Contents
What's New in IIFP SP2
Known Issues
Fixes Included in this Service Pack
Copyright
What's New in IIFP SP2
Support for SQL Server 2005
IIFP SP2 may be installed using SQL Server 2005 to store the MicrosoftIdentityIntegrationServer SQL Server database.
Support for Visual Studio 2005
When you create a rules extension project using Identity Manager in IIFP SP2, the project will be created in Visual Studio .NET Professional 2005.
Note: If you use Visual Studio 2005 with your existing rules extensions, the extensions will be converted to a Visual Studio 2005 project and to Microsoft .NET Framework 2.0.
You will be able to run all existing rules extensions (whether they have been compiled with Microsoft .NET Framework 1.1 or Microsoft .NET Framework 2.0) on IIFP SP2 without having to recompile your projects. Note, however, that all new development and debugging work done on IIFP SP2 rules extensions will require the use of Visual Studio .NET Professional 2005, Visual Basic® 2005 (or Express Edition), Visual C#® 2005 (or Express Edition), and can no longer be done with Visual Studio .NET Professional 2003.
For more information about upgrading Visual Studio .NET Professional 2003 projects to Visual Studio .NET Professional 2005, see this MSDN article (http://go.microsoft.com/fwlink/?LinkId=77551).
Debugging rules extensions using Visual Basic or Visual C# Express Edition
To debug rules extensions with Microsoft CLR Debugger 2005
-
Copy the retail symbols to the <IIFP_install>\bin folder, typically C:\Program Files\Microsoft Identity Integration Server\Bin.
-
Ensure that the rules extension .pdb file is located in the <IIFP_install>\Extensions folder along with its .dll. If you don't have the .pdb file in the Extensions folder, open the rules extension with Visual C# 2005 or Visual Basic 2005 Express. Select Property Pages, then select Build, then select Advanced, then select Full for Debug.
-
Rebuild the rules extension.
-
Open the source file in CLR Debugger 2005 and set the breakpoints.
-
Attach the debugger to the miiserver process.
-
Expand the Modules window tab. Event messages will be displayed indicating if the symbol files loaded successfully. If any symbol file did not load successfully, everything will appear to work, but the breakpoint will not be hit.
To set breakpoints from the code
-
Open the rules extension source file.
-
Add 'using System.Diagnostics;' to the using directives at the top of the rules extension code. Add Debugger.Break(); in the code where you want to set a breakpoint.
-
Rebuild the rules extension.
-
Attach the debugger to the miiserver process.
Important: Do not use the Debugger.Launch method with the Microsoft CLR Debugger 2005. Using this method will cause IIFP to freeze.
Updated management agent support:
-
The management agents for Active Directory (AD) and Active Directory Application Mode (ADAM) now support Windows Server R2.
Updated security options
-
The management agent for Active Directory (AD) now supports Secure Sockets Layer (SSL) in addition to Kerberos Sign & Seal.
-
The management agents for Active Directory and Active Directory Application Mode (ADAM) now support certificate revocation checking for SSL.
Improvements
-
Group processing is now 40% faster.
-
The Generate and Commit options in Preview allow you to view the results of synchronizing an individual object, with or without committing the change to the metadirectory.
Known Issues
At the time of release, the following are known issues for IIFP SP2:
-
IIFP SP2 no longer supports multi-valued attribute names that contain two consecutive hyphens, for example "old--attribute". If you have attributes in the metaverse with double hyphens and upgrade to SP2 Beta 2 before removing or modifying these attributes, IIFP will not start after the upgrade. If this occurs, you must remove IIFP SP2, restore your database from backup, and reinstall your previous version of IIFP. Before upgrading to IIFP SP2, you should make sure that your metaverse does not contain attributes with consecutive double hyphens. If it does, you must remove or modify these attributes in the metaverse before upgrading.
-
When creating a rules extension project in Identity Manager, Visual Studio 2005 will report a warning if the output directory for the Visual Studio project is located under a system directory, for example \program files, where IIFP is typically installed. The warning suggests that there is a potential security risk to storing the .config file under a system directory.
Note: Visual Studio 2005 displays this warning regardless of whether the project includes a .config file or not.
The warning suggests two options to deal with such a project:
-
Open the project as Read Only
-
Open the project normally.
If you choose to open the project normally, you will be able to build the assembly. However, the warning will pop up each time the project is loaded.
Fixes Included in this Service Pack
This Service Pack contains fixes for the following issues:
-
The CSEntry.ConnectionRule property may return "Unknown" or an error when it is referenced in the metaverse deletion rules or in the IMVSynchronization.ShouldDeleteFromMV method. This Service Pack allows the CSEntry.ConnectionRule property to be called successfully from the ShouldDeleteFromMV method.
-
The IIFP Key Management Utility (Miiskmu.exe) crashes on startup and generates the following event message:
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 12/27/2005
Time: 11:59:44 AM
User: N/A
Computer: MIIS
Description: Application popup: miiskmu.exe - Common Language Runtime Debugging Services : Application has generated an exception that could not be handled.
Process id=0x8fc (2300), Thread id=0xf74 (3956).
This issue may occur if some applications, such as antivirus software, are running. This Service Pack corrects the issue and prevents the IIFP Key Management Utility from crashing.
-
When a run profile has multiple steps, and each step has thousands of objects, the run histories take a long time to clear. This Service Pack optimizes the "clear run history" query, significantly improving performance.
-
This Service Pack introduces the ability to specify a mail template file when you create a mail file during provisioning. To enable this functionality, a new string attribute, _MMS_MailTemplateName, has been added to the management agent for Lotus Notes schema. You can only set this attribute in the provisioning script. This attribute takes the name of an existing mail template file as its value. For example, this attribute may take the name mail50.ntf.
Note: To use the _MMS_MailTemplateName attribute to set a mail template file, the template file must be located in the Domino\data directory. If the template file is located in a different directory, the export run fails, and you receive the following error message: "Remote pathname must be relative to Data Directory". This problem may occur even though the path specified in the provisioning script is actually relative to the Data directory.
Note: If an error occurs while an object is being created, and the mail template file has caused the error, the user object will be created but the mail file will not be created.
-
When a management agent for Active Directory is configured to use partition-specific credentials, IIFP does not correctly parse and use the specified credentials when IIFP tries to contact a domain controller. In this configuration, when Microsoft Windows Management Instrumentation (WMI) makes a call to retrieve connector space object information by Account and by Domain, the lookup fails and not all WMI information is correctly filled in. This Service Pack makes sure that IIFP uses the correct set of credentials for the partition.
-
The following error message is logged on the IIFP server when IIFP processes a password change notification:
Event Type: Error
Event Source: MIISServer
Event Category: Server
Event ID: 6900
Date: Date
Time: Time
User: N/A
Computer: MIIS_Server
Description:
The server encountered an unexpected error while processing a password change notification:
"BAIL: MMS(5396): pcnsmiis.cpp(75): 0x80004005 (Unspecified error)
BAIL: MMS(5396): pcnslistener.cpp(992): 0x80004005 (Unspecified error)
ERR: MMS(5396): server.cpp(9195): Partition is NULL
BAIL: MMS(5396): server.cpp(9090): 0x80004005 (Unspecified error)
This problem occurs when IIFP receives the new password. IIFP tries to look up the partition of the user object, however, the lookup operation fails. This problem typically occurs when placeholder objects appear in the connector space. These placeholder objects have the same anchor value as an incoming user object. This behavior causes IIFP to try to retrieve the domain context for the placeholder object. Therefore, IIFP returns the "Partition is NULL" error message.
This Service Pack resolves this problem by causing IIFP to ignore the placeholder objects when IIFP processes password notifications.
Note: Placeholder objects are special objects that IIFP uses only to reference other objects that IIFP will not own. You cannot use placeholder objects to synchronize password values.
-
When you synchronize IIFP objects into the metaverse, an "unexpected error" message can be generated for an object during synchronization of the management agent. This problem may occur if a metaverse single-valued attribute lineage is present in the SQL Server database and the corresponding value column is set to a NULL value. When this problem occurs, the event log message may be different. However, the unexpected error message data will be similar to the following:
The server encountered an unexpected error in the synchronization engine:
"ERR: MMS(2672): mvsqlsingle.cpp(1255): We should have an ATYPE configured for this attribute: singleValueAttribute
BAIL: MMS(2672): mvsqlsingle.cpp(1256): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): mvsqlsingle.cpp(883): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): mvobj.cpp(227): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): nsmvimp.cpp(232): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): csobj.cpp(2182): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): synccore.cpp(555): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): synccoreimp.cpp(118): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): synccoreimp.cpp(5816): 0x80230406 (An error has occurred at the store)
BAIL: MMS(2672): synccoreimp.cpp(2237): 0x80230406 (An error has occurred at the store)
ERR: MMS(2672): synccoreimp.cpp(2253): 0x80230406 - CS to MV to CS synchronization failed 0x80230406: [00103313]
BAIL: MMS(2672): synccoreimp.cpp(2089): 0x80230406 (An error has occurred at the store)
ERR: MMS(2672): syncmonitor.cpp(2497): SE: Rollback SQL transaction for: 0x80230406
After you apply this Service Pack, the synchronization process will ignore the NULL attribute value until the import attribute flow tries to set that attribute. This behavior lets the synchronization process complete without generating an unexpected error message.
-
The MIIS 2003 service may unexpectedly stop and may throw an application error message. This problem may occur if rules extensions try to access the LastContributingMA property and the management agent that is being accessed no longer exists in the system. When this problem occurs, the following error message may be logged in the Application log:
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: Date
Time: Time
User: N/A
Computer: MIIS_Server
Description: Faulting application miiserver.exe, version 3.1.1026.0, faulting module miiserver.exe, version 3.1.1026.0, fault address 0x00115276.
After you apply this Service Pack, the MIIS 2003 service will not quit. However, because the operation is not valid, you will receive the following error message:
"System.InvalidOperationException: The newest value was contributed by a management agent that has been deleted."
-
This Service Pack extends the SetPassword Windows Management Instrumentation (WMI) interface to accept two optional flags. The first flag requires that the user change their password at the next logon. The second flag unlocks the account if it is currently locked. If the flags are not specified, they use False, which is the current behavior through Service Pack 1. These changes affect only the management agent for Active Directory. If these flags are used for other management agents an "option-not-supported" message is returned by WMI. The two new flags are:
boolean ForceChangeAtLogon
boolean UnlockAccount
-
The IIFP server incorrectly reports a "stopped-out-of-memory" error if a management agent is configured with a join rule that references a multi-valued metaverse attribute that contains hyphens in its name. After applying this Service Pack, the IIFP server will now function correctly when it searches the metaverse using attributes that have hyphenated names. However, multi-value attributes with double hyphens are not supported. For more information, see Known Issues in this document.
-
The installation of IIFP now supports Microsoft SQL Server 2000 Service Pack 4 (SP4). Before this Service Pack, the installation of previous hotfixes or of the full version of IIFP was not successful, and you received the following error message:
"Microsoft Identity Integration Server (SP1) requires a running instance of Microsoft SQL Server with Service Pack 3 (8.00.760) or later. Install the correct SQL server version or service pack and make sure the service is running before installing Microsoft Identity Integration Server SP1."
If you are installing IIFP for the first time by using SQL Server 2000 SP4, you must install a full version of IIFP SP2. We are updating all the appropriate channels. If you have problems obtaining a full version through those channels, contact Microsoft Product Support Services for help.
-
When you are running a management agent in synchronization mode and you are processing group objects, you may unexpectedly receive the following error message on a group object in the IIFP statistics pane:
"Unexpected Error"
Additionally, the following error messages will be displayed in the application event log on the IIFP server:
Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6312
Date: 07/02/2006
Time: 00:01:50
User: N/A
Computer: MIISSRV1
Description: The server encountered an unexpected error while performing an operation for a rules extension.
"BAIL: MMS(2760): tripleholo.cpp(7691): 0x80004005 (Unspecified error)
BAIL: MMS(2760): tripleholo.cpp(7201): 0x80004005 (Unspecified error)
BAIL: MMS(2760): tower.cpp(5644): 0x80004005 (Unspecified error)
BAIL: MMS(2760): csobj.cpp(4003): 0x80004005 (Unspecified error)
BAIL: MMS(2760): csobj.cpp(1461): 0x80004005 (Unspecified error)
BAIL: MMS(2760): nscsimp.cpp(4509): 0x80004005 (Unspecified error)
BAIL: MMS(2760): mvobj.cpp(1385): 0x80004005 (Unspecified error)
BAIL: MMS(2760): scriptmanagerimpl.cpp(4256): 0x80004005 (Unspecified error)
BAIL: MMS(2760): scriptmanagerimpl.cpp(4218): 0x80004005 (Unspecified error)
BAIL: MMS(2760): scripthost.cpp(3061): 0x80004005 (Unspecified error)
Event Type: Error
Event Source: MIIServer
Event Category: Server
Event ID: 6301
Date: 07/02/2005
Time: 00:01:50
User: N/A
Computer: MIISSRV1
Description: The server encountered an unexpected error in the synchronization engine:
"BAIL: MMS(2760): scripthost.cpp(11413): 0x80230703 (The extension threw an exception.)
Microsoft.MetadirectoryServices.Impl.InternalError: 0x80004005
at Microsoft.MetadirectoryServices.Impl.ScriptHost.ThrowExceptionFromHRESULT(Int32 hr)
at Microsoft.MetadirectoryServices.Impl.BaseMVServices.GetConnectorsFromServer()
at Microsoft.MetadirectoryServices.Impl.BaseMVServices.GetOriginalConnectors()
at Microsoft.MetadirectoryServices.Impl.CImageServices.IImageServices.GetOriginalConnectors()
at Microsoft.MetadirectoryServices.Impl.MVEntryImpl.GetCountOfOriginalConnectors()
at Microsoft.MetadirectoryServices.Impl.ScriptHost.InvokeMv_Provision(_OCTET octMVPreImage, _OCTET octMVDelta)
BAIL: MMS(2760): scriptmanagerimpl.cpp(1428): 0x80004005 (Unspecified error)
BAIL: MMS(1256): scriptmanagerimpl.cpp(1509): 0x80004005 (Unspecified error)
BAIL: MMS(1256): ScriptManager.h(316): 0x80004005 (Unspecified error)
BAIL: MMS(1256): provisioning.cpp(64): 0x80004005 (Unspecified error)
ERR: MMS(1256): synccoreimp.cpp(1563): 0x80004005 - provisioning failed 0x80004005
BAIL: MMS(1256): synccoreimp.cpp(1564): 0x80004005 (Unspecified error)
ERR: MMS(1256): synccoreimp.cpp(4412): 0x80004005 - MV to CS synchronization failed 0x80004005: [{8E35FB4A-24EE-4C32-8BC6-C841E5C160AB}]
BAIL: MMS(1256): synccoreimp.cpp(4415): 0x80004005 (Unspecified error)
ERR: MMS(1256): syncmonitor.cpp(2497): SE: Rollback SQL transaction for: 0x80004005
MMS(1256): SE: CS image begin
MMS(1256): SE: CS image end
This problem occurs because the renaming of reference attributes is mishandled. This Service Pack improves the rename operation and helps avoid these error messages.
-
Prior to this Service Pack, the account joiner did not let you create "match" filters where both the connector space and the metaverse attributes were multi-valued. The account joiner did let you create filters where only one of the attributes was multi-valued. After you apply this Service Pack, attribute mappings are no longer blocked because of their combination of multi-valued and single-valued attributes, although some combinations are still blocked based on attribute type. Instead, a check is performed when you apply the filter, and an error is reported if the connector space attribute has more than one value. The behavior is as follows:
-
Multi-valued connector space attribute to single-valued metaverse attribute:
If the connector space attribute has more than one value, an error is reported. Otherwise, behavior is the same as the single-valued connector space to single-valued metaverse case.
-
Multi-valued connector space attribute to multi-valued metaverse attribute:
If the connector space attribute has more than one value, an error is reported. Otherwise, behavior is the same as the single-valued connector space to multi-valued metaverse case.
-
When you select objects to process in the connected directory, the new selections may unintentionally cancel the objects that you had previously included. This Service Pack corrects the unintended cancellations.
-
If a full import finishes with the status "completed-discovery-errors", a subsequent delta import will stop with the status "no-start-full-import-required". This means that a delta import will not run until a full import can run without generating this error message. This problem is caused by problems in the DN caching. This Service Pack resolves the problem of a full import being required in this scenario.
-
Previously, some distinguished name changes in imported objects would fail, and you would receive the following error message:
"Unexpected error"
This Service Pack enables certain distinguished name changes in imported objects to continue without error.
-
This Service Pack corrects an issue in multiple management agent types. This issue used to occur when you selected objects to process in the connected directory. The new selections might unintentionally cancel the objects that you had previously included.
-
This Service Pack expands the list of search operators that are available for Boolean attributes to include the following:
-
Is present
-
Is not present
-
Is true
-
Is false
-
This Service Pack increases performance when you delete large subtrees in the connector space.
-
Previously, you could not back up the system state when the Password Change Notification Service (PCNS) was installed on a domain controller. After you apply this Service Pack, you can back up the system state successfully with PCNS installed.
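The BAIL/ERR traces quoted in the event descriptions above share one record layout, which makes them easy to triage when they turn up in collected Application logs. The following Python is an added example, not part of the original release notes or of IIFP; the function names and the KNOWN table are assumptions made here, and the signatures in that table are taken from the error text quoted in the fixes above.

```python
import re

# One trace record: "<BAIL|ERR>: MMS(<pid>): <source file>(<line>): <message>".
# Records may be run together on one line, so match up to the next record marker.
RECORD = re.compile(
    r"(?P<kind>BAIL|ERR): MMS\((?P<pid>\d+)\): "
    r"(?P<file>[\w.]+)\((?P<line>\d+)\): "
    r"(?P<msg>.*?)(?=\s*(?:BAIL|ERR): MMS\(|\Z)",
    re.DOTALL,
)
HRESULT = re.compile(r"0x[0-9A-Fa-f]{8}")

# ERR text -> the condition that the corresponding SP2 fix on this page describes.
KNOWN = {
    "Partition is NULL":
        "password change notification resolved to a placeholder object",
    "We should have an ATYPE configured":
        "single-valued attribute lineage with a NULL value column",
}

def parse_trace(text):
    """Return one dict per BAIL/ERR record, in the order they appear."""
    records = []
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        rec["pid"], rec["line"] = int(rec["pid"]), int(rec["line"])
        rec["msg"] = " ".join(rec["msg"].split()).strip('"')
        records.append(rec)
    return records

def triage(text):
    """Summarise a trace: distinct HRESULTs, ERR messages, matched known issues."""
    records = parse_trace(text)
    hresults = []
    for rec in records:
        for code in HRESULT.findall(rec["msg"]):
            if code not in hresults:
                hresults.append(code)
    errors = [r["msg"] for r in records if r["kind"] == "ERR"]
    issues = [why for sig, why in KNOWN.items()
              if any(sig in e for e in errors)]
    return {"records": len(records), "hresults": hresults,
            "errors": errors, "known_issues": issues}

# Sample input: trace lines copied from the event 6900 description on this page.
PCNS_TRACE = '''"BAIL: MMS(5396): pcnsmiis.cpp(75): 0x80004005 (Unspecified error)
BAIL: MMS(5396): pcnslistener.cpp(992): 0x80004005 (Unspecified error)
ERR: MMS(5396): server.cpp(9195): Partition is NULL
BAIL: MMS(5396): server.cpp(9090): 0x80004005 (Unspecified error)'''

# Constructed variant: two records from this page run together on one line, as
# happens when an event description loses its line breaks in transit.
RUN_TOGETHER = ("ERR: MMS(2672): mvsqlsingle.cpp(1255): We should have an ATYPE "
                "configured for this attribute: singleValueAttribute "
                "BAIL: MMS(2672): mvsqlsingle.cpp(1256): 0x80230406 "
                "(An error has occurred at the store)")

if __name__ == "__main__":
    for name, trace in (("pcns", PCNS_TRACE), ("store", RUN_TOGETHER)):
        print(name, triage(trace))
```

A trace whose ERR lines match nothing in KNOWN still yields its HRESULTs and ERR messages, which is the part worth forwarding when the generic 0x80004005 alone says nothing about the cause.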
Copyright
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2003 - 2007 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, and MSN are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.