FIX: The Enterprise Single Sign-On Management Agent cannot remove users from the SSO DB when users are deleted from other synchronized connector spaces in Identity Lifecycle Manager

Symptoms

If the Enterprise Single Sign-On (SSO) Management Agent (MA) is being used within Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 to integrate with Enterprise SSO, you may find that the Enterprise SSO database is not updated when user accounts are deleted in other integrated data sources.

The following is an example scenario:

If a user account is deleted in Active Directory, the matching user account is not removed from the Enterprise SSO database when the synchronization process for the management agent for Active Directory and the Enterprise SSO MA is executed within ILM. If other management agents are part of the synchronization process, the user account is deleted in the other connected data sources. The Enterprise SSO MA is the only management agent that cannot delete the user account, because it does not remove the user account from the Enterprise SSO database.

When user accounts are deleted, the Enterprise SSO MA connector space (CS) includes a placeholder object for all user accounts that were deleted in the other data sources. If you try to add a new user by using one of the previously deleted user accounts, the Enterprise SSO MA cannot add the user account and returns an exception that resembles the following:

System.Exception: Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "distinguished name" already exists in management agent "ENTSSO MA Name".
at Microsoft.MetadirectoryServices.Impl.CSEntryImpl.CommitNewConnector()
at Microsoft.EnterpriseSingleSignOn.MVSync.Provision(MVEntry mventry)


Resolution

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To resolve this problem, apply and then enable this hotfix. After you do this, the Enterprise SSO MA will correctly delete user accounts from the Enterprise SSO database when a delete notification is received during a synchronization process in ILM. Additionally, user accounts that are reused after they were previously deleted will be successfully added to the Enterprise SSO database.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Installation information

To enable this hotfix, follow these steps:

  1. Apply this hotfix.

  2. Update ILM 2007 Feature Pack 1. To do this, apply the hotfixes that are described in the following articles in the Microsoft Knowledge Base:

    946797 A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1

    972757 A hotfix rollup package (build 3.3.1132.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

  3. Change the Enterprise SSO MA XML configuration file (Entsso.xml). To do this, follow these steps:

    1. Start Identity Lifecycle Manager.

    2. Click Management Agents.

    3. Select the Enterprise SSO MA that you are using.

    4. Click Actions, and then click Export Management Agent.

    5. Type a file name for the XML file that will be created, and then click Save.

    6. Remove the read-only attribute from the resulting XML file.

    7. Edit the XML file as follows:

      Locate the following string:

      <capabilities-mask>7b801</capabilities-mask>

      Change it to the following string:

      <capabilities-mask>47b801</capabilities-mask>

      Note In this example, the number 4 is added to 7b801.

    8. Set the read-only attribute for the resulting XML file.

    9. In Identity Lifecycle Manager, click Management Agents.

    10. Click Actions, click Update Management Agent, browse to the updated XML file, and then click Open.

      Note You must have access to the Enterprise SSO MA password during the MA update.

  4. Enable the Enterprise SSO MA update to allow for user records to be deleted by adding the EnableDeleteNotification value to the registry. To do this, follow these steps:

    1. Click Start, click Run, type regedit, and then click OK.

    2. Locate the following registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO

    3. Right-click ENTSSO, point to New, and then click Key.

    4. Type MA and then press Enter.

    5. Right-click MA, point to New, and then click DWORD Value.

    6. Type EnableDeleteNotification, and then press Enter.

    7. Double-click EnableDeleteNotification, type 1 in the Value data box, and then click OK. A value of 1 enables this feature.

    8. Exit Registry Editor.


Notes about user-account deletion behavior that is expected after you apply and then enable this update

  • The Entsso.xml configuration file is located in the Extensions subfolder under the ILM Installation folder.

  • If the affiliate application is not configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:

    • If ENTSSOMA.deleteAll is true in the Entsso.xml file, the user mapping for this application is deleted. The following is an example:

      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
      </ENTSSOMA>

    • If ENTSSOMA.deleteAll is false in the Entsso.xml file, the user mapping is not deleted. For example:

      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="false">
      </ENTSSOMA>

  • If the Affiliate Application is configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:

    • If the EnableDeleteNotification registry parameter is not enabled, the user mapping will not be deleted.

    • If the EnableDeleteNotification registry parameter is enabled, notice the following:

      • If ENTSSOMA.deleteAll is true, the user mapping for this affiliate application is deleted. The following is an example:

        <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
        <Application name="AffApp1" sourceMA="ExternalMA1" create="true" delete="true"/>
        </ENTSSOMA>

      • If ENTSSOMA.deleteAll is false, notice the following:

        • If the App.DeleteOption is true (delete="true") in the Entsso.xml file, the user mapping for this affiliate application is deleted.

        • If the App.DeleteOption is false (delete="false") in the Entsso.xml file, the user mapping is not deleted.
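The deletion rules in these notes, written out as a checker that reports which affiliate-application mappings would survive a user deletion (an added example, not Microsoft's code). The `<Config>` wrapper element, the function names and treating a missing attribute as false are assumptions; the EnableDeleteNotification registry value is passed in as a boolean rather than read from the registry.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Config> wrapper and AffApp2 are assumptions; the
# ENTSSOMA/Application attributes are the ones shown in the article.
SAMPLE_ENTSSO_XML = """
<Config>
  <ENTSSOMA name="ENTSSOMA1" adma="ADMA" deleteAll="false">
    <Application name="AffApp1" sourceMA="ExternalMA1" create="true" delete="true"/>
    <Application name="AffApp2" sourceMA="ExternalMA1" create="true" delete="false"/>
  </ENTSSOMA>
</Config>
"""

def _flag(value):
    """Read an XML attribute as a boolean; a missing attribute counts as false (assumption)."""
    return (value or "").strip().lower() == "true"

def _find_ma(entsso_xml, ma_name):
    """Locate the ENTSSOMA element with the given name anywhere in the document."""
    root = ET.fromstring(entsso_xml)
    ma = next((e for e in root.iter("ENTSSOMA") if e.get("name") == ma_name), None)
    if ma is None:
        raise ValueError(f"no ENTSSOMA element named {ma_name!r}")
    return ma

def mapping_deleted(entsso_xml, ma_name, app_name, enable_delete_notification):
    """Return True if the article's rules say the user mapping for app_name is deleted."""
    ma = _find_ma(entsso_xml, ma_name)
    delete_all = _flag(ma.get("deleteAll"))
    app = next((a for a in ma.iter("Application") if a.get("name") == app_name), None)
    if app is None:
        # Application not listed under ENTSSOMA: deleteAll alone decides.
        return delete_all
    if not enable_delete_notification:
        # Listed application, registry value not enabled: the mapping is kept.
        return False
    # Registry value enabled: deleteAll wins, otherwise the per-application delete flag.
    return delete_all or _flag(app.get("delete"))

def retained_mappings(entsso_xml, ma_name, enable_delete_notification):
    """Names of configured applications whose mappings remain after a user is deleted."""
    ma = _find_ma(entsso_xml, ma_name)
    names = [a.get("name") for a in ma.iter("Application")]
    return [n for n in names
            if not mapping_deleted(entsso_xml, ma_name, n, enable_delete_notification)]

if __name__ == "__main__":
    for enabled in (False, True):
        kept = retained_mappings(SAMPLE_ENTSSO_XML, "ENTSSOMA1", enabled)
        print(f"EnableDeleteNotification={int(enabled)}: mappings retained for {kept}")
```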


File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Enterprise SSO v4, 32-bit (x86)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:17 | x86 |

Enterprise SSO v4, 64-bit (x64)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:17 | x86 |
| Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:16 | x86 |

Enterprise SSO v4.5, 32-bit (x86)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Entsso.exe | 6.0.4803.2 | 80,536 | 09-Sep-2013 | 20:01 | x86 |
| Importexport.dll | 6.0.4803.2 | 68,256 | 09-Sep-2013 | 20:01 | x86 |
| Infocache.dll | 6.0.4803.2 | 137,880 | 09-Sep-2013 | 20:01 | x86 |
| Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:00 | x86 |
| Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:01 | x86 |
| Ssoadmin.dll | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:01 | x86 |
| Ssoadminserver.dll | 6.0.4803.2 | 129,704 | 09-Sep-2013 | 20:01 | x86 |
| Ssoclient.exe | 6.0.4803.2 | 72,344 | 09-Sep-2013 | 20:01 | x86 |
| Ssoconfig.exe | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:01 | x86 |
| Ssoconfigom.dll | 6.0.4803.2 | 129,696 | 09-Sep-2013 | 20:01 | x86 |
| Ssoconfigstore.dll | 6.0.4803.2 | 92,840 | 09-Sep-2013 | 20:00 | x86 |
| Ssocsserver.dll | 6.0.4803.2 | 80,544 | 09-Sep-2013 | 20:00 | x86 |
| Ssocstx.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:01 | x86 |
| Ssolookup.dll | 6.0.4803.2 | 105,112 | 09-Sep-2013 | 20:01 | x86 |
| Ssolookupserver.dll | 6.0.4803.2 | 133,800 | 09-Sep-2013 | 20:01 | x86 |
| Ssomanage.exe | 6.0.4803.2 | 113,304 | 09-Sep-2013 | 20:01 | x86 |
| Ssomapper.dll | 6.0.4803.2 | 117,400 | 09-Sep-2013 | 20:01 | x86 |
| Ssomappingserver.dll | 6.0.4803.2 | 109,224 | 09-Sep-2013 | 20:01 | x86 |
| Ssomessage.dll | 6.0.4803.2 | 133,792 | 09-Sep-2013 | 20:01 | x86 |
| Ssops.exe | 6.0.4803.2 | 101,008 | 09-Sep-2013 | 20:01 | x86 |
| Ssopsadmin.dll | 6.0.4803.2 | 96,928 | 09-Sep-2013 | 20:01 | x86 |
| Ssopshelper.dll | 6.0.4803.2 | 101,024 | 09-Sep-2013 | 20:01 | x86 |
| Ssopsserver.dll | 6.0.4803.2 | 191,136 | 09-Sep-2013 | 20:01 | x86 |
| Ssoservercfg.dll | 6.0.4803.2 | 182,944 | 09-Sep-2013 | 20:01 | x86 |
| Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:00 | x86 |
| Ssoss.dll | 6.0.4803.2 | 117,392 | 09-Sep-2013 | 20:01 | x86 |
| Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable |
| Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable |

Enterprise SSO v4.5, 64-bit (x64)

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Entsso.exe | 6.0.4803.2 | 80,536 | 09-Sep-2013 | 20:10 | x86 |
| Importexport.dll | 6.0.4803.2 | 68,256 | 09-Sep-2013 | 20:10 | x86 |
| Infocache.dll | 6.0.4803.2 | 137,880 | 09-Sep-2013 | 20:10 | x86 |
| Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:10 | x86 |
| Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:10 | x86 |
| Ssoadmin.dll | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:10 | x86 |
| Ssoadminserver.dll | 6.0.4803.2 | 129,704 | 09-Sep-2013 | 20:10 | x86 |
| Ssoclient.exe | 6.0.4803.2 | 72,344 | 09-Sep-2013 | 20:10 | x86 |
| Ssoconfig.exe | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:10 | x86 |
| Ssoconfigom.dll | 6.0.4803.2 | 129,696 | 09-Sep-2013 | 20:10 | x86 |
| Ssoconfigstore.dll | 6.0.4803.2 | 92,840 | 09-Sep-2013 | 20:10 | x86 |
| Ssocsserver.dll | 6.0.4803.2 | 80,544 | 09-Sep-2013 | 20:10 | x86 |
| Ssocstx.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:10 | x86 |
| Ssolookup.dll | 6.0.4803.2 | 105,112 | 09-Sep-2013 | 20:10 | x86 |
| Ssolookupserver.dll | 6.0.4803.2 | 133,800 | 09-Sep-2013 | 20:10 | x86 |
| Ssomanage.exe | 6.0.4803.2 | 113,304 | 09-Sep-2013 | 20:10 | x86 |
| Ssomapper.dll | 6.0.4803.2 | 117,400 | 09-Sep-2013 | 20:10 | x86 |
| Ssomappingserver.dll | 6.0.4803.2 | 109,224 | 09-Sep-2013 | 20:10 | x86 |
| Ssomessage.dll | 6.0.4803.2 | 133,792 | 09-Sep-2013 | 20:10 | x86 |
| Ssops.exe | 6.0.4803.2 | 101,008 | 09-Sep-2013 | 20:10 | x86 |
| Ssopsadmin.dll | 6.0.4803.2 | 96,928 | 09-Sep-2013 | 20:10 | x86 |
| Ssopshelper.dll | 6.0.4803.2 | 101,024 | 09-Sep-2013 | 20:10 | x86 |
| Ssopsserver.dll | 6.0.4803.2 | 191,136 | 09-Sep-2013 | 20:10 | x86 |
| Ssoservercfg.dll | 6.0.4803.2 | 182,944 | 09-Sep-2013 | 20:10 | x86 |
| Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:10 | x86 |
| Ssoss.dll | 6.0.4803.2 | 117,392 | 09-Sep-2013 | 20:10 | x86 |
| Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable |
| Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable |
| Entsso.exe | 6.0.4803.2 | 94,360 | 09-Sep-2013 | 20:08 | x64 |
| Importexport.dll | 6.0.4803.2 | 74,400 | 09-Sep-2013 | 20:08 | x64 |
| Infocache.dll | 6.0.4803.2 | 199,832 | 09-Sep-2013 | 20:08 | x64 |
| Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:08 | x86 |
| Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:08 | x86 |
| Ssoadmin.dll | 6.0.4803.2 | 118,936 | 09-Sep-2013 | 20:08 | x64 |
| Ssoadminserver.dll | 6.0.4803.2 | 187,048 | 09-Sep-2013 | 20:08 | x64 |
| Ssoclient.exe | 6.0.4803.2 | 82,584 | 09-Sep-2013 | 20:08 | x64 |
| Ssoconfig.exe | 6.0.4803.2 | 130,200 | 09-Sep-2013 | 20:08 | x64 |
| Ssoconfigom.dll | 6.0.4803.2 | 167,584 | 09-Sep-2013 | 20:08 | x64 |
| Ssoconfigstore.dll | 6.0.4803.2 | 101,544 | 09-Sep-2013 | 20:08 | x64 |
| Ssocsserver.dll | 6.0.4803.2 | 94,368 | 09-Sep-2013 | 20:08 | x64 |
| Ssocstx.dll | 6.0.4803.2 | 63,640 | 09-Sep-2013 | 20:08 | x64 |
| Ssolookup.dll | 6.0.4803.2 | 134,296 | 09-Sep-2013 | 20:08 | x64 |
| Ssolookupserver.dll | 6.0.4803.2 | 183,464 | 09-Sep-2013 | 20:08 | x64 |
| Ssomanage.exe | 6.0.4803.2 | 153,240 | 09-Sep-2013 | 20:08 | x64 |
| Ssomapper.dll | 6.0.4803.2 | 138,904 | 09-Sep-2013 | 20:08 | x64 |
| Ssomappingserver.dll | 6.0.4803.2 | 143,528 | 09-Sep-2013 | 20:08 | x64 |
| Ssomessage.dll | 6.0.4803.2 | 126,112 | 09-Sep-2013 | 20:08 | x64 |
| Ssops.exe | 6.0.4803.2 | 133,264 | 09-Sep-2013 | 20:08 | x64 |
| Ssopsadmin.dll | 6.0.4803.2 | 106,144 | 09-Sep-2013 | 20:08 | x64 |
| Ssopshelper.dll | 6.0.4803.2 | 110,752 | 09-Sep-2013 | 20:08 | x64 |
| Ssopsserver.dll | 6.0.4803.2 | 269,472 | 09-Sep-2013 | 20:08 | x64 |
| Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:08 | x86 |
| Ssoss.dll | 6.0.4803.2 | 161,936 | 09-Sep-2013 | 20:08 | x64 |
| Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable |
| Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable |

Note Because of file dependencies, the most recent fix that contains these files may also contain additional files.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
