Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010


INTRODUCTION

A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010. The hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section. 


Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Website:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Forefront Identity Manager (FIM) 2010 installed.

Registry information

To use the hotfix, you do not have to change the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

| File name | File version | File size | Date | Time |
|---|---|---|---|---|
| Fimaddinsextensionslp_x64_kb2028634.msp | Not applicable | 3,126,784 | 13-Jul-2010 | 09:53 |
| Fimaddinsextensionslp_x86_kb2028634.msp | Not applicable | 2,892,800 | 13-Jul-2010 | 09:32 |
| Fimaddinsextensions_x64_kb2028634.msp | Not applicable | 2,809,344 | 13-Jul-2010 | 09:53 |
| Fimaddinsextensions_x86_kb2028634.msp | Not applicable | 2,452,480 | 13-Jul-2010 | 09:32 |
| Fimcmbulkclient_x86_kb2028634.msp | Not applicable | 2,227,712 | 13-Jul-2010 | 09:32 |
| Fimcmclient_x64_kb2028634.msp | Not applicable | 5,793,280 | 13-Jul-2010 | 09:53 |
| Fimcmclient_x86_kb2028634.msp | Not applicable | 5,127,680 | 13-Jul-2010 | 09:32 |
| Fimcm_x64_kb2028634.msp | Not applicable | 10,083,840 | 13-Jul-2010 | 09:53 |
| Fimpcns_x64_kb2028634.msp | Not applicable | 136,704 | 13-Jul-2010 | 09:53 |
| Fimpcns_x86_kb2028634.msp | Not applicable | 118,272 | 13-Jul-2010 | 09:32 |
| Fimservicelp_x64_kb2028634.msp | Not applicable | 4,608,000 | 13-Jul-2010 | 09:53 |
| Fimservice_x64_kb2028634.msp | Not applicable | 16,441,344 | 13-Jul-2010 | 09:53 |
| Fimsyncservice_x64_kb2028634.msp | Not applicable | 20,679,680 | 13-Jul-2010 | 09:53 |

Component update file information

Component update packages

The following table contains the component update packages that are available for download.

| Component | Filename |
|---|---|
| FIM 2010 Add-ins and Extensions | FIMAddinsExtensions_x86_KB2028634.msp, FIMAddinsExtensions_x64_KB2028634.msp |
| FIM 2010 Add-ins and Extensions Language Pack | FIMAddinsExtensionsLP_x86_KB2028634.msp, FIMAddinsExtensionsLP_x64_KB2028634.msp |
| FIM 2010 Certificate Management | FIMCM_x64_KB2028634.msp |
| FIM 2010 Certificate Management Bulk Issuance Client | FIMCMBulkClient_x86_KB2028634.msp |
| FIM 2010 Certificate Management Client | FIMCMClient_x86_KB2028634.msp, FIMCMClient_x64_KB2028634.msp |
| FIM 2010 Service and Portal | FIMService_x64_KB2028634.msp |
| FIM 2010 Service Portal Language Pack | FIMServiceLP_x64_KB2028634.msp |
| FIM 2010 Synchronization Service | FIMSyncService_x64_KB2028634.msp |
| FIM 2010 Password Change Notification Service | FIMPCNS_x86_KB2028634.msp, FIMPCNS_x64_KB2028634.msp |


More Information

Fixed issues in Certificate Management

Issue 1

The FIM 2010 Certificate Manager (CM) auto enroll policy module cannot be used with Cluster CA when database replication is enabled.
This issue occurs because the database connection is encrypted by using data protection API (DPAPI). When the database is replicated to another node, the connection cannot be decrypted.

Issue 2

The requests that are submitted by the Online Update Service cannot update the target attribute in Active Directory.

Issue 3

The certificate template object identifier (also known as OID) that is specified in an external online update request is ignored in the FIM 2010 CM. Then, when online update requests are submitted externally, all certificates are updated. This issue occurs even if the policy settings dictate that the initiator selects which certificate to update and a certificate OID is specified in the construction of the external request.


Fixed issues in Declarative Provisioning

Issue 1

When a structural class or auxiliary class is added to an object in a connected system, the attributes associated with the class are not displayed in the Synchronization Rule user interface.


Fixed issues in Sync Engine

Issue 1


By default a run stops after 5000 errors.

This hotfix changes the behavior so that warnings do not count against the error limit. 
Issue 2
A Sun ONE Directory may write a delta change log inconsistently. The Sync Engine detects this state and throws the “stopped-change-log-out-of-order” error. Additionally, it requires a full import before a delta import can be run again on the Sun ONE Management Agent (MA).
Issue 3
The Active Directory Management Agent (AD MA) incorrectly reports "success" for a newly provisioned user on which the password policy is not met. This issue results in an "exported-change-not-reimported" warning during the next import because Active Directory would correctly disable the user.
Issue 4
If you have a CaseSensitiveString attribute in Active Directory, the attribute type is not correctly detected and cannot be configured in Declarative Provisioning.
Issue 5
When you try to create a new eDirectory MA that connects to an eDirectory 8.8, you receive the following error message:

The management agent run was ended as there were unspecified agent errors.

The issue occurs because the eDirectory 8.8 is not detected correctly after the eDirectory schema is extended. For example, the eDirectory 8.8 is not detected correctly after you add the SecureLogin type in the schema.
Issue 6
When a calculated group is imported from the FIM Service MA and has static members added because of misconfiguration, Sync Engine crashes. Therefore, a placeholder takeover occurs without any object type set.
Issue 7
The AD MA does not have a check box to enable an account to be unblocked when a password is synchronized.

Issue 8
GALSync cannot recognize the new Exchange Dynamic Distribution List type.
Issue 9
When you perform a search for an object in a connector space for an Export-only ECMA, you receive the following error message:

Image or delta does not have an anchor.
Issue 10
If you configure synchronization rules and set dependencies between them after initial configuration, you can end up in a situation where configuration from before the dependency was set is still being applied and objects are disconnected.

With this hotfix the Synchronization Service does not process those settings.
Issue 11
The FIM MA cannot be created when metaverse attributes have a hyphen character ( - ) in their name and the database is upgraded from Identity Lifecycle Manager (ILM) 2007 or Identity Integration Server (MIIS) 2003 Service Pack 2 (SP2).
Issue 12
The Exchange Server 2010 PowerShell cmdlets cause the FIM Sync Service to crash when the cmdlets time out.

In order to prevent external applications from causing issues to the FIM Sync Service, the cmdlets now run in an external process after you apply the hotfix.
Issue 13
When you define scoping filters by using declarative provisioning, the filter is always evaluated to "false" if an attribute value is missing. This issue makes it difficult to construct filters by using clauses that contain "not" to try to catch bad data.

After you apply the hotfix, an attribute that contains no value (null) is evaluated as if the attribute is an empty string.


Fixed issues in Workflow Engine

Issue 1


During FIM startup, a single failure to create an instance of the WorkflowServiceHost class can cause other workflows not to be re-hydrated. This behavior may cause workflows to become stuck in the PostProcessing stage.
Issue 2
When you create an object that depends on one or more other objects, the Configuration Migration tool may not map references to objects in the target system.


Features in Sync Engine

Feature 1


A limited set of PowerShell cmdlets are added to allow you to perform some limited editing of the Sync Service configuration.
For more information about these PowerShell cmdlets, visit the following Microsoft Website:
Feature 2
The hotfix improves the performance when an object is joined to several management agents, with an average of 10% better performance rate for 5 management agents.
Feature 3
When you import from Active Directory, you must have been granted the DirSync permission. If you have at least a Windows Server 2003 Domain Controller that you can target, you can take advantage of a new feature that uses usual access control lists (ACLs) in Active Directory and does not require DirSync permissions. By setting the ADMAUseACLSecurity registry key, the AD MA uses AD ACLs instead.

For more information about the registry settings for FIM 2010, visit the following Microsoft TechNet website:

If you enable the ADMAUseACLSecurity registry key, make sure that the account that is used by the AD MA has read permissions to all locations. By default, a regular user has read permissions to all objects except deleted objects. If an object cannot be read any longer, it is treated as a deleted object.
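
A pre-flight check for the read-permission caveat above, as an added example that is not part of the original KB article: it compares an LDIF export taken with a reference account against one taken with the AD MA account and lists the objects the MA account cannot read, which would be treated as deleted after ADMAUseACLSecurity is enabled. The function names, the sample DNs and both exports are constructed for illustration, and how the exports are produced is left as an assumption.

```python
import base64

def read_dns(ldif_text):
    """Return the case-folded DNs found in an LDIF export."""
    lines = []
    for raw in ldif_text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        if line.lower().startswith("dn::"):
            # A double colon marks a base64-encoded DN (non-ASCII characters).
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.lower().startswith("dn:"):
            dn = line[3:].strip()
        else:
            continue
        dns.add(dn.casefold())  # Active Directory compares DNs case-insensitively
    return dns

def unreadable_objects(reference_ldif, ma_account_ldif):
    """DNs visible to the reference account but not to the AD MA account."""
    return sorted(read_dns(reference_ldif) - read_dns(ma_account_ldif))

# Constructed sample exports (not real directory data).
_ENCODED_DN = base64.b64encode(
    "CN=Jürgen Example,OU=Staff,DC=corp,DC=example".encode("utf-8")).decode("ascii")

REFERENCE_LDIF = f"""\
dn: CN=Alice Example,OU=Staff,DC=corp,DC=example
objectClass: user

dn: CN=Bob Example,OU=Restricted,DC=corp,DC=
 example
objectClass: user

dn:: {_ENCODED_DN}
objectClass: user
"""

MA_ACCOUNT_LDIF = f"""\
dn: cn=alice example,ou=staff,dc=corp,dc=example
objectClass: user

dn:: {_ENCODED_DN}
objectClass: user
"""

if __name__ == "__main__":
    for dn in unreadable_objects(REFERENCE_LDIF, MA_ACCOUNT_LDIF):
        print("would be treated as deleted:", dn)
```

An empty result means the MA account sees every object the reference account sees; any DN listed needs a read ACL granted before the key is enabled.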
Feature 4
Assume that you are developing a call-based extensible connectivity management agent (ECMA). You expect that the MA will continue exporting the same change until the change is confirmed by an import. Then, when you have an unreliable target for the data, the data might not be committed successfully even if the call returns success. You will notice this during a delta import on which the information that you read back is not what you sent.

To enable this behavior on the ECMA, you can set the ECMAAlwaysExportUnconfirmed registry key. For more information about the registry key, visit the following Microsoft TechNet website: 
Feature 5
The hotfix changes the eDir MA so that the MA enables connection to any 8.x version without the requirement to add a registry key.

Features in User Interface

This hotfix rollup package updates localization for strings that are changed in FIM 2010 Update 1 (version 4.0.3531.2).


References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Keywords: kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbinfo, kbexpertiseadvanced, kb

Article Info
Article ID : 2028634
Revision : 2
Created on : 4/10/2020
Published on : 4/10/2020