Release Notes

Getting Started Guide
Applies to: Microsoft® Forefront™ Identity Manager 2010 (FIM 2010)
Microsoft Corporation
Published: February 2010
Author: Brad Benefield
Editor: Margery Spears

Abstract
The latest information on FIM 2010 and FIM CM. Use these notes as a guide to troubleshoot issues that may arise.

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft.

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Active Directory, ActiveX, Forefront, Internet Explorer, Microsoft, Visual Studio, Windows, Windows Server, Windows Vista, and Windows NT are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Release Notes
  Release Notes for Forefront Identity Manager 2010
    Instructions for Installing FIM 2010
    What's new in FIM 2010
      General
      Management Policy Rules (MPR)
      Password Reset
      Portal UI configuration
      Queries and Requests
      Sets
      Setup and Prerequisites
      Synchronization
      Workflows
    Known Issues
      General
        UOC uniqueness checking works only in create mode
        Searches that contain an underscore and using "starts with" may time out
      Management Policy Rules (MPR)
        Making Advanced View modifications of MPRs may cause unexpected results in this release
      Sets
        For reference attributes that are used in set or group filters, avoid reference values that result in a circular reference
        Existing dynamic sets whose filters are not scoped to a specific resource type may have incorrect membership
        Dynamic set or group filters that are not scoped to a specific resource type must not include a negative condition on the ObjectID or ObjectType attribute
        Dynamic set or group filters that are not scoped to a specific resource type must not include a literal condition on the ObjectID attribute
        Dynamic set or group filters must not combine a condition on the ObjectID or ObjectType attribute with conditions on any other attribute using the OR operator
      Users and Groups
        Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership
      Synchronization
        Case changes and additions of trailing spaces are not committed to the FIM Service
      Schema
        User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources
        Default DisplayName and Description is not submitted during creation of BindingDescription
        Custom resources with hyphens in their names do not create RCDC configuration XML correctly
        Using the Web Services API to create a resource with a multivalued Boolean attribute stops the FIM Service
      Workflow and Request Processing
        Cannot create a workflowdefinition after importing XOML
        Groups that are not mail-enabled should not be selected as recipients for any e-mail messages
        Notification e-mail messages without text in the subject line or the body are not sent
        Requests that calculate zero approvers for changes to nongroup resources may become nonresponsive
        Workflow XOMLs containing an approval activity are not generated correctly by Visual Studio
        The lookup parameter does not accept non-alphanumeric characters
      Queries
        Invalid queries can return incorrect results
      Configuration Migration
        Migrating configuration from an environment with upgrades to a clean install of RTM requires updating version numbers
      FIM Add-ins and Extensions
        During installation of Chinese (zh-TW), duplicate entries for https: are displayed on the Trusted Sites selection page
  Release Notes for Forefront Identity Manager 2010 Certificate Manager (FIM CM)
    Installing FIM CM
    Upgrade from CLM FP1
    What's New in FIM CM
      FIM CM Portal Server support for Windows Server 2008 64-Bit and Windows Server 2008 R2
      FIM CM CA modules support for Windows Server 2008 64-Bit and 32-Bit and Windows Server 2008 R2
      Client support for Windows 7 and Windows Vista 64-bit
      Updated middleware support
    For more information
    Known Issues
      Installation
        Server installation
        Client installation
      Bulk Client Configuration
      General

Release Notes

Welcome to the release notes for Microsoft Forefront™ Identity Manager 2010 (FIM 2010). Before you install this application, we recommend that you read this entire document and the FIM 2010 installation guide. You can use these notes to guide you as you troubleshoot issues that may arise when you use FIM 2010.

In this document:
- Release Notes for Forefront Identity Manager 2010
- Release Notes for Forefront Identity Manager 2010 Certificate Manager (FIM CM)

Release Notes for Forefront Identity Manager 2010

Instructions for Installing FIM 2010
You can find the software and hardware prerequisites information and instructions for installing FIM 2010 in the FIM 2010 Installation Guide (http://go.microsoft.com/fwlink/?LinkId=165845).

What's new in FIM 2010
The following are the features and improvements to FIM 2010 that have been added since FIM 2010 Release Candidate 1. FIM 2010 includes all updates released since FIM 2010 Release Candidate 1.

General
- Adds support for SQL Server Failover Clusters for High Availability.
- Adds support for taking database backups without stopping the FIM Service.
New Supported Platforms for FIM Certificate Management
- Windows Server 2008 R2
- Windows Server Datacenter edition

Added support for Exchange 2010 for the following scenarios:
- FIM Synchronization Service support for Active Directory Management Agent and GAL Management Agent
- The FIM Service sending and receiving mail
- Outlook 2007 on Exchange 2010 sending approvals and group membership requests

Management Policy Rules (MPR)
There are now two types of Management Policy Rules:
- Set Transition MPR: a newly defined MPR type. A Set Transition MPR allows for easy creation of policies that apply to Set membership changes (that is, when resources enter or leave a specific Set).
- Request-based MPR: a standard MPR based on a request. During installation, if you have existing MPRs in your system, they will be automatically marked as Request-based MPRs.

Notes
- The Run On Policy Update flag is now only applicable to the new Set Transition MPRs.
- Temporal policy definitions require the use of the new Set Transition MPRs.
- When defining permissions for enumeration, you no longer need to grant all the permissions for required attributes as part of a single MPR. The system now properly aggregates permissions from multiple MPRs when evaluating query permissions.

Password Reset
Password Reset now accepts the user principal name (UPN) as well as the fully qualified domain name (FQDN) when specifying user credentials.

Portal UI configuration
- You can now copy and paste a vertical list from Excel to the Resource Picker input box. This is especially useful for doing bulk adds.
- The UOC text box now lets you check uniqueness using a custom XPath statement that you provide.

Note: This only works in Create mode, not in Edit mode. Attempting this in Edit mode may cause the check to be done when it is not intended.
Queries and Requests
Fixes an issue where queries did not evaluate correctly if they contained three or more conditions and at least two of them used the not() operator.

Sets
- Resolves a number of issues that resulted in incorrect dynamic set membership.
- Removes support for the use of the != operator with multivalued attributes. XPath equality expressions on multivalued attributes must use the not() function. For example, the following XPath is not supported:
    /Group[Owner != /Person]
  Instead, use the following XPath:
    /Group[not(Owner = /Person)]
- Some set restrictions noted in previous release notes have been removed. In particular:
  - You no longer need to avoid the use of the following operators in set creation: <, <=, >, >=, endswith, startswith, nesting.
  - You are no longer limited to using only the literal = operator with multivalued attributes when creating sets.
  - You can now have explicit members in a set that has a defined filter.
- FIM 2010 now has stricter validation for supported filters. In addition, some previously supported filters are no longer supported. For more information, see Modeling Business Policy Rules with FIM in the FIM documentation.

Setup and Prerequisites
In addition to existing prerequisites, FIM now also requires the following for installation:
- Windows Installer 4.5 for all server components
- For FIM Service: SQL Server 2008 SP1
- For FIM Add-in for Outlook: Outlook 2007 SP2

Synchronization
- Resolves a data corruption issue in multi-mastery scenarios in which deleted Member attributes were being added back during full synchronization of Active Directory and FIM.
- Synchronization rule error messages are now visible during synchronization previews.
- Resolves an issue where having multiple join and projection rules caused rule corruption on a full synchronization.
- Removes management agent (MA) support for Exchange version 5.5 and Windows NT.
- The FIMMA now stores error messages with the operation during export.
  You no longer have to look in the FIMService event log to see the errors.
- You can now have several MAs that are responsible for deleting a resource, which solves a common problem where custom code was still needed for declarative provisioning.
- Added two new declarative provisioning functions:
  - Null: this Synchronization Rule should not contribute a value, to support not flowing values to disabled accounts.
  - ReplaceString: find and replace a substring in another string.
- You can now set attribute precedence between classic provisioning and codeless provisioning attribute flows.
- Various other improvements in synchronization preview.
- Fixed customer-reported crashes in FIM Synchronization Service.
- Fixed issues with multi-mastered attributes.
- Added support for Exchange 14 mailbox provisioning.

Workflows
- Workflows are now run on a FIM Service that uses the same ExternalHostName as the FIMService that originally created the workflow. This enables the partitioning of workflow processing among servers that are dedicated to specific functionality. For example, if a FIM Service is dedicated to servicing Requests that the Synchronization Service submits, all workflows that result from Synchronization Service Requests will run only on that FIMService.
- Resolves an issue that caused a Request's RequestStatus attribute to retain the value "Validating" even though the Request's operation timed out.
- Resolves an issue in EnumerateResourcesActivity that prevented the selection of which attributes to return. Previously, regardless of the attribute selection that was specified, all attributes that were bound to the enumerated resources were returned.
- Owner-originated requests are now auto-approved.
- Removes DomainSynchronizationActivity and replaces it with built-in logic to support cross-forest group management.

Known Issues
The following topics discuss known issues in FIM 2010.
General

UOC uniqueness checking works only in create mode
Uniqueness checking in the UOC text box works only in Create mode, not in Edit mode. Attempting this in Edit mode may cause the check to be done when it is not intended.

Searches that contain an underscore and using "starts with" may time out
When using the starts with operator to search with an input that contains an underscore, the query may time out. To work around this issue, we recommend using Display Name as the search attribute, which uses the contains operator by default.

Management Policy Rules (MPR)

Making Advanced View modifications of MPRs may cause unexpected results in this release
Modifying MPRs through the Advanced View of the portal is not supported and may lead to unexpected results. Use the standard view for MPR resource modifications.

Sets

For reference attributes that are used in set or group filters, avoid reference values that result in a circular reference
Reference attributes that are used in set or group filter definitions should not contain values that result in circular references. This may result in incorrect membership or failed requests.

Existing dynamic sets whose filters are not scoped to a specific resource type may have incorrect membership
Note: This issue only applies to upgraded installations, not clean installations of FIM 2010.
Sets with a filter that refers to an attribute that is not bound to the resource type that the filter is scoped to may have the wrong membership. For example, in the following set the JobTitle attribute does not exist on the Group type:
    /Group[not(JobTitle = 'IT Pro')]
Sets with a filter that is not restricted by a type outside the predicate (that is, filters that start with /*) and that include a not() statement may have the wrong membership, for example:
    /*[not(JobTitle = 'IT Pro')]
To resolve this issue in each case, delete and recreate the affected sets.
Dynamic set or group filters that are not scoped to a specific resource type must not include a negative condition on the ObjectID or ObjectType attribute
A filter that is not scoped to a specific resource type is one that begins with /*, for example:
    /*[DisplayName = 'Test']
These filters must not contain a condition on ObjectID or ObjectType that uses the != operator or the not() function. Using these conditions may return incorrect results.

Dynamic set or group filters that are not scoped to a specific resource type must not include a literal condition on the ObjectID attribute
A literal value is any value other than a reference to the membership of a set. Set filters that are not scoped to a specific resource type must not contain an equality expression on ObjectID where the right term in the expression is a literal value. Using such conditions may return incorrect results.

Dynamic set or group filters must not combine a condition on the ObjectID or ObjectType attribute with conditions on any other attribute using the OR operator

Users and Groups

Timeouts while previewing dynamic membership of a set or group may prevent display of actual membership
When previewing dynamic members of a group or set, an error message is displayed if the request times out. If you subsequently click Preview a second time, the query may show no members in the group or set, even if they do contain members. If this happens, click Cancel to close the dialog and retry the preview operation. If the request times out again, the administrator may need to increase the server timeout.

Synchronization

Case changes and additions of trailing spaces are not committed to the FIM Service
If you submit a change through the FIM Service Web service that modifies an existing value only by changing the case or adding trailing spaces, the new value cannot be committed. This causes the Synchronization Service to miss confirming imports.
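The filter restrictions in the Sets topics above (and the rule from What's new that != must not be used with multivalued attributes) can be checked before a set or group is saved, so that a filter which would silently produce wrong membership is caught in review rather than in production. The following linter is an added example written for these notes; it is not part of FIM or of Microsoft's documentation. It uses a constructed list of multivalued attributes where a real deployment would consult the FIM schema, and it parses filters with regular expressions rather than a full XPath parser, which is enough for the filter shapes the notes describe.

```python
"""Lint FIM 2010 set/group XPath filters against the restrictions stated in
the release notes.  Added example, not FIM code."""
import re

# Constructed sample: which attributes are multivalued.  A real check would
# read this from the FIM schema instead of a hard-coded set.
MULTIVALUED_ATTRIBUTES = {"Owner", "ExplicitMember", "ComputedMember",
                          "ProxyAddressCollection"}

IDENTITY_ATTRS = ("ObjectID", "ObjectType")

# One comparison:  Attr  op  right-hand-side   (quoted literal, /reference or bare token)
COND_RE = re.compile(
    r"\b([A-Za-z_][\w-]*)\s*(!=|=)\s*"
    r"('[^']*'|\"[^\"]*\"|/[\w\[\]=' /.-]*|[\w.-]+)"
)


def _predicate(xpath):
    """Return the text between the outermost [ and ] of the filter, or ''."""
    start, end = xpath.find("["), xpath.rfind("]")
    return xpath[start + 1:end] if 0 <= start < end else ""


def lint_filter(xpath):
    """Return a list of human-readable violations; an empty list means the
    filter passes every rule the notes state."""
    problems = []
    unscoped = xpath.lstrip().startswith("/*")   # not scoped to a resource type
    pred = _predicate(xpath)
    conditions = COND_RE.findall(pred)

    for attr, op, rhs in conditions:
        # What's new, Sets: != is unsupported on multivalued attributes.
        if op == "!=" and attr in MULTIVALUED_ATTRIBUTES:
            problems.append(
                f"'!=' on multivalued attribute {attr}; use not({attr} = ...) instead")
        if unscoped and attr in IDENTITY_ATTRS:
            # Unscoped filter: no negative condition on ObjectID/ObjectType.
            if op == "!=":
                problems.append(
                    f"negative condition on {attr} in a filter that starts with /*")
            # Unscoped filter: ObjectID may only be compared to a set reference.
            if op == "=" and attr == "ObjectID" and not rhs.startswith("/"):
                problems.append(
                    "literal value compared to ObjectID in a filter that starts with /*")

    # not(ObjectID = ...) / not(ObjectType = ...) is also a negative condition.
    if unscoped:
        for attr in IDENTITY_ATTRS:
            if re.search(rf"\bnot\s*\(\s*{attr}\b", pred):
                problems.append(
                    f"not() applied to {attr} in a filter that starts with /*")

    # Any filter: ObjectID/ObjectType must not be OR-combined with other attributes.
    if re.search(r"\bor\b", pred):
        attrs = {attr for attr, _, _ in conditions}
        if attrs & set(IDENTITY_ATTRS) and attrs - set(IDENTITY_ATTRS):
            problems.append(
                "condition on ObjectID/ObjectType combined with another attribute using 'or'")
    return problems


if __name__ == "__main__":
    # The notes' own examples plus a few constructed ones.
    for f in ("/Group[Owner != /Person]",
              "/Group[not(Owner = /Person)]",
              "/*[not(ObjectType = 'Person')]",
              "/*[ObjectID = 'literal-value']",
              "/*[ObjectID = /Set[DisplayName = 'All People']/ComputedMember]",
              "/*[ObjectType = 'Person' or DisplayName = 'Test']"):
        print(f, "->", lint_filter(f) or "ok")
```

Run the linter over the filters exported from a configuration (for example, the Filter attribute of Set and Group resources in policy.xml) before a migration or upgrade; every filter that reports a problem is a candidate for the delete-and-recreate workaround described above.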
For example, changing department to Department cannot be committed. To work around this issue, submit a value that includes a change other than a change in case or a change in trailing spaces. For example, change department to department 2 and then to Department, or change department to department x and then to department.

Schema

User cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources
In this release, the user cannot modify the StringRegex, IntegerMinimum, and IntegerMaximum values for some attributes and bindings on group and user resources. To work around the issue, you can temporarily add StringRegex, IntegerMinimum, or IntegerMaximum to the MPR named "Administration - Schema: Administrators can change selected attributes of schema-related resources". Revert that change after the modification, since the MPR is there to protect against illegal modification of elements important to the system schema.

Default DisplayName and Description is not submitted during creation of BindingDescription
In this release, if the user does not modify the existing DisplayName or Description of a BindingDescription resource, the BindingDescription is created without DisplayName or Description, even though in the user interface (UI) it appears that FIM 2010 has supplied a default value. The workaround is to update the DisplayName and Description after creation, or to supply a different value for these attributes during creation.

Custom resources with hyphens in their names do not create RCDC configuration XML correctly
You can create a custom attribute or custom resource type with a hyphen (-) in the system name. However, if you create an RCDC for this new resource, the RCDC configuration file that is created automatically is not correct. The RCDC uses the attribute name as the control name, but the control name does not support "-".
The workaround is to remove "-" from the control names in the RCDC configuration file.

Using the Web Services API to create a resource with a multivalued Boolean attribute stops the FIM Service
In this case, after the service stops, it cannot be restarted. You must reinstall FIM.

Workflow and Request Processing

Cannot create a workflowdefinition after importing XOML
For this release, when you import XOML, you cannot go back and edit that process to add activities. You must create a new workflowdefinition.

Groups that are not mail-enabled should not be selected as recipients for any e-mail messages
For this release, when selecting groups as recipients for approvals or notifications, those groups must be mail-enabled.

Notification e-mail messages without text in the subject line or the body are not sent
For this release, system-created notification mails must have a subject line. If the subject line is left blank, the mail is not sent even if there are valid recipients and content in the body of the message. Similarly, notification mails created in the system must have a mail body. If the body is left blank, the mail is not sent, even if the recipient and subject are valid.

Requests that calculate zero approvers for changes to nongroup resources may become nonresponsive
Requests that calculate zero approvers for changes to nongroup resources may become nonresponsive in the authorizing state. You cannot cancel these requests. Ensure that the FIM configuration calculates at least one approver for every approval.

Workflow XOMLs containing an approval activity are not generated correctly by Visual Studio
If a workflow containing a FIM approval activity is designed in Microsoft Visual Studio®, the approval activity in the workflow XOML does not contain a ReceiveActivity. Instead, the workflow itself contains a ReceiveActivity. This Visual Studio-generated XOML does not function correctly in FIM.
The ReceiveActivity must be contained within the approval activity in the XOML. For an illustrated example of the correct usage of the approval activity in a XOML, create a new authorization workflow containing an approval in the FIM portal, and view the XOML definition in Advanced View.

The lookup parameter does not accept non-alphanumeric characters
When creating or editing a workflow and using the lookup parameter inside an activity, you cannot select an attribute with a non-alphanumeric character such as hyphen (-) or underscore (_).

Queries

Invalid queries can return incorrect results
In this release, not all invalid queries are caught. Sometimes they return results even though they are incorrect. The query documentation explains what queries are possible and what to expect if you enter an incorrect expression.

Configuration Migration

Migrating configuration from an environment with upgrades to a clean install of RTM requires updating version numbers
In this release, it is only supported to migrate configuration across the same versions of FIM. If you have a configured environment that had any upgrades applied and would like to migrate its configuration to a clean install of FIM, it is a known issue that the binding redirections and old versions of DLLs are not included in the fresh install. Without these binding redirections and old versions, the migrated configuration will not work. To work around this issue, edit the policy.xml and schema.xml files obtained from ExportPolicy.ps1 and ExportSchema.ps1 by replacing any of the following version numbers:
- 4.0.2560.0
- 4.0.2570.0
- 4.0.2574.0
- 4.0.2587.0
with the following version number:
- 4.0.2592.0
You can find ExportPolicy.ps1 and ExportSchema.ps1 in the FIM 2010 Configuration Migration Tool Deployment Guide.
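The version replacement in the workaround above is easy to get wrong with a plain search-and-replace, which will also rewrite any longer number that happens to contain one of the old versions. The following script is an added example and is not one of the FIM Configuration Migration Tool scripts; it replaces only whole version tokens, reports how many of each old version it touched, and keeps a .bak copy of every file it changes. The sample XML it prints with is constructed, and it assumes the exported files are UTF-8 text.

```python
"""Rewrite superseded FIM assembly version numbers in exported policy.xml /
schema.xml files, following the Configuration Migration workaround in the
release notes.  Added example, not a Microsoft script."""
import re
import shutil
import sys

# The superseded versions and their replacement, exactly as listed in the notes.
OLD_VERSIONS = ("4.0.2560.0", "4.0.2570.0", "4.0.2574.0", "4.0.2587.0")
NEW_VERSION = "4.0.2592.0"

# Match a whole version token only: no digit or dot immediately before it and
# no digit immediately after, so "14.0.2570.0" or "4.0.2560.01" are left alone.
_VERSION_RE = re.compile(
    r"(?<![\d.])(" + "|".join(re.escape(v) for v in OLD_VERSIONS) + r")(?!\d)"
)


def rewrite_versions(text):
    """Return (new_text, counts), where counts maps each old version to the
    number of occurrences that were replaced."""
    counts = {v: 0 for v in OLD_VERSIONS}

    def _sub(match):
        counts[match.group(1)] += 1
        return NEW_VERSION

    return _VERSION_RE.sub(_sub, text), counts


def rewrite_file(path):
    """Rewrite one exported XML file in place, keeping a .bak copy when it
    changes.  Assumes the file is UTF-8 text."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated, counts = rewrite_versions(original)
    if updated != original:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    return counts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:          # e.g. policy.xml schema.xml
            print(path, rewrite_file(path))
    else:
        # Constructed sample: one old version, one already current, one lookalike.
        sample = ('<Binding Version="4.0.2560.0"/>'
                  '<Binding Version="4.0.2592.0"/>'
                  '<Other Version="14.0.2570.0"/>')
        out, n = rewrite_versions(sample)
        print(out)
        print(n)
```

Check the printed counts against what you expect from the source environment; a file in which none of the four old versions is found either never needed the workaround or was exported from a different build than the notes describe.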
FIM Add-ins and Extensions

During installation of Chinese (zh-TW), duplicate entries for https: are displayed on the Trusted Sites selection page
During installation of the FIM Add-ins and Extensions for Chinese (zh-TW), duplicate options are displayed on the Trusted Sites selection page. To select https: (recommended), select the second option. To select http: (not recommended), select the third option.

Release Notes for Forefront Identity Manager 2010 Certificate Manager (FIM CM)

Installing FIM CM
Complete installation instructions for Microsoft® Forefront Identity Manager Certificate Management (FIM CM) are located in the FIM CM Installation Guides.

Upgrade from CLM FP1
Because CLM Feature Pack (FP1) is only supported on 32-bit platforms and FIM CM is only supported on 64-bit platforms, upgrading from CLM FP1 to FIM CM is not supported. However, the CLM 2007 database can be exported and re-used in a new FIM CM deployment.

What's New in FIM CM

FIM CM Portal Server support for Windows Server 2008 64-Bit and Windows Server 2008 R2
The FIM CM server only supports installation on Windows Server® 2008 64-Bit and Windows Server 2008 R2.

FIM CM CA modules support for Windows Server 2008 64-Bit and 32-Bit and Windows Server 2008 R2
The FIM CM certification authority (CA) modules now support installation on Windows Server 2008 R2 and on 64-bit and 32-bit versions of Windows Server 2008, in addition to 32-bit versions of Windows Server 2003.

Client support for Windows 7 and Windows Vista 64-bit
The FIM CM client now supports installation on both 32-bit and 64-bit versions of Windows Vista and Windows 7, in addition to the 32-bit version of Windows XP.
Caution: Internet Authentication Service (IAS) cards are not supported on Windows Vista 64-bit versions.
Updated middleware support
FIM CM adds updated support for the following middleware versions (the original table lists the versions supported by CLM, CLM FP1, and FIM CM):
- Axalto Access Client Software version 5.2; Axalto Access Client Software version 5.3; Gemalto Access Client v5.4
- AET SafeSign Identity Client version 2.2; AET SafeSign Identity Client version 2.3
- Aladdin eToken Runtime Environment version 3.65; Aladdin eToken Runtime Environment version 4.5; Aladdin eToken 5.0 32-bit
- Gemplus GemSafe version 4.2 Service Pack 3 (SP3); Gemplus GemSafe version 5.1; Gemalto Classic Client v5.1.8
- Siemens HiPath SIcurity Card API version 3.1.026; Siemens HiPath SIcurity Card API version 3.2
- BaseCsp v5; BaseCsp v5

For more information
For complete FIM CM documentation, see the Forefront Identity Manager Technical Library (http://go.microsoft.com/fwlink/?LinkId=184552).

Known Issues

Installation

Server installation
- During the installation of the FIM CM Server, if you receive the error message "This application has failed to start because the application configuration is incorrect", this may indicate that Microsoft .NET Framework is not installed on that computer. Verify that .NET Framework is installed, and run the installation again. For the .NET Framework requirements, see the CM Installation and Configuration guide.
- The ModifySchema.vbs and ModifySchemaOnlineUpdate.vbs scripts must be run locally from a domain controller and must be run by a user with schema administrator permissions. Otherwise, the script does not complete successfully and the schema is not modified.
- When installing FIM CM, you may receive the following error:

    An error occurred: Problem while executing the SQL statement if not exists(select * from master.dbo.syslogins where loginname = N'<netbios domain>\<server$>') BEGIN exec sp_grantlogin N'<netbios domain>\<server$>' END Windows NT user or group '<netbios domain>\<server$>' not found. Check the name again.

  This can occur if your fully qualified domain name does not match your NetBIOS domain name.
For additional information, including a workaround, see Article 956345: CLM Configuration Wizard error when Netbios and FQDN names.

The CA module is a managed component, and Windows Server 2008 Certificate Services requires you to install a Windows QFE in order to maximize the stability of your enterprise certificate services and avoid a crashing issue. For more information about the Windows QFE, see Article ID 961715: Active Directory Certificate Services crashes during its startup process when the FIM 2010 Certificate Management Exit Module setting is enabled on Windows Server 2008-based systems (http://go.microsoft.com/fwlink/?LinkId=184294).

Selecting the CSP provider Microsoft DH SChannel (Cryptographic provider) on the FIM CM server causes an error during enrollment. We only support RSA keys, not Diffie-Hellman or other CSPs that do not use RSA.

Client installation

During the installation of the FIM CM Bulk Smart Card Issuance Tool or the FIM CM client, if you receive the error message "This application has failed to start because the application configuration is incorrect", this may indicate that the .NET Framework is not installed on that computer.

The 64-bit client only installs the 64-bit binaries. It does not install the 32-bit Microsoft ActiveX® controls. If you use the 32-bit version of Internet Explorer, then you must use the 32-bit version of the client.

Note: On 64-bit client operating systems, the default Internet Explorer is the 32-bit version.

The FIM CM client requires .NET Framework 3.5.

Use of SiteLock instead of Trusted Sites

The CM Client no longer requires the Trusted Sites zone. Instead, the allowed sites must be specified in the registry by using either a group policy or a manual setting. If nothing is specified, the CM Client does not work.

Important: If you are installing on Internet Explorer 7, Trusted Sites is still required, since Protected Mode is on in the Local intranet zone by default.
Group policy: HKCU\SOFTWARE\Policies\Microsoft\Clm\v1.0\SmartCardClient
Manual (fallback mechanism): HKLM\SOFTWARE\Microsoft\Clm\v1.0\SmartCardClient

Both keys use the "SiteLock" REG_SZ value, which should contain a ";"-delimited list of allowed sites. Both HTTP and HTTPS are allowed. An entry is considered a match if the domain matches the domain of the URL exactly, or if the URL's domain is a subdomain of an exact match. For example, microsoft.com matches microsoft.com and office.microsoft.com, but does not match mymicrosoft.com or www.microsoft.com.sales.com.

If the entry begins with "*.", only child domains match: *.microsoft.com matches users.microsoft.com but does not match microsoft.com.

If the entry begins with "=", only the specified domain matches: =microsoft.com matches microsoft.com but does not match www.microsoft.com.

Note: The wildcard character "*" matches all domains.

Note: CM SiteLock settings are case sensitive, meaning that the registry setting should match the case of the Service Principal Name (SPN).

Bulk Client Configuration

If you receive the error HTTP Error 404.11 – URL_DOUBLE_ESCAPED when you visit a Web site that is hosted on Microsoft Internet Information Services (IIS) 7.0, read and apply the following Knowledge Base article: Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED" (http://go.microsoft.com/fwlink/?LinkId=184295).

Note: It is important to understand that when you enable double-escaped sequences, the security level of the server that is running IIS may be decreased.

When the event log is full, the Bulk Client does not operate correctly: an exception is thrown when it tries to write to the event log. The default settings in Windows XP do not overwrite event log entries when the log is full. The workaround is to configure the event log to overwrite entries as needed, which prevents this condition.
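Returning to the SiteLock matching rules above: the following is an added illustration, not Microsoft's code and not the CM Client's actual matcher, that applies those rules (exact-or-subdomain, "*." child-only, "=" exact-only, bare "*", case-sensitive comparison) to a ";"-delimited SiteLock value, so an administrator can check a planned value against the portal URLs before writing it to the registry. The sample value and URLs in it are constructed.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def parse_sitelock(value: str) -> List[str]:
    """Split the REG_SZ 'SiteLock' value into its ';'-delimited entries,
    dropping empty entries left by stray delimiters."""
    return [e.strip() for e in value.split(";") if e.strip()]


def entry_matches(entry: str, host: str) -> bool:
    """Apply one SiteLock entry to a URL host using the rules in the notes.
    Comparison is case-sensitive, as the notes state."""
    if entry == "*":                        # bare wildcard: every domain
        return True
    if entry.startswith("="):               # "=domain": only that exact domain
        return host == entry[1:]
    if entry.startswith("*."):              # "*.domain": child domains only
        parent = entry[2:]
        return host != parent and host.endswith("." + parent)
    # plain domain: exact match or any subdomain of it
    return host == entry or host.endswith("." + entry)


def url_host(url: str) -> Optional[str]:
    """Return the host of an HTTP/HTTPS URL with its original case
    (urlsplit().hostname would lowercase it); None for other schemes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.netloc.rsplit("@", 1)[-1]  # drop any userinfo
    if host.startswith("["):                # bracketed IPv6 literal
        return host[1:host.find("]")] or None
    return host.split(":", 1)[0] or None    # drop any port


def sitelock_allows(sitelock_value: str, url: str) -> bool:
    """True if at least one SiteLock entry admits the URL (HTTP or HTTPS)."""
    host = url_host(url)
    if host is None:
        return False
    return any(entry_matches(e, host) for e in parse_sitelock(sitelock_value))


if __name__ == "__main__":
    # Constructed sample value and URLs, not taken from a real deployment.
    value = "=cm.corp.contoso.com;*.contoso.com"
    for u in ("https://cm.corp.contoso.com/CertificateManagement/",
              "http://portal.contoso.com/", "https://contoso.com/"):
        print(u, "allowed" if sitelock_allows(value, u) else "blocked")
```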
General

The error "Data is invalid at the root level" occurs when creating requests

You may receive the error "Data is invalid at the root level" when creating a request. If you receive this error, verify that the CNG Key Isolation service is running on the FIM CM Server computer. If it is not set to start automatically, configure it to do so.

The ability to put certificates and their associated private keys on a Microsoft Smart Card Base CSP-compliant smart card is controlled by registry settings. Ensure that the following registry settings are in place:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider]
AllowPrivateExchangeKeyImport = 1
AllowPrivateSignatureKeyImport = 1

Only the 32-bit version of the Gemalto smart card middleware is supported on Microsoft Windows Vista 64-bit and Windows 7 64-bit. Only the 32-bit version of the Aladdin smart card middleware is supported on Microsoft Windows Vista 64-bit. Aladdin middleware is not supported at all on Windows 7.

To change the number of query results displayed by the CM Web Portal, an IT manager needs to change the Clm.MaxRecord key in the CM web.config file. Any value less than 100 is ignored and 100 is used instead.

Note: The default location for the Web.config file is ...\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config.

Server-side printing not supported by Word: Run-time behavior for server-side printing is exactly as currently implemented up to the point where the document is sent to Microsoft Office Word for printing. If the server-side printing selection is made, the document is only saved on the server. The document is saved in the same location as the document templates, but with the subscriber's samAccountName to facilitate identification. The document name uses the following pattern: [domain]-[samaccountname]-[template name], for example, corp-johnstest.xml.
If you are using an Aladdin eToken to perform more than one operation, the token must be removed and reinserted. Only one operation can be run per eToken insertion (it does not matter whether Internet Explorer is restarted). To run another operation, you have to unplug the eToken and plug it back in.

Deleting a user from AD DS breaks the CM management processes and causes many potential system malfunctions. Do not delete user accounts from AD DS.

KRA certificates received manually, and their associated private keys, should be imported into the FIM KRA Agent Windows user profile on the Certificate Management server so that they are available for the KRA account to use.

The default out-of-the-box implementation of the ICardInitialization interface leverages a certificate and its associated private key in the key diversification process. The default implementation does not support storing this certificate on an HSM.