Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-04-23) A Hotfix Rollup Package (Build 4.1.3441.0) Is Available For Forefront Identity Manager 2010 R2

Posted by Jorge on 2013-04-23

Microsoft has released a new hotfix rollup package for FIM 2010 R2. To download the hotfix or for more details, see: KB2832389.

Known issues in this update:

Synchronization Service
After this update is installed, rules extensions and custom management agents (MAs) that are based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs when you run such rules extensions or custom MAs after you change the configuration file for MIISServer.exe, Mmsscrpt.exe.config, or Dllhost.exe.config. For example, you edited the MIISServer.exe.config file to change the default batch size for processing sync entries for the FIM Service MA.
In this case, the synchronization engine installer for this update intentionally does not replace the configuration file to avoid deleting your previous changes. Because the configuration file is not replaced, entries that are required by this update will not be present in the files, and the synchronization engine will not load any rules extension DLLs when the engine runs a Full Import or Delta Sync run profile.
To resolve this issue, follow these steps:

  1. Make a backup copy of the MIIServer.exe.config file.
  2. Open the MIIServer.exe.config file in a text editor or in Microsoft Visual Studio.
  3. Find the <runtime> section in the MIIServer.exe.config file, and then replace the content of the <dependentAssembly> section with the following:
             <assemblyIdentity name="Microsoft.MetadirectoryServicesEx" publicKeyToken="31bf3856ad364e35" />
             <bindingRedirect oldVersion="" newVersion="" />
  4. Save the changes to the file.
    Find the Mmsscrpt.exe.config file in the same directory and the Dllhost.exe.config in the parent directory. Repeat steps 1 through 4 for these two files.
    Restart the Forefront Identity Manager Synchronization Service (FIMSynchronizationService).
    Verify that the rules extensions and custom management agents now work as expected.

Issues that are fixed or features that are added in this update

FIM Synchronization service

Issue 1

The Active Directory Management Agent (AD MA) would stop if there was an issue during Exchange provisioning. This would include data errors. After this update is installed, the AD MA will now only stop if there is a critical error it cannot recover from.

Issue 2

If several AD MAs target the same forest, the same object can appear multiple times in different MAs. When a password change came in from PCNS, the setting for the password source was not honored. This caused random requests to fail.

Issue 3

If the FIM Service MA has several reference attributes not selected in "Select Attributes", the Synchronization Service would still process these and would affect performance.

Issue 4

Doing a delta import on the FIM Service MA where there is an update to a single-valued reference attribute and the same attribute already has a change which has not yet been synchronized caused a "stopped-ma" error.

Issue 5

For ECMA2 Connectors empty reference attribute data could crash the Synchronization Service during the reference retry phase.

Issue 6

When an error is returned on an object during add in ECMA2, the interface expected the anchor to be returned. This value would not always be available in failure cases.

Issue 7

During Schema Refresh on an ECMA2 Connector, the UI did not ask for encrypted parameters, for example password. Any Connector that depends on this information to be able to connect to the server to obtain the schema would fail.

Issue 8

An export-only ECMA2 did not correctly handle errors when returned from the Connector. This resulted in an error "The image or delta doesn’t have an anchor.

Issue 9

When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a "stopped-server" error.

Issue 10

Flowing a constant value of 0 or 1 to a number attribute by using classic attribute flows caused an error in the UI "Import Attribute Validation Error."

Issue 11

Adding a value to a reference value by using scripted code throws an error "Object reference not set to an instance of an object" because of a regression in FIM 2010 R2 SP1. This is an example of code which fails:


Issue 12

When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes. For example, this problem might occur with a custom password extension during password synchronization.

Feature 1

The Synchronization Service’s contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.

Feature 2

This release includes ECMA2.2 which has several new features added.

This includes the following:

  • A new capabilities page and calling the capabilities later in the flow. It is now possible to ask the user for information and connect to the target directory and use that information for the Connector’s capabilities.
  • Support is added for DN as anchor for LDAP based directories and not providing the object type for update and delete operations in delta import.

    Additional details can be found on the Microsoft Developer Network (MSDN) website for ECMA2.

FIM Certificate Management

Issue 1

Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.

Issue 2

The ability to print photos is added by using ID Works. In order to print a photo, add the following to the field mappings:


Issue 3

Advanced search in Bulk Client does not work as expected when more than 1,000 results is returned from Active Directory.

Self-Service Password Reset

Issue 1

If a new password has a string that might violate the ASP.NET request validator such as "<script>", the operation would fail with the exception "A potentially dangerous Request.Form value was detected from the client". To support these characters in a new password, open the Web.config file and find the following entry:

<add key="Base64EncodePasswordFields" value="false" />

Change the value to "true". Make sure that you update this for both password registration and password reset portal servers.


Issue 1

In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold. To address this issue, run the SQL script (extract the file) that is contained inside the hotfix download package.




* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!



############### Jorge’s Quest For Knowledge #############

######### ########



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: