Below are the issues fixed or added, full detail available in KB article above
Issues that are fixed or features that are added in this update
This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.
FIM Service and Portal
If a FIMService instance loses connection to the FIMService database, it can may stop processing FIM Service MA export requests. This results in failed FIM Service MA exports with a run status of “stopped-server.” Additionally, the following exception is logged in the Forefront Identity Manager event log:
System.Data: System.InvalidOperationException: The requested operation cannot be completed because the connection has been broken.
You use a multivalue attribute in a dynamic set. This dynamic set is used in a Transition Out management policy rule. If two or more elements are removed from the attribute in a single request, and if of the elements triggers the Transition-Out MPR, the request fails, and you receive the following exception:
Microsoft.ResourceManagement.WebServices.Exceptions.UnwillingToPerformException: Other —> System.Data.SqlClient.SqlException: Reraised Error 2627, Level 14, State 1, Procedure DoEvaluateRequestInner, Line 1073, Message: Violation of PRIMARY KEY constraint ‘PK__#1B54B73__5330D0771D3CFFB1’. Cannot insert duplicate key in object ‘dbo.@transitionOutApplicableRuleBuffer’.
When an export run in the FIM Service MA includes updates to the Filter attribute of multiple dynamic groups, a “failed-modification-via-web-services” exception can be returned. When you review the details of the exception that is returned, you see that an SQL Deadlock occurred.
FIM Synchronization Service
In the Active Directory management agent, changes to a multivalue attribute such as proxyAddresses are not synchronized to the metaverse in the following scenario:
- A change to proxyAddresses is exported to the Active Directory for User1.
- A second change is made to proxyAddresses outside the synchronization service.
- A Delta Import run profile is run to confirm the exported changes.
If an exception is thrown by the management agent’s password extension during password synchronization, the password interface at which the exception was thrown is discarded. This can cause high processor usage on the computer that is hosting the FIM Synchronization Service when the computer processes password synchronization to multiple management agents.
After you apply this update, exceptions of type PasswordPolicyException and PasswordIllFormedException no longer discard the password interface. This enables the interface to be reused for another password operation to the connected data source.
If a regular expression policy rule is applied for an ABA role, all applied ABA roles are stuck in the pending state for the users and are never assigned.
If a user has an ABA role, and if you try to change a user attribute that is not related to the ABA role, all ABA roles are again marked for policy validation. Additionally, assigned permissions are removed and assigned back.
When you have more than 500 permissions in BHOLD and search permissions on the Supervised Permissions tab of Default Supervisor Role, no results are returned, and you are returned to the previous page.
When you configure an attribute-based role assignment for a role and then you try to click the Show Impact link in the policies section of a role, you receive the following error message:
Object reference not set to an instance of an object
The SP1 build does not let you re-create a permission that was removed from BHOLD earlier.
When you try to change and save a user without changing the end date, you receive the following error message:
Invalid date format
When you try to move an organization unit in the BHOLD Core Portal, you receive the following warning message:
Session ID missing: The Session ID is not found in URL. You can continue working using the menu at the left
The “User by Role” report cannot be generated after the limit of 50,000 users is reached. Additionally, you receive an “Out of memory” exception.
In the BHOLD Self-Service Portal, the role information screen under the Role Requests-Current Roles tab displays no role descriptions or permission details.
When you log on as a typical end-user in the BHOLD Service Portal, the “My Roles” screen is displayed as an empty page even though the user is assigned with both “active” and “proposed” roles.
The BHOLD – Access Management agent cannot perform full imports because of an SQL time-out issue that occurs when there is a load of more than 50,000 to 100,000 users.
BHOLD cannot add permissions to a user by using the BHOLD Connector after these permissions are denied.
When a steward in the BHOLD Attestation portal has multiple resources to attest and is working on approving or denying permissions for one user, other permissions for a different user are changed in the user interface.