Hotfix Rollup information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Note
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.Notes
- If you upgrade any of the FIM server components, you must also upgrade the following server components:
- The FIM Certificate Management (CM) certification authority (CA) components to the same version as the FIM CM server.
- The FIM Service to the same version as the FIM Synchronization Service.
- To avoid a Bulk Client failure, you must also upgrade the FIM CM server and FIM CA server modules to the same version if you upgrade the FIM 2010 CM Bulk Client.
To apply this hotfix rollup package, you must have Forefront Identity Manager (FIM) 2010 installed.
You must restart the computer after you apply the Add-ins and Extensions
hotfix rollup package. Additionally, you may have to restart the server components.
Hotfix replacement information
This hotfix rollup package replaces the following hotfix rollup packages:
A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 2010
A hotfix rollup package (build 4.0.3558.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010
Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
For all supported versions of FIM 2010
|File name||File version||File size||Date||Time|
|Fim cm bulk client.zip||Not applicable||10,229,616||15-Mar-2011||09:01|
Resolved issues and features that are related to Certificate ManagementIssue 1
When the FIM CM Update Service and CM policy modules do not have the same version, the FIM CM auto-enroll policy module may process requests incorrectly.Issue 2
If you use the FIM Certificate Management (CM) Client to set the ALLOW_SSO
parameter to YES
in the PIN
rule for smart cards, you receive an error message that resembles the following:
The supplied PIN is incorrect.
To resolve this issue, you must install the update for the Forefront Identity Manager (FIM) CM server before you install the update for the FIM Certificate Management Client.Feature 1
This hotfix rollup package adds support that uses key pairs for data encryption in FIM CM. The key pairs are stored by using a key storage provider.Feature 2
This hotfix rollup package adds support that lets you run the FIM 2010 CM Bulk Client in Windows 7.
Resolved issues and features that are related to Synchronization ServiceIssue 1
When a Management Agent (MA) is running in 32-bit mode, password reset operations do not work. For example, this issue occurs when you run an out-of-box SAP MA.Issue 2
The performance of the SQL MA is slow. After you install this package, indexing operations are improved, and the performance of the SQL MA is 25 percent faster.Issue 3
When you try to rename an object that is re-created in the Sync Engine, you receive an error message that resembles the following:
trying to add with different anchor
When a metaverse object is removed, you receive the following exception if a detected rule entry (DRE) is not removed:
Additionally, you receive an error message that resembles the following in the Sync Engine:
The server encountered an unexpected error while performing an operation for a rules extension.
If the service account for FIM Sync is the same account that is used by an Active Directory MA (AD MA), the service account can be used for connecting to AD by leaving the password empty in the AD MA. Additionally, you do not have to update the password for the account in the AD MA when the password of the service account is changed.Note
Do not use this feature when you use the AD MA for Exchange provisioning.Feature 2
This hotfix adds support to let you export subattributes in Sun Directory Services LDAP.
Subattributes are managed in a second MA. The primary MA imports and exports all attributes except subattributes. If there are several subattributes that are in relation to an attribute, additional MAs may be necessary.
All object operations that are add or delete operations are performed from the primary MA only.
To configure the second MA to use subattributes, create the iPlanetMAOptionExporting
DWORD registry entry in the following registry subkey, and then set the value of the registry entry to 1
When the iPlanetMAOptionFiltering
registry entry is defined and is not set to an empty string, the new export feature is enabled.
For more information about the iPlanetMAOptionFiltering
registry entry, click the following article number to view the article in the Microsoft Knowledge Base:
How to obtain the latest Microsoft Identity Integration Services 2003 cumulative hotfix package
If the value of iPlanetMAOptionFiltering
registry entry is not defined, or if the value is an empty string, the new export feature is disabled.
When the new export feature is enabled, all attributes except objectClass
are exported by appending a semicolon and the value of the iPlanetMAOptionFiltering
registry entry to the attributes. Other functionality remains the same, and errors for attributes that do not contain options are handled the same.
The filtering and exporting options are intended for a secondary instance of Sun MA. A join rule is required to make sure that multiple CS representations of a Sun directory object are joined to the same MV object. A join rule on the second MA is defined by using the DN
attribute. The primary MA must be configured to move from this attribute to an attribute in the metaverse.
Resolved issues that are related to the FIM PortalIssue 1
Consider the following scenario:
- You try to find users by using the Object Picker.
- You put the cursor into the text box by pressing Home or by using the mouse.
In this scenario, you receive an Internet Explorer script error.Issue 2
If you add multiple items into the Object Picker, you may receive an error.
Resolved issues and features that are related to FIM ServiceIssue 1
When you approve multiple requests by using a batch operation, the batch operation may time out.Issue 2
You run a stored procedure to process lots of requests that contain some collateral requests or to process some requests that contain lots of collateral requests. In this scenario, the procedure may stop responding. Additionally, the FIM SQL server or the computer that is running FIM service may use the CPU excessively. For example, this issue may occur when the stored procedure tries to cancel a collateral request. Issue 3
When a string attribute that has multiple values is changed, an error may occur if the Sets are defined by using the starts-with
When an object type that is referenced in Set filters is deleted or re-created, the Set memberships may be incorrect. After you apply this hotfix rollup package, the object types that are referenced in Set filters cannot be deleted.Issue 5
When multiple concurrent requests involve object set transitions, the requests may fail. This issue occurs because a duplicate key SQL exception is generated.
Resolved issue that is related to FIM Service MAIssue 1
When you run a delta import on the FIM service MA, the following exception occurs:
Additionally, you receive an error that resembles the following:
Delta Import cannot be run as the change log has been detected to be in a corrupted state.
Also, the following event is logged in the Application log:
Log Name: Application
Event ID: 6500
Task Category: None
Computer: <computer name>
The description for Event ID 6500 from source FIMSynchronizationService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
Resolved issue that is related to SetupIssue 1
After you install a hotfix that is a newer version than FIM 2010 version 4.0.3568.2, a FIM MA failure occurs if Update package 1 for FIM 2010 release version (build 4.0.3531.2) is not already installed.
Therefore, this issue occurs after you install hotfix 2417774 (build 4.0.3573.2) on the release version directly.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.