(2013-11-23) A Hotfix Rollup Package (Build 4.1.3496.0) Is Available for Forefront Identity Manager 2010 R2
Posted by Jorge on 2013-11-23
Microsoft released a new hotfix for FIM 2010 R2 with build 4.1.3496.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ2906832
Issues that are fixed or features that are added in this update
FIM Service and FIM Portal
When you create a custom solution in FIM 2010 R2, you may experience any of the following scenarios:
- Scenario 1: An authorization workflow could get stuck.
- Scenario 2: An authorization workflow could be executed again after a FIMService restart.
- Scenario 3: An authorization workflow parent request may not be set to expire.
These problems might occur if your solution has custom workflows that use the new FIM 2010 R2 feature that enables setting the ApplyAuthorizationPolicy property to True (the default value is False) on the following built-in building-block activities:
Changes to stored procedures in the FIMService database resolve scenarios 2 and 3.
To resolve scenario 1, an additional AuthorizationWaitTimeInSeconds property was added to built-in building-block activities that enables the activity to set how long the request processor should wait for authorization before it throws an AuthorizationRequiredFault error. We recommend that you set this value to 0 (zero) or a larger value.
New feature 1
By using a new configuration option, you can now hide the Advanced Search link in the FIM Portal. To enable the configuration and remove the Advanced Search link, follow these steps:
- In Administration, click Schema Management, and then click All Attributes.
- Create a new Boolean attribute that is named "HideAdvancedSearchLink."
- In All Bindings, create a new binding for the HideAdvancedSearchLink attribute to the Portal Configuration resource, and then click Finish to save the binding.
- Create a new Management Policy Rule (MPR) to allow for changes to the new binding in the portal configuration. To do this, use the following configuration for the new MPR:
Display Name: Administrators can modify the HideAdvancedSearchLink attribute in the Portal Configuration resource
Specific Set of Requestors: All Administrators
Operation: Modify a single-valued attribute
Permissions: Grants permission
Target Resource Definition Before Request: All Basic Configuration Objects
Target Resource Definition After Request: All Basic Configuration Objects
Resource Attributes: Select specific attributes: HideAdvancedSearchLink
- Reset Internet Information Services (IIS), and then restart the FIM service.
- In Administration, click Portal Configuration, and then click Extended Attributes. You should see the HideAdvancedSearchLink attribute together with the other extended attributes.
- Click to select the HideAdvancedSearchLink check box, and then click Submit to enable the hiding of the Advanced Search link.
- Verify that the Advanced Search link is not available in the list views. For example, check the following list views:
- My DGs
- My DG Memberships
- Management Policy Rules
FIM Synchronization Service
During an export on the FIM Service management agent (MA), the FIM Synchronization Service or the FIM Service may be stopped. In this case, the Synchronization Service may be unable to complete the export on a retry, and you receive the following error message:
The operation failed because the attribute cannot be found.
In certain scenarios, the FIM Service MA may return the following error message:
This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.
In rare cases, an import could receive a staging error because of duplicate references in the connector space.
In rare cases, an import could receive a staging error because an object was moved in the connected directory.
An Extensible Connectivity 2.0 Management Agent (ECMA 2.0) connector could end up in an infinite loop. This problem may occur when the capability flag is set not to export references in the first pass. In this case, an object that has no reference attributes cannot export an attribute. This problem affects the Windows Azure Active Directory connector that is provided by Microsoft.
In ECMA 2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA 2.0 could not export and therefore caused a staging error on the next import and synchronization.
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########