Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: The Enterprise Single Sign-On Management Agent cannot remove users from the SSO DB when users are deleted from other synchronized connector spaces in Identity Lifecycle Manager


View products that this article applies to.

Symptoms

If the Enterprise Single Sign-On (SSO) Management Agent (MA) is being used within Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 to integrate with Enterprise SSO, you may find that the Enterprise SSO database is not updated when user accounts are deleted in other integrated data sources.

The following is an example scenario:

If a user account is deleted in Active Directory, the matching user account is not removed from the Enterprise SSO database when the synchronization process for the management agent for Active Directory and the Enterprise SSO MA is executed within ILM. If other management agents are part of the synchronization process, the user account is deleted in the other connected data sources. The Enterprise SSO MA is the only management agent that cannot delete the user account, because it does not remove the user account from the Enterprise SSO database.

When user accounts are deleted, the Enterprise SSO MA connector space (CS) includes a placeholder object for all user accounts that were deleted in the other data sources. If you try to add a new user by using one of the previously deleted user accounts, the Enterprise SSO MA cannot add the user account and returns an exception that resembles the following:
System.Exception: Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "distinguished name" already exists in management agent "ENTSSO MA Name".
at Microsoft.MetadirectoryServices.Impl.CSEntryImpl.CommitNewConnector()
at Microsoft.EnterpriseSingleSignOn.MVSync.Provision(MVEntry mventry)

↑ Back to the top


Resolution

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this problem, apply and then enable this hotfix. After you do this, the Enterprise SSO MA will correctly delete user accounts from the Enterprise SSO database when a delete notification is received during a synchronization process in ILM. Additionally, user accounts that are reused after they were previously deleted will be successfully added to the Enterprise SSO database.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Installation information

To enable this hotfix, follow these steps:
  1. Apply this hotfix.
  2. Update ILM 2007 Feature Pack 1. To do this, apply the hotfixes that are described in the following articles in the Microsoft Knowledge Base:
    946797 A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1

    972757 A hotfix rollup package (build 3.3.1132.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

  3. Change to the Enterprise SSO MA XML configuration file (Entsso.xml). To do this, follow these steps:
    1. Start Identity Lifecycle Manager.
    2. Click Managements Agents.
    3. Select the Enterprise SSO MA that you are using.
    4. Click Actions, and then click Export Management Agent.
    5. Type a file name for the XML file that will be created, and then click Save.
    6. Remove the read-only attribute from the resulting XML file.
    7. Edit the XML file as follows:

      Locate the following string:
      <capabilities-mask>7b801</capabilities-mask>
      Change it to the following string:
      <capabilities-mask>47b801</capabilities-mask>
      Note In this example, the number 4 is added to 7b801.

    8. Set the read-only attribute for the resulting XML file.
    9. In Identity Lifecycle Manager, click Management Agents.
    10. Click Actions, click Update Management Agent, browse to the updated XML file, and then click Open.

      Note You must have access to the Enterprise SSO MA password during the MA update.
  4. Enable the Enterprise SSO MA update to allow for user records to be deleted by adding the EnableDeleteNotification value to the registry. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO
    3. Right-click ENTSSO, point to New, and then click Key.
    4. Type MA and then press Enter.
    5. Right-click MA, point to New, and then click DWORD Value.
    6. Type EnableDeleteNotification, and then press Enter.
    7. Double-click EnableDeleteNotification, type 1 in the Value data box, and then click OK. A value of 1 enables this feature.
    8. Exit Registry Editor.

Notes about user-account deletion behavior that is expected after you apply and then enable this update

  • The Entsso.xml configuration file is located in the Extensions subfolder under the ILM Installation folder.
  • If the affiliate application is not configured in the Application name section of the Entsso.xml file under ENTSSOMA, notice the following:
    • If ENTSSOMA.deleteAll is true in the Entsso.xml file, delete the user mapping for this application. The following is an example:
      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
      </ENTSSOMA>
    • If ENTSSOMA.deleteAll is false in the Entsso.xml file, the user mapping is not deleted. For example:
      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="false">
      </ENTSSOMA>
  • If the Affiliate Application is configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:
    • If the EnableDeleteNotification registry parameter is not enabled, the user mapping will not be deleted.
    • If the EnableDeleteNotification registry parameter is enabled, notice the following:
      • If ENTSSOMA.deleteAll is true, delete the user mapping for this affiliate application. The following is an example:
        <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">

        <Application name="AffApp1" sourceMA="ExternalMA1" create="true"

        delete="true"/>
        </ENTSSOMA>
      • If ENTSSOMA.DeleteAll is false, notice the following:
        • If the App.DeleteOption is true (delete="true") in the Entsso.xml file, delete the user mapping for this affiliate application.
        • If the App.DeleteOption is false (delete="false") in the Entsso.xml file, the user mapping is not deleted.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Enterprise SSO v4, 32-bit (x86)
File nameFile versionFile sizeDateTimePlatform
Microsoft.enterprisesinglesignon.managementagent.dll6.0.305.267,49628-Jan-201121:17x86
Enterprise SSO v4, 64-bit (x64)
File nameFile versionFile sizeDateTimePlatform
Microsoft.enterprisesinglesignon.managementagent.dll6.0.305.267,49628-Jan-201121:17x86
Microsoft.enterprisesinglesignon.managementagent.dll6.0.305.267,49628-Jan-201121:16x86
Enterprise SSO v4.5, 32-bit (x86)
File nameFile versionFile sizeDateTimePlatform
Entsso.exe6.0.4803.280,53609-Sep-201320:01x86
Importexport.dll6.0.4803.268,25609-Sep-201320:01x86
Infocache.dll6.0.4803.2137,88009-Sep-201320:01x86
Microsoft.enterprisesinglesignon.managementagent.dll6.0.4803.268,33609-Sep-201320:00x86
Microsoft.enterprisesinglesignon.ui2.dll6.0.4803.2846,54409-Sep-201320:01x86
Ssoadmin.dll6.0.4803.2101,01609-Sep-201320:01x86
Ssoadminserver.dll6.0.4803.2129,70409-Sep-201320:01x86
Ssoclient.exe6.0.4803.272,34409-Sep-201320:01x86
Ssoconfig.exe6.0.4803.2101,01609-Sep-201320:01x86
Ssoconfigom.dll6.0.4803.2129,69609-Sep-201320:01x86
Ssoconfigstore.dll6.0.4803.292,84009-Sep-201320:00x86
Ssocsserver.dll6.0.4803.280,54409-Sep-201320:00x86
Ssocstx.dll6.0.4803.268,24809-Sep-201320:01x86
Ssolookup.dll6.0.4803.2105,11209-Sep-201320:01x86
Ssolookupserver.dll6.0.4803.2133,80009-Sep-201320:01x86
Ssomanage.exe6.0.4803.2113,30409-Sep-201320:01x86
Ssomapper.dll6.0.4803.2117,40009-Sep-201320:01x86
Ssomappingserver.dll6.0.4803.2109,22409-Sep-201320:01x86
Ssomessage.dll6.0.4803.2133,79209-Sep-201320:01x86
Ssops.exe6.0.4803.2101,00809-Sep-201320:01x86
Ssopsadmin.dll6.0.4803.296,92809-Sep-201320:01x86
Ssopshelper.dll6.0.4803.2101,02409-Sep-201320:01x86
Ssopsserver.dll6.0.4803.2191,13609-Sep-201320:01x86
Ssoservercfg.dll6.0.4803.2182,94409-Sep-201320:01x86
Ssosql.dll6.0.4803.268,24809-Sep-201320:00x86
Ssoss.dll6.0.4803.2117,39209-Sep-201320:01x86
Ssox6.sqlNot Applicable22,65718-Jul-201301:44Not Applicable
Ssox7.sqlNot Applicable3,99518-Jul-201301:44Not Applicable
Enterprise SSO v4.5, 64-bit (x64)
File nameFile versionFile sizeDateTimePlatform
Entsso.exe6.0.4803.280,53609-Sep-201320:10x86
Importexport.dll6.0.4803.268,25609-Sep-201320:10x86
Infocache.dll6.0.4803.2137,88009-Sep-201320:10x86
Microsoft.enterprisesinglesignon.managementagent.dll6.0.4803.268,33609-Sep-201320:10x86
Microsoft.enterprisesinglesignon.ui2.dll6.0.4803.2846,54409-Sep-201320:10x86
Ssoadmin.dll6.0.4803.2101,01609-Sep-201320:10x86
Ssoadminserver.dll6.0.4803.2129,70409-Sep-201320:10x86
Ssoclient.exe6.0.4803.272,34409-Sep-201320:10x86
Ssoconfig.exe6.0.4803.2101,01609-Sep-201320:10x86
Ssoconfigom.dll6.0.4803.2129,69609-Sep-201320:10x86
Ssoconfigstore.dll6.0.4803.292,84009-Sep-201320:10x86
Ssocsserver.dll6.0.4803.280,54409-Sep-201320:10x86
Ssocstx.dll6.0.4803.268,24809-Sep-201320:10x86
Ssolookup.dll6.0.4803.2105,11209-Sep-201320:10x86
Ssolookupserver.dll6.0.4803.2133,80009-Sep-201320:10x86
Ssomanage.exe6.0.4803.2113,30409-Sep-201320:10x86
Ssomapper.dll6.0.4803.2117,40009-Sep-201320:10x86
Ssomappingserver.dll6.0.4803.2109,22409-Sep-201320:10x86
Ssomessage.dll6.0.4803.2133,79209-Sep-201320:10x86
Ssops.exe6.0.4803.2101,00809-Sep-201320:10x86
Ssopsadmin.dll6.0.4803.296,92809-Sep-201320:10x86
Ssopshelper.dll6.0.4803.2101,02409-Sep-201320:10x86
Ssopsserver.dll6.0.4803.2191,13609-Sep-201320:10x86
Ssoservercfg.dll6.0.4803.2182,94409-Sep-201320:10x86
Ssosql.dll6.0.4803.268,24809-Sep-201320:10x86
Ssoss.dll6.0.4803.2117,39209-Sep-201320:10x86
Ssox6.sqlNot Applicable22,65718-Jul-201301:44Not Applicable
Ssox7.sqlNot Applicable3,99518-Jul-201301:44Not Applicable
Entsso.exe6.0.4803.294,36009-Sep-201320:08x64
Importexport.dll6.0.4803.274,40009-Sep-201320:08x64
Infocache.dll6.0.4803.2199,83209-Sep-201320:08x64
Microsoft.enterprisesinglesignon.managementagent.dll6.0.4803.268,33609-Sep-201320:08x86
Microsoft.enterprisesinglesignon.ui2.dll6.0.4803.2846,54409-Sep-201320:08x86
Ssoadmin.dll6.0.4803.2118,93609-Sep-201320:08x64
Ssoadminserver.dll6.0.4803.2187,04809-Sep-201320:08x64
Ssoclient.exe6.0.4803.282,58409-Sep-201320:08x64
Ssoconfig.exe6.0.4803.2130,20009-Sep-201320:08x64
Ssoconfigom.dll6.0.4803.2167,58409-Sep-201320:08x64
Ssoconfigstore.dll6.0.4803.2101,54409-Sep-201320:08x64
Ssocsserver.dll6.0.4803.294,36809-Sep-201320:08x64
Ssocstx.dll6.0.4803.263,64009-Sep-201320:08x64
Ssolookup.dll6.0.4803.2134,29609-Sep-201320:08x64
Ssolookupserver.dll6.0.4803.2183,46409-Sep-201320:08x64
Ssomanage.exe6.0.4803.2153,24009-Sep-201320:08x64
Ssomapper.dll6.0.4803.2138,90409-Sep-201320:08x64
Ssomappingserver.dll6.0.4803.2143,52809-Sep-201320:08x64
Ssomessage.dll6.0.4803.2126,11209-Sep-201320:08x64
Ssops.exe6.0.4803.2133,26409-Sep-201320:08x64
Ssopsadmin.dll6.0.4803.2106,14409-Sep-201320:08x64
Ssopshelper.dll6.0.4803.2110,75209-Sep-201320:08x64
Ssopsserver.dll6.0.4803.2269,47209-Sep-201320:08x64
Ssosql.dll6.0.4803.268,24809-Sep-201320:08x86
Ssoss.dll6.0.4803.2161,93609-Sep-201320:08x64
Ssox6.sqlNot Applicable22,65718-Jul-201301:44Not Applicable
Ssox7.sqlNot Applicable3,99518-Jul-201301:44Not Applicable
Note Because of file dependencies, the most recent fix that contains these files may also contain additional files.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbexpertiseinter, kbsurveynew, kbbug, kb

↑ Back to the top

Article Info
Article ID : 2465272
Revision : 1
Created on : 1/7/2017
Published on : 4/18/2011
Exists online : False
Views : 320