Symptoms
If the Enterprise Single Sign-On (SSO) Management Agent (MA) is being used within Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 to integrate with Enterprise SSO, you may find that the Enterprise SSO database is not updated when user accounts are deleted in other integrated data sources.
The following is an example scenario: If a user account is deleted in Active Directory, the matching user account is not removed from the Enterprise SSO database when the synchronization process for the management agent for Active Directory and the Enterprise SSO MA is executed within ILM. If other management agents are part of the synchronization process, the user account is deleted in the other connected data sources. The Enterprise SSO MA is the only management agent that cannot delete the user account, because it does not remove the user account from the Enterprise SSO database.
When user accounts are deleted, the Enterprise SSO MA connector space (CS) includes a placeholder object for all user accounts that were deleted in the other data sources. If you try to add a new user by using one of the previously deleted user accounts, the Enterprise SSO MA cannot add the user account and returns an exception that resembles the following:
System.Exception: Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "distinguished name" already exists in management agent "ENTSSO MA Name".
   at Microsoft.MetadirectoryServices.Impl.CSEntryImpl.CommitNewConnector()
   at Microsoft.EnterpriseSingleSignOn.MVSync.Provision(MVEntry mventry)
Resolution
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this problem, apply and then enable this hotfix. After you do this, the Enterprise SSO MA will correctly delete user accounts from the Enterprise SSO database when a delete notification is received during a synchronization process in ILM. Additionally, user accounts that are reused after they were previously deleted will be successfully added to the Enterprise SSO database.
Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Installation information
To enable this hotfix, follow these steps:
- Apply this hotfix.
- Update ILM 2007 Feature Pack 1. To do this, apply the hotfixes that are described in the following articles in the Microsoft Knowledge Base:
  946797 A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
  972757 A hotfix rollup package (build 3.3.1132.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1
- Make a change to the Enterprise SSO MA XML configuration file (Entsso.xml). To do this, follow these steps:
  - Start Identity Lifecycle Manager.
  - Click Management Agents.
  - Select the Enterprise SSO MA that you are using.
  - Click Actions, and then click Export Management Agent.
  - Type a file name for the XML file that will be created, and then click Save.
  - Remove the read-only attribute from the resulting XML file.
  - Edit the XML file as follows:
    Locate the following string:
    <capabilities-mask>7b801</capabilities-mask>
    Change it to the following string:
    <capabilities-mask>47b801</capabilities-mask>
    Note In this example, the digit 4 is added in front of 7b801.
  - Set the read-only attribute for the resulting XML file.
  - In Identity Lifecycle Manager, click Management Agents.
  - Click Actions, click Update Management Agent, browse to the updated XML file, and then click Open.
    Note You must have access to the Enterprise SSO MA password during the MA update.
- Enable the Enterprise SSO MA update to allow for user records to be deleted by adding the EnableDeleteNotification value to the registry. To do this, follow these steps:
  - Click Start, click Run, type regedit, and then click OK.
  - Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO
  - Right-click ENTSSO, point to New, and then click Key.
  - Type MA and then press Enter.
  - Right-click MA, point to New, and then click DWORD Value.
  - Type EnableDeleteNotification, and then press Enter.
  - Double-click EnableDeleteNotification, type 1 in the Value data box, and then click OK. A value of 1 enables this feature.
  - Exit Registry Editor.
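The file edit and the registry step from the procedure above, scripted in PowerShell. This is an added example, not part of the original article or of Microsoft's hotfix; the function names and the path C:\Temp\EntssoMA.xml are assumptions, and the Export and Update Management Agent steps still happen in Identity Lifecycle Manager.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
function Set-EntssoCapabilitiesMask {
    param([Parameter(Mandatory)][string]$Path)   # file saved by Export Management Agent

    $file = Get-Item -LiteralPath $Path
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true              # leave the rest of the export untouched
    $doc.Load($file.FullName)

    $nodes = @($doc.SelectNodes("//*[local-name()='capabilities-mask']"))
    if ($nodes.Count -eq 0) { throw "No capabilities-mask element in $Path" }

    $changed = 0
    foreach ($node in $nodes) {
        switch ($node.InnerText.Trim()) {
            '47b801' { }                                       # already updated
            '7b801'  { $node.InnerText = '47b801'; $changed++ }
            default  { throw "Unexpected capabilities-mask '$_'; the article covers only 7b801" }
        }
    }
    if ($changed -gt 0) {
        # Keep a copy of the original export before rewriting it.
        Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).bak" -Force
        $file.IsReadOnly = $false                # remove the read-only attribute
        $doc.Save($file.FullName)                # Save keeps the declared XML encoding
        $file.IsReadOnly = $true                 # set it again before Update Management Agent
    }
    return $changed
}

function Enable-EntssoDeleteNotification {
    $parent = 'HKLM:\SOFTWARE\Microsoft\ENTSSO'
    if (-not (Test-Path -Path $parent)) { throw "$parent not found on this computer" }
    $key = 'HKLM:\SOFTWARE\Microsoft\ENTSSO\MA'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableDeleteNotification' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller can confirm that it is 1.
    return (Get-ItemProperty -Path $key -Name 'EnableDeleteNotification').EnableDeleteNotification
}

# Hypothetical export location; use the file name you typed when exporting the MA.
Set-EntssoCapabilitiesMask -Path 'C:\Temp\EntssoMA.xml'
Enable-EntssoDeleteNotification
```

The mask function stops on any value other than 7b801 or 47b801 instead of guessing, because the article documents only that one change.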
Notes about user-account deletion behavior that is expected after you apply and then enable this update
- The Entsso.xml configuration file is located in the Extensions subfolder under the ILM Installation folder.
- If the affiliate application is not configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:
  - If ENTSSOMA.deleteAll is true in the Entsso.xml file, the user mapping for this application is deleted. The following is an example:
    <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
    </ENTSSOMA>
  - If ENTSSOMA.deleteAll is false in the Entsso.xml file, the user mapping is not deleted. For example:
    <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="false">
    </ENTSSOMA>
- If the affiliate application is configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:
  - If the EnableDeleteNotification registry parameter is not enabled, the user mapping will not be deleted.
  - If the EnableDeleteNotification registry parameter is enabled, notice the following:
    - If ENTSSOMA.deleteAll is true, the user mapping for this affiliate application is deleted. The following is an example:
      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
      <Application name="AffApp1" sourceMA="ExternalMA1" create="true" delete="true"/>
      </ENTSSOMA>
    - If ENTSSOMA.deleteAll is false, notice the following:
      - If the App.DeleteOption is true (delete="true") in the Entsso.xml file, the user mapping for this affiliate application is deleted.
      - If the App.DeleteOption is false (delete="false") in the Entsso.xml file, the user mapping is not deleted.
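The deletion rules in the notes above, written as a PowerShell check that reports for each affiliate application whether a deleted user's mapping would be removed. This is an added example, not code from the article or the product; the function name, the Config root element, and the AffApp2 and AffApp3 entries are constructed for illustration.

```powershell
# Added example, not from the original article. Sample XML below is constructed.
function Test-SsoMappingDeleted {
    param(
        [Parameter(Mandatory)][xml]$Config,        # parsed Entsso.xml
        [Parameter(Mandatory)][string]$MaName,     # name attribute of the ENTSSOMA element
        [Parameter(Mandatory)][string]$AppName,    # affiliate application to check
        [Parameter(Mandatory)][bool]$DeleteNotificationEnabled   # registry value is 1
    )
    $ma = $Config.SelectNodes('//ENTSSOMA') |
        Where-Object { $_.GetAttribute('name') -eq $MaName } | Select-Object -First 1
    if (-not $ma) { throw "ENTSSOMA '$MaName' not found" }

    $deleteAll = $ma.GetAttribute('deleteAll') -eq 'true'
    $app = $ma.SelectNodes('Application') |
        Where-Object { $_.GetAttribute('name') -eq $AppName } | Select-Object -First 1

    # Application not configured: the notes name only deleteAll for this case.
    if (-not $app) { return $deleteAll }
    # Application configured: nothing is deleted unless the registry value is enabled.
    if (-not $DeleteNotificationEnabled) { return $false }
    if ($deleteAll) { return $true }
    # deleteAll is false: the application's own delete attribute decides.
    return ($app.GetAttribute('delete') -eq 'true')
}

# Constructed sample: the root element name and AffApp2 are placeholders.
[xml]$sample = @'
<Config>
  <ENTSSOMA name="ENTSSOMA1" adma="ADMA" deleteAll="false">
    <Application name="AffApp1" sourceMA="ExternalMA1" create="true" delete="true"/>
    <Application name="AffApp2" sourceMA="ExternalMA1" create="true" delete="false"/>
  </ENTSSOMA>
</Config>
'@

# AffApp3 is deliberately absent from the sample to show the "not configured" case.
foreach ($name in 'AffApp1', 'AffApp2', 'AffApp3') {
    foreach ($flag in $true, $false) {
        [pscustomobject]@{
            Application              = $name
            EnableDeleteNotification = $flag
            MappingDeleted           = Test-SsoMappingDeleted -Config $sample `
                -MaName 'ENTSSOMA1' -AppName $name -DeleteNotificationEnabled $flag
        }
    }
}
```

Any row where MappingDeleted is False marks an application whose stored mapping remains in the Enterprise SSO database after the source account is deleted.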
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Enterprise SSO v4, 32-bit (x86)
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:17 | x86 |
Enterprise SSO v4, 64-bit (x64)
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:17 | x86 |
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:16 | x86 |
Enterprise SSO v4.5, 32-bit (x86)
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Entsso.exe | 6.0.4803.2 | 80,536 | 09-Sep-2013 | 20:01 | x86 |
Importexport.dll | 6.0.4803.2 | 68,256 | 09-Sep-2013 | 20:01 | x86 |
Infocache.dll | 6.0.4803.2 | 137,880 | 09-Sep-2013 | 20:01 | x86 |
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:00 | x86 |
Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:01 | x86 |
Ssoadmin.dll | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:01 | x86 |
Ssoadminserver.dll | 6.0.4803.2 | 129,704 | 09-Sep-2013 | 20:01 | x86 |
Ssoclient.exe | 6.0.4803.2 | 72,344 | 09-Sep-2013 | 20:01 | x86 |
Ssoconfig.exe | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:01 | x86 |
Ssoconfigom.dll | 6.0.4803.2 | 129,696 | 09-Sep-2013 | 20:01 | x86 |
Ssoconfigstore.dll | 6.0.4803.2 | 92,840 | 09-Sep-2013 | 20:00 | x86 |
Ssocsserver.dll | 6.0.4803.2 | 80,544 | 09-Sep-2013 | 20:00 | x86 |
Ssocstx.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:01 | x86 |
Ssolookup.dll | 6.0.4803.2 | 105,112 | 09-Sep-2013 | 20:01 | x86 |
Ssolookupserver.dll | 6.0.4803.2 | 133,800 | 09-Sep-2013 | 20:01 | x86 |
Ssomanage.exe | 6.0.4803.2 | 113,304 | 09-Sep-2013 | 20:01 | x86 |
Ssomapper.dll | 6.0.4803.2 | 117,400 | 09-Sep-2013 | 20:01 | x86 |
Ssomappingserver.dll | 6.0.4803.2 | 109,224 | 09-Sep-2013 | 20:01 | x86 |
Ssomessage.dll | 6.0.4803.2 | 133,792 | 09-Sep-2013 | 20:01 | x86 |
Ssops.exe | 6.0.4803.2 | 101,008 | 09-Sep-2013 | 20:01 | x86 |
Ssopsadmin.dll | 6.0.4803.2 | 96,928 | 09-Sep-2013 | 20:01 | x86 |
Ssopshelper.dll | 6.0.4803.2 | 101,024 | 09-Sep-2013 | 20:01 | x86 |
Ssopsserver.dll | 6.0.4803.2 | 191,136 | 09-Sep-2013 | 20:01 | x86 |
Ssoservercfg.dll | 6.0.4803.2 | 182,944 | 09-Sep-2013 | 20:01 | x86 |
Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:00 | x86 |
Ssoss.dll | 6.0.4803.2 | 117,392 | 09-Sep-2013 | 20:01 | x86 |
Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable |
Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable |
Enterprise SSO v4.5, 64-bit (x64)
File name | File version | File size | Date | Time | Platform |
---|---|---|---|---|---|
Entsso.exe | 6.0.4803.2 | 80,536 | 09-Sep-2013 | 20:10 | x86 |
Importexport.dll | 6.0.4803.2 | 68,256 | 09-Sep-2013 | 20:10 | x86 |
Infocache.dll | 6.0.4803.2 | 137,880 | 09-Sep-2013 | 20:10 | x86 |
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:10 | x86 |
Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:10 | x86 |
Ssoadmin.dll | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:10 | x86 |
Ssoadminserver.dll | 6.0.4803.2 | 129,704 | 09-Sep-2013 | 20:10 | x86 |
Ssoclient.exe | 6.0.4803.2 | 72,344 | 09-Sep-2013 | 20:10 | x86 |
Ssoconfig.exe | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:10 | x86 |
Ssoconfigom.dll | 6.0.4803.2 | 129,696 | 09-Sep-2013 | 20:10 | x86 |
Ssoconfigstore.dll | 6.0.4803.2 | 92,840 | 09-Sep-2013 | 20:10 | x86 |
Ssocsserver.dll | 6.0.4803.2 | 80,544 | 09-Sep-2013 | 20:10 | x86 |
Ssocstx.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:10 | x86 |
Ssolookup.dll | 6.0.4803.2 | 105,112 | 09-Sep-2013 | 20:10 | x86 |
Ssolookupserver.dll | 6.0.4803.2 | 133,800 | 09-Sep-2013 | 20:10 | x86 |
Ssomanage.exe | 6.0.4803.2 | 113,304 | 09-Sep-2013 | 20:10 | x86 |
Ssomapper.dll | 6.0.4803.2 | 117,400 | 09-Sep-2013 | 20:10 | x86 |
Ssomappingserver.dll | 6.0.4803.2 | 109,224 | 09-Sep-2013 | 20:10 | x86 |
Ssomessage.dll | 6.0.4803.2 | 133,792 | 09-Sep-2013 | 20:10 | x86 |
Ssops.exe | 6.0.4803.2 | 101,008 | 09-Sep-2013 | 20:10 | x86 |
Ssopsadmin.dll | 6.0.4803.2 | 96,928 | 09-Sep-2013 | 20:10 | x86 |
Ssopshelper.dll | 6.0.4803.2 | 101,024 | 09-Sep-2013 | 20:10 | x86 |
Ssopsserver.dll | 6.0.4803.2 | 191,136 | 09-Sep-2013 | 20:10 | x86 |
Ssoservercfg.dll | 6.0.4803.2 | 182,944 | 09-Sep-2013 | 20:10 | x86 |
Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:10 | x86 |
Ssoss.dll | 6.0.4803.2 | 117,392 | 09-Sep-2013 | 20:10 | x86 |
Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable |
Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable |
Entsso.exe | 6.0.4803.2 | 94,360 | 09-Sep-2013 | 20:08 | x64 |
Importexport.dll | 6.0.4803.2 | 74,400 | 09-Sep-2013 | 20:08 | x64 |
Infocache.dll | 6.0.4803.2 | 199,832 | 09-Sep-2013 | 20:08 | x64 |
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:08 | x86 |
Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:08 | x86 |
Ssoadmin.dll | 6.0.4803.2 | 118,936 | 09-Sep-2013 | 20:08 | x64 |
Ssoadminserver.dll | 6.0.4803.2 | 187,048 | 09-Sep-2013 | 20:08 | x64 |
Ssoclient.exe | 6.0.4803.2 | 82,584 | 09-Sep-2013 | 20:08 | x64 |
Ssoconfig.exe | 6.0.4803.2 | 130,200 | 09-Sep-2013 | 20:08 | x64 |
Ssoconfigom.dll | 6.0.4803.2 | 167,584 | 09-Sep-2013 | 20:08 | x64 |
Ssoconfigstore.dll | 6.0.4803.2 | 101,544 | 09-Sep-2013 | 20:08 | x64 |
Ssocsserver.dll | 6.0.4803.2 | 94,368 | 09-Sep-2013 | 20:08 | x64 |
Ssocstx.dll | 6.0.4803.2 | 63,640 | 09-Sep-2013 | 20:08 | x64 |
Ssolookup.dll | 6.0.4803.2 | 134,296 | 09-Sep-2013 | 20:08 | x64 |
Ssolookupserver.dll | 6.0.4803.2 | 183,464 | 09-Sep-2013 | 20:08 | x64 |
Ssomanage.exe | 6.0.4803.2 | 153,240 | 09-Sep-2013 | 20:08 | x64 |
Ssomapper.dll | 6.0.4803.2 | 138,904 | 09-Sep-2013 | 20:08 | x64 |
Ssomappingserver.dll | 6.0.4803.2 | 143,528 | 09-Sep-2013 | 20:08 | x64 |
Ssomessage.dll | 6.0.4803.2 | 126,112 | 09-Sep-2013 | 20:08 | x64 |
Ssops.exe | 6.0.4803.2 | 133,264 | 09-Sep-2013 | 20:08 | x64 |
Ssopsadmin.dll | 6.0.4803.2 | 106,144 | 09-Sep-2013 | 20:08 | x64 |
Ssopshelper.dll | 6.0.4803.2 | 110,752 | 09-Sep-2013 | 20:08 | x64 |
Ssopsserver.dll | 6.0.4803.2 | 269,472 | 09-Sep-2013 | 20:08 | x64 |
Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:08 | x86 |
Ssoss.dll | 6.0.4803.2 | 161,936 | 09-Sep-2013 | 20:08 | x64 |
Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable |
Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable |
Note Because of file dependencies, the most recent fix that contains these files may also contain additional files.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.