Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2008-12-07) New Hotfix Rollup Package Has Been Released For ILM 2007 FP1 (Build 3.3.1067.2)

Posted by Jorge on 2008-12-07


On November 10th, Microsoft released a hotfix rollup package (build 3.3.1067.2) for ILM 2007 FP1. It resolves the following issues:

Descriptive text for the GalSync MA

You try to create a new Management Agent (MA) for the Active Directory global address list. This new MA is usually known as GalSync. When you do this, the Create Management Agent page references Microsoft Exchange Server 2007, Microsoft Exchange Server 2003, and Microsoft Exchange 2000 Server.

The Certificate Services service (Certsrv.dll) process stops responding

When multiple profile template enrollments execute at the same time, ILM may cause the Certificate Services service (Certsrv.dll) process to stop responding. This problem occurs because a deadlock condition exists between ILM and the Certificate Services service. The cause of the deadlock was corrected in this hotfix rollup package.

Access-checking methodology changed in Certificate Lifecycle Manager (CLM)

Before this release, the CLM part of ILM used Kerberos delegation to perform operations in the Active Directory directory service. Therefore, CLM acted as the end-user to access the required Active Directory server objects, such as profile templates, subscribers, and other objects. This hotfix rollup package implements an access-checking methodology in ILM. With this methodology, you do not have to enable CLM to use impersonation to become the user. Additionally, you do not have to delegate access to a particular computer that acts as the end-user or as the enrollment agent when the computer contacts Active Directory. CLM still uses delegation when it contacts the certification authority (CA) that is located on a computer that is not the one that is running CLM.

With this change, CLM now impersonates the CLM Auth Agent account before you make any read or write calls to the Active Directory. The CLM Auth Agent account then verifies whether the logged-on user has permissions to read the object or to make the changes that must be made on the Active Directory object. Therefore, the CLM Auth Agent account must have additional permissions. The CLM configuration wizard does not automatically make these changes. Therefore, you must manually add these permissions.

The CLM Auth Agent account must have the following permissions:

  • Read permission on all users and groups that use the portal or that are subscribers
  • Read permissions on the certificate templates that are used with the profile templates
  • Read and write permissions on all existing profile templates
  • Permission to create a child on the profile templates container

Blogger’s note: This behavior already applies to CLM "2"!

CLM cannot find the pkiEnrollmentService object when you add certificate templates to a profile template

When you try to add certificate templates to a profile template, no published certificate templates from a given CA server are found. This problem may occur when the sanitized short name of the CA differs from the sanitized name of the CA. When the CA creates the pkiEnrollmentService object in Active Directory, the CA uses the sanitized short name of the CA. Before this hotfix rollup package, CLM used the sanitized name to search for the pkiEnrollmentService object. Therefore, CLM cannot find the pkiEnrollmentService object.

Support is added for Sun ONE directory server 6.x versions

The Management Agent for Sun and Netscape directory servers was certified to support Sun ONE directory server 6.x versions. To enable this support, you must modify the registry after you install the hotfix rollup package. Follow these steps to accomplish this.

  • Click Start, click Run, type Regedt32, and then click OK.
  • Locate and then right-click the following registry key:
    • HKLM\SYSTEM\CurrentControlSet\Services\miiserver\Parameters
  • Click New, and then click Multi-string Value.
  • Set the following parameter values:
    • Value name: iPlanetMASupportedServers
    • Value type: REG_MULTI_SZ
    • Set the value of the registry key to the following value:
      • Sun-Java(tm)-System-Directory/6.3 B2008.0311.0946
      • Note: The precise format of the value may vary in different versions of Sun ONE.
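The registry change above, as an added PowerShell example that is not from the original post or from Microsoft's KB article. It assumes you run it elevated on the ILM server (where the miiserver service lives) and that the server string quoted in the post is the one your Sun ONE version reports; it creates the value with the right type, appends without duplicating, and reads it back.

```powershell
# Added example (not from the original post or from Microsoft's KB article):
# idempotently add the Sun ONE 6.x server string to the iPlanetMASupportedServers
# REG_MULTI_SZ value that the hotfix rollup introduces. Run elevated on the ILM server.
$keyPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\miiserver\Parameters'
$valueName    = 'iPlanetMASupportedServers'
# Server string quoted in the post; the KB notes the exact format may vary by
# Sun ONE version, so compare it against what your directory server reports.
$serverString = 'Sun-Java(tm)-System-Directory/6.3 B2008.0311.0946'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key '$keyPath' not found; is the ILM Synchronization Service installed here?"
}

$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    # Value does not exist yet: create it with the correct type (REG_MULTI_SZ)
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType MultiString `
        -Value @($serverString) | Out-Null
    Write-Host "Created $valueName with entry: $serverString"
}
else {
    # Fail rather than silently write into a value that was created with the wrong
    # type (e.g. REG_SZ); the MA expects a multi-string value.
    $kind = (Get-Item -Path $keyPath).GetValueKind($valueName)
    if ($kind -ne 'MultiString') {
        throw "$valueName exists but is of type $kind; expected MultiString (REG_MULTI_SZ)."
    }
    $current = @($existing.$valueName)
    if ($current -contains $serverString) {
        Write-Host "$valueName already contains: $serverString (no change made)"
    }
    else {
        # Preserve entries already present and append the new one
        Set-ItemProperty -Path $keyPath -Name $valueName -Value ($current + $serverString)
        Write-Host "Appended entry to ${valueName}: $serverString"
    }
}

# Read the value back to verify what is actually stored
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
Write-Host "Stored entries in ${valueName}:"
$stored | ForEach-Object { Write-Host "  $_" }
```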

Active Directory Management Agent does not ignore defunct classes

You add an auxiliary class to Active Directory that inherits from any class other than the top class. However, errors occur in ILM when you create an Active Directory MA or when you update the schema after you add the class. These errors occur even if the auxiliary class is marked as Inactive in the Active Directory schema. ILM build 3.3.1067.2 ignores defunct Active Directory classes.

For more information, please see: MS-KBQ952327_A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1. This hotfix rollup package is superseded by the hotfix rollup package mentioned here. This has been posted for completeness purposes to the new hotfix rollup package.


Cheers,
Jorge

One Response to “(2008-12-07) New Hotfix Rollup Package Has Been Released For ILM 2007 FP1 (Build 3.3.1067.2)”

  1. […] For more information please see: MS-KBQ946797_A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1. This hotfix rollup package supersedes the hotfix rollup package mentioned here. […]
