FIM 2010 Build Overview

The goal of this article is to provide an overview of the available builds for FIM as well as a short overview of the new features they introduce.

This article will not provide an overview of all solved issues.

Note

The MIM 2016 (FIM 2010 vNext) builds have been moved to http://aka.ms/mimbuilds.

 


Short URL

Bookmark this page as: http://aka.ms/fimbuilds

 



See also

While this article is focussing on FIM2010, a more extensive list of build versions of the entire Identity Management stack is available at

 



FIM 2010 RTM

Build 4.0.2592.0 (FIM 2010 RTM)

Publication date: 2/mar/2010

  • RTM feature set

 

Build 4.0.3531.2 (Update 1): KB978864

Article ID: 978864 - Last Review: October 13, 2010 - Revision: 3.0

  • Support for the Active Directory Recycle Bin. There is a known issue which is fixed in Build 4.0.3573.2.
  • Resume Full Sync
  • Post-Installation step: Delete the old “Users can create registration objects for themselves” (Action Type: Create, Modify) MPR

 

Build 4.0.3547.2: KB2028634

Article ID: 2028634 - Last Review: March 15, 2011 - Revision: 4.0

A limited set of PowerShell cmdlets are added to allow you to perform some limited editing of the Sync Service configuration.

  • The hotfix improves the performance when an object is joined to several management agents.
  • ADMAUseACLSecurity as an alternative to the DirSync permission in Active Directory.
  • ECMAAlwaysExportUnconfirmed registry key for Extensible Connectivity Management Agent (ECMA).
  • eDIR MA change to allow connection to any 8.x version without the requirement for a registry key.

 

Build 4.0.3558.2: KB2272389

Article ID: 2272389 (09-Sep-2010) - Last Review: November 11, 2010 - Revision: 3.0

  • PrivacyLink: Password Reset registration wizard can provide a link to the company data policy.
  • MinimalObjectLogging: This lets less information be logged if an error has occurred during a run.
  • Enables an outgoing synchronization rule to use a flow scope that accommodates more than two resource types.
  • An error message is written to the event log when a management agent run encounters staging errors.
  • Behavior for MA's with multiple partitions when unselecting partitions.

 

Build 4.0.3561.2 (superseded)

  • Replaced by build 4.0.3573.2

 

Build 4.0.3573.2: KB2417774

Article ID: 2417774 (21-Jan-2011) - Last Review: April 27, 2011 - Revision: 7.0

  • FIM CM updated to support data encryption that uses key pairs that are stored by using a Key Storage Provider.
  • Support for running the FIM 2010 CM bulk client on Windows 7.
  • Password history policy from Active Directory Domain Services (AD DS) is applied for password reset operations in Forefront Identity Manager
  • The eDirectory MA exposes a new check box which can be checked to unlock the account during password set.
  • Approval operations can now be processed by any instance of the FIM service.
  • The filter in a comment is included within the SQL statement that executes the query. This feature improves query troubleshooting.
  • Asynchronous export mode for FIM MA

Note

However, Build 3573.2 has an issue: if you install it without first installing Update 1, it corrupts the FIMService database. This must be resolved either by restoring from a backup and then applying Update 1 followed by Build 3573.2, or by calling Microsoft Support.

 

Build 4.0.3576.2: KB2502631

Article ID: 2502631, 02-Mar-2011 - Last Review: March 23, 2011 - Revision: 1.0

  • Use key pairs for data encryption in FIM CM. The key pairs are stored by using a key storage provider.
  • Run the FIM 2010 CM Bulk Client in Windows 7.
  • Use FIM Sync service account in the AD MA configuration.
  • Export subattributes in Sun Directory Services LDAP.

 

Build 4.0.3594.2: KB2520954

Article ID: 2520954, 11-Oct-2011 - Last Review: July 3, 2012 - Revision: 3.0

  • Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation.
  • The FIM 2010 Active Directory Management Agent (AD MA) now honors the preferred domain controller list when passwords are exported.
  • This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.
  • Adds the ability to filter objects before they are imported into the AD MA connector space.
  • Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA.
Caution
This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.
  • A new Connector (formerly Management Agent) development framework that is named Extensible Connectivity Management Agent 2.0 (ECMA2.0) is included. This is listed as a new entry in the Management Agent drop-down list.
  • The FIM Synchronization Service now supports running Microsoft .NET Framework 4 extension code. This can be used both in rules extensions and in Management Agents such as ECMA 2.0. The FIM Synchronization Service automatically detects the latest version of the .NET Framework on the server. If needed, you can disable the .NET Framework 4 by removing it from the Runtime section in the Miiserver.exe.config file.
  • Hotfix rollup 2520954 removed support for using the following characters as SQL wildcard characters in queries, in dynamic group filters, and in set filters. The functionality of some existing customer deployments may use these characters as wildcard characters. This update reverts the earlier change.

 

Note

FIM 2010 Update Rollup 2 (build 4.0.3606.2) contains a feature that is intended to improve Query performance in the case of certain complex queries. This “tabular functions” feature is turned off by default. The product team has discovered an issue in this feature that could return incorrect query results when the query includes at least two statements and the same attribute is referenced in the statements. We strongly advise customers NOT to turn on the Set Partition feature.

 

Build 4.0.3606.2: KB2635086

Article ID: 2635086 - Last Review: March 30, 2012 - Revision: 5.0

 

Build 4.0.3617.2: KB2688078

Article ID: 2688078 - Last Review: May 30, 2012 - Revision: 1.0

  • Fixed issues in the Sync Engine (ECMA 2.0, ECMA 1.0 and organizational unit provisioning related)
  • Fixed issues in setup (database upgrade & change/remove installation related)

 

Build 4.0.3627.2: KB2737503

  • Fixed issues in the Sync Engine
  • Fixed issues in the FIM Service MA (.net 4.0 bug, additional logging for FIM MA exceptions)
  • Adds support to configure the Query and Sets feature to treat underscores as literals instead of as SQL wildcard characters

 

Build 4.0.3644.2: KB2750673

  • Fixed DB2 MA issue when connecting to a server that is running on an IBM iSeries V6 server or later.
  • When the FIM password reset activity does not connect to the Active Directory, the WMI components now return an error code.
  • Fixed .NET version numbers in Microsoft.MetadirectoryServicesEx.dll as changes occurred in build 4.0.3617.2, but the version number was not incremented.

 

Build 4.0.3684.2: KB2819338

  • Fixed Exchange configuration options on the Active Directory Management Agent

 

Build 4.0.3714.2: KB2887498

Article ID: 2887498 - Last Review: November 27, 2013 - Revision: 2.0

  • Issue 1: FIM synchronization cannot deprovision computer objects in Active Directory when there are other child objects, such as printers and file share objects, present on the computer object.
  • Issue 2: An export-only ECMA1 Management Agent might give the error "There is no primary object class on this image" during export of an object delete operation.

 

Build 4.0.3733.2: KB2926490

Article ID: 2926490 - Last Review: February 7, 2014 - Revision: 3.0

  • Fixed Exchange configuration options on the Active Directory Management Agent

 



FIM 2010 R2

Build 4.1.2273.0: FIM 2010 R2

 

Build 4.1.2515.0 (for R2): KB2734159

  • (to be completed)

 

Build 4.1.2548.0 (for R2): KB2750671

  • (to be completed)

 

Build 4.1.3114.0: KB2772429 (Service Pack 1 for FIM 2010 R2)

  • An upgrade to FIM 2010 R2 from an earlier version may be unsuccessful in certain scenarios if the imported changes from a management agent are not synchronized before the upgrade.
  • A connection to Active Directory Lightweight Directory Services (AD LDS) when SSL is enabled is unsuccessful.
  • When a connector is synced to a metaverse object that already has an un-synced connector in the same connector space, the sync on the object fails with stopped-server. In this case, the synchronization engine incorrectly considers this as an invalid state.
  • Multiple issues with ECMA 2.0 are fixed.
  • A reinstallation of the reporting components does not update the System Center registry value in the FIMService registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\FIMService).

 

Build 4.1.3419.0 (for R2): KB2814853

  • (to be completed)

 

Build 4.1.3441.0 (for R2): KB2832389

Article ID: 2832389 - Last Review: April 25, 2013 - Revision: 3.0

FIM Sync

  • Issues Fixed
    • AD MA) would stop if there was an issue during Exchange provisioning
    • PCNS, the setting for the password source
    • stopped-ma" error on FIMMA on delta import
    • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
    • error returned on object during add in ECMA2
    • Schema Refresh on an ECMA2 Connector
    • export-only ECMA2 did not correctly handle errors "The image or delta doesn't have an anchor."
    • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.
    • Adding a value to a reference value by using scripted code throws an error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1
    • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
  • New features
    • The Synchronization Service's contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
    • This release includes ECMA2.2 which has several new features added.

FIMCM

  • Fixed
    • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
    • The ability to print photos is added by using ID Works.
    • Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

SSPR

  • Fixed
    • If a new password has a string that might violate the ASP.NET request validator such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client"

BHOLD

  • Fixed
    • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.

 

Build 4.1.3451.0 (for R2): KB2849119

 

Build 4.1.3461.0 (for R2): KB2870703

 

Build 4.1.3469.0 (for R2): KB2877254

Article ID: 2877254 - Last Review: November 27, 2013 - Revision: 2.0

 

Build 4.1.3479.0 (for R2): KB2889529

 

Build 4.1.3496.0 (for R2): KB2906832

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM Service and FIM Portal

Issue 1: When you create a custom solution in FIM 2010 R2, you may experience any of the following scenarios:

  • Scenario 1: An authorization workflow could get stuck.
  • Scenario 2: An authorization workflow could be executed again after a FIMService restart.
  • Scenario 3: An authorization workflow parent request may not be set to expire.

Changes to stored procedures in the FIMService database resolve scenarios 2 and 3.

To resolve scenario 1, an additionalAuthorizationWaitTimeInSeconds property was added to built-in building-block activities that enables the activity to set how long the request processor should wait for authorization before it throws an AuthorizationRequiredFault error. We recommend that you set this value to 0 (zero) or a larger value.

New feature 1: By using a new configuration option, you can now hide the Advanced Search link in the FIM Portal.

FIM Synchronization Service

  1. Issue 1: During an export on the FIM Service management agent (MA), the FIM Synchronization Service or the FIM Service may be stopped. In this case, the Synchronization Service may be unable to complete the export on a retry, and you receive the following error message: The operation failed because the attribute cannot be found.
  2. Issue 2: In certain scenarios, the FIM Service MA may return the following error message: Type: System.ArgumentOutOfRangeException. This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.
  3. Issue 3: In rare cases, an import could receive a staging error because of duplicate references in the connector space.
  4. Issue 4: In rare cases, an import could receive a staging error because an object was moved in the connected directory.
  5. Issue 5: An Extensible Connectivity 2.0 Management Agent (ECMA 2.0) connector could end up in an infinite loop. This problem may occur when the capability flag is set not to export references in the first pass. In this case, an object that has no reference attributes cannot export an attribute. This problem affects the Windows Azure Active Directory connector that is provided by Microsoft.
  6. Issue 6: In ECMA 2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA 2.0 could not export and therefore caused a staging error on the next import and synchronization.

 

Build 4.1.3508.0 (for R2): KB2913228

FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, the FIMService instance may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports that have a run status of stopped-server. Additionally, the following exception is logged in the Forefront Identity Manager event log: System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.

Issue 2

Consider the following scenario:

  • A Transition Out management policy rule is using a dynamic set together with a multivalued attribute.
  • Two or more elements are removed from the attribute in a single request.
  • One of the removed elements triggers the Transition-Out ManagementPolicyRule (MPR) resource.

In this scenario, the request fails. Additionally, you receive the following exception:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#1B54B73__5330D0771D3CFFB1'. Cannot insert duplicate key in object 'dbo.@transitionOutapplicableRuleBuffer'.

Issue 3

When an export that is run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a failed-modification-via-web-services exception may be returned. When you review the details of the exception, you find that an SQL deadlock occurred.

FIM Synchronization Service

Issue 1

If a multivalued attribute is exported and then changed directly in the target system, the change is not evaluated during delta synchronization. For example, this issue occurs in the following scenario when the Active Directory Management Agent is used:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses directly in Active Directory outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.

In this scenario, the next delta sync will not process the change.

Issue 2

If an exception is thrown by the Connector’s password extension during password synchronization, the Connector will be unloaded from memory. This behavior may cause high processor usage on the computer that is hosting the FIM Synchronization Service when that computer processes password synchronization if it is under load or is synchronizing passwords to multiple Connectors.

After this update is installed, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface and unload the Connector. This lets the interface be reused for another password operation to the connected data source. The password operation will not be retried and is removed from the queue. Any other exception will still unload the Connector and reload it at the next password operation.

 

Build 4.1.3510.0 (for R2): KB2934816

FIM Service and Portal

Issue 1

If a FIMService instance loses connection to the FIMService database, it may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports with a run status of "stopped-server." Additionally, the following exception is logged in the Forefront Identity Manager event log:

System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.

Issue 2

You use a multivalue attribute in a dynamic set. This dynamic set is used in a Transition Out management policy rule. If two or more elements are removed from the attribute in a single request, and if one of the elements triggers the Transition-Out MPR, the request fails, and you receive the following exception:

Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint 'PK__#1B54B73__5330D0771D3CFFB1'. Cannot insert duplicate key in object 'dbo.@transitionOutApplicableRuleBuffer'.

Issue 3

When an export run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a "failed-modification-via-web-services" exception can be returned. When you review the details of the exception that is returned, you see that an SQL Deadlock occurred.

FIM Synchronization Service

Issue 1

In the Active Directory management agent, changes to a multivalue attribute such as proxyAddresses are not synchronized to the metaverse in the following scenario:

  1. A change to proxyAddresses is exported to the Active Directory for User1.
  2. A second change is made to proxyAddresses outside the synchronization service.
  3. A Delta Import run profile is run to confirm the exported changes.

Issue 2

After you apply this update, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface. This enables the interface to be reused for another password operation to the connected data source.

BHOLD

Issue 1: If a regular expression policy rule is applied for an ABA role, all applied ABA roles are stuck in the pending state for the users and are never assigned.

Issue 2: If a user has an ABA role, and if you try to change a user attribute that is not related to the ABA role, all ABA roles are again marked for policy validation. Additionally, assigned permissions are removed and assigned back.

Issue 3: When you have more than 500 permissions in BHOLD and search permissions on the Supervised Permissions tab of Default Supervisor Role, no results are returned, and you are returned to the previous page.

Issue 4: When you configure an attribute-based role assignment for a role and then you try to click the Show Impact link in the policies section of a role, you receive the following error message: Object reference not set to an instance of an object

Issue 5: The SP1 build does not let you re-create a permission that was removed from BHOLD earlier.

Issue 6: When you try to change and save a user without changing the end date, you receive the following error message: Invalid date format.

Issue 7: When you try to move an organization unit in the BHOLD Core Portal, you receive the following warning message: Session ID missing: The Session ID is not found in URL. You can continue working using the menu at the left

Issue 8: The "User by Role" report cannot be generated after the limit of 50,000 users is reached. Additionally, you receive an "Out of memory" exception.

Issue 9: In the BHOLD Self-Service Portal, the role information screen under the Role Requests-Current Roles tab displays no role descriptions or permission details.

Issue 10: When you log on as a typical end-user in the BHOLD Service Portal, the "My Roles" screen is displayed as an empty page even though the user is assigned with both "active" and "proposed" roles.

Issue 11: The BHOLD - Access Management agent cannot perform full imports because of an SQL time-out issue that occurs when there is a load of more than 50,000 to 100,000 users.

Issue 12: BHOLD cannot add permissions to a user by using the BHOLD Connector after these permissions are denied.

Issue 13: When a steward in the BHOLD Attestation portal has multiple resources to attest and is working on approving or denying permissions for one user, other permissions for a different user are changed in the user interface.

 

Build 4.1.3559.0 (for R2): KB2969673

<to be completed>

 

Build 4.1.3599.0 (for R2): KB2980295

Prerequisites: To apply this update, you must have Forefront Identity Manager 2010 R2 SP1 (build 4.1.3419.0 or a later build) installed.

For BHOLD deployments, you must have hotfix rollup package 2934816 (build 4.1.3510.0) installed to apply this update.

Replacement information: This update replaces the following updates:

  • 2969673 A hotfix rollup (build 4.1.3559.0) is available for Forefront Identity Manager 2010 R2
  • 2934816 A hotfix rollup package (build 4.1.3510.0) is available for Forefront Identity Manager 2010 R2

 

FIM service and portals
Issue 1

This hotfix updates the FIM Password Reset and Password Registration Portal with additional UI changes that apply to customers who are customizing these portals in compliance with Section 508 of the U.S. Federal Rehabilitation Act.

Issue 2

When you configure a UocDropDownList control in a Resource Control Display Configuration with string values, the list of values in the control are not displayed in alphabetical order.

This fix adds the Sorted property to the UocDropDownList control. When the Sorted property is set to True, the items are sorted in alphabetical order.

Issue 3

In the FIM Identity Management Portal that has the language pack installed, the display names of approval objects are not completely translated.

BHOLD
Issue 1

Users who are in inherited supervisor roles for operational units (OUs) may not have supervisor roles in subordinate OUs.

Issue 2

Roles that are directly assigned to a user are also listed under the inherited roles node.

Issue 3

When multiple attribute-based authorization (ABA) rules that are specified in BHOLD Core assign permissions to a user, and the user's attributes change and are synched in from BHOLD FIM Provisioning Access Management Connector, the user may not receive all of his or her permissions.

Issue 4

In the BHOLD Analytics module, the impact operation is not available after a ruleset that includes a filter with a restrictive type is set. After this fix is applied, pressing the Impact button displays the impact of the rules.

Issue 5

The following error message may be logged in the Application log on a computer where BHOLD Core is installed:

Error when executing 'EXEC ProcessQueueCommand30RoleBiased' \n\n Reason System.Data.OleDb.OleDbException

Issue 6

When the FIM Integration module is being used, and the BHOLD self-service features are incorporated into the FIM portal, some column headings may appear to be truncated.

Issue 7

In BHOLD Attestation, the notification template editor toolbar buttons are not displayed correctly.

Issue 8

When you apply this hotfix, BHOLD Attestation notification email messages contain a URL that requires one fewer click by the end-user in order to navigate to the page to perform the attestation.

Issue 9

This hotfix adds a UserUpdate function to the BHOLD Core scripting web service.

FIM Synchronization Service
Issue 1

Starting with build 4.1.3508.0, audit log files on Export run profile steps do not include reference attribute values.

Certificate management
Issue 1

Assume that a certificate is enrolled by using certificate template CT1 in profile template PT1, and then CT1 is replaced by another certificate template. If CT1 is removed, the certificate is revoked, and no new certificate is created from PT1. Additionally, later renewals of the certificate fail and a cryptic error message is returned.

Feature 1

Existing users in the FIM Certificate Management database, who have associated profiles and certificates, cannot be migrated to a different Active Directory user.

Build 4.1.3613.0 (for R2 SP1): KB3011057

Prerequisites: To apply this update, you must have Forefront Identity Manager 2010 R2 SP1 (build 4.1.3419.0 or a later build) installed.

For BHOLD deployments, you must have hotfix rollup package 2934816 (build 4.1.3510.0) installed to apply this update.

Replacement information: This update replaces the following updates:

  • 2980295 Hotfix rollup package (build 4.1.3599.0) is available for Forefront Identity Manager 2010 R2 SP1
  • 2969673 A hotfix rollup (build 4.1.3559.0) is available for Forefront Identity Manager 2010 R2
  • 2934816 A hotfix rollup package (build 4.1.3510.0) is available for Forefront Identity Manager 2010 R2

 

Build 4.1.3627.0 (for R2): KB3022704

<to be completed>

 

Build 4.1.3634.0 (for R2): KB3048056

We recommend that all customers apply this update to their production systems.

 

Key issue fixed / feature added: Windows 2012 R2 Domain Controller Support

Supportability for Password Change Notification Service (PCNS) and Active Directory Management Agent in a Windows Server 2012 R2 domain and forest includes the following:
  • Password Change Notification Service is working correctly on Windows Server 2012 R2-based domain controllers.
  • Active Directory Management Agent for Windows 2012 R2 domain and forest correctly handles password change events.

 

Note

In all supported cases, the FIM Synchronization Service must be installed only on a Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 member server. It must not be installed on a Windows Server 2012 R2 member server. Only the PCNS component can be installed on a Windows Server 2012 R2 domain controller.

 

Build 4.1.3646.0 (for R2): KB3054196

FIM Service

When you update the criteria of a group or set, you receive a SQL error if negative conditions exceed 7 in the filter when you click View members. After you apply this update, the View Members button works as expected.

FIM Portal

Fixed:

  • In the FIM Credential Provider Extension for Self-Service Password Reset (SSPR), you cannot answer by using double-byte characters through the Windows Input Method Editor (IME) in the "Question and Answer" gate.
  • In the FIM Password Registration Portal, auto-focus on the first text box can cause the first registration question to be hidden from view.
  • On the FIM Password Registration and Password Reset websites, autocomplete was not disabled for the logon forms.
  • The Object Picker control in the FIM Identity Management Portal returns invalid results if there were special characters in the search string.

CM

Fixed: The revocation settings in a profile template can only be configured for all certificates together and not for each certificate separately.

FIM Sync

Fixed

  • The management agent for Active Directory receives a "Replication Access Denied" error when you run a Delta Import run profile step on domains that contain a read-only domain controller (RODC).

BHOLD

Fixed:

  • When you create delta-attestation campaign in BHOLD Analytics, an error message is displayed regardless of whether the campaign was created.
  • In BHOLD Attestation, user interface elements may not be available with new versions of Internet Explorer

 

Build 4.1.3671.0 (for R2): KB3092178

FIM Service

This update also fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

FIM add-ins and extensions

  1. Issue 1 This hotfix addresses an issue in the password reset window that occurs on displays that have high DPI settings when the Windows display sizing of items is set to a custom size, such as 200% or more.

FIM Certificate Management

  1. Issue 1 If you try to enroll a smart card that has the correct profile selected (and the correct adminKey), but the user PIN does not correspond to the smart card PIN policy, you receive the following error message:

    The card cannot be accessed because the wrong PIN was presented.

FIM Synchronization Service

  1. Issue 1 When you configure an ECMA2 run profile, you receive the following exception: Value of ‘10’ is not a valid value
  2. Issue 2 The Sync Engine reports a staging error during delta import when the Generic LDAP connector detects the renaming of the distinguished name for an object.
  3. Issue 3 During the export run DN modification of a user, an object is deleted from a group membership in Oracle Directory Enterprise Edition (ODSEE) instead of changing the DN LDAP.
  4. Issue 4 When you try to select an OU that contains more than 4,000 sub-OUs on the Directory Partitions tab, you receive the following error message: The administrative size limit on the server was exceeded.
  5. Issue 5 When you perform an Export, CS Search, or CS Deletion during ECMA2 Export Only, the MA displays the following error message: The image or delta doesn't have an anchor.
  6. Issue 6 The Sync Service stops responding because of high CPU usage when you stop a run profile for the ECMA connector.
  7. Issue 7 When you have characters in the SMTP address that are unsupported by Exchange Server, a GALSync Export operation stops, and you receive an ma-extension error. This triggers a provisioning loop that causes object duplication.

FIM Portal

  1. Issue 1 This hotfix addresses an issue in the FIM Portal that affects sorting a customized list view that's based on the columns specified in the ColumnsToDisplay field.
  2. Issue 2 This hotfix updates HTML elements and attributes in the password registration portal and the FIM Portal.
  3. Issue 3 The object picker does not search objects that contain special characters in their file names.
  4. Issue 4 This hotfix updates the translation into Russian of the user interface strings that relate to “Password Reset AuthN Workflow” activity.
  5. Issue 5 This hotfix addresses an issue that affects the Leave and Remove Member buttons when the group resource type is customized.
  6. Issue 6 This hotfix adds a new search scope (All Groups) to enable searching for and joining groups if the user does not know whether the group is a security group or a distribution list.

FIM Service

  1. Issue 1 This hotfix addresses an issue in which broker service conversations are not closed after an export from FIM Sync to the FIM Service database.
  2. Issue 2 When there are too many negative conditions in the Group Criteria, the SQL & FIM service stop running.
  3. Issue 3 SET filter definitions are unsuccessful during save after you upgrade to version 4.1.3634.0.
  4. Issue 4 When you use the CustomExpression option, the Concatenate operator is replaced with the "+" character. This triggers an error when it saves.
  5. Issue 5 This hotfix addresses an issue that affects FIM Service database stored procedures. Specifically, deadlocks might occur in approval workflows. This issue occurs particularly in deployments with complex or general Set definitions such as sets matching "/*" instead of with specific resource types.

BHOLD

  1. Issue 1 There's an inconsistency between the Permission name and the value if an attribute changes. After Export\Import\Export flow in FIM Sync, BHOLD receives duplicates of a renamed group and retains the original group in the database.

 

Build 4.1.3721.0 (for R2): KB3134722

This update replaces update 3092178 (build 4.1.3671.0) for Forefront Identity Manager 2010 R2. List of fixed issues:

FIM Certificate Management

  1. The Profile Template Settings Report shows incorrect information. It shows that "PIN Rollover" is enabled and that the "Admin PIN" initial value is set even if this is not true. Also, if the Diversify Admin Key setting is enabled, this is not shown in the Profile Template Settings Report.

FIM Synchronization Service

  1. The Export-only file-based ECMA2 connector fails to export deleted objects.
  2. The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. The msDS-UserPasswordExpiryTimeComputed is a computed attribute in AD DS, and it will not be detected by the import operation. As of this update, the attribute is removed from the list of available attributes.
  3. After an authoritative restore of Active Directory objects, the AD MA delta import mistakenly detects them as deleted.
  4. Sometimes during "Import Server Configuration" in the FIM synchronization service (MIISClient), the Import Server Configuration dialog box appears to hang.
  5. Running more than one run profile with a synchronization task at the same time is forbidden by the documentation and may cause data corruption, but the sync engine doesn't prevent it.
  6. A Sync Service hang (high CPU usage) occurs when you stop a run profile for the ECMA connector
  7. In the GALSync MA, mail address validation fails unexpectedly.
  8. In the GALSync MA, when an email address from the proxyAddress attribute is validated, the "SMTP:" prefix is removed only when it is written in capital letters; otherwise, validation fails.

FIM add-ins and extensions

  1. The Approval buttons of the Outlook Add-in disappear during certain UI workflows.

FIM Portal

  1. This update enables customizations that have controls shown and hidden, depending on the state of the email enabling check box.
  2. During the 4.1.3671.0 hotfix installation, the database upgrade fails if the FIM Service database name is not the default name of FIMService.

FIM Service

  1. Deadlocks may occur during a request evaluation if a complex Set schema is implemented.
  2. During the installation of build 4.1.3671.0, the database upgrade fails if the FIM Service database name is not set to the default name of FIMService.

BHOLD

  1. There is no option in the UI to remove an alias. The applicationdeletealias function is added for the BHOLD web service.

    The function name with ARGs may be passed as an argument for the ExecuteXml method.

    Notes

    • userid and applicationid are mandatory arguments.
    • alias is an optional argument. Without the alias argument explicitly defined, the function deletes all aliases for an app-user pair.
  2. BHOLD Core shows an error in the LogItems table upon removing roles from a parent.

               

 

Build 4.1.3766.0 (for R2): KB3171318

This update replaces update 2934816 (build 4.1.3510.0) for Forefront Identity Manager 2010 R2. List of fixed issues:

FIM Certificate Management

  1. Issue 1 A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.
  2. Issue 2 The Duplicate Revocation Settings policy is replaced because some users could not set it.
  3. Issue 3 There is a redundant space in the "Profile Summary" string on the Request Complete page for some languages.

FIM Synchronization Service

  1. Issue 1 In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.
  2. Issue 2 Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don't work.
  3. Issue 3 The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.
  4. Issue 4 When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.
  5. Issue 5 An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn't appear in the error list as expected, and a non-informative error window appears.
  6. Issue 6 You receive a "Reference to undeclared entity 'qt'" error message when you run the history process and the history text contains the "greater than" symbol (>).
  7. Issue 7 Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.
  8. Issue 8 A "MEMORY_ALLOCATION_FAILURE" error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

  1. Issue 1 Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

  1. Issue 1 During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.
  2. Issue 2 In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

  1. Issue 1 When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.
  2. Issue 2 Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.
  3. Issue 3 When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.
  4. Issue 4 An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.
  5. Issue 5 If two or more roles are assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.
  6. Issue 6 An email alias is truncated if it is longer than 30 characters.



FIM 2010 LDAP connector

Build 4.3.1082 (for R2): KB2936070

  • Issue 1: When you try to connect to a Lightweight Directory Access Protocol (LDAP) server that has Secure Sockets Layer (SSL) protocol/Transport Layer Security (TLS) protocol enabled, the connection fails unless mutual authentication is enabled. After this update is applied, the certificate information on the connectivity page is used only when mutual authentication is enabled. If the server uses SSL/TLS, the certificate that is presented is visible on the global page.
  • Issue 2: A DN-rename operation fails for some LDAP directories during a delta import if the connected system returns more results than the configured page size on the connector can hold.
  • Issue 3: When a change in an attribute value involves only a change in letter case (uppercase to lowercase or vice-versa), the change fails for some LDAP directories. For example, if the attribute value is changed from “contoso” to “Contoso,” the change fails for some LDAP directories.
  • Feature 1: Added support for the following additional LDAP directories, including delta import support:
    • Open DS
    • Open DJ
    • Active Directory Lightweight Directory Services (AD LDS)
    • Active Directory Global Catalog (AD GC)

 



FIM 2010 Lotus Domino MA

Build 5.0.601.0: KB2784728

Article ID: 2784728 - Last Review: December 20, 2012 - Revision: 1.0

 

Build 5.3.259.0: KB2823899

Article ID: 2823899 - Last Review: April 2, 2013 - Revision: 1.0

 

Build 5.3.407.0: KB2854415

Article ID: 2854417 - Last Review: June 27, 2013 - Revision: 1.0

 

Build 5.3.520.0: KB2741896

 

Build 5.3.534.0: KB2875551

Article ID: 2875551 - Last Review: August 9, 2013 - Revision: 1.0

 

Build 5.3.721.0: KB2899874

Article ID: 2899874 - Last Review: October 28, 2013 - Revision: 1.0

 

Note

All hotfix rollups are cumulative. This means you can start from RTM and install the desired build level without having to install all previously released build versions.

 

Build 5.3.1003.0: KB2932635

Article ID: 2932635 - Last Review: February 19, 2014 - Revision: 1.0

  • Issue 1 You export group members that are other groups (also known as nested groups) to Domino. If the groups are located in the root of the directory, the membership will be incorrect. To correctly export group members in this scenario, set the Enable Creation of _Contacts object option on the global page to None.
  • Issue 2 In a Domino system where records are updated by a back-end process, some records might not appear in a full import. This behavior occurs if search indexes are out-of-date in Domino. This causes some of the records in the FIM Synchronization Service to be deleted. If you experience this problem, change the new Perform Full Import By option from the default setting of Search to Views.
  • Issue 3 Password synchronization operations are always reported as successful even if the user is not present in Domino. An operation that fails because of a deleted user is now reported as Failed in the event log.

 

Build 1.0.0597.0910: KB3096533

  • Issue 1: A delta import does not return accented characters correctly when you use the "add, update, delete" option.
  • Issue 2: If the Domino server goes down, the objects that are trying to be read are reported as deleted. After you apply this update, the Connector stops if the Domino server stops responding.
  • Feature 1: A new option was added to use views for full import. This is a better option to use when you have a heavily used system on which entries might be locked during import.



FIM 2010 PowerShell MA

Build 4.3.1082.0

Download from http://www.microsoft.com/en-us/download/details.aspx?id=42260

 

Build 1.0.419.911: KB3008179

Issues that are fixed

This update fixes the following issues that were not previously documented in the Microsoft Knowledge Base:

  • Creating a PowerShell connector without using an LDAP DN style fails because of an issue in the default template.

Features that are added

  • This update adds support for Windows PowerShell 4.0.

 



FIM 2010 SharePoint MA

Build 4.3.1935: KB3100358

       



Best practices

  • Apply patches in a test or a lab environment before patching your production servers.
  • Keep all FIM solution components on the same patch level.

 



Additional Resources

 

Note
To provide feedback about this article, create a post on the FIM TechNet Forum.

 
