This update makes the following fixes and improvements that were not previously documented in the Microsoft Knowledge Base.
MIM Service
Issue 1
Authentication workflow fails with "The semaphore time out period has expired" after custom client requests AuthN token.
After you install the update, the request will complete as expected, and a clear message about a communications error is thrown into the event log.
Issue 2
Under a heavy load, there may be race condition situation when two MIM Service instances try to process the same workflow at the same time. This may cause workflow processing to fail.
After you install this update, this problem no longer occurs.
Issue 3
Set partitioning may not work if a set criteria contains a sub-condition. After you install this update, set partitioning works correctly.
Issue 4
Over time, some processing data accumulates in the MIM Service database, which may cause performance issues. This causes a problem when many Object IDs are retained in the FIM.Objects table. The SQL Server Agent job runs stored procedure FIM_DeleteExpiredSystemObjectsJob and removes expired system objects by collecting all the requests and any object references, and puts their object IDs into the ExpiredObjectKeys table.
Next, all values in the ObjectValue* tables are removed for each ID number in the ExpiredObjectKeys table. Finally, if the values in the ObjectValue* tables have indeed all been deleted, the matching row in the ExpiredObjectKeys table is also deleted. However, the object ID itself is never deleted from the fim.Objects table.
After you install the update, a new stored procedure in the debug namespace is added to clean up the database of these objects.
- Stored Procedure Name: debug.DeleteObjectRemainders
- Syntax: exec debug.DeleteObjectRemainders
Issue 5
After MIM SP1 clean installation, MIM Reporting or MIM Service Partitioning may not work correctly. After you install this update, both MIM Service reporting and partitioning are installed and function correctly.
Issue 6
If the FIMService database compatibility level is set to 120, SQL deadlocks may occur. After you install this update, these deadlocks no longer occur.
Improvement 1
Verbose trace logging in the MIM Service can now be enabled without forcing a restart of the service.
One new section is added to the Microsoft.ResourceManagement.Service.exe.config file to support this functionality. After you install this update, this new section is now present.
<dynamicLogging mode="true" loggingLevel="Critical" />
Logging can be set to any level between Critical and Verbose.
Two output files will be written to the installation folder for the MIM Service. It is important for the MIM Service account to have write permissions to this folder.
Folder location:
%programfiles%\Microsoft Forefront Identity Manager\2010\Service
Files written:
Improvement 2
Support for System Center 2016 Service Manager and Data Warehouse is added for MIM Service Reporting.
Before this update, MIM Reporting could not install and perform with System Center 2016 Service Manager Console.
After you install this update, MIM Reporting can be installed and perform without a need to pre-install SCSM console, for any supported version of SCSM.
Synchronization Service
Issue 1
If the FIM Service management agent exports an object deletion but does not receive a confirmation of the deletion, that same object may be partly recreated in the FIMService.
After you install this update, an error will be displayed in the error list of the export run, and the recreation does not occur.
Issue 2
When the DN of an object is also the anchor, it cannot be renamed. Instead, you receive the following exception:
Unexpected-error
“The dimage has a different anchor or primary object class from what is on the hologram.”
After you install this update, the rename is processed as expected.
Issue 3
The Encryption Key Management Key (miiskmu.exe) tool may not abandon keys because of a time-out caused by a database lock.
After you install this update, the keys are processed without encountering the time-out.
Issue 4
When you run a synchronization profile step, periodic performance issues are encountered.
A fix was made to the mms_getprojected_csrefguids_noorder stored procedure to help improve performance.
Issue 5
Under certain circumstances, filter-based sync rules are applied even when they should not be.
After you install this update, the sync rule is applied only if it should be.
Issue 6
On Export for the Generic LDAP Connector, if the creation of an Audit Log file has been configured, the export run profile stops without posting a BAIL error.
After you install this update, an Export run profile step will run properly on the Generic LDAP Connector when the Audit Log File creation option is enabled.
MIM Password Reset Portal
Issue 1
When you reset a password by using the SMS authentication gate, an incorrect message is displayed to the user:
You need to click Next once you completed this call" and in next line "Call Verified:
After you install this update, the incorrect string, “Call Verified:” is removed from that dialog box.
MIM Identity Management Portal
Issue 1
Drag-and-drop users into the Remove box to delete or remove a member for group membership does not work in all circumstances.
After you install this fix, users can drag-and-drop users into the Remove box when you manage manual group memberships.
Issue 2
Local Date/Time settings being ignored for English (Australia).
After you install this update, the local date/time format settings are applied.
Issue 3
Custom controls are not initialized if we have custom event parameters in the Resource Control Display Configuration (RCDC).
After you install this fix, the custom controls are initialized as expected.
Issue 4
Error handling in the Resource Control Display Configuration is sometimes unclear.
In this update, error notifications are customized to describe the error more clearly.
Issue 5
When you use a copied link to a custom object in the Identity Management Portal, the object does not display as expected.
After you install this update, the custom object displays as expected from the copied link.
Issue 6
When you try to install the Identity Management Portal on SharePoint 2016 after you uninstall or during an update, the Portal is not installed. Additionally, you receive the following exception:
Timeout expired and error in Sharepoint log: Package name does not exist in the solution store.
Installing this update, setup will restart the SharePoint timer service to retry the failed SharePoint jobs, so setup can now complete.
Issue 7
The Approval View RCDC has incorrect symbols and displays an error.
After you install this fix, the approval view RCDC is displayed as expected, and does not throw an exception.
Issue 8
The membership buttons if custom group objects do not work correctly.
After you install this fix, the group membership buttons work as expected.
Issue 9
When you view the MIM Identity Management Portal by using the Firefox browser, object list-views, such as Users and Distribution Groups, do not display properly.
After you install this update, object list-views display as expected when you use the Firefox browser.
Issue 10
When you view the MIM Identity Management Portal by using the Internet Explorer browser, object list-views headings may not be left-aligned in the column.
After you install this update, object list-view headings display left aligned as expected.
Issue 11
When you run the MIM Portal in SharePoint 2016, the Join, Leave, Add Member, and Remove Member buttons do not work as expected on custom group object types.
After you install this update, these buttons work as expected against custom group object types.
Improvement 1
To address the fact that the default value of a Group Scope cannot be set, two optional properties were added to the UoCDropDownList and the UocRadioButtonList.
DefaultValue: This is an optional property. Use this property to define a default value for the control if the control is used to create new data.
For example:
<my:Control my:Name="My UocDropDownList" my:TypeName="UocDropDownList"
…
<my:Properties>
...
<my:Property my:Name="DefaultValue" my:Value="MyDefault" />
Condition: Condition is optional attribute in property and it is used to specify the condition when the property is applied. The control can have several properties that use the same name but disjoint conditions.
The syntax for condition is as follows:
my:Condition="[left part] [condition] [right part]"
Notes
- [left part] has the following options:
- Binding Source and path
Simple value
- [condition] has the following options:
- [right part] has the following options:
Binding Source and path
Simple value
Example of creation different defaults for different types of group:
<my:Control my:Name="My UocDropDownList" my:TypeName="UocDropDownList"
…
<my:Properties>
...
<my:Property my:Name="DefaultValue" my:Value=" MyDefautltForDistributionGroups" my:Condition="{Binding Source=object, Path=Type} == Distribution" />
<my:Property my:Name="DefaultValue" my:Value=" MyDefautltForSecurityGroups " my:Condition="{Binding Source=object, Path=Type} == Security" />
Improvement 2
The name for all activity types that you created through Portal is authenticationGateActivity. After you install this update, all new ActivityType objects that are created, will have the following activity name values, according to type:
Authentication: authenticationActivity1… authenticationActivityN
Authorization: authorizationActivity1… authorizationActivityN
Action: actionActivity1… actionActivityN
Improvement 3
Requestor or Approver has no means to provide Justification upon creating the request or Approving/Rejecting pending request.
With this update, a justification field is added to the Create Request view, and new justification request/workflow data can be used. The following attributes are added [//Request/Justification] and [//WorkflowData/Reason] parameters.
Certificate Management
Issue 1
When enrolling for a virtual smart card, entering a pin with fewer than 8 characters returns a misleading error.
After you install this update, a relevant error is returned to the user.
Issue 2
When renewing a smartcard, a user can be caught in an infinite renew loop.
The following steps will cause this issue:
The current smartcard profiles enter the renew window:
User successfully executes the renew request and retrieves all certs renewed.
Several hours later, user receives a second email from FIM CM Service.
The user will end in an infinite renew loop if he executes all the requests FIM CM Service creates.
After you install this update, only the correct requests are created, and there is no infinite loop.
Issue 3
If the Delta CRLs are disabled on a Certification Authority used by MIM Certificate Management, the exception ERROR_FILE_NOT_FOUND will be thrown by MIM CM.
After you install this update, no exception is thrown.
Issue 4
MIM CM does not support NonAdmin mode when you work with virtual cards. Virtual smart card could be only created by the MIM CM Client during enrollment. It is also required to have local admin rights to create a virtual smart card. So, only local admins can enroll for a new virtual smart card through MIM CM Portal.
After you install this hotfix, a new registry key will configure the MIM CM client to run in non-admin mode. Notice that the virtual smart card must be pre-created before the user can enroll their virtual smart card under the non-Admin mode settings.
To enable NonAdmin mode, change or create DWORD value NonAdmin=1 under the following registry key on a client computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CLM\v1.0\SmartCardClient
Issue 5
When you use the MIM CM REST API to change the smart card status to “Disabled”, an Error 501 (NotImplemented) is returned.
After you install this update, this same code will successfully disable the smart card.
PUT …/api/v1.0/requests/{reqID}/smartcards/{smartcardID}
{
“status” : “Disabled”
}
For more information, see the Update Smartcard Status topic on the Microsoft website.
Issue 6
MIM CM Server version 4.3.1999.0 or a later version (until current hotfix) cannot work with older version of CM Clients (FIM 2010R2 and MIM).
After you install this update, MIM CM Server will work with older MIM and FIM 2010R2 CM Clients (FIM 2010R2 Clients version 4.1.3508.0 and later versions were tested).
Issue 7
"OfflineUnblock" request could not be created by using the following call from the MIM CM REST API:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/create-request
After you install this update, this same code will successfully submit the OfflineUnblock request.
Issue 8
There is no possibility to use smart card id as a parameter when you create a "Disable"(or any other type) request by using the following call from MIM CM REST API:
https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/create-request
Only the "profile" parameter is available.
For example:
POST api/v1.0/requests
{
"target":"e5008CDD9E614F9BBEDC45EEEE6776F0",
"comment":"any comment",
"type":"Disable",
"profiletemplateuuid":"7860DEBB-771D-464E-AAC5-2F093282CE66",
"datacollection":[],
"priority":"1",
"smartcard":"49BFE09C-5590-4CC4-8A21-FB4289F4F6C8"
}
After you install this update, you can use the smart card id as a parameter.
Notice that the smart card id is not the same as that of the smart card serial number. Smart card id is created by the MIM CM for each active smart card.
Issue 9
MIM CM Client tracing does not log datetime. After you install this update, the date time data will be included in the client trace log.
Issue 10
Cancelling a user in the existing virtual smart cards modal dialog box can lead to an unusal and confusing error message instead of simply cancelling the operation.
After you install this update, the operation cancels the user.
Issue 11
Retire flow stops responding for TPM virtual smart cards when the NonAdmin option is set in the registry.
Issue 12
Duplicate Revocation Settings under Replace policy does not apply to a duplicated profile. After you install this update, the flow works as expected. The revocation delay is successfully copied to the duplicated profile.
Issue 13
MIM Certificate Management does not log web service exception data. After you install this update, CM now logs all web service exception data.
Improvement 1
Before this update, the only options for PIN rules in the MIM CM Modern App is MinimumPinLength.
After you install this update, the following validation settings are now available:
Digits
LowercaseLetters
MaxLength
MinLength
SpecialCharacte3rs
UppercaseCharacters
MIM Add-in for Outlook
Issue 1
The 32-bit MIM Add-in dlls (for example, OfficeintegrationShim2010.dll) are unsigned after you apply the MIM SP1 MSP update (4.4.1302.0 build).
In this update, all files are signed as expected.