Monday, December 08, 2008 12:03 AM
Jorge
New hotfix rollup package has been released for ILM 2007 FP1 (build 3.3.1067.2)
On November 10th, Microsoft released a hotfix rollup package (build 3.3.1067.2) for ILM 2007 FP1. It resolves the following issues:
Descriptive text for the GalSync MA
You try to create a new Management Agent (MA) for the Active Directory global address list. This new MA is usually known as GalSync. When you do this, the Create Management Agent page references Microsoft Exchange Server 2007, Microsoft Exchange Server 2003, and Microsoft Exchange 2000 Server.
The Certificate Services service (Certsrv.dll) process stops responding
When multiple profile template enrollments execute at the same time, ILM may cause the Certificate Services service (Certsrv.dll) process to stop responding. This problem occurs because a deadlock condition exists between ILM and the Certificate Services service. The cause of the deadlock was corrected in this hotfix rollup package.
Access-checking methodology changed in Certificate Lifecycle Manager (CLM)
Before this release, the CLM part of ILM used Kerberos delegation to perform operations in the Active Directory directory service. CLM therefore acted as the end-user when accessing the required Active Directory objects, such as profile templates, subscribers, and other objects. This hotfix rollup package implements an access-checking methodology in ILM. With this methodology, you do not have to enable CLM to use impersonation to become the user, and you do not have to delegate access to a particular computer that acts as the end-user or as the enrollment agent when that computer contacts Active Directory. CLM still uses delegation when it contacts a certification authority (CA) that is located on a computer other than the one running CLM.
With this change, CLM now impersonates the CLM Auth Agent account before it makes any read or write calls to Active Directory. The CLM Auth Agent account then verifies whether the logged-on user has permission to read the object or to make the required changes to the Active Directory object. Therefore, the CLM Auth Agent account must have additional permissions. The CLM configuration wizard does not make these changes automatically, so you must add these permissions manually.
The CLM Auth Agent account must have the following permissions:
- Read permission on all users and groups that use the portal or that are subscribers
- Read permissions on the certificate templates that are used with the profile templates
- Read and write permissions on all existing profile templates
- Permission to create a child on the profile templates container
Blogger's note: This behavior already applies to CLM "2"!
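As an added example (not part of the original post or the KB article), the following PowerShell script audits whether the CLM Auth Agent account already holds the rights listed above, so you can see what still has to be granted by hand after installing the rollup. The account name `CONTOSO\clmAuthAgent`, the sample subscriber group `CLM Subscribers`, and the DN of the profile templates container are assumptions; adjust them for your forest before running it.

```powershell
# Added example, not from the original post or the KB: audit which of the rights this
# hotfix rollup requires the CLM Auth Agent account holds directly on the relevant
# Active Directory objects. Uses the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

$Agent       = 'CONTOSO\clmAuthAgent'                     # assumed account name
$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$PkiServices = "CN=Public Key Services,CN=Services,$ConfigNC"

# Objects and the rights the post says the agent needs on each of them.
# The profile templates DN and the subscriber group are assumptions for this example.
$Required = @(
    @{ Path   = "CN=Certificate Templates,$PkiServices"
       Rights = 'ReadProperty' }
    @{ Path   = "CN=Profile Templates,$PkiServices"          # assumed CLM container DN
       Rights = 'ReadProperty','WriteProperty','CreateChild' }
    @{ Path   = (Get-ADGroup -Identity 'CLM Subscribers').DistinguishedName   # assumed group
       Rights = 'ReadProperty' }
)

function Test-AgentRights {
    param(
        [string]$Path,
        [System.DirectoryServices.ActiveDirectoryRights[]]$Rights
    )
    try {
        $acl = Get-Acl -Path "AD:\$Path" -ErrorAction Stop
    } catch {
        # Object missing or not readable: report it rather than silently skipping it.
        return [pscustomobject]@{ Object = $Path; Right = '-'; Granted = $false; Scoped = 'not readable' }
    }

    # Only Allow entries that name the agent itself are considered. Rights the agent
    # receives through group membership are not resolved here, so Granted = $false
    # means "not granted directly", not necessarily "no access".
    $allow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Agent -and $_.AccessControlType -eq 'Allow'
    })

    foreach ($right in $Rights) {
        # Generic rights (GenericRead/GenericWrite/GenericAll) expand to the specific
        # flags in this enum, so a bitwise test catches them as well.
        $granted = @($allow | Where-Object { ($_.ActiveDirectoryRights -band $right) -eq $right })
        [pscustomobject]@{
            Object  = $Path
            Right   = $right
            Granted = ($granted.Count -gt 0)
            # ACEs with a non-empty ObjectType are limited to one property or class;
            # those need a manual look to confirm they cover what CLM actually touches.
            Scoped  = @($granted | Where-Object { $_.ObjectType -ne [guid]::Empty }).Count
        }
    }
}

$Required |
    ForEach-Object { Test-AgentRights -Path $_.Path -Rights $_.Rights } |
    Format-Table -AutoSize
```

Rows with Granted = False are the rights you still have to add; rows with a non-zero Scoped count were matched only by property- or class-specific ACEs and should be reviewed by hand. Because the script reads ACLs only, it is safe to run repeatedly, and it does not change anything in the directory.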
CLM cannot find the pkiEnrollmentService object when you add certificate templates to a profile template
When you try to add certificate templates to a profile template, no published certificate templates from a given CA server are found. This problem may occur when the sanitized short name of the CA differs from the sanitized name of the CA. When the CA creates the pkiEnrollmentService object in Active Directory, the CA uses the sanitized short name of the CA. Before this hotfix rollup package, CLM used the sanitized name to search for the pkiEnrollmentService object. Therefore, CLM cannot find the pkiEnrollmentService object.
Support is added for Sun ONE directory server 6.x versions
The Management Agent for Sun and Netscape directory servers was certified to support Sun ONE directory server 6.x versions. To enable this support, you must modify the registry after you install the hotfix rollup package. Follow the next steps to accomplish this.
Active Directory Management Agent does not ignore defunct classes
You add an auxiliary class to Active Directory that inherits from any class other than the top class. However, errors occur in ILM when you create an Active Directory MA or when you update the schema after you add the class. These errors occur even if the auxiliary class is marked as Inactive in the Active Directory schema. ILM build 3.3.1067.2 ignores defunct Active Directory classes.
For more information, please see MS-KBQ952327: A hotfix rollup package (build 3.3.1067.2) is available for Identity Lifecycle Manager 2007 Feature Pack 1. This hotfix rollup package has since been superseded by the hotfix rollup package mentioned here; this post is kept for completeness alongside the new hotfix rollup package.
Cheers,
Jorge
--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------