Forefront Identity Manager 2010 R2 build 4.1.3496.0 released

Today, Thursday November 21st, saw Microsoft release a new hotfix rollup package (build 4.1.3496.0) for Forefront Identity Manager 2010 R2.  The official documentation for this build can be found on the Microsoft support website under knowledgebase (KB) article 2906832.  Download link is here.  This build supersedes 4.1.3479.0.

The hotfix contains one (1) FIM Service update, one (1) new FIM Service feature and six (6) FIM Synchronization Service updates.

This is a very important build for me and for any of you working with the Azure Active Directory (AAD) Connector, i.e. those of you working on multi-forest or complex Office 365 engagements where the DirSync appliance isn’t a good fit.  The export-loop bug that has meant that your batch size is down to one and performance is atrocious is fixed…no more 3-day exports or worries!  I’ve already deployed at two customers (more next week) and can confirm that the issue is fixed.  And the great news is that this is an ECMA2 bug so if you’ve had similar issues with the PowerShell MA or your own, that problem now goes away…no more silly batch sizes, yippee!

This is also a very cool build because we finally have the ability to hide the Advanced Search button from users in the FIM Portal!  That might also deserve a woo-hoo!

Full details of each update, duplicated from the KB for posterity, follow.  Hit the KB for the known issues and other details.

FIM Service and Portal

Issue 1

When you create a custom solution in FIM2010 R2, you may experience any of the following scenarios:

  • Scenario 1: An Authorization Workflow could get stuck
  • Scenario 2: An Authorization Workflow could be executed again after a FIMService restart
  • Scenario 3: An Authorization Workflow parent Request may not be set to Expire

These problems might occur if your solution has custom workflows that use the new FIM2010 R2 feature which enables setting the ApplyAuthorizationPolicy property to True (the default value is False) on the following built-in building block activities:

  • CreateResourceActivity
  • UpdateResourceActivity
  • DeleteResourceActivity

Changes to stored procedures in the FIMService database correct scenario 2 and scenario 3.

To resolve scenario 1, an additional AuthorizationWaitTimeInSeconds property was added to the built-in building block activities. It lets the activity set how long the request processor should wait for authorization before throwing an AuthorizationRequiredFault error. We recommend setting this value to 0 or to a larger value.

New Feature 1

With a new configuration option, it is now possible to hide the Advanced Search link in the FIM Portal.

To enable the configuration and remove the Advanced Search link, follow these steps:

  1. Go to Administration, click Schema Management, and then click All Attributes.
  2. Create a new Boolean attribute named HideAdvancedSearchLink.
  3. Go to All Bindings and create a new binding for the HideAdvancedSearchLink attribute to the Portal Configuration resource. Click Finish to save the binding.
  4. Create a new Management Policy Rule (MPR) to allow for changes to the new binding in the portal configuration. To do this, use the following configuration for the new MPR: 

    Display Name: Administrators can modify the HideAdvancedSearchLink in the Portal Configuration resource
    Type: Request
    Disabled: False
    Specific Set of Requestors: All Administrators
    Operation: Modify a single-valued attribute
    Permissions: Grants permission
    Target Resource Definition Before Request: All Basic Configuration Objects
    Target Resource Definition After Request: All Basic Configuration Objects
    Resource Attributes: Select specific attributes: HideAdvancedSearchLink


  5. Reset Internet Information Services (IIS) and then restart the FIM service.
  6. Go to Administration, click Portal Configuration, and then click Extended Attributes. You should see the HideAdvancedSearchLink attribute together with the other extended attributes.
  7. Click to select the HideAdvancedSearchLink check box and then click Submit to enable the hiding of the Advanced Search link.
  8. Verify that the Advanced Search link is not available in the list views, such as “My DGs”, “My DG Memberships”, and “Management Policy Rules”.
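
A read-only way to confirm steps 2 to 7 from PowerShell, including that the new MPR grants modify rights on the HideAdvancedSearchLink attribute only. This is an added example, not part of the KB or the original post. It assumes the FIMAutomation snap-in on the FIM Service server, the default local service endpoint, and `PortalUIConfiguration` as the system name of the Portal Configuration resource type; `Get-FimObject`, `Get-FimValue` and `Test-Step` are helper names made up for the example.

```powershell
# Added example: read-only check of the HideAdvancedSearchLink configuration.
# Assumptions: FIMAutomation snap-in available, FIM Service on the default local
# endpoint, and 'PortalUIConfiguration' as the Portal Configuration type name.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue
$Uri     = 'http://localhost:5725/ResourceManagementService'
$Name    = 'HideAdvancedSearchLink'
$MprName = 'Administrators can modify the HideAdvancedSearchLink in the Portal Configuration resource'

function Get-FimObject([string]$XPath) {
    # -OnlyBaseResources returns the matched objects without following references.
    @(Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig $XPath)
}
function Get-FimValue($Object, [string]$Attribute) {
    # Exported values are strings; multi-valued attributes expose .Values.
    $a = $Object.ResourceManagementObject.ResourceManagementAttributes |
         Where-Object { $_.AttributeName -eq $Attribute }
    if ($null -eq $a) { return $null }
    if ($a.IsMultiValue) { return @($a.Values) }
    return $a.Value
}
function Test-Step([string]$Step, [bool]$Ok) {
    New-Object PSObject -Property @{ Step = $Step; Passed = $Ok }
}

$attr   = Get-FimObject "/AttributeTypeDescription[Name='$Name']"
$bind   = Get-FimObject ("/BindingDescription[BoundAttributeType=/AttributeTypeDescription[Name='$Name']" +
                         " and BoundObjectType=/ObjectTypeDescription[Name='PortalUIConfiguration']]")
$mpr    = Get-FimObject "/ManagementPolicyRule[DisplayName='$MprName']"
$portal = Get-FimObject '/PortalUIConfiguration'

# Attributes the MPR may modify; anything beyond the one name widens the grant.
$scope = @(if ($mpr.Count -eq 1) { Get-FimValue $mpr[0] 'ActionParameter' })

@(
    Test-Step 'Step 2: Boolean attribute exists' `
        ($attr.Count -eq 1 -and (Get-FimValue $attr[0] 'DataType') -eq 'Boolean')
    Test-Step 'Step 3: bound to Portal Configuration' ($bind.Count -eq 1)
    Test-Step 'Step 4: MPR present and enabled' `
        ($mpr.Count -eq 1 -and (Get-FimValue $mpr[0] 'Disabled') -eq 'False')
    Test-Step 'Step 4: MPR limited to HideAdvancedSearchLink' `
        (($scope -join ',') -eq $Name)
    Test-Step 'Step 7: HideAdvancedSearchLink is set' `
        ($portal.Count -eq 1 -and (Get-FimValue $portal[0] $Name) -eq 'True')
) | Format-Table Step, Passed -AutoSize
```

The script only reads configuration through Export-FIMConfig; step 8 (the link actually disappearing from the list views) still has to be checked in the portal after the IIS reset and service restart.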

FIM Synchronization Service

Issue 1

During an export on the FIM Service Management Agent (MA), if either the FIM Synchronization or the FIM Service is stopped, then in some cases the Synchronization Service may be unable to complete the export on a retry. In this case, you receive the following error message:

The operation failed because the attribute cannot be found.

Issue 2

In certain scenarios, the FIM Service MA may return the following error message:

Type: System.ArgumentOutOfRangeException

This problem might occur if an unexported reference attribute was removed by another synchronization process and the result is null.

Issue 3

In a rare case, an import could receive a staging error because of duplicate references in the connector space.

Issue 4

In a rare case, an import could receive a staging error because of a move of an object in the connected directory.

Issue 5

An Extensible Connectivity Management Agent 2.0 (ECMA2.0) connector could end up in an infinite loop when the capability flag is set not to export references in the first pass and an object that has no reference attributes could not export an attribute. This problem affects the Windows Azure Active Directory connector provided by Microsoft.

Issue 6

In ECMA2.0, an export-only attribute could end up in a bad state. This problem might occur if ECMA2.0 could not export and caused a staging error on the next import and synchronization.


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.