Chat now with support
Chat mit Support

Active Roles 8.1.5 - Release Notes

Active Roles 8.1.5

Active Roles 8.1.5

Release Notes

11 April 2024, 15:27

These release notes provide information about the Active Roles 8.1.5 release. For the most recent documents and product information, see Active Roles Technical Documents on the One Identity support portal.


About this release

Active Roles 8.1.5 is a patch release with no new functionality.


The following enhancement has been implemented in Active Roles8.1.5.

Table 1: General Active Roles enhancements
Enhancement Issue ID

General security enhancements in all Active Roles components.

444729, 426064

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General Active Roles resolved issues
Resolved Issue Issue ID

Previously, when upgrading Active Roles from any version to 8.1.4, the upgrade step of importing custom Script Modules could silently fail, with the failure indicated only in the upgrade log.

This issue was caused by a fix introduced in the now-deprecated Active Roles 8.1.3 release, which changed the GUID of the UpdateServicesToExecute module. This resulted in the in-place upgrade process not recognizing the module anymore as a built-in Script Module and attempting to insert it, resulting in its DN not being unique, and halting the upgrade process.

The issue was fixed by implementing a safeguard which prevents the duplication of DN values.

NOTE: Although the issue has been fixed, importing custom Script Modules during upgrade may still result in the following error generated in the build log:

Error: Violation of UNIQUE KEY constraint 'UQ_ScriptModules_distinguishedName'. Cannot insert duplicate key in object 'dbo.ScriptModules'. The duplicate key value is (CN=UpdateServicesToExecute,CN=Builtin,CN=Script Modules,CN=Configuration).

If this error occurs, verify that your custom Script Modules have been imported from your previous configuration. If not, import your previous configuration again.


Previously, Active Roles forced rebuilding dynamic groups each time a member was added to or removed from the dynamic group.

This issue is now fixed, so Active Roles now rebuilds dynamic groups only if the rebuild is triggered manually or with a Scheduled Task.


Table 3: Active Roles Console resolved issues
Resolved Issue Issue ID

Previously, when checking the group membership of hybrid Azure users, it could occur that their Advanced properties > Member Of page or their edsaAzureMemberOf attribute did not list all the groups in which the user was a member.

This issue is now fixed.


Previously, when selecting multiple hybrid users, an intrusive error message appeared and the Member Of view of the users were not created properly. The issue is now fixed.


Previously, in case of a hybrid user, the email address displayed in the Properties window of the user did not match the email address displayed in the list of OU users.

The issue has been fixed and now the correct email address appears.


Previously, attempting to run the Update Services To ExecuteOn built-in scheduled task failed, as Active Roles ran the ReauthenticatedTenantsUpdater built-in script module for the task instead of the UpdateServicesToExecute built-in script module.

This issue occurred because the GUID of the UpdateServicesToExecute built-in script module was tied to the ReauthenticatedTenantsUpdater script module. The issue was fixed by changing the GUID of the UpdateServicesToExecute built-in script module to a new unique value.

NOTE: You can only run the UpdateServicesToExecute built-in script module in a scheduled task named Update Services To ExecuteOn. Attempting to run the UpdateServicesToExecute built-in script in a scheduled task with a different name will result in an error.


Table 4: Active Roles Synchronization Service resolved issues
Resolved Issue Issue ID

Previously, the Azure AD Connector could fail finding all objects in Azure during import tasks.

This issue could occur if HttpClient timed out during Graph API requests, for example because of network issues. In such cases, the Azure AD Connector could not handle the timeout correctly.

The issue was fixed by:

  • Modifying the import process so that it stops when a timeout occurs, preventing the successful import of incomplete data.

  • Implementing a new retry policy which retries the request up to 3 times before timeout, minimizing the chance of the issue occurring.


Previously, synchronizing (adding) a group member from a plain text source to the members attribute of a group with the Azure AD Connector, the procedure failed with the following error:

Invalid property 'members'

The issue was fixed by modifying the Azure AD Connector to use the proper Graph API calls and ExchangeOnlineManagement PowerShell module cmdlets when synchronizing Azure groups.


Table 5: Active Roles Web Interface resolved issues
Resolved Issue Issue ID

Previously, when using Active Roles in a forest topology with:

  • One root domain,

  • Several child domains,

  • Active Directory Federation Services and Active Roles with federated authentication configured on one of the child domains,

Then users registered in another child domain of the forest could not log in to the Active Roles Web Interface.

This issue was fixed by making sure that if Active Roles does not find the user in the current domain, then it continues searching for them in the forest using wider referral scopes each time it fails.


Previously, when listing all attributes of an on-premises or hybrid user in the Active Roles Console or the Web Interface, users could experience performance degradation after some time.

This issue could occur if:

  • Active Roles was not connected to any Azure tenants (as the Active Roles Service still attempted fetching data from Azure AD regardless).

  • The on-premises Exchange Server was unavailable (as Active Roles still attempted to repeatedly call Exchange Server regardless).

To solve this problem, Active Roles now:

  • No longer attempts fetching data from Azure AD if Active Roles is not connected to any Azure tenants.

  • Has a 10-minute-long timeout in place in between calls to the on-premises Exchange Server if the first call attempt to Exchange Server fails.

    NOTE: The duration of this timeout cannot be modified.


Previously, authentication failed under the following conditions:

  • When using WS-Federation authentication to the Web Interface.

  • When authenticating a user from an Active Directory forest or domain that was trusted by the AD domain that Active Roles was joined to.

  • When that authenticated user in the trusted AD domain had a UPN suffix that existed in both AD domains.

The issue has been fixed.


Previously, when creating a new cloud-only or hybrid Azure user, the Create Azure Account > Usage Location field was a text box instead of a drop-down box (as in the Azure Properties page of existing Azure users).

To maintain consistency between Web Interface pages, this is fixed, and the Create Azure Account > Usage Location field is now also a drop-down box.


Knowledge Base
Benachrichtigungen und Warnmeldungen
Technische Dokumentationen
RSS Feed
Unterstützung bei der Lizenzierung
Technische Support
Alle anzeigen
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen