Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2009-11-12) New hotfix Rollup Package Has Been Released For ILM 2007 FP1 (Build 3.3.1118.02)

Posted by Jorge on 2009-11-12


Hotfix rollup package (build 3.3.1118.02) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1).

INTRODUCTION

IMPORTANT WARNING: BEFORE YOU TRY TO INSTALL THIS HOTFIX, YOU MUST READ THE INSTALLATION INFORMATION SECTION.

List of issues fixed

This hotfix rollup package includes all the previous hotfixes that are described in the following articles in the Microsoft Knowledge Base:

This hotfix rollup package also fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:

Fixes that involve the ILM Certificate Management component (previously named CLM)

Note If you apply the ILM Certificate Management part of this hotfix rollup package and you previously used a build earlier than 3.3.1067.2, the way ILM Certificate Management accesses Active Directory is changed. For more information about how ILM Certificate Management accesses Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:

952327 (http://support.microsoft.com/kb/952327/) A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1

  1. Access is now allowed based on membership in built-in Active Directory groups.
  2. Error message after you enter a one-time password when you use the CLM Kiosk mode: "Value does not fall within the expected range."
  3. Error message when you request a certificate: "Security ID structure is invalid."
  4. You receive an "Out of Memory" error message when you use Smartcard Application Management (AMS).
  5. You receive a "Data Type not supported" error message when you call the ExecuteOperations.SetProposedAdminPin method.
  6. When you perform online updates on a primary card and on a duplicate card, CLM generates the same authentication certificate on both cards. However, CLM generates different encryption certificates.

Fixes that involve the ILM Synchronization component (previously named MIIS)

  1. The Management Agent (MA) for eDirectory now supports version 8.8 of Novell eDirectory.
  2. The Galsync.dll file is not updated when you upgrade from the release version of ILM 2007 to ILM 2007 FP1.
  3. Metaverse values are not populated after an object was deprovisioned and then rejoined.
  4. Multivalued attributes are not imported from a Microsoft SQL Server MA if there are Unicode characters in the anchor field.
  5. When you import attributes from an Active Directory MA, empty lines are added to the ma_custom_data_xml field in the mms_partition table.
  6. Microsoft Identity Integration Server crashes when you perform an Active Directory export operation.

MORE INFORMATION


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Installation information

When you install this hotfix rollup package on a Windows Server 2008-based computer, you must run the installation package (.msp) from an Administrative command prompt. The following is the command to run the installation package:

msiexec /update FileName.msp

Upgrade vs. Reinstall Considerations

The original release of ILM 2007 FP1 (3.3.0118.2) included an invalid system file that affected both the Certificate Management and Synchronization components. The steps to correct this situation are described in the following sections.

ILM Certificate Management Component

If you are running a build of the ILM Certificate Management component earlier than 3.3.1087.2, then before you install this hotfix rollup, you must uninstall the program and run a full installation of build 3.3.1087.2 from a build that is available from Microsoft Customer Support. We will make all the necessary files and documentation publicly available, and we will update this article with the corresponding links when they are published.

You can verify your current build by looking at the version of one of the Microsoft.Clm.*.dll files in the Microsoft Certificate Lifecycle Manager\Bin folder and the Microsoft Certificate Lifecycle Manager\web\Bin folder. If the version of a Microsoft.Clm.*.dll file is earlier than 3.3.1087.2, you must uninstall the previous installation and then run a full installation of build 3.3.1087.2.
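As an added example (not part of the KB article or of the ILM product itself), the following PowerShell reports the file version of every Microsoft.Clm.*.dll in both Bin folders and flags any file below 3.3.1087.2, which is the case that requires the full reinstall described above. It assumes the default installation root under Program Files; adjust $clmRoot if your installation differs.

```powershell
# Added example: check Microsoft.Clm.*.dll versions against the 3.3.1087.2 minimum.
# Assumption: CLM is installed under "%ProgramFiles%\Microsoft Certificate Lifecycle Manager".
$clmRoot      = Join-Path $env:ProgramFiles 'Microsoft Certificate Lifecycle Manager'
$minimumBuild = [Version]'3.3.1087.2'
$folders      = @((Join-Path $clmRoot 'Bin'), (Join-Path $clmRoot 'web\Bin'))

$report = foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) {
        Write-Warning "Folder not found: $folder"
        continue
    }
    Get-ChildItem -Path $folder -Filter 'Microsoft.Clm.*.dll' | ForEach-Object {
        # FileVersion is a free-form string; take the leading dotted number and
        # treat anything unparseable as 0.0.0.0 so it is flagged rather than skipped.
        $raw = ($_.VersionInfo.FileVersion -split ' ')[0]
        try   { $parsed = [Version]$raw }
        catch { $parsed = [Version]'0.0.0.0' }
        New-Object PSObject -Property @{
            Folder             = $folder
            File               = $_.Name
            Version            = $parsed
            NeedsFullReinstall = ($parsed -lt $minimumBuild)
        }
    }
}

$report | Sort-Object Folder, File |
    Format-Table Folder, File, Version, NeedsFullReinstall -AutoSize

$stale = @($report | Where-Object { $_.NeedsFullReinstall })
if ($stale.Count -gt 0) {
    Write-Host "$($stale.Count) file(s) older than $($minimumBuild): uninstall and run a full install of build 3.3.1087.2 before applying this rollup."
} else {
    Write-Host "All Microsoft.Clm.*.dll files are at $($minimumBuild) or later; the rollup .msp can be applied."
}
```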
ILM Synchronization Component

To install the ILM Synchronization component, you must uninstall the previous installation on the computer, and then reinstall build 3.3.1087.2 from a package that is available from Microsoft Customer Support. This article will be updated when that package is available for public download.

Hotfix Uninstall or Rollback

The Certificate Management (CLM) part of the update can be rolled back by using Add / Remove programs in Control Panel. If you do this, you must back up the Web.config file before you uninstall the update, and then restore it after the uninstall process is completed.

Prerequisites

To apply this hotfix, you must have Identity Lifecycle Manager 2007 Feature Pack 1 installed on the computer.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix rollup package includes all previous hotfixes for ILM 2007 FP1.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Certificate Lifecycle Manager (CLM)

File name                                     File version  File size  Date         Time   Platform
Clm_2007_fp1_bulkclient_deved_kb969742.msp    3.3.1118.2    413,696    23-Jun-2009  12:47  x86
Clm_2007_fp1_bulkclient_full_kb969742.msp     3.3.1118.2    413,696    23-Jun-2009  12:47  x86
Clm_2007_fp1_client_deved_kb969742.msp        3.3.1118.2    76,800     23-Jun-2009  12:47  x86
Clm_2007_fp1_client_full_kb969742.msp         3.3.1118.2    76,800     23-Jun-2009  12:47  x86
Clm_2007_fp1_deved_kb969742.msp               3.3.1118.2    3,573,760  23-Jun-2009  12:47  x86
Clm_2007_fp1_full_kb969742.msp                3.3.1118.2    1,774,080  23-Jun-2009  12:47  x86

Identity Lifecycle Manager (ILM)

File name                        File version  File size  Date         Time   Platform
Ilm_2007_fp1_ent_kb969742.msp    3.3.1118.2    771,072    23-Jun-2009  12:47  x86
Ilm_2007_fp1_msdn_kb969742.msp   3.3.1118.2    771,072    23-Jun-2009  12:47  x86

Detailed information about the issues that are resolved in the ILM Certificate Management component

  • Access is now allowed based on membership in built-in Active Directory groups.

    Because of the changes to the access-checking methodology that were introduced in the hotfix that is described in Microsoft Knowledge Base (KB) article 952327, some CLM operations, such as the results returned from a user search, no longer work in the same manner.

    When a user performs a search operation, the user must have the Active Directory read permission for all objects that are returned by an LDAP search that is generated by CLM. For simplicity, we will refer to this user as "the Manager." If the search results include a user for whom the Manager does not have the Active Directory read permission, that user is not displayed in the search results.

    However, earlier builds of CLM did not correctly evaluate the Manager’s membership in built-in groups such as the Everyone group or the Authenticated Users group. Therefore, if the Manager has the Active Directory read permission for a certain user, and that read permission was granted to the Manager because the Manager is a member of a built-in group, CLM denies access to the user object. As a result, the user object does not appear in the search result.

    Before the current build, you could avoid this problem by setting the domain to the Windows Server 2003 functional level or to a later functional level. To do this, you had to add the following setting to the CLM Web.config file:

        <appSettings>
            <add key="Microsoft.Clm.Security.Authorization.UseS4Flag" value="true" />
        </appSettings>

    However, the current build correctly evaluates read permissions that are granted because the Manager is a member of a built-in group.

  • Error message after you enter a one-time password when you use the CLM Kiosk mode: "Value does not fall within the expected range."

    When you use the CLM kiosk mode and you enroll in a profile template that requires a one-time password, you receive the following error message:


    Value does not fall within the expected range

    Additionally, the following exception information is logged in the log file:


    Exception Type: System.ArgumentException

    Message: Value does not fall within the expected range.

    ParamName: NULL

    Data: System.Collections.ListDictionaryInternal

    TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)

    HelpLink: NULL

    Source: mscorlib

    This problem occurs because CLM does not use the correct user account for Anonymous access in Internet Information Services (IIS).

  • Error message when you request a certificate: "Security ID structure is invalid."

    Consider the following scenario:

    • The CLM server, the domain controller, and the client application are on different computers.

    • IIS is configured for Windows Authentication.

    • On the client computer, you enable Integrated Windows Authentication in Internet Explorer.

    • The domain is at the Windows Server 2003 functional level or a later functional level.

    • The domain controller security setting "Network access: Allow anonymous SID/name translation" is disabled. This setting is located in Security Options under Local Policies.

    • In the constrained delegation configuration, the CLM server’s machine account is trusted for delegation to the rpcss service on the certification authority (CA) server.

    • In the constrained delegation configuration, the clmWebpool account is trusted for delegation to the HOST service on the CA server.

    In this scenario, when you request a certificate, you receive the following error message:


    Security ID structure is invalid.

    This problem occurs because, when CLM contacts a domain controller, CLM does not impersonate the clmAuthAgent account.

  • You receive an "Out of Memory" error message when you use Smartcard Application Management (AMS).

    When you use Smartcard Application Management (AMS) together with a Hardware Security Module (HSM) and P11 cards, you may receive "Out of Memory" error messages. These "Out of Memory" error messages occur because the P11 Library maintains a Session Pool of active sessions in the HSM. However, after a session stops, CLM does not correctly recycle the session. Because of this behavior, the session stays as an active object in the HSM until IIS is reset on the CLM Server. Therefore, if you establish multiple consecutive AMS sessions, the HSM eventually runs out of memory.

  • You receive a "Data Type not supported" error message when you call the ExecuteOperations.SetProposedAdminPin method.

    Consider the following scenario. You have a Smartcard Profile Template that uses a provider other than the Microsoft Smart Card Base CSP provider. The Administrative PIN character set is set to ASCII. When you call the ExecuteOperations.SetProposedAdminPin method in the CLM Provisioning API, you receive the following error message:


    Data Type not supported

    This problem occurs even though all characters in the AdminPIN parameter are valid ASCII characters.

    This problem occurs because the CLM ASCII character set does not contain all the characters in the ASCII standard character set. To address this situation, a new custom character set is available in this build. This custom character set enables you to specify your own character set. This custom character set can contain any characters that have decimal ASCII codes from 32 to 126 (inclusive).

  • When you perform online updates on a primary card and on a duplicate card, CLM generates the same authentication certificate on both cards.

    However, the CLM generates different encryption certificates. Therefore, you cannot decrypt data that was encrypted by using these cards before you performed the online update.

    This problem was partly addressed in the hotfix that is described in KB article 960765. However, the current build addresses the following two additional problems:

    • The server-side check for online updates does not correctly detect sibling cards.

    • The client-side processing of P11 cards does not correctly recognize that the two cards should be updated.


Detailed information about the issues that are resolved by the ILM Synchronization component

  • The management agent for Novell eDirectory now supports version 8.8 of Novell eDirectory.

    To enable this, you have to add the following registry entry:

        Key:   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Parameters\eDirectoryMASupportedServers
        Type:  Multi-String (REG_MULTI_SZ)
        Value: LDAP Agent for Novell eDirectory 8.8 SP2 (20216.43)

Note You must enter the correct version and build number when you add the registry entry.
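An added example (not from the KB article) that creates or extends this REG_MULTI_SZ value with PowerShell, keeping any strings already stored in it and reading the result back. The value string below is the one the KB gives; as the note says, it must match the version and build number of the eDirectory LDAP agent you actually run.

```powershell
# Added example: register an eDirectory server string for the eDirectory MA.
# The value is multi-string, so an existing list must be preserved, not overwritten.
$keyPath   = 'HKLM:\System\CurrentControlSet\Services\miiserver\Parameters'
$valueName = 'eDirectoryMASupportedServers'
# Taken from the KB example; replace with the exact agent version/build on your server.
$newEntry  = 'LDAP Agent for Novell eDirectory 8.8 SP2 (20216.43)'

if (-not (Test-Path $keyPath)) {
    throw "Key not found: $keyPath (is the ILM Synchronization service installed on this computer?)"
}

# Read the current list, if the value exists at all.
$existing = @()
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($item -ne $null) { $existing = @($item.$valueName) }

if ($existing -contains $newEntry) {
    Write-Host "Entry already present; no change made."
} else {
    $updated = [string[]]($existing + $newEntry)
    if ($item -eq $null) {
        # Value does not exist yet: create it with the multi-string type.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType MultiString -Value $updated | Out-Null
    } else {
        # Value exists: rewrite it with the extended list (type is retained).
        Set-ItemProperty -Path $keyPath -Name $valueName -Value $updated
    }
    Write-Host "Added: $newEntry"
}

# Show exactly what the miiserver service will read.
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
```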

  • The Galsync.dll file is not updated when you upgrade from the release version of ILM 2007 to ILM 2007 FP1.

    By default, every upgrade installation and hotfix rollup installation should update the Galsync.dll file and all .dll files that were installed by ILM in the Extensions folder. However, in earlier hotfix rollup packages, this behavior was inconsistent.

    Important Note If you have customized the GalSync.dll file and then recompiled it, you should rename the file, and then reconfigure the management agent and Provisioning Rules Extensions to prevent the replacement of the customized GalSync.dll file.

  • Metaverse values are not populated after an object was deprovisioned and then rejoined.

    Consider the following scenario:

    • A user has two connectors. One connector is a projected connector that contributes the anchor attribute. The second connector is joined on the anchor attribute and contributes additional attributes. For example, the projected connector contributes the employeeID attribute. Then, the second connector is joined on the employeeID attribute.

    • In the Deprovisioning tab of the management agent configuration, the "Do not recall attributes contributed by objects from this management agent when disconnected" check box is not checked.

    • A new object is created in the data source of the second connector that has the same employeeID attribute. However, the object has a different DepartmentNumber value.

    • The provisioning code is configured to disconnect the current joined object and join the new object for the second connector.

    In this scenario, a synchronization operation from the second connector’s data source invokes the provisioning code and the attribute flow. The expected result is that the metaverse object is joined to the new Connector Space object and the metaverse object contains the DepartmentNumber value. However, the actual result is that the join operation occurs but the DepartmentNumber attribute has no value. To correctly populate the DepartmentNumber value in the metaverse, you have to perform a second full synchronization operation. In the current build, the join operation, the attribute recall operation, and the repopulation operation occur in a single synchronization run.

  • Multivalued attributes are not imported from a Microsoft SQL Server management agent if there are Unicode characters in the anchor field.

    You have a SQL Server management agent that uses a primary table and a secondary table to supply multivalued attributes. If the anchor field in the primary table contains a Unicode character, the values from the secondary table are not imported.

    For example, the primary table contains a list of groups, and the group name is used as the anchor attribute. The secondary table has a list of group members. If the group name contains a "č" character, the group object will be imported. However, the members will not be imported.

  • When you import attributes from an Active Directory management agent, empty lines are added to the ma_custom_data_xml field in the mms_partition table.

    Every full or delta import operation on an Active Directory management agent incorrectly adds an empty line to the ma_custom_data_xml field in the mms_partition table in the MicrosoftIdentityIntegrationServer database. In most cases, this has no noticeable effect on ILM. However, after you run lots of Import operations, this issue causes a "stopped-out-of-memory" error.

    In the current build, the additional lines are no longer written to the table. Also, existing blank lines are removed when you run the first Import operation after you install this hotfix.

  • Microsoft Identity Integration Server crashes when you perform an Active Directory export operation.

    The Active Directory management agent Export operation calls the DSBindWithCred API. If this call fails, the management agent Export code does not handle the error that is returned from the API. This issue occurs very rarely and is not reproducible on demand. In the current build, ILM returns the following error message when this issue occurs:


    Failed to bind with credentials

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 (http://support.microsoft.com/kb/824684/) Description of the standard terminology that is used to describe Microsoft software updates

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

For more information please see: MS-KBQ969742_A hotfix rollup package (build 3.3.1118.02) is available for Identity Lifecycle Manager 2007 Feature Pack 1

 

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
