A hotfix rollup package (build 4.4.1642.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 1 (SP1). This rollup package resolves some issues and adds some improvements that are described in the "More Information" section.
Known issue in this update
After you install this update, rules extensions and custom management agents (MAs) based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:
For example, you edit the MIIServer.exe.config file to change the default batch size for processing sync entries for the Forefront Identity Manager (FIM) Service MA. In this situation, the synchronization engine installer for this update intentionally does not replace the configuration file, so that your previous changes are not lost. Because the file is not replaced, the entries that this update requires are missing from it, and the synchronization engine does not load any rules extension DLLs when it runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:
1. Make a backup copy of the MIIServer.exe.config file.
2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following content:
<assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="184.108.40.206-220.127.116.11" newVersion="18.104.22.168" />
4. Save the changes to the file.
5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config file in the parent directory. Repeat steps 1 through 4 for these two files.
6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
7. Verify that the rules extensions and custom management agents now work as expected.
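The steps above applied with PowerShell, as an added example that is not part of the KB article. It backs up each of the three configuration files, replaces the content of the <dependentAssembly> element for Microsoft.MetadirectoryServicesEx, saves the file, and restarts the synchronization service. The install path is an assumed default, and the oldVersion/newVersion values are placeholders that must be copied from the <bindingRedirect> element shown in the steps above.

```powershell
# Added example, not code from the KB article. Assumptions: the default Synchronization Service
# install path below, and that each config has one <dependentAssembly> for Microsoft.MetadirectoryServicesEx.
$SyncBin    = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'  # assumed default path
$OldVersion = '<OLD-VERSION-RANGE>'   # PLACEHOLDER: the oldVersion attribute from the <bindingRedirect> in the article
$NewVersion = '<NEW-VERSION>'         # PLACEHOLDER: the newVersion attribute from the <bindingRedirect> in the article

$ConfigFiles = @(
    (Join-Path $SyncBin 'MIIServer.exe.config'),
    (Join-Path $SyncBin 'Mmsscrpt.exe.config'),
    (Join-Path (Split-Path $SyncBin -Parent) 'Dllhost.exe.config')   # one directory up, as step 5 states
)

foreach ($file in $ConfigFiles) {
    if (-not (Test-Path $file)) { Write-Warning "Not found: $file"; continue }

    # Step 1: back up the original before changing it.
    Copy-Item -Path $file -Destination "$file.bak-$(Get-Date -Format yyyyMMddHHmmss)"

    # Step 2/3: load the file as XML. <assemblyBinding> lives in the asm.v1 namespace,
    # so the XPath query needs a namespace prefix to find <dependentAssembly>.
    [xml]$xml = Get-Content -Path $file -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')
    $dep = $xml.SelectSingleNode(
        "/configuration/runtime/asm:assemblyBinding/asm:dependentAssembly[asm:assemblyIdentity/@name='Microsoft.MetadirectoryServicesEx']",
        $ns)
    if ($null -eq $dep) { Write-Warning "No <dependentAssembly> for Microsoft.MetadirectoryServicesEx in $file"; continue }

    # Replace the content of <dependentAssembly> with the assemblyIdentity/bindingRedirect pair.
    $dep.RemoveAll()   # removes the existing child elements
    $id = $xml.CreateElement('assemblyIdentity', 'urn:schemas-microsoft-com:asm.v1')
    $id.SetAttribute('name', 'Microsoft.MetadirectoryServicesEx')
    $id.SetAttribute('publicKeyToken', '31bf3856ad364e35')
    $redir = $xml.CreateElement('bindingRedirect', 'urn:schemas-microsoft-com:asm.v1')
    $redir.SetAttribute('oldVersion', $OldVersion)
    $redir.SetAttribute('newVersion', $NewVersion)
    [void]$dep.AppendChild($id)
    [void]$dep.AppendChild($redir)

    # Step 4: save the change.
    $xml.Save($file)
    Write-Host "Updated $file"
}

# Step 6: restart the sync service so the new binding redirect is picked up.
Restart-Service -Name FIMSynchronizationService

# Step 7 is a manual check: run a Full Import or Delta Sync run profile and confirm the
# run status is no longer "stopped-extension-dll-load".
```

Run the script from an elevated PowerShell session on the synchronization server. Keeping the timestamped .bak copies lets you diff the edited files against the originals afterwards, which is the quickest way to confirm that only the <dependentAssembly> content changed.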
Microsoft Download Center
A supported update is available from the Microsoft Download Center. We recommend that all customers apply this update to their production systems.
To apply this update, you must have Microsoft Identity Manager 2016 build 4.4.1302.0.
You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_KB4021562.msp) package. You may also have to restart the server components.
This is a cumulative update that replaces all MIM 2016 SP1 updates up to build 4.4.1459.0 for Microsoft Identity Manager 2016.
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File name | File version | File size | Date | Time
Issues that are fixed or improvements that are added in this update
This update makes the following fixes and improvements that were not previously documented in the Microsoft Knowledge Base.
If the SQL Server "Always On" feature is enabled, when the primary server that hosts the FIM Service database goes down while a large sequence of requests (about 500) is being processed, one request always fails.
After you apply this update, the FIM Service tries to recover the request during the validating stage if an error occurs. This change does not guarantee that the request is completed. However, it makes the request more stable.
For more information about the alwaysOnRetryRequestProcessingTransaction setting, see the following:
- By default, this setting is disabled.
- If you enable this setting and an exception occurs, two entries are made in the FIM event log:
- The first entry includes the original error.
- The second entry includes the AlwaysOnRetryRequestProcessingTransaction keyword.
- This property is set in the ResourceManagementService section of the Microsoft.ResourceManagement.Service.exe.config file. For example:
<resourceManagementService externalHostName="myMIMServer" AlwaysOnRetryRequestProcessingTransaction="true" />
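The following added example (not code from the KB article) enables the setting on the FIM Service configuration file the way an administrator would script it: back up the file, set the attribute on the <resourceManagementService> element, save, and restart the service. It then queries the event log for the second of the two entries described above, the one that carries the AlwaysOnRetryRequestProcessingTransaction keyword. The install path, the service name FIMService and the log name "Forefront Identity Manager" are assumptions.

```powershell
# Added example, not code from the KB article. Assumptions: default FIM Service install path,
# service name FIMService, and the FIM Service application log named 'Forefront Identity Manager'.
$ConfigFile = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'

function Set-MimAlwaysOnRetry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [bool]$Enabled = $true
    )
    # Keep a timestamped copy of the original before editing.
    Copy-Item -Path $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"

    [xml]$xml = Get-Content -Path $Path -Raw
    $rms = $xml.SelectSingleNode('/configuration/resourceManagementService')
    if ($null -eq $rms) { throw "No <resourceManagementService> element in $Path" }

    # The attribute takes the literal strings "true"/"false", as in the article's example.
    $rms.SetAttribute('AlwaysOnRetryRequestProcessingTransaction', $Enabled.ToString().ToLowerInvariant())
    $xml.Save($Path)
    return $rms.GetAttribute('AlwaysOnRetryRequestProcessingTransaction')
}

Set-MimAlwaysOnRetry -Path $ConfigFile -Enabled $true   # returns "true"

# The service reads its .config only at startup, so restart it for the change to take effect.
Restart-Service -Name FIMService

# With the setting on, a request that hits an error during validation and is retried produces
# two log entries; filter for the second one, which contains the keyword.
Get-WinEvent -LogName 'Forefront Identity Manager' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AlwaysOnRetryRequestProcessingTransaction' } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
```

Because the retry does not guarantee that the request completes, the event-log query is the check worth keeping: each keyword entry should sit next to an entry holding the original error, and a growing count of them during a failover window tells you how often the FIM Service is falling back to the retry path.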
The Word() function is documented to return an empty string when the input string contains fewer words than the word position requested in the function call. Instead, the function throws an exception and does not return an empty string.
After you install this update, an empty string will be returned. For more information, see Function Reference for FIM 2010.
In a dynamic group or set, if a dereferencing criterion is located beneath other criteria in the filter builder, the View Members command may return the incorrect membership.
After you install this update, the View Members button will return the correct membership.
Under certain circumstances, an AuthZ Workflow denies a request and returns the following error message:
workflow not found in state persistence store
After you install this update, the authorization workflow works as expected without throwing the error.
When a workflow runs an enumerate resource activity to query MIM, it experiences intermittent failures.
After you install this update, the enumerate resource activity no longer fails.
When you run the Import-FIMReportingSchemaDefinition PowerShell cmdlet, the following exception is returned:
Failure when making web service call
After you install this update, the Import-FIMReportingSchemaDefinition cmdlet works as expected.
Privileged Access Management (PAM)-related management policy rules and Navigation bar items are enabled even though the PAM component is not installed.
After you install this update, these objects are hidden until the PAM component is installed.
When you create a new PAM object by using PAM PowerShell cmdlets, the following warning may be entered in the FIM event log:
Domain configuration synchronizer expected 1 DomainConfiguration objects, instead found 0 DomainConfiguration objects.
This issue occurs because there is no associated DomainConfiguration object in the FIM Service to match the domain to which the object is being added by the New-PAM* cmdlet.
After you install this update, the New-PAMDomainConfiguration cmdlet will create a corresponding DomainConfiguration object in the FIM Service, and the New-PAMForest cmdlet will create a corresponding ForestConfiguration object in the FIM Service.
A PAM scenario that has approvals does not work correctly if there’s a child domain in the managed (Corp) forest.
After you install this update, this scenario works as expected.
If an object in a connected data source is excluded from the import by using a Declared Import filter, the import filter doesn’t discover the replacement name of an object that is identified by a placeholder name in the management agent’s connector space.
After you install this update, the replacement name of the object is discovered by the import filter as expected.
Import attribute flow precedence doesn’t transfer to the next precedent object when the previous object that has a higher precedence is disconnected.
After you install this update, precedence works as expected.
The Password Reset (MIIS_CSObject.PasswordSet() method) fails if there’s no trust relationship with the target Active Directory Domain Services (AD DS).
After you install this update, this failure no longer occurs.
After you install an update to an ECMA v2 connector instance, such as an update to the Generic LDAP Connector, the property sheets may stop responding when you turn off the Connectivity tab.
After you install this update, this problem no longer occurs.
When you use the “Oracle (previously Sun) Directory Servers” management agent against a Sun-Java System Directory, the management agent tries to use LDAP paging even though the directory server doesn’t have a listed LDAP control that supports LDAP paging.
After you install this update, this issue will no longer occur.
When you dynamically change the object type of a metaverse object in the management agent rules extension code, the synchronization service may periodically crash.
After you install this update, dynamic changes between metaverse object types that previously caused the synchronization service to crash will throw an exception.
MIM Identity Management Portal
When you access the portal through Firefox browser, the filter builder doesn’t work as expected.
After you install this update, the filter builder can be used in the Firefox browser.
Portal Search renders incorrectly in some screen resolutions.
After you install this update, the Portal renders correctly.
In the Portal, the calendar control in the Advanced Search is truncated.
After you install this update, the calendar control is displayed correctly.
In some cases, the filter builder in the MIM Portal is displayed incorrectly in some modern browsers.
After you install this update, the filter builder is displayed correctly.
All MIM Portal Popups have a fixed size, and the edit controls don’t display correctly.
After you install this update, the popup dialog boxes are resizable, and the controls are displayed properly.
In some languages, the Navigation menu cuts off some menu items.
After you install this update, the Navigation bar is resizable through the Common Portal Customizations object.
When you copy a URL from a pop-up window in the MIM Portal, the URL can’t be generated to the active tab.
After you install this update, the URL from the pop-up window can be generated to the active tab directly.
MIM Password Registration Portal
When you use double-byte characters to provide answers in the Question and Answer authentication gate, a warning is added to the Password Registration Portal registration form. These characters can’t be entered when you use the MIM Windows Credential Provider Extension (logon screen) to reset passwords.
This update adds the option to enable and disable IME usage on the SSPR Registration form.
IME is now customizable by using the following new setting for QAGate activity in the Password Reset workflow:
Note This setting also enables copy-paste operations.
Assume that the IME setting is turned on. When you input a special character, a warning is displayed at the Password Registration portal:
- When the IME setting is turned on, special characters are still not supported in the Windows client. This issue occurs only in the Password Reset portal.
- Character sets for this warning are customizable by using Unicode ranges at the \Password Registration Portal\GateResources\isIME.js file.
MIM Identity Management Portal
When you try to reset a password through Self-Service Password Reset, the answers entered in the Question and Answer gate can’t be masked until the cursor moves out of the control. After this update is applied, a registry key is added to support the complete masking of characters in the Q&A gate.
Note If the IME is enabled in the Password Registration and Password Reset portals, this setting is ignored.
In the Password Reset portal, text is always hidden when you type the answer. This helps to prevent "shoulder surfing" by others.
When the IME setting is turned on, text is displayed while you type, and hidden when the focus leaves the text box.
MIM Credential Provider Extension (SSPR)
When you use the language pack for the MIM Add-ins and Extensions client in Windows 10, the client doesn’t display in French as expected even though the Windows Display Language/locale is configured to fr-CA.
After you install this update, the MIM Add-ins and Extensions language pack will try to map all similar languages to the one that is supported. For example, if the Windows Display Language is ES-CL (Spanish Chile), or any ES-**, it will try to map this to ES-ES (Spanish Spain).
If the automatic mapping doesn’t work as you want, you can use the following registry key to override the Windows Display Language setting with a specific language:
Registry Value Name: OverrideDefaultUILocale
Value Type: String Value
Location: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions]
Note The value that is provided in the OverrideDefaultUILocale registry key should match one of the languages of the installed MIM Add-ins and Extensions language packs.
This override value takes effect only if the Windows Display Language doesn’t have an exact match to an MIM Add-ins and Extensions language pack. The following are examples of this limitation:
- If the Windows Display Language is es-ES, and you have the es-ES MIM language pack installed, you can't override this match by using another language, such as fr-FR.
- Assume that the locale of a system is set to zh-HK, and separate SSPR localization packages are installed for zh-CN and zh-TW. By default, SSPR selects zh-CN (according to internal order). In this situation, you can add an OverrideDefaultUILocale registry key and set the value to zh-TW to force SSPR to select zh-TW. You can also install any other localization package (like fr-FR or ko-KR) and configure it by using this registry key.
Note If you have installed a valid localization package for the current system locale (for example, locale es-ES and localization es-ES), other localizations can’t be selected by using the registry or any other mechanism.
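The registry override described above, scripted as an added example that is not part of the KB article. It creates the String value OverrideDefaultUILocale under the key given above, reads it back, and shows the current Windows UI culture next to it so you can see whether the exact-match rule in the note will make the override a no-op. The zh-TW value is the constructed sample from the zh-HK scenario above; the culture-name check is an assumption added here, not something the MIM client does.

```powershell
# Added example, not code from the KB article. Key path and value name are the ones the article gives;
# the culture-name validation is an assumption added here.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Extensions'
$ValueName = 'OverrideDefaultUILocale'

function Set-MimUILocaleOverride {
    param([Parameter(Mandatory)][string]$Locale)

    # Reject malformed tags early; the value must still match an installed MIM language pack
    # (see the Note above), which this check cannot verify on its own.
    try { [void][System.Globalization.CultureInfo]::GetCultureInfo($Locale) }
    catch { throw "'$Locale' is not a well-formed culture name" }

    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_SZ, as the article specifies "String Value".
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $Locale -Force | Out-Null
    return (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

function Get-MimUILocaleOverride {
    (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Remove-MimUILocaleOverride {
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

# What Windows reports as the display language; if a MIM language pack matches this exactly,
# the override below is ignored, per the Note above.
Get-UICulture | Select-Object Name, DisplayName

Set-MimUILocaleOverride -Locale 'zh-TW'   # returns 'zh-TW'
Get-MimUILocaleOverride                   # reads the stored value back
```

Run this from an elevated session, since the key sits under HKEY_LOCAL_MACHINE. The remove function is there so the override can be backed out cleanly when the right language pack is installed later and the automatic mapping becomes sufficient.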
The following is a list of valid values in this update:
Certificate Management Bulk Client
The Certificate Management (CM) Bulk Client requires the same version as the CM Server. Otherwise, a smooth upgrade (that is, upgrading the CM Server first and then the Bulk Client) isn’t possible.
Smooth upgrade is supported starting with version 4.4.1642.0 of both CM Server and Bulk Client. Newer versions of CM Server work with an earlier Bulk Client, provided the Bulk Client is not earlier than 4.4.1642.0. You can also upgrade from a version earlier than 4.4.1642.0. However, we recommend that you work with Microsoft Support to do this.