Article ID: 946797
A hotfix rollup package (build 3.3.1087.2) is available for Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1). This hotfix rollup package resolves the following issues.
Issue 1
Consider the following scenario. You use a custom management agent that is based on the Extensible Management Agent. You configure this management agent as Export Only. In this scenario, when a call to deprovision a connector space object in this management agent occurs, the connector space object becomes orphaned. This issue occurs if the deprovisioning rules are set to make the connector space object a disconnector object. You may also experience the following symptoms:
Issue 2
The Microsoft.metadirectoryservices.dll file is not strong-name signed. Therefore, you cannot build strong-name packaged management agents.
Issue 3
The smart card profile template does not populate the subject key identifier (SKI) as expected.
Issue 4
The Certificate Lifecycle Management component of ILM (also known as CLM) does not allow you to restrict certificate issuance on a specific organizational unit (OU) to a single Enrollment Agent.
Issue 5
CLM is now supported on the Windows Server 2008 Enterprise Edition 32-bit processor architecture.
Issue 6
Consider the following scenario. A primary smart card and a duplicate smart card are issued. Then, you renew the certificates for the smart cards by using online certificate updates. In this scenario, the primary smart card and the duplicate smart card receive different certificates.
For detailed information about these issues, see the "More Information" section.
Service Pack information
To resolve these issues, obtain the latest service pack for Identity Lifecycle Manager 2007 Feature Pack 1.
ILM 2007 Feature Pack 1 Service Pack 1 (SP1) is available. It contains the fixes in this hotfix rollup and offers stronger compatibility with previous ILM builds. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
977791 (http://support.microsoft.com/kb/977791/) Service Pack 1 (build 3.3.1139.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
Hotfix rollup package information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Customers requesting this hotfix package for the MSDN version of Identity Lifecycle Manager should contact Microsoft Technical Support.
Prerequisites
To apply this hotfix rollup package, you must have Identity Lifecycle Manager 2007 Feature Pack 1 installed on the computer.
Restart requirement
You do not have to restart the computer after you apply this hotfix rollup package.
Hotfix replacement information
This hotfix rollup package includes all the previous hotfixes for Identity Lifecycle Manager 2007 Feature Pack 1.
File information
The English version of this hotfix rollup package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Certificate Lifecycle Management component of Identity Lifecycle Manager 2007 Feature Pack 1
Identity Lifecycle Management component of Identity Lifecycle Manager 2007 Feature Pack 1
In this hotfix rollup package, the CLM_2007_FP1_FULL_KB946797.msp file fixes the Certificate Lifecycle component of Identity Lifecycle Manager 2007 Feature Pack 1. The ILM_2007_FP1_ENT_KB946797.msp file fixes the Identity Lifecycle component of Identity Lifecycle Manager 2007 Feature Pack 1.
Detailed information about the issues that are resolved
Issue 1
This issue occurs because the connector space object does not have a confirming import. Therefore, the connector space hologram for the connector space object is not created. The connector space hologram contains the information that is used for operations, such as join operations.
Before you apply this hotfix rollup package, you cannot replace the orphaned connector space object except by deleting the connector space object. This hotfix rollup package causes the connector space object to be updated by using information that confirms the export and that fills the connector space hologram.
Note This hotfix rollup package applies only to custom management agents that you create by using the Extensible Management Agent and that you configure as Export Only.
Issue 2
In this hotfix rollup package, the Microsoft.metadirectoryservices.dll file is changed to allow for strong-name signing of rules extensions and of data source extensions. Therefore, you may have to change the existing Microsoft Visual Studio projects to use the strongly named Microsoft.metadirectoryservices.dll file.
The ILM Synchronization Service now provides the following DLL files that define the interfaces and the types for the rules extensions and for the data source extensions:
Note In this error message, Name is a placeholder for the name of a function or of a type that is found in the Microsoft.MetadirectoryServices namespace.
Error 1 The type or namespace name Name could not be found (are you missing a using directive or an assembly reference?)
After you apply this hotfix rollup package or later hotfix rollup packages, you must reference the strongly named Microsoft.metadirectoryservicesex.dll file when you create new rules extensions and new data source extensions or when you recompile the existing rules extensions and the existing data source extensions. The strongly named Microsoft.metadirectoryservicesex.dll file contains the implementation that was formerly contained in the Microsoft.metadirectoryservices.dll file. The new file is functionally the same as the previous file except for strong-name signing.
When you create new Visual Studio projects from Identity Manager, the Visual Studio projects reference the new Microsoft.metadirectoryservicesex.dll file. If you create your own Visual Studio projects by using Visual Studio, you must make sure that you reference the new Microsoft.metadirectoryservicesex.dll file. If you recompile an existing Visual Studio project, you must make sure that you delete the reference to the Microsoft.metadirectoryservices.dll file and add a new reference to the Microsoft.metadirectoryservicesex.dll file.
For the existing rules extensions and for the existing data source extensions, no recompilation is required. These extensions continue to function correctly.
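A way to audit compiled extensions against the reference change described above, as an added example that is not Microsoft's code: for each DLL in a folder you supply, the script reports whether the DLL is strong-name signed and which Microsoft.MetadirectoryServices interface assembly it was compiled against. The -ExtensionsPath parameter, the helper name, and the output column names are assumptions of this example.

```powershell
# Added example, not Microsoft's code. Read-only audit of compiled extension DLLs.
# Assumption: -ExtensionsPath is the folder that holds your rules extensions and
# data source extensions. Save as a .ps1 file and run in Windows PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExtensionsPath
)

function ConvertTo-TokenHex {
    param([byte[]]$Token)
    # An assembly without a strong name has a null or empty public key token.
    if ($null -eq $Token -or $Token.Length -eq 0) { return $null }
    return -join ($Token | ForEach-Object { $_.ToString('x2') })
}

Get-ChildItem -Path $ExtensionsPath -Filter *.dll | ForEach-Object {
    $file = $_
    try {
        $identity = [System.Reflection.AssemblyName]::GetAssemblyName($file.FullName)
        # Reflection-only load: reads metadata without executing extension code.
        $assembly = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($file.FullName)
    }
    catch {
        Write-Warning "Skipping $($file.Name): $($_.Exception.Message)"
        return   # inside ForEach-Object this moves on to the next file
    }

    # Both the old and the new interface assembly names match this prefix.
    $mdsRefs = @($assembly.GetReferencedAssemblies() |
        Where-Object { $_.Name -like 'Microsoft.MetadirectoryServices*' })

    $token = ConvertTo-TokenHex $identity.GetPublicKeyToken()
    [pscustomobject]@{
        File              = $file.Name
        StrongNamed       = [bool]$token
        PublicKeyToken    = $token
        InterfaceAssembly = ($mdsRefs | ForEach-Object { $_.Name }) -join ', '
        InterfaceSigned   = ($mdsRefs | ForEach-Object {
                [bool](ConvertTo-TokenHex $_.GetPublicKeyToken()) }) -join ', '
    }
}
```

Rows whose InterfaceAssembly is the older file's assembly are the projects that need the reference swapped before they are next recompiled.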
Issue 3
When you enroll a user in a profile template that is enabled for smart cards, the certificate that is issued by the profile template does not contain the SKI.
Steps to reproduce this issue
Issue 4
Before you apply this hotfix rollup package, CLM does not examine the CLM Enrollment Agent extended permission when a request is executed. Therefore, anyone who is an Initiate Enroll Request principal on a profile template can execute the request for all subscribers who can enroll for the profile template, regardless of his or her permissions on the user object. Companies cannot implement more granular workflow permissions. For example, companies cannot allow for the managers in a sales OU to enroll users in only that OU.
After you apply this hotfix rollup package, the person who executes a request must also have the CLM Enrollment Agent permission on the subscriber in Active Directory. This behavior lets companies use a single profile template and lets companies implement more granular workflow permissions. You can grant a requestor the CLM Enrollment Agent permission either on the user object directly or on a group of which the subscriber is a member.
Issue 5
CLM is now fully supported on the Windows Server 2008 Enterprise Edition 32-bit processor architecture. Installation on Windows Server 2008 requires a full setup package. This setup package is included in ILM 2007 FP1 Service Pack 1 (SP1).
Issue 6
Because of this issue, a file that is encrypted by the certificate on the primary smart card cannot be decrypted by using the duplicate smart card.
After you apply this hotfix rollup package, the primary smart card and the duplicate smart card receive identical certificates after you renew the certificates by using online certificate updates.
Important If you apply the CLM part of this hotfix rollup package, how CLM accesses Active Directory is changed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
952327 (http://support.microsoft.com/kb/952327/) A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 (http://support.microsoft.com/kb/824684/) Description of the standard terminology that is used to describe Microsoft software updates