Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Hotfix rollup package (build 4.4.1459.0) is available for Microsoft Identity Manager 2016 Service Pack 1


View products that this article applies to.

Introduction

A hotfix rollup package (build 4.4.1459.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 1. This package includes fixes and updated functionality.

↑ Back to the top


Known issue in this update

Synchronization Service

After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file (.config) for one of the following processes:

  • MIIServer.exe
  • Mmsscrpt.exe
  • Dllhost.exe

For example, you edited the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.

In this situation, the synchronization engine installer for this update intentionally avoids replacing the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.

To resolve this issue, follow these steps:

  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:
    <dependentAssembly>
    <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="3.3.0.0-4.1.3.0" newVersion="4.1.4.0" />
    </dependentAssembly>
  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these two files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.

↑ Back to the top


Update information

A supported update is available from the Microsoft Download Center. We recommend that all customers apply this update to their production systems.

download icon for contentauto  Download this update package.

Prerequisites

To apply this update, you must have Microsoft Identity Manager 2016 build 4.4.1302.0.

Restart requirement

You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_KB4012498.msp) package. You may also have to restart the server components.

Replacement information

This update replaces update (build 4.4.1302.0) for Microsoft Identity Manager 2016.

File information

The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File nameFile versionFile sizeDateTime
Fimaddinsextensions_x64_kb4012498.mspNot Applicable4,993,02427-Mar-201712:41
Fimaddinsextensions_x86_kb4012498.mspNot Applicable2,670,59227-Mar-201712:42
Fimcmbulkclient_x86_kb4012498.mspNot Applicable4,927,48827-Mar-201712:42
Fimcmclient_x64_kb4012498.mspNot Applicable6,144,00027-Mar-201712:42
Fimcmclient_x86_kb4012498.mspNot Applicable5,849,08827-Mar-201712:43
Fimcm_x64_kb4012498.mspNot Applicable20,885,50427-Mar-201712:42
Fimcm_x86_kb4012498.mspNot Applicable20,713,47227-Mar-201712:42
Fimservice_x64_kb4012498.mspNot Applicable25,105,14027-Mar-201712:43
Fimsyncservice_x64_kb4012498.mspNot Applicable15,962,11227-Mar-201712:43
Language packs.zipNot Applicable21,923,52727-Mar-201712:43

↑ Back to the top


Issues that are fixed or improvements that are added in this update

This update makes the following fixes and improvements that were not previously documented in the Microsoft Knowledge Base.

MIM Service

Issue 1

Authentication workflow fails with "The semaphore time out period has expired" after custom client requests AuthN token.

After you install the update, the request will complete as expected, and a clear message about a communications error is thrown into the event log.

Issue 2

Under a heavy load, there may be race condition situation when two MIM Service instances try to process the same workflow at the same time. This may cause workflow processing to fail.

After you install this update, this problem no longer occurs.

Issue 3

Set partitioning may not work if a set criteria contains a sub-condition. After you install this update, set partitioning works correctly.

Issue 4

Over time, some processing data accumulates in the MIM Service database, which may cause performance issues. This causes a problem when many Object IDs are retained in the FIM.Objects table. The SQL Server Agent job runs stored procedure FIM_DeleteExpiredSystemObjectsJob and removes expired system objects by collecting all the requests and any object references, and puts their object IDs into the ExpiredObjectKeys table.

Next, all values in the ObjectValue* tables are removed for each ID number in the ExpiredObjectKeys table. Finally, if the values in the ObjectValue* tables have indeed all been deleted, the matching row in the ExpiredObjectKeys table is also deleted. However, the object ID itself is never deleted from the fim.Objects table.

After you install the update, a new stored procedure in the debug namespace is added to clean up the database of these objects.

  • Stored Procedure Name: debug.DeleteObjectRemainders
  • Syntax: exec debug.DeleteObjectRemainders

Issue 5

After MIM SP1 clean installation, MIM Reporting or MIM Service Partitioning may not work correctly. After you install this update, both MIM Service reporting and partitioning are installed and function correctly.

Issue 6

If the FIMService database compatibility level is set to 120, SQL deadlocks may occur. After you install this update, these deadlocks no longer occur.

Improvement 1

Verbose trace logging in the MIM Service can now be enabled without forcing a restart of the service.

One new section is added to the Microsoft.ResourceManagement.Service.exe.config file to support this functionality. After you install this update, this new section is now present.

<dynamicLogging mode="true" loggingLevel="Critical" />

Logging can be set to any level between Critical and Verbose.

Two output files will be written to the installation folder for the MIM Service. It is important for the MIM Service account to have write permissions to this folder.

Folder location:

%programfiles%\Microsoft Forefront Identity Manager\2010\Service

Files written:

  • Microsoft.ResourceManagement.Service_tracelog.svclog

  • Microsoft.ResourceManagement.Service_tracelog.txt

Improvement 2

Support for System Center 2016 Service Manager and Data Warehouse is added for MIM Service Reporting.

Before this update, MIM Reporting could not install and perform with System Center 2016 Service Manager Console.

After you install this update, MIM Reporting can be installed and perform without a need to pre-install SCSM console, for any supported version of SCSM.

Synchronization Service

Issue 1

If the FIM Service management agent exports an object deletion but does not receive a confirmation of the deletion, that same object may be partly recreated in the FIMService.

After you install this update, an error will be displayed in the error list of the export run, and the recreation does not occur.

Issue 2

When the DN of an object is also the anchor, it cannot be renamed. Instead, you receive the following exception:

Unexpected-error

“The dimage has a different anchor or primary object class from what is on the hologram.”

After you install this update, the rename is processed as expected.

Issue 3

The Encryption Key Management Key (miiskmu.exe) tool may not abandon keys because of a time-out caused by a database lock.

After you install this update, the keys are processed without encountering the time-out.

Issue 4

When you run a synchronization profile step, periodic performance issues are encountered.

A fix was made to the mms_getprojected_csrefguids_noorder stored procedure to help improve performance.

Issue 5

Under certain circumstances, filter-based sync rules are applied even when they should not be.

After you install this update, the sync rule is applied only if it should be.

Issue 6

On Export for the Generic LDAP Connector, if the creation of an Audit Log file has been configured, the export run profile stops without posting a BAIL error.

After you install this update, an Export run profile step will run properly on the Generic LDAP Connector when the Audit Log File creation option is enabled.

MIM Password Reset Portal

Issue 1

When you reset a password by using the SMS authentication gate, an incorrect message is displayed to the user:

You need to click Next once you completed this call" and in next line "Call Verified:

After you install this update, the incorrect string, “Call Verified:” is removed from that dialog box.

MIM Identity Management Portal

Issue 1

Drag-and-drop users into the Remove box to delete or remove a member for group membership does not work in all circumstances.

After you install this fix, users can drag-and-drop users into the Remove box when you manage manual group memberships.

Issue 2

Local Date/Time settings being ignored for English (Australia).

After you install this update, the local date/time format settings are applied.

Issue 3

Custom controls are not initialized if we have custom event parameters in the Resource Control Display Configuration (RCDC).

After you install this fix, the custom controls are initialized as expected.

Issue 4

Error handling in the Resource Control Display Configuration is sometimes unclear.

In this update, error notifications are customized to describe the error more clearly.

Issue 5

When you use a copied link to a custom object in the Identity Management Portal, the object does not display as expected.

After you install this update, the custom object displays as expected from the copied link.

Issue 6

When you try to install the Identity Management Portal on SharePoint 2016 after you uninstall or during an update, the Portal is not installed. Additionally, you receive the following exception:

Timeout expired and error in Sharepoint log: Package name does not exist in the solution store.

Installing this update, setup will restart the SharePoint timer service to retry the failed SharePoint jobs, so setup can now complete.

Issue 7

The Approval View RCDC has incorrect symbols and displays an error.

After you install this fix, the approval view RCDC is displayed as expected, and does not throw an exception.

Issue 8

The membership buttons if custom group objects do not work correctly.

After you install this fix, the group membership buttons work as expected.

Issue 9

When you view the MIM Identity Management Portal by using the Firefox browser, object list-views, such as Users and Distribution Groups, do not display properly.

After you install this update, object list-views display as expected when you use the Firefox browser.

Issue 10

When you view the MIM Identity Management Portal by using the Internet Explorer browser, object list-views headings may not be left-aligned in the column.

After you install this update, object list-view headings display left aligned as expected.

Issue 11

When you run the MIM Portal in SharePoint 2016, the Join, Leave, Add Member, and Remove Member buttons do not work as expected on custom group object types.

After you install this update, these buttons work as expected against custom group object types.

Improvement 1

To address the fact that the default value of a Group Scope cannot be set, two optional properties were added to the UoCDropDownList and the UocRadioButtonList.

  • DefaultValue

  • Condition

DefaultValue: This is an optional property. Use this property to define a default value for the control if the control is used to create new data.

For example:

   <my:Control my:Name="My UocDropDownList" my:TypeName="UocDropDownList"
        …
         <my:Properties>
          ...
           <my:Property my:Name="DefaultValue" my:Value="MyDefault" />

Condition: Condition is optional attribute in property and it is used to specify the condition when the property is applied. The control can have several properties that use the same name but disjoint conditions.

The syntax for condition is as follows:

my:Condition="[left part] [condition] [right part]"

Notes

  • [left part] has the following options:
    • Binding Source and path
    • Simple value

  • [condition] has the following options:
    • ==

    • !=

  • [right part] has the following options:
    • Binding Source and path

    • Simple value

Example of creation different defaults for different types of group:

<my:Control my:Name="My UocDropDownList" my:TypeName="UocDropDownList"
        …
         <my:Properties>
          ...
           <my:Property my:Name="DefaultValue" my:Value=" MyDefautltForDistributionGroups" my:Condition="{Binding Source=object, Path=Type} == Distribution" />
          <my:Property my:Name="DefaultValue" my:Value=" MyDefautltForSecurityGroups " my:Condition="{Binding Source=object, Path=Type} == Security" />

Improvement 2

The name for all activity types that you created through Portal is authenticationGateActivity. After you install this update, all new ActivityType objects that are created, will have the following activity name values, according to type:

  • Authentication: authenticationActivity1… authenticationActivityN

  • Authorization: authorizationActivity1… authorizationActivityN

  • Action: actionActivity1… actionActivityN

Improvement 3

Requestor or Approver has no means to provide Justification upon creating the request or Approving/Rejecting pending request.

With this update, a justification field is added to the Create Request view, and new justification request/workflow data can be used. The following attributes are added [//Request/Justification] and [//WorkflowData/Reason] parameters.

Certificate Management

Issue 1

When enrolling for a virtual smart card, entering a pin with fewer than 8 characters returns a misleading error.

After you install this update, a relevant error is returned to the user.

Issue 2

When renewing a smartcard, a user can be caught in an infinite renew loop.

The following steps will cause this issue:

  1. The current smartcard profiles enter the renew window:

    • User receives an email from FIM CM Service asking him to complete a renew request

  2. User successfully executes the renew request and retrieves all certs renewed.

  3. Several hours later, user receives a second email from FIM CM Service.

    • This is not expected as the profile has already been renewed.

  4. The user will end in an infinite renew loop if he executes all the requests FIM CM Service creates.

After you install this update, only the correct requests are created, and there is no infinite loop.

Issue 3

If the Delta CRLs are disabled on a Certification Authority used by MIM Certificate Management, the exception ERROR_FILE_NOT_FOUND will be thrown by MIM CM.

After you install this update, no exception is thrown.

Issue 4

MIM CM does not support NonAdmin mode when you work with virtual cards. Virtual smart card could be only created by the MIM CM Client during enrollment. It is also required to have local admin rights to create a virtual smart card. So, only local admins can enroll for a new virtual smart card through MIM CM Portal.

After you install this hotfix, a new registry key will configure the MIM CM client to run in non-admin mode. Notice that the virtual smart card must be pre-created before the user can enroll their virtual smart card under the non-Admin mode settings.

To enable NonAdmin mode, change or create DWORD value NonAdmin=1 under the following registry key on a client computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CLM\v1.0\SmartCardClient

Issue 5

When you use the MIM CM REST API to change the smart card status to “Disabled”, an Error 501 (NotImplemented) is returned.

After you install this update, this same code will successfully disable the smart card.

PUT …/api/v1.0/requests/{reqID}/smartcards/{smartcardID}
{
   “status” : “Disabled”
}

For more information, see the Update Smartcard Status topic on the Microsoft website.

Issue 6

MIM CM Server version 4.3.1999.0 or a later version (until current hotfix) cannot work with older version of CM Clients (FIM 2010R2 and MIM).

After you install this update, MIM CM Server will work with older MIM and FIM 2010R2 CM Clients (FIM 2010R2 Clients version 4.1.3508.0 and later versions were tested).

Issue 7

"OfflineUnblock" request could not be created by using the following call from the MIM CM REST API:

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/create-request

After you install this update, this same code will successfully submit the OfflineUnblock request.

Issue 8

There is no possibility to use smart card id as a parameter when you create a "Disable"(or any other type) request by using the following call from MIM CM REST API:

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/create-request

 Only the "profile" parameter is available.

For example:

POST api/v1.0/requests
    {
        "target":"e5008CDD9E614F9BBEDC45EEEE6776F0",
        "comment":"any comment",
        "type":"Disable",
        "profiletemplateuuid":"7860DEBB-771D-464E-AAC5-2F093282CE66",
        "datacollection":[],
        "priority":"1",
        "smartcard":"49BFE09C-5590-4CC4-8A21-FB4289F4F6C8"  
     }

After you install this update, you can use the smart card id as a parameter.

Notice that the smart card id is not the same as that of the smart card serial number. Smart card id is created by the MIM CM for each active smart card.

Issue 9

MIM CM Client tracing does not log datetime. After you install this update, the date time data will be included in the client trace log.

Issue 10

Cancelling a user in the existing virtual smart cards modal dialog box can lead to an unusal and confusing error message instead of simply cancelling the operation.

After you install this update, the operation cancels the user.

Issue 11

Retire flow stops responding for TPM virtual smart cards when the NonAdmin option is set in the registry.

Issue 12

Duplicate Revocation Settings under Replace policy does not apply to a duplicated profile. After you install this update, the flow works as expected. The revocation delay is successfully copied to the duplicated profile.

Issue 13

MIM Certificate Management does not log web service exception data. After you install this update, CM now logs all web service exception data.

Improvement 1

Before this update, the only options for PIN rules in the MIM CM Modern App is MinimumPinLength.

After you install this update, the following validation settings are now available:

  • Digits

  • LowercaseLetters

  • MaxLength

  • MinLength

  • SpecialCharacte3rs

  • UppercaseCharacters

MIM Add-in for Outlook

Issue 1

The 32-bit MIM Add-in dlls (for example, OfficeintegrationShim2010.dll) are unsigned after you apply the MIM SP1 MSP update (4.4.1302.0 build).

In this update, all files are signed as expected.

↑ Back to the top


References

Learn about the terminology that Microsoft uses to describe software updates.

↑ Back to the top


Keywords: kbQFE, kbfix, kbExpertiseInter, kbsurveynew, kbBug, ATDownload

↑ Back to the top

Article Info
Article ID : 4012498
Revision : 37
Created on : 3/27/2017
Published on : 3/27/2017
Exists online : False
Views : 230