(2009-06-02) New Hotfix Rollup Package Has Been Released For ILM 2007 FP1 (Build 3.3.1101.2)
Posted by Jorge on 2009-06-02
A hotfix rollup package (build 3.3.1101.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1.
This hotfix rollup package includes all the previous hotfixes that are described in the following articles in the Microsoft Knowledge Base:
946797 (http://support.microsoft.com/kb/946797/) A hotfix rollup package (build 3.3.1087.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1 (PERSONAL REMARK: if you need this on W2K8 contact PSS and specifically ask for the ILM package for W2K8!)
Note Make sure that you read this section before you install this hotfix rollup.
This hotfix rollup package contains different .msp files to update the appropriate versions (Enterprise and MSDN, for example) of the ILM Certificate Management component and of the ILM Synchronization component.
In the ILM Certificate Management component (previously named CLM), previous hotfix rollups updated only the files in the clmwebbin folder, not those in the clmbin folder. This may cause some issues. For example, the CLM service may not start in this situation. To address this issue, you must uninstall the ILM Certificate Management component and reinstall it from a build that is available from Microsoft Customer Support before you install this hotfix rollup. We will make all the necessary files and documentation publicly available, and we will update this article with the corresponding links when they are published. In the meantime, contact the ILM team at Microsoft Customer Support Services (CSS) for the full instructions.
Important If you apply the CLM part of this hotfix rollup package, the manner in which CLM accesses Active Directory is changed.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
- In the ILM sync component (previously named MIIS), the files in the MIISbin folder were not replaced if an earlier hotfix rollup was applied to the original installation. The current hotfix rollup can be applied to any earlier build.
This hotfix rollup package resolves the following issues.
Fixes that involve the ILM Certificate Management component (previously named CLM)
- CLM does not evaluate permissions correctly. The clmAudit permission setting may override other permissions that were set on an object.
- When you click Find a user to view or manage their information and then use a set of search criteria that returns multiple users, a different list of users may be returned every time that you run the search.
- When you assign a 14-character personal identification number (PIN) to a smartcard, the last character is truncated.
- If the certificate for the clmAgent is replaced, any CLM operation that requires access to data that was encrypted in the database by using the previous certificate for the clmAgent will trigger errors.
Note Examples of data that was encrypted by using the clmAgent’s previous certificate might include data collection items, smart card keys, and previous requests.
- Assume that you perform an online update of primary and duplicate cards that contain encryption certificates. When you use the updated cards, you cannot decrypt data that was encrypted by either of the cards before you performed the online update.
- After you use the Windows client-side profile online update control to perform an online update on a profile template, you receive the following error message:
The request contains conflicting template information 0x8009480.
Fixes that involve the ILM Synchronization component (previously named MIIS)
- The Run Management Agent dialog box does not display the selected management agent from the Operations tab. Therefore, a user may unintentionally run the wrong management agent.
- A Lotus Notes management agent does not preserve the Partition Matching configuration after it imports the server configuration.
- Special characters may be replaced when they are exported from a Lotus Notes management agent.
Detailed information about the issues that are resolved by the ILM Certificate Management component
- Before you apply this hotfix, management permissions on a request are always granted based on how the CLM Audit permission is set, not on the actual permission (for example, Enroll or Revoke). This functionality can cause unintended behavior when CLM later verifies user permissions against an incorrect security descriptor. For example, two users who have identical group memberships may receive different results when they review a request.
- CLM runs an LDAP query when it searches for users who match a certain set of criteria. If the user who is performing the search does not have permissions to one or more of the users, the results that are returned may be incorrect.
- When you assign a 14-character PIN to a smartcard, the last character is truncated.
When the certificate for the ClmAgent expires, the certificate is replaced either manually or by running the Configuration Wizard. However, some operations that were performed by using the old certificate generate errors. This behavior occurs because CLM tries to decrypt data by using the current certificate. These errors may occur during the following operations:
- Completing an approval workflow
- Retiring smartcards
- When a user selects Manage my Info and then views a previously issued certificate
The error message that is returned may include the following text:
ASN1 bad tag value met
For this hotfix to take effect, you must add the following to the Web.config file:
<!-- CLM Decryption Certificate~~~~~~~~~~~~~~
Define an optional decryption certificate. This certificate must contain an
RSA public key. This certificate must be stored in the MY store of the CLM
agent user. The private key must also be accessible. If encrypted data exists
from earlier versions of CLM, and the CLM agent user has been issued a new
certificate (for example, after rerunning the Configuration Wizard), set
this value to the hash of the CLM agent's previous certificate. -->
<!-- hex-encoded certificate hash. -->
<add key="Clm.Decryption.Certificate.Hash" value="[hex-encoded thumbprint of the previous clmAgent certificate]" />
We recommend that you add this tag to the "Additional Valid Certificates" section of the Web.config file.
Note For the agent to enable this hotfix, the previous clmAgent certificate must still be in the local computer certificate cache.
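As an added pre-flight check (not part of the KB article or the CLM product), the following PowerShell script verifies the conditions the Web.config comment lists before you rely on Clm.Decryption.Certificate.Hash: it reads the value from Web.config and confirms that a certificate with that thumbprint is present in the agent user's MY store, carries an RSA public key and has an accessible private key. The Web.config path is an assumption; run the script as the CLM agent user.

```powershell
# Added example, not from the KB article: pre-flight check for the
# Clm.Decryption.Certificate.Hash setting. Run as the CLM agent user, because the
# previous certificate must sit in that user's MY (personal) store.
param(
    # Default path is an assumption; point it at your CLM Web.config.
    [string]$WebConfigPath = 'C:\Program Files\Microsoft Certificate Lifecycle Manager\web\Web.config',
    [string]$StorePath = 'Cert:\CurrentUser\My'
)

$config = [xml](Get-Content -Path $WebConfigPath)
$node = $config.SelectSingleNode("//add[@key='Clm.Decryption.Certificate.Hash']")
if (-not $node) {
    Write-Warning "Clm.Decryption.Certificate.Hash is not set in $WebConfigPath"
    return
}

# Normalise to the form the certificate store reports: 40 upper-case hex digits, no spaces.
$rawValue = $node.GetAttribute('value')
$hash = ($rawValue -replace '\s', '').ToUpperInvariant()
if ($hash -notmatch '^[0-9A-F]{40}$') {
    Write-Warning "Value '$rawValue' is not a hex-encoded SHA-1 thumbprint"
    return
}

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $hash in $StorePath; CLM cannot decrypt old data"
    return
}

# 1.2.840.113549.1.1.1 is the rsaEncryption OID, i.e. the certificate carries an RSA public key.
$isRsa = $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'

# The previous certificate is usually expired; that is expected and does not block decryption.
New-Object PSObject -Property @{
    Thumbprint     = $cert.Thumbprint
    Subject        = $cert.Subject
    NotAfter       = $cert.NotAfter
    RsaPublicKey   = $isRsa
    HasPrivateKey  = $cert.HasPrivateKey
    ReadyForHotfix = $isRsa -and $cert.HasPrivateKey
}
```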
- When you perform online updates on primary and duplicate cards, CLM generates the same authentication certificate on both cards, but it generates different encryption certificates. Therefore, you cannot decrypt data that was encrypted by these cards before you performed the online update.
- If the clmProfileUpdate utility is run manually or automatically when a user logs on, you receive a "The request contains conflicting template information" error message in the browser window that the utility generates. If the online update must issue a new certificate for the user, CLM requests a version 2 certificate template from the CA. If the certificate template that the CA provides is version 1, this error occurs.
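The template-version mismatch described in the last item can be checked ahead of time. This added PowerShell script (not from the KB article) reads msPKI-Template-Schema-Version for the named certificate templates from the Active Directory configuration partition; the template names are placeholders for the templates your profile template issues.

```powershell
# Added example, not from the KB article: report the schema version of the certificate
# templates a CLM profile template issues, so a version 1 template can be found before
# clmProfileUpdate fails with "The request contains conflicting template information".
param(
    # Placeholder names; replace with the certificate templates in your profile template.
    [string[]]$TemplateName = @('CLM-Smartcard-Logon', 'CLM-Encryption')
)

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatesPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$templatesPath
$searcher.SearchScope = 'OneLevel'
$searcher.PropertiesToLoad.AddRange(@('cn', 'displayName', 'msPKI-Template-Schema-Version'))

foreach ($name in $TemplateName) {
    # Escape the characters LDAP filters treat specially (RFC 4515) before interpolating.
    $escaped = $name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) {
        Write-Warning "Template '$name' not found under $templatesPath"
        continue
    }
    # DirectorySearcher lower-cases property names in the result set.
    $schema = [int]$result.Properties['mspki-template-schema-version'][0]
    New-Object PSObject -Property @{
        Template         = $result.Properties['cn'][0]
        DisplayName      = $result.Properties['displayname'][0]
        SchemaVersion    = $schema
        # Version 1 templates are the case the KB article describes as failing.
        Version2OrLater  = $schema -ge 2
    }
}
```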
Detailed information about the issues that are resolved by the ILM Synchronization component
Consider the following scenario:
- You open the Identity Manager console.
- You click the Operations tab.
- You right-click an item in the Run History list.
- You click Run to open the Run Management Agent dialog box.
In this scenario, the management agent that is selected in the Run History list does not match the management agent in the Run Management Agent dialog box. Therefore, the user may unintentionally run the wrong management agent.
- Assume that you have two ILM Sync servers. Each one has a Lotus Notes management agent. The two servers are identical except for the name of the .nsf file that you use to connect to the Domino server. In a typical scenario, one server is used for development and the other server is used for production. You export the management agent from the development server by using the management agent import and export functionality or the server configuration import and export functionality. During the import process, you are prompted to configure partition matching and to provide the .nsf file name. You provide the correct .nsf file. However, after you complete the import process, the management agent properties show the .nsf file that was exported from the other server.
- If a string attribute value contains a special character (such as ř) when the object that has that attribute value is exported to a Lotus Notes management agent, the character is replaced by a non-accented character. For example, ř is replaced by r.
For more information, please see: MS-KBQ960765_A hotfix rollup package (build 3.3.1101.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########