Release Notes for Forefront Identity Manager 2010 R2

Welcome to the release notes for Microsoft® Forefront® Identity Manager (FIM) 2010 R2. Before you install this application, we recommend that you read this entire document and the Forefront Identity Manager 2010 R2 Deployment Guide. You can use these notes to guide you as you troubleshoot issues that may arise when you use FIM 2010 R2.

Release Notes for Forefront Identity Manager 2010 R2 – Known Issues

These release notes are broken down into three main areas of focus: Pre-Installation and Upgrade, Installation and Upgrade, and Post-Installation. Each of these areas is then subdivided by the features that make up FIM 2010 R2, so that you can quickly find the features and components that pertain to you.

Area: Description

Pre-Installation and Upgrade: Includes known issues that need to be understood prior to installing or upgrading to FIM 2010 R2.

Installation and Upgrade: Includes known issues that may occur during installation or upgrade.

Post-Installation: Includes known issues that may occur once FIM 2010 R2 is installed and running.

Pre-Installation and Upgrade

This section includes known issues that can occur and must be understood prior to installing and upgrading FIM 2010 R2. These issues are broken down by feature area. If a feature area does not appear, it is because there are no known issues at this time.

Feature Area: Includes information on the following components

Service and Portal – Pre-Installation and Upgrade

  • FIM Portal

  • FIM Service

  • FIM Service Database

  • Password Registration Portal

  • Password Reset Portal

  • Reporting

Service and Portal Language Packs – Pre-Installation and Upgrade

  • Service and Portal Language Packs

Service and Portal – Pre-Installation and Upgrade

  • FIM Service: The default behavior of the Domain and DomainConfiguration attributes for users and groups has now been extended to all resources in FIM
    If you have used either of these attributes as part of your current FIM implementation, this change may result in unexpected behavior and/or failed requests. Test prior to upgrading your production environment.

  • FIM Service Database: Custom schedules for FIM SQL Agent jobs are overwritten during upgrade
    If you have customized the schedules for the FIM SQL Server Agent jobs, you will need to reapply your changes after the upgrade.

  • Password Registration Portal, Password Reset Portal: Upgrading the SSPR portals from RC/RC Refresh to RTM is not possible.
    If you try to upgrade the SSPR portals from RC/RC Refresh to R2 RTM, the upgrade will fail with an "invalid port" error. The fix is to uninstall the SSPR portals and install the new versions from the R2 RTM media.

  • FIM Synchronization Service: Users who installed FIM 2010 RTM from the MSDN website are unable to upgrade the Synchronization Service.
    If you have deployed FIM 2010 RTM from the MSDN website, an in-place upgrade is not supported for the Synchronization Service. However, the database can be preserved and used in FIM 2010 R2 RTM. To do this, you must uninstall the FIM 2010 RTM Synchronization Service and then install FIM 2010 R2 RTM using the existing database. The uninstall and subsequent install of FIM 2010 R2 is supported. The FIM Service and Portal can then be upgraded using the normal method. This only affects users who installed FIM 2010 RTM from MSDN, and only the Synchronization Service. This is a known issue.

  • Reporting: Upgrading from FIM 2010 R2 RC/RC Refresh Reporting to FIM 2010 R2 RTM Reporting is only supported for TAP customers who deployed the schema hotfix for RC
    Only customers that participated in the TAP program and installed the schema hotfix for RC are supported when upgrading from FIM 2010 R2 RC/RC Refresh. To be supported you must meet the following criteria:

    1. Participated in the TAP program for FIM 2010 R2 RC

    2. Have deployed RC Reporting into production

    3. Have deployed RC using the schema hotfix

    If you meet all of the above requirements, it is recommended that you contact Microsoft Support for assistance with the upgrade.

Service and Portal Language Packs – Pre-Installation and Upgrade

  • Service and Portal Language Packs: Customers should back up their customized RCDC symbol-value pairs for non-English languages
    It is a known bug in upgrade that those non-English string resource values will be overwritten.

    Backing up involves exporting these RCDCs. To make the customizations appear again after the upgrade, you will need to redo them, using the differences between the old and new symbol-value pairs as a guide.

    For more information see Considerations for Upgrading to FIM 2010 R2 in the Forefront Identity Manager 2010 Deployment Guide.


Installation and Upgrade

This section includes known issues that can occur with installation and upgrade. These issues are broken down by feature area. If a feature area does not appear that is because there are no known issues at this time.

Feature Area Includes Information on the following components

Add-ins and extensions – Installation and Upgrade

  • FIM Add-in for Outlook

  • FIM Password and Authentication Extensions

Certificate Management – Installation and Upgrade

  • All Certificate Management Features

Service and Portal – Installation and Upgrade

  • FIM Portal

  • FIM Service

  • FIM Service Database

  • Password Registration Portal

  • Password Reset Portal

  • Reporting

Service and Portal Language Packs – Installation and Upgrade

  • Service and Portal Language Packs

Synchronization Service – Installation and Upgrade

  • ECMA 2.0

  • FIM Management Agent

  • Synchronization Service

Add-ins and extensions – Installation and Upgrade

  • FIM Password and Authentication Extensions: After installing the FIM Password and Authentication Extensions, a reboot is required
    The reason is that when these extensions are installed, changes are made to the Windows Authentication Framework, which requires a reboot. Likewise, if the FIM Password and Authentication Extensions are uninstalled, a reboot will be required.

Certificate Management – Installation and Upgrade

  • Certificate Management: FIM CM configuration fails if the database name contains an apostrophe (')
    The FIM CM database name should not contain any apostrophe characters. The presence of an apostrophe in the database name causes an error when the FIM CM Configuration Wizard runs.

  • Certificate Management: FIM CM configuration fails if the username or password contains an apostrophe (') as the first or last character
    The FIM CM database username or password should not contain an apostrophe as the first or last character. The presence of an apostrophe in either position causes an error when the FIM CM Configuration Wizard runs.

Service and Portal – Installation and Upgrade

  • FIM Portal: Running setup with a non-default SharePoint site URL or a SharePoint site that uses SSL will fail
    If you attempt to upgrade and are using a non-default SharePoint site URL (other than localhost), or you are using SSL on your SharePoint site, the upgrade will fail. To work around this, add https://localhost to the SharePoint alternate access mappings and re-run setup.

  • FIM Portal, FIM Service: Object reference not set to an instance of an object
    If you receive this error while attempting to install the FIM 2010 R2 Service and Portal, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.

  • FIM Service: Administrator must open firewall ports manually
    During a change installation, there is no option to open the firewall ports. The administrator must open the firewall ports manually.

  • Password Registration Portal: FIM Service Installer does not mask password for Self Service Password Reset accounts
    When running the FIM 2010 R2 Service and Portal MSI from the command line using the verbose log parameter (msiexec /i "Service and Portal.msi" /l*v log.txt), the REGISTRATION_ACCOUNT_PASSWORD property in the log file is not masked to “*” as it should be. This is a known issue that only occurs when verbose logging is turned on.

  • FIM Service Database: Database should use a collation that supports surrogate pair characters or searches on string attributes may return improper results
    If your environment contains string data with surrogate pair characters, you must have a SQL Database collation that supports them. Failure to do so will result in invalid search results. For more information on the available options refer to this article: https://msdn.microsoft.com/en-us/library/ms143503(v=sql.105).aspx

    After installation of the FIMService, run the following T-SQL statement to determine the FIMService database collation:

    SELECT DATABASEPROPERTYEX('FimService', 'Collation') SQLCollation;

    A collation that works with a large variety of environments is Latin1_General_100_CI_AS.

    If you need to change the collation to support your environment, follow the SQL Server documentation: https://msdn.microsoft.com/en-us/library/ms175835(v=sql.105)

Service and Portal Language Packs – Installation and Upgrade

  • Service and Portal Language Packs: Installing language packs from the command line may fail
    Installing language packs from the command line using the following syntax will fail:

    msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,FIMServiceLP /l* Install.log

    To install language packs:

    • Do not use the command line. Double click the .msi to launch the installation.

      or

    • You may use the command line to install one language pack at a time, using the following format (example shown is for the Russian locale (ruRU)):

      msiexec /i "Service and Portal Language Pack.msi" ADDLOCAL=FIMPortalLP,PortalruRU,FIMServiceLP,MTruRU /l* Install.log

  • Service and Portal Language Packs: Service and Portal Language Packs cannot be uninstalled or upgraded if the FIM components that depend on SharePoint have been uninstalled
    If you have installed the FIM Portal Language Pack or the FIM Password Reset Portal Language Pack (the old RTM password portal, not R2 SSPR Portals) and then you uninstall all of the FIM components that depend on SharePoint (the FIM Portal and the old FIM Password Reset Portal) you will not be able to uninstall or upgrade the language pack.

    This is because both the FIM Portal and old FIM Password portal rely on SharePoint and hence store the SharePoint base site collection URL in the registry (BaseSiteCollectionUrl). The Service and Portal language packs (for FIM portal, old password portal) also rely on that key to be in the registry.

    Therefore, uninstalling the FIM components that rely on SharePoint removes that registry key, and without it the language packs can no longer be uninstalled or upgraded.

    To correct this issue do the following:

    1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Portal.

    2. Create a string value (REG_SZ) named BaseSiteCollectionUrl.

    3. Set its data to the SharePoint URL at which the FIM Portal/Password Reset Portal was deployed.

    4. You can now either uninstall or upgrade the language pack.

  • Service and Portal Language Packs: Object reference not set to an instance of an object
    If you receive this error while attempting to install the FIM 2010 R2 Service and Portal Language Pack, it is most likely an indication that the SQL Server service is unavailable or down. Please verify that the SQL Server service is running and the connection between the FIM Service and Portal is established and working.

Synchronization Service – Installation and Upgrade

  • FIM MA: Interactive logon right required for setting up the FIM Service Management Agent
    The FIM MA account requires the interactive logon right during setup. This requirement is a Windows behavior: when the Service account impersonates the MA account, Windows performs an interactive logon in order to load the user profile. If the account is not allowed to log on interactively, you will see an access denied entry in the Security event log. This right is needed for all operations.

Post-Installation

This section includes known issues that can occur once FIM 2010 R2 is installed and running. These issues are broken down by feature area. If a feature area does not appear, it is because there are no known issues at this time.

Feature Area: Includes information on the following components

Add-ins and extensions – Post-Installation

  • FIM Add-in for Outlook

  • FIM Password and Authentication Extensions

Certificate Management – Post-Installation

  • All Certificate Management Features

Service and Portal – Post-Installation

  • FIM Portal

  • FIM Service

  • FIM Service Database

  • Password Registration Portal

  • Password Reset Portal

  • Reporting

Synchronization Service – Post-Installation

  • ECMA 2.0

  • FIM Management Agent

  • Synchronization Service

Add-ins and extensions – Post-Installation

  • FIM Add-in for Outlook: Unicode is not fully supported when launching the Outlook add-in for users whose names contain Unicode characters.
    This is because of a bug in Outlook.

Certificate Management – Post-Installation

  • Certificate Management: User PIN dialog may not display on IE9
    FIM CM portal users may be blocked from completing a request when the FIM CM client is unable to display the user PIN dialog. This issue occurs intermittently for IE9 users who have not yet applied the IE 9 cumulative update.


Service and Portal – Post-Installation

  • FIM Portal: Double Quote in Contains Search Fails
    Entering a search string containing double quotes into a search scope that uses Contains functionality will fail with the following stack trace:

    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
    Other ---> System.Data.SqlClient.SqlException: Syntax error near 'User' in the full-text search condition '""User 1"*"'

  • FIM Portal: Authentication functionality changes
    With FIM 2010 R2, the following functionality is deprecated: interactive registration for an authentication workflow from the FIM 2010 R2 Portal, and interactive authentication for a request from the FIM 2010 R2 portal.

  • FIM Portal: Wildcard character * is not supported in Filter builder
    Important: If you create a filter that uses the * character, for example "DisplayName contains *", the * character will be discarded from the filter definition, and the resulting expression will be considered invalid and will fail.

  • FIM Portal: Custom resources with ":", "(", or ")" in the name render the FIM Portal inoperable
    In this release, do not use a colon [:] or parentheses [()] in the system name of a custom resource. Creating a custom resource with these characters in its system name causes the FIM 2010 R2 Portal to become inoperable and requires a reinstallation of the FIM 2010 R2 Portal.

  • FIM Portal: User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources
    In this release, the user cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on groups and user resources. To work around the issue, you can temporarily add StringRegex, IntegerMinimum, or IntegerMaximum to the Management Policy Rule (MPR) named Administration - Schema: Administrators can change selected attributes of schema-related resources. It is important to revert the changes after the modification since the MPR is there to protect against illegal modification to elements important to the system schema.

  • FIM Portal: Default DisplayName and Description is not submitted during creation of BindingDescription
    In this release, if the user does not modify the existing DisplayName or Description of a BindingDescription resource, the BindingDescription is created without DisplayName or Description even though in the user interface (UI) it appears that FIM 2010 has supplied a default value. The workaround is to update the DisplayName and Description after creation or supply a different value for these attributes during creation.

  • FIM Portal: Custom resources with hyphens in their names do not create RCDC configuration XML correctly
    You can create a custom attribute or custom resource type with a hyphen "-" in the system name. However, if you create an RCDC for this new resource, the RCDC configuration file that is created automatically is not correct: the RCDC uses the attribute name as the control name, but control names do not support "-". The workaround is to remove "-" from the control names in the RCDC configuration file.

  • FIM Portal: Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership
    When previewing dynamic members of a group or set, an error message is displayed if the request times out. If you subsequently click Preview a second time, the query may show no members in the group or set, even if they do contain members. If this happens, click Cancel to close the dialog box and retry the preview operation. If the request times out again, the administrator may need to increase the server timeout.

  • FIM Portal: Default search operator for DisplayName has been changed from contains to starts-with
    As a result of working with a number of internal and external customers on portal search performance, we chose to change the default search operator used by the FIM Portal (Search Scopes, Identity Picker) for the DisplayName attribute from contains to starts-with. This will impact your existing FIM Portal implementation and your FIM Portal administrative searches. If you wish to return to the previous search behavior for one or more search scopes, we have added the ability to configure an "Advanced Filter". See FIM 2010 R2 Search Changes for more information.

  • FIM Portal: ObjectPicker will not automatically resolve entered names when navigating to the next page
    When the user enters a name into an object picker and clicks the "next" button down below, the user is prompted to finish resolving names.

  • FIM Portal: Matching Usage Keywords are necessary for a search scope to appear on a given page of the site
    For example, the “Pending from Today” search scope may be expected to appear on the “Search Requests” page. The Usage Keywords for the “Pending from Today” search scope must be updated manually to include the Usage Keywords configured for the “Search Requests” page which, by default, are the following:

    • customized

    • Request

    • SearchRequests

  • FIM Portal: Disable SharePoint 2010 job: “SharePoint Foundation Search Refresh”
    The SharePoint Foundation 2010 job “SharePoint Foundation Search Refresh” will continuously generate FIM 2010 R2 event log entries. The errors can be ignored, but the FIM 2010 R2 event log will become unnecessarily cluttered. To disable the job, in SharePoint 2010 Central Administration, click Check job status, then disable the job “SharePoint Foundation Search Refresh”.

  • FIM Portal: Supplying no input for a Search Scope with the Advanced Filter configured does not produce search results
    As a workaround, type a % into the Search box.

  • FIM Service, FIM Portal: Unicode not fully supported in certain cases
    The FIM 2010 R2 Portal and Service do not fully support Unicode in the User Names of new users created through the portal. This limits the format of User Names to those that can be used to create mailboxes through SharePoint.

  • FIM Service: Custom workflows that run under the context of the requestor (Actor) may fail with permission denied
    If you encounter this error you will need to update your existing custom workflow(s) to explicitly set the ActorId and ensure that the appropriate MPRs have been configured.

  • FIM Service: Contains searches on String attributes rely on SQL Full Text Search (FTS) as part of the implementation
    The FTS parser may break the search string into multiple search tokens if any word-break characters are found. This may lead to the Contains search returning invalid results: you may notice missing rows, or extra rows that do not match your search string. You can use the SQL FTS parser (https://technet.microsoft.com/en-us/library/cc280463(v=sql.105)) to test the behavior of search strings commonly used in your environment. If you find that the SQL FTS parser is not returning the expected results, consider setting up search scopes using Starts-With instead, which do not use FTS.

  • FIM Service: Starts-With and Ends-With searches on String and Text attributes are implemented using the T-SQL LIKE operator with standard SQL wildcard behaviors
    This means that the following characters %, _, [, ^ are treated as wildcards (https://msdn.microsoft.com/en-us/library/ms179859.aspx). If your use cases require these characters to be treated as literals, then you must escape them per the TSQL LIKE documentation by enclosing the wildcard character in brackets.
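    The bracket-escaping rule above, worked through as an added example (not code from these release notes or from the FIM product): `escape_like` wraps each of the four wildcard characters in brackets, and a small LIKE matcher (an assumed subset of T-SQL semantics, used only to check the escaping offline) shows that an unescaped `_` or `%` in a Starts-With or Ends-With term matches values it should not, while the escaped form matches only the literal text.

```python
"""Escaping literal wildcards for FIM Starts-With / Ends-With (T-SQL LIKE) searches.

Added example, not code from the FIM release notes or the product. It implements
the bracket-escaping rule the notes describe, plus a small T-SQL-style LIKE
matcher (an assumption, used only to check the escaping offline; in a real
deployment the comparison runs inside SQL Server).
"""
import re

# Characters the release notes list as T-SQL LIKE wildcards.
LIKE_WILDCARDS = "%_[^"


def escape_like(literal: str) -> str:
    """Wrap every LIKE wildcard in brackets so it matches itself literally."""
    return "".join(f"[{ch}]" if ch in LIKE_WILDCARDS else ch for ch in literal)


def starts_with_pattern(prefix: str) -> str:
    """LIKE pattern for a Starts-With search where `prefix` is meant literally."""
    return escape_like(prefix) + "%"


def ends_with_pattern(suffix: str) -> str:
    """LIKE pattern for an Ends-With search where `suffix` is meant literally."""
    return "%" + escape_like(suffix)


def _class_body(body: str) -> str:
    """Escape a LIKE bracket-set body for use inside a regex character class."""
    return "".join("\\" + ch if ch in "\\]^[" else ch for ch in body)


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a LIKE pattern (%, _, [set], [^set], [x] escape) to an anchored regex.

    Assumed subset of T-SQL semantics, sufficient to exercise the escaping above.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            parts.append(".*")          # any run of characters
        elif ch == "_":
            parts.append(".")           # exactly one character
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:               # unterminated bracket: treat as literal "["
                parts.append(re.escape(ch))
            else:
                body = pattern[i + 1:end]
                if len(body) == 1:      # "[x]" is the escape form: match x literally
                    parts.append(re.escape(body))
                elif body.startswith("^"):  # "[^set]": one character not in set
                    parts.append("[^" + _class_body(body[1:]) + "]")
                else:                   # "[set]" / "[a-c]": one character in set
                    parts.append("[" + _class_body(body) + "]")
                i = end
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def like_match(pattern: str, value: str) -> bool:
    """True when `value` matches `pattern` under the assumed LIKE semantics."""
    return like_to_regex(pattern).fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample DisplayName values, not real directory data.
    names = ["Sales_Team", "SalesXTeam", "Target 100%", "Target 1000"]
    for pat in ("Sales_%", starts_with_pattern("Sales_"),
                "%100%", ends_with_pattern("100%")):
        print(f"{pat:12} -> {[n for n in names if like_match(pat, n)]}")
```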

  • FIM Service: Running repair on the FIM Service does not repair SQL Server Agent jobs
    When running a repair operation on the FIM 2010 R2 Service, SQL agent jobs are not repaired, as the repair operation does not have SQL Server Agent permissions.

  • FIM Service: Diagnostics tracing file format has changed for FIM 2010 R2
    If you currently use data from the diagnostics tracing file, you will need to modify your tools or scripts to accommodate the new format.

  • FIM Service: The FIM Service web service contract for faults has changed
    The fault contract for FIM 2010 R2 includes additional information to support the troubleshooting enhancements in this release. You will need to regenerate the client proxy based on the updated fault contracts.

  • FIM Service: New resource type CompositeType may interfere with custom Action workflows
    A new resource type, CompositeType, has been introduced for Requests issued by the Built-in Synchronization Account. It may interfere with any custom Action workflows that parse request targets. To find the actual targets, you will need to modify these workflows to parse the Request Parameters of a CompositeType.

  • FIM Service: UpdateRequestActivity has been removed from FIM 2010 R2
    UpdateRequestActivity has been removed from FIM 2010 R2. If you have any custom code that references UpdateRequestActivity, it will no longer compile. Moving forward, you should use UpdateResourceActivity instead.

  • FIM Service: For asynchronous exports from the FIM MA, multiple FIM Service instances will process synchronization requests
    In R2, all FIM Service instances, irrespective of whether they belong to a particular service partition, will process synchronization requests. To avoid performance impacts on specific FIM Service instances and/or service partitions, you will need to update the Microsoft.ResourceManagement.Service.exe.config setting receiveSynchronizationRequestsEnabled as documented in the configuration file.

  • FIM Service: Do not reuse your existing Microsoft.ResourceManagement.Service.exe.config file
    Reusing an existing configuration may fail due to changes in the content of the configuration file. Please review the new configuration file contents and update manually if appropriate to do so.

  • FIM Service: A request may fail when multiple workflows attempt to modify the same single valued attribute on the same object
    The most likely scenario would be in the PostProcessing phase of a Request in which two or more Action workflows execute in parallel and they are trying to operate on the same object within a narrow time frame. The Request will fail with PostProcessingError and you will likely find this stack trace in the Event Log.

    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException:
    Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
    ReRaiseException, Line 37, Message: Reraised Error 50000, Level 14, State 1, Procedure
    ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
    UpdateResource, Line 525, Message: Cannot insert duplicate key row in object 'fim.ObjectValueString' with unique index
    'IX_ObjectValueString_ObjectKey_AttributeKey_LocaleKey-Filtered_Multivalued'.

    If your system has this issue, you should consider merging the functionality into a single workflow that can perform the operations in a synchronous manner to avoid the race conditions.

  • FIM Service: Configuration Migration Compare-FIMConfig cmdlet comparisons are currently case insensitive
    When comparing settings, the Compare-FIMConfig cmdlet will not detect changes if the only difference is the case of the strings. For example if you compare the DisplayName attribute where source = "User1" and target = "user1" the tool will consider this as the same value.

  • FIM Service: Date time strings are not constructed or parsed properly when running on Windows 2008 Italian
    FIM Service expects DateTime strings to be of this format "yyyy-MM-ddTHH:mm:ss.fff" and parses them with this code: DateTime.Parse(input, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);

    A customer has reported issues trying to run the FIM Service on an Italian server on which dates were represented as follows: "yyyy-MM-ddTHH.mm.ss.fff". In this case, the FIMService did not run properly and reported exceptions like this:

    mscorlib.dll!System.DateTimeParse.Parse(string s, System.Globalization.DateTimeFormatInfo dtfi, System.Globalization.DateTimeStyles styles)
    mscorlib.dll!System.DateTime.Parse(string s, System.IFormatProvider provider, System.Globalization.DateTimeStyles styles)
    Microsoft.ResourceManagement.dll!Microsoft.ResourceManagement.Utilities.DateTimeSerializer.ReadCoordinatedUniversalTimeString(string input = "2010-02-25T09.14.12.237")

    The workaround was to change the server to format dates per this format: "yyyy-MM-ddTHH:mm:ss.fff".

  • FIM Service: Viewing an Object's Resource page in the Portal will fail if you mark the Description attribute as Required on the Object in the FIM Schema
    When trying to view the Object's Resource page in the portal, you will end up on the ErrorPage.aspx page. To fix the problem, you must remove the Required setting, restart IIS, and then try again.

  • FIM Service: Deletion of an Attribute or ObjectType from FIM Schema must follow a specific order of steps or you will get an Unwilling to Perform exception

    Exception: Other Stack Trace: Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level
    16, State 1, Procedure ReRaiseException, Line 37, Message: Reraised Error 50000, Level 16, State 1, Procedure ReRaiseException, Line 37, Message:
    Reraised Error 547, Level 16, State 1, Procedure PostProcessObjectTypeDescriptionUpdate, Line 90, Message: The DELETE statement conflicted with the REFERENCE constraint
    "FK_BindingInternal_ObjectTypeInternal". The conflict occurred in database "FIMService", table "fim.BindingInternal", column 'ObjectTypeKey'.

    To delete an Attribute or ObjectType from the FIM Schema, do the following:

    1. Delete all instances of any Objects that currently use those schema elements.

    2. If you want the reporting data warehouse to capture the deletion of the attribute or object instances from the previous step, run and complete an Incremental job. Failing to do this will not result in an error; however, any object changes recorded in the system since the last Incremental job will not have history for these schema items once they are deleted.

    3. Search for any Set or Dynamic Group Filter that currently includes the FIM Schema items you plan to delete and delete the Set or Dynamic Group. If the Set is used in an MPR, you will first need to delete the MPR.

    4. Delete all Bindings that reference the FIM Schema items you plan to delete.

    5. Delete the Schema item.

  • FIM Service: Request will Fail and throw Unwilling to Perform Exception if duplicate MPRs trigger the same Action Workflow on the Request
    If 2 or more MPRs are configured to execute the same Action Workflow and get triggered on the same Request, the Request will fail with the following exception:

    Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other ---> System.Data.SqlClient.SqlException: Reraised Error 50000, Level 14, State 1, Procedure
    ReRaiseException, Line 37, Message: Reraised Error 2601, Level 14, State 1, Procedure
    DoProcessRequest, Line 267, Message: Cannot insert duplicate key row in object 'fim.PolicyApplication' with unique index
    'IX_PolicyApplication_RequestKey_TargetKey_WorkflowDefinitionKey'.

    To fix the problem you can use the Portal to search all enabled MPRs, locate the duplicate, and delete it.

  • FIM Service: Set or Dynamic Group membership may be invalid if the Set or Dynamic Group Filter attribute contains a reference to deleted Attributes or ObjectTypes in the FIM schema
    The system will allow deletion of Attribute and ObjectTypes from the FIM schema without detecting whether or not these items may be in-use in Set or Dynamic Group definitions. As a result, the affected Set or Dynamic Groups will have invalid membership and should be deleted. To locate the affected Sets or Dynamic Groups, use advanced search in the portal on the Filter attribute of the Sets or Dynamic Groups to find these deleted schema items and delete the affected Set or Dynamic Group objects.

  • FIM Service: synchronizationExportThrottle not supported in FIM 2010 R2
    The hotfix rollup package for build 4.0.3573.2 introduced a property, synchronizationExportThrottle, that is not supported in R2. For more information, see KB2417774. If this property exists in your FIM 2010 R2 Service configuration file, the FIM Service will fail to start. To resolve the issue, remove the property from the configuration file.

  • FIM Service: If your deployment contains multiple FIM Portal or FIMService machines and you are using the FIM Approval workflow, you need to ensure that the machines can authenticate to each other
    This is done by creating a service principal name for each FIMService and then configuring each FIM Portal to use constrained delegation to each FIMService. If your deployment takes advantage of receiving Group Management and Approval Requests to the FIM Service mailbox, the FIMService that has mailbox polling enabled (there is only supposed to be 1 instance) must also be configured to use constrained delegation to each FIMService.

    Approval Responses are submitted directly by the FIM Portal and the FIM Service (receiving mail) to a Workflow Endpoint on the FIM Service that received the original Request. For example, assume your deployment has FIM Portal 1 and 2, and also FIM Service 1 and 2. A user issues a Request to join a Group on FIM Portal 1. That Request is processed by FIM Service 1 and this is where the Approval Workflow Instance lives. If the Approver approves by Email and that email response is processed by FIM Service 2, it is FIMService 2 that will try to communicate with FIMService 1 to send the Approval Response. If the same Approver went to FIM Portal 2 and approved the Request, it is the FIM Portal 2 that will communicate with FIMService 1 to send the Approval Response.

    For instructions for how to setup SPNs and constrained delegation, see the following article: https://technet.microsoft.com/en-us/library/jj134299(v=ws.10).aspx

  • Password Registration Portal: GateRegistration Objects can accumulate over time
    GateRegistration Objects that are no longer necessary may accumulate in the system because of various events in and around password reset scenarios. One such event is when an administrator updates an AuthN workflow and checks "force re-registration": when users re-register, new GateRegistration Objects are created, but the original ones are not removed. Periodic deletion of these unnecessary GateRegistration Objects is a recommended best practice to ensure that your system maintains only the minimum objects necessary to enable your scenarios.

  • Password Registration Portal: Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    This error can occur when a user attempts to navigate to the Password Registration Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.

    For additional troubleshooting information including how to enable logging see Troubleshooting FIM 2010.

  • Password Reset Portal: Communication Error: An error has occurred. Please try again, and if the problem persists, contact your help desk or system administrator. (Error 3008)
    This error can occur when a user attempts to navigate to the Password Reset Portal and the SQL Server that runs the FIMService database is down or not accessible. If you receive this error, verify that the SQL Server is running and is accessible.

    For additional troubleshooting information including how to enable logging see Troubleshooting FIM 2010.

  • Reporting: Filtering the Request History or Group History reports on an MPR name may return incorrect results
    When filtering the Request History or Group History reports on an MPR name, you may receive incorrect results. The data represented in the report is accurate, but you may need to export the report to a third-party format (such as Excel) and then filter it there.

  • Reporting: Certain reports may time out on large datasets
    You may experience SSRS timeouts when running reports on large data sets. The default SSRS timeout is 1800 seconds for all reports. You can change this timeout by navigating to the Site Settings link in the upper right corner of the SSRS web interface, opening the General tab, and then changing the timeout either to no timeout or to a value larger than the default 1800 seconds.

  • Reporting: Reports do not show Created Time for requests which exist before initial ETL was run
    The Created Time column will appear blank for requests which were in the system before reporting setup was completed. There is no workaround for this issue, but since the request’s committed time will be captured, you will still be able to correlate when the change was made in the FIM 2010 R2 database.

  • Reporting: When the creator of a request is not a person resource in FIM (i.e., FIM Service, Anonymous User), no creator is shown in the out-of-box reports
    Currently, if the FIM 2010 R2 service or an anonymous user issues a request in the FIM 2010 R2 portal, the creator is shown as blank in the out of box reports. This is due to the fact that these resources are not moved over as part of our ETL processes, since they are not person resources in FIM 2010 R2.

  • Reporting: Unique key constraint violation when running reporting synchronization jobs
    If you attempt to run reporting synchronization jobs on a default System Center Service Manager SP1 (SCSM SP1) installation, you may receive the error “Violation of UNIQUE KEY constraint ‘idx_ManagedEntityManagedTypeId’. Cannot insert duplicate key…”. To address this issue, make sure you have the following updates installed on your System Center Service Manager Management Server, Data Warehouse Server, and any machines that have the System Center Service Manager Console installed on them:

    1. KB2542118 – System Center Service Manager Cumulative Update 2

    2. KB2542118 – System Center Service Manager FIM 2010 R2 Hotfix

      Note

      You must have the SCSM Cumulative Update 2 installed before installing KB2542118.

  • Reporting: If a resource is created and deleted inside one SCDW extract batch, that resource will not show up in the SCDW
    When an instance of a resource is created and deleted inside one extract batch, the deleted instance will never be extracted from the SCSM Management Server to be moved over to the Data Warehouse. This is a known issue with the System Center Service Manager Product. You may see this issue in testing environments if you, for example, create a person in FIM 2010 R2, delete that person, and then run the SCSM ETL job. Because the creation and deletion event occur in the same ETL batch, these events do not get sent to the System Center Data Warehouse.

  • Reporting: When running on PowerShell version 1.0, running Get-Help on Import-FIMReportingReport results in an error
    You may receive the error “Error loading help content for Import-FIMReportingReport” in certain cases when attempting to load help information for Import-FIMReportingReport. If this occurs, try the alternate method of outputting the parameter list by typing “Import-FIMReportingReport -?”. If this also fails, refer to the Deployment Guide for Forefront Identity Manager 2010 R2 – PowerShell Reference.

  • Reporting: Out-of-box reports may not return data with default filtering parameters
    The default end date for the out-of-box reports is defined as today's date in UTC + 1. As a result, running reports with the default filtering parameters may return an empty data set, depending on the time zone the user is running in. This is a known issue that you can work around by manually specifying the date range with which you wish to filter your report.

  • Reporting: Running an incremental synchronization after a large export from Active Directory may take several days to complete
    Depending on the size of the export job, the incremental synchronization process may take up to several days to complete. This is due to the large number of requests generated by the export process that are then moved over to the Data Warehouse. You may safely let this incremental synchronization job continue to run without regressing performance on the FIM 2010 R2 Service or other components. However, if this waiting period is unacceptable and you would like to ignore the requests generated by the export process, contact product support for assistance (see How and when to Contact Microsoft Customer Service and Support).

  • Reporting: Data does not appear in reports even after all synchronization processes are completed
    For data consistency purposes, SCSM will not move data that has been modified in the last 30 seconds. Therefore, if you run the FIM 2010 R2 reporting synchronization processes immediately followed by the SCSM ETL jobs, the changes made in the reporting synchronization job may not appear in the Data Warehouse. You can solve this issue by either:

    • Waiting 30 seconds before starting the SCDW ETL jobs

    • Running the SCDW ETL jobs again

    Because the SCDW ETL jobs run every 20 minutes to 1 hour (depending on job type), you can be assured that data will flow to the DataMart within a 24 hour Service Level Agreement. For testing purposes, however, it is important to consider this 30 second delay when exercising certain scenarios.

  • Reporting: Certain Chinese characters may cause the SCSM console to fail to load a report
    Double-byte length Chinese characters (surrogate pairs) in report data may cause the SCSM console to fail to load a report. This is caused by an issue in version 9.0.0.0 of the report viewer used by the SCSM console. To work around this issue, you can either:

    • Continue viewing the reports through the SQL Server Reporting Service (SSRS) web interface (which does not have this issue), or

    • Delete the bad data, restart the SSRS service, and attempt to view the reports via the SCSM console

  • Reporting: Status of requests is different for initial and incremental synchronizations
    In this release, during initial synchronization, FIM 2010 R2 Reporting moves finished requests with the final state of “completed” to the Data Warehouse, but it only moves finished requests with the final state of “committed” during incremental synchronization. This is a known issue that does not affect data integrity.

  • Reporting: FIM reporting initial sync moves over failed requests
    In this release, during initial synchronization, FIM 2010 R2 Reporting moves both successful and failed requests to the Data Warehouse, whereas during incremental synchronization it only moves the successful requests. This will result in a small amount of extra data being present in the Data Warehouse in certain cases. This does not affect data integrity.

Synchronization Service – Post-Installation

  • ECMA 2.0: ECMA 2.0 does not support "multi-partition" file-based Connectors
    ECMA 2.0 does not prevent a programmer from creating a file-based "multi-partition" Connector; however, these scenarios are not supported and may result in unexpected or broken behavior.

    Programmers should not try to use/implement the GetPartition() or GetHierarchy() interfaces when writing a file-based ECMA 2.0 connector, as they will not work properly.

  • ECMA 2.0: CustomData for OpenImportConnectionRunStep.CustomData comes from GetImportEntriesResults
    The watermark data returned in OpenImportConnectionRunStep.CustomData does not come from CloseImportConnectionResults.CustomData, as would be expected. Instead, the CustomData field comes from GetImportEntriesResults.CustomData. Connector programmers will encounter this issue when writing their connectors to pass watermark data between MA runs.

  • ECMA 2.0: ECMA 2.0 does not allow a page/batch size of greater than 9999
    When configuring the batch size for an ECMA 2.0-based MA, you cannot configure a batch size larger than 9999 objects. The UI will not allow a larger number to be configured, and there is no way to exceed this size in your Connector's configuration.

  • ECMA 2.0: Generic-style DNs do not accept all characters
    Generic-style DNs have the same character limitations as LDAP-style DNs, even though there is no specific reason for that limitation.

  • FIM MA: Using Service Partitioning to isolate FIM MA Export load is not supported for FIM 2010 R2.
    Customers who have more than one FIM 2010 R2 Service instance installed and who wish to control which of these instances processes the load from the FIM MA during an Export run will need to use the following setting in the FIM 2010 R2 Service configuration file, under resourceManagementService:
    receiveSynchronizationRequestsEnabled

    By default, the value is "True", meaning that the FIM 2010 R2 Service instance processes FIM MA Export requests. Setting the value to "False" indicates that the FIM 2010 R2 Service instance does not process export requests.

    Note

    Although you specify a FIM 2010 R2 Service address in the FIM MA properties in Synchronization Service Manager, all FIM 2010 R2 Service instances attached to a single FIM 2010 R2 Service database will process these requests.
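    The following added example (not from these release notes or the FIM product) audits one FIM Service host's configuration file for the two settings these notes call out: it reports the receiveSynchronizationRequestsEnabled value described above and flags the unsupported synchronizationExportThrottle property from the earlier "synchronizationExportThrottle not supported" note, which prevents the FIM Service from starting. It assumes the file is Microsoft.ResourceManagement.Service.exe.config in the default FIM Service install folder and that both settings are attributes of the resourceManagementService element (the notes only say "under resourceManagementService"); the element search is written to find the throttle property whether it appears as an attribute or as an element.

```powershell
# Added example (not from the release notes): audit a FIM Service configuration
# file for receiveSynchronizationRequestsEnabled and synchronizationExportThrottle.
# Assumption: both settings live on the <resourceManagementService> element.

function Test-FimServiceConfig {
    param([Parameter(Mandatory = $true)][string]$Path)

    [xml]$config = Get-Content -LiteralPath $Path
    $rms = $config.SelectSingleNode('//resourceManagementService')
    if ($null -eq $rms) { throw "No <resourceManagementService> element found in $Path" }

    # 1. synchronizationExportThrottle (from the 4.0.3573.2 hotfix rollup) is not
    #    supported in R2 and stops the service from starting. Look for it anywhere
    #    in the file, as an attribute or as an element.
    $throttle = $config.SelectNodes('//@synchronizationExportThrottle | //synchronizationExportThrottle')
    $hasThrottle = $throttle.Count -gt 0

    # 2. receiveSynchronizationRequestsEnabled decides whether this instance
    #    processes FIM MA Export requests. An absent attribute means the default, True.
    $attr = $rms.Attributes['receiveSynchronizationRequestsEnabled']
    $receives = if ($null -eq $attr) { $true } else { [System.Convert]::ToBoolean($attr.Value) }

    [pscustomobject]@{
        Host                                  = $env:COMPUTERNAME
        ConfigPath                            = $Path
        HasUnsupportedExportThrottle          = $hasThrottle
        ReceiveSynchronizationRequestsEnabled = $receives
        ReceiveSettingIsExplicit              = ($null -ne $attr)
    }
}

# Default FIM 2010 R2 Service install location (assumption; adjust if you installed elsewhere).
$configPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'

$result = Test-FimServiceConfig -Path $configPath
$result | Format-List

if ($result.HasUnsupportedExportThrottle) {
    Write-Warning 'synchronizationExportThrottle is present: remove it, or the FIM Service will fail to start.'
}
if (-not $result.ReceiveSynchronizationRequestsEnabled) {
    Write-Warning 'This instance will not process FIM MA Export requests; make sure another instance does.'
}
```

    Run it on every FIM Service host that shares the same FIM Service database and compare the ReceiveSynchronizationRequestsEnabled column: if you are partitioning export load, exactly the instances you intend should report True, and none should report an export throttle.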

  • FIM MA: A request-based MPR will not fire if a reference attribute needs to be evaluated on resource creation
    A request-based MPR will not fire if a reference attribute needs to be evaluated on resource creation. Example: a request-based MPR that sends an email to the manager of the created person. An error similar to the following will be written to the FIM Service event log.

    EXCEPTION DATA
    MESSAGE: Cannot deference non-instantiated attribute Manager
    **METHOD:System.Exception ThrowException(System.Exception)
    **METHOD:System.Object ResolveAttribute(System.String, Boolean, ResolverOptions, System.String ByRef)
    **METHOD:Void ResolveToLine(System.String)
    **METHOD:System.String ResolveRecipientLine(Microsoft.ResourceManagement.WFActivities.Resolver, System.String, System.Text.StringBuilder ByRef)
    **METHOD:Microsoft.ResourceManagement.Workflow.Runtime.MessageContent ResolveMailMessage(System.Guid, System.Guid, System.Guid, System.Collections.Generic.Dictionary`2[System.String,System.Object], System.String, System.String, System.String, System.Guid, Microsoft.ResourceManagement.Workflow.Activities.EmailResolutionOptions, System.String ByRef)
    **METHOD:Void ResolveMail(System.Object, System.EventArgs)
    **METHOD:Void RaiseEvent(System.Workflow.ComponentModel.DependencyProperty, System.Object, System.EventArgs)
    **METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.ActivityExecutionContext)
    **METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(T, System.Workflow.ComponentModel.ActivityExecutionContext)
    **METHOD:System.Workflow.ComponentModel.ActivityExecutionStatus Execute(System.Workflow.ComponentModel.Activity, System.Workflow.ComponentModel.ActivityExecutionContext)
    **METHOD:Boolean Run(System.Workflow.ComponentModel.IWorkflowCoreRuntime)
    **METHOD:Void Run()

    This is expected. Reference attributes are not guaranteed to be part of the original Create request.

    Workaround: Trigger the MPR on an attribute update instead of on the Create request.

  • FIM MA: FIM MA export of sets and dynamic groups filter attributes will impact performance
    Synchronization requests containing updates to set or dynamic group filters will only be processed using the single object FIM MA export behavior.

  • Synchronization Service: Changing MV Object type during runtime is not supported
    The FIM 2010 R2 code does not yet actively prohibit this, so note that doing so is not supported.

  • Synchronization Service: Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''.
    The FIM Service event log might contain the following error: Request 'ca6a8db0-c084-4783-bb9b-5be054d38a10' failed while trying to commit the changes to the database. Exception: 'Target(s): abc, Attribute Failure Code: 'RequiredValueIsMissing', Attribute Name: 'MembershipLocked''. The missing ‘MembershipLocked’ attribute occurs under the following conditions.

    1. Sync engine sends an update request with attributes that got modified.

    2. The FIM MA does a quick lookup and finds the object missing in the FIM Service (probably deleted through the portal).

    3. The FIM MA treats the update as 'Create' request.

    4. The create request in FIM Service fails because it has missing attributes like ‘MembershipLocked’.

    Running a delta import and delta sync followed by an Export will fix the error. The Sync Service will then recognize the object as deleted from the FIM Service and will not send a pending update during the next FIM MA export operation.
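    The delta import, delta sync and export sequence just described can be driven from the Synchronization Service WMI provider. The following is an added example, not part of these release notes or of the FIM product: it runs the three run profiles on the FIM MA in order and stops at the first run that does not return "success", so that an export is never attempted on top of a failed import or sync. The MA name and the run profile names are assumptions and must match your own configuration; the WMI namespace and class are those the Synchronization Service exposes.

```powershell
# Added example (not from the release notes): run Delta Import, Delta Synchronization
# and Export on the FIM MA through the Synchronization Service WMI provider,
# stopping at the first run profile that does not end with "success".

$maName      = 'FIM MA'                                              # assumption
$runProfiles = @('Delta Import', 'Delta Synchronization', 'Export')  # assumption

function Invoke-FimMaRunSequence {
    param(
        [Parameter(Mandatory = $true)][string]$ManagementAgent,
        [Parameter(Mandatory = $true)][string[]]$Profiles,
        [string]$ComputerName = '.'    # Synchronization Service host
    )

    $ma = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\MicrosoftIdentityIntegrationServer' `
        -Class 'MIIS_ManagementAgent' -Filter "Name='$ManagementAgent'"
    if ($null -eq $ma) { throw "Management agent '$ManagementAgent' not found on $ComputerName" }

    $results = @()
    foreach ($rp in $Profiles) {
        $started = Get-Date
        # Execute() blocks until the run finishes and returns the run status string,
        # e.g. "success" or "completed-export-errors".
        $status = $ma.Execute($rp).ReturnValue
        $results += [pscustomobject]@{
            RunProfile = $rp
            Result     = $status
            Duration   = (Get-Date) - $started
        }
        if ($status -ne 'success') {
            Write-Warning "Run profile '$rp' ended with '$status'; stopping the sequence before the next step."
            break
        }
    }
    return $results
}

Invoke-FimMaRunSequence -ManagementAgent $maName -Profiles $runProfiles |
    Format-Table RunProfile, Result, Duration -AutoSize
```

    Because the error in this note is raised by the FIM Service rather than by the sync engine, check the FIM Service event log after the Export step: the sequence is only complete when the Export returns success and no new 'MembershipLocked' commit failures appear.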

  • Synchronization Service: Do not reuse your existing miiserver.exe.config file
    Re-using an existing configuration may fail due to changes in the content of the configuration file. Please review the new configuration file contents and update manually if appropriate to do so.

  • Synchronization Service: Synchronization Service Manager shows a User object deleted when the linked ERE was actually deleted
    During migration from policy-based sync rules to filter-based sync rules, the sync engine deletes EREs that are linked to filter-based sync rules. However, the Identity Manager statistics falsely show that the User linked to the deleted ERE was deleted. The User was not, in fact, deleted; it was the ERE that was deleted. Customers should only run into this problem once, when they migrate from policy-based to filter-based rules. No action is required.

  • Synchronization Service: The value of a boolean-type outbound scoping filter in a filter-based Sync Rule is case sensitive.
    It must be all lowercase, i.e., "true" or "false". If the casing is different, it will crash.