CVSS2: AV:N/AC:M/Au:N/C:N/I:P/A:N

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

CVSS3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

EPSS percentile: 43.3%

A hotfix rollup package (build 4.4.1749.0) is available for Microsoft Identity Manager (MIM) 2016 Service Pack 1 (SP1). This rollup package resolves some issues and adds some improvements that are described in the "More Information" section.
After you install this update, rules extensions and custom management agents (MAs) based on Extensible MA (ECMA1 or ECMA 2.0) may not run and may produce a run status of "stopped-extension-dll-load." This issue occurs if you run such rules extensions or custom MAs after you change the configuration (.config) file for one of the following processes:
After you install this update, the Portal may not be displayed as expected in Internet Explorer. To resolve this issue, follow these steps:
A supported update is available from the Microsoft Download Center. We recommend that all customers apply this update to their production systems.
Download the update for Microsoft Identity Manager 2016 SP1 (KB4050936) now
To apply this update, you must have Microsoft Identity Manager 2016 build 4.4.1302.0.
You must restart the computer after you apply the Add-ins and Extensions (Fimaddinsextensions_xnn_KB4050936.msp) package. You may also have to restart the server components.
This is a cumulative update that replaces all MIM 2016 SP1 updates up to build 4.4.1642.0 for Microsoft Identity Manager 2016.
The global version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File name | File version | File size | Date | Time |
---|---|---|---|---|
Fimaddinsextensions_x64_kb4050936.msp | Not applicable | 5,033,984 | 30-Nov-2017 | 01:52 |
Fimaddinsextensions_x86_kb4050936.msp | Not applicable | 2,686,976 | 30-Nov-2017 | 01:53 |
Fimcmbulkclient_x86_kb4050936.msp | Not applicable | 5,251,072 | 30-Nov-2017 | 01:53 |
Fimcmclient_x64_kb4050936.msp | Not applicable | 6,152,192 | 30-Nov-2017 | 01:53 |
Fimcmclient_x86_kb4050936.msp | Not applicable | 5,857,280 | 30-Nov-2017 | 01:53 |
Fimcm_x64_kb4050936.msp | Not applicable | 21,073,920 | 30-Nov-2017 | 01:53 |
Fimcm_x86_kb4050936.msp | Not applicable | 20,905,984 | 30-Nov-2017 | 01:53 |
Fimservice_x64_kb4050936.msp | Not applicable | 30,584,832 | 30-Nov-2017 | 01:53 |
Fimsyncservice_x64_kb4050936.msp | Not Applicable | 16,011,264 | 30-Nov-2017 | 01:54 |
This update makes the following fixes and improvements that were not previously documented in the Microsoft Knowledge Base.
This update fixes a security vulnerability in Microsoft Identity Manager 2016 SP1 Service and Portal. Before this update, the vulnerability could be exploited when a user visits a specially crafted object in the MIM Service through the MIM Portal by using a web browser. This situation would be relevant in environments where an attacker could cause the creation of objects in MIM or a connected directory that is synchronized to MIM. Depending on the browser settings, the vulnerability could allow for Cross-Site Scripting or Dynamic Execution of JavaScript in the user's web browser. After installation of this update, viewing the object does not affect the web browser execution.
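Because the exposure described above depends on attribute values that reach the Portal from MIM or a connected directory, a supporting check is to review those values for markup that a browser would interpret. The following is an added example, not Microsoft's code and not part of the hotfix. The CSV layout, column names and sample rows are constructed assumptions, and the patterns are triage heuristics rather than a description of how the update works.

```python
import csv
import html
import io
import re
from urllib.parse import unquote

# Heuristics for browser-active content in attributes that should hold plain text.
PATTERNS = {
    "html-tag": re.compile(r"</?[a-z][a-z0-9]*[\s/>]", re.I),
    "event-handler": re.compile(r"\bon(?:error|load|click|mouseover|focus)\s*=", re.I),
    "script-uri": re.compile(r"\b(?:javascript|vbscript)\s*:", re.I),
}

# Constructed sample export (not real data); the column layout is an assumption.
SAMPLE_EXPORT = """\
ObjectID,ObjectType,AttributeName,Value
1001,Person,DisplayName,"Smith, Jane <jsmith@contoso.example>"
1002,Group,Description,"Owners <img src=x onerror=alert(1)>"
1003,Person,DisplayName,%3Cscript%3Ealert(1)%3C/script%3E
1004,Group,Description,"Budget < forecast, see intranet"
1005,Person,JobTitle,javascript:void(0)
"""


def normalize(value, rounds=3):
    """Undo URL and HTML-entity encoding a few times so encoded markup is visible."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan(export_text):
    """Return (object id, attribute, reasons) for every value that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        value = normalize(row["Value"])
        reasons = sorted(name for name, rx in PATTERNS.items() if rx.search(value))
        if reasons:
            findings.append((row["ObjectID"], row["AttributeName"], reasons))
    return findings


if __name__ == "__main__":
    for object_id, attribute, reasons in scan(SAMPLE_EXPORT):
        print(f"review object {object_id}: {attribute} matched {', '.join(reasons)}")
```

Rows 1001 and 1004 show why the tag pattern requires a tag name directly after `<`: an e-mail address in angle brackets and a bare less-than sign are not flagged.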
When you update to build 4.4.1459.0, you may experience a database upgrade failure. A foreign key constraint violation exception is recorded in the database upgrade log. This might occur if the MIM SP1 language pack has been installed. This update adds new logic so that you won't experience the same problem.
When you execute self-service password reset requests, the MIM Service randomly stops. After you install this update, this issue no longer happens.
The New-PAMDomainConfiguration PowerShell cmdlet sets an incorrect value for domain trust configuration. After you install this update, the quarantine value reflects the value from the domain trust. For example: Before you install this update, the New-PAMDomainConfiguration cmdlet sets quarantine=yes on the domain configuration object in the FIMService database even if the trust is defined as follows:
Netdom trust corp_domain /Quarantine:no domain priv_domain
After you install this update, the quarantine value will be set to no as expected.
Email notification request fails and returns a PostProcessingError status. Example error message:
System.InvalidOperationException: This unknown request parameter cannot be processed.
   at Microsoft.ResourceManagement.Utilities.ExceptionManager.ThrowException(Exception exception)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ConstructAllChangesActionTable(String parameters)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveAttribute(String match, Boolean isFunctoidArg, ResolverOptions resolveOptions, String& attributeName)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorWithoutAntiXSS(String match, ResolverOptions resolveOptions)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ResolveEvaluatorForWithAntiXSS(String match, ResolverOptions resolveOptions)
   at Microsoft.ResourceManagement.WFActivities.Resolver.ReplaceMatches(String input, Boolean useAntiXssEncoding, ResolverOptions resolveOptions)
   at Microsoft.ResourceManagement.Workflow.Hosting.EmailNotificationServiceImpl.ResolveMailMessage(Guid requestId, Guid targetId, Guid actorId, Dictionary`2 workflowDictionary, String toLine, String ccLine, String bccLine, Guid emailTemplateIdentifier, EmailResolutionOptions options, String& failedToResolvePrincipals)
   at Microsoft.ResourceManagement.Workflow.Activities.EmailNotificationActivity.ResolveMail(Object sender, EventArgs e)
   at System.Workflow.ComponentModel.Activity.RaiseEvent(DependencyProperty dependencyEvent, Object sender, EventArgs e)
   at System.Workflow.Activities.CodeActivity.Execute(ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity activity, ActivityExecutionContext executionContext)
   at System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRuntime workflowCoreRuntime)
   at System.Workflow.Runtime.Scheduler.Run()
After you install this update, this problem no longer occurs.
Under certain circumstances, set calculations do not reflect the correct membership. This problem may occur if an attribute is used in a dynamic set or group filter, and then the binding for that attribute is deleted. After you install this update, you can no longer delete a binding for an attribute if that is referenced in a dynamic set or group filter.
The MIM Service does not work for the Request Approval scenario for Exchange Online to which users can respond through the MIM Add-in for Outlook. This update adds support for the MIM Service account to log on to Exchange Web Services for Exchange Online.
The msidmPhoneGatePhoneNumber attribute without a country code does not use the DefaultCountryCode value in MFASettings.xml if the first digits in the phone number match a country code. In this update, the application is optionally forced to apply a default country code. The **DefaultCountryCode** value in the MFASettings.xml file now has an option to use regex to force application of the default country code. For example:
<DefaultCountryCode forceApplyToNumberRegex="^380[0-9]{9}">380</DefaultCountryCode>
380 - country code; {9} - length of the phone number without the country code
Some dynamic set definitions can't be evaluated by the FIMService for set membership transition until the "FIM_TemporalEventsJob" SQL Server Agent job is run. After you install this update, these set memberships can be updated dynamically without having to rely on "FIM_TemporalEventsJob" to process them.
Synchronization rules don't let you create attribute flow rules for attributes whose names include the hash mark or pound sign (#). After you install this update, the attributes whose names include the pound sign can be successfully used in attribute flow rules.
An exception is displayed in the main screen of the Identity Management Portal, and a Close button also appears. However, the button has no functionality. After you install this update, the Close button is no longer displayed.
Buttons are displayed incorrectly in the Delete Item window. This issue occurs in Internet Explorer, Firefox, and Chrome. After you install this update, the buttons are displayed correctly.
The Lookup button overlaps the Resource Picker button on an Approval activity window in the Authorization workflow. This issue occurs in Internet Explorer, Firefox, and Chrome. After you install this update, this problem no longer occurs.
In the Group properties popup window, the button area overlaps the listview navigation controls on the Delete Members control. This issue occurs in Internet Explorer, Firefox, and Chrome. After you install this update, this problem no longer occurs.
Multiple display problems occur, including the following:
When you use the filter builder (such as Advanced Search) in various areas of the product, the filter builder stops responding if the OK button on a select value dialog box is clicked without an object first being selected in the add statement area. New logic is added to the Portal in this update to prevent you from clicking the OK button if no object is selected.
The New Attribute flow window in a synchronization rule edit dialog box does not work as expected in Google Chrome. After you install this update, the New Attribute flow window is rendered as expected in Chrome.
In an object management screen (such as Distribution Groups), if multiple objects are selected by using the check box, and the objects have very long display names, the Selected Items dialog box at the bottom of the screen resizes by width and not height. This causes the control to be extended past the right edge of the screen. This issue occurs in Chrome. After you install this update, the Selected Items dialog box resizes vertically so that the control does not extend past the end of the browser screen.
In an object management or list screen (such as Distribution Groups), the Selected Items control may move up the screen to be directly under the last object that's listed in the table list. This issue occurs in Internet Explorer after you create several new objects of that object type, and then refresh the page. After you install this update, the Selected Items control stays at the bottom of the window as expected.
The filter builder (such as advanced search) in the Safari browser is nonfunctional. After you install this update, the filter builder works in the Safari browser.
When there are multiple words (including at least one that's very long) in portal dialog boxes that display attribute values, the shorter words are distributed throughout the cell with lots of white space in between instead of being left-aligned. After you install this update, the information in the attribute display cell is left-aligned.
In some browser versions, the Selected Items item isn't updated when the item selection is changed. After you install this update, the Selected Items item is updated as expected.
Dialog tabs and the Copy to Clipboard button on a popup window are not highlighted when you browse to them by using the Tab key. After you install this update, the dialog tabs and the **Copy to Clipboard** button are highlighted when you browse to them by using the Tab key.
In Internet Explorer 10, when you view an object grid display (such as Distribution Groups), the "Find the distribution groups you want using the search above" banner overlays part of the button ribbon instead of being displayed in the middle of the dialog box. After you install this update, this banner is displayed in the middle of the screen as expected.
After you install an update to the MIM Portal, the display of the Portal in Internet Explorer fails. To resolve this issue, delete the Internet Explorer cache through the Internet Options control panel. After you install this update, the Internet Explorer display works as expected. The correct .css files are loaded for the current Portal assembly version, and the .css files replace those in the Internet Explorer cache.
When you use the Advanced Search in the Firefox browser, pressing the Enter key on an attribute value field returns an error. After you install this update, pressing the Enter key in an attribute value field does not return an error in the Firefox browser.
A request originator (certificate manager) can't abandon a request that's duplicated somehow or just forgotten by a user who has Execution permissions. This update introduces check boxes in all profile template policies. This enables request originators (certificate managers) to abandon requests if the policy type has no Execution permission.
When you try to renew the TPM Virtual Smart Card certificate from the Modern App, a forbidden exception is returned. After you install this update, the Virtual Smart Card renewal succeeds without the forbidden exception.
In some smart card related activities, existing connections to the CertificateManagement database are left open unexpectedly. After you install this update, these connections are closed.
When you try to install an update to MIM Certificate Management (CM) before the MIM CM Configuration Wizard is run, the update fails and generates an exception that seems to be unrelated to the problem. Starting in this update, the Certificate Manager update installer checks against the system to verify that the Configuration Wizard has been run. If the wizard did not run, an error message is returned that states that the Configuration Wizard must be run before you install the update, and the installation is canceled.
The MIM CM Configuration Wizard displays incorrect product version information, and the logo isn't displayed correctly. After you install this update, the Configuration Wizard displays the correct information.
The exported data for an MIM Certificate Management report differs from the report data. The column data does not always match the column headings. After you install this update, the exported report data is correct.
Learn about the terminology that Microsoft uses to describe software updates.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.