ActiveRoles Server 6.9 Patch 1 (116649)

This is a supported patch for ActiveRoles Server 6.9.0.

The list of resolved issues can be found in the Resolution section.

The patch includes the following updates:

• ARS-6.9.0-Patch1.exe - Update for the Administration Service component; should be installed on the computers running Administration Service 6.9.0.
• ARSMMC-6.9.0-Patch1.exe - Update for the MMC Interface component; should be installed on the computers running MMC Interface 6.9.0.
• ARSWI-6.9.0-Patch1.exe - Update for the Web Interface component; should be installed on the computers running Web Interface 6.9.0.

Please download the hotfix from solution 133478.

This patch may receive additional testing. If you are not severely affected by the issue that this patch addresses, it is recommended that you install the next full release of Quest One ActiveRoles that includes this patch.

Resolved Issues

The following is a list of issues resolved in this patch.

Administration Service

TF00319540
Fixed: The Administration Service may load local Exchange Management assemblies even when using remote Exchange Management Shell. The issue occurs with Exchange 2010 Management Tools installed on the computer running the Administration Service.

TF00321083
Fixed: When you use the ActiveRoles console or Web Interface to configure permissions on the "Mailbox Rights" page, ActiveRoles may incorrectly apply the "Deny" option. If you choose the "Deny" option for a particular permission, the permission has the "Allow" option selected instead of "Deny" after you have saved your changes to the permissions list.

TF00321089
Fixed: When you use the ActiveRoles console or Web Interface to change the delegates list on the "Resource Policy" page for a room or equipment mailbox, ActiveRoles may fail to add a delegate if the name of the delegate's user account contains non-alphanumeric characters. In this case, the delegate is missing from the list of delegates after you have saved your changes.

TF00321094
Fixed: If ActiveRoles encounters an error when attempting to connect to Exchange Server via remote Exchange Management Shell, the error message displayed by the ActiveRoles client does not contain any information about the cause of the error. To address this issue, the error message now includes the error details received from Exchange Management Shell.

TF00322179
Fixed: If the Windows PowerShell execution policy is set to AllSigned on the computer running the Administration Service, Active Roles fails to execute PowerShell based script policies. In this case, Active Roles disregards all policies that use PowerShell scripts, without reporting any error information.

TF00322263
Fixed: The Access Rule condition builder may not display the list of suggested values for a given claim type. The issue occurs in the following scenario. You create a claim type without suggested values. Then, you modify the newly created claim type by adding suggested values. If you select that claim type in the Access Rule condition builder, and click "Value" on the right-hand operand menu, the list of suggested values is missing from the "Value" field in the "Supply a Value" dialog box that appears.

TF00323662
Fixed: When retrieving AD LDS objects (for instance, AD LDS users), ActiveRoles may not return custom virtual (edsva) attributes that were added to the corresponding object class in the ActiveRoles directory schema. The issue occurs if the virtual attribute is not specified explicitly in the search filter of the LDAP request that is used to retrieve the AD LDS object. A symptom of the issue is that the object returned by the Get-QADUser command in the ActiveRoles Management Shell does not contain custom virtual attributes specified using the "includedproperties" parameter.

TF00323665
Fixed: ActiveRoles may encounter an error condition when making changes to Exchange properties of a mail-enabled (distribution) group or mail contact. The issue occurs if you have only Exchange 2013 deployed in your Exchange organization, without any other Exchange Server versions. In this case, ActiveRoles does not need Exchange management tools on the computer running the Administration Service; however, when you attempt to modify a mail-enabled group or mail contact by using ActiveRoles, you may receive an error message stating that the requested operation requires the Exchange 2010 management tools.

TF00324511
Fixed: The locally installed PowerShell snap-in for Exchange 2010 may cause the ActiveRoles Administration Service to stop unexpectedly (crash). The issue occurs if there is a maintenance process (for example, an antivirus) on the computer running the Administration Service that "touches" files held in the Administration Service's installation folder. The root cause of the issue is that Exchange 2010 cmdlets encounter an error condition when attempting to reload the Administration Service's configuration file, due to the lack of certain functions that exist in .NET Framework 3.5 or 4.0 but are missing from .NET Framework 4.5.

TF00325443
Fixed: A conditional Access Template link may have no effect even though the link's Access Rule condition is expected to evaluate to TRUE for a given delegated admin. As a result, ActiveRoles does not apply the Access Template as expected, so the delegated admin is not given the permissions specified by that Access Template. The issue occurs if the delegated admin uses an ActiveRoles client on a computer running a pre-Windows 8 operating system.

TF00325677
Fixed: ActiveRoles does not allow you to change the "Require that all users are authenticated" option for mail users: On the "Message Delivery Restrictions" page in the ActiveRoles console or Web Interface, the "Require that all users are authenticated" check box is unavailable (grayed out).

TF00325695
Fixed: In a pure Exchange 2013 organization (no Exchange servers of an earlier version), ActiveRoles may not allow you to change the "Automatically update e-mail addresses based on e-mail address policy" option. When you select or clear the "Automatically update e-mail addresses based on e-mail address policy" check box on the "E-mail Addresses" page in the ActiveRoles console or Web Interface and attempt to apply your changes, you may receive an error message stating that the Administration Service requires Exchange 2010 Management Tools to perform this operation.

Console (MMC Interface)

TF00321704
Fixed: Unable to open the GPOADmin tool from the "Group Policy" tab in the Properties dialog box for a domain or OU in the ActiveRoles console. With GPOADmin installed on the computer running the ActiveRoles console, the "Group Policy" tab includes a button intended to open GPOADmin. However, clicking that button has no effect.

TF00321845
Fixed: An Access Rule configured to evaluate a user or device claim may have no effect if the claim type has any suggested values. The issue occurs in the following scenario. Suppose you create a claim type with a certain list of suggested values. Then, you use the ActiveRoles console to create an Access Rule, select the claim type and supply one of the suggested values. If you add a conditional Access Template link based on that Access Rule, ActiveRoles does not enable the link as expected when the current claim matches the suggested value in the Access Rule. The issue is due to incorrect configuration of the rule condition created by the ActiveRoles console in case of a claim type with suggested values.

TF00323669
Fixed: When submitting an operation for approval, the ActiveRoles console may create approval tasks that do not contain the operation reason supplied by the operation initiator. The issue occurs in the following scenario. You configure an approval rule so that the deletion or deprovisioning of objects require approval. Then, in the ActiveRoles console, you select multiple objects and apply the "Delete" or "Deprovision" command to the selection. The console prompts you to supply your operation reason, and creates multiple approval tasks, only one of which contains the operation reason you have supplied.

Web Interface

TF00322272
Fixed: When uploading a picture file for a user, group or contact, the Web Interface may encounter an error condition. The issue occurs if you choose to apply a picture file that is larger than 4 MB in size. In this case, the Web Interface returns the following error message: "Maximum request length exceeded."

TF00322275
Fixed: The Web Interface incorrectly identifies the class of object. On the "General Properties/Object" page, the "Object class" field reads "top" regardless of whether you select a user, group, computer or any other object.

TF00324218
Fixed: When deleting an object, the Web Interface encounters an error condition if the name of the OU that holds the object contains a backslash character (\). The error message reads "Unable to delete <object name>. Exception from HRESULT: 0x80005000."

TF00325314
Fixed: Incorrect behavior of the "Show indirect members" option on the "Members" page in the Web Interface: When selected and then un-selected, the "Show indirect members" check box may revert to the un-selected state if you select it again. The same issue may occur with the "Show nested groups" option on the "Member Of" page.

TF00325315
Fixed: Incorrect behavior of the "Show pending members" option on the "Members" page in the Web Interface: When selected and then un-selected, the "Show pending members" check box may revert to the un-selected state if you select it again. The same issue may occur with the "Show pending group memberships" option on the "Member Of" page.