Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & ILM/FIM (It is just like an addiction, The more you have, the more you want to have!)

Archive for the ‘Forefront Identity Manager (FIM) Certificate Management’ Category

(2013-05-12) Forefront Identity Manager 2010 R2 Developer Reference Guides

Posted by Jorge on 2013-05-12


Through the following links you can find the Developer Reference Guides for both FIM 2010 R2 and the Bhold Suite.

  • Forefront Identity Manager 2010 R2 Service Developer Reference
    • The FIM 2010 R2 Service includes solutions for management of users, access, credentials, and policies. FIM 2010 R2 Service improves operational efficiency by automating common identity lifecycle management tasks and providing self-help solutions to end users. It provides self-service identity and access management capabilities such as password reset. It can be extended through the use of web service APIs, modifying the object schema, and creating custom workflows and activities. New to the Forefront Identity Manager 2010 R2 Service is the SSPR SMS provider, which provides a solution for sending one-time passwords to mobile phones.
  • Forefront Identity Manager 2010 R2 Synchronization Service Developer Reference
    • FIM 2010 R2 Synchronization Service provides identity synchronization and user provisioning across multiple directories. FIM 2010 R2 Synchronization Service now includes an updated extensible management agent framework that allows for the development of management agents that can access directories and data repositories not provided by the out-of-the box management agents.
  • Forefront Identity Manager 2010 R2 BHOLD Developer Reference
    • Microsoft BHOLD Suite extends the capabilities of FIM 2010 R2 by adding role-based access control to FIM 2010 R2, enabling organizations to define user roles and to control access to sensitive data and applications in a way that is appropriate for those roles. BHOLD Suite includes services and tools that simplify the modeling of the role relationships within the organization, map those roles to rights, and verify that the role definitions and associated rights are correctly applied to users. These capabilities are fully integrated with FIM 2010, providing a seamless experience for end users and IT staff alike. BHOLD also provides a Web service API, which developers may use to create custom applications that can interact with BHOLD. These applications can be developed using any .NET language or by using Active Server Pages and VBScript.
  • Forefront Identity Manager 2010 R2 Certificate Management Developer
    • FIM also provides sophisticated credential management features to both Windows Server and 3rd party certification authorities (CAs) by acting as an administrative proxy. Once installed within an organization, all digital certificate and smartcard management functions pass through FIM

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Design Guides, Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2013-04-23) A Hotfix Rollup Package (Build 4.1.3441.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2013-04-23


Microsoft has released a new hotfix rollup package for FIM 2010 R2. To download the hotfix or for more details, see: KB2832389.

-

Known issues in this update:

Synchronization Service
After this update is installed, rules extensions and custom management agents (MAs) that are based on the Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you have changed the MIIServer.exe.config, Mmsscrpt.exe.config, or Dllhost.exe.config file. For example, you edited the MIIServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.
In this case, the synchronization engine installer for this update intentionally does not replace the configuration file, to avoid deleting your previous changes. Because the configuration file is not replaced, the entries that this update requires are not present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:

  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:
     <dependentAssembly>
       <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
       <bindingRedirect oldVersion="3.3.0.0-4.1.2.0" newVersion="4.1.3.0" />
     </dependentAssembly>
  4. Save the changes to the file.
  5. Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config file in the parent directory. Repeat steps 1 through 4 for these two files.
  6. Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
  7. Verify that the rules extensions and custom management agents now work as expected.
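As an added example (not from the KB article or this blog post), the following PowerShell script applies steps 1 through 6 to all three configuration files at once: it backs each file up, sets the bindingRedirect for Microsoft.MetadirectoryServicesEx, checks that the redirect is present, and restarts the service. The install path is the default one and is an assumption; run it in an elevated PowerShell session.

```powershell
# Added example (not from KB2832389 or this blog post): apply the bindingRedirect from the
# known-issue steps to all three configuration files. The install path is the default one
# and is an assumption; run this in an elevated PowerShell session.
$binDir = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin'
$configFiles = @(
    (Join-Path $binDir 'MIIServer.exe.config'),
    (Join-Path $binDir 'Mmsscrpt.exe.config'),
    (Join-Path (Split-Path $binDir -Parent) 'Dllhost.exe.config')   # parent directory, as the KB says
)
$asmName     = 'Microsoft.MetadirectoryServicesEx'
$publicToken = '31bf3856ad364e35'
$oldVersion  = '3.3.0.0-4.1.2.0'
$newVersion  = '4.1.3.0'
$asmNs       = 'urn:schemas-microsoft-com:asm.v1'   # namespace of <assemblyBinding> in a .NET config

function Set-MetadirectoryServicesRedirect {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path $Path)) { throw "Config file not found: $Path" }

    # Step 1: keep a timestamped backup before touching the file.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak"

    [xml]$xml = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('asm', $asmNs)

    # Step 3: locate <configuration><runtime><assemblyBinding>, creating the nodes if absent.
    $runtime = $xml.SelectSingleNode('/configuration/runtime')
    if ($null -eq $runtime) {
        $runtime = $xml.DocumentElement.AppendChild($xml.CreateElement('runtime'))
    }
    $binding = $runtime.SelectSingleNode('asm:assemblyBinding', $ns)
    if ($null -eq $binding) {
        $binding = $runtime.AppendChild($xml.CreateElement('assemblyBinding', $asmNs))
    }

    # Find the <dependentAssembly> for Microsoft.MetadirectoryServicesEx; add it if it is missing.
    $dep = $binding.SelectSingleNode("asm:dependentAssembly[asm:assemblyIdentity/@name='$asmName']", $ns)
    if ($null -eq $dep) {
        $dep = $binding.AppendChild($xml.CreateElement('dependentAssembly', $asmNs))
        $id  = $dep.AppendChild($xml.CreateElement('assemblyIdentity', $asmNs))
        $id.SetAttribute('name', $asmName)
        $id.SetAttribute('publicKeyToken', $publicToken)
    }

    # Replace the section content as the KB instructs: exactly one bindingRedirect with the new range.
    foreach ($old in @($dep.SelectNodes('asm:bindingRedirect', $ns))) { [void]$dep.RemoveChild($old) }
    $redirect = $dep.AppendChild($xml.CreateElement('bindingRedirect', $asmNs))
    $redirect.SetAttribute('oldVersion', $oldVersion)
    $redirect.SetAttribute('newVersion', $newVersion)

    # Step 4: save the changes.
    $xml.Save($Path)
}

function Test-MetadirectoryServicesRedirect {
    # Returns $true when the file carries the expected redirect for the assembly.
    param([Parameter(Mandatory=$true)][string]$Path)
    [xml]$xml = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('asm', $asmNs)
    $xpath = "/configuration/runtime/asm:assemblyBinding/asm:dependentAssembly" +
             "[asm:assemblyIdentity/@name='$asmName']/asm:bindingRedirect"
    $redirect = $xml.SelectSingleNode($xpath, $ns)
    return ($null -ne $redirect -and $redirect.GetAttribute('newVersion') -eq $newVersion)
}

# Step 5: apply to MIIServer.exe.config, Mmsscrpt.exe.config and Dllhost.exe.config.
foreach ($file in $configFiles) {
    Set-MetadirectoryServicesRedirect -Path $file
    if (-not (Test-MetadirectoryServicesRedirect -Path $file)) { throw "Redirect not applied in $file" }
    Write-Host "Updated $file"
}

# Step 6: restart the service. Step 7 (verifying rules extensions and custom MAs) is done in the
# Synchronization Service Manager by running the affected run profiles.
Restart-Service -Name FIMSynchronizationService
```

The backup copies (*.bak with a timestamp) are left next to the originals so a bad edit can be rolled back before the service is restarted.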

-

Issues that are fixed or features that are added in this update

FIM Synchronization service

Issue 1

The Active Directory Management Agent (AD MA) would stop if there was an issue during Exchange provisioning. This would include data errors. After this update is installed, the AD MA will now only stop if there is a critical error it cannot recover from.

-

Issue 2

If several AD MAs target the same forest, the same object can appear multiple times in different MAs. When a password change came in from PCNS, the setting for the password source was not honored. This caused random requests to fail.

-

Issue 3

If the FIM Service MA has several reference attributes not selected in "Select Attributes", the Synchronization Service would still process these and would affect performance.

-

Issue 4

Doing a delta import on the FIM Service MA where there is an update to a single-valued reference attribute and the same attribute already has a change which has not yet been synchronized caused a "stopped-ma" error.

-

Issue 5

For ECMA2 Connectors empty reference attribute data could crash the Synchronization Service during the reference retry phase.

-

Issue 6

When an error is returned on an object during add in ECMA2, the interface expected the anchor to be returned. This value would not always be available in failure cases.

-

Issue 7

During Schema Refresh on an ECMA2 Connector, the UI did not ask for encrypted parameters, for example password. Any Connector that depends on this information to be able to connect to the server to obtain the schema would fail.

-

Issue 8

An export-only ECMA2 did not correctly handle errors when returned from the Connector. This resulted in the error "The image or delta doesn’t have an anchor."

-

Issue 9

When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.

-

Issue 10

Flowing a constant value of 0 or 1 to a number attribute by using classic attribute flows caused an error in the UI "Import Attribute Validation Error."

-

Issue 11

Adding a value to a reference value by using scripted code throws an error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1. This is an example of code which fails:

csentry["member"].Values.Add(<string>)

-

Issue 12

When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes. For example, this problem might occur with a custom password extension during password synchronization.

-

Feature 1

The Synchronization Service’s contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.

Feature 2

This release includes ECMA2.2 which has several new features added.

This includes the following:

  • A new capabilities page and calling the capabilities later in the flow. It is now possible to ask the user for information and connect to the target directory and use that information for the Connector’s capabilities.
  • Support is added for DN as anchor for LDAP based directories and not providing the object type for update and delete operations in delta import.

    Additional details can be found on the Microsoft Developer Network (MSDN) website for ECMA2.

-

FIM Certificate Management

Issue 1

Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.

-

Issue 2

The ability to print photos is added by using ID Works. In order to print a photo, add the following to the field mappings:

{User!attribute!binary}

-

Issue 3

Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

-

Self-Service Password Reset

Issue 1

If a new password has a string that might violate the ASP.NET request validator such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client". To support these characters in a new password, open the Web.config file and find the following entry:

<add key="Base64EncodePasswordFields" value="false" />

Change the value to "true". Make sure that you update this for both password registration and password reset portal servers.

-

FIM BHOLD suite

Issue 1

In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold. To address this issue, run the SQL script (extract the FIMBHOLD_KB2832389.zip file) that is contained inside the hotfix download package.

-

Cheers,

Jorge


Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2013-02-19) A Hotfix Rollup Package (Build 4.1.3419.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2013-02-19


Microsoft has released a new hotfix rollup package for FIM 2010 R2. To download the hotfix or for more details, see: KB2814853.

-

This update fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

FIM Synchronization service

Issue 1

In some cases, the Exchange configuration options on the Active Directory Management Agent do not appear. These options will now always be visible even if Exchange is not detected in the source directory.

-

Issue 2

When Exchange post-processing PowerShell cmdlets are run during export on the Active Directory Management Agent, the host process can stop for many reasons. In this case, the Active Directory Management Agent continues the export but does not try to run the Exchange cmdlets. With the changed behavior in this fix, the export run is now stopped so that the process can be restarted from where it ended.

-

Issue 3

The Synchronization service crashes in certain scenarios when references to newly created objects are exported into an ECMA2 Connector (also known as "reference retry").

-

Issue 4

An ECMA1/XMA with call-based export crashes the Synchronization service. This problem occurs in some scenarios in which the following conditions are true:

  • Reference attributes are constantly rejected by the target directory.
  • The Synchronization service is trying to determine which value is causing the problem. It does this by trying to export a multivalued reference attribute as several individual changes (known as "fourth pass reference retry").

-

Issue 5

A full import might be stuck at the "Completing-Obsoletions" stage if the obsoletion of an object cascades into the obsoletion of related objects.

-

FIM service and portal

Issue 1

If a user who has access to advanced pages for a group (typically, an administrator) made a change to the object in this view, the group would contain invalid members. If the user was trying to delete the group, the system would be in a state in which no additional requests could be processed.

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2013-01-16) Technical References For FIM 2010 R2 And BHold

Posted by Jorge on 2013-01-16


Through the following links you can find the technical references for both FIM 2010 R2 and the Bhold Suite.

-

Cheers,
Jorge

Posted in Design Guides, Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2013-01-12) Service Pack 1 For Forefront Identity Manager 2010 R2 And BHold Has Been Released

Posted by Jorge on 2013-01-12


Microsoft has released service pack 1 for both Forefront Identity Manager 2010 R2 and BHold. The build number is 4.1.3114.0. It appears you can only download it from MSDN and/or TechNet. Be aware though that both MSDN and TechNet contain two versions of SP1. One version is integrated with the base FIM 2010 R2 installation and should only be used for new installs; the other version should only be used for existing installs. For Bhold only one version exists, and that’s the one integrated with the base BHold installation. There appears to be no update for either PCNS or the BPA.

-

The KB number is KB2772429, however at the time of writing there is no article yet with detailed information. Most likely this KB article will be made available at a later moment.

-

The upgrade is quite straightforward. I just upgraded my test environment (everything on one machine). I started with the FIM Synchronization Service (the service needs to be stopped before the upgrade), then the FIM Certificate Management Service, then the FIM Service/Portal (the service needs to be stopped before the upgrade), followed by all available FIM Client components. If the FIM Portal URL is different from the site collection URL, make sure you can access the site collection URL prior to the upgrade of FIM Service/Portal.

-

Other blog posts writing about this:

-

UPDATE 2013-01-16:

-

UPDATE 2013-02-01:

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2012-09-10) A Hotfix Rollup Package (Build 4.1.2548.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2012-11-10


Microsoft has released a new hotfix rollup package for FIM 2010 R2.

-

This hotfix fixes a number of issues. More interestingly, it fixes an issue that was introduced by the previous hotfix. The previous hotfix rollup package (Build 4.1.2515.0) changes information in the Microsoft.MetadirectoryServicesEx.dll assembly file but does not change the file version number. Therefore, the file version numbers are mismatched when you try to update the file from version 4.1.2273.0 to version 4.1.2515.0.

After applying this hotfix, check whether all custom code (rules extension DLLs and activities) works as expected, just to be sure! If not, recompile it.

-

For more details see: http://support.microsoft.com/?id=2750671

-

Issues that are fixed and features that are added in this update

-

General

Issue

This hotfix addresses an issue in which the digital signature on files that are produced and signed by Microsoft will expire prematurely, as described in Microsoft Security Advisory 2749655 (http://technet.microsoft.com/en-us/security/advisory/2749655).

-

FIM Synchronization Service

Issue 1

Assume that FIM 2010 R2 evaluates the IIF function of an outbound synchronization rule as "Null." For example, FIM 2010 R2 evaluates the IIF function to the jobTitle attribute, and the jobTitle attribute of the metaverse (MV) object has no value. In this situation, the corresponding attribute of the connector space object is not deleted as expected during the synchronization process.

Issue 2

When the ExchangeUtils:CreateMailbox method receives the logon SID for an account, the method requires administrator permissions in Active Directory.

-

FIM Service

New feature

When the FIM password reset activity does not connect to Active Directory, the Windows Management Instrumentation (WMI) components return a code. The code explains the reason for this failure.

-

FIM Reporting

Issue

When you perform the "Transform.Common" job when FIM 2010 is operating under a heavy load, the job fails because of a time-out. The time-out occurs when the computer processes the TransformEntityRelatesToEntityFact module.

Common Component (Microsoft.MetadirectoryServicesEx.dll)

Issue

Hotfix rollup build 4.1.2515.2 changes information in the Microsoft.MetadirectoryServicesEx.dll assembly file but does not change the file version number. Therefore, the file version numbers are mismatched when you try to update the file from version 4.1.2273.0 to version 4.1.2515.0.
When this issue occurs, you may experience the following symptoms:

  • You cannot load and run a custom management agent.
  • You cannot create a new FIM service management agent.

Notes

  • After you apply this hotfix rollup, the version of the Microsoft.MetadirectoryServicesEx.dll assembly file is 4.0.3.0.
  • The Microsoft.MetadirectoryServicesEx.dll assembly file is included in both the FIM Synchronization service and the FIM Service setup files.
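An added check (not part of the KB article or this post) that lists the file version and the .NET assembly version of every copy of Microsoft.MetadirectoryServicesEx.dll under the FIM install root and the GAC, so a mismatch of the kind described above is visible before custom MAs or rules extensions fail to load. The search roots are default locations and are assumptions.

```powershell
# Added check (not from the KB or this blog post): list the file version and the .NET assembly
# version of every copy of Microsoft.MetadirectoryServicesEx.dll under the FIM install root and
# the GAC. The search roots are default locations and are assumptions.
$searchRoots = @(
    'C:\Program Files\Microsoft Forefront Identity Manager\2010',
    "$env:windir\Microsoft.NET\assembly\GAC_MSIL\Microsoft.MetadirectoryServicesEx",   # .NET 4 GAC
    "$env:windir\assembly\GAC_MSIL\Microsoft.MetadirectoryServicesEx"                  # .NET 2/3.5 GAC
)
$expectedAssemblyVersion = [version]'4.0.3.0'   # assembly version the KB notes state after the rollup

function Get-MetadirectoryServicesExVersions {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter 'Microsoft.MetadirectoryServicesEx.dll' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # File version is the PE version resource (the 4.1.x build number); assembly version
                # is what the CLR binds on and what rules extensions and custom MAs were compiled against.
                $asmVersion = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version
                New-Object PSObject -Property @{
                    Path            = $_.FullName
                    FileVersion     = $_.VersionInfo.FileVersion
                    AssemblyVersion = $asmVersion
                    IsExpected      = ($asmVersion -eq $expectedAssemblyVersion)
                }
            }
    }
}

$found = @(Get-MetadirectoryServicesExVersions -Roots $searchRoots)
$found | Format-Table Path, FileVersion, AssemblyVersion, IsExpected -AutoSize

# Copies with different assembly versions are the mismatch the KB describes: strong-named custom
# code compiled against one copy will not load against the other without a bindingRedirect.
$distinct = @($found | ForEach-Object { $_.AssemblyVersion.ToString() } | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Multiple assembly versions present: $($distinct -join ', ')"
}
```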

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2012-06-03) FIM 2010 R2 TEST LAB Guides

Posted by Jorge on 2012-06-03


As mentioned earlier, FIM 2010 R2 has RTMed. In addition to that and the release of the documentation (which you can also find links to in that post), Microsoft also released TEST LAB Guides that help you set up the different features in a test lab.

The following TEST LAB Guides are available for FIM 2010 R2:

-

Cheers,
Jorge

Posted in Design Guides, Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2012-06-02) FIM 2010 R2 And Bhold Suite Have RTMed!

Posted by Jorge on 2012-06-02


Today, FIM 2010 R2 AND the bHold Suite see the RTM light! YES, cool!

On MSDN, get that through the following link: https://msdn.microsoft.com/en-US/subscriptions/securedownloads/#ProductFamilyId=400

On TechNet, get that through the following link: https://technet.microsoft.com/en-US/subscriptions/securedownloads/#ProductFamilyId=400

You can get the language packs through the following link: Microsoft® Forefront™ Identity Manager 2010 R2 Language Packs

-

For product documentation, see:

-

The following post contains all kinds of links to TEST LAB GUIDES for FIM 2010 R2.

-

UPDATE 2012-06-25:

ORIGINAL SOURCE FOR THE TEXT BELOW: Forefront Identity Manager 2010 R2 Now Available

-

Forefront Identity Manager (FIM) 2010 R2 is now generally available!  FIM 2010 R2 adds many new capabilities to help organizations handle the growing complexity of managing identity and permissions across heterogeneous systems.  We feel that 2010 R2 is the best FIM release yet – and wanted to review just a few of the new capabilities you’ll find inside.

Improved Self-service Password Reset
A cornerstone of the FIM 2010 experience has always been enabling end users to manage their own identity – a key part of which is making it possible to reset passwords.  Password resets can be an incredibly expensive burden for helpdesks – with some studies showing the cost as high as $10 per reset!  They also bring their share of user frustration, with password policies that vary across systems and delays in helpdesk response.  First introduced as part of FIM 2010, Self Service Password Reset (SSPR) has been significantly improved for FIM 2010 R2.  Now with an improved enrollment process, deploying SSPR is easier than ever.  We’ve also extended the password reset portal to work with many of the most popular web browsers available (including Internet Explorer, of course!), and now support extranet-based reset experiences as well.  Together, the browser-based reset and extranet support mean that your users can resolve password issues wherever they are, from nearly any device.

Role Based Access Control
Microsoft acquired BHOLD Software in 2011 as part of our ongoing commitment to deliver the comprehensive set of tools our customers need to tackle their identity challenges.  As part of the FIM 2010 R2 release, the BHOLD software is extended to all FIM 2012 R2 customers.  Any customer purchasing FIM 2010 R2, or currently under Software Assurance is now licensed to take advantage of the many capabilities within the Microsoft BHOLD Suite.
The Microsoft BHOLD Suite allows customers to easily define and manage access based on user roles.  Roles are mapped to multiple permissions across many systems, simplifying access privileges from the user perspective.  This capability also helps ensure that access rights are maintained over time – even during position, location, and responsibility changes.  Once in place, the BHOLD Suite can be used to help demonstrate compliance with organizational and industry/governmental regulations, saving valuable time.

But Wait, There’s More!
In case that wasn’t enough, there are many other areas in which FIM 2010 R2 offers improved functionality.

  • In response to popular demand, we’re happy to say that we’ve made significant improvements to the reporting engine.  FIM 2012 R2 now leverages the System Center Service Manager Data Warehouse to store and display reports.  Since the System Center Service Manager Data Warehouse is built around SQL Server Reporting Services (SSRS), reports may be run through that interface as well.
  • To more easily connect your third-party business applications, we’ve made the new WebServices Connector available on the Microsoft Download Center.  The WebServices Connector is used to connect to SAP ECC 5/6, Oracle PeopleSoft, and Oracle eBusiness. It is an optional component for FIM 2010 Update 2 and FIM 2010 R2 and can be used on either version.
  • You’ll also see lots of improvements in the areas of performance, simplified deployment and troubleshooting, better documentation, and more language support.

Hopefully I’ve conveyed just a bit about how excited we are about this latest release of FIM 2010 R2.  Now that we’ve given you a snapshot of what to expect, please check out http://www.microsoft.com/fim for more information — and download an evaluation version of FIM 2010 R2!

Josh Heller
Sr. Product Manager
Forefront Identity Manager

-

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2011-11-24) Forefront Identity Manager 2010 R2 Release Candidate Now Available

Posted by Jorge on 2011-11-24


Mark Wahl writes on the Microsoft Server and Cloud Platform Blog about the release and availability of Forefront Identity Manager 2010 R2.

-

SOURCE: Forefront Identity Manager 2010 R2 Release Candidate Now Available

-

<QUOTE SOURCE=”Forefront Identity Manager 2010 R2 Release Candidate Now Available”>

Microsoft is pleased to announce the availability of Forefront Identity Manager 2010 R2 release candidate. It is available for download from Microsoft Connect, as described below.

This release candidate includes new and updated features for FIM 2010 R2:

  • Historical reporting using integration to the System Center Service Manager data warehouse
  • Web-based Self-Service Password Reset
  • Scale and performance improvements
  • Outlook® 2010 support for the FIM add-ins and extensions and SharePoint® 2010 support for the FIM Portal

In particular, this release candidate introduces numerous functional improvements, including:

  • New authentication gates for self-service password reset
  • Additional reports
  • Extensible Connectivity Management Agent 2

For complete information, see the Release Notes and feature-specific documents.

If you have already joined the FIM 2010 Community Evaluation Program or downloaded the beta, you can obtain FIM 2010 R2 RC from the FIM 2010 Connect web site. The downloads link is in the left column.

To join the program and download the software, click here. Once you answer the survey questions, the Connect site will auto-approve your access.

Thanks,

Mark Wahl

Principal Program Manager

</QUOTE SOURCE=”Forefront Identity Manager 2010 R2 Release Candidate Now Available”>

-

Cheers,
Jorge

Posted in Beta/RC Stuff, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync

(2011-10-24) A Hotfix Rollup Package (Build 4.0.3594.2) Is Available For Forefront Identity Manager 2010

Posted by Jorge on 2011-10-24


This hotfix rollup package both resolves issues and introduces new features. I have not tried it myself yet, but I’m particularly interested in “issue 2” mentioned in the “Fixed Issues In Sets And Query” section.

-

SOURCE: http://support.microsoft.com/kb/2520954

-

Fixed issues in Workflow Engine

* Issue 1

Assume that you perform an operation that accesses the SQL database when the Microsoft SQL Server connection pooling feature is enabled in the FIM server. For example, you run a query or a request. If the operation times out for any reason, a future operation on the same thread may fail until that thread is removed from the SQL connection pool. An error message that resembles the following is displayed in the FIM Service Application event log, in the RequestStatusDetails property for a request, or in the WorkflowStatusDetails property of a workflow instance:

Cannot enlist in the transaction because a local transaction is in progress on the connection.

Additionally, the time stamp is the same as the time when the operation fails.

-

Fixed issues in Sync Engine

* Issue 1

An ExpectedRulesEntry (ERE) object is associated to a child synchronization rule of a Metaverse object. If the ERE object has a Remove action, deprovisioning of the object is also being triggered. Then, the behavior causes the deletion of the Metaverse object.

-

* Issue 2

Fixes an access violation when a custom extension calls a COM+ object.

-

* Issue 3

An earlier hotfix introduced a special Extensible Connectivity Management Agent (ECMA) mode to keep unconfirmed exports in escrow instead of awaiting confirmation. An issue with that hotfix causes delta sync to add new items that are not merged with an escrowed export into a pending export. After you install the hotfix that is mentioned in this article, if the ECMAAlwaysExportUnconfirmed registry entry is set to 1, the escrowed and pending changes are merged.

-

* Issue 4

Fixes an SQL query construction issue that occurs during an import. This issue affects a DB2 database that uses a non-Unicode character set.

-

* Issue 5

Fixes many "Export not reimported" errors that might occur because of errors in SQL.

-

* Issue 6

Improves the performance of all Sync Engine operations.

Note This change involves an extensive upgrade to the sync database. This upgrade can take lots of time, depending on your hardware. A progress bar is displayed during the database upgrade.

-

* Issue 7

A password reset that uses the ADMAEnforcePasswordPolicy registry setting fails when the user is in the Administrator group but is not an administrator.

-

* Feature 1

Adds an option to have FIM 2010 export the current time on the server to the HTTPPasswordChangeDate field during the password set operation. The time stamp is stored as a TimeDate data type.

To enable this behavior, set the following registry subkey to a nonzero DWORD value:

HKLM\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters\NotesMAExportPwdTimestamp

-

* Feature 2

The FIM 2010 Active Directory Management Agent (AD MA) does not honor the preferred domain controller list when passwords are exported. This is an issue for customers who require password changes to flow to a specific set of domain controllers. This hotfix rollup package changes the AD MA to use the preferred domain controller list first. If the preferred domain controller list does not exist, the domain controller locator service will identify a domain controller for password export operations. Additionally, you can still force password operations to use the primary domain controller by setting the following registry subkey:

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FIMSynchronizationService\Parameters\PerMAInstance\<MA_name>

Value: UsePDCForPasswordOperations (REG_DWORD, 1 = True, 0 = False)

This hotfix rollup package also updates the AD MA so that a trust relationship with the configured Active Directory forest is not required to export passwords to that forest.

-

* Feature 3

Adds the ability to filter objects before they are imported into the AD MA connector space.

-

* Feature 4

Adds new options to the Storechk.exe tool to enable it to remove orphaned rule fragments that are associated with an MA. To do this, you can run the tool by using the following command-line options:

Storechk.exe -sync -repair

-

Fixed issues in Sets and Query

* Issue 1

Fixes an issue that would sometimes cause incorrect Set calculations, which resulted in a large number of set corrections. The Sets Correction job is also revised so that it does not change special sets that are maintained by another system maintenance job.

-

* Issue 2

Revised the FIM "Query and Sets" features to treat underscores and percent signs as literals instead of as SQL wildcard characters.

-

Fixed issues in Certificate Management

* Issue 1

Enables the random number generator in the server key generation function.

-

* Issue 2

Improves the performance when enrolling a smartcard that has not previously been used with FIM Certificate Management (CM).

-

Fixed issues in FIM Management Agent (MA)

* Issue 1

Fixes an issue in which the FIM synchronization service configuration for synchronization rules and codeless provisioning was not correctly written to the FIM Service database.

-

Fixed issues in FIM Service

* Issue 1

Fixes an issue with SQL Server deadlocks that might occur during periods of high concurrency of requests or approvals.

-

* Issue 2

Fixes an issue in which unexpected data in the FIM Service database could result in the FIM MA causing the Synchronization service to fail during import, and a stopped-server error occurred.

-

* Issue 3

Fixes an issue that occurs when you add or remove a value of a multivalued string attribute: if the request was subject to authorization (for example, request reevaluation), the request would fail after approval.

-

* Issue 4

Some ExpectedRuleEntry objects and DetectedRuleEntry objects in FIM 2010 can become "orphaned" over time. When a DetectedRuleEntry object is not referenced in the DetectedRulesList of any object in the system, that object is determined to be orphaned. Similarly, when an ExpectedRuleEntry object is not referenced in the ExpectedRulesList of any object in the system, that object is also determined to be orphaned.

These orphaned objects have no functional impact on FIM. However, over time, these orphaned objects can cause a decrease in performance for both FIM operations and Sync operations that are related to FIM, such as import or export by using the FIM MA.

A pruning stored procedure, [debug].[DeleteOrphanedRulesByType], was added to the [debug] namespace of the FimService database. This stored procedure must be run separately for the DetectedRuleEntry object and the ExpectedRuleEntry object. The stored procedure also has a "reportOnly" mode, and this mode can be used to determine the presence and number of orphaned DetectedRuleEntry and ExpectedRuleEntry objects in the system.

The @ruleType parameter expects one of the following well-known values:

  • N'Detected' for DetectedRuleEntry objects
  • N'Expected' for ExpectedRuleEntry objects

To determine the number of orphaned objects in the system, run the stored procedure in "reportOnly" mode as follows.

DECLARE @deletedRulesFound BIT;
EXEC [debug].[DeleteOrphanedRulesByType]
    @ruleType=N'CHANGE_ME',
    @reportOnly=1,
    @deletedRulesFound=@deletedRulesFound OUTPUT;

-

To loop through and actually delete orphaned objects in the system, run the stored procedure as follows. @deletionLimit=1000 instructs the procedure to stop when it has deleted 1,000 objects. If there are more than 1,000 orphaned objects in the system, either run the procedure multiple times (recommended) or increase the deletionLimit value.

DECLARE @deletedRulesFound BIT, @startDateTime DATETIME, @endDateTime DATETIME;
SELECT @deletedRulesFound = -1;
WHILE @deletedRulesFound <> 0
BEGIN
    SELECT @startDateTime = CURRENT_TIMESTAMP;
    EXEC [debug].[DeleteOrphanedRulesByType]
        @ruleType=N'CHANGE_ME',
        @deletionLimit=1000,
        @reportOnly=0,
        @deletedRulesFound=@deletedRulesFound OUTPUT;
    SELECT @endDateTime = CURRENT_TIMESTAMP;
    SELECT @startDateTime AS [StartTime], @endDateTime AS [EndTime], @deletedRulesFound AS [WereDeletedRulesFound];
END

-
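The two calls above handle one rule type at a time. As an added example (not part of the KB article or of the FIM product), the T-SQL below runs the report-only check for both well-known rule types, and, only when @reportOnly is switched to 0, drives the deletion loop with a batch cap so it cannot spin indefinitely. It assumes only the procedure name and parameters documented above; @batchSize, @maxBatches and the table of rule types are the script's own additions.

```sql
-- Added example, not from the KB article or the FIM product: report, then
-- optionally prune, orphaned rule entries for BOTH rule types in one run.
-- Uses only the documented [debug].[DeleteOrphanedRulesByType] parameters.
-- Run in the FimService database during a maintenance window, after a backup;
-- leave @reportOnly = 1 until the report output has been reviewed.
USE FimService;
SET NOCOUNT ON;

DECLARE @reportOnly BIT = 1;        -- 1 = report only (default), 0 = actually delete
DECLARE @batchSize  INT = 1000;     -- the @deletionLimit recommended in the article
DECLARE @maxBatches INT = 50;       -- safety cap per rule type (50 x 1000 deletions)

DECLARE @ruleTypes TABLE (ruleType NVARCHAR(16) NOT NULL);
INSERT INTO @ruleTypes (ruleType) VALUES (N'Detected'), (N'Expected');

DECLARE @ruleType NVARCHAR(16), @found BIT, @batch INT, @t0 DATETIME, @t1 DATETIME;
DECLARE rt CURSOR LOCAL FAST_FORWARD FOR SELECT ruleType FROM @ruleTypes;
OPEN rt;
FETCH NEXT FROM rt INTO @ruleType;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Pass 1: report-only call, deletes nothing, safe to run at any time.
    EXEC [debug].[DeleteOrphanedRulesByType]
        @ruleType = @ruleType, @reportOnly = 1, @deletedRulesFound = @found OUTPUT;
    PRINT @ruleType + N': orphaned entries present = ' + CAST(@found AS NVARCHAR(1));

    -- Pass 2: bounded deletion loop, entered only when explicitly enabled.
    SET @batch = 0;
    WHILE @reportOnly = 0 AND @found <> 0 AND @batch < @maxBatches
    BEGIN
        SET @t0 = CURRENT_TIMESTAMP;
        EXEC [debug].[DeleteOrphanedRulesByType]
            @ruleType = @ruleType, @deletionLimit = @batchSize, @reportOnly = 0,
            @deletedRulesFound = @found OUTPUT;
        SET @t1 = CURRENT_TIMESTAMP;
        SET @batch += 1;
        PRINT @ruleType + N' batch ' + CAST(@batch AS NVARCHAR(10)) + N': '
            + CAST(DATEDIFF(ms, @t0, @t1) AS NVARCHAR(20)) + N' ms, more remaining = '
            + CAST(@found AS NVARCHAR(1));
    END
    IF @reportOnly = 0 AND @found <> 0
        PRINT @ruleType + N': batch cap reached with orphans remaining; rerun later.';
    FETCH NEXT FROM rt INTO @ruleType;
END
CLOSE rt;
DEALLOCATE rt;
```

The per-batch timing lines give the same information as the StartTime/EndTime result set in the article's loop, so a slow batch is visible before the next one starts.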

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge's Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync