Microsoft KB Archive/842531

= How to obtain the latest Microsoft Identity Integration Services 2003 cumulative hotfix package =

Article ID: 842531

Article Last Modified on 5/21/2007

-

APPLIES TO


 * Microsoft Identity Integration Server 2003 Enterprise Edition

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SUMMARY
''Microsoft has released a cumulative hotfix package for Microsoft Identity Integration Server (MIIS). This article describes the following items about this hotfix package:''

 

How to download the latest cumulative hotfix package

 

Prerequisites for applying this hotfix package

 

Whether you must restart your computer after you apply this hotfix package

 

The hotfix packages that this hotfix package replaces





INTRODUCTION
This article describes the Microsoft Identity Integration Server (MIIS) issues that are fixed in the latest MIIS hotfix rollup package. MIIS hotfix rollup packages are cumulative. Each build contains the hotfixes that are included with the earlier build. For example, build 3.1.1046.0 includes the hotfixes that are included in build 3.1.1042.0, 3.1.1036.0, 3.1.1030.0, 3.1.1026.0, 3.1.1020.0, in build 3.1.1016.0, and in release Service Pack 1 (SP1) (build 3.1.287.0).

Issues that the build 3.1.1046 hotfix package fixes
 After you apply cumulative update build 3.1.1036.0, password changes or password resets in Lotus Notes no longer function. This fix allows password changes to be successfully sent to Lotus Notes.  When you perform a Full Import in a SQL Server Management Agent-run profile step other than the first step, you may receive the following error message: Event Type: Error

Event Source: MIIServer

Event Category: Server

Event ID: 6401

Date: 2/28/2006

Time: 12:19:09 PM

User: N/A

Computer: MIIS

Description: The management agent controller encountered an unexpected error. &quot;ERR: MMS(2128): error.cpp(455): ErrorRecord: HResult: 0x80070057

Description: The parameter is incorrect. Source: Microsoft OLE DB Provider for SQL Server File: h:\nt\ds\mms\src\main\miis31_qfe\ma\oledb\import.cpp, Line: 2746

BAIL: MMS(2128): import.cpp(2746): 0x80070057 (The parameter is incorrect.)

BAIL: MMS(2128): import.cpp(1890): 0x80070057 (The parameter is incorrect.)

BAIL: MMS(2128): import.cpp(1116): 0x80070057 (The parameter is incorrect.)

ERR: MMS(2128): cntrler.cpp(2656): Unspecified MA error received: 80230808 This issue may occur in the SQL Server management agent with certain run profiles. This fix corrects the issue. </li> The CSEntry.ConnectionRule property may return &quot;Unknown&quot; or an error when it is referenced in the metaverse deletion rules or in the IMVSynchronization.ShouldDeleteFromMV method. This fix allows the CSEntry.ConnectionRule property to be called successfully from the ShouldDeleteFromMV method.</li> The IBM Directory Server management agent cannot connect to IBM Directory Server when Anonymous access is disabled on IBM Directory Server. This change was made to enable the IBM Directory Server management agent to work in the best possible way when anonymous access is disabled on IBM Directory Server. The limitation of the fix is that SASL/Digest binding will not work if anonymous access is turned off. The following list includes background information:  Bind functionality before this change: The IBM Directory Server management agent performs two anonymous reads before binding. The first read is to verify the vendor and the version of the LDAP server. The second read only occurs if digest binding is enabled and reads the realm value that is required to form the hash for the bind.</li> Bind functionality after this change: When digest binding is not enabled, the first read occurs after the bind. The second read is not required at all. When digest binding is enabled, both reads still occur anonymously because the value are needed for authentication.</li></ul>

The result is that the IBM Directory Server management agent will operate against an IBM Directory Server when anonymous reads are disabled as long as the digest bind feature is not being used. If digest binding is being used and anonymous access is disabled, the IBM Directory Server management agent’s behavior will be the same as before you apply the fix.</li></ul>

Issues that the build 3.1.1042 hotfix package fixes
  The MIIS Key Management Utility (Miiskmu.exe) crashes on startup and generates the following event message: Event Type: Information

Event Source: Application Popup

Event Category: None

Event ID: 26

Date: 12/27/2005

Time: 11:59:44 AM

User: N/A

Computer: MIIS

Description: Application popup: miiskmu.exe - Common Language Runtime Debugging Services : Application has generated an exception that could not be handled.

Process id=0x8fc (2300), Thread id=0xf74 (3956). This issue may occur if some applications, such as antivirus software, are running. This fix corrects the issue and prevents the MIIS Key Management Utility from crashing. </li> When a run profile has multiple steps, and each step has thousands of objects, the run histories take a long time to clear. This fix optimizes the &quot;clear run history&quot; query. Our testing has shown that this fix significantly improves performance.</li> Consider the following scenario. You apply MIIS 2003 build 3.1.1036. Then, you run the Lotus Notes Management Agent (MA). In this scenario, reference values that are imported in non-canonicalized form are not imported correctly and remain unresolved placeholder objects. For example, group members that are not in &quot;CN= &quot; format are not imported correctly. This fix restores the correct behavior. Reference values are correctly imported in both canonicalized form and non-canonicalized form.</li> This fix introduces the ability to specify a mail template file when you create a mail file during provisioning. To enable this functionality, we have added a new string attribute, _MMS_MailTemplateName, to the Lotus Notes MA schema. You can only set this attribute in the provisioning script. This attribute takes the name of an existing mail template file as its value. For example, this attribute may take the name mail50.ntf.

Notes  To use the _MMS_MailTemplateName attribute to set a mail template file, the template file must be located in the Domino\data directory. If the template file is located in a different directory, the export run fails, and you receive the following error message:

Remote pathname must be relative to Data Directory

This problem may occur even though the path specified in the provisioning script is actually relative to the Data directory.</li> If an error occurs while an object is being created, and the mail template file has caused the error, the user object is created but the mail file is not created.</li></ul> </li> IBM has added support for reparenting of leaf-node objects in their directory after you apply IBM Fix Pack 3. We have also added support for importing and exporting such renames to leaf-node objects in this directory when supported by IBM.</li> We have added support for the changelog format updates that were introduced by IBM Directory Server version 6.0.</li> <li>In Novell eDirectory, remote branches in the tree can run on a separate server and can use referrals from the main tree when MIIS searches for objects. Currently, if the query cannot connect to any one of the remote branch servers, the management agent (MA) stops processing the whole tree. This fix changes this behavior. The MA can continue to process the import against the tree. However, the MA logs the errors for the branches of the tree. Each container that has a search error is listed in the connection log. After the MA has tried to access all containers, the MA stops the search and returns a “stopped-connectivity” result to prevent unwanted obsoletion.</li> <li>When a Microsoft Active Directory Management Agent (ADMA) is configured to use partition-specific credentials, MIIS does not correctly parse and use the specified credentials when MIIS tries to contact a domain controller. In this configuration, when Microsoft Windows Management Instrumentation (WMI) makes a call to retrieve connector space object information by Account and by Domain, the lookup fails and not all WMI information is correctly filled in. This fix makes sure that MIIS uses the correct set of credentials for the partition.</li></ul>

Issues that the build 3.1.1036 hotfix package fixes
<ul> <li>Earlier versions of the Lotus Notes management agent use the document NoteID as the anchor attribute. However, the document NoteID is not unique across replica servers. Therefore, a Delete/Add operation occurs if the Lotus Notes management agent imports an object from a replica server other than the replica server from which the Lotus Notes management agent previously imported or from the replica server to which the Lotus Notes management agent previously exported. The fix changes the Lotus Notes management agent to use the document UNID as the anchor attribute. The document UNID is constant across all replica servers.

The fix does not support upgrading the connector space objects of an existing management agent to be UNID-based objects. However, existing management agent objects will continue to work correctly with their associated replica server. If you want the ability to fail over to replica servers, you must create a new management agent. For more information about how to build a management agent to replace the existing one, click the following article number to view the article in the Microsoft Knowledge Base:

827117 How to build a new management agent to replace an existing management agent

</li> <li>When the Lotus Notes management agent experiences a read error on an object, the management agent stops. When this problem occurs, you receive a &quot;Stopped-Server&quot; error message. This problem occurs if the Lotus Notes management agent encounters an entry that has a zero-length name field.

After you apply the fix, the management agent silently ignores the object. This behavior is the same as the behavior of the Lotus Notes client. The management agent will identify an object that has a zero-length name field and will not import the object.</li> <li>The current implementation of the Lotus Notes management agent does not handle certain cases where the Lotus Notes client path value is added in the system path variable as a substring instead of as a path component. This behavior causes the management agent to set a path every time that the management agent runs. Eventually, the path value reaches the path size limit. When this problem occurs, the following error message is logged:

Event Type: Error

Event Source: MIISServer

Event Category: Server

Event ID: 6309

Date:

Time:

User: N/A

Computer: MIIS_Server

Description: The server encountered an unexpected error while performing an operation for a management agent.

&quot;BAIL: MMS(3224): notescfg.cpp(58): 0x80070002 (The system cannot find the file specified.)

BAIL: MMS(3224): notescfg.cpp(58): 0x80070002 (The system cannot find the file specified.)

BAIL: MMS(3224): notescfg.cpp(58): 0x80070002 (The system cannot find the file specified.)

BAIL: MMS(3224): notescfg.cpp(58): 0x80070002 (The system cannot find the file specified.)

ERR: MMS(3224): notescfg.cpp(233): The environment variable PATH is too long.

BAIL: MMS(3224): notescfg.cpp(235): 0x80004005 (Unspecified error)

BAIL: MMS(3224): ma.cpp(749): 0x80004005 (Unspecified error)

BAIL: MMS(3224): cntrler.cpp(476): 0x80004005 (Unspecified error)

BAIL: MMS(3224): ma.cpp(3113): 0x80004005 (Unspecified error)&quot;

</li> <li>When you use the Lotus Notes management agent to import groups that have memberships, the import operation takes longer than expected.

After you apply the fix, the performance of the import operation improves when you import group memberships. Individual management agent performance will vary. However, the performance improvement has been significant in our testing.</li> <li>When the Lotus Notes management agent encounters data that contains duplicate attribute values, MIIS experiences a &quot;Stopped-Server&quot; error. This behavior is design. However, this behavior differs from the behavior of the Lotus Domino Administrator and of Lotus Notes. Lotus Domino Administrator and Lotus Notes are much less strict.

The original design implementation was to force critical errors in MIIS. This behavior caused the Lotus Notes management agent to clean up the data. If the management agent did not clean up the data, MIIS would treat the data as not valid. However, duplicates are allowed in Lotus Notes. This fix changes the way that MIIS treats this data. The new design implementation does not force critical errors.

The fix causes MIIS to treat duplicate attributes types as per-object read errors instead of as errors that cause &quot;Stopped-Server&quot; errors.</li> <li>When you try to import the value of an attribute on the Corporate Hierarchy Information tab of a person document, and the attribute name contains a hyphen character (-), such as &quot;Level6-2,&quot; the value is ignored. Therefore, the value is not imported into the connector space object. However, all other attribute values are imported as expected. In the management agent’s schema, the attribute names contain a hyphen character. But in the Lotus Notes directory, the corresponding field names contain an underscore character (_).

The fix corrects this issue by renaming the attributes in the management agent’s schema so that the attribute names match the corresponding field names in the Lotus Notes directory.</li> <li>When you run the Lotus Notes management agent, and the Lotus Notes directory includes attributes values that contain certain characters, such as the pipe character (|), the Lotus Notes management agent generates a read error. This problem causes the Lotus Notes management agent to fail. When this problem occurs, the following error message is logged on the MIIS server:

Event Type: Error

Event Source: MIISServer

Event Category: Server

Event ID: 6401

Date:

Time:

User: N/A

Computer: MIIS_Server

Description: The management agent controller encountered an unexpected error.

&quot;ERR: MMS(1656): libutils.cpp(9197): Unusual error code reported 0x80231110 Microsoft Identity Integration Server 3.1.1030.0&quot;

The fix causes MIIS to treat these read errors as per-object read errors instead of as errors that cause &quot;Stopped-Server&quot; errors.</li> <li>If the Lotus Notes management agent’s schema defines an attribute, such as the PasswordChangeInterval attribute, as Numeric, but the value appears in a Text field in the Lotus Notes directory, a &quot;Stopped-MA&quot; error may occur when you import the schema.

After you apply this fix, MIIS converts the Lotus Notes management agent’s schema definition from Text to Numeric when you import the schema.</li> <li>The following error message is logged on the MIIS server when MIIS processes a password change notification:

Event Type: Error

Event Source: MIISServer

Event Category: Server

Event ID: 6900

Date:

Time:

User: N/A

Computer: MIIS_Server

Description:

The server encountered an unexpected error while processing a password change notification:

&quot;BAIL: MMS(5396): pcnsmiis.cpp(75): 0x80004005 (Unspecified error)

BAIL: MMS(5396): pcnslistener.cpp(992): 0x80004005 (Unspecified error)

ERR: MMS(5396): server.cpp(9195): Partition is NULL

BAIL: MMS(5396): server.cpp(9090): 0x80004005 (Unspecified error)

This problem occurs when IIFP receives the new password. IIFP tries to look up the partition of the user object. However, the lookup operation fails. This problem typically occurs when placeholder objects appear in the connector space. These placeholder objects have the same anchor value as an incoming user object. This behavior causes MIIS to try to retrieve the domain context for the placeholder object. Therefore, MIIS returns the &quot;Partition is NULL&quot; error message.

This fix resolves this problem by causing MIIS to ignore the placeholder objects when MIIS processes password notifications.

Note Placeholder objects are special objects that IIFP uses only to reference other objects that IIFP will not own. You cannot use placeholder objects to synchronize password values.</li> <li>In MIIS 2003 Service Pack 1 (SP1), when you synchronize passwords for Novell eDirectory through the eDirectory management agent, the management agent uses the userPassword modify operation of the LDAP over SSL (LDAPS) protocol to set an eDirectory user’s password. The userPassword modify operation uses the credentials of the eDirectory management agent account, regardless of whether you use the Password Change Notification Service (PCNS) or the Password Management Web-based application.

However, the eDirectory management agent cannot set the PasswordExpirationTime and Grace Logins value for the user when the management agent resets the password. If the eDirectory password expiration policy is enabled, and you do not send the correct PasswordExpirationTime and Grace Logins values for the user, the passwordExpirationTime attribute value will always be some time in the year 1992. For example, the passwordExpirationTime attribute value may be 19920102000000Z. Therefore, the password is already expired when you set it.

This fix resolves this problem by making the following changes: <ul> <li>MIIS will set the passwordExpirationTime attribute value to the current time on the computer that is running MIIS. Additionally, MIIS will set the passwordExpirationInterval attribute value. However, MIIS will only set the passwordExpirationInterval attribute value if this attribute value is already set and the ForceChangeAtLogin attribute value is False or is not present in Microsoft Windows Management Instrumentation (WMI).</li> <li>MIIS will set the loginGraceRemaining attribute value to loginGraceLimit. However, MIIS will only set the loginGraceRemaining attribute value if this attribute value already set and the ForceChangeAtLogin attribute value is False or is not present in WMI. If the ForceChangeAtLogin attribute value is True, and if the Grace Logins option is enabled, the Grace Logins Remaining option will be set to 0.</li></ul>

Note After you apply this fix, a user may receive an “Insufficient rights” error message when the user tries to log on. This problem may occur if the account that the management agent ran under does not have permission to change the required attributes. Additionally, an external mechanism, such as a loopback adapter, may also cause problems when you use the eDirectory management agent to reset the passwords.</li> <li>When you synchronize MIIS objects into the metaverse, an unexpected error message can be generated for an object during synchronization of the management agent. This problem may occur if a metaverse single-valued attribute lineage is present in the SQL Server database and the corresponding value column is set to a NULL value. When this problem occurs, the event log message may be different. However, the unexpected error message data will be similar to the following:

The server encountered an unexpected error in the synchronization engine:

&quot;ERR: MMS(2672): mvsqlsingle.cpp(1255): We should have an ATYPE configured for this attribute: singleValueAttribute

BAIL: MMS(2672): mvsqlsingle.cpp(1256): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): mvsqlsingle.cpp(883): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): mvobj.cpp(227): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): nsmvimp.cpp(232): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): csobj.cpp(2182): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): synccore.cpp(555): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): synccoreimp.cpp(118): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): synccoreimp.cpp(5816): 0x80230406 (An error has occurred at the store)

BAIL: MMS(2672): synccoreimp.cpp(2237): 0x80230406 (An error has occurred at the store)

ERR: MMS(2672): synccoreimp.cpp(2253): 0x80230406 - CS to MV to CS synchronization failed 0x80230406: [00103313]

BAIL: MMS(2672): synccoreimp.cpp(2089): 0x80230406 (An error has occurred at the store)

ERR: MMS(2672): syncmonitor.cpp(2497): SE: Rollback SQL transaction for: 0x80230406

After you apply this fix, the synchronization process will ignore the NULL attribute value until the import attribute flow tries to set that attribute. This behavior lets the synchronization process complete without generating an unexpected error message.</li> <li>MIIS may unexpectedly quit and may throw an application error message. This problem may occur if rules extensions try to access the LastContributingMA property and the management agent that is being accessed no longer exists in the system. When this problem occurs, the following error message may be logged in the Application log:

Event Type: Error

Event Source: Application

Error Event Category: (100)

Event ID: 1000

Date:

Time:

User: N/A

Computer: MIIS_Server

Description: Faulting application miiserver.exe, version 3.1.1026.0, faulting module miiserver.exe, version 3.1.1026.0, fault address 0x00115276.

After you apply this fix, MIIS will not quit. However, because the operation is not valid, you receive the following error message:

System.InvalidOperationException: The newest value was contributed by a management agent that has been deleted.

</li> <li> The Lotus Notes management agent currently does not support provisioning of the AltFullName field for registered users.

This fix lets the Lotus Notes management agent provision the AltFullName field. However, because this fix requires changes to the schema, the new behavior only works on newly created management agents. Additionally, you cannot export the existing management agent and then import it again. You must re-create the management agent. For more information about how to re-create the management agent, click the following article number to view the article in the Microsoft Knowledge Base:

827117 How to build a new management agent to replace an existing management agent

The lnschema.dsml file is the file contains the Lotus Notes schema. MIIS uses the lnschema.dsml file in the Lotus Notes management agent. This fix adds the following attributes to the lnschema.dsml file: <ul> <li>_MMS_AltFullName <ul> <li>This attribute is mandatory.</li> <li>The value of this attribute is only the name. Previously, this value used the full string.</li></ul> </li> <li>_MMS_AltFullNameLanguage <ul> <li>This attribute is mandatory.</li> <li>The value of this attribute must match the language code that is registered in the Cert.id file that MIIS uses.</li></ul> </li> <li>_MMS_AltOU <ul> <li>This attribute is optional.</li> <li>The value of this attribute is the OU value, without the &quot;OU=&quot; part of the code.</li></ul> </li></ul>

Note For these attributes to work correctly, the certifier ID that MIIS uses to create the user must be registered for the AltFullNameLanguage attribute and for the AltOU attribute that you are using. For more information about how to enable the AltFullName attribute, see the documentation for Lotus Notes.

The following code sample shows the added attributes that MIIS requires to provision the AltFullName field. //Try to provision the AltFullName field. //Replace the value with the data for the name in the alternate language. csentry[&quot;_MMS_AltFullName&quot;].Value = mventry[&quot;sn&quot;].Value + &quot; &quot; + mventry[&quot;givenName&quot;].Value; csentry[&quot;_MMS_AltFullNameLanguage&quot;].Value = &quot;es&quot;; csentry[&quot;_MMS_AltOU&quot;].Value = &quot;Spanish&quot;; </li></ul>

.

Issues that the build 3.1.1030 hotfix package fixes
<ul> <li>This fix extends the SetPassword WMI interface to accept two optional flags. The first flag requires that the user change the password at the next logon. The second flag unlocks the account if it is locked. If the flags are not specified, they use False, which is the current behavior. These changes affect only the Active Directory management agent. If any one of these flags are used for other management agents an option-not-supported message is returned by Windows Management Instrumentation (WMI).

boolean ForceChangeAtLogon

boolean UnlockAccount</li> <li>The MIIS server would incorrectly report a &quot;stopped-out-of-memory&quot; error if a management agent was configured with a join rule that referenced a multi-valued metaverse attribute that contained hyphens in its name. With this fix, the MIIS server will now function correctly when it searches the metaverse using attributes that have hyphenated names.</li> <li>In order to successfully discover objects using the Lotus Notes management agent from a Lotus Notes server, both the Full Name and the objectType attributes must be present on the object. If either are missing, a discovery error will be generated. We had additional error details to provide the NotesID value for objects that had a missing ObjectType. However, for objects that had a missing Full Name we only generated a “DN Unavailable” error with no other details. We have now added additional error details to provide the NotesID for objects missing a Full Name.</li> <li>When writing updates to a DB2 table by using the DB2 management agent, with an anchor attribute that has Decimal or Numeric datatype, MIIS returns an error on each export object:

Connected Datasource Error: [Modify] Could not get rowset Connected Datasource

Error Code: 0x80230808

The problem was specific to how the DB2 database expects the format of the where cause. This fix changes the way we structure our where clause for the DB2 management agent for attributes of these datatypes.</li></ul>

Issues that the build 3.1.1026 hotfix package fixes
<ul> <li>When you run a full import with the management agent for Lotus Notes, certain placeholder objects return the following error message:

DN Unavailable – missing object class

This error creates a condition on the management agent to require a full run with a no-start-full-import-required message. Therefore, the customer cannot run a delta import. These placeholder objects are not considered to be real objects to MIIS because the placeholder objects must have a DN attribute and an Object Type attribute. Because the placeholder objects are not real objects, this hotfix will no longer treat the placeholder objects as errors. However, this hotfix does include the placeholder objects in the filtered object count. This hotfix also makes the delta import correctly work in the presence of these placeholder objects.</li> <li>Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.After you apply a SunOne update to the SunOne server so that the nsslapd-version in cn=config is no longer set to a supported directory string, both the created management agents and the existing management agents will not import. You receive an error message that states that the SunOne system is an unsupported version. MIIS SP1 currently supports SunOne 5.2 and expects the following version format:

Sun-ONE-Directory/5.2 B2003.143.0014

After you apply this hotfix, you can connect to the following version format:

Sun Java System Directory Server/5.2_Patch_3

Additionally, other update versions can be supported by making the following registry change: <ol> <li>Click Start, click Run, type Regedt32, and then click OK.</li> <li>Locate the following registry key:

</li> <li>Click New, and then click Multi-string Value.

Value name: iPlanetMASupportedServers

Value type: (REG_MULTI_SZ)</li> <li>Set the value of the registry key to the following value:

Server/5.2_Patch_3 B2004.331.1125

</li> <li>Restart the MIIS server and client.</li></ol> </li> <li>The Database (DB) management agent returns the following error message after you try to delete a reference attribute in the database:

Export Change Not Re-Imported

Examples of the DB management agent are the management agent for Microsoft SQL Server and the management agent for Oracle. This problem occurs when you update a reference attribute that has no values for an OLE DB management agent instance. The OLE DB management agent controller had erroneous logic that stripped out this attribute, thinking of this attribute as a transient DN attribute. However, this attribute is not a transient DN attribute. The result was that the management agent did not see the attribute change. Therefore, the management agent did not push out a change to the connected DB. On a subsequent import, the error message is returned. The hotfix stops the error message from occurring because an attribute that has no values cannot have a transient DN attribute.</li> <li>When you create a new LDIF management agent, the creation process does a sample sniff of the import file. Based on the first 100 objects of a file that is larger than 200 kilobyte (KB), this sniff detects the various object classes and attributes. In some larger configurations, this sniff is not sufficient to capture all the different object class value combinations. If this behavior occurs, the next run will fail with parsing errors. To resolve this issue, apply this hotfix, and then create an XML file to enable the customization of the sample batch size to be discovered. Name the XML file FileMAUIConfig.xml. The default value in the <analyze-limit> limit is 100. This value can be modified to account for a larger sample size.

To create the FileMAUIConfig.xml file, follow these steps: <ol> <li>Use Notepad to create a file that is named FileMAUIConfig.xml.</li> <li> Paste the following contents in the file. <file-ma-ui-config>

<analyze-limit></analyze-limit>

</file-ma-ui-config> </li> <li> Add the value that you want for the <analyze-limit> tag as in the following example. <analyze-limit>500</analyze-limit> </li> <li>Save the file to the following directory:

%programfiles%\Microsoft Identity Integration Server\UIShell\XMLs

</li></ol> </li> <li>The installation of MIIS now supports Microsoft SQL Server 2000 Service Pack 4 (SP4). Before this hotfix, the installation of later hotfixes or of the full version of MIIS was not successful, and you received the following error message:

Microsoft Identity Integration Server (SP1) requires a running instance of Microsoft SQL Server with Service Pack 3 (8.00.760) or later. Install the correct SQL server version or service pack and make sure the service is running before installing Microsoft Identity Integration Server SP1.

If you are installing MIIS for the first time by using SQL Server 2000 SP4, you must install a full version of MIIS SP1 with this hotfix. We are updating all the appropriate channels. If you have problems obtaining a full version through those channels, contact Microsoft Product Support Services for help.</li></ul>

back to top

Issues that the build 3.1.1020 hotfix package fixes
<ul> <li>When you are running a management agent in synchronization mode and you are processing group objects, you unexpectedly receive the following error message on a group object in the MIIS statistics pane:

Unexpected Error

Additionally, the following error messages will be displayed in the application event log on the MIIS server:

Event Type: Error

Event Source: MIISServer

Event Category:

Server Event ID: 6312

Date:

Time:

User: N/A

Computer: MIISSRV1

Description: The server encountered an unexpected error while performing an operation for a rules extension.

&quot;BAIL: MMS(2760): tripleholo.cpp(7691): 0x80004005 (Unspecified error)

BAIL: MMS(2760): tripleholo.cpp(7201): 0x80004005 (Unspecified error)

BAIL: MMS(2760): tower.cpp(5644): 0x80004005 (Unspecified error)

BAIL: MMS(2760): csobj.cpp(4003): 0x80004005 (Unspecified error)

BAIL: MMS(2760): csobj.cpp(1461): 0x80004005 (Unspecified error)

BAIL: MMS(2760): nscsimp.cpp(4509): 0x80004005 (Unspecified error)

BAIL: MMS(2760): mvobj.cpp(1385): 0x80004005 (Unspecified error)

BAIL: MMS(2760): scriptmanagerimpl.cpp(4256): 0x80004005 (Unspecified error)

BAIL: MMS(2760): scriptmanagerimpl.cpp(4218): 0x80004005 (Unspecified error)

BAIL: MMS(2760): scripthost.cpp(3061): 0x80004005 (Unspecified error)&quot;

Event Type: Error

Event Source: MIISServer

Event Category: Server

Event ID: 6301

Date:

Time:

User: N/A

Computer: MIISSRV1

Description: The server encountered an unexpected error in the synchronization engine:

&quot;BAIL: MMS(2760): scripthost.cpp(11413): 0x80230703 (The extension threw an exception.) Microsoft.MetadirectoryServices.Impl.InternalError: 0x80004005 at Microsoft.MetadirectoryServices.Impl.ScriptHost.ThrowExceptionFromHRESULT(Int32 hr) at Microsoft.MetadirectoryServices.Impl.BaseMVServices.GetConnectorsFromServer at Microsoft.MetadirectoryServices.Impl.BaseMVServices.GetOriginalConnectors at Microsoft.MetadirectoryServices.Impl.CImageServices.IImageServices.GetOriginalConnectors at Microsoft.MetadirectoryServices.Impl.MVEntryImpl.GetCountOfOriginalConnectors at Microsoft.MetadirectoryServices.Impl.ScriptHost.InvokeMv_Provision(_OCTET octMVPreImage, _OCTET octMVDelta)

BAIL: MMS(2760): scriptmanagerimpl.cpp(1428): 0x80004005 (Unspecified error)

BAIL: MMS(1256): scriptmanagerimpl.cpp(1509): 0x80004005 (Unspecified error)

BAIL: MMS(1256): ScriptManager.h(316): 0x80004005 (Unspecified error)

BAIL: MMS(1256): provisioning.cpp(64): 0x80004005 (Unspecified error)

ERR: MMS(1256): synccoreimp.cpp(1563): 0x80004005 - provisioning failed 0x80004005

BAIL: MMS(1256): synccoreimp.cpp(1564): 0x80004005 (Unspecified error)

ERR: MMS(1256): synccoreimp.cpp(4412): 0x80004005 - MV to CS synchronization failed 0x80004005: [{8E35FB4A-24EE-4C32-8BC6-C841E5C160AB}]

BAIL: MMS(1256): synccoreimp.cpp(4415): 0x80004005 (Unspecified error)

ERR: MMS(1256): syncmonitor.cpp(2497): SE: Rollback SQL transaction for: 0x80004005 MMS(1256): SE: CS image begin MMS(1256): SE: CS image end&quot;

This problem occurs because reference attributes and renaming those reference attributes is mishandled. This hotfix improves this rename operation and helps avoid these error messages.</li> <li>When an attribute is deleted during a delta import, the SunOne management agent does not discover the attribute deletion if the attribute deletion occurs when a replace operation is performed and no value is specified. This problem occurs with the way that the SunOne change log file is currently parsed. Any replace operation that has no value is ignored. This hotfix resolves this problem by changing the way that this particular condition is read from the changelog.</li> <li>This hotfix adds functionality to the SunOne management agent by enabling a registry key. The registry key is scoped to a particular management agent instance that is identified by name. If the registry key is set for a particular management agent, the import processing of the management agent will behave differently. With the new behavior, the management agent will still strip off suffixes from any attribute that it stages. Additionally, the management agent will also filter out any attribute that does not have a suffix that is equal to the value of the registry key. If the value of the registry key is the empty string, any attribute with any suffix is filtered out.

SunOne objects likely will have some attributes that have the option that you want and some attributes that have no option at all. If the user wants all attributes, they may have to create multiple management agents to pull in all data. For example, all attributes are suffix-less, except for &quot;title&quot;, where each object has both &quot;title;lang-eng&quot; and &quot;title;lang-fr&quot;. If the user must import both the suffix-less attributes and the English titles, they must create two management agents. The first management agent has the registry option set to the empty string to pull in all suffix-less attributes. The second management agent has the registry option set to &quot;leng-eng&quot; to pull in all attributes that have the suffix &quot;lang-eng&quot;. Appropriate join and flow rules must be established to send the data from both management agents into the Metaverse.

To enable this functionality, you must follow these steps: <ol> <li>Apply this hotfix to the MIIS server.</li> <li>Add the following registry setting. The registry key to enable this behavior is located in a new parameter subkey that has been introduced to store per-management-agent-instance registry parameters. If the management agent name is &quot;MyMA&quot;, the registry key would be the following:

Within this key, you must add a REG_SZ value that is named iPlanetMAOptionFiltering. This string value should be set to the suffix that you want. The string value should be set to the empty string if you want suffix-less attributes.</li></ol> </li> <li>Before this hotfix, the account joiner did not let you create &quot;match&quot; filters where both the CS and the MV attributes were multi­valued. The account joiner did let you create filters where only one of the attributes was multivalued. After you apply this hotfix, combinations of attribute mappings that are based on multivalues versus single values are not blocked. However, some combinations are still blocked based on attribute type. Instead, a check is performed when you apply the filter and an error is reported if the CS attribute has more than one value. You experience the following behavior: <ul> <li>Multivalued CS to Single-valued MV

If the CS attribute has more than one value, an error is reported. Otherwise, behavior is the same as the single-valued CS to single-valued MV case.</li> <li>Multivalued CS to Multivalued MV

If the CS attribute has more than one value, an error is reported. Otherwise, behavior is the same as the single-valued CS to multivalued MV case.</li></ul> </li> <li>This hotfix corrects an issue in multiple management agent types. This issue occurs when you select objects to process in the connected directory. The new selections may unintentionally cancel the objects that you had previously included.</li> <li>If &quot;Full import&quot; finishes with the status &quot;completed-discovery-errors&quot;, a subsequent &quot;Delta import&quot; will stop with the status &quot;No-start-full-import-required&quot;. This means that a delta import will not run until a &quot;Full import&quot; can run without generating this error message. This problem is caused by problems in the DN caching. This hotfix resolves the problem of a full import being required in this scenario.</li> <li>When the password management Web application initializes, it determines the list of systems on which the user can set passwords. The password management Web application does this by calling the GetServerStatus function. Before the Microsoft Exchange 5.5 export provider initializes the connection, the export provider detects that the object is a top level organization and returns an E_MMS_RUN_UNSPECIFIED_MA_ERROR error code. This behavior causes several error messages to appear in the event log. These errors are harmless. However, the error messages make MIIS management more difficult. This hotfix changes the return code to E_MMS_MA_EXPORT_READ_ONLY. Then, this return code is handled up the call stack so the errors are no longer thrown. When the GetServerStatus function is called, the result is that the server is down, and password management is disabled. From the point of view of the password management Web application, nothing has changed. From the point of view of the MIIS Administrator, two events are no longer generated every time that someone navigates to the password management Web page.</li></ul>

Issues that the build 3.1.1016 hotfix package fixes
<ul> <li>This hotfix enables the Lotus Notes management agent to provision certified person objects to AIX-based Domino servers.</li> <li>This hotfix enables the Notes management agent to set a mailbox quota in megabytes (MB) during provisioning.</li> <li>This hotfix enables the Lotus Notes management agent to set during provisioning an account lifetime value in days. When this value expires, the Lotus Notes ID file expires.</li> <li>This hotfix changes the way the Lotus Notes management agent processes objects that have non-unique native Notes hierarchical canonical names. These objects are named &quot;conflict documents&quot; and occur when you configure the Notes Address Book (NAB) to enable the Replication or Save Conflict Documents option. Previously, the Lotus Notes management agent flagged one of the duplicate objects as a transient. After you apply this hotfix, the management agent recognizes the duplication and skips all conflict documents. The management agent reports these conflict documents as duplicate object errors together with details that indicate that it is caused by a conflict with the Lotus Notes Distinguished name (DN). After the conflict is resolved, subsequent delta imports picks up the resolved changes.</li> <li>This hotfix enables certain distinguished name changes in imported objects to continue without error. Previously, some distinguished name changes would fail, you received the following error message:

Unexpected error

</li> <li>This hotfix corrects an issue in multiple management agent types. This issue occurred when you selected objects to process in the connected directory. The new selections might unintentionally cancel the objects that you had previously included.</li> <li>This hotfix now includes the following attributes: <ul> <li>_MMS_UseAdminP</li> <li>_MMS_CertDaysToExpire</li> <li>_MMS_MailQuotaSizeLimit</li> <li>_MMS_MailQuotaWarningThreshold</li></ul>

These attributes are included in the list of attributes that managed by the Lotus Notes management agent. These attributes are available in Lotus Notes management agents that are created by using build 10.16 and later builds. This hotfix will not affect management agents that were created by using earlier builds.</li> <li>This hotfix expands the list of search operators that are available for Boolean attributes to include the following: <ul> <li>Is present</li> <li>Is not present</li> <li>Is true</li> <li>Is false</li></ul> </li> <li>This hotfix changes the way the SunONE/IPlanet management agent reacts to incorrectly-encoded UTF-8 strings. After you apply this hotfix, the management agent reports an error when it encounters incorrectly-encoded data from IPlanet.</li> <li>This hotfix increases performance when large subtrees are deleted in the connector space.</li> <li>This hotfix addresses problems that are experienced by the Novell eDirectory management agent when anonymous access is disabled in the eDirectory server. When you apply this hotfix, the eDirectory management agent will now work with eDirectory servers where all anonymous access has been turned off as long as the Simple Authentication and Security Layer (SASL) option is not selected. If the SASL option is enabled, the management agent must continue to read the directoryTreeName attribute anonymously before binding to know what realm value to pass in during the bind.</li> <li>This hotfix corrects a problem where you cannot back up the system state when Password Change Notification Service (PCNS) is installed on a domain controller (DC). After you apply this hotfix, you can back up the system state successfully.</li> <li>This change removes support for the Lotus Notes 4.0 server and client from MIIS. This change follows IBM's deprecation of the Lotus Notes 4.0 server and client in 2004. The minimum Lotus client and Domino server version that is required for the Lotus Notes management agent is version 5.0.</li></ul>

For more information about the MIIS SP1, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=fa9dbb67-4654-4c94-b073-aa59676130af

<div class="moreinformation_section">

Download information
To obtain the hotfix package, visit the following Microsoft Download Center Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=fa9dbb67-4654-4c94-b073-aa59676130af

Release Date: March 17, 2006

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Note To verify that this hotfix package has been applied correctly, click Help, and then click About in MIIS. If this hotfix package has been applied correctly, the version number is 3.1.1042.0.

Prerequisites
When you apply this hotfix package, you are prompted for your MIIS 2003 installation media. Depending on how you originally installed MIIS 2003, insert the media in the See Comment or in the DVD drive, or specify a share location.

To apply this hotfix package, the currently logged-on user account must have the same SQL Server credentials as the account that was used to install the release version of MIIS 2003. Before you apply this hotfix package to your production environment, test this Service Pack in a Quality Assurance (QA) lab. Additionally, back up the MIIS 2003 SQL Server database and verify that you can fully recover your data from the backup version if this hotfix package does not apply correctly.

Restart information
Typically, you do not have to restart the server after you apply this Service Pack. However, the installer can determine whether you must restart the computer. If you must restart the computer, you are prompted to restart the computer. Frequently, you must restart the computer because the installer is trying to install a file that the computer is currently running.

Hotfix replacement information
This service pack replaces the following MIIS 2003 cumulative hotfix builds:
 * SP1 (3.1.1036.0)

<div class="references_section">