Issue 2
A PAM user has their NetBIOS domain name saved in the Service Database and the PAM user can log on to the Portal.
Issue 3
MIM Monitor errors occur when you use the NetBIOS name for source groups.
Issue 4
The New-PAMGroup and New-PAMUser cmdlets do not accept the fully qualified domain name (FQDN) of the domain.
MIM add-ins and extensions
Issue 1
The Approval buttons in the Outlook Add-in disappear in some UI interactions.
Issue 2
You receive an "Installation prerequisites not met" error message if you try to install the MIM Add-in for Outlook on a computer that has Outlook 2016 installed.
MIM Certificate Management
Issue 1
The Profile Template Settings Report displays incorrect information. It shows that PIN Rollover is enabled and that the Admin PIN initial value is set even if this is not true. Also, if the Diversify Admin Key setting is enabled, it is not displayed in the Profile Template Settings Report.
Issue 2
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside MIM Certificate Management (CM).
Issue 3
This hotfix updates the MIM CM CA module tracing and logging, which differs from CM Server application tracing in that CA modules are installed on the AD CS server.
How to use the CA modules tracing
CA module tracing differs from CM Server application tracing because CA modules might be installed on a separate computer.
Log location
Events can be viewed in the Microsoft\IdentityManagement\CertificateManagement\Admin log. By default, CA modules also write messages to the system folder %temp% (usually C:\Windows\TEMP). To change the log file location, specify the new path of the file in the registry. Make sure that the directory exists and is writable by the CA.
How to change the log location
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration in the registry.
- Define a new file location in the ClmCATrace registry value.
- Restart the CA.
Trace switch for ExitModule
Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\ExitModules\Clm.Exit
String name: Microsoft.Clm.ExitModule
Value data: One of the following values: Verbose|Info|Warning|Error
Trace switch for PolicyModule
Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy
String name: Microsoft.Clm.PolicyModule
Value data: One of the following values: Verbose|Info|Warning|Error
Trace switch for PolicyModule plugins
Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\Clm.Policy\<plugin’s name>
String name: Microsoft.Clm.PolicyModulePlugins
Value data: One of the following values: Verbose|Info|Warning|Error
Note Unless the key is defined, the default value is Info. After the trace switch is changed, restart the CA.
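The following script is an added example, not part of the original hotfix notes or Microsoft's tooling. It applies the Exit and Policy module trace switches and the optional log file location described above, then restarts the CA and reads the values back. The parameters $CAName, $Level and $LogFile are placeholders, the ClmCATrace value is assumed to be a string value, and the per-plugin switch is left out.

```powershell
# Added example: configure MIM CM CA-module tracing on the AD CS server.
# Run from an elevated session. $CAName and $LogFile are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $CAName,
    [ValidateSet('Verbose', 'Info', 'Warning', 'Error')] [string] $Level = 'Info',
    [string] $LogFile   # optional: new trace file path for the CA modules
)

$config = 'HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration'

# Registry key -> string value name, as listed in the hotfix notes.
$switches = @{
    "$config\$CAName\ExitModules\Clm.Exit"     = 'Microsoft.Clm.ExitModule'
    "$config\$CAName\PolicyModules\Clm.Policy" = 'Microsoft.Clm.PolicyModule'
}

foreach ($key in $switches.Keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Key not found (module not installed for this CA?): $key"
        continue
    }
    # -Force overwrites an existing value; the trace switches are string values.
    New-ItemProperty -LiteralPath $key -Name $switches[$key] -Value $Level `
        -PropertyType String -Force | Out-Null
}

if ($LogFile) {
    # The directory must already exist. This only checks existence; confirm
    # separately that the account running the CA can write to it.
    $dir = Split-Path -Path $LogFile -Parent
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        throw "Log directory does not exist: $dir"
    }
    # Assumption: ClmCATrace is stored as a string value holding the file path.
    New-ItemProperty -LiteralPath $config -Name 'ClmCATrace' -Value $LogFile `
        -PropertyType String -Force | Out-Null
}

# Trace switch and log location changes take effect only after the CA restarts.
Restart-Service -Name CertSvc

# Read the switches back so the resulting trace level is visible per module.
foreach ($key in $switches.Keys) {
    if (Test-Path -LiteralPath $key) {
        [pscustomobject]@{
            Key   = $key
            Level = (Get-ItemProperty -LiteralPath $key).($switches[$key])
        }
    }
}
```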
Issue 4
The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside the MIM CM.
Issue 5
Certificate enrollment fails when the system uses the German locale.
MIM Synchronization Service
Issue 1
An export-only file-based ECMA2 connector could not export deleted objects.
Issue 2
The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. The msDS-UserPasswordExpiryTimeComputed is a computed attribute in AD DS and is not detected by the import operation. As of this update, the attribute is removed from the list of available attributes in the management agent.
Issue 3
Sometimes during the "Import Server Configuration" stage in the MIM synchronization service (MIISClient), the Import Server Configuration dialog box hangs.
Issue 4
Running more than one run profile with a synchronization task at the same time may cause data corruption.
Note A message box is displayed with a 0x8023063D error code.
Issue 5
After an authoritative restore of Active Directory objects, Active Directory Management Agent (AD MA) delta import mistakenly detects them as deleted.
Issue 6
This update adds the ability to override the default Synchronization engine behavior of changing run profile GUID after export and import of the server configuration.
Note This update adds a special registry subkey to turn on the GUIDs "keeping" mode. To enable "keeping" mode, create the following:
Registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Forefront Identity Manager\2010\Synchronization Service
String name: KeepEqualRunPrGuids
Value data: True
Issue 7
This update extends the functionality of the AD MA configuration cmdlets to be able to handle multiple partitions.
Note Set-MIISADMAConfiguration was extended with a -Partitions parameter that uses a semicolon (;) separator.
Usage
Set-MIISADMAConfiguration -MAName MA_NAME -Forest FORESTNAME -Credentials (Get-Credential) -Partitions "DC=contoso,DC=com; DC=ForestDnsZones,DC=contoso,DC=com"
Issue 8
This update adds a new cmdlet, Add-MIISADMARunProfileStep.
Note It adds run profile step "Full import" assigned to partition 'DC=CONTOSO,DC=COM' to the run profile with name 'ADMA_FULLIMPORT' of the management agent AD_MA. If a run profile with this name doesn’t exist, it will be created. The management agent should already exist.
Possible values of the StepType parameter (either the short form or the long form can be used):
- "FI", "FULL IMPORT"
- "FS", "FULL SYNCHRONIZATION"
- "FIFS", "FULL IMPORT AND FULL SYNCHRONIZATION"
- "FIDS", "FULL IMPORT AND DELTA SYNCHRONIZATION"
- "DI", "DELTA IMPORT"
- "DS", "DELTA SYNCHRONIZATION"
- "DIDS", "DELTA IMPORT AND DELTA SYNCHRONIZATION"
- "EXP", "EXPORT"
Usage
Add-MIISADMARunProfileStep -MAName 'AD_MA' -Partition 'DC=CONTOSO,DC=COM' -StepType 'FI' -ProfileName 'ADMA_FULLIMPORT'
Issue 9
MmsScrpt.exe crashes because of the binary having an invalid entry point. The most common error displayed is "Access violation."
Issue 10
The Import-MIISServerConfig PowerShell cmdlet does not allow for skipping the Management Agent during configuration import.
MIM Portal
Issue 1
This update enables customizations that have controls shown and hidden based on the state of the email enabling check box.
An additional attribute to RCDC’s configuration data is included in this update. The Event element may now have a Parameters attribute. For Group RCDC for the OnChangeEmailEnabling event, it should contain a comma-separated (case-sensitive) list of controls to show or hide.
Here is a small sample (part of RCDC) to show how it works:
<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox"
    my:Caption="%SYMBOL_EmailEnablingCaption_END%"
    my:Description="%SYMBOL_EmailEnablingDescription_END%"
    my:AutoPostback="true" my:RightsLevel="{Binding Source=rights, Path=Email}">
  <my:Properties>
    <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
  </my:Properties>
  <my:Events>
Note If the Parameters attribute is not included, nothing will change versus the previous behavior.
Issue 2
This update adds the ability to fully customize the portal header.
Note Replace the portal header section with custom HTML content (by adding the CustomPortalHeader.html file into the Customizations folder).
Issue 3
All supported languages and cultures are now localized correctly. Some were reported to be localized incorrectly for certain culture-specific localization settings.
Issue 4
The Portal does not verify the content of uploaded image files. However, the Portal can check the content of an image. To enable this verification, User Creation and User Editing RCDC have to be changed by adding the Property option to the UocFileUpload type as in the following example:
<my:Property my:Name="ValidateImage" my:Value="true"/>
MIM Service
Issue 1
During the 4.3.2064.0 hotfix installation, the database upgrade fails if the FIM Service database name is not the default name of FIMService.
Issue 2
Deadlocks may occur during a request evaluation if a complex Set schema is implemented.
Issue 3
The configuration backup tool does not work in MIM.
Issue 4
FIM Management Agent (MA) Export lets you add MIM objects multivalued string attributes.
BHOLD
Issue 1
The applicationdeletealias function is added for the BHOLD web service.
The function name with ARGs may be passed as an argument for the ExecuteXml method.
Notes
- userid and applicationid are mandatory arguments.
- alias is an optional argument. Without the alias argument explicitly defined, the function deletes all aliases for an app-user pair.
Issue 2
BHOLD Core shows an error in the LogItems table upon removing roles from a parent.
Language Support
Issue 1
The new Serbian culture sr-Latn-RS is available for the following components:
- MIM Service
- MIM Clients
- Certificate management