This article has been archived. It is offered "as is" and will no longer be updated.
A hotfix rollup package (build 3.3.1087.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1). This hotfix rollup package resolves the following issues.
Consider the following scenario. You use a custom management agent that is based on the Extensible Management Agent. You configure this management agent as Export Only. In this scenario, when a call to deprovision a connector space object in this management agent occurs, the connector space object becomes orphaned. This issue occurs if the deprovisioning rules are set to make the connector space object a disconnector object. You may also experience the following symptoms:
You cannot join the connector space object to a metaverse object.
When you view the connector space object in the Joiner, the connector space object displays no attribute values.
The Microsoft.metadirectoryservices.dll file is not strong-name signed. Therefore, you cannot build strong-name packaged management agents.
The smart card profile template does not populate the subject key identifier (SKI) as expected.
The Certificate Lifecycle Management component of ILM (also known as CLM) does not allow you to restrict certificate issuance on a specific organization unit (OU) to a single Enrollment Agent.
CLM is now supported on the Windows Server 2008 Enterprise Edition 32-bit processor architecture.
Consider the following scenario. A primary smart card and a duplicate smart card are issued. Then, you renew the certificates for the smart cards by using online certificate updates. In this scenario, the primary smart card and the duplicate smart card receive different certificates.
For detailed information about these issues, see the "More Information" section.
Service Pack information
To resolve these issues, obtain the latest service pack for Identity Lifecycle Manager 2007 Feature Pack 1.
ILM 2007 Feature Pack 1 Service Pack 1 (SP1) is available. It contains the fixes in this hotfix rollup and has better compatibility with previous ILM builds. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
977791 Service Pack 1 (build 3.3.1139.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
Hotfix rollup package information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Customers requesting this hotfix package for the MSDN version of Identity Lifecycle Manager should contact Microsoft Technical Support.
To apply this hotfix rollup package, you must have Identity Lifecycle Manager 2007 Feature Pack 1 installed on the computer.
You do not have to restart the computer after you apply this hotfix rollup package.
Hotfix replacement information
This hotfix rollup package includes all the previous hotfixes for Identity Lifecycle Manager 2007 Feature Pack 1.
The English version of this hotfix rollup package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
In this hotfix rollup package, the CLM_2007_FP1_FULL_KB946797.msp file fixes the Certificate Lifecycle component of Identity Lifecycle Manager 2007 Feature Pack 1. The ILM_2007_FP1_ENT_KB946797.msp file fixes the Identity Lifecycle component of Identity Lifecycle Manager 2007 Feature Pack 1.
Detailed information about the issues that are resolved
The orphaned connector space object issue occurs because the connector space object does not have a confirming import. Therefore, the connector space hologram for the connector space object is not created. The connector space hologram contains the information that is used for operations, such as join operations.
Before you apply this hotfix rollup package, you cannot replace the orphaned connector space object except by deleting the connector space object. This hotfix rollup package causes the connector space object to be updated by using information that confirms the export and that fills the connector space hologram.
Note This hotfix rollup package applies only to custom management agents that you create by using the Extensible Management Agent and that you configure as Export Only.
In this hotfix rollup package, the Microsoft.metadirectoryservices.dll file is changed to allow for strong-name signing of rules extensions and of data source extensions. Therefore, you may have to change the existing Microsoft Visual Studio projects to use the strongly named Microsoft.metadirectoryservices.dll file.
The ILM Synchronization Service now provides the following DLL files that define the interfaces and the types for the rules extensions and for the data source extensions:
The Microsoft.metadirectoryservices.dll file is the version that was released in earlier versions of the synchronization server. The version of the Microsoft.metadirectoryservices.dll file that is provided in this hotfix rollup package lets the existing rules extensions and the existing data source extensions continue to function without recompilation. However, when you create new rules extensions and new data source extensions or when you recompile the existing rules extensions and the existing data source extensions, references to the Microsoft.metadirectoryservices.dll file result in compiler errors. Specifically, you receive the following compiler error message when you reference this version of the Microsoft.metadirectoryservices.dll file:
Error 1 The type or namespace name Name could not be found (are you missing a using directive or an assembly reference?)
Note In this error message, Name is a placeholder for the name of a function or of a type that is found in the Microsoft.MetadirectoryServices namespace.
After you apply this hotfix rollup package or later hotfix rollup packages, you must reference the strongly named Microsoft.metadirectoryservicesex.dll file when you create new rules extensions and new data source extensions or when you recompile the existing rules extensions and the existing data source extensions. The strongly named Microsoft.metadirectoryservicesex.dll file contains the implementation that was formerly contained in the Microsoft.metadirectoryservices.dll file. The new file is functionally the same as the previous file except for strong-name signing.
When you create new Visual Studio projects from Identity Manager, the Visual Studio projects reference the new Microsoft.metadirectoryservicesex.dll file. If you create your own Visual Studio projects by using Visual Studio, you must make sure that you reference the new Microsoft.metadirectoryservicesex.dll file. If you recompile an existing Visual Studio project, you must make sure that you delete the reference to the Microsoft.metadirectoryservices.dll file and add a new reference to the Microsoft.metadirectoryservicesex.dll file.
For the existing rules extensions and for the existing data source extensions, no recompilation is required. These extensions continue to function correctly.
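The following script is an added example and is not part of the Knowledge Base article or of the ILM product. It reports whether the two interface assemblies described above are strong-name signed and which of them a compiled rules extension or data source extension actually references, which is the check to run before deciding whether a project must be re-pointed at Microsoft.metadirectoryservicesex.dll. The install paths and the extension file name are assumptions; it is written for Windows PowerShell on .NET Framework.

```powershell
# Added example, not from the KB article: reports whether the ILM interface assemblies are
# strong-name signed and which interface assembly a compiled extension binds to.
# Assumes Windows PowerShell (ReflectionOnlyLoadFrom is .NET Framework only) and the paths below.
param(
    # Assumed default install path of the ILM Synchronization Service binaries
    [string]$SyncBin = 'C:\Program Files\Microsoft Identity Integration Server\Bin',
    # Assumed path of a compiled rules extension or data source extension to inspect
    [string]$ExtensionPath = 'C:\Program Files\Microsoft Identity Integration Server\Extensions\MyRulesExtension.dll'
)

function Format-Token {
    param([byte[]]$Token)
    if ($null -eq $Token -or $Token.Count -eq 0) { return '(none)' }
    return ($Token | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-StrongNameInfo {
    param([string]$Path)
    # GetAssemblyName reads the manifest only; nothing in the assembly is executed.
    $name  = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    $token = $name.GetPublicKeyToken()
    [pscustomobject]@{
        Assembly       = $name.Name
        Version        = $name.Version
        StrongNamed    = ($null -ne $token -and $token.Count -gt 0)
        PublicKeyToken = Format-Token $token
    }
}

# 1. Which of the two interface assemblies shipped with the service are strong-name signed?
foreach ($dll in 'Microsoft.metadirectoryservices.dll', 'Microsoft.metadirectoryservicesex.dll') {
    $path = Join-Path $SyncBin $dll
    if (Test-Path $path) { Get-StrongNameInfo $path } else { Write-Warning "$dll not found in $SyncBin" }
}

# 2. Which interface assembly does the compiled extension reference? An extension that is
#    itself strong-name signed can only bind to a strong-named interface assembly, so after
#    the hotfix new builds must reference Microsoft.metadirectoryservicesex.dll. The
#    reflection-only context inspects the manifest without running any extension code.
$ext = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($ExtensionPath)
$ext.GetReferencedAssemblies() |
    Where-Object { $_.Name -like 'Microsoft.MetadirectoryServices*' } |
    ForEach-Object {
        [pscustomobject]@{
            Extension      = $ext.GetName().Name
            References     = $_.Name
            Version        = $_.Version
            PublicKeyToken = Format-Token ($_.GetPublicKeyToken())
        }
    }
```

An extension that still lists Microsoft.metadirectoryservices.dll with no public key token keeps working without recompilation, as the article states, but will fail to compile against the hotfix assembly until its reference is replaced.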
When you enroll a user in a profile template that is enabled for smart cards, the certificate that is issued by the profile template does not contain the SKI.
Steps to reproduce this issue
1. You configure a new certificate template by duplicating the Smartcard User certificate template in the certification authority (CA).
2. You publish the certificate template.
3. You create a new profile template for the certificate template that is enabled for smart cards.
4. You create a new profile template for the certificate template that is not enabled for smart cards.
5. You enroll a user in both profile templates that you created in steps 3 and 4.
Both certificates that are issued through CLM should have the SKI because both certificates are issued from the same certificate template. However, the certificate that is issued by the profile template that is enabled for smart cards does not contain the SKI. The certificate that is issued by the profile template that is not enabled for smart cards contains the SKI.
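To confirm the symptom above on issued certificates, the following added script (not from the Knowledge Base article or from CLM) lists the certificates in a store that were issued from a given template and reports whether each one carries the Subject Key Identifier extension (OID 2.5.29.14). The template display name and store path are assumptions; the template name is read from the Certificate Template Information (1.3.6.1.4.1.311.21.7) or v1 template name (1.3.6.1.4.1.311.20.2) extension.

```powershell
# Added example, not from the KB article: reports whether certificates issued from a given
# certificate template contain the Subject Key Identifier (SKI) extension.
param(
    # Assumed display name of the template duplicated from "Smartcard User" in the repro steps
    [string]$TemplateName  = 'Smartcard User Copy',
    # Store to inspect; the smart card certificates appear here once the card is inserted
    [string]$StoreLocation = 'Cert:\CurrentUser\My'
)

function Test-HasSki {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # X509ExtensionCollection can be indexed by OID string; $null means the extension is absent
    return ($null -ne $Cert.Extensions['2.5.29.14'])
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
        Select-Object -First 1
    if ($null -eq $ext) { return '' }
    # Format() renders e.g. "Template=Smartcard User Copy(1.3.6.1...)" for v2 templates
    return $ext.Format($false)
}

Get-ChildItem $StoreLocation |
    Where-Object { (Get-TemplateName $_) -like "*$TemplateName*" } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Template   = Get-TemplateName $_
            HasSKI     = Test-HasSki $_
        }
    }
```

Run it once for the user enrolled through the smart card profile template and once for the non-smart-card one; before the hotfix only the second set shows HasSKI as True.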
Before you apply this hotfix rollup package, CLM does not examine the CLM Enrollment Agent extended permission when a request is executed. Therefore, anyone who is an Initiate Enroll Request principal on a profile template can execute the request for all subscribers who can enroll for the profile template, regardless of his or her permissions on the user object. Companies cannot implement more granular workflow permissions. For example, companies cannot allow for the managers in a sales OU to enroll users in only that OU.
After you apply this hotfix rollup package, the person who executes a request must also have the CLM Enrollment Agent permission on the subscriber in Active Directory. This behavior lets companies use a single profile template and lets companies implement more granular workflow permissions. You can grant a requestor the CLM Enrollment Agent permission either on the user object directly or on a group of which the subscriber is a member.
CLM is now fully supported on the Windows Server 2008 Enterprise Edition 32-bit processor architecture. Installation on Windows Server 2008 requires a full setup package. This setup package is included in ILM 2007 FP1 Service Pack 1 (SP1).
Because the primary smart card and the duplicate smart card receive different certificates, a file that is encrypted by the certificate on the primary smart card cannot be decrypted by using the duplicate smart card.
After you apply this hotfix rollup package, the primary smart card and the duplicate smart card receive identical certificates after you renew the certificates by using online certificate updates.
Important If you apply the CLM part of this hotfix rollup package, how CLM accesses Active Directory is changed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
952327 A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates