Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: The Enterprise Single Sign-On Management Agent cannot remove users from the SSO DB when users are deleted from other synchronized connector spaces in Identity Lifecycle Manager


Symptoms

If the Enterprise Single Sign-On (SSO) Management Agent (MA) is being used within Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 to integrate with Enterprise SSO, you may find that the Enterprise SSO database is not updated when user accounts are deleted in other integrated data sources.

The following is an example scenario:

If a user account is deleted in Active Directory, the matching user account is not removed from the Enterprise SSO database when the synchronization process for the management agent for Active Directory and the Enterprise SSO MA is executed within ILM. If other management agents are part of the synchronization process, the user account is deleted in the other connected data sources. The Enterprise SSO MA is the only management agent that cannot delete the user account, because it does not remove the user account from the Enterprise SSO database.

When user accounts are deleted, the Enterprise SSO MA connector space (CS) includes a placeholder object for all user accounts that were deleted in the other data sources. If you try to add a new user by using one of the previously deleted user accounts, the Enterprise SSO MA cannot add the user account and returns an exception that resembles the following:
System.Exception: Microsoft.MetadirectoryServices.ObjectAlreadyExistsException: An object with DN "distinguished name" already exists in management agent "ENTSSO MA Name".
at Microsoft.MetadirectoryServices.Impl.CSEntryImpl.CommitNewConnector()
at Microsoft.EnterpriseSingleSignOn.MVSync.Provision(MVEntry mventry)



Resolution

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this problem, apply and then enable this hotfix. After you do this, the Enterprise SSO MA will correctly delete user accounts from the Enterprise SSO database when a delete notification is received during a synchronization process in ILM. Additionally, user accounts that are reused after they were previously deleted will be successfully added to the Enterprise SSO database.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Installation information

To enable this hotfix, follow these steps:
  1. Apply this hotfix.
  2. Update ILM 2007 Feature Pack 1. To do this, apply the hotfixes that are described in the following articles in the Microsoft Knowledge Base:
    946797 A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1

    972757 A hotfix rollup package (build 3.3.1132.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

  3. Change the Enterprise SSO MA XML configuration file (Entsso.xml). To do this, follow these steps:
    1. Start Identity Lifecycle Manager.
    2. Click Management Agents.
    3. Select the Enterprise SSO MA that you are using.
    4. Click Actions, and then click Export Management Agent.
    5. Type a file name for the XML file that will be created, and then click Save.
    6. Remove the read-only attribute from the resulting XML file.
    7. Edit the XML file as follows:

      Locate the following string:
      <capabilities-mask>7b801</capabilities-mask>
      Change it to the following string:
      <capabilities-mask>47b801</capabilities-mask>
      Note In this example, the digit 4 is added in front of 7b801.

    8. Set the read-only attribute for the resulting XML file.
    9. In Identity Lifecycle Manager, click Management Agents.
    10. Click Actions, click Update Management Agent, browse to the updated XML file, and then click Open.

      Note You must have access to the Enterprise SSO MA password during the MA update.
  4. Enable the Enterprise SSO MA update to allow for user records to be deleted by adding the EnableDeleteNotification value to the registry. To do this, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ENTSSO
    3. Right-click ENTSSO, point to New, and then click Key.
    4. Type MA and then press Enter.
    5. Right-click MA, point to New, and then click DWORD Value.
    6. Type EnableDeleteNotification, and then press Enter.
    7. Double-click EnableDeleteNotification, type 1 in the Value data box, and then click OK. A value of 1 enables this feature.
    8. Exit Registry Editor.
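
Steps 3.6 to 3.8 and step 4 can also be scripted. The PowerShell below is an added example, not part of the Microsoft article: the function names and the constructed sample file are assumptions, and the export (steps 3.1 to 3.5) and Update Management Agent (steps 3.9 to 3.10) actions still take place in Identity Lifecycle Manager.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.
function Set-EntSsoDeleteMask {
    param([Parameter(Mandatory=$true)][string]$Path)   # MA export saved in step 3.5

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true                    # keep the export's layout
    $doc.Load($full)
    # local-name() keeps the lookup working if the export declares a namespace
    $node = $doc.SelectSingleNode('//*[local-name()="capabilities-mask"]')
    if ($null -eq $node) { throw "No <capabilities-mask> element in $Path" }

    switch ($node.InnerText.Trim()) {
        '47b801' { return 'already-set' }
        '7b801'  { break }
        default  { throw "Unexpected mask '$_'; the article only covers 7b801" }
    }
    Set-ItemProperty -LiteralPath $full -Name IsReadOnly -Value $false   # step 3.6
    $node.InnerText = '47b801'                                           # step 3.7
    $doc.Save($full)
    Set-ItemProperty -LiteralPath $full -Name IsReadOnly -Value $true    # step 3.8
    return 'updated'
}

function Enable-EntSsoDeleteNotification {
    # On x64 Windows use a 64-bit PowerShell host so that HKLM\SOFTWARE is not
    # redirected to Wow6432Node.
    $parent = 'HKLM:\SOFTWARE\Microsoft\ENTSSO'
    if (-not (Test-Path $parent)) { throw "$parent not found on this machine" }
    $key = Join-Path $parent 'MA'
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }        # steps 4.3-4.4
    New-ItemProperty -Path $key -Name EnableDeleteNotification `
        -PropertyType DWord -Value 1 -Force | Out-Null                   # steps 4.5-4.7
    (Get-ItemProperty -Path $key).EnableDeleteNotification               # read back
}

# Dry run on a constructed stand-in for the exported MA file (root element invented)
$sample = Join-Path $env:TEMP 'entsso-ma-export-sample.xml'
Set-Content -LiteralPath $sample -Force `
    -Value '<root><capabilities-mask>7b801</capabilities-mask></root>'
Set-EntSsoDeleteMask -Path $sample     # first call rewrites the mask
Set-EntSsoDeleteMask -Path $sample     # second call finds it already changed

# Requires an elevated session on the server where Enterprise SSO is installed
Enable-EntSsoDeleteNotification
```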

Notes about user-account deletion behavior that is expected after you apply and then enable this update

  • The Entsso.xml configuration file is located in the Extensions subfolder under the ILM Installation folder.
  • If the affiliate application is not configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:
    • If ENTSSOMA.deleteAll is true in the Entsso.xml file, the user mapping for this application is deleted. The following is an example:
      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
      </ENTSSOMA>
    • If ENTSSOMA.deleteAll is false in the Entsso.xml file, the user mapping is not deleted. For example:
      <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="false">
      </ENTSSOMA>
  • If the Affiliate Application is configured in the <Application name> section of the Entsso.xml file under ENTSSOMA, notice the following:
    • If the EnableDeleteNotification registry parameter is not enabled, the user mapping will not be deleted.
    • If the EnableDeleteNotification registry parameter is enabled, notice the following:
      • If ENTSSOMA.deleteAll is true, the user mapping for this affiliate application is deleted. The following is an example:
        <ENTSSOMA name ="ENTSSOMA1" adma="ADMA" deleteAll="true">
        <Application name="AffApp1" sourceMA="ExternalMA1" create="true" delete="true"/>
        </ENTSSOMA>
      • If ENTSSOMA.deleteAll is false, notice the following:
        • If the App.DeleteOption is true (delete="true") in the Entsso.xml file, the user mapping for this affiliate application is deleted.
        • If the App.DeleteOption is false (delete="false") in the Entsso.xml file, the user mapping is not deleted.
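
The rules above can be evaluated against an Entsso.xml file to see which affiliate applications would keep a user mapping after the user is deleted upstream. This PowerShell is an added example, not part of the Microsoft article: the function name and the sample XML are constructed, and a missing delete attribute is assumed to behave like delete="false".

```powershell
# Added example (not Microsoft's code). Function name is hypothetical.
function Test-EntSsoMappingDeleted {
    param(
        [Parameter(Mandatory=$true)][xml]$EntssoXml,
        [Parameter(Mandatory=$true)][string]$MaName,
        [Parameter(Mandatory=$true)][string]$Application,
        [bool]$DeleteNotificationEnabled    # EnableDeleteNotification registry value is 1
    )
    $ma = $EntssoXml.SelectNodes('//ENTSSOMA') |
        Where-Object { $_.GetAttribute('name') -eq $MaName } | Select-Object -First 1
    if ($null -eq $ma) { throw "ENTSSOMA '$MaName' not found" }

    $deleteAll = $ma.GetAttribute('deleteAll') -eq 'true'
    $app = $ma.SelectNodes('Application') |
        Where-Object { $_.GetAttribute('name') -eq $Application } | Select-Object -First 1

    if ($null -eq $app)                  { return $deleteAll }  # application not listed
    if (-not $DeleteNotificationEnabled) { return $false }      # registry value not enabled
    if ($deleteAll)                      { return $true }       # deleteAll overrides per-app option
    # Assumption: an absent delete attribute is treated as delete="false"
    return ($app.GetAttribute('delete') -eq 'true')
}

# Constructed sample in the shape of the article's fragments
[xml]$sample = @'
<ENTSSOMA name="ENTSSOMA1" adma="ADMA" deleteAll="false">
  <Application name="AffApp1" sourceMA="ExternalMA1" create="true" delete="true"/>
  <Application name="AffApp2" sourceMA="ExternalMA1" create="true" delete="false"/>
</ENTSSOMA>
'@

# One row per application and registry state; UnlistedApp has no <Application> entry
foreach ($name in 'AffApp1', 'AffApp2', 'UnlistedApp') {
    foreach ($flag in $false, $true) {
        [pscustomobject]@{
            Application              = $name
            EnableDeleteNotification = $flag
            MappingDeleted           = Test-EntSsoMappingDeleted -EntssoXml $sample `
                -MaName 'ENTSSOMA1' -Application $name -DeleteNotificationEnabled $flag
        }
    }
}
```

Rows where MappingDeleted is False are the applications whose SSO mappings remain after the account is removed from the source directory.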

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Enterprise SSO v4, 32-bit (x86)
File name | File version | File size | Date | Time | Platform
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:17 | x86
Enterprise SSO v4, 64-bit (x64)
File name | File version | File size | Date | Time | Platform
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:17 | x86
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.305.2 | 67,496 | 28-Jan-2011 | 21:16 | x86
Enterprise SSO v4.5, 32-bit (x86)
File name | File version | File size | Date | Time | Platform
Entsso.exe | 6.0.4803.2 | 80,536 | 09-Sep-2013 | 20:01 | x86
Importexport.dll | 6.0.4803.2 | 68,256 | 09-Sep-2013 | 20:01 | x86
Infocache.dll | 6.0.4803.2 | 137,880 | 09-Sep-2013 | 20:01 | x86
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:00 | x86
Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:01 | x86
Ssoadmin.dll | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:01 | x86
Ssoadminserver.dll | 6.0.4803.2 | 129,704 | 09-Sep-2013 | 20:01 | x86
Ssoclient.exe | 6.0.4803.2 | 72,344 | 09-Sep-2013 | 20:01 | x86
Ssoconfig.exe | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:01 | x86
Ssoconfigom.dll | 6.0.4803.2 | 129,696 | 09-Sep-2013 | 20:01 | x86
Ssoconfigstore.dll | 6.0.4803.2 | 92,840 | 09-Sep-2013 | 20:00 | x86
Ssocsserver.dll | 6.0.4803.2 | 80,544 | 09-Sep-2013 | 20:00 | x86
Ssocstx.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:01 | x86
Ssolookup.dll | 6.0.4803.2 | 105,112 | 09-Sep-2013 | 20:01 | x86
Ssolookupserver.dll | 6.0.4803.2 | 133,800 | 09-Sep-2013 | 20:01 | x86
Ssomanage.exe | 6.0.4803.2 | 113,304 | 09-Sep-2013 | 20:01 | x86
Ssomapper.dll | 6.0.4803.2 | 117,400 | 09-Sep-2013 | 20:01 | x86
Ssomappingserver.dll | 6.0.4803.2 | 109,224 | 09-Sep-2013 | 20:01 | x86
Ssomessage.dll | 6.0.4803.2 | 133,792 | 09-Sep-2013 | 20:01 | x86
Ssops.exe | 6.0.4803.2 | 101,008 | 09-Sep-2013 | 20:01 | x86
Ssopsadmin.dll | 6.0.4803.2 | 96,928 | 09-Sep-2013 | 20:01 | x86
Ssopshelper.dll | 6.0.4803.2 | 101,024 | 09-Sep-2013 | 20:01 | x86
Ssopsserver.dll | 6.0.4803.2 | 191,136 | 09-Sep-2013 | 20:01 | x86
Ssoservercfg.dll | 6.0.4803.2 | 182,944 | 09-Sep-2013 | 20:01 | x86
Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:00 | x86
Ssoss.dll | 6.0.4803.2 | 117,392 | 09-Sep-2013 | 20:01 | x86
Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable
Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable
Enterprise SSO v4.5, 64-bit (x64)
File name | File version | File size | Date | Time | Platform
Entsso.exe | 6.0.4803.2 | 80,536 | 09-Sep-2013 | 20:10 | x86
Importexport.dll | 6.0.4803.2 | 68,256 | 09-Sep-2013 | 20:10 | x86
Infocache.dll | 6.0.4803.2 | 137,880 | 09-Sep-2013 | 20:10 | x86
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:10 | x86
Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:10 | x86
Ssoadmin.dll | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:10 | x86
Ssoadminserver.dll | 6.0.4803.2 | 129,704 | 09-Sep-2013 | 20:10 | x86
Ssoclient.exe | 6.0.4803.2 | 72,344 | 09-Sep-2013 | 20:10 | x86
Ssoconfig.exe | 6.0.4803.2 | 101,016 | 09-Sep-2013 | 20:10 | x86
Ssoconfigom.dll | 6.0.4803.2 | 129,696 | 09-Sep-2013 | 20:10 | x86
Ssoconfigstore.dll | 6.0.4803.2 | 92,840 | 09-Sep-2013 | 20:10 | x86
Ssocsserver.dll | 6.0.4803.2 | 80,544 | 09-Sep-2013 | 20:10 | x86
Ssocstx.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:10 | x86
Ssolookup.dll | 6.0.4803.2 | 105,112 | 09-Sep-2013 | 20:10 | x86
Ssolookupserver.dll | 6.0.4803.2 | 133,800 | 09-Sep-2013 | 20:10 | x86
Ssomanage.exe | 6.0.4803.2 | 113,304 | 09-Sep-2013 | 20:10 | x86
Ssomapper.dll | 6.0.4803.2 | 117,400 | 09-Sep-2013 | 20:10 | x86
Ssomappingserver.dll | 6.0.4803.2 | 109,224 | 09-Sep-2013 | 20:10 | x86
Ssomessage.dll | 6.0.4803.2 | 133,792 | 09-Sep-2013 | 20:10 | x86
Ssops.exe | 6.0.4803.2 | 101,008 | 09-Sep-2013 | 20:10 | x86
Ssopsadmin.dll | 6.0.4803.2 | 96,928 | 09-Sep-2013 | 20:10 | x86
Ssopshelper.dll | 6.0.4803.2 | 101,024 | 09-Sep-2013 | 20:10 | x86
Ssopsserver.dll | 6.0.4803.2 | 191,136 | 09-Sep-2013 | 20:10 | x86
Ssoservercfg.dll | 6.0.4803.2 | 182,944 | 09-Sep-2013 | 20:10 | x86
Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:10 | x86
Ssoss.dll | 6.0.4803.2 | 117,392 | 09-Sep-2013 | 20:10 | x86
Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable
Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable
Entsso.exe | 6.0.4803.2 | 94,360 | 09-Sep-2013 | 20:08 | x64
Importexport.dll | 6.0.4803.2 | 74,400 | 09-Sep-2013 | 20:08 | x64
Infocache.dll | 6.0.4803.2 | 199,832 | 09-Sep-2013 | 20:08 | x64
Microsoft.enterprisesinglesignon.managementagent.dll | 6.0.4803.2 | 68,336 | 09-Sep-2013 | 20:08 | x86
Microsoft.enterprisesinglesignon.ui2.dll | 6.0.4803.2 | 846,544 | 09-Sep-2013 | 20:08 | x86
Ssoadmin.dll | 6.0.4803.2 | 118,936 | 09-Sep-2013 | 20:08 | x64
Ssoadminserver.dll | 6.0.4803.2 | 187,048 | 09-Sep-2013 | 20:08 | x64
Ssoclient.exe | 6.0.4803.2 | 82,584 | 09-Sep-2013 | 20:08 | x64
Ssoconfig.exe | 6.0.4803.2 | 130,200 | 09-Sep-2013 | 20:08 | x64
Ssoconfigom.dll | 6.0.4803.2 | 167,584 | 09-Sep-2013 | 20:08 | x64
Ssoconfigstore.dll | 6.0.4803.2 | 101,544 | 09-Sep-2013 | 20:08 | x64
Ssocsserver.dll | 6.0.4803.2 | 94,368 | 09-Sep-2013 | 20:08 | x64
Ssocstx.dll | 6.0.4803.2 | 63,640 | 09-Sep-2013 | 20:08 | x64
Ssolookup.dll | 6.0.4803.2 | 134,296 | 09-Sep-2013 | 20:08 | x64
Ssolookupserver.dll | 6.0.4803.2 | 183,464 | 09-Sep-2013 | 20:08 | x64
Ssomanage.exe | 6.0.4803.2 | 153,240 | 09-Sep-2013 | 20:08 | x64
Ssomapper.dll | 6.0.4803.2 | 138,904 | 09-Sep-2013 | 20:08 | x64
Ssomappingserver.dll | 6.0.4803.2 | 143,528 | 09-Sep-2013 | 20:08 | x64
Ssomessage.dll | 6.0.4803.2 | 126,112 | 09-Sep-2013 | 20:08 | x64
Ssops.exe | 6.0.4803.2 | 133,264 | 09-Sep-2013 | 20:08 | x64
Ssopsadmin.dll | 6.0.4803.2 | 106,144 | 09-Sep-2013 | 20:08 | x64
Ssopshelper.dll | 6.0.4803.2 | 110,752 | 09-Sep-2013 | 20:08 | x64
Ssopsserver.dll | 6.0.4803.2 | 269,472 | 09-Sep-2013 | 20:08 | x64
Ssosql.dll | 6.0.4803.2 | 68,248 | 09-Sep-2013 | 20:08 | x86
Ssoss.dll | 6.0.4803.2 | 161,936 | 09-Sep-2013 | 20:08 | x64
Ssox6.sql | Not Applicable | 22,657 | 18-Jul-2013 | 01:44 | Not Applicable
Ssox7.sql | Not Applicable | 3,995 | 18-Jul-2013 | 01:44 | Not Applicable
Note Because of file dependencies, the most recent fix that contains these files may also contain additional files.



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



Keywords: kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbexpertiseinter, kbsurveynew, kbbug, kb


Article Info
Article ID : 2465272
Revision : 1
Created on : 1/7/2017
Published on : 4/18/2011
Exists online : False