Category: FIM Hotfixes, Service Packs & Updates

  • Forefront Identity Manager 2010 R2 hotfix rollup 4.1.3451.0 Available

    This week, Microsoft has released hotfix rollup 4.1.3451.0 for FIM 2010 R2, which you can download from KB2849119.

    This update fixes a few minor issues, detailed in the KB article, for which I have kindly provided summaries below:

    FIM Synchronization Service

    Issue 1

    Password management operations fail because the path for the cached version of the extension .dll file is too long. This problem also affects the WebService connector that is included in Forefront Identity Manager 2010 R2.

    Issue 2

    In certain cases in which the Synchronization Service processes ancestors, memory leaks occur.

    FIM Certificate Management

    Feature 1

    This update adds the ability in the SubjectAltName policy to specify the RegisteredID alternate name in the Subject Alternate Name entry when a certificate request is issued.

    Reporting

    Issue 1

    If you have Microsoft System Center Service Manager 2012 Service Pack 1 (SP1) installed, and you try to run a change-mode installation for FIM Service and Portal, the installation fails.

    When you install FIM Reporting on a new server that has Service Manager 2012 SP1 installed, follow these steps:

    1. Install the FIM 2010 R2 SP1 FIMService component. To do this, clear the Reporting check box.

    2. Upgrade the FIMService installation to build 4.1.3451.0.

    3. Run the change-mode installation for the FIMService, and then add Reporting.

  • FIM 2010 R2 Hotfix (4.1.3441.0) Available

    On April 22, 2013, Microsoft released Hotfix 4.1.3441.0 for Forefront Identity Manager 2010 R2. This hotfix features a number of issue fixes, as well as a couple of new features around the MetadirectoryServicesEx.dll and the ECMA framework. The hotfix can be downloaded here.

    Peter Geelen (Microsoft) has updated the FIM 2010 Build Overview wiki article with a summary of the changes in this release:

    FIM Sync

    • Issues Fixed
      • AD MA) would stop if there was an issue during Exchange provisioning
      • PCNS, the setting for the password source
      • stopped-ma” error on FIMMA on delta import
      • ECMA2 Connectors empty reference attribute data could crash the Synchronization Service
      • error returned on object during add in ECMA2
      • Schema Refresh on an ECMA2 Connector
      • export-only ECMA2 did not correctly handle errors “The image or delta doesn’t have an anchor.”
      • When several exports are run without a confirming import and not all references could be exported, the Synchronization Service could report a “stopped-server” error.
      • Adding a value to a reference value by using scripted code throws an error “Object reference not set to an instance of an object” because of a regression in FIM 2010 R2 SP1
      • When a custom extension does not return control to the Synchronization Service in time, typically 5 minutes, the Synchronization Service crashes
    • New features
      • The Synchronization Service’s contract DLL MetadirectoryServicesEx is no longer dependent on the FIM Synchronization Service. It is now possible to load an ECMA2 Connector outside the Service which enables the ability to create unit tests for these Connectors in Visual Studio.
      • This release includes ECMA2.2 which has several new features added.

    FIMCM

    • Fixed
      • Windows 8 TPM-based virtual smart cards could not be provisioned because of a change in Smart Card Minidriver Specification v.7.
      • The ability to print photos is added by using ID Works.
      • Advanced search in Bulk Client does not work as expected when more than 1,000 results are returned from Active Directory.

    SSPR

    • Fixed
      • If a new password has a string that might violate the ASP.NET request validator such as “<script>”, the operation would fail with the exception “A potentially dangerous Request.Form value was detected from the client”

    BHOLD

    • Fixed
      • In a special case after the bhold connector was deleted in the FIM Synchronization Service and re-created, an import would be unable to see all objects in bhold.

    Nothing too interesting in this release, unless you were having specific problems. However, the new ECMA 2.2 release is worth checking out, as there is a new “capabilities” page during configuration. According to Microsoft, it is now possible to ask the user for information, connect to the target directory, and use that information for the Connector’s capabilities. It will be interesting to see how this can be applied. Increased LDAP DN support has also been added, as well as improved handling of delete/update operations during delta imports. Additional details can be found on the Microsoft Developer Network (MSDN) website for ECMA2.

  • Microsoft Releases SharePoint User Profile, Generic LDAP and PowerShell Connectors to Connect

    On March 28, 2013, Microsoft put out Release Candidates for several new FIM Synchronization Service Connectors, including:

    • SharePoint User Profile Connector
    • Generic LDAP Connector for Open LDAP
    • PowerShell Connector

    The Release Candidate downloads are available via Microsoft Connect, along with the necessary upgrades to the FIM Sync Service, a technical reference for the SharePoint/LDAP connectors and some sample scripts (primarily SharePoint-related) for PowerShell.

    These three connectors are probably three of the most-demanded connectors, and candidates for custom connectors, so it’s good to see Microsoft taking a proactive approach in developing these.

    Note that the connectors are still Release Candidates only, so you shouldn’t be installing them in a production environment yet.

  • FIM Hotfix Rollup 4.0.3684.2 Available

    On March 19, 2013, Microsoft released FIM Hotfix Rollup 4.0.3684.2 for Microsoft Forefront Identity Manager (FIM) 2010. A minor hotfix, this patch has two specific features:

    • New version (4.0.2.0) of Microsoft.MetadirectoryServicesEx.dll. It is not clear what has changed in the new version of this DLL; however, the KB article mentions that you may need to fix references in your Rules Extension and ECMA projects.
    • Issue fix for the FIM Synchronization Service, whereby Exchange configuration options weren’t previously available on the AD MA if FIM didn’t detect Exchange on the domain.

    Paul Williams notes on his blog that the Exchange issue fix is the same issue resolved in FIM R2 build 4.1.3419.0, but applied to FIM 2010.

    This hotfix will install on any version of FIM higher than 4.0.2592.0. Note, this is a FIM 2010 hotfix, not a FIM 2010 R2 hotfix.

    For further information on the changes in this hotfix, refer to KB2819338, where you can also download the hotfix.


  • FIM R2 SP1: FIM Service and Portal Setup Wizard ended prematurely

    Recently, I had to perform an upgrade to FIM 2010 R2 SP1 from FIM 2010 (pre-R2) in a development environment. After a few issues performing the upgrade, I was installing the FIM 2010 R2 SP1 Service and Portal on SharePoint Foundation 2013 and I kept running into the error: Forefront Identity Manager Service and Portal Setup Wizard ended prematurely.

    Forefront Identity Manager Service and Portal Setup Wizard ended prematurely

    Background

    Because I was upgrading directly from FIM 2010, I couldn’t use the R2 to R2 SP1 Update from KB2772429, which requires you to already be running FIM 2010 R2 build 4.1.2273.0 or later, so I had to perform an upgrade using the full installation media. My FIM Sync Service installation detected it was an upgrade and went through fine. Very pain free! However, when I installed the FIM Service and Portal, it didn’t seem to detect my existing installation. When I told it to proceed anyway, and told it to use my existing database, it didn’t install the SP1 Portal, it just uninstalled my existing Portal instead.

    This was a bit weird, but since my Portal had already been uninstalled anyway, I decided I’d give it another try, but this time take it as an opportunity to upgrade to SharePoint Foundation 2013.

    Installing FIM 2010 R2 SP1 on SharePoint Foundation 2013

    I referred to the Microsoft documentation regarding Installing FIM 2010 R2 on SharePoint Foundation 2013 and found it to be pretty pitiful. In fact, there really doesn’t seem to be any benefit to using SPF2013 with FIM unless you’re running Windows Server 2012 (no SPF2010 support until SP2), and several reasons not to (I’ll get to that in a later post) but I was committed by this stage.

    The main hurdle was that Classic Authentication has been deprecated in SPF 2013 and removed from the GUI options for creating a web application. Since FIM 2010 doesn’t support Claims-Based authentication, you have to create the web application using the SharePoint 2013 Management Shell. Of course, the “Standalone” installation method with SPF2013 pre-installs your application with Claims-Based authentication, so you first need to delete that web application, then create another one via the Management Shell… anyway, all things for a later post.

    FIM R2 SP1: FIM Service and Portal Setup Wizard ended prematurely

    In true FIM fashion, this error is about as undescriptive as they come. So, in order to delve a little deeper, I executed the installation executable with verbose logging switched on:

    msiexec /i "Service and Portal.msi" /L*v "c:\temp\file.log"

    This time, when the installer ran, I was able to glean a bit more information:

    MSI (s) (54:1C) [14:26:22:593]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2922.tmp, Entrypoint: AddServiceToPerformanceMonitors
    SFXCA: Extracting custom action to temporary directory: C:\Windows\Installer\MSI2922.tmp-\
    SFXCA: Binding to CLR version v2.0.50727
    Calling custom action Microsoft.IdentityManagement.ServerCustomActions!Microsoft.IdentityManagement.ServerCustomActions.CustomActions.AddServiceToPerformanceMonitors
    Adding FIMService account to 'Performance Monitor Users' group
    Property name = 'ServiceAccount', value = 'ourDomain\FIMService'.
    DomainName='ourDomain'
    AccountName='FIMService'
    Domain AD found
    Exception thrown by custom action:
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable.
    
       at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
       at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser)
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
       at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)
       at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)
       at Microsoft.Deployment.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint, IntPtr remotingDelegatePtr)
    CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    Action ended 14:26:25: InstallExecute. Return value 3.

    Note the three key lines: while trying to add the FIMService account to the Performance Monitor Users group, the ChangeUserMembershipInGroup method throws “The RPC server is unavailable”. I put this information up on a post I started on Microsoft TechNet and was also able to find another post by Robin Gaal over at Traxion, who had been having a similar issue when upgrading to FIM 2010 R2, which I posted on to see if he could provide more detail.
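    The same reading of the verbose log can be automated. The following is an added example, not part of the original post: it takes a constructed excerpt modelled on the log above, pulls out the custom action that returned 1603, the root-cause exception with its HRESULT, and the first frame from the product’s own code, and maps the 0x8007xxxx HRESULT back to its Win32 error number.

```python
import re

# Constructed excerpt modelled on the verbose MSI log quoted above; not the real log file.
SAMPLE_LOG = """\
MSI (s) (54:1C) [14:26:22:593]: Invoking remote custom action. DLL: C:\\Windows\\Installer\\MSI2922.tmp, Entrypoint: AddServiceToPerformanceMonitors
Adding FIMService account to 'Performance Monitor Users' group
Exception thrown by custom action:
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable.
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.IdentityManagement.ServerCustomActions.CustomActions.ChangeUserMembershipInGroup(Session session, Boolean addUser)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object arguments)
CustomAction AddServiceToPerformanceMonitors returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 14:26:25: InstallExecute. Return value 3.
"""

FAILED_CA = re.compile(r"^CustomAction (\S+) returned actual error code (\d+)")
INNER_EXC = re.compile(r"---> (\S+) \((0x[0-9A-Fa-f]{8})\): (.+)$")
FRAME = re.compile(r"^\s+at (\S+)\(")
INNER_END = "--- End of inner exception stack trace ---"


def hresult_to_win32(hresult):
    """Map a FACILITY_WIN32 HRESULT (0x8007xxxx) back to its Win32 error code, else None."""
    if (hresult >> 16) & 0x7FF == 7:  # facility field lives in bits 16-26
        return hresult & 0xFFFF       # 0x800706BA -> 1722, RPC_S_SERVER_UNAVAILABLE
    return None


def triage_msi_log(text):
    """Pull the failing custom action and the root-cause exception out of a verbose MSI log."""
    info = {"custom_action": None, "error_code": None, "exception": None, "hresult": None,
            "win32_error": None, "message": None, "inner_frames": []}
    state = None  # None -> "exception" -> "frames" -> None
    for line in text.splitlines():
        if line.startswith("Exception thrown by custom action:"):
            state = "exception"
        elif state == "exception" and (m := INNER_EXC.search(line)):
            info["exception"], info["message"] = m.group(1), m.group(3).strip()
            info["hresult"] = int(m.group(2), 16)
            info["win32_error"] = hresult_to_win32(info["hresult"])
            state = "frames"
        elif state == "frames":
            if INNER_END in line:
                state = None  # outer frames are reflection plumbing, not the cause
            elif m := FRAME.match(line):
                info["inner_frames"].append(m.group(1))
        elif m := FAILED_CA.match(line):
            info["custom_action"], info["error_code"] = m.group(1), int(m.group(2))
    # The first inner frame outside the .NET framework is where the installer's own code failed.
    info["product_frame"] = next((f for f in info["inner_frames"] if not f.startswith("System.")), None)
    return info


if __name__ == "__main__":
    for key, value in triage_msi_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real `/L*v` log instead of SAMPLE_LOG to get straight to the failing custom action without reading the whole file.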

    Between the two posts, the three bits of advice that came back were:

    1. Ensure you’re using a domain user and a local admin
      Well, the account I was using was a domain user, a domain admin, a local admin, and Domain Admins were also in the local Administrators group. I was also running the installer as administrator. I ruled this one out pretty quickly, but it was good to do a sanity check.

    2. Check for AD security customisations
      This one came from Glenn Zuckerman at Microsoft in reply to my TechNet post, who had debugged a similar issue and found that it was caused by some AD changes made in order to lock down security in the organisation. The result of these changes was that “the ‘Authenticated Users’ group had been removed from the Pre-Windows 2000 Compatible group” – so, another permissions issue. I had a look at our AD, but couldn’t see anything obvious that would cause any issues with performing the necessary tasks – I mean, I was able to add the user manually to that group, using the same user account performing the installation.

    3. DNS suffix incorrectly configured – SUCCESS!
      Robin Gaal had previously reported in his post that this was the issue behind their installation issue and that he was able to resolve it, so I asked him for some more detail. It turns out his situation was very similar to mine – he was installing the FIM Service and Portal into a Test/Acceptance environment, where the default server configuration was registering the server to the production domain. The solution was as easy as going into the advanced settings for the server’s network adapter and changing the DNS settings:
      FIM 2010 R2 SP1 DNS Settings

    Of course, when I tried this, the FIM Service and Portal installed perfectly first try, and I was even able to use and upgrade my existing database (which took almost no time at all to upgrade). Success!!

    Overall, a very frustrating installation experience – I’d planned the upgrade to take two days, which I thought was pretty generous, and it ended up taking me about 7. The good news is, I learnt a lot about installing and configuring SharePoint Foundation 2013, as well as some new tricks for debugging FIM installations. Thanks to the folks on the Technet forums for their help, particularly Robin Gaal, Glenn Zuckerman and Varun Kohli.

    FIM Service and Portal Installation Completed

  • What’s New in FIM 2010 R2 Sp1 and Release Notes

    Looks like Microsoft have uploaded the Release Notes for FIM 2010 R2 SP1 and also a “What’s New” page describing all the new features.

    Key improvements that stand out to me in this release are:

    • Improvements in the upgrade process from FIM 2010 to FIM 2010 R2, including significant performance enhancements to the database upgrade. This will only be relevant for those not yet running R2.
    • Improvements mentioned in my last post on the MAs for Active Directory Domain Services, FIM Service Management Agent, and Extensible Connectivity 2.0 with regard to importing reference (group) objects.
    • Deferred Evaluation for criteria-based groups configured in the FIM Portal – ie, a single group can be configured to evaluate only on a certain schedule.
    • ECMA 2.1 released with minor changes.
    • Minor changes to Powershell cmdlets.
    • Support for various ‘2012’ software components – MA support for AD 2012 and SQL Server 2012; environment support for Windows Server 2012, SQL Server 2012, Visual Studio 2012 (.NET 4.5 support added), SharePoint Foundation 2013, etc.

    Some interesting stuff in here. I’m glad to see that it appears you can update directly from FIM 2010 to R2 SP1 without upgrading to R2 first (as I’m currently in a situation where I need to do this). Will be keen to get it installed and to start playing with some of those new features!

    Source: What’s New in FIM 2010 R2 Sp1

    Source: Release Notes for FIM 2010 R2 SP1

  • FIM 2010 R2 SP1 Released!

    I am currently attending the first annual Oxford Computer Group Redmond Identity, Access & Directory Summit at Microsoft HQ. In a talk given by Andreas Kjellman a few minutes ago, he announced FIM 2010 R2 SP1 just went public – no KB or release notes, but you can download it via your MSDN subscriber benefits.

    A number of benefits in the service pack, including support for 2012 releases (SharePoint and so forth). More details are sure to follow with the KB, but the main benefits I see are the further enhancements to group management performance on the AD and ECMA2 MAs. Apparently the groups went 2.4x faster on their sample set.

    Update: Spoke to Andreas again later last night – he expressed that this really is just a service pack, so don’t expect a lot of new functionality – the real focus was on providing compatibility. Probably one thing which will interest people however is that System Center 2012 is now supported for the FIM reporting, whereas pre-SP1 you were limited to System Center 2010 SP1 (and indeed, the EULA actually said you weren’t permitted to use 2012, not that it worked anyway). Anyway, I’m sure that will come in handy for some people.