Welcome to the release notes for Microsoft® Identity Lifecycle Manager "2" (ILM "2") Release Candidate (RC). Before you install this application, we recommend that you read this entire document and the ILM "2" installation guide. You can use these notes to guide you as you troubleshoot issues that arise when you use ILM "2".
Before You Begin
Before evaluating ILM "2", please be aware of the following limitations of this release:
-
This release is focused on introducing additional ILM "2" features not included in earlier releases and improving features included in the previous release. This release is intended for limited evaluation by customers. Performance and stress are not optimized in this release. Heavily loading the system in this release could result in timeouts or other performance issues.
Instructions for Installing ILM "2"
You can find the software and hardware prerequisites information and instructions for installing ILM "2" in the ILM "2" installation guide included in the download package.
Known Issues
The following topics discuss known issues in ILM "2".
General
Upgrading from ILM 2007 to ILM "2" may reveal incompatible metaverse schema
-
When upgrading from ILM 2007 to ILM "2", the existing metaverse schema may conflict with the new ILM "2" metaverse schema. During the creation of the management agent for ILM, a schema upgrade dialog will appear. Make sure to read the entire schema upgrade dialog as some entries, such as warnings and errors, may appear at the bottom of the Update Status list box. A summary of the steps to take during upgrade is available at the bottom of the list box.
Understanding the Purpose of the Synchronization Account
-
During setup, you enter the account the ILM management agent (MA) uses to connect to the ILM Core Services. The purpose of this account is to be able to identify the synchronization engine when it is exporting to the core services through the web services. When the synchronization engine is exporting, all authentication (AuthN) and authorization (AuthZ) workflows are ignored and only action workflows will run.
If you have a connected system that is authoritative and is creating objects in ILM "2", the export cannot be subject to AuthN or AuthZ. Since the change already is committed in the connected system, any decision made in an AuthZ workflow cannot easily be reflected as an action by the synchronization engine.
Consequently, the account used for the ILM MA should be treated as a trusted account and should not be used to access the ILM Portal. If it is, all requests made through the ILM Portal with this account will skip AuthN and AuthZ.
There might be other scenarios where a similar behavior is needed for other trusted accounts.
If you later have to change to use another account, the setting is stored in the file Microsoft.ResourceManagement.Service.exe.config. You must restart ILM Common Service after the change is made.
ILM Portal frame renders but no data is displayed if the ILM Service cannot be reached
-
If Windows® SharePoint® Services cannot communicate with the ILM Service, the ILM Portal frame will render but no other data will be displayed and no error message appears. This can happen if the ILM Service is not started or TCP port 526 is blocked. Other communication errors can cause the same behavior. To resolve this issue, ensure that the ILM Service is running and that the Windows SharePoint Services portal can communicate with the ILM Service.
Editing a custom object can result in a blank page upon submission
-
When editing a custom object, clicking Submit may result in a blank page being shown in the ILM Portal, depending on the circumstances. Any time you click Submit in the ILM Portal to submit a request, there are three possible outcomes:
- The submission succeeds and the request is completed.
- The submission succeeds but the request is not completed. For example, the request may be denied, or could be pending approval.
- The submission fails.
When editing a custom object, in all the above cases the operation is performed correctly. However, status information may not be properly displayed in the second and third cases. Instead, a blank page is shown. To view the status of the request, click Manage My Requests on the ILM Portal home page.
Manually updating SQL statistics after bulk load
-
If you bulk load, either through the ILM MA or via the Web service protocol, a large collection of objects into the ILM "2" system, you might experience significant performance degradation immediately afterward.
This happens because the SQL Server has not yet updated its statistics for the new objects. You can force an update of statistics by running the following SQL commands:
USE MSILM;
GO
-- Rebuild the statistics on the objects table after a bulk load
UPDATE STATISTICS ObjectsInternal WITH FULLSCAN;
GO
Performance degradation may occur on Windows 2008 Servers with Hyper-V™ installed
-
If Hyper-V is installed on the Windows Server 2008 server where ILM "2" is installed, the performance of ILM "2" may be degraded. If ILM "2" appears to be running slowly, try uninstalling Hyper-V.
Advanced View not supported for Request and Approval Objects
-
In this release of ILM "2", the Advanced View for the Request and Approval objects is not available. Clicking on Advanced View for those objects will result in an error.
When using Windows Server 2008 and not connected to the internet, the user will experience significant delays when trying to perform most tasks.
-
When using Windows Server 2008 without an internet connection, the user will experience significant delays when trying to perform most tasks in the ILM Portal. To work around this issue:
- Click Start, click Run, type Regedit and click OK.
- Click LOCAL_MACHINE, then SOFTWARE, (wow6432node), then Microsoft, then Windows, then CurrentVersion, then Internet Settings.
- Double-click CodeBaseSearchPath, and in Value Data, remove http://activex.microsoft.com/objects/ocget.dll, so that the remaining value is CODEPATH;
- Click LOCAL_MACHINE, then SOFTWARE, then Wow6432Node, then Microsoft, then Windows, then CurrentVersion, then Internet Settings.
- Double-click CodeBaseSearchPath, and in Value Data, remove http://activex.microsoft.com/objects/ocget.dll, so that the remaining value is CODEPATH;
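The same change scripted for both keys, as an added PowerShell example that is not part of these release notes. It assumes an elevated session, removes only the ocget.dll entry from the semicolon-separated list, and leaves any other entries in place.

```powershell
# Added example, not from the ILM "2" release notes. Run in an elevated session.
# Removes the ocget.dll download URL from CodeBaseSearchPath in both the native
# and the Wow6432Node Internet Settings keys, as the manual steps above describe.
$KeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$UrlToRemove = 'http://activex.microsoft.com/objects/ocget.dll'

foreach ($KeyPath in $KeyPaths) {
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Host "Skipping, key not present: $KeyPath"
        continue
    }
    $Props = Get-ItemProperty -Path $KeyPath -Name CodeBaseSearchPath -ErrorAction SilentlyContinue
    if ($null -eq $Props) {
        Write-Host "Skipping, CodeBaseSearchPath not set: $KeyPath"
        continue
    }
    $Current = [string]$Props.CodeBaseSearchPath

    # The value is a semicolon-separated list. Keep every entry except the
    # ocget.dll URL, in the original order, and keep the trailing semicolon
    # so the result matches the "CODEPATH;" form shown in the steps above.
    $Entries = @($Current.Split(';') | Where-Object { $_ -ne '' })
    $Kept    = @($Entries | Where-Object { $_ -ne $UrlToRemove })
    if ($Kept.Count -eq $Entries.Count) {
        Write-Host "Already clean: $KeyPath"
        continue
    }
    $New = ($Kept -join ';') + ';'

    # Record the old value before changing it so the edit can be reverted by hand.
    Write-Host "Updating $KeyPath"
    Write-Host "  old value: $Current"
    Write-Host "  new value: $New"
    Set-ItemProperty -Path $KeyPath -Name CodeBaseSearchPath -Value $New
}
```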
ILM Portal buttons won’t work if browser security disables JavaScript
-
When using the ILM Portal in Windows Server 2008, the controls or buttons will not work unless the browser security settings for Internet Explorer are set to enable JavaScript.
Compiling Rules and Data Source Extensions
-
In ILM "2" RC, a change has been made to MicrosoftMetadirectoryServices.dll to allow strong-name signing of Rules and Data Source Extensions. As a result, you may need to change existing Visual Studio projects.
The ILM "2" Synchronization Service now ships with two dynamic-link libraries (DLLs) that define the interfaces and types for Rules and Data Source Extensions. The first is the version shipped in previous versions of the Synchronization Server, MicrosoftMetadirectoryServices.dll. The version of this DLL shipped with ILM "2" RC will allow existing Rules and Data Source Extensions to continue to function normally without recompilation. However, when creating new or recompiling existing Rules and Data Source Extensions, references to this DLL will result in compiler errors. Specifically, you will see the following compiler error when referencing MicrosoftMetadirectoryServices.dll from ILM "2" RC:
- Error 1 The type or namespace name <name> could not be found (are you missing a using directive or an assembly reference?)
Where <name> is the name of a function or type found in the Microsoft.MetadirectoryServices namespace.
Starting with ILM "2" RC you must reference the strong-signed DLL, MicrosoftMetadirectoryServicesEx.dll, when creating new or recompiling existing Rules and Data Source Extensions. This DLL contains the implementation that was formerly contained in MicrosoftMetadirectoryServices.dll. The new DLL is functionally equivalent to the previous DLL with the exception of strong-name signing.
When creating new Visual Studio projects using Identity Manager, these projects will reference the new DLL, MicrosoftMetadirectoryServicesEx.dll. If you are creating your own Visual Studio projects, make sure to reference the new DLL, MicrosoftMetadirectoryServicesEx.dll, when you would have referenced the previous DLL, MicrosoftMetadirectoryServices.dll. If you are re-compiling an existing Visual Studio project, make sure to delete the reference to MicrosoftMetadirectoryServices.dll and add a new reference to MicrosoftMetadirectoryServicesEx.dll.
For existing Rules and Data Source Extensions, no recompilation is required; these extensions will continue to function normally.
Setup
Unable to install against an existing database
-
In this release, you will receive an error if you attempt to install ILM "2" in the following scenarios:
- Reinstall an existing ILM "2" server
- Install a scaleout ILM "2" server
To work around this issue, complete the following steps:
- Back up your existing MSILM database.
- Delete the MSILM database from the server.
- Install the ILM "2" server.
- Restore your MSILM database from backup.
Install only one language from the server language pack
-
For this release, when installing the ILM "2" Server Language Pack, select either Japanese or German, but not both. If both languages are installed, modifications to localized attribute values in ILM "2" may not be processed correctly.
ILM SharePoint Portal and ILM Service must be installed on the same server for localized installations
-
If you are installing ILM "2" RC with ILM "2" Language Packs, you must install the ILM Portal and the ILM Service on the same physical server.
When trying to download the ActiveX client for ILM "2" Authentication, the links to download the client are broken
-
When trying to download the ActiveX client for ILM "2" Authentication, the links to download the client are broken. You can fix the links with the following steps:
- Navigate to C:\%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\template\layouts\MSILM2.
- Create two folders under MSILM2: PasswordManagementClient and PasswordManagementClient(x86).
- Copy the 32-bit signed client msi file to PasswordManagementClient(x86) and rename it to ilm-client.msi, and the 64-bit signed client msi file to PasswordManagementClient and rename it to ilm-client.msi.
This creates the following two files that need to exist for the links to work:
- C:\%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\template\layouts\MSILM2\PasswordManagementClient(x86)\ilm-client.msi
- C:\%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\template\layouts\MSILM2\PasswordManagementClient\ilm-client.msi
Management Policy Rules (MPR)
Removing permissions rules can render the ILM Portal nonfunctional
-
Deleting or modifying the default permissions rules in the system can leave the ILM Portal nonfunctional. ILM Portal pages are dependent on the user’s read access to the objects and attributes defined in the default rules. Carefully consider the effect of any permission rule changes before applying them and keep a record of the changes so you can revert them if necessary.
Removing the Administrators Set or associated permission rules can lead to system lockout
-
Removing the default administrative set or associated permissions can lead to system lockout, making it impossible to further grant permissions in the system. In extreme situations, the permission rule changes will require a system re-install. It is recommended that you do not delete or modify the administrative set or permission rules. Carefully consider the effect of any permission rule changes before applying them and keep a record of the changes so you can revert them if necessary.
Users require the Read permission to be able to modify objects and their attributes through the ILM Portal
-
To grant the permission for users to modify objects and their values, the users need to be granted both the Modify and the Read permission on the target objects.
Do not delete or modify the permission rule “Anyone can read configuration objects”
-
The ILM Portal requires this rule. Its removal can render the ILM Portal nonfunctional.
“Replace” operation is not supported for the ActionParameter attribute in a Management Policy Rule (MPR)
-
The ILM "2" service does not support using the “Replace” operation in the Modify requests for the ActionParameter attribute of a MPR. Use “Add” and “Delete” operations instead to update the value of this attribute.
Sets
Cannot change a set with existing dynamic membership to a set with only explicit membership
-
In this release, if you try to change a set with existing dynamic membership to a set with only explicit membership, the change will appear to succeed in the ILM Portal UI. However, the underlying set will still be calculated based on the last-modified filter. The workaround is to delete the set and create a new set that contains only explicit membership.
Creating Large Groups or Sets May Time Out at Higher Scales
-
Depending on the size of your ILM Service Database, creating a Set or Group with thousands of members will sometimes cause a timeout through the ILM Portal. This has been observed in Sets or Groups that have a direct membership of over 10,000 objects. Editing a Set or Group that results in thousands of members being added to it will result in the same behavior.
Users should refrain from creating Sets or Groups with large memberships. If it is absolutely necessary, adjust the timeout values in the ILM resource management service configuration file beyond the 58-second default to whatever longer value is needed to complete the creation of the Set or Group.
Filters At Scale Should Avoid the NOT and Contains Operator
-
In large-scale environments, that is, 10,000 users or more, the effect of performing queries or creating Sets or Groups with specific filter types becomes more pronounced. In general, a filter with a single clause using a NOT condition will result in extremely poor query performance. If the NOT operator is to be used, it should be combined with other clauses that use non-negation operators.
Additionally, the Contains operator should be avoided when performing queries or creating Sets or Groups. When possible, use exact equality matching (is) or starts with, as Contains is known to cause severe query performance degradation. Again, if the Contains operator must be used, combine it with additional equality-based clauses that scope down the result set on which the Contains operator is evaluated.
Cannot use any attribute other than ObjectID to reference the members of a set
-
In this release, when creating a set it is not possible to include a condition that uses any attribute other than ObjectID to test whether an object is a member of another set. For example, the following XPath filter, which identifies all people whose manager is in the specified set, is not supported as a set filter:
/Person[Manager = membersof('11111111-1111-1111-1111-111111111111')]
However, the following XPath filter, which identifies all people who are themselves in the specified set, is supported as a set filter:
/Person[ObjectID = membersof('11111111-1111-1111-1111-111111111111')]
Users and Groups
User and Group objects can be searched only by display name
-
Searching for a user or group by its account name, or by any attribute other than display name, will not retrieve the user or group, even if the object is in the system. For this release, ILM "2" can only search by display name. To work around this issue, search by display name.
Unable to process Put message on group operation
-
When performing an operation, such as add or remove member, on an owner approved group, you may receive the message Unable to process Put message. This is caused by an intermittent condition that occurs when multiple workflows run simultaneously for the same request. Subsequent attempts to perform the same operation will likely succeed without issue.
Updating the membership of a static group may require multiple database operations
-
Updating the membership of a static group may require multiple database operations, which consume several hundred milliseconds per group member. As a result, a client may receive a time-out indication in response to a request to update a group, even when the request is still being processed by the server.
Domain configuration objects must have the value of the NetBIOS name of the domain
-
All domain configuration objects should have the value of the Domain attribute expressed as the NetBIOS name of the domain, such as “MyDomain”.
Synchronization
MIISOperators and MIISJoiners cannot run Identity Manager
-
Members of the MIISOperators and MIISJoiners security groups cannot run Identity Manager. To work around this issue, open Identity Manager as a member of the MIISAdmins group.
Server address must be changed if synchronization engine is not installed on the same server as the web server
-
The server address the ILM MA uses to contact the web service for export can be found in the miiserver.exe.config file. This will be set to localhost by default and must be changed if the synchronization engine is not located on the same server as the web server.
Exports should be run on the ILM MA to make sure that deletion of the ILM MA connector space does not result in orphaned metaverse objects
-
Deleting the ILM MA connector space (CS) will result in existing metaverse (MV) objects being disconnected from their associated ILM MA application store objects. Before deleting the ILM MA CS, make sure that all newly provisioned objects in that connector space have been exported to the ILM application store. If this is not done, then on the next full synchronization of the ILM MA the CS objects will not be rejoined to their associated MV objects according to the ILM MA object type mappings.
The schema for the ILM MA must be refreshed when new objects are added
-
When you create a new custom object and add it to the synchronization filter object, the ILM MA will show a stopped-error message during import. The schema must be refreshed on the management agent before running an import.
Additional permissions required for management agent for Lotus Notes
-
To create a management agent for Lotus Notes you must first grant additional permissions.
- Click Start, Programs, Administrative Tools, then Component Services.
- Expand Component Services, click Computers, My Computer, then DCOM Config.
- Right-click Microsoft Metadirectory Notes Utility Component and click Properties.
- Click Security, and in Launch and Activation Permissions, make sure that Customize is selected, and click Edit.
- If the Domino server is installed locally, select the MIISAdmins group and allow Local Launch and Local Activation.
- If the Domino server is installed remotely, select the MIISAdmins group and allow Remote Launch and Remote Activation.
- Click OK twice.
Add mandatory attributes to custom objects
-
To flow objects in the ILM MA between the ILM object store and the metaverse, two attributes must be added to the custom object: DisplayName and CSObjectID. Those attributes must also be set up to flow in the management agent.
The ILM MA account requires read access to miiserver.exe
-
In order to run properly, the ILM MA account requires Read access to miiserver.exe. Without Read access, you may see cd-error for all ILM MA operations, or stopped-server for all ILM MA import and export operations. To ensure that the ILM MA account has the correct access, do one of the following:
- Use the Synchronization service account for the ILM MA account, or
- Add the ILM MA account to the MIISAdmins security group.
Changes made in the ILM “2” Core Services tier are not visible for 60 seconds
-
All changes made in the ILM "2" Core Services tier, such as creating a user or adding a user to a group, are not visible to the Sync Engine and the ILM MA for 60 seconds. This value should be left at its default for all testing to make sure data is consistent. If, for demo purposes, you need to change this value, you can create a registry value named ILMTimeOffset of type REG_DWORD under the key HKLM\SOFTWARE\Microsoft\Microsoft Identity Integration Server. Set the value to the number of seconds the ILM MA should wait when reading the delta change-log. Ensure that the ILM MA account has read access to this registry key.
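A scripted version of the demo-only change above, as an added PowerShell example that is not from these release notes. The account name and the offset value are placeholders, and the ACL check only looks at entries that name that account directly.

```powershell
# Added example, not from the ILM "2" release notes. Run in an elevated session.
# Creates the ILMTimeOffset REG_DWORD described above for a demo environment
# and makes sure the ILM MA account can read the key. Placeholders: $MaAccount
# (your ILM MA account) and $Seconds (demo value; keep the 60-second default
# for any testing that needs consistent data).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Identity Integration Server'
$MaAccount = 'CONTOSO\svc-ilm-ma'   # placeholder: the ILM MA account entered during setup
$Seconds   = 5                       # demo-only wait before reading the delta change-log

if (-not (Test-Path -Path $KeyPath)) {
    throw "Key not found: $KeyPath. Is the Synchronization Service installed on this server?"
}

# Create the value, or overwrite it if it already exists, then read it back.
New-ItemProperty -Path $KeyPath -Name ILMTimeOffset -PropertyType DWord `
    -Value $Seconds -Force | Out-Null
$Actual = (Get-ItemProperty -Path $KeyPath -Name ILMTimeOffset).ILMTimeOffset
Write-Host "ILMTimeOffset is now $Actual seconds"

# Look for an Allow entry granting at least ReadKey to the MA account.
# Only entries naming the account directly are inspected; access that the
# account gets through group membership (for example MIISAdmins) is not
# detected here, so a missing entry is not proof of missing access.
$Acl     = Get-Acl -Path $KeyPath
$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$HasRead = $Acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $MaAccount -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    (($_.RegistryRights -band $ReadKey) -eq $ReadKey)
}

if ($HasRead) {
    Write-Host "$MaAccount already has read access to $KeyPath"
} else {
    # Grant read access only (the release notes call for nothing more),
    # inherited by subkeys of this key.
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $MaAccount,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $Acl.AddAccessRule($Rule)
    Set-Acl -Path $KeyPath -AclObject $Acl
    Write-Host "Granted ReadKey on $KeyPath to $MaAccount"
}
```

Set-Acl fails if the placeholder account does not resolve, which is the intended behaviour: replace it with the real MA account before running.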
Date and Time fields warning appears when exporting object with DateTime attribute
-
When a confirming import is run on the ILM MA after exporting an object with a DateTime attribute filled in, it shows a warning about an exported change not being re-imported for DateTime fields.
Limit file path length to 160 characters
-
The synchronization engine will fail to load extension DLLs with a file path length greater than 160 characters.
Join rules for MV object type "Any" do not work
-
When creating Join rules in a management agent, the selection of the metaverse object type "Any" will not be processed by the server. Instead, create a series of projection rules, one for each metaverse object type.
Cannot create a bi-directional Synchronization Rule in the Synchronization Rule Designer
-
In this release, it is not possible to create a Synchronization Rule that contains both inbound as well as outbound attribute flows in the Synchronization Rule Designer. To address scenarios where data needs to be flowed both to and from a connected system, you must create two Synchronization Rules; one Synchronization Rule will contain the outbound attribute flows and the other will contain the inbound attribute flows.
Cannot edit the "Allow Nulls" option of an existing attribute flow in the Synchronization Rule Designer
-
In this release it is not possible to edit the Allow Nulls advanced option for an existing attribute flow in the Synchronization Rule Designer. If you wish to modify the Allow Nulls option for an attribute flow that has already been saved, you must delete the attribute flow and re-create it with the desired Allow Nulls option.
Functions and Reference attributes may not be used as existence flows
-
When you create a Synchronization Rule and mark a flow as an Existence Flow, the synchronization engine uses that flow as the criterion for creating detected rule entry (DRE) objects relating to that Synchronization Rule. In this release, only direct flows between non-reference attributes can be used as an Existence Flow.
Removing all of the existing criteria from a synchronization rule will not delete any existing detected rule entries (DREs) created for that sync rule
-
For this release, if you un-check all existing flows within a synchronization rule any DREs already created for that synchronization rule will not be removed as expected.
To remove unwanted DREs, add a single existing flow which will always return false. Upon the next full synchronization, this will invalidate all existing DRE objects for that synchronization rule.
Source value must be of the same data type as the destination attribute in an attribute flow
-
It is not possible to flow a value of one type to a destination attribute of a different type. For example, it is not possible to flow a constant string value to an attribute that is an integer data type. The workaround is to concatenate the source value with an empty string in the sync rule designer. This will wrap the string in a function, and it will work as expected. An exception to this is when trying to flow a constant string with the value "true" or "false" to a Boolean destination attribute. This attribute flow will be permitted. The restriction on mismatched source and destination data types also applies to multi-valued and single valued attributes. It is not possible to create an attribute flow that flows a single value attribute to a multi-valued attribute and vice versa. For example, it is not possible to flow the Description attribute in ILM to the Description attribute on Groups in Active Directory.
Ambiguous join results in unexpected error
-
For this release, if there are two objects that both match the relationship criteria (known as join in ILM 2007), an "unexpected error" is returned.
Do not change the MA in a Synchronization Rule if there are Detected Rule Entries associated with it
-
In a Synchronization Rule it is possible to configure detection of the rule when it is applied in the connected system. This results in Detected Rule Entries (DRE) being created by the Synchronization Engine as a confirmation. In this release, if you have DREs associated with a Synchronization Rule and later change the MA in the Synchronization Rule, the DREs will appear as orphans in the Synchronization Engine. These are “false positives” and do not correctly represent the current state. To work around this issue, delete the synchronization rule and create a new one rather than changing the MA once the rule is in use.
Synchronization Rules listed several times
-
Synchronization Rules will show up in the attribute precedence screen in Identity Manager. In this release, sometimes the same synchronization rule will be listed several times in this screen. There is no reason to reorder the synchronization rules since the precedence for them is set through the ILM Portal.
Cannot flow a hardcoded string to a reference attribute
-
In this release, it is not possible to flow a hardcoded string to a reference attribute. For example, the homeMDB attribute in Active Directory (AD DS) might be the same value in a test environment. The workaround is to concatenate the value with an empty string in the sync rule designer. This will wrap the string in a function, and it will work as expected.
Synchronization Rule cannot see all management agents
-
When creating a Synchronization Rule, all management agents may not be displayed depending on the order that the components were installed. To ensure that the Synchronization Rule designer is able to see all management agents, open Identity Manager, navigate to the Management Agent tab, edit the properties of the Identity Lifecycle Manager management agent, and update the connection password.
Certain attributes cannot be used as part of existence test flows
-
When creating an outbound synchronization rule, only attribute flows which are direct, non-reference, non-function based flows may be used as part of the existence tests. Additionally, no flows which reference or use Synchronization Rule parameters can be used as part of an existence test. The ILM Portal currently allows the definition of these invalid conditions and if done so, the synchronization engine will simply ignore these flows.
ERP MA (SAP MA) must run in 32-bit mode
-
When you are installing the ERP MA (SAP MA) you need to make sure that the MA is set to run in 32-bit mode. On the property page of the SAP MA in Identity Manager, in Architecture, select x86. You also need to make sure the service account the ILM Synchronization service is using has read and write access to %WinDir%\temp.
ERP MA (SAP MA) UI Tool requires additional permissions
-
When running the ERP MA UI Tool, the logged-in user requires the following privileges:
- Full Control on the folder where the proxy file and configuration files are saved.
- Read access to the registry key HKLM\System\CurrentControlSet\Services\miiserver\Parameters
Schema
Default values for integer attributes are not submitted during object creation
-
If you create an object with integer attributes, you may see that the value of an integer attribute is not submitted during creation if you simply accept the default value. Similarly, if you create a new integer attribute for an object and specify its default value in the object's configuration file, the value will not be submitted when you create an object with this attribute. To work around this issue, when you create the object, select a value other than the default, then change it back to the default after the object is created.
Schema Validation
-
ILM "2" server does not enforce basic schema validation. This includes the following behavior:
- You can create a new Person object that does not have an account name, even though the Account Name attribute is required for the Person object type. It is important to note that this behavior may break mail approval or synchronization scenarios. To avoid synchronization problems it is advised to enter the user account information correctly in the ILM Portal.
Deleting multiple objects in the ILM Portal
-
If you delete multiple objects in the ILM Portal, you may receive an unhandled exception error, and the deletion process may not complete. If this happens, repeat the deletion operation for the objects that were not deleted in the earlier attempt.
Creating an object with a multi-valued Boolean attribute will stop the ILM Service
-
Creating an object through Web Services with a multi-valued Boolean attribute will cause the ILM Service to stop working. The service cannot be restarted and must be reinstalled.
Creating a required binding does not affect existing objects
-
In this release, creating a new required attribute binding for an object type will not affect existing instances of that object type.
In addition, a binding can be changed from not required to required when there are no existing instances of the related object type. However, you can still create instances of the object type that do not enforce the required binding.
Workflow and Request Processing
Must manually edit workflow definition (XOML) files for manually created workflows
-
It is possible to create a Workflow Definition (XOML) in Visual Studio and upload it. Before uploading the XOML you must manually edit the file, since Visual Studio inserts an additional attribute. In the XOML file, locate and remove the x:Class attribute. Failure to do this will make the Workflow invalid and it will not run.
Do not map authorization workflows to approvals and schema
-
For this release, do not map authorization workflows to approvals and schema.
All users that may trigger provisioning workflows must have rights to create Expected Rule Entry objects and modify the Expected Rules List of objects
-
In this release, the Synchronization Rule Activity operates in the context of the user that performs the operation which triggers it. This activity requires rights to create Expected Rule Entry objects as well as rights to modify the Expected Rules List attribute of all the objects that it needs to add Synchronization Rules to. In order to allow the provisioning workflows to successfully complete, all users must be granted rights to create Expected Rule Entry objects as well as rights to modify the Expected Rules List of all objects. This will require the creation of a set of all Expected Rule Entry objects and a Management Policy Rule granting rights to all users to create objects in this set. Also required will be a Management Policy Rule that grants rights to all users to modify the Expected Rules List of all objects.
As a security measure, it is recommended that an approval workflow be attached to the Management Policy Rules that grant users rights to create Expected Rule Entry objects and modify Expected Rules Lists. This would enable a workflow operating in the user's context to perform the required operation, but would prevent a non-privileged user from directly modifying the Expected Rules List or creating an Expected Rule Entry.
Workflow definition edits are not saved when editing is started by clicking the Lookup button
-
When opening a saved workflow definition in the ILM Portal, the Lookup button is enabled and will allow you to change the value without selecting Edit first. If the value is changed in the Lookup and you then select Edit to save the change, an error will appear. To avoid the error, select Edit before trying to make a change to the activity.
Request objects are not affected by Management Policy Rules
-
Management Policy Rules are normally used to run workflows when an object changes state. The Request object is managed by the system and is used to determine the Management Policy Rules that should be run. In this release, state changes on the Request object will not trigger the Management Policy Rules and associated workflows.
Outgoing e-mail notifications will be lost if the mail server isn't available
-
If the mail server is not available when the notification or approval activity tries to send an e-mail notification, the e-mail and its content are lost. The send is not retried.
User alias and domain\user are not resolved in e-mail activities
-
Activities that send e-mails expect either an e-mail address or a Lookup reference to the people on the To line. The useralias and domain\userid formats are not valid.
Notification e-mails without text in the subject line are not sent
-
For this release, system-created notification mails must have a subject line. If the subject line is left blank the mail will not be sent, even if there are valid recipients and content in the body of the mail.
Notification mails created in the system must have a mail body
-
For this release, notification mails created in the system must have a mail body. If the body is left blank, the mail will not be sent, even if the recipient and subject are valid.
Do not delete workflows that are shipped with ILM “2”
-
The following workflows are shipped with ILM "2" and should not be deleted:
- /Person/AuthNWFRegistered Workflow
This workflow is used by password reset and has no activities.
- Approval Expiration Workflow
- Domain / DomainConfiguration Synchronization Workflow
- Expiration Notification Workflow
This workflow will send a notification e-mail to the owner of an object 14 days before the object is set to expire.
- Create Forest Configuration Sets Workflow
- Expiration Workflow
This workflow will delete all objects where the expiration date has passed. The activity cannot be rendered in the designer for this workflow.
- Owner Approval Workflow
This workflow will run for all requests to join a group that are marked for owner approval.
- Group Validation Workflow
This workflow will run for all group creations and will validate some basic attribute settings.
- Filter Validation Workflow for Administrators
This workflow will restrict the attributes available in an Advanced search filter.
- Filter Validation Workflow for Non-Administrators
This workflow will restrict the attributes available in an Advanced search filter.
Password Reset
Authorization workflows and Password Reset
-
In this release, it is recommended that you do not attach an Authorization workflow to a password reset operation. A sample scenario is attaching an Approval workflow to a password reset Management Policy Rule. If a user tries to reset their password and an approval is required, there is no user interface to inform the user that this is the case.
Mapping multiple Action activities to Password Reset
-
For this release, it is recommended that you do not attach a workflow that contains more than one Action activity to a password reset operation. A sample scenario is attaching a second AD DS Password Reset activity to a password reset Management Policy Rule. This scenario is not supported.
Required default workflow for password reset registration
-
In this release, it is recommended that you do not delete the workflow titled /Person/AuthNWFRegistered Process. This workflow is required for registration to work.
ProxyServer does not handle exceptions due to missing SQM files during actual password reset
-
To successfully perform password reset from a client computer, do not delete the SQM files. The SQM files are sqmapi.dll and Microsoft.ResourceManagement.Sqm.dll.
Set default logging level to "Warning"
-
It is recommended that you set the default logging level to Warning and the default log file size to 2 megabytes on the client computer that hosts the password reset client. By doing this, the size of the log file is greatly reduced.
User in domain A cannot register or reset their password from a machine joined to domain B in the same Forest
-
If you have installed the client components of ILM "2" on a machine joined to a domain different from the one the current user is on, the current user will not be able to use that machine to register for password reset.
Proxy Service crashes on XP during registration if an exception occurs
-
If the client proxy service is crashing during registration for password reset, check the log file and clear it if necessary.
Adding / Removing / Changing Order of Activities in an Existing Workflow
-
In this release, when adding, removing, or changing the order of AuthN Activities in an existing workflow, it is recommended that the option to require re-registration is checked. Users that attempt to authenticate for password reset after an activity has been added to or removed from a workflow, but before they have re-registered, may encounter undesired effects.
Queries
Invalid queries can return incorrect results
-
In this release, not all invalid queries are caught; sometimes they return results, though they are incorrect. It is important to follow the query documentation to see what is possible and what is expected if you enter an incorrect expression.
ILM Add-in for Outlook 2007
User requests via e-mail may not be processed if user has multiple exchange e-mail accounts
-
User messages to ILM "2" sent via the ILM Add-in for Outlook, such as group management requests and approval responses, may not be processed if the user has multiple e-mail accounts in Exchange—for example, ssmith@fabrikam.com and ssmith@corp.fabrikam.com. To ensure user messages can be processed by ILM "2", each ILM user should have only one Exchange e-mail address.
The number of members added or removed from groups in a single request must be limited
-
When requesting to add or remove members from groups using the ILM "2" Add-in for Outlook 2007, the number of members and groups in a single request must be limited. In this release, the number of members to be added or removed, plus twice the number of groups, must not exceed 50. For example, a single request may add up to 10 users to 20 groups, or up to 30 users to 10 groups.
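The following is an added example, not part of these release notes or of the ILM Add-in, that turns the limit above into a check and a batching plan: a bulk change that would exceed members + 2 × groups = 50 is split into several requests, each within the limit, choosing the group-chunk size that needs the fewest requests. The member and group names in the usage are constructed placeholders.

```python
"""Plan bulk group-membership changes from the ILM Add-in for Outlook 2007
so that every request stays within the documented per-request limit."""
from math import ceil

# Limit stated in the release notes: members + 2 * groups must not exceed 50.
MAX_REQUEST_WEIGHT = 50
GROUP_WEIGHT = 2


def request_weight(n_members, n_groups):
    """Weight of one add/remove request under the documented formula."""
    return n_members + GROUP_WEIGHT * n_groups


def is_within_limit(n_members, n_groups):
    """True if a request touching n_members members and n_groups groups is
    allowed. A request must name at least one member and one group."""
    return (n_members >= 1 and n_groups >= 1
            and request_weight(n_members, n_groups) <= MAX_REQUEST_WEIGHT)


def _chunks(items, size):
    return [items[i:i + size] for i in range(0, len(items), size)]


def plan_requests(members, groups):
    """Split one bulk change into a list of (members, groups) requests that
    each satisfy is_within_limit, using the group-chunk size that yields the
    fewest requests. Raises ValueError if either list is empty."""
    if not members or not groups:
        raise ValueError("need at least one member and one group")
    # Largest group chunk that still leaves room for at least one member.
    max_groups = (MAX_REQUEST_WEIGHT - 1) // GROUP_WEIGHT
    best = None
    for g in range(1, min(len(groups), max_groups) + 1):
        m = MAX_REQUEST_WEIGHT - GROUP_WEIGHT * g  # members that fit beside g groups
        count = ceil(len(groups) / g) * ceil(len(members) / m)
        if best is None or count < best[0]:
            best = (count, g, m)
    _, g, m = best
    plan = [(mc, gc) for gc in _chunks(groups, g) for mc in _chunks(members, m)]
    # Every planned request must pass the same check the add-in enforces.
    assert all(is_within_limit(len(mc), len(gc)) for mc, gc in plan)
    return plan


if __name__ == "__main__":
    # Constructed placeholder names: 100 users into 5 groups needs 3 requests.
    users = ["user%03d" % i for i in range(100)]
    grps = ["group%d" % i for i in range(5)]
    for n, (mc, gc) in enumerate(plan_requests(users, grps), 1):
        print("request %d: %d members x %d groups (weight %d)"
              % (n, len(mc), len(gc), request_weight(len(mc), len(gc))))
```

The two examples given in the note above (10 users into 20 groups, 30 users into 10 groups) each fit in a single request; larger changes are split so that no request is rejected for exceeding the limit.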
Using multiple Outlook clients simultaneously with one Exchange account may cause problems with the ILM Add-in
-
In this release, if you use multiple Outlook clients simultaneously with one Exchange account, you may experience problems with the ILM Add-in. To resolve this issue, close all of the Outlook clients, and then use only one Outlook client per Exchange mailbox.
Notification e-mail from ILM indicates that errors occurred when a request sent from the ILM Add-in requires an approval.
-
In this release, when a user sends a group membership request from the ILM Add-in, such as a request to join a group, and that request requires an approval in order to be completed, an e-mail message will be sent to the requestor which includes the text, “Your request was received, but some errors occurred in processing it… Permission is required.” This indicates that ILM requires permission from another user in order to complete the request; it does not indicate a failure in receiving the request. ILM can process the request successfully once the approver approves or rejects the request.
Exchange and ILM must have the same e-mail address for a user or group in order for requests to succeed from Outlook Integration.
-
In order for requests from the ILM Add-in for Outlook 2007 to succeed, the value for the e-mail address attribute for a user or group must be exactly the same in ILM and Exchange for any user or group specified in the request.
For example, if a user's e-mail address in Exchange is mmeyers@mydomain.fabrikam.com, the e-mail attribute for that user in ILM must be exactly mmeyers@mydomain.fabrikam.com.