A hotfix rollup package (build 4.1.3496.0) is available for Forefront Identity Manager 2010 R2

A hotfix rollup package (build 4.1.3496.0) is available for Microsoft Forefront Identity Manager (FIM) 2010 R2. This hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section.

Update information

A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.

Microsoft Support

If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, you should contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, a hotfix is not available for that language.

Component update packages

The following table contains the component update packages that are included in the download from Microsoft Support.

ComponentFile name
FIM 2010 R2 Add-ins and ExtensionsFIMAddinsExtensions_xnn_KB2906832.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.
FIM 2010 R2 Add-ins and Extensions Language PackFIMAddinsExtensionsLP_xnn_KB2906832.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.

FIM 2010 R2 Certificate Management

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.
FIM 2010 R2 Certificate Management Bulk Issuance ClientFIMCMBulkClient_x86_KB2906832.msp
FIM 2010 R2 Certificate Management ClientFIMCMClient_xnn_KB2906832.msp

Note Versions of this file are available for x86-based and x64-based versions of FIM 2010.
FIM 2010 R2 Service and PortalFIMService_x64_KB2906832.msp
FIM 2010 R2 Service Portal Language PackFIMServiceLP_x64_KB2906832.msp
FIM 2010 R2 Synchronization Service FIMSyncService_x64_KB2906832.msp

Known issues in this update

Synchronization Service
After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:
  • MIIServer.exe
  • Mmsscrpt.exe
  • Dllhost.exe

For example, you edited the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.

In this case, the synchronization engine installer for this update intentionally does not replace the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.

To resolve this issue, follow these steps:
  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:

    <dependentAssembly><assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />        <bindingRedirect oldVersion="" newVersion="" /></dependentAssembly

  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory, and then repeat steps 1 through 4 for these two files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.

FIM Reporting
If you install FIM Reporting on a new server that has Microsoft System Center 2012 Service Manager Service Pack 1 installed, follow these steps:
  1. Install the FIM 2010 R2 SP1 FIMService component. To do this, click to clear the Reporting check box.
  2. Install this hotfix rollup to upgrade the FIM Service to build 4.1.3496.0.
  3. Run the change-mode installation for the FIM Service, and then add Reporting.

If reporting is enabled and the change-mode installation is run for the FIM Service and the FIM Portal, you must re-enable reporting. To do this in the FIM Identity Management Portal, follow these steps:
  1. On the Administration menu, click All Resources.
  2. Under All Resources, click System Configuration Settings.
  3. Click the System Configuration Settings object, and then open the properties of this object.
  4. Click Extended Attributes, and then click to select the Reporting Logging Enabled check box.
  5. Click OK, and then click Submit to save the change.


To apply this update, you must have Forefront Identity Manager 2010 R2 (build 4.1.2273.0 or a later build) installed.

Restart requirement

You must restart the computer after you apply the Add-ins and Extensions package (Fimaddinsextensions_xnn_kb2906832.msp). Additionally, you may have to restart the server components.

Replacement information

This update replaces the following updates:
2889529 A hotfix rollup package (build 4.1.3479.0) is available for Forefront Identity Manager 2010 R2

2877254 A hotfix rollup package (build 4.1.3469.0) is available for Forefront Identity Manager 2010 R2

2870703 A hotfix rollup package (build 4.1.3461.0) is available for Forefront Identity Manager 2010 R2

2849119 A hotfix rollup package (build 4.1.3451.0) is available for Forefront Identity Manager 2010 R2

2832389 A hotfix rollup package (build 4.1.3441.0) is available for Forefront Identity Manager 2010 R2

2814853 A hotfix rollup package (build 4.1.3419.0) is available for Forefront Identity Manager 2010 R2

2772429 Service Pack 1 (build 4.1.3114.0) is available for Forefront Identity Manager 2010 R2

2750671 A hotfix rollup package (build 4.1.2548.0) is available for Forefront Identity Manager 2010 R2

2734159 A hotfix rollup package (build 4.1.2515.0) is available for Forefront Identity Manager 2010 R2

File information

The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File nameFile versionFile sizeDateTimePlatform
Fimaddinsextensionslp_x64_kb2906832.mspNot applicable3,917,31219-Nov-201322:11Not applicable
Fimaddinsextensionslp_x86_kb2906832.mspNot applicable1,595,39219-Nov-201321:27Not applicable
Fimaddinsextensions_x64_kb2906832.mspNot applicable5,209,60019-Nov-201322:11Not applicable
Fimaddinsextensions_x86_kb2906832.mspNot applicable4,661,24819-Nov-201321:27Not applicable
Fimcmbulkclient_x86_kb2906832.mspNot applicable9,091,58419-Nov-201321:27Not applicable
Fimcmclient_x64_kb2906832.mspNot applicable5,568,51219-Nov-201322:11Not applicable
Fimcmclient_x86_kb2906832.mspNot applicable5,197,31219-Nov-201321:27Not applicable
Fimcm_x64_kb2906832.mspNot applicable31,801,85619-Nov-201322:11Not applicable
Fimcm_x86_kb2906832.mspNot applicable31,414,78419-Nov-201321:27Not applicable
Fimservicelp_x64_kb2906832.mspNot applicable12,190,20819-Nov-201322:11Not applicable
Fimservice_x64_kb2906832.mspNot applicable31,190,01619-Nov-201322:11Not applicable
Fimsyncservice_x64_kb2906832.mspNot applicable36,195,84019-Nov-201322:11Not applicable
More information

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service and FIM Portal

Issue 1
When you create a custom solution in FIM 2010 R2, you may experience any of the following scenarios:
  • Scenario 1: An authorization workflow could get stuck.
  • Scenario 2: An authorization workflow could be executed again after a FIMService restart.
  • Scenario 3: An authorization workflow parent request may not be set to expire.

These problems might occur if your solution has custom workflows that use the new FIM 2010 R2 feature that enables setting the ApplyAuthorizationPolicy property to True (the default value is False) on the following built-in building-block activities:
  • CreateResourceActivity
  • UpdateResourceActivity
  • DeleteResourceActivity

Changes to stored procedures in the FIMService database resolve scenarios 2 and 3.

To resolve scenario 1, an additional AuthorizationWaitTimeInSeconds property was added to built-in building-block activities that enables the activity to set how long the request processor should wait for authorization before it throws an AuthorizationRequiredFault error. We recommend that you set this value to 0 (zero) or a larger value.

New feature 1
By using a new configuration option, you can now hide the Advanced Search link in the FIM Portal.

To enable the configuration and remove the Advanced Search link, follow these steps:
  1. In Administration, click Schema Management, and then click All Attributes.
  2. Create a new Boolean attribute that is named "HideAdvancedSearchLink."
  3. In All Bindings, create a new binding for the HideAdvancedSearchLink attribute to the Portal Configuration resource, and then click Finish to save the binding.
  4. Create a new Management Policy Rule (MPR) to allow for changes to the new binding in the portal configuration. To do this, use the following configuration for the new MPR:

    Display Name: Administrators can modify the HideAdvancedSearchLink attribute in the Portal Configuration resource
    Type: Request
    Disabled: False
    Specific Set of Requestors: All Administrators
    Operation: Modify a single-valued attribute
    Permissions: Grants permission
    Target Resource Definition Before Request: All Basic Configuration Objects
    Target Resource Definition After Request: All Basic Configuration Objects
    Resource Attributes: Select specific attributes: HideAdvancedSearchLink

  5. Reset Internet Information Services (IIS), and then restart the FIM service.
  6. In Administration, click Portal Configuration, and then click Extended Attributes. You should see the HideAdvancedSearchLink attribute together with the other extended attributes.
  7. Click to select the HideAdvancedSearchLink check box, and then click Submit to enable the hiding of the Advanced Search link.
  8. Verify that the Advanced Search link is not available in the list views. For example, check the following list views:
    • My DGs
    • My DG Memberships
    • Management Policy Rules

FIM Synchronization Service

Issue 1
During an export on the FIM Service management agent (MA), the FIM Synchronization Service or the FIM Service may be stopped. In this case, the Synchronization Service may be unable to complete the export on a retry, and you receive the following error message:

The operation failed because the attribute cannot be found.

Issue 2
In certain scenarios, the FIM Service MA may return the following error message:

Type: System.ArgumentOutOfRangeException

This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.

Issue 3
In rare cases, an import could receive a staging error because of duplicate references in the connector space.

Issue 4
In rare cases, an import could receive a staging error because an object was moved in the connected directory.

Issue 5
An Extensible Connectivity 2.0 Management Agent (ECMA 2.0) connector could end up in an infinite loop. This problem may occur when the capability flag is set not to export references in the first pass. In this case, an object that has no reference attributes cannot export an attribute. This problem affects the Microsoft Azure Active Directory connector that is provided by Microsoft.

Issue 6
In ECMA 2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA 2.0 could not export and therefore caused a staging error on the next import and synchronization.

See the terminology that Microsoft uses to describe software updates.

Article ID: 2906832 - Last Review: 06/20/2014 15:04:00 - Revision: 2.0

  • kbautohotfix kbqfe kbhotfixserver kbfix kbexpertiseinter kbsurveynew kbbug KB2906832