Release Notes

Applies To: Forefront Identity Manager 2010

Welcome to the release notes for Microsoft® Forefront® Identity Manager (FIM) 2010. Before you install this application, we recommend that you read this entire document and the FIM 2010 installation guide. You can use these notes to guide you as you troubleshoot issues that may arise when you use FIM 2010.

  • Release Notes for Forefront Identity Manager 2010

  • Release Notes for Forefront Identity Manager Certificate Manager (FIM CM)

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Release Notes for Forefront Identity Manager 2010

Instructions for Installing FIM 2010

You can find the software and hardware prerequisites information and instructions for installing FIM 2010 in the FIM 2010 Installation Guide (https://go.microsoft.com/fwlink/?LinkId=165845).

What's New in FIM 2010

The following are the features and improvements to FIM 2010 that have been added since FIM 2010 Release Candidate 1. FIM 2010 includes all updates released since FIM 2010 Release Candidate 1.

Tip

There is also a FIM FAQ Collection on the TechNet Wiki.

General

  • Adds support for Microsoft SQL Server® Failover Clusters for High Availability.

  • Adds support for taking database backups without stopping the FIM Service.

  • New Supported Platforms for FIM Certificate Management (FIM CM).

    • Windows Server® 2008 R2

    • Windows Server Datacenter edition

  • Added support for Microsoft Exchange Server 2010 for the following scenarios:

    • FIM Synchronization Service support for Active Directory® Management Agent and GAL Management Agent

    • The FIM Service sending and receiving mail

    • Microsoft Office Outlook® 2007 on Exchange 2010 sending approvals and group membership requests

Management Policy Rules

  • There are now two types of Management Policy Rules (MPR):

    • Set Transition MPR – A newly defined MPR type, a Set Transition MPR, allows for easy creation of policies that apply to set membership changes (that is, when resources enter or leave a specific set).

    • Request-based MPR – A standard MPR based on a request. During installation, if you have existing MPRs in your system, they are marked automatically as Request-Based MPRs.

    Note

    • The Run On Policy Update flag is now only applicable to the new Set Transition MPRs.

    • Temporal policy definitions require the use of the new Set Transition MPRs.

  • When defining permissions for enumeration, you no longer need to grant all the permissions for required attributes as part of a single MPR. The system now properly aggregates permissions from multiple MPRs when evaluating query permissions.

Password Reset

  • Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.

Portal UI configuration

  • You can now copy and paste a vertical list from Microsoft Office Excel® to the Resource Picker input box. This is especially useful for doing bulk Adds.

  • The UOC text box now lets you check uniqueness by using a custom XPath statement that you provide.

    Note

    This operation works only in Create mode, not in Edit mode. Attempting this operation in Edit mode may cause the check to be performed when it is not intended.

Queries and requests

  • Fixes an issue where queries did not evaluate correctly if they contained three or more conditions and at least two of them used the not() operator.

Sets

  • Resolves a number of issues that resulted in incorrect dynamic set membership.

  • Removes support for the use of the != operator with multivalued attributes. XPath equality expressions on multivalued attributes must use the not() function. For example, the following XPath is not supported: /Group[Owner != /Person]. Instead, use the following XPath: /Group[not(Owner = /Person)]

  • Some set restrictions noted in previous release notes have been removed. In particular:

    • You no longer have to avoid the use of the following operators in set creation: <, <=, >, >=, endswith, startswith, nesting.

    • You are no longer limited to using only the literal = operator with multivalued attributes when creating sets.

    • You can now have explicit members in a set that has a defined filter.

  • FIM 2010 now has stricter validation for supported filters. In addition, some previously supported filters are no longer supported. For more information, see Modeling Business Policy Rules with FIM (https://go.microsoft.com/fwlink/?LinkID=183691) in the FIM documentation.

Setup and prerequisites

  • In addition to existing prerequisites, FIM now also requires for installation:

    • Windows Installer 4.5 for all server components

    • For FIM Service: SQL Server 2008 Service Pack 1 (SP1)

    • For FIM Add-in for Outlook: Outlook 2007 Service Pack 2 (SP2)

Synchronization

  • Resolves a data corruption issue in Multi-Mastery scenarios in which deleted Member attributes were being added back during full synchronization of Active Directory Domain Services (AD DS) and FIM.

  • Synchronization rule error messages are now visible during synchronization previews.

  • Resolves an issue where having multiple join and projection rules caused rule corruption on a full synchronization.

  • Removes management agent (MA) support for Exchange 5.5 and Microsoft Windows NT.

  • The FIMMA now stores error messages with the operation during export. You do not have to look in the FIM Service event log anymore to see the errors.

  • You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code still was needed for declarative provisioning.

  • Added two new declarative provisioning functions:

    • Null – Indicates that this synchronization rule should not contribute a value. This supports scenarios in which values should not flow to disabled accounts.

    • ReplaceString – Find and replace a substring in another string.

  • You can now set attribute precedence between classic provisioning and codeless provisioning attribute flows.

  • Various other improvements in synchronization preview.

  • Fixed customer reported crashes in FIM Synchronization Service.

  • Fixed issues with multi-mastered attributes.

  • Added support for Exchange 2010 mailbox provisioning.

Workflows

  • Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIMService that originally created the workflow. This enables the partitioning of workflow processing among servers that are dedicated to specific functionality. For example, if a FIM Service is dedicated to servicing Requests that the Synchronization Service submits, all workflows that result from Synchronization Service Requests run only on that FIM Service.

  • Resolves an issue that caused a Request’s RequestStatus attribute to retain the value “Validating” even though the Request’s operation timed out.

  • Resolves an issue in EnumerateResourcesActivity that prevented the selection of which attributes to return. Previously, regardless of the attribute selection that was specified, all attributes that were bound to the enumerated resources were returned.

  • Owner-originated requests are now autoapproved.

  • Removes DomainSynchronizationActivity and replaces it with built-in logic to support cross-forest group management.

Known Issues

The following topics discuss known issues in FIM 2010.

General

UOC uniqueness checking works only in Create mode

Uniqueness checking in the UOC text box works only in the Create mode, not in the Edit mode. Attempting this check in Edit mode may cause the check to be performed when it is not intended.

Searches that contain an underscore and using “starts with” may time out

When a query uses the starts with operator to search with an input that contains an underscore, the query may time out. To work around this issue, we recommend using Display Name as the search attribute, which uses the contains operator by default.

Running repair on the FIM Service does not repair SQL Server Agent jobs

When running a repair operation on the FIM Service, SQL agent jobs are not repaired, as the repair operation does not have SQL Server Agent permissions.

Template files and 3rd Party C++ files are not signed.

The template files and the 3rd party C++ files that are included in the Forefront Identity Manager 2010 binaries are not signed. The reason is that these files are intended for customers to use as templates for their custom extensions. If they were signed, customers would not be able to use them after extending them. This is intentional and by design. This includes all template files and 3rd party C++ files associated with FIM Service, FIM Synchronization, and FIM Certificate Management. The file msvcm90.dll, which is located under C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\Microsoft.VC90.CRT, is a 3rd party C++ file and is also not signed.

Some 3rd Party redistributable files have invalid file version information.

The following files have invalid file version information (file, default location, description):

  • Infragistics2.Win.v5.3.dll, C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\bin: does not have a valid "Company name" property.

  • Infragistics2.Win.v5.3.dll, C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\bin: does not have a valid "Product name" property.

  • Infragistics2.Win.v5.3.dll, C:\Program Files (x86)\Microsoft Forefront Identity Manager\2010\CM Bulk Client\Bin\: does not have a valid "Company name" property.

  • Infragistics2.Win.v5.3.dll, C:\Program Files (x86)\Microsoft Forefront Identity Manager\2010\CM Bulk Client\Bin\: does not have a valid "Product name" property.

Microsoft.Clm.Config.exe requires elevated execution level.

The reason is that the application manifest for Microsoft.Clm.Config.exe has been marked with a requested execution level of requireAdministrator. This means that the application runs only for administrators and requires that the application be launched with the full access token of an administrator.

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>

MIISkmu.exe requires elevated execution level

The reason is that the MIISkmu.exe manifest has been marked with a requested execution level of requireAdministrator. This means that the application runs only for administrators and requires that the application be launched with the full access token of an administrator. MIISkmu.exe exports the Microsoft® Forefront Identity Manager (FIM) 2010 security encryption key to a binary file.

ClmUtil.exe requires elevated execution level

The reason is that the ClmUtil.exe manifest has been marked with a requested execution level of requireAdministrator. This means that the application runs only for administrators and requires that the application be launched with the full access token of an administrator.

Microsoft.CLM.BulkClient.exe requires elevated execution level

The reason is that the Microsoft.CLM.BulkClient.exe manifest has been marked with a requested execution level of requireAdministrator. This means that the application runs only for administrators and requires that the application be launched with the full access token of an administrator.

PCNS requires a reboot when installing or uninstalling.

The reason is that PCNS is hosted in LSASS. This means that when it is installed or uninstalled, a change to Active Directory is made, and Active Directory requires a reboot when changes are made there.

FIM Components do not run in Safe Mode.

The following is a list of FIM Components that do not run in Safe Mode.

  1. Password Registration – this is an IIS Service and IIS does not run in safe mode.

  2. FIM Portal – this is an IIS Service and IIS does not run in safe mode.

  3. Self-Service Password Reset Portal – this is an IIS Service and IIS does not run in safe mode.

  4. FIM Synchronization Service – this service has a dependency on SQL Server. SQL Server does not run in safe mode.

  5. FIM CM Server – this is an IIS Service and IIS does not run in safe mode.

  6. Password Change Notification Service – PCNS has a dependency on the SAMs (Service Accounts Manager) service to receive notifications. SAMs does not work in Safe Mode.

SharePoint displays very generic error message

If a user browses to the FIM Portal SharePoint page while the underlying SQL Server or SQL Server Express services that support SharePoint are down or inaccessible, SharePoint displays a very generic and unhelpful page to users. The error simply states that Internet Enhanced Security is not enabled. This error is controlled by SharePoint and does not help in determining the underlying issue. If you browse to the FIM Portal and receive such a generic error, verify that the SQL Server is running.

FIM Portal displays Service Not Available Error.

If a user browses to the FIM Portal, they may receive a ‘Service Not Available’ error under one or more of the following conditions:

  • The Forefront Identity Manager Service is stopped.

  • The underlying SQL Server service is stopped.

  • The SQL Server database is inaccessible.

If you browse to the FIM Portal and receive such an error, check the following:

  • Verify that the Forefront Identity Manager Service is started and running.

  • Verify the underlying SQL Server service is started and running.

  • Verify that the SQL Server database is accessible from the server running the FIM Service.

For additional troubleshooting information including how to enable logging to determine if a dependent service is causing the issue see Troubleshooting FIM 2010.

Management Policy Rules

Making Advanced View modifications of MPRs may cause unexpected results in this release

Modifying MPRs through the Advanced View of the portal is not supported and may lead to unexpected results. Use the standard view for MPR resource modifications.

Connecting to unsupported versions of connected directories

If you need to connect to an older version of a connected directory that FIM 2010 does not support, then you need to continue to use ILM 2007 to connect to those directories and use something to bridge between ILM 2007 and FIM, for example Active Directory Lightweight Directory Services (AD LDS). For a complete list of supported platforms on FIM, see Management Agents in FIM 2010 (https://go.microsoft.com/fwlink/?LinkId=187625).

For SQL or Oracle (SQL 7, or Oracle versions prior to 10g), you are unable to connect to these directories by using FIM 2010. To work around this limitation, use ILM 2007 (Feature Pack 1) to move the data to an Active Directory Application Mode (ADAM) instance or to a FIM 2010 supported version of SQL or Oracle before upgrading to FIM 2010.

Sets

General

For reference attributes that are used in set or group filters, avoid reference values that result in a circular reference

Reference attributes that are used in set or group filter definitions should not contain values that result in circular references. This may result in incorrect membership or failed requests.

Existing dynamic sets whose filters are not scoped to a specific resource type may have incorrect membership

Note

This issue only applies to upgraded installations, not clean installations of FIM 2010.

Sets with a filter that refers to an attribute that is not bound to the resource type that the filter is scoped to may have the wrong membership. For example, for the following set, the JobTitle attribute does not exist on the group type: /Group[not(JobTitle = 'IT Pro')].

Sets with a filter that is not restricted by a type outside the predicate (that is, filters that start with /*) and that include a not() statement may have the wrong membership, for example, /*[not(JobTitle = 'IT Pro')].

To resolve this issue in each case, delete and recreate the affected sets.

Dynamic set or group filters that are not scoped to a specific resource type must not include a negative condition on the ObjectID or ObjectType attribute

A filter that is not scoped to a specific resource type is one that begins with /*, for example: /*[DisplayName = ‘Test’]. These filters must not contain a condition on ObjectID or ObjectType that uses the != operator or the not() function. Using these conditions may return incorrect results.

Dynamic set or group filters that are not scoped to a specific resource type must not include a literal condition on the ObjectID attribute

A literal value is any value other than a reference to the membership of a set. Set filters that are not scoped to a specific resource type must not contain an equality expression on ObjectID where the right term in the expression is a literal value. Using such conditions may return incorrect results.

Dynamic set or group filters must not combine a condition on the ObjectID or ObjectType attribute with conditions on any other attribute using the OR operator

Users and groups

Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership

When previewing dynamic members of a group or set, an error message is displayed if the request times out. If you subsequently click Preview a second time, the query may show no members in the group or set, even if they do contain members. If this happens, click Cancel to close the dialog box and retry the preview operation. If the request times out again, the administrator may need to increase the server timeout.

Synchronization

Case changes and additions of trailing spaces are not committed to the FIM Service

If you submit a change through the FIM Service Web service that modifies an existing value only by changing the case or adding trailing spaces, the new value cannot be committed. This causes the Synchronization Service to miss confirming imports. For example, changing department to Department cannot be committed. To work around this issue, submit a value that includes a change other than a change in case or a change in trailing spaces. For example, change department to department 2, and then to Department, or change department to department x, and then to department.

Schema

Custom resources with ":", "(", or ")" in the name render the FIM Portal inoperable

In this release, do not use a colon [:] or parentheses [()] in the system name of a custom resource. Creating custom resources with these characters in the system name causes the FIM Portal to become inoperable and requires a reinstallation of the FIM Portal.

User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources

In this release, the user cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources. To work around the issue, you can temporarily add StringRegex, IntegerMinimum, or IntegerMaximum to the MPR named Administration - Schema: Administrators can change selected attributes of schema-related resources. Revert this change after the modification, because the MPR is there to protect against illegal modification of elements that are important to the system schema.

Default DisplayName and Description is not submitted during creation of BindingDescription

In this release, if the user does not modify the existing DisplayName or Description of a BindingDescription resource, the BindingDescription is created without DisplayName or Description even though in the user interface (UI) it appears that FIM 2010 has supplied a default value. The workaround is to update the DisplayName and Description after creation or supply a different value for these attributes during creation.

Custom resources with hyphens in their names do not create RCDC configuration XML correctly

You can create a custom attribute or custom resource type with a hyphen (-) in the system name. However, if you create an RCDC for this new resource, the RCDC configuration file that is created automatically is not correct. The RCDC uses the attribute name as the control name, but the control name does not support the hyphen (-). The workaround is to remove the hyphen from the control names in the RCDC configuration file.

Making certain unsupported attributes required

The following attribute types are not supported:

  1. Multivalued binary

  2. Multivalued text

If you create these attributes, designate them as required, and then bind a resource to them, you will be unable to create that resource or update any existing instance of that resource in the FIM Portal UI. You will receive an error when you attempt to submit the change.

To work around the issue, either mark the attribute as not required or, if it must be required, do not expose it in the FIM Portal.

Using the Web Services API to create a resource with a multivalued Boolean attribute stops the FIM Service

In this case, after the service stops, it cannot be restarted. You must reinstall FIM.

Workflow and Request processing

Cannot create a workflowdefinition after importing XOML

  • For this release, when you import XOML, you cannot go back and edit that process to add activities. You must create a new workflowdefinition.

Groups that are not mail-enabled should not be selected as recipients for any e-mail messages

  • For this release, when selecting groups as recipients for approvals or notifications, those groups must be mail-enabled.

Notification e-mail messages without text in the subject line or the body are not sent

  • For this release, system-created notification mails must have a subject line. If the subject line is left blank, the mail is not sent even if there are valid recipients and content in the body of the message.

    Similarly, notification mails created in the system must have a mail body. If the body is left blank, the mail is not sent, even if the recipient and subject are valid.

Requests that calculate zero approvers for changes to nongroup resources may become nonresponsive

  • Requests that calculate zero approvers for changes to nongroup resources may become nonresponsive in the authorizing state. You cannot cancel these requests. Ensure that the FIM configuration calculates at least one approver for every approval.

Workflow XOMLs containing an approval activity are not generated correctly by Visual Studio

  • If a workflow containing a FIM approval activity is designed in Microsoft Visual Studio®, the approval activity in the workflow XOML does not contain a ReceiveActivity. Instead, the workflow itself contains a ReceiveActivity. This Visual Studio–generated XOML does not function correctly in FIM. The ReceiveActivity must be contained within the approval activity in the XOML. For an illustrated example of the correct usage of the approval activity in a XOML, create a new authorization workflow containing an approval in the FIM portal, and view the XOML definition in Advanced View.
The lookup parameter does not accept nonalphanumeric characters

When creating or editing a workflow and using the lookup parameter inside an activity, you cannot select an attribute with a nonalphanumeric character such as hyphen (-) or underscore (_).

Queries

Invalid queries can return incorrect results

  • In this release, not all invalid queries are caught. Sometimes they return results even though they are incorrect. The query documentation explains what queries are possible and what to expect if you enter an incorrect expression.

Configuration Migration

Migrating configurations from an environment with upgrades to a clean install of RTM requires updating version numbers

In this release, you can only migrate configurations across the same versions of FIM. If you have a configured environment that had any upgrades applied and you want to migrate its configuration to a clean install of FIM, it is a known issue that the binding redirections and old versions of DLLs are not included in the fresh install. Without these binding redirections and old versions, the migrated configuration cannot work. To work around this issue, edit the policy.xml and schema.xml files obtained from ExportPolicy.ps1 and ExportSchema.ps1 by replacing any of the following version numbers:

  • 4.0.2560.0

  • 4.0.2570.0

  • 4.0.2574.0

  • 4.0.2587.0

with the following version number:

  • 4.0.2592.0

You can find ExportPolicy.ps1 and ExportSchema.ps1 in the FIM 2010 Configuration Migration Tool Deployment Guide.
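The replacement step above can be scripted. The following is an added example, not part of the FIM Configuration Migration Tool, that rewrites the four pre-RTM version numbers to 4.0.2592.0 in the text of policy.xml or schema.xml and reports what it changed; the sample XML is constructed and assumes only that the files carry assembly version references in the usual Version=... form.

```python
"""Rewrite the pre-RTM FIM version numbers to the RTM version in exported XML.

Added example, not the Configuration Migration Tool's own code.  It matches
only whole version tokens (a digit or dot on either side blocks the match), so
a value such as 14.0.2560.0 is left untouched, and it counts replacements per
old version so the edit can be verified before the file is imported.
"""
import re
import shutil
from collections import Counter
from typing import Tuple

OLD_VERSIONS = ("4.0.2560.0", "4.0.2570.0", "4.0.2574.0", "4.0.2587.0")
NEW_VERSION = "4.0.2592.0"

_VERSION_RE = re.compile(
    r"(?<![\d.])(" + "|".join(re.escape(v) for v in OLD_VERSIONS) + r")(?![\d.])"
)

# Constructed sample in assembly-qualified-name style; not real export output.
SAMPLE_XML = """<!-- constructed sample, not real ExportPolicy.ps1 output -->
<Policy>
  <Activity Type="Example.ActivityA, Example.Assembly, Version=4.0.2560.0, Culture=neutral, PublicKeyToken=PLACEHOLDER" />
  <Activity Type="Example.ActivityB, Example.Assembly, Version=4.0.2587.0, Culture=neutral, PublicKeyToken=PLACEHOLDER" />
  <Activity Type="Example.ActivityC, Example.Assembly, Version=4.0.2560.0, Culture=neutral, PublicKeyToken=PLACEHOLDER" />
  <Activity Type="Example.ActivityD, Example.Assembly, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=PLACEHOLDER" />
  <Activity Type="Other.Thing, Other.Assembly, Version=14.0.2560.0, Culture=neutral, PublicKeyToken=PLACEHOLDER" />
</Policy>
"""


def rewrite_versions(text: str) -> Tuple[str, Counter]:
    """Return the rewritten text and a Counter of replacements per old version."""
    counts: Counter = Counter()

    def _replace(match: "re.Match[str]") -> str:
        counts[match.group(1)] += 1
        return NEW_VERSION

    return _VERSION_RE.sub(_replace, text), counts


def rewrite_file(path: str, backup_suffix: str = ".bak") -> Counter:
    """Rewrite a policy.xml/schema.xml in place, keeping a backup copy."""
    with open(path, encoding="utf-8") as handle:
        original = handle.read()
    new_text, counts = rewrite_versions(original)
    if counts:
        shutil.copyfile(path, path + backup_suffix)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(new_text)
    return counts


if __name__ == "__main__":
    rewritten, report = rewrite_versions(SAMPLE_XML)
    for old, n in sorted(report.items()):
        print(f"{old} -> {NEW_VERSION}: {n} replacement(s)")
    print(rewritten)
```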

FIM Add-ins and Extensions

During installation of Chinese (zh-TW) add-ins and extensions, duplicate entries for https: appear on the Trusted Sites selection page

  • During installation of the FIM Add-ins and Extensions for Chinese (zh-TW), duplicate options are displayed on the Trusted Sites selection page. To select https: (recommended), select the second option. To select http: (not recommended), select the third option.

German de-DE not supported in Internet Explorer 6

  • If you add German language support in IE 6, de-DE is NOT one of the options, only de. However, only de-DE is supported by FIM. If de is selected as the locale, the FIM Portal will not display in German because de is not a supported locale.

Release Notes for Forefront Identity Manager Certificate Manager (FIM CM)

Installing FIM CM

Complete installation instructions for Microsoft® Forefront Identity Manager Certificate Management (FIM CM) are located in the FIM CM Installation Guides.

Microsoft® Forefront Identity Manager Certificate Management (FIM CM) does not support multi-forest management (across forests).

Upgrade from CLM FP1

Because CLM Feature Pack (FP1) is supported only on 32-bit platforms and FIM CM is only supported on 64-bit platforms, upgrading from CLM FP1 to FIM CM is not supported. However, the CLM 2007 database can be exported and re-used in a new FIM CM deployment.

What's New in FIM CM

The following sections cover new features, but you may also want to review the FIM CM FAQ on the TechNet Wiki.

FIM CM Portal Server support for Windows Server 2008 64-Bit and Windows Server 2008 R2

The FIM CM server only supports installation on Windows Server 2008 64-Bit and Windows Server 2008 R2.

FIM CM CA modules support for Windows Server 2008 64-Bit and 32-Bit and Windows Server 2008 R2

The FIM CM certification authority (CA) modules now support installation on Windows Server 2008 R2 and 64-bit and 32-bit versions of Windows Server 2008 in addition to 32-bit versions of Windows Server 2003.

Client support for Windows 7 and Windows Vista 64-bit

The FIM CM client now supports installation on both 32-bit and 64-bit versions of Windows Vista® and Windows 7, in addition to the 32-bit version of Windows XP.

Warning

Identification, Authentication and Signature (IAS) cards are not supported on Windows Vista 64-bit versions.

Updated middleware support

FIM CM adds updated support for the following middleware versions (the support table lists each version under the product that supports it: CLM, CLM FP1, or FIM CM):

  • Axalto Access Client Software version 5.2

  • Axalto Access Client Software version 5.3

  • Gemalto Access Client v5.4

  • AET SafeSign Identity Client version 2.2

  • AET SafeSign Identity Client version 2.3

  • Aladdin eToken Runtime Environment version 3.65

  • Aladdin eToken Runtime Environment version 4.5

  • Aladdin eToken 5.0 32-bit

  • Gemplus GemSafe version 4.2 Service Pack 3 (SP3)

  • Gemplus GemSafe version 5.1

  • Gemalto Classic Client v5.1.8

  • Siemens HiPath SIcurity Card API version 3.1.026

  • Siemens HiPath SIcurity Card API version 3.2

  • BaseCsp v5

  • BaseCsp v5

For More Information

For complete FIM CM documentation, see the Forefront Identity Manager Technical Library (https://go.microsoft.com/fwlink/?LinkId=184552).

Known Issues

Installation

Server installation

  • During the installation of the FIM CM Server, if you receive the error message This application has failed to start because the application configuration is incorrect, this may indicate that Microsoft .NET Framework is not installed on that computer. Verify that the .NET Framework is installed, and run the installation again. For .NET Framework requirements, see the CM Installation and Configuration guide (https://go.microsoft.com/fwlink/?LinkID=184292).

Client installation

  • During the installation of the FIM CM Bulk Smart Card Issuance Tool or the FIM CM client, if you receive the error message This application has failed to start because the application configuration is incorrect, this may indicate that the .NET Framework is not installed on that computer.

  • The 64-bit client installs only the 64-bit binaries. It does not install the 32-bit Microsoft ActiveX® controls. If you use the 32-bit version of Windows Internet Explorer®, then you must use the 32-bit version of the client.

    Note

    On the 64-bit client operating systems, the default Internet Explorer is the 32-bit version.

  • The FIM CM client requires .NET Framework 3.5.

  • Use of SiteLock instead of Trusted Sites

    CM Client no longer requires Trusted Sites zone. Instead, the allowed site must be specified in the registry by using either a group policy or a manual setting. If nothing is specified, the CM Client does not work.

    Important

    If you are installing on Internet Explorer 7, Trusted Sites is still required, since protected mode is On in Local intranet zone by default.

    Group policy: HKCU\SOFTWARE\Policies\Microsoft\Clm\v1.0\SmartCardClient

    Manual (fallback mechanism): HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient

    Both keys use the "SiteLock" REG_SZ value that should contain a ";" delimited list of allowed sites. Both HTTP and HTTPS are allowed.

    The record is considered a match if the domain matches the domain of the URL exactly, or if the URL is a subdomain of an exact match. For example, microsoft.com matches microsoft.com and office.microsoft.com; it does not match mymicrosoft.com or www.microsoft.com.sales.com.

    If the domain begins with “*.”, only child domains match: *.microsoft.com matches users.microsoft.com but does not match microsoft.com.

    If the domain begins with “=”, only the specified domain matches: =microsoft.com matches microsoft.com but does not match www.microsoft.com.

    Note

    The wildcard character “*” matches all domains.

    CM Sitelock settings are case sensitive, meaning that the registry setting should match the case of the Service Principal Name (SPN).
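To check a candidate SiteLock value against the rules above before writing it to either SmartCardClient key, here is an added example (not the CM client's code, and it does not touch the registry) that models those rules in Python. The sample SiteLock value and URLs are constructed; the scheme check reflects the note that both HTTP and HTTPS are allowed, and hosts are compared case-sensitively as the notes require.

```python
"""Model of the FIM CM client SiteLock matching rules from the release notes.

Added example: this is not the CM client's own code.  It implements the
documented entry forms (bare domain, "*." prefix, "=" prefix, "*" wildcard)
with case-sensitive comparison, so an administrator can see which entry, if
any, would admit a given URL before deploying the REG_SZ value.
"""
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample SiteLock REG_SZ value (";"-delimited, per the notes).
SAMPLE_SITELOCK = "cm.corp.example;*.lab.example;=portal.example"


def parse_sitelock(value: str) -> List[str]:
    """Split the REG_SZ value into entries, dropping empty fragments."""
    return [entry.strip() for entry in value.split(";") if entry.strip()]


def entry_matches(entry: str, host: str) -> bool:
    """Apply one SiteLock entry to a host name, comparing case-sensitively."""
    if entry == "*":                      # wildcard: every domain matches
        return True
    if entry.startswith("="):             # "=" prefix: only that exact domain
        return host == entry[1:]
    if entry.startswith("*."):            # "*." prefix: child domains only;
        return host.endswith(entry[1:])   # entry[1:] is ".parent", so the parent itself fails
    # Bare domain: the domain itself or any subdomain of it, never a
    # superstring such as mymicrosoft.com or www.microsoft.com.sales.com
    return host == entry or host.endswith("." + entry)


def url_host(url: str) -> str:
    """Extract the host from a URL without folding its case.

    urlsplit(...).hostname lowercases the host, which would hide the
    case-sensitivity the notes warn about, so the netloc is split by hand.
    """
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]   # drop any userinfo
    if netloc.startswith("["):                          # bracketed IPv6 literal
        return netloc[1:netloc.index("]")]
    return netloc.split(":", 1)[0]                      # drop any port


def matching_entry(url: str, sitelock: str) -> Optional[str]:
    """Return the first SiteLock entry that admits the URL, or None."""
    if urlsplit(url).scheme not in ("http", "https"):  # both allowed, nothing else
        return None
    host = url_host(url)
    if not host:
        return None
    for entry in parse_sitelock(sitelock):
        if entry_matches(entry, host):
            return entry
    return None


def is_allowed(url: str, sitelock: str) -> bool:
    """True when some SiteLock entry admits the URL."""
    return matching_entry(url, sitelock) is not None


if __name__ == "__main__":
    for candidate in ("https://cm.corp.example/CertificateManagement",
                      "https://CM.corp.example/CertificateManagement",
                      "https://kiosk.lab.example/",
                      "https://lab.example/",
                      "https://www.portal.example/"):
        print(f"{candidate:48} -> {matching_entry(candidate, SAMPLE_SITELOCK)}")
```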

Bulk Client Configuration

  • To address the following condition noted by an error message displayed when you visit a Web site that is hosted on Microsoft Internet Information Services (IIS) 7.0: HTTP Error 404.11 – URL_DOUBLE_ESCAPED, read and apply the following Knowledge Base article, Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED" (https://go.microsoft.com/fwlink/?LinkId=184295).

    Note

    It is important to understand that when you enable double escaped sequences, the security level of the server that is running IIS may be decreased.

  • When the event log is full, the Bulk Client does not operate correctly. An exception is thrown when you try to log to the event log. The default settings in Windows XP do not overwrite an event log entry when the log is full. The workaround is to overwrite the event log as needed to prevent this condition.

General

  • The error Data is invalid at the root level occurs when creating requests.

    • You may receive the error Data is invalid at the root level when creating a request. If you receive this error, verify that the CNG Key Isolation service is running on the FIM CM Server computer. If it is not set to start automatically, ensure that you do so.
  • The ability to import encryption certificates and their associated private keys onto a Microsoft Smart Card Base CSP-compliant smart card is controlled through registry settings. For example, when an encryption certificate is included in the profile template, an import of an encryption certificate is required for Duplicate, Replace, or Temporary card workflows.

    If you see an error indicating that the current settings of the Base CSP provider do not allow private key import, ensure that the appropriate DWORD registry settings are in place. Which key to set is determined by the combination of the operating system and the type of FIM CM client in use, as described in the following list.

    If you are using a 32-bit operating system and the 32-bit FIM CM client:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

    • Set AllowPrivateExchangeKeyImport = 1

    • Set AllowPrivateSignatureKeyImport = 1

    If you are using a 64-bit operating system and the 64-bit FIM CM client:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

    • Set AllowPrivateExchangeKeyImport = 1

    • Set AllowPrivateSignatureKeyImport = 1

    If you are using a 64-bit operating system and the 32-bit FIM CM client:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]

    • Set AllowPrivateExchangeKeyImport = 1

    • Set AllowPrivateSignatureKeyImport = 1

    Tip

    If you are using a 64-bit operating system, consider making both of the changes shown for 64-bit operating systems, as this will allow you to proceed regardless of the FIM client type installed.
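    The same registry changes applied with PowerShell, as an added example (not a script from the release notes or from FIM CM). It writes both DWORDs to the native provider key and, on a 64-bit operating system, also to the Wow6432Node key, which is the approach the tip above recommends; the key paths are the ones listed above. Run it from an elevated prompt.

```powershell
# Added example (not FIM CM product code): enable private key import for the
# Microsoft Base Smart Card Crypto Provider in every registry view this machine has.
$providerSubKey = 'Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider'
$nativeKey = "HKLM:\SOFTWARE\$providerSubKey"                 # 32-bit client on 32-bit OS, 64-bit client on 64-bit OS
$wow64Key  = "HKLM:\SOFTWARE\Wow6432Node\$providerSubKey"     # 32-bit client on 64-bit OS
$names     = 'AllowPrivateExchangeKeyImport', 'AllowPrivateSignatureKeyImport'

# On 64-bit Windows set both views so that either FIM CM client type works.
$targets = if ([Environment]::Is64BitOperatingSystem) { @($nativeKey, $wow64Key) } else { @($nativeKey) }

foreach ($key in $targets) {
    if (-not (Test-Path -Path $key)) {
        # The provider key is created by the Base CSP itself; do not invent it here.
        Write-Warning "Provider key not present, skipping: $key"
        continue
    }

    foreach ($name in $names) {
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    }

    # Read back what was written so the result is visible in the transcript.
    $values = Get-ItemProperty -Path $key -Name $names
    foreach ($name in $names) {
        '{0}\{1} = {2}' -f $key, $name, $values.$name
    }
}
```

    The read-back at the end is there on purpose: if the values are later found reset to 0, that points at another agent or policy rewriting the provider key rather than at the FIM CM client.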

  • Only the 32-bit version of Gemalto smart card middleware is supported on Windows Vista 64-bit and Windows 7 64-bit. Only the 32-bit version of Aladdin smart card middleware is supported on Windows Vista 64-bit. Aladdin middleware is not supported at all on Windows 7.

  • When an IT manager wants to change the number of query results displayed by the CM Web Portal, the manager needs to change the key Clm.MaxRecord in the CM web.config file.

    A value less than 100 is ignored and 100 is used instead.

    Note

    The default location for the Web.config file is ...\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config.

  • Server-side printing not supported by Word: Run-time behavior for server-side printing is exactly as currently implemented up to the point where the document is sent to Microsoft Office Word for printing. If the server-side printing selection is made, the document is saved only on the server. The document is saved in the location with the document templates but with the subscriber’s samAccountName to facilitate identification. The document name uses the following format: [domain]-[samaccountname]-[template name], for example, corp-johns-test.xml.

  • If you are using an Aladdin eToken to perform more than one operation, the token must be removed and reinserted. Only one operation can be run per eToken insertion (restarting Internet Explorer makes no difference). To run another operation, you have to remove the eToken and insert it again.

  • Deleting a user from AD DS breaks the CM management processes and causes many potential system malfunctions. Do not delete user accounts from AD DS.

  • KRA certificates that are received manually, and their associated private keys, should be imported into the Windows user profile of the FIM KRA Agent on the Certificate Management server so that they are available for the KRA account to use.

  • Default out-of-the-box implementation of ICardInitialization interface uses a certificate and its associated private key in the key diversification process. The default implementation does not support storing this certificate on an HSM.

  • The Admin key diversification certificate must always be archived. This will enable access to the smart cards that were diversified with this certificate beyond the certificate lifetime.

See Also

Other Resources

FIM User Forum
FIM FAQ Collection
FIM CM FAQ