Hotfix rollup information
A supported hotfix rollup is available from Microsoft. However, this hotfix rollup is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix rollup.
If the hotfix rollup is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Note
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
- If you upgrade any of the FIM server components, you must also upgrade the following server components:
- The FIM Certificate Management (CM) certification authority (CA) components to the same version as the FIM CM server.
- The FIM Service to the same version as the FIM Synchronization Service.
- To avoid a Bulk Client failure, you must also upgrade the FIM CM server and the FIM CA server modules to the same version if you upgrade the FIM 2010 CM Bulk Client.
To apply this hotfix rollup, you must have Microsoft Forefront Identity Manager (FIM) 2010 installed.
You must restart the computer after you apply the Add-ins and Extensions hotfix rollup package. Additionally, you may have to restart the server components.
To use one of the fixes in this hotfix rollup, you must change the registry. For more information, see the "More Information" section.
This hotfix rollup package replaces the following hotfix rollup packages:
A hotfix rollup package (build 4.0.3576.2) is available for Forefront Identity Manager 2010 2417774
A hotfix rollup package (build 4.0.3573.2) is available for Forefront Identity Manager 2010 2272389
A hotfix rollup package (build 4.00.3558.02) is available for Forefront Identity Manager 20102028634
A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010 978864
Update Package 1 for Microsoft Forefront Identity Manager (FIM) 2010
The global version of this hotfix rollup installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
For all supported versions of Forefront Identity Manager 2010
|File name||File version||File size||Date||Time|
|CM Bulk Client.zip||Not Applicable||10,228,107||15-Oct-2011||21:41|
Fixed issues in Workflow Engine
Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails
property for a request, or in the WorkflowStatusDetails
property of a workflow instance:
Cannot enlist in the transaction because a local transaction is in progress on the connection.
Additionally, the time stamp is the same as the time when the operation fails.
Fixed issues in Sync Engine
(ERE) object is associated to a child synchronization rule of a Metaverse
object. If the ERE object has a Remove
action, deprovisioning of the object is also being triggered. Then, the behavior causes the deletion of the Metaverse
Fixes an access violation when a custom extension calls a COM+ object.
An earlier hotfix introduced a special Extensible Connectivity Management Agent (ECMA) mode to keep unconfirmed exports in escrow instead of awaiting confirmation. An issue with that hotfix causes delta sync to add new items that are not merged with an escrowed export into a pending export. After you install the hotfix that is mentioned in this article, if the ECMAAlwaysExportUnconfirmed registry entry is set to 1, the escrowed and pending changes are merged.
Fixes an SQL query construction issue that occurs during an import. This issue affects a DB2 database that uses a non-Unicode character set.
Fixes many "Export not reimported" errors that might occur because of errors in SQL.
Improves the performance of all Sync Engine operations.Note
This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.
A password reset that uses the ADMAEnforcePasswordPolicy registry setting fails when the user is in the Administrator group but is not an administrator.
Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate
field during the password set operation. The time stamp is stored as a TimeDate
To enable this behavior, set the following registry subkey to a nonzero DWORD Value:
The FIM 2010 Active Directory Management Agent (AD MA) does not honor the preferred domain controller list when passwords are exported. This is an issue for customers who require password changes to flow to a specific set of domain controllers. This hotfix rollup package changes the AD MA to use the preferred domain controller list first. If the preferred domain controller list does not exist, the domain controller locator service will identify a domain controller for password export operations. Additionally, you can still force password operations to use the primary domain controller by setting the following registry subkey:
ADMAUsePDCForPasswordOperations (REG_DWORD, 1 = True, 0 = False)
This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.
Adds the ability to filter objects before they are imported into the AD MA connector space.
Fixed issues in Sets and Query
Fixes an issue that would sometimes cause incorrect Set calculations. This resulted in lots of set corrections. Also revised the Sets Correction job so that it does not change special sets that are maintained by another system maintenance job.
Revised the FIM "Query and Sets" features to correctly treat percent signs, underscores, and opening brackets as literals instead of as SQL wildcard characters.
The approved character sets for strings that are used in FIM attribute values are defined in the attribute and binding schema in the FIM service. The syntax for representing an XPath filter is documented on MSDN in the following "FIM XPath Filter Dialect" article:
Some customers may have included characters that SQL defines as query wildcard characters, such as the percent character, in FIM searches and Set filters. In this case, the customers intended FIM to treat the characters as SQL wildcard characters. This is not a documented or supported feature of the product. In some cases, customers may be able to achieve the intended functionality by removing the wildcard and by using a “contains” query/filter instead.
Existing Set resources that have filters that contain SQL wildcard characters may not continue to function as the filters functioned before this hotfix was applied. Also, a filter that contains wildcard characters and that continued to function as expected after the hotfix was applied may function differently if the administrator later updates the filter definition.
Customers who used characters that SQL defined as query wildcard characters must check and revise their Set filters either before or after they upgrade to this hotfix. Customers should consider the impact of Set membership changes on Set transition MPRs. And, customers may want to temporarily disable MPRs or update workflow definitions while they change their Set filters to avoid unintentionally triggering provisioning or deprovisioning operations during Set definition maintenance.
Fixed issues in Certificate Management
Enables the random number generator in the server key generation function.
Improves the performance when enrolling a smartcard that has not previously been used with FIM Certificate Management (CM).
Fixed issues in FIM Management Agent (MA)
Fixes an issue in which the FIM synchronization service configuration for synchronization rules and codeless provisioning was not correctly written to the FIM Service database.
Fixed issues in FIM Service
Fixes an issue with SQL Server deadlocks that might occur during periods of high concurrency of requests or approvals.
Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronization service to fail during import, and a stopped-server error occurred.
Fixes an issue when you add or remove a value for a multivalued string attribute. If the request was subject to authorization such as request reevaluation, the request would fail after approval.
objects and DetectedRuleEntry
objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry
object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry
object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.
These orphaned objects have no functional impact on FIM. However, over time, these orphaned objects can cause a decrease in performance for both FIM operations and Sync operations that are related to FIM, such as import or export by using the FIM MA.
A pruning stored procedure, [debug].[DeleteOrphanedRulesByType], was added to the [debug] namespace of the FimService database. This stored procedure must be run separately for the DetectedRuleEntry
object and the ExpectedRuleEntry
object. The stored procedure also has a "reportOnly" mode, and this mode can be used to determine the presence and number of orphaned DetectedRuleEntry
objects in the system.
parameter expects one of the following well-known values:
- N'Detected' for DetectedRuleEntry objects
- N'Expected' for ExpectedRuleEntry objects
To determine the number of orphaned objects in the system, run the stored procedure in "reportOnly" mode as follows.
DECLARE @deletedRulesFound BIT; EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @reportOnly=1, @deletedRulesFound=@deletedRulesFound OUTPUT;
To loop through and actually delete orphaned objects in the system, run the stored procedure as follows. @deletionLimit=1000 instructs the procedure to stop when it has deleted 1,000 objects. If there are more than 1,000 orphaned objects in the system, either run the procedure multiple times (recommended) or increase the deletionLimit value.
DECLARE @deletedRulesFound BIT, @startDateTime DATETIME, @endDateTime DATETIME; SELECT @deletedRulesFound = -1; WHILE @deletedRulesFound <> 0 BEGIN SELECT @startDateTime = CURRENT_TIMESTAMP; EXEC [debug].[DeleteOrphanedRulesByType] @ruleType=N'CHANGE_ME', @deletionLimit=1000, @reportOnly=0, @deletedRulesFound=@deletedRulesFound OUTPUT; SELECT @endDateTime = CURRENT_TIMESTAMP; SELECT @startDateTime AS [StartTime], @endDateTime AS [EndTime], @deletedRulesFound AS [WereDeletedRulesFound]; END