This update resolves the following reported issues.
|Product Component||Resolved Issue||Hotfix ID||Defect ID|
|Active Roles Web Interface||Previously, Proxy Objects added to a Group in a configured Managed AD LDS Instance (ADAM) partition were not recognized in the Active Roles Web Interface when performing object searches.|
This issue is now fixed, and Proxy Objects appear properly in searches after adding them to Groups from the Members menu.
|Active Roles Synchronization Service||Previously, timeout in the Active Roles Synchronization Service was hard-coded to 6000 seconds (1 hour 40 minutes) that could cause long-running workflows to fail with a timeout error.|
The issue has been resolved by making the timeout setting modifiable. When configuring Active Roles Synchronization Service, the following registry key is created, containing the timeout value:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Active Roles\Configuration\SyncService\CommandTimeoutSeconds
To modify the default value of 6000 seconds, change the default value contained in the registry key.
NOTE: The value of the CommandTimeoutSeconds registry key is not part of the Synchronization Service configuration, and therefore cannot be imported or exported with the configuration. You must set it manually after each synchronization service configuration import.
|Active Roles Management Shell||Previously, running the Get-QAD* cmdlet with the -SearchRoot and -IncludeAllProperties parameters simultaneously resulted in failure.|
The issue has been resolved by removing attributes from the search that can only be searched with Base scope, but not in Subtree scope.
|Active Roles Console||Previously, Dynamic Groups were rebuilt automatically in the Active Roles Console whenever they were modified, even though they should have been rebuilt only when triggered manually, or when the scheduled tasks flagged the Dynamic Group for a rebuild.|
This issue occured because a limit of 1000 users was previously in place for running delta builds, and because the delta builds were using the same log message as the normal rebuild process.
The issue has been fixed by removing the user limit for group members to ensure that Dynamic Groups always support delta updates and modifying the log message for delta builds in the Active Roles Event Viewer.
|Active Roles Console||Previously, when creating a new User or Contact object in the Active Roles Console (also known as the MMC Interface), Active Roles rejected SMTP email addresses containing special characters with the following error message:|
You entered an invalid email address.
This issue has been resolved by adding support for the following special characters in SMTP email addresses: ! # $ % ^ & ** ~ ` ? // \\ | - _ + =
|Active Roles Web Interface||Previously, selecting the UPN claim type for Federated Authentication under the Web Interface > Authentication > Site authentication settings > Federated > Claim editor setting of Active Roles Configuration Center resulted in the Active Roles Web Interface being unable to authenticate the user.|
This issue occured because the Web Interface still used the Email claim type instead of the UPN claim type for authentication.
The issue has been resolved so that if you use the UPN claim type, the Web Interface will use UPN to authenticate the user. Likewise, if you select the EMAIL claim type, the Web Interface will use the Email and ProxyAddresses attributes to authenticate the user.
|Active Roles Management Shell||Previously, running the Get-QARSOperation -OperationID |
The issue is now solved: if you run the Get-QARSOperation -OperationID
|Active Roles Configuration Center||Previously, when specifying a fully qualified domain name (FQDN) containing either a hyphen (-) or an underscore (_) under the Configure Web Interface > Administration Service > Any Administration Service of the same configuration as this one setting of Active Roles Configuration Center, clicking Configure resulted in the following error message appearing:|
The computer name is incorrect. Supply the fully qualified domain name of the desired computer. Example: computer.domain.com
The issue has been resolved so that the FQDN of the specified computer can now contain hyphens or underscores.
|Active Roles Console||Previously, Active Roles Console contained an incorrect description for the built-in workflow Search and assign licenses to Azure users.|
The description has been corrected.
|Upgrade Configuration Wizard||Previously, when upgrading to Active Roles version 7.4, the Upgrade Configuration Wizard could return the following error message when creating the new database and checking if there was enough free space available:|
Verification Failed: Not enough disk space in configuration database server. Required disk space
This issue occured because even if you set the installation path to a different drive (and not to the drive where the SQL Server had been installed), the Upgrade Configuration wizard still checked the free space on the drive of the SQL Server.
This issue is now solved, so that the Active Roles Upgrade Configuration wizard always checks the free space of the specified drive where the installation path is set.
|Active Roles Web Interface, Active Roles Console||Previously, the Starling Two-Factor Authentication (2FA) page loaded with an error message when the TLS 1.2 protocol was enforced, and the user could not be authenticated.|
The issue is now solved: the Starling 2FA page loads correctly and the user receives the authentication text message.
|Active Roles Server||Previously, when creating PowerShell scripts containing the OnInit function commented out, the script executed the OnInit function despite being commented out, causing a delay in saving the script.|
The issue is now solved: if the OnInit function is commented out, the PowerShell script does not execute it any more.
|Active Roles Server||Previously, saving a scheduled task script containing the OnInit function to include a library script caused the script to run twice on every configured Active Roles server in the environment.|
The issue is now solved: when you save the scheduled task script, only the OnInit function is executed.
In addition, this hotfix also includes cumulatively the following fixes:
|Product Component||Resolved Issue||Hotfix ID||Defect ID|
|Active Roles Web Interface||When configuring Federated Authentication for the Web Interface, the following error message displayed after a timeout delay (5 minutes by default):|
Unable to uniquely identify the user using provided claims. Please contact your Active Roles Administrator.
This issue has been resolved and Federated Authentication now revalidates without error.
|Active Roles Console||Due to a memory leak in O365 Script Execution caused by a Microsoft PostScript call that does not deallocate memory despite a call to release all PSSessions, the Active Roles Console (also known as the MMC Interface) closed after a few hours with an out-of-memory exception when an Automation Workflow was running a script every 5 minutes. The following line of code caused the issue:|
This issue has been resolved and the memory utilization of the Active Roles server is now stable. However, the preferred solution to this issue is to update to Active Roles version 7.4.3 so that the MsOnline module is imported using Modern Authentication.
|Active Roles Synchronization||When running a deprovisioning workflow (for example, between an Azure AD and an on-premises AD), synchronization could unexpectedly stop after some time with a Compiling error log message. When that happened, the Synchronization Service had to be restarted to resume synchronization. This issue occurred because one of the required Azure AD schema DLLs could not be generated in runtime, and has been fixed by resolving the compiling error.||SOL330592||262310|
|Active Roles Web Interface||Previously, changing the primary email address domain of an O365 Group resulted in the O365 Group disappearing in Active Roles after the next synchronization. This issue occurred because Active Roles listed the O365 Groups of an Azure Tenant only by checking their primary address domain (and ignoring the value of their alias email property). This has been fixed by having Active Roles list all O365 Groups of an Azure Tenant, regardless of whether their primary domain address is specified as their primary email address or as their alias email address.||SOL330592||261389|
|Active Roles Web Interface||Textboxes affected by custom script modules may have not fit the Web Interface horizontally if the scripts have added custom user interface elements (such as buttons) to the textboxes. This issue was caused by outdated formatting settings that contained incorrect width settings for such textboxes. The problem has been fixed by implementing a maximum width value (corresponding to the width of the Active Roles Web Interface) to prevent textboxes becoming horizontally oversized.||SOL330592||260932|
|Active Roles Web Interface||Previously, when creating a new group in the Active Roles Web Interface with the Users > New Group menu, leaving the Create an Exchange e-mail address checkbox in its default unchecked state did not disable the Alias and Associated administrative group settings, resulting in the respective mailNickname and edsaAdminGroup attributes also being included in the group creation request when clicking Finish. This resulted in new groups being created with a broken Exchange state.|
This issue is now fixed, so that the Alias and Associated administrative group attributes are now grayed out when the Create an Exchange e-mail address checkbox is unchecked, and their respective mailNickname and edsaAdminGroup attributes are also not included in the group creation request in such cases.
|Active Roles Synchronization||Previously, when mapping two objects (for example, two users from two separate OUs) by their Description field, and then setting up a synchronization workflow to synchronize their descriptions and SID histories, changing the description of the first user and then running the synchronization workflow could result in the following error message:|
An error occurred while modifying the object
This issue was caused by an authentication failure of the Capture Agent, due to differences between the certificates of the Capture Agent and the Sync Service. This authentication issue has now been fixed to resolve the problem.
|Active Roles Service||Active Roles logs may have unintentionally displayed privileged credentials. This issue is now fixed.||SOL329361||258850|
|Active Roles Web Interface||Fixed poor performance in Active Roles Web Interface when opening the members of a Group in multiple tabs / sessions containing a large group membership.||SOL329361||255755|
|Active Roles Synchronization||Updated the Office 365 connector URI in the Active Roles Synchronization service to the new URI (https://outlook.office365.com/powershell-liveid/).||SOL329361||247930|
|Active Roles Service||Fixed some discrepanies observed during Tenant information updates.||SOL321020||242908|
|Active Roles Web Interface||Previously, when having a New User form with customization and extended controls set, the control value of OnGetEffectivePolicy in the script was not populated. This has been fixed.|
NOTE: You must clear the Schema cache of the Active Roles service for this fix to take effect. To clear the cache, follow Solution 3 in the Resolution section of the following Knowledge Base article:
|Active Roles Web Interface||Fixed an issue where modifying or updating Exchange Online Properties, such as the Delegate Send As Rights and Full Access permissions removed the Trustees and then added them back.||SOL321020||239177|
|Active Roles Console||Previously, users could continue working in an active session after their passwords had been reset. This has been fixed.|
NOTE: Periodically, the password of the users logged in to the Active Roles Console is checked. By default, the password check happens every 600 seconds. To modify the re-authentication interval from the default value of 600 seconds to another value, create a new ReAuthenticateInterval virtual attribute as described below. The time interval must be between 300-900 seconds. After modifying the virtual attribute, close and then reopen the Active Roles Console to apply the changes.
To create a new virtual attribute:
To modify an existing virtual attribute:
|Active Roles Web Interface||Fixed a timeout error that occurred while reading the general properties of a user object by a delegated user logged in without appropriate permissions in the Password Settings Container (CN=Password Settings Container, CN=System) under each managed domain.|
NOTE: Active Roles now give precedence to Fine-Grained Password Policy over Domain Policy while evaluating the user account and password information. The user account information and Account Policies are displayed based on the configured policy applied on the container.
To read the password expiration information from the Fine-Grained Password Policy and display the password expiration information on the Web Interface, assign the below permissions to the delegated trustee under each managed domain at the following location:
Active Directory >
The password expiration value is evaluated by default based on the Domain Policy if the below permissions are not set:
|Active Roles Management Shell||Improved the time of completing the Get-QADGroupMember command-let operation.||SOL320328||237296|
|Active Roles Service||Improved the Search filter used to find Dynamic Groups.||SOL320328||234636|
Please download the hotfix here.
Installing the hotfix
To install this hotfix