Microsoft has released a MIM 2016 SP1 hotfix (22.214.171.124) that improves security and adds language definitions, logging enhancements, and a change to the way the MIM Service handles Boolean attributes.
If you have any questions about the MIM 2016 SP1 hotfix after reading this blog, please contact OCG.
Group Managed Service Accounts
Group managed service accounts (gMSA) are an evolutionary step beyond the standalone managed service accounts (sMSA) that were introduced in Server 2008 R2. Benefits of using a gMSA include:
- Automatic password management
- Simplified service principal name (SPN) management
- Ability to delegate the management to other administrators
gMSAs provide a single identity solution for services running on a server farm, or on systems behind a Network Load Balancer. With a gMSA, services can be configured for the new gMSA principal, and password management is handled by Windows.
More information on group managed service accounts can be found here.
The best thing about a Boolean is even if you are wrong, you are only off by a bit.
Prior to this hotfix, when you created a binding for a Boolean attribute, it was always set to Null. This was addressed either by flowing a value from the MIM Sync engine or by using a workflow to populate the value at the time of object creation.
This hotfix changes that behavior so that new MIM Boolean attribute bindings are set to false. While this is a very welcome change, you will certainly want to check your code, sets, dynamic groups, and workflows for anything that checks a Boolean attribute.
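One way to start that check is the inventory below. It is an added example, not code from this post or from Microsoft, and it lists every Boolean test in a collection of set or dynamic group filters, marking the ones where Null and false may be treated differently. The set names, attribute names and filter strings are constructed, and the script assumes the filters have already been exported as XPath text.

```python
import re

# Matches "<Attr> = true", "<Attr> != 'False'" and similar inside a predicate.
COMPARISON = re.compile(
    r"\b(?P<attr>[A-Za-z_][\w-]*)\s*(?P<op>!=|=)\s*['\"]?(?P<val>true|false)['\"]?",
    re.IGNORECASE,
)

# Constructed sample data; the attribute and set names are hypothetical.
BOOLEAN_ATTRS = {"AccountDisabled", "IsPrivileged", "RegistrationComplete"}
SAMPLE_FILTERS = {
    "Active Contractors": "/Person[EmployeeType = 'Contractor' and AccountDisabled = false]",
    "Privileged Users": "/Person[IsPrivileged = true]",
    "Not Yet Registered": "/Person[not(RegistrationComplete = true)]",
    "Full Time Staff": "/Person[EmployeeType = 'Full Time Employee']",
}

def negation_depth(xpath, pos):
    """Count the not( ... ) calls that are still open at character offset pos."""
    stack = []  # one entry per open parenthesis, True when it belongs to not(
    for m in re.finditer(r"\bnot\s*\(|\(|\)", xpath[:pos]):
        tok = m.group()
        if tok == ")":
            if stack:
                stack.pop()
        else:
            stack.append(tok != "(")
    return sum(stack)

def audit_filters(filters, boolean_attrs):
    """Return (filter name, attribute, expression, verdict) for each Boolean test."""
    wanted = {a.lower() for a in boolean_attrs}
    findings = []
    for name, xpath in filters.items():
        for m in COMPARISON.finditer(xpath):
            if m.group("attr").lower() not in wanted:
                continue
            # Only a plain, un-negated "= true" is the same for Null and false:
            # neither value satisfies it. Every other form needs a human review.
            plain_true = (m.group("op") == "="
                          and m.group("val").lower() == "true"
                          and negation_depth(xpath, m.start()) == 0)
            findings.append((name, m.group("attr"), m.group(0),
                             "unaffected" if plain_true else "review"))
    return findings

if __name__ == "__main__":
    for row in audit_filters(SAMPLE_FILTERS, BOOLEAN_ATTRS):
        print("%-20s %-22s %-30s %s" % row)
```

A "review" verdict does not mean the filter is wrong, only that objects created after the hotfix may fall on the other side of it than objects created before.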
Additional fixes and enhancements
The following is a list of fixes and enhancements that are of interest. This is not a complete list but rather the highlights.
- Special characters in the distinguishedName no longer prevent Self-Service Password Reset from resetting the user’s password in Active Directory
- Visual Studio Support (Visual Studio 2013, Visual Studio 2015, Visual Studio 2017)
- Popup windows no longer have the extra scroll bar displaying when viewed in Internet Explorer
- Portal, popup dialogs aren’t displayed properly when viewing in Internet Explorer (IE) 10
- Updated Logic to Service Dynamic Logging to include circular logging
While we were testing this hotfix in our MIM development environments we noticed that there were some framing issues within Internet Explorer 11 within identity picker elements of an RCDC. We brought these issues to Microsoft and they will be addressed in an August update.
Here is an example of the issue when searching to add a user to a group.
When the search is performed the columns revert to the expected state.
While not a major issue, it is a change that end users will notice when using the MIM portal and identity picker elements of an RCDC. Add this to your considerations before deploying this hotfix.
While this is just a hotfix, it does change many of the inner workings of MIM, and we would suggest that organizations looking to apply this hotfix contact us so that we can share our experiences applying it. We work very closely with the Microsoft Identity services team to ensure we update them with any issues that we see within the product and its updates.
Want to know more?
For more information contact us.