the exception window, the value is cleared from the UocIdentityPicker control.
Outlook email format example:
Joe User <firstname.lastname@example.org>
After you install this update, the UocIdentityPicker control successfully parses user names pasted in this format.
Note After you paste a value that is formatted as in the previous example, if you press Ctrl+Z to undo the paste, a popup exception is returned. This indicates that there are unsupported characters. Instead of using Ctrl+Z to delete the value, use the Delete or Backspace key.
Starting in MIM build 18.104.22.168, when custom RCDC controls are configured to have localized strings, the resources are displayed in mixed languages.
A customized RCDC uses the German language (locales de-DE and de-CH, Germany and Switzerland). After you upgrade to 22.214.171.124, these RCDCs are no longer displayed correctly. Instead, they show a mixture of English and German text.
After you install this update, the RCDCs display as expected.
Trying to set data collection items in a request fails if you submit the request by using the REST API.
After you install this update, the data collection items can be set as expected on a request.
When you enroll a virtual smart card by using the MIM CM REST API, and you use a custom application or the MIM CM Modern App, the host name of the computer on which the virtual smart card was enrolled isn’t registered in the MIM CM request as expected.
After you install this update, the computer host name is recorded in the request as expected.
When you try to install the 4.5.286.0 update to the MIM CM Bulk Client, the installation fails and returns the following exception:
The installation program has encountered an unexpected error. The error code is 2711.
This issue is fixed in this hotfix update. The MIM CM Bulk Client will now successfully update.
When you use the MIM CM Bulk Client to query for requests in build 126.96.36.199, the comments for the requests are not returned as expected.
After you install this update, the comments for each request are returned to the bulk client as expected.
The Active Directory Domain Services management agent now supports discovery and import of the msDS-GroupManagedServiceAccount object type.
In MIM build 4.5.286.0, a MIM management agent export may return the following exception:
Fault Reason: The endpoint could not dispatch the request.\r\n\r\nFault Details: <DispatchRequestFailures xmlns="http://schemas.microsoft.com/2006/11/ResourceManagement" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><DispatchRequestAdministratorDetails><FailureMessage>Exception: Other
Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 13, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 1205, Level 13, State 51, Procedure GenerateRequestOutput, Line 2147, Message: Transaction (Process ID 88) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at Microsoft.ResourceManagement.Data.DataAccess.DoRequestCreation(RequestType request, Guid cause, Guid requestMarker, Boolean doEvaluation, Int16 serviceId, Int16 servicePartitionId)
--- End of inner exception stack trace ---
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier, UniqueIdentifier requestContextIdentifier, Boolean maintenanceMode)
at Microsoft.ResourceManagement.WebServices.RequestDispatcher.CreateRequest(UniqueIdentifier requestor, UniqueIdentifier targetIdentifier, OperationType operation, String businessJustification, List`1 requestParameters, CultureInfo locale, Boolean isChildRequest, Guid cause, Boolean doEvaluation, Nullable`1 serviceId, Nullable`1 servicePartitionId, UniqueId messageIdentifier)
at Microsoft.ResourceManagement.WebServices.ResourceManagementService.Create(Message request)</FailureMessage><DispatchRequestFailureSource>Other</DispatchRequestFailureSource><AdditionalTextDetails>Request could not be dispatched.</AdditionalTextDetails></DispatchRequestAdministratorDetails><CorrelationId>fc548590-4306-4e1a-bb93-074f51f6757d</CorrelationId></DispatchRequestFailures>
After you install this update, this problem no longer occurs.