Hotfix rollup package (build 4.3.2195.0) is available for Microsoft Identity Manager 2016

Introduction
A hotfix rollup package (build 4.3.2195.0) is available for Microsoft Identity Manager (MIM) 2016. This package resolves some issues and adds some features that are described in the "More Information" section.

Update information

A supported update is available from Microsoft Support. We recommend that all customers apply this update to their production systems.

Microsoft Support

If this update is available for download from Microsoft Support, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Additionally, you can obtain the update from Microsoft Update or from Microsoft Update Catalog.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Known issues in this update

Synchronization Service

After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:
  • MIIServer.exe
  • Mmsscrpt.exe
  • Dllhost.exe
For example, you edited the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.

In this case, the synchronization engine installer for this update intentionally does not replace the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.

To resolve this issue, follow these steps:
  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:

    <dependentAssembly><assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />        <bindingRedirect oldVersion="3.3.0.0-4.1.3.0" newVersion="4.1.4.0" /></dependentAssembly>
  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these two files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.

Prerequisites

To apply this update, you must have Microsoft Identity Manager 2016 build 4.3.1935.0 or a later build installed.

For BHOLD deployments of the BHOLD FIM Integration module or Access Management Connector, you must have this hotfix rollup (4.3.2195.0) installed on your MIM servers before apply any update to the BHOLD modules.

Restart requirement

You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_kb3134725.msp) package. Additionally, you may have to restart the server components.

Replacement information

This update replaces update 3092179 (build 4.3.2064.0) for Microsoft Identity Manager 2016.

File information

The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File NameDateTimeFile Size (Bytes)
AccessManagementConnector.msi12-Feb-201609:43671,744
Add-ins and extensions.zip21-Apr-201613:2525,346,203
BholdAnalytics 5.0.3355.0_Release.msi12-Feb-201609:322,707,456
BholdAttestation 5.0.3355.0_Release.msi12-Feb-201610:203,280,896
BholdCore 5.0.3355.0_Release.msi12-Feb-201609:215,021,696
BholdFIMIntegration 5.0.3355.0_Release.msi12-Feb-201609:563,534,848
BholdModelGenerator 5.0.3355.0_Release.msi12-Feb-201610:313,252,224
BholdReporting 5.0.3355.0_Release.msi12-Feb-201610:071,998,848
FIMAddinsExtensions_x64_KB3134725.msp20-Apr-201621:492,555,904
FIMAddinsExtensions_x86_KB3134725.msp20-Apr-201616:312,293,760
FIMCMBulkClient_x86_KB3134725.msp20-Apr-201616:314,722,688
FIMCMClient_x64_KB3134725.msp20-Apr-201621:495,722,112
FIMCMClient_x86_KB3134725.msp20-Apr-201616:315,492,736
FIMCM_x64_KB3134725.msp20-Apr-201621:4918,313,216
FIMCM_x86_KB3134725.msp20-Apr-201616:3118,157,568
FIMService_x64_KB3134725.msp20-Apr-201621:4919,267,584
FIMSyncService_x64_KB3134725.msp20-Apr-201621:4914,893,056
LANGUAGE Packs.zip21-Apr-201613:40132,805,849


More information

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Privileged Access Management (PAM)

Issue 1
Some group memberships may not be removed by the MIM component service after the PAM request expiration period. This hotfix addresses removal of expired group memberships.

Note If you use PAM, this is an important update and should be installed in all environments.

Issue 2
A PAM user has their NetBIOS domain name saved in the Service Database and the PAM user can log on to the Portal.
Issue 3
MIM Monitor errors occur when you use the NetBIOS name for source groups.
Issue 4
The New-PAMGroup and New-PAMUser cmdlets do not accept the fully qualified domain name (FQDN) of the domain.

MIM add-ins and extensions

Issue 1
The Approval buttons in the Outlook Add-in disappear in some UI interactions.

Issue 2
You receive an "Installation prerequisites not met" error message if you try to install the MIM Add-in for Outlook on a computer that has Outlook 2016 installed.


MIM Certificate Management

Issue 1
The Profile Template Settings Report displays incorrect information. It shows that PIN Rollover is enabled and that the Admin PIN initial value is set even if this is not true. Also if the Diversify Admin Key setting is enabled, it is not displayed in the Profile Template Settings Report.

Issue 2
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside MIM Certificate Management (CM).

Issue 3
This hotfix updates the MIM CM CA module tracing and logging, which differs from CM Server application tracing in that CA modules are installed on the AD CS server.

How to use the CA modules tracing

CA module tracing differs from CM Server application, because CA modules might be installed on a separate computer.

Log location

Events can be viewed in the Microsoft\IdentityManagement\CertificateManagement\Admin log. By default, CA modules also write messages to the system folder %temp% (usually C:\Windows\TEMP). To change the log file location, specify the new path of the file in the registry. Make sure that the directory exists and is writable by the CA.

How to change logs location
  1. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration in the registry.
  2. Define a new file location in the ClmCATrace registry value.
  3. Restart the CA.

Trace switch for ExitModule
Registry location:
HKEY_LOCAL_MACHINE \System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\ExitModules\Clm.Exit

String name: Microsoft.Clm.ExitModule
Value data: The Value data can be one of the following: Verbose|Info|Warning|Error


Trace switch for PolicyModule
Registry location:
HKEY_LOCAL_MACHINE \System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy

String name: Microsoft.Clm.PolicyModule
Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error


Trace switch for PolicyModule plugins
Registry location:
HKEY_LOCAL_MACHINE \System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy\<plugin’s name>

String name: Microsoft.Clm.PolicyModulePlugins
Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error


Note Unless key is defined, default value is Info. After the Trace Switch is changed, restart the CA.

Issue 4
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside the MIM CM.

Issue 5
Certificate enrollment fails when the system uses the German locale.

MIM Synchronization Service

Issue 1
An export-only file-based ECMA2 connector could not export deleted objects.

Issue 2
The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. The msDS-UserPasswordExpiryTimeComputed is a computed attribute in AD DS and is not detected by the import operation. As of this update, the attribute is removed from the list of available attributes in the management agent.

Issue 3
Sometimes during the "Import Server Configuration" stage in the MIM synchronization service (MIISClient), the Import Server Configuration dialog box hangs.

Issue 4
Running more than one run profile with a synchronization task at the same time may cause data corruption.

Note A message box is displayed with a 0x8023063D error code.

Issue 5
After an authoritative restore of Active Directory objects, Active Directory Management Agent (AD MA) delta import mistakenly detects them as deleted.

Issue 6
This update adds the ability to override the default Synchronization engine behavior of changing run profile GUID after export and import of the server configuration.

Note This update adds a special registry subkey to turn on the GUIDs "keeping" mode. To enable "keeping" mode, create the following:
Registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Forefront Identity Manager\2010\Synchronization Service

String name: KeepEqualRunPrGuids
Value data: True


Issue 7
This update extends the functionality of the AD MA configuration cmdlets to be able to handle multiple partitions.

Note Set-MIISADMAConfiguration was extended with ‘–Partitions’ with a semicolon (;) separator.

Usage
Set-MIISADMAConfiguration -MAName MA_NAME -Forest FORESTNAME -Credentials (Get-Credential) -Partitions "DC=contoso,DC=com; DC=ForestDnsZones,DC=contoso,DC=com"


Issue 8
This update adds a new cmdlet Add-MIISADMARunProfileStep.

Note It adds run profile step "Full import" assigned to partition 'DC=CONTOSO,DC=COM' to the run profile with name 'ADMA_FULLIMPORT' of the management agent AD_MA. If a run profile with this name doesn’t exist, it will be created. The management agent should already exist.

Possible values of the StepType parameter (short form or long one can be used):
  • "FI", "FULL IMPORT"
  • "FS", "FULL SYNCHRONIZATION"
  • "FIFS", "FULL IMPORT AND FULL SYNCHRONIZATION"
  • "FIDS", "FULL IMPORT AND DELTA SYNCHRONIZATION"
  • "DI", "DELTA IMPORT"
  • "DS", "DELTA SYNCHRONIZATION"
  • "DIDS", "DELTA IMPORT AND DELTA SYNCHRONIZATION"
  • "EXP","EXPORT"

Usage
Add-MIISADMARunProfileStep -MAName 'AD_MA' -Partition 'DC=CONTOSO,DC=COM' -StepType 'FI' -ProfileName 'ADMA_FULLIMPORT'

Issue 9
MmsScrpt.exe crashes because of the binary having an invalid entry point. The most common error displayed is "Access violation."

Issue 10
The Import-MIISServerConfig PowerShell cmdlet does not allow for skipping the Management Agent during configuration import.

MIM Portal

Issue 1
This update enables customizations that have controls shown and hidden based on the state of the email enabling check box.

An additional attribute to RCDC’s configuration data is included in this update. The Now Event element may have a Parameters attribute. For Group RCDC for the OnChangeEmailEnabling event, it should contain a comma-separated (case-sensitive) list of controls to show or hide.

Here is a small sample (part of RCDC) to show how it works:
<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox" my:Caption="%SYMBOL_EmailEnablingCaption_END%" my:Description="%SYMBOL_EmailEnablingDescription_END%" my:AutoPostback="true" my:RightsLevel="{Binding Source=rights, Path=Email}">        <my:Properties>         <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>        </my:Properties>        <my:Events>

Note If the Parameters attribute is not included, nothing will change versus the previous behavior.

Issue 2
This update adds the ability to fully customize the portal header.

Note Replace the portal header section with custom HTML content (by adding the CustomPortalHeader.html file into the Customizations folder).

Issue 3
All supported languages and cultures are localized correctly as some were reported to be localized incorrectly for some culture-specific localization settings.

Issue 4
The Portal does not verify the content of uploaded image files. However, the Portal can check the content of an image. To enable this verification, User Creation and User Editing RCDC have to be changed by adding the Property option to the UocFileUpload type as in the following example:
<my:Property my:Name="ValidateImage" my:Value="true"/


MIM Service

Issue 1
During the 4.3.2064.0 hotfix installation, the database upgrade fails if the FIM Service database name is not the default name of FIMService.

Issue 2
Deadlocks may occur during a request evaluation if a complex Set schema is implemented.

Issue 3
The configuration backup tool does not work in MIM.

Issue 4
FIM Management Agent (MA) Export lets you add MIM objects multivalued string attributes.

BHOLD

Issue 1
The applicationdeletealias function is added for the BHOLD web service.

The function name with ARGs may be passed as an argument for the ExecuteXml method.

Notes
  • userid and applicationid are mandatory arguments
  • alias is an optional argument. Without the alias argument explicitly defined, the function deletes all aliases for an app-user pair.

Issue 2
BHOLD Core shows error in the LogItems table upon removing roles from a parent.

Language Support

Issue 1
The New Serbian culture sr-Latn-RS is available for the following components:
  • MIM Service
  • MIM Clients
  • Certificate management

References
Learn about the terminology Microsoft uses to describe software updates.
Properties

Article ID: 3134725 - Last Review: 04/22/2016 15:32:00 - Revision: 6.0

Microsoft Identity Manager 2016

  • kbqfe kbsurveynew kbautohotfix kbhotfixserver kbfix kbexpertiseinter kbbug atdownload KB3134725
Feedback