Chatta subito con l'assistenza
Chat con il supporto

Active Roles 8.2 - Release Notes

Resolved issues

The following is a list of issues addressed in this release.

Table 6: Add-on Manager resolved issues
Resolved Issue Issue ID

Previously, attempting to load Active Roles Add-on Manager in the Active Roles Console resulted in the Active Roles Console hanging for several minutes, then failing to properly display Add-on Manager.

The issue was caused by a character encoding problem during the Add-on Manager registration process, and was fixed by adjusting the related loading settings.

 426052
Table 7: Active Roles Service resolved issues
Resolved Issue Issue ID

Previously, in environments where multiple Active Roles service instances were configured, if the Execute on setting of the Dynamic Group Checker built-in scheduled task has been set to its default All servers value instead of a specific service in the Active Roles Console, then the value of the edsaDGOriginatingService attribute of dynamic groups was set to Unknown.

Because of this:

  • The Dynamic Group Updater built-in scheduled task could not update and rebuild the memberships of dynamic groups.

  • If the dynamic groups were updated so that their edsaDGOriginatingService attribute was set to a specific Active Roles service, the Dynamic Group Updater scheduled task reverted the value of the attribute to Unknown.

This issue is fixed, so that selecting All servers for the Execute on setting of the Dynamic Group Checker scheduled task now correctly assigns the Active Roles service instance running the scheduled task, allowing the Dynamic Group Updater scheduled task to correctly rebuild the membership list of dynamic groups.

449923

Previously, Active Roles kept the entries of deprovisioning and undo deprovisioning operations in the change history database indefinitely, even if a Change Tracking Cleanup scheduled task was configured to delete older change tracking log entries. Keeping Deprovision and UndoDeprovision entries indefinitely caused the leftover data to grow in size over time.

This issue is now fixed, so the Deprovision and UndoDeprovision entries of the management history database are now also deleted during cleanup.

 399889

Previously, if you had any temporal group membership changes (such as adding or removing a temporal member from a group) scheduled to occur, upgrading to a new version of Active Roles resulted in the scheduled temporal group membership change not being performed.

This issue is now fixed, so starting from version 8.2, Active Roles will perform scheduled temporal group membership changes even after upgrading to a newer Active Roles version.

319037

Table 8: Configuration Center resolved issues
Resolved Issue Issue ID

Previously, importing a configuration database from a previous Active Roles version created on a different computer resulted in the following error, when configuring the settings of the Source database step in the Import configuration wizard:

Object reference not set to an instance of an object.

This issue is now fixed.

406609

Previously, when importing an existing configuration, even if you specified an encryption key backup file in the Import of Encrypted Data step of the Import configuration wizard, the wizard displayed the following warning:

Unable to retrieve the Active Roles data encryption key from the source database. If you have a backup of the encryption key for the source database, then, after data import is complete, you can use Restore-AREncryptionKey to restore the key from the backup to the destination database.

This issue occurred because despite specifying the encryption key backup file, the wizard always tried to import the encryption key directly from the source database.

This issue is now fixed, and the wizard reads the encryption key from the backup file when specified.

 315646
Table 9: Active Roles Collector and Report Pack resolved issues
Resolved Issue Issue ID

Fixed a crash that previously occurred when launching the Active Roles Collector and Report Pack.

 394394
Table 10: Console (MMC Interface) resolved issues
Resolved Issue Issue ID

Previously, the Deleted Objects container did not appear if additional Active Directory features (for example, Privileged Access Management) were enabled.

This issue is now fixed, and the Deleted Objects container appears regardless of the number of AD features enabled in your environment.

455321

Previously, during undo deprovisioning, if a virtual attribute could not be restored because it had been deleted and no longer existed, undo deprovisioning failed.

The issue is now fixed: if a virtual attribute cannot be restored because it was deleted, in the undo deprovisioning report, an error message will appear for that virtual attribute. After the other virtual attributes are restored, the remaining undo deprovisioning actions will be performed.

449231

Previously, approving a workflow caused it to fail with the following error message:

Activity name: approvalActivity1
Activity type: ActiveRoles.Workflow.Activities.ApprovalActivity
This activity has terminated this workflow instance.
Approval rule activity has terminated this workflow instance.
Administrative Policy returned an error.
Specified method is not supported.

The issue was caused by the integrated Change Auditor. When an approver accepted a workflow request, the Active Roles Service attempted to set the dynamic directory control value of the Change Auditor in sub-requests (sent by the Active Roles Service) where they were not applicable, causing the workflow operation to run into an error.

The issue is now resolved.

447794

Previously, when delegating any permission using an Access Template related to moving objects, permission precedence was not honored, which caused policy errors and did not reflect original Active Directory functionality.

The issue is now fixed, and the following permission precedence is now honored, the first being the highest precedence:

  1. Explicit Deny

  2. Explicit Allow

  3. Inherited Deny

  4. Inherited Allow

440163

Previously, if an approval workflow was pending approval, assigning either the subject AD object or the approver group of the request to a different Organizational Unit resulted in the following error when attempting to approve the workflow:

Administration Service encountered an error when retrieving properties of the object. Directory object not found.

This error occurred because Active Roles always attempted to find the subject AD object or the approver group of the workflow via their DN, which changed if the object was moved to a different Organizational Unit.

This issue was fixed by improving the fault tolerance of approver search operations.

437535

Previously, Active Directory users who had permissions to run Active Roles workflows could modify AD objects via workflows, even if they had no permission to any AD objects.

This issue was fixed by adding a new check in the Access Check policy to verify the permissions of the workflow's parent initiator. Now, if the user has permission to run workflows but no permission to the objects that would be modified by running that workflow, the workflow activity will fail with an error message in the Active Roles Console and/or the Web Interface.

432430

To prevent potential memory leaks, the following built-in Script Modules in the Configuration/Script Modules/Builtin/ container were updated to use the $context.O365RemoveAllModulesSessions() method:

  • Create Office 365 Shared Mailboxes

  • Enabling Azure Roles

  • Sample Azure Hybrid Migration

  • Search Azure Users and Assign License

432381

Previously, when querying Azure users in a Managed Unit with the edsvaOnPremisesSyncEnabled attribute as the filtering condition, filtering did not work and the query did not return any results.

The issue is now fixed.

420919

Previously, if a hybrid Azure user was added to cloud-only groups, the deprovisioning procedure did not remove the hybrid user from cloud-only distribution groups (and potentially from other subsequent cloud-only groups). However, all other deprovisioning steps (such as deactivating the Azure user) continued. The Active Roles Console and Web Interface also did not notify users about the partial deprovisioning failure.

This issue is now fixed, and group membership removal now works correctly for all supported cloud-only Azure group types that were assigned manually to the user. The edsvaAzureUserDeprovisionMemberOfList attribute was also updated to include more structured information about the removed role assignments.

424099

Previously, when configuring the membership rules of a Managed Unit, the Include Group Members > Select objects window incorrectly listed not just groups, but Azure users as well. Selecting an Azure user and saving your change then resulted in a This Managed Unit has invalid membership rules error.

This issue was fixed by making sure that Azure users are no longer listed in the Include Group Members > Select objects window, and that you can only select groups.

402761

Previously, when adding members to a room mailbox with the Properties > Resource Information > Resource in-policy requests > Selected recipients setting, deleting an added user either via Active Roles or system-provided Active Directory tools resulted in Active Roles failing to load the list of added users.

This issue occurred because Active Roles Console could not load the list of assigned users due to the null value of deleted users, and was fixed by filtering out deleted users from the list.

390095

Previously, if you linked one or more Access Templates to an Azure tenant, changing the Azure tenant type in the Active Roles Configuration Center resulted in the Access Templates losing all their directory object links to the modified Azure tenant.

This issue is now fixed.

386340

Previously, Active Roles scheduled tasks were affected by two issues:

  • Creating a new scheduled task during Daylight Savings Time (DST) or Standard Time could result in the scheduled task running continuously.

  • Switching the Active Roles server from DST to Standard Time (or the opposite) could result in the configured scheduled tasks not running and becoming unscheduled.

These issues were caused by:

  • An incorrect method of converting local time to UTC.

  • An incorrect comparison of local time with UTC.

  • An incorrect way to determine the Standard Time period.

These issues are now fixed, so task scheduling now works correctly, and Active Roles determines DST and Standard Time periods properly.

 258338
Table 11: Synchronization Service resolved issues
Resolved Issue Issue ID

Previously, the Microsoft 365 Connector (formerly known as the Office 365 Connector) could fail with a Task was cancelled error message when importing M365 data.

This issue could occur if HttpClient timed out during Graph API requests, for example because of network issues. In such cases, the Microsoft 365 Connector could not handle the timeout correctly.

The issue was fixed by implementing a new retry policy which retries the request up to 3 times before timeout, minimizing the chance of the issue occurring.

435112

Previously, attempting to synchronize the telephoneNumber AD attribute of a hybrid Azure user to the BusinessPhones Azure AD attribute failed with the following error if the BusinessPhones attribute was empty:

Invalid value specified for property 'businessPhones' of resource 'User'.

This issue is now fixed.

426228

Previously, the Microsoft 365 Connector could only retrieve a single service plan instead of the complete list of service plans. For example, in case of an Enterprise license containing 30 service plans, the connector retrieved only the first service plan.

This issue is now fixed, so the Microsoft 365 Connector retrieves all service plans of a license plan.

426028

Fixed a performance issue affecting sync workflows between One Identity Manager and Active Roles Synchronization Service if Active Roles was connected to any Azure tenants.

424016

Previously, attempting to synchronize (add) a group member from a plain-text source to the members attribute of a group with the Azure AD Connector failed with the following error:

Invalid property 'members'.

This error occurred because the Azure AD Connector was not prepared to handle modifying various group types: while certain Azure groups can be modified via Graph API, others can only be modified via the ExchangeOnlineManagement PowerShell module.

The issue was solved by updating the Azure AD Connector to properly identify the member attribute to synchronize and the type of Azure group to update.

414643

Previously, when checking the history of any sync workflow where GUIDs were synchronized (such as Active Directory object GUIDs, Azure user IDs, or Microsoft 365 user object IDs), opening the list of processed objects then copy-pasting any GUID into the GUID filter resulted in an empty processed object list.

This issue is now fixed.

 319664
Table 12: Web Interface resolved issues
Resolved Issue Issue ID

Previously, in the Exchange admin center, after logging in to your tenant, when you added a mail-enabled security group as a member to a distribution group, then in the Active Roles Web Interface, you navigated to the distribution group and opened its Members, the following error message appeared:

Error: Object reference not set to an instance of an object.

The issue is now resolved, so in the Web Interface, opening the Members list of a distribution group that contains a mail-enabled security group as a member does not cause any errors.

NOTE: The Active Roles Web Interface does not support the listing of mail-enabled security groups in the Members list of distribution groups.

459648

Previously, if you have specified a value of 150,000 KB (or higher) for the Shared Mailboxes > Email settings > Sent message maximum size or Received message maximum size setting, the text box of these settings showed a different value than what you have set for them.

This issue has been fixed.

456672

Previously, when clicking Menu > Choose columns, moving an advanced attribute from the Hidden columns list to the Displayed columns list and saving it, the previously hidden advanced attribute still did not appear in a new column for users.

The issue is resolved: columns added to the Displayed columns list are displayed for users, and you can also remove previously added columns individually.

449966

Previously, when a group was assigned to the managedBy attribute of another group and adding a member to this first group required approval, the subgroup members of the managedBy group were not notified of the approval task. Consequently, the task did not appear among the approval tasks on the Self-Service Site of the Web Interface for members of subgroups.

The issue is now resolved by expanding the approval task so that members of subgroups within the group designated in the managedBy attribute are now included.

432073

Previously, when creating a hybrid Azure user, the Create Azure Account form was not validated against the policies that administrators set, and let users proceed even if the policies failed.

The issue is now fixed by adding the option to customize or skip validation to every form that validates policies.

420648

Previously, when using the Customization > Directory Objects > user - (My Account) > Create New Command menu of the Active Roles Self-Service Portal, saving and reloading your changes, then opening the new command via the User Profile Editor resulted in the page of the new command appearing in a nested Active Roles Self-Service Portal instance.

This issue was fixed by removing all unnecessary elements from the custom command page, so that no element appears twice on the page.

409603

Previously, after creating a new hybrid Azure user, the Azure Properties > Settings > Usage Location field of the user was always empty, even if a usage location was specified when creating the user. Selecting a value from the Azure Properties > Settings > Usage Location drop-down and saving the change then fixed the problem.

This issue is now fixed, so that the configured usage location appears in the Azure Properties > Settings > Usage Location drop-down immediately after creating the user.

393882

Previously, when selecting an AD LDS user, the Web Interface returned an Unable to load contents error instead of listing the available user management actions.

This issue is now fixed, and the list of actions is populated correctly.

386102

Previously, when using an approval workflow to extend the expiration time of the accountExpires parameter for users, the notification email and the workflow form showed the old and new expiration times in a non-human readable LDAP format until double-clicking the values.

This issue was fixed by implementing a converter to show the expiration times in a readable date and time format by default.

324293

Previously, users who had the Users - Help Desk Access Template assigned to them could not perform bulk password resets when selecting multiple users at once. Instead, they could reset passwords for single users only.

The issue was fixed by adding the edsva-Bulk-Operation-Object-List (Write Bulk Operation Objects) permission to the Users - Help Desk Access Template.

320823

Previously, if a user was assigned to a group with a temporary membership, attempting to assign the same group membership again to the user via the Member of > Add command resulted in Active Roles overwriting the temporary group membership of the user. This behavior differed from the Active Roles Console, which returned an error message in this scenario.

To ensure that the Web Interface works the same as the Active Roles Console, the Web Interface was updated to filter out already added elements, and return the following message when attempting to assign the user again to the same group:

The object <group-name> is already in the list and cannot be added for the second time.

289342

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 13: General known issues
Known Issue Issue ID

Due to RSTS connection limitations, federated authentication must be enabled for only one Active Roles instance. If you try to configure federated authentication for multiple Active Roles instances, the connection to the Active Roles database will break in the previously configured Active Roles instance.

466692

If you create a dynamic membership group in an Azure US Government tenant, attempting to check the dynamic membership rules of the group on Azure Portal can result in a No access error message appearing with error code 403.

If this happens, then the configured dynamic rules will not work, and Active Roles will not allocate the users who meet the criteria of the dynamic rules.

458338

If you have a new Active Roles service account with the minimum required permissions, in theActive Roles Console, in Active Directory > <domain-name> - Deleted Objects, opening the Advanced Properties of a deleted object and selecting the Show all possible attributes check box results in an error message and stops the Active Roles Service.

Workaround

One Identity recommends adding your service account as a member of the Domain Admins group.

275523

Activating the EnableAntiForgery key (<add key="EnableAntiForgery" value="true"/> in web.config) may cause the following error message:

Session timeout due to inactivity. Please reload the page to continue.

Workaround

Update the IgnoreValidation key in the<appSettings> section by adding a property value in lowercase:

  1. Open IIS Manager.

  2. In the left pane, under Connections, expand the tree view to Sites > Default Web Site.

  3. Under Default Web Site, click on the Active Roles application (ARWebAdmin by default).

  4. Double-click Configuration Editor.

  5. From the Section drop-down, select appSettings.

  6. Find the IgnoreForValidation key.

  7. Append the comma-separated value to IgnoreForValidation, for example: lowercasecontrolname.

  8. In the right pane, under Actions, click Apply.

  9. Recycle the App pool.

91977

Table 14: Add-on Manager known issues

Known Issue

Defect ID

After installing an add-on that creates Web Interface customization items, the Web Interface may not display the customization items created by the add-on.

Workaround

In the Web Interface, click Reload.

179835

After installing an add-on that creates a virtual attribute, the virtual attribute may not appear in the Advanced Properties dialog of the affected object.

Workaround

After installing the add-on, reconnect to the Administration Service.

180508

After installing an add-on that creates a virtual attribute and a Web Interface customization item using that virtual attribute, an error may occur when opening any Web Interface site.

Workaround

Restart Internet Information Services (IIS) on the web server running the Web Interface (for example, by running the iisreset command in the Windows command prompt).

If there is a replication group in your Active Roles environment, do the following:

  1. After the changes are propagated to all replication partners, click Reload in the Web Interface.

  2. If the Web Interface does not open, enter the following in the address bar of your browser to reload the Web Interface:

    <site url>/customization/metadata-Reload.aspx?ReloadFromWorkingCopy=1

  3. After the changes are propagated to all replication partners, restart Internet Information Services (IIS) on the web server running the Web Interface (for example, by running the iisreset command in the Windows command prompt).

180524

When you use Add-on Manager to uninstall an add-on, the following error may occur:

Object 'objectDN' was not found.

This error can occur if the add-on modifies an existing object during installation, and then the modified object is deleted by a user after the add-on has been installed.

Workaround

Uninstall the add-on from the command line using the /ForceUninstall parameter. For example:

AddOnManager.exe /UninstallAddon /AddonName:"my-addon" /ForceUninstall /Service:"servicename" /User:"domain\user" /Password:"password"

180700

After uninstalling an add-on that creates a virtual attribute and a Web Interface customization item that uses that virtual attribute, the Web Interface customization item created by the add-on may not be removed, and the Web Interface may return the following error:

An error occurred during the last operation.

Workaround

Perform the following steps:

  1. In the Web Interface, click the Reload command.

    If the Web Interface does not open, reload the Web Interface by entering the following URL in the address bar of your browser:

    <site url>/customization/metadata-Reload.aspx?ReloadFromWorkingCopy=1

    NOTE: If there is a replication group in your Active Roles environment, reload the Web Interface only after the changes are propagated to all replication partners.

  1. Restart Internet Information Services (IIS) on the web server running the Web Interface (for example, by running the iisreset command in the Windows command prompt).

    NOTE: If there is a replication group in your Active Roles environment, restart IIS only after the changes are propagated to all replication partners.

180721

After installing an add-on that creates Web Interface customization items, the Web Interface customization items created by the add-on may not appear.

This issue may occur if you provide an incorrect user name and password for reloading Web Interface sites.

Workaround

In the Web Interface, click the Reload command.

180808

When you install Add-on Manager from the command-line, you may encounter the following error:

Command line option syntax error. Type Command /? for Help.

This error may occur if one or several parameters of the command contain more than 255 characters.

Workaround

Edit the command-line parameters (for example, the path to a file) so that each parameter is not longer than 255 characters.

183252

Table 15: Configuration Center known issues
Known Issue Issue ID

If you want to add an Azure tenant to Active Roles and you authenticate the procedure with a user account that is a member in multiple organizations, adding the tenant can fail with the following error:

Object reference not set to an instance of an object. Cannot index into a null array.

This issue can occur if the user account you use for authentication resides as an external account in your organization, as Active Roles always attempts to connect and authenticate towards tenants with users that are members of your current organization.

Workaround

To solve this problem, perform any of the following steps:

  • If your account is a member of any organizations where you do not need membership, leave those organizations via the Azure Portal. If you cannot leave those organizations yourself, contact Microsoft for assistance.

  • Delegate Global Admin rights to a different account, or create a new Global Admin account. Then, use that account for logging in when adding the Azure tenant in the Active Roles Configuration Center.

457501

Following an in-place upgrade, claims settings configured previously in the Web Interface > Authentication > Site authentication settings > Configure claims window will be reset to the default UPN, EMAIL and SID claims.

Because of this, if you have previously configured any claims before upgrading Active Roles, you must reconfigure your claims settings.

455729

During an in-place upgrade, the connection attempt can fail with the following error message:

The target principal name is incorrect.

This issue is caused by a change introduced in Microsoft OLE DB Driver for SQL Server 19, a third-party prerequisite since Active Roles 8.2. Previous versions of OLE DB Driver allowed you to reference an SQL Server without specifying the full server name. However, starting from Microsoft OLE DB Driver for SQL Server 19, this is no longer possible, as the SQL Server name must match the principal name referenced by the OLE DB Driver certificate.

Workaround

To solve this problem, perform any of the following steps:

  • In the Change Active Roles Database wizard (available via the Administration Service > Active Roles databases > Change option), specify the full SQL Server name that matches the principal.

  • Create an alias for the SQL Server name that points to the valid principal.

  • Issue a new valid certificate that matches the SQL Server name.

427573

If you change an Active Roles database to an existing or pre-created blank Azure SQL database with the Change Active Roles Database wizard (available via the Administration Service > Active Roles databases > Change option), then saving and configuring the new Active Roles database settings returns the following error message, with the configured database settings appearing as not applied:

Unable to create a backup copy of the database encryption key for this Administration Service. Details: A parameter cannot be found that matches parameter name 'MultiSubnetFailoverSupport'.

However, this is a visual issue only, as the wizard can actually change the configuration to the specified Azure SQL database.

Workaround

Check if Active Roles has actually changed the database settings to the specified Azure SQL database:

  1. Close and reopen the Active Roles Configuration Center.

  2. Navigate to Administration Service > Active Roles databases.

455466

If you upgrade Active Roles to a newer version, starting the Active Roles Configuration Center to perform the in-place upgrade can fail with the following error messages:

  • Connect failed: The system cannot find the file specified.

  • Delegate to an instance method cannot have null 'this'.

At the same time, Active Roles logs the following error in the Event Viewer:

Critical error occurred upon starting Active Roles Administration Service. Details: Database <active-roles-database> on SQL Server <sql-server-name> is unavailable.

This issue occurs if the SQL Server that Active Roles uses is not already running when attempting to start the Active Roles Configuration Center after a restart to perform the upgrade process. The issue is more likely to occur if the SQL Server and Active Roles are installed on the same machine.

Workaround

To avoid this issue from occuring:

  • Install SQL Server and Active Roles on different machines.

  • Make sure that the SQL Server installation that Active Roles uses is up and running before starting the upgrade process.

If you have your SQL Server and Active Roles installed on the same machine, and the error occurs, close and reopen the Active Roles Configuration Center after the SQL Server started running.

448694

When configured for Groups and Contacts, the Office 365 and Azure Tenant Selection policy displays additional tabs.

229031

Tenant selection supports selecting only a single tenant.

229030

In the Starling Connect Connection Settings link, clicking Next displays progress, but the functionality is not affected, so the button is not required.

126892

Table 16: Console (MMC Interface) known issues
Known Issue Issue ID

Listing all attributes of an Azure hybrid user by selecting the Show all possible attributes check box might take too much time (approximately 30-50 seconds).

447201

The format of the edsaAzureSubscribedSKUs attribute for hybrid Active Directory users has changed between Active Roles 7.6 and 8.0. As a result of this change, from Active Roles 8.1, in the Active Roles Console, you cannot modify this attribute to assign licenses to hybrid AD users.

Workaround

To automate assigning licenses to hybrid AD users using a workflow

  1. Create a new, example hybrid user for the purpose of copying its edsaAzureSubscribedSKUs attribute, with the license(s) that you need.

  2. Copy the value of this edsaAzureSubscribedSKUs attribute.

  3. To automate assigning licenses to hybrid users using a workflow, in that workflow, paste this previously copied value as the edsaAzureSubscribedSKUs attribute.

For more information, see Workflows in the Active Roles Administration Guide.

440896

If you configure a Managed Unit with an Include by Query rule, the following condition operators cannot query Azure objects due to Graph API limitations:

  • Contains

  • Present

In addition, the Ends with condition returns results only if you specify whole words. The only exceptions to this behavior are the mail, otherMails, userPrincipalName and proxyAddresses attributes, where Ends with can properly query the values that end with your specified string.

For more information, see Support for filter by properties of Microsoft Entra ID (directory) objects in the Microsoft Graph documentation.

420917

Azure objects cannot be deleted.

Workaround

In the Delete Access Templates, give the user Read right on the ObjectClass property.

392597

You can run the UpdateServicesToExecute built-in script module only in a scheduled task named Update Services To ExecuteOn.

Attempting to run the UpdateServicesToExecute built-in script in a scheduled task with a different name will result in an error.

317057

Automation workflows with the Microsoft 365 script fail, if multiple workflows share the same script and the script is scheduled to execute at the same time.

Workaround

One Identity recommends scheduling the workflows with different scripts or at a different time.

200328

When a workflow is copied from a built-in workflow, it may not run as expected.

153539

Azure Group Properties are not available if they are added to the Microsoft 365 Portal or Hybrid Exchange Properties from the forwarding address attribute of Exchange online users.

98186

In Active Roles with the Office 365 Licenses Retention policy applied, after deprovisioning the Azure AD user, the Deprovisioning Results for the Office 365 Licenses Retention policy do not appear in the same window.

Workaround

To view the deprovisioning results of an Azure AD user:

  • In the Active Roles Console, right-click and select Deprovisioning Results.

  • In the right pane of the Active Roles Web Interface, click Deprovisioning Results.

  • To refresh the form, press F5.

91901

Table 17: Installer known issues
Known Issue Issue ID

After upgrading Active Roles, pending approval tasks do not appear in the Active Roles Web Interface.

91933

Table 18: Language Pack known issues
Known Issue Issue ID

In the Active Roles Configuration Center, changing the language in Global settings does not work properly.

Workaround

To change the language of the Web Interface, configure the language with the Active Roles 8.2 > Settings > User interface language option of the Web Interface.

125880

In the Active Roles Console, the O365 script execution configuration activity of the Workflow Designer is not completely localized to German.

151392

In the Active Roles Console, the German localization may contain visual issues and truncated texts.

91946

In the Active Roles Console, some strings are displayed in English instead of German in the German localization.

91942

In the Active Roles Synchronization Service, the Event Viewer messages are not translated to German.

91753

In the Active Roles Synchronization Service, the German localization does not have all connector strings translated.

91709

In the Active Roles Web Interface, some Azure-related strings are translated incorrectly for the supported languages. Translated texts may also contain link inconsistencies.

256939

In Active Roles, several German localization issues are present.

164713

In Active Roles, strings on the notification page are not localized.

153695

In the Language Pack installer, the link of the online EULA agreement in the EULA text does not work.

91925

Table 19: Synchronization Service known issues
Known Issue Issue ID

Due to limitations in Graph API that prevent creating Azure contacts in Azure AD, Active Roles Synchronization Service cannot synchronize Azure contacts from any source data system to Azure AD.

Depending on the source data system, attempting to synchronize Azure contacts to Azure AD can result in the following error messages:

  • If the source data system is Active Roles:

    An error occurred: "A parameter cannot be found that matches parameter name '<attribute>."

  • If the source data system is not Active Roles:

    Error: "Unexpected error."

412365, 412507

In the Synchronization Service, the following attributes of the Microsoft Azure AD Connector are currently not supported and cannot be queried via the Microsoft Graph API:

  • user attributes:

    • aboutMe

    • birthday

    • contacts

    • hireDate

    • interests

    • mySite

    • officeLocation

    • pastProjects

    • preferredName

    • responsibilites

    • schools

    • skills

  • group attributes:

    • acceptedSenders

    • allowExternalSenders

    • autoSubscribeNewMembers

    • hasMembersWithLicenseErrors

    • hideFromAddressLists

    • hideFromOutlookClients

    • isSubscribedByMail

    • membersWithLicenseErrors

    • rejectedSenders

    • unseenCount

This means that although these attributes are visible, they cannot be set in a mapping rule.

304074

After running the get-qcworkflowstatus cmdlet in the Synchronization Service, the workflow status is not accurate.

125768

Table 20: Web Interface known issues
Known Issue Issue ID

If you create an Exchange object that supports configuring additional properties on creation (for example, contacts or resource mailboxes), then opening the page of these properties immediately after creating the object will result in the configured values of these properties appearing incorrectly.

For example, specifying the:

  • Contact Info or Mail tip properties for a contact, or

  • Calendar Processing or Location properties for a resource mailbox

will result in the values of these properties appearing incorrectly in the Web Interface form, with the risk of saving them with these incorrect values if you click Save.

This error occurs because Active Roles creates Exchange objects (like mailboxes or contacts) on the Exchange Server first, and will populate the Web Interface forms of the opened Exchange objects afterwards. Because of this, if you open the Web Interface forms of the objects too quickly, Active Roles might fail the update request for the forms, resulting in empty or default values appearing for the affected properties.

Workaround

To prevent this issue from occurring, always wait at least one minute before opening the Web Interface forms of the newly-created Exchange objects. If the forms still show incorrect, default or empty values when opening them, specify your desired values again, then click Save.

457642

When searching for directory objects in the Active Roles Web Interface, using the Quick Search bar of the Web Interface header returns less results than the Search page when using the same search term. This is because the Quick Search bar can only find objects whose name starts with the specified search term.

Workaround

To get accurate and complete search results, use the Search menu on the left-side pane instead of the Quick Search bar in the Web Interface header.

448500

When administering approval requests in the Active Roles Web Interface, attempting to reject requests with the Examine Task > Reject button will not work. Instead, clicking the button simply returns you to the approval task details without any changes.

Workaround

Reject approval requests directly in the Pending Tasks list of the Web Interface. To do so:

  • Select the request(s) you want to reject, then click Reject selected.

  • Use the Reject button right next to the approval request in the list.

437370

Using a personal view to open an Active Directory (AD) Organizational Unit (OU) whose name contains the "<" special character results in the following error:

An error occurred during the last operation.
Error: A potentially dangerous Request.Query.String was detected from the client (DN="OU\<name-property>").

The issue is caused by the special character in the request URL of the Web Interface, causing failures in the web functionality of Active Roles.

Workaround

One Identity recommends avoiding the use of the "<" character in the name property of an AD object.

415590

When searching for hybrid Azure security groups, using the Quick Search bar of the Web Interface header returns fewer results than the Search page when using the same search term. This is because the Quick Search bar can only find objects whose name starts with the specified search term.

Workaround

To get accurate and complete search results, use the Search menu on the left-side pane instead of the Quick Search bar in the Web Interface header.

448500

When attempting to modify or delete Azure users, contacts, or groups synchronized from an on-premises Active Directory to an Azure Active Directory, the operation either appears to be successful but silently fails, or the operation fails with a generic error message.

If the operation appears to be successful, the following message appears:

The operation is successfully completed.

However, the operation silently fails, no error message appears, and the Azure user, contact or group is not deleted or modified.

If the operation fails, the following generic error message appears instead of a specific error message:

An error occurred during the last operation.

NOTE: Similar failures with either no error message or a generic error message might occur in the Active Roles Web Interface.

388062,

388063

If you click Azure > Resource Mailboxes to query room mailboxes after being idle for approximately 15-20 minutes, the Active Roles Web Interface will not list any room mailboxes.

Workaround

Restart the Administration Service.

293380

In the Active Roles Web Interface, Azure roles are not restored automatically after performing an Undo Deprovision action on a user.

Workaround

After the Undo Deprovision action is completed, assign the Azure roles to the user manually.

172655

Active Roles does not support creating Azure groups for existing groups.

117015

Active Roles Web Interface does not support setting the Exchange Online Property of the ProhibitSendQuota value in Storage Quotas.

91905

System requirements

Before installing Active Roles 8.2 in an on-premises environment, ensure that your system meets the following minimum hardware and software requirements.

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.

To authenticate and communicate with Azure, the Active Roles Service must have access to the following Microsoft endpoints:

  • https://login.microsoftonline.com/

  • https://developer.microsoft.com/graph

  • https://graph.windows.net/

To manage Azure Active Directory resources, you must install the following prerequisites in the Active Roles Configuration Center.

TIP: To run the PowerShell commands of the following modules, use the 64-bit version of Windows PowerShell.

Requirement

Version

Details

NuGet package provider

Minimum: 2.8.5.201

Maximum: 3.0.0.1

You must install the NuGet package provider on the computer(s) running an Active Roles Administration Service instance or Active Roles Synchronization Service.

For more information, see Install-PackageProvider in the Microsoft Package Management documentation.

Exchange Online PowerShell V3 module

Minimum: 3.0.0

Maximum: 3.5.0

You must install the Exchange Online PowerShell module on the computer(s) running an Active Roles Administration Service instance or Active Roles Synchronization Service.

For more information, see About the Exchange Online PowerShell module in the Microsoft Exchange PowerShell documentation.

Az.Accounts PowerShell module

Minimum: 2.15.1

Maximum: 2.16.0

You must install the Az.Accounts PowerShell module on the computer(s) running an Active Roles Administration Service instance or Active Roles Synchronization Service.

For more information, see Az.Accounts in the Microsoft PowerShell Gallery.

Az.Resources PowerShell module

Minimum: 6.15.1

Maximum: 6.16.0

You must install the Az.Resources PowerShell module on the computer(s) running an Active Roles Administration Service instance.

For more information, see Az.Resources in the Microsoft PowerShell Gallery.

Microsoft Graph PowerShell module

Maximum: 2.17.0

You must install the Microsoft Graph PowerShell module on the computer(s) running an Active Roles Administration Service instance. For installation instructions, see Microsoft Graph in the Microsoft PowerShell Gallery.

Microsoft Edge WebView2 Runtime

N/A

If no web browser is installed on the machine where you want to install and use Active Roles, download the Microsoft Edge Webview 2 Runtime installer with the following PowerShell command:

Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$([System.IO.Path]::Combine([System.Environment]::GetFolderPath('UserProfile'), 'Downloads', 'MicrosoftEdgeWebView2Setup.exe'))"

After the download is finished, locate the installer in your Downloads folder and run it.

(Optional) One Identity certificate

N/A

If your organization enforces the AllSigned policy, you must install the One Identity certificate during the installation of Active Roles.

CAUTION: When importing PowerShell modules with the $context.O365ImportModules function, they are imported with the versions specified in the configuration of the Azure-specific prerequisites.

However, after importing the specified versions of the required PowerShell modules, running PowerShell cmdlets without passing them as a string to the $context.O365ImportModules function can cause inconsistent behavior in Active Roles. This is because if there are multiple versions of the same PowerShell module installed on the computer running the Active Roles server, PowerShell modules containing the script to run can be imported automatically with different versions.

To avoid inconsistent behavior in Active Roles by importing different PowerShell versions, run PowerShell modules only by passing them as a string to the $context.O365ImportModules function.

Hardware requirements
Table 21: Hardware requirements
Requirement Details

Processor

NOTE: The number of cores required depends on the size of the environment and the total number of managed objects.

For Administration Service, Web Interface and Synchronization Service, any of the following:

  • Intel 64 (EM64T)

  • AMD64

  • Minimum 2 cores

  • CPU speed: 2.0 GHz or faster

NOTE: For Active Roles Synchronization Service, One Identity recommends using a multi-core CPU for the best performance.

For Console, SPML Provider and Management Tools, any of the following:

  • Intel x86

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 1.0 GHz or faster.

Memory

NOTE: The amount of RAM required depends on the size of the environment and the total number of managed objects.

Administration Service:

A minimum of 4 GB of RAM.

Web Interface, Synchronization Service:

A minimum of 2 GB of RAM.

Console, SPML Provider and Management Tools:

A minimum of 1 GB of RAM.

Hard disk space

Administration Service, Web Interface, Console, SPML Provider and Management Tools:

A minimum of 100 MB of free disk space.

Synchronization Service:

A minimum of 250 MB of free disk space.

NOTE: If SQL Server and Synchronization Service are installed on the same computer, the amount required depends on the size of the Synchronization Service database.

Operating system

You can install any of the Active Roles components on a computer running:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

Active Roles supports the Standard or Datacenter edition of these operating systems.

In addition, you can install the Active Roles Console and Management Tools on a computer running:

  • Microsoft Windows 11, Professional or Enterprise edition.

  • Microsoft Windows 10, Professional or Enterprise edition, 32-bit (x86) or 64-bit (x64).

Component requirements

CAUTION: To avoid inconsistent behavior in Active Roles when managing Azure Active Directory resources, you must enable Transport Layer Security (TLS) protocol version 1.2. For more information, see TLS 1.2 enforcement for Azure AD Connect in the Microsoft Azure documentation.

All Active Roles components require:

Table 22: Administration Service requirements
Requirement

Details
SQL Server

You can host the Active Roles database on the following SQL Server versions:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).

IMPORTANT: Starting from version 8.2, Active Roles supports (and its installer is shipped with) Microsoft OLE DB Driver 19.x for SQL Server. However, Active Roles still supports earlier OLE DB Driver versions as well (18.4 or newer).

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Operating system on domain controllers

The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

NOTE: The supported domain functional level is Windows Server 2008 R2 or higher.

Exchange Server

Active Roles is capable of managing Exchange recipients on:

  • Microsoft Exchange Server 2019

  • Microsoft Exchange Server 2016

Table 23: Web Interface requirements
Requirement

Details

Internet Services

Active Roles Web Interface requires the Web Server (IIS) server role with the following role services:

  • Web Server/Common HTTP Features/

    • Default Document

    • HTTP Errors

    • Static Content

    • HTTP Redirection

  • Web Server/Security/

    • Request Filtering

    • Basic Authentication

    • Windows Authentication

  • Web Server/Application Development/

    • .NET Extensibility

    • ASP

    • ASP.NET

    • ISAPI Extensions

    • ISAPI Filters

  • Management Tools/IIS 6 Management Compatibility/

    • IIS 6 Metabase Compatibility

Feature delegation

Internet Information Services (IIS) must provide Read/Write delegation for the following features:

  • Handler Mappings

  • Modules

To confirm that these features have the Read/Write delegation configured, use the Feature Delegation option of the native Internet Information Services (IIS) Manager tool of the operating system.

.NET Trust Levels

The .NET Trust Level must be set to Full (internal) on every computer where the Web Interface component is installed.

To configure this setting:

  1. In the system-provided Internet Information Services (IIS) Manager tool, under Connections, expand the node of the computer, and navigate to Sites > Default Web Site.

  2. On the Default Web Site Home page, double-click .NET Trust Levels.

  3. Under Trust level, select Full (internal).

NOTE: Setting the .NET Trust Level to any other value will result in a failure when attempting to load any of the configured Active Roles Web Interface sites.

Web browser

You can access Active Roles Web Interface using:

  • Mozilla Firefox 36 (or newer) on Windows.

  • Google Chrome 61 (or newer) on Windows.

  • Microsoft Edge 79 (or newer), based on Chromium on Windows 10 and 11.

You can use a later version of Firefox and Google Chrome to access Active Roles Web Interface. However, the Active Roles Web Interface was tested only with the browser versions listed above.

Minimum screen resolution

Active Roles Web Interface is optimized for screen resolutions of 1280x800 or higher.

The minimum supported screen resolution is 1024x768.

Table 24: Console requirements
Requirement

Details

Web browser

Active Roles Console requires Microsoft Edge 79 (or newer), based on Chromium.

Table 25: Management Tools requirements
Requirement

Details

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Remote Server Administration Tools (RSAT)

To manage Terminal Services user properties by using Active Roles Management Shell, Active Roles Management Tools requires Remote Server Administration Tools (RSAT) for Active Directory.

For more information on installing the RSAT version applicable to your operating system, see Remote Server Administration Tools (RSAT) for Windows in the Microsoft Windows Server documentation.

Table 26: Synchronization Service requirements
Requirement

Details

Operating system on domain controllers

The product retains all of its features and functions when managing Active Directory on domain controllers running any of these operating systems, any edition, with or without any Service Packs:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

NOTE: The supported domain functional level is Windows Server 2008 R2 or higher.

SQL Server

You can host the Active Roles Synchronization Service database on:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

Windows Management Framework

Windows Management Framework 5.1 (available for download) is required on all supported operating systems.

Supported connections

Active Roles Synchronization Service can connect to the following data systems:

  • Data sources accessible via an OLE DB provider.

    NOTE: To create a connection to an OLE DB-compliant relational database, the OLE DB Connector requires any version of Microsoft OLE DB Driver for SQL Server that is supported by Microsoft to be installed on the machine running Active Roles Synchronization Service.

    The Active Roles installer is shipped with and automatically installs Microsoft OLE DB Driver 19.x for SQL Server.

  • Delimited text files.

  • IBM AS/400, IBM Db2, and IBM RACF systems.

  • LDAP directory service.

  • Micro Focus NetIQ Directory systems.

  • The following Microsoft services and resources:

    • Active Directory Domain Services (AD DS) with the domain or forest functional level of Windows Server 2016 or higher.

    • Active Directory Lightweight Directory Services (AD LDS) running on any Windows Server operating system supported by Microsoft.

    • Azure Active Directory (Azure AD) using Microsoft Graph API version 1.0.

    • Exchange Online services.

    • Exchange Server with the following versions:

      • Microsoft Exchange Server 2019

      • Microsoft Exchange Server 2016

    • Lync Server version 2013 with limited support.

    • SharePoint 2019, 2016, or 2013.

    • SharePoint Online service.

    • Skype for Business 2019, 2016 or 2015.

    • Skype for Business Online service.

    • SQL Server, any version supported by Microsoft.

  • One Identity Active Roles version 7.4.3, 7.4.1, 7.3, 7.2, 7.1, 7.0, and 6.9.

  • One Identity Manager version 8.0 and 7.0 (D1IM 7.0).

  • OpenLDAP directory service.

  • Oracle Database, Oracle Database User Accounts, and Oracle Unified Directory data systems.

  • MySQL databases.

  • Salesforce systems.

  • SCIM-based data systems.

  • ServiceNow systems.

Legacy Active Roles ADSI Provider

To connect to Active Roles version 6.9, install the Active Roles ADSI Provider. For more information, see Installing additional components in the Active Roles Installation Guide.

One Identity Manager API

To connect to One Identity Manager 7.0, install One Identity Manager Connector on the computer running Active Roles Synchronization Service. This connector works with the RESTful web service and no SDK installation is required.

Internet connection

To connect to cloud directories or online services, the machine running Active Roles Synchronization Service must have a stable Internet connection.

Table 27: Synchronization Service Capture Agent requirements
Requirement

Details

Operating system

The DCs on which you install Active Roles Synchronization Service Capture Agent must run one of the following operating systems with or without any Service Pack:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

For more information, see the Active Roles Synchronization Service Administration Guide.

Table 28: Language Pack requirements
Requirement

Details

Active Roles version

The Active Roles 8.2 Language Pack requires Active Roles version 8.2 of the Administration Service, Configuration Center, Console, Synchronization Service or the Web Interface installed on the target machine.

The Active Roles 8.2 Language Pack will not work properly with earlier versions of Active Roles.

Operating system

You can install the Active Roles Language Pack on 64-bit operating systems only.

Table 29: Add-on Manager requirements

Requirement

Details

Processor

Any of the following:

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 1.0 GHz or faster

Memory

A minimum of 1 GB of RAM.

Hard Disk Space

A minimum of 100 MB of free disk space.

Operating System

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

In addition, you can also install Add-on Manager on a computer running:

  • Microsoft Windows 11, Professional or Enterprise edition.

  • Microsoft Windows 10, Professional or Enterprise edition, 64-bit (x64)

Active Roles Console

Add-on Manager requires Active Roles 8.2 Console installed.

Microsoft Windows PowerShell

Windows PowerShell 5.1 or later

Web Browser

Microsoft Edge 79 or newer (based on Chromium)

Table 30: Diagnostic Tools requirements

Requirement

Details

Processor

1.0 GHz or faster 32-bit (x86) or 64-bit (x64) CPU.

Memory

NOTE: The amount of RAM required depends on the size of the log file opened with the Log Viewer tool.

A minimum of 1 GB of RAM.

Hard disk space

A minimum of 10 MB of free disk space.

Operating system

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

Table 31: Data Collector and Reporting Pack requirements

Requirement

Details

Processor

Any of the following:

  • Intel x86

  • Intel 64 (EM64T)

  • AMD64

  • CPU speed: 2.0 GHz or faster.

Memory

A minimum of 2 GB of RAM.

Hard disk space

  • 12 MB for the Data Collector and Reporting Pack.

  • 10 GB for the SQL Server Reporting Services.

Operating system

Any of the following Windows Server operating systems:

  • Microsoft Windows Server 2022

  • Microsoft Windows Server 2019

  • Microsoft Windows Server 2016

SQL Server and SQL Server Reporting Services

You can host the Active Roles Data Collector and Reporting Pack on the following SQL Server versions:

  • Microsoft SQL Server 2022, any edition.

  • Microsoft SQL Server 2019, any edition.

  • Microsoft SQL Server 2017, any edition.

  • Microsoft SQL Server 2016, any edition.

  • Microsoft SQL Server 2014, any edition, 32-bit (x86) or 64-bit (x64), with or without any Service Pack.

  • Azure SQL hosted databases.

  • Azure SQL hosted databases.

To connect Active Roles to a Microsoft SQL Server deployment, install Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL).

Active Roles ADSI Provider

Active Roles 8.2 Management Tools must be installed.

Deployment requirements on AWS

Before deploying Active Roles 8.2 in Amazon Web Services (AWS) to manage AWS Managed Microsoft AD via AWS Directory Service, ensure that the following prerequisites are met.

Connectivity requirements

You must have:

  • Stable network connectivity to Amazon Web Services (AWS).

  • Port 1433 open and available for the Amazon Relational Database Service (RDS) service.

  • Access to the AWS service with the AWSAdministratorAccess permission.

    NOTE: Make sure that you have AWSAdministratorAccess permission, as it is required for certain configuration steps. The AWSPowerUserAccess permission is not sufficient for completing the entire configuration procedure.

Infrastructure requirements

To deploy and configure Active Roles for AWS Managed Microsoft AD, you must have access to the following AWS services and resources:

  • AWS Managed Microsoft AD deployed via AWS Directory Service.

  • One or more Amazon Elastic Compute Cloud (EC2) instance(s) hosting the Active Roles services and components.

    The EC2 instance(s) must have, at minimum:

    • 2 vCPUs running at 2.0 GHz.

    • 4 GB of RAM.

    TIP: One Identity recommends hosting the main Active Roles services and components (the Active Roles Service and Console, and the Active Roles Web Interface) on separate EC2 instances. If you deploy all Active Roles services and components in a single EC2 instance, use a more powerful instance to ensure a better user experience for the product.

    NOTE: AWS Managed Microsoft AD support was tested with a single t2.large EC2 instance.

  • An Amazon Relational Database Service for SQL Server (RDS for SQL Server).

    NOTE: AWS Managed Microsoft AD support was tested with an RDS instance running the latest version of Microsoft SQL Server.

Make sure that all these components are discoverable or visible to each other.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione