Chat now with support
Chat with Support

Active Roles 7.5.2 - Release Notes

Deprecated features

The following is a feature that is no longer supported starting with ARS 7.5.2.

Redistributable STS (rSTS) was a third party authentication component that you could use as an alternative to the default IIS Windows authentication, when logging in to the Active Roles Web Interface. You could configure the rSTS authentication method in the rSTS API Admin Tool and the Active Roles Configuration Center. You also needed the rSTS API Admin Tool to configure Active Roles integration with Duo or Okta.

Starting from Active Roles 7.5.2, the rSTS authentication method and the rSTS API Admin Tool are no longer available and supported for new installations of Active Roles. The Active Roles documentation has been updated to reflect this change.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: Resolved Issues – Active Roles Administration Service

Resolved issue

Issue ID

Previously, when importing a specific configuration, the Active Roles Administration Service was stuck at the getting ready phase because the IsOnInitCommentedOut function had an infinite loop when the script had more than one comment.

The issue has been fixed.

287577

Table 3: Resolved Issues – Active Roles Configuration Center

Resolved issue

Issue ID

Previously, in the Active Roles Configuration Center during an upgrade, when navigating to Active Roles databases > Import Configuration to import the configuration database of an earlier Active Roles 7.x version to a newer Active Roles 7.x version, the following error could occur:

[Error] [ArsBaseCommand.ProcessRecord]: Violation of UNIQUE KEY constraint 'UQ_APOs_distinguishedName'. Cannot insert duplicate key in object 'dbo.APOs'. The duplicate key value is (CN=Built-in Policy - Azure - Default Rules to Generate Properties,CN=Builtin,CN=Administration,CN=Policies,CN=Configuration). The statement has been terminated.

This error occurred if you changed the name of any built-in object, such as a policy, and then created a new built-in object with the same name, which caused the import configuration operation to fail.

The issue has been fixed: the import configuration operation finishes successfully even if there are built-in objects with the same name, and the error will be logged and displayed at the end instead of causing the operation to fail.

240451

Previously, attempting to configure a new Active Roles Web Interface in the Active Roles Configuration Center from an existing 7.4.x configuration was not possible, as the previous Web Interface configuration did not appear in the list of configuration files.

This issue was caused by a version information update error, resulting in the existing Web Interface configuration accidentally filtered out by the Active Roles Configuration Center. This issue has been fixed in this release.

297632

Table 4: Resolved Issues – Active Roles Console (MMC Interface)

Resolved issue

Issue ID

Previously, in the Active Roles Console, using the $context.O365ImportModule("<moduleName>") command in a workflow with the azuread or the exchangeonlinemanagement module resulted in a null reference exception instead of importing and connecting the modules using the stored credentials.

The issue has been fixed and now the $context.O365ImportModule("<moduleName>") command imports and connects the module successfully using the stored credentials.

280567

Previously, in customer environments where database replication was configured, when a workflow approval was created in the Active Roles Console (MMC Interface), and the approval request was approved (via the Active Roles Self Service Web Interface) on a different Administration Service, the secondary approval activity in the workflow approval was bypassed and the request was completed.

The issue has been fixed and now the second level workflow approval is not bypassed anymore when the first approval is performed:

  • On the publisher Active Roles instance when the modification which needs to be approved is done on the subscriber.

  • On the subscriber Active Roles instance when the modification which needs to be approved is done on the publisher.

251629

Previously, in the Active Roles Console (MMC Interface), using the $context.O365ImportModules function in a script module inside a workflow did not work. Instead, you could import multiple modules at once by specifying a string array with the $context.O365ImportModule function.

The issue has been fixed by changing the behavior of these functions as follows:

  • Use the $context.O365ImportModule function to import a single Microsoft Azure or O365 PowerShell module. If you have multiple versions of the specified module installed, you can optionally specify the major version to import.

  • Use the $context.O365ImportModules function to import multiple Microsoft Azure or O365 PowerShell modules at once by specifying them in an array.

Both functions support importing the following Azure and O365 Windows PowerShell modules:

  • Azure Az

  • AzureAD

  • ExchangeOnlineManagement

  • MicrosoftTeams PowerShell Module

283192

Previously, the Active Roles Console did not list any Access Templates for Security Groups and Resource Mailboxes. This issue has been fixed, and the new Security Group and Resource Mailbox Access Templates are available under the Configuration > Access Templates > Azure node.

297763

Table 5: Resolved Issues – Active Roles Installer

Resolved issue

Issue ID
Previously, the Active Roles Installer stopped with an error if users launched it without the required elevated permissions. This issue is now fixed, and the installer prompts users to restart it with elevated permissions to perform the installation.

298958

Table 6: Resolved Issues – Active Roles SPML Provider

Resolved issue

Issue ID

Previously, when the Active Roles SPML Provider was installed on a separate host from the Active Roles Administration Service, submitting a modification request using Constrained Delegation resulted in an unsupportedOperation error due to a com_object that the Active Roles SPML Provider could not cast properly.

The issue has been fixed.

289838

Table 7: Resolved Issues – Active Roles Synchronization Service
Resolved issue Issue ID

Previously, in the Active Roles Synchronization Service, when you created or updated a connector with incorrect configuration (that is, you entered an incorrect username, password, and so on), you could not modify your settings later due to connection failure.

The issue has been fixed and now if you create or update a connector with incorrect configuration, an error message appears with a Open and fix button, allowing you to fix the configuration.

302092

Previously, in the Active Roles Synchronization Service, if you configured a new mapping pair between Active Roles and a SCIM connector created in the Active Roles Synchronization Service Console that used the configuration of an Azure AD connector created in Starling Connect, running a full map caused the SCIM Connector to loop infinitely.

The issue has been fixed and now mapping a SCIM connector which was created in Starling Connect with Active Roles does not cause the SCIM connector to loop infinitely.

296338

Previously, in the Active Roles Synchronization Service, you could save a connection with an incorrect username or password without any warning.

The issue has been fixed and now if you try to save a connection with an incorrect username or password, Active Roles Synchronization Service will warn you to fix your settings.

90712

Previously, in the Active Roles Synchronization Service, when creating a new connection with the Oracle Database Connector, then creating another connection to Active Directory (AD) and configuring password synchronization, the Oracle Database Connector connection was listed as available for password synchronization.

The issue has been fixed and now the Oracle Database Connector connection is not listed as available for password synchronization.

301940

Previously, in the Active Roles Synchronization Service, creating a new connection using the Oracle Database User Accounts Connector with any connection information or even blank values resulted in the following error: Value cannot be null. Parameter name: type.

This error was caused by a case sensitivity issue when loading the assembly, and is now fixed.

301941

Previously, in the Active Roles Synchronization Service and Quick Connect, when synchronizing groups, both in case of Azure-to-Active Directory or Active Directory-to-Active Directory merge attempts, the merge rule on the members attribute ignored mapping and did not resolve object references.

The issue has been fixed and now when synchronizing groups, the merge rule on the members attribute handles members as references and not as string attributes (either DN in case of an on-prem Active Directory object, or Object ID in case of an Azure Active Directory object), so the merge rule does not overwrite DNs or Object IDs.

 270758

An earlier fix in the Active Roles Synchronization Service included a different null result handling for scripts, causing issues.

The issue has been fixed.

 286380

Previously, in the Active Roles Synchronization Service, defining a mapping rule on the Microsoft Office 365 (O365) Connector failed due to the incorrect handling of invalid, corrupted or unrecognizable license files located in the connected O365 platform. Such license files can be the result of a broken Azure operation originating from an earlier version.

The issue has been fixed and now invalid, corrupted or unrecognizable license files are ignored during the O365 Connector mapping operations.

294905

Attempting to define a mapping rule for the Microsoft Office 365 Connector results in an error if the Azure BackSync application does not have the minimum set of roles assigned.

To solve this issue, the Active Roles Synchronization Service Administration Guide has been updated to clarify that the O365 Connector works only if the Azure BackSync application receives the minimum set of roles (namely, the Exchange Administrator and the Directory Writers roles) required for implementing automatic permission and role assignment in Active Roles Synchronization Service.

296252

Previously, configuring a Microsoft Office 365 Connector workflow returned a True value for all license attributes instead of individual values, even if just one license has been applied.

This issue was caused by a license synchronization problem due to the incorrect processing of certain cmdlet calls, and has been fixed by ensuring that the O365 Connector returns the proper True or False values depending on whether the related service plan is enabled or disabled for a user within a specific license.

297183

Table 8: Resolved Issues – Active Roles Web Interface

Resolved issue

Issue ID

Previously, in the Active Roles Web Interface, after registering an Azure Tenant in the Active Roles Configuration Center, searching for a room mailbox in the global search bar did not return any room mailbox objects.

The issue has been fixed and now you can search for room mailbox objects in the global search bar of the Active Roles Web Interface.

301535

Previously, in the Active Roles Web Interface, after registering an Azure Tenant in the Active Roles Configuration Center, opening the User properties of any user took 4-5 seconds.

The issue has been fixed and now opening the User properties takes the same amount of time both when the Azure Tenant is not registered and when it is registered.

303259

Previously, in the Active Roles Web Interface, you could only select users for email forwarding, while all other email-enabled objects, such as groups or contacts, were not available for email forwarding because searches only returned user objects.

The issue has been fixed and now you can select any email-enabled object for email forwarding.

299990

Previously, in the Active Roles Web Interface, examining an approval task or approving group memberships without configuring Azure resulted in the following exception error:

Can't execute custom entry method Get_AzureO365GroupMembers due following error: "Exception of type 'ActiveRoles.Web.ScriptServices.ScriptServiceException' was thrown."

This UI-related issue has been fixed.

291961

Previously, importing an Active Roles configuration with the Administration Service > Active Roles databases > Import configuration wizard of the Active Roles Configuration Center could result in an inconsistent Active Roles Web Interface configuration state if the Active Roles Web Interface had been previously configured with the Dashboard > Web Interface > Configure setting. This issue was caused by a discrepancy between the previously configured Active Roles Web Interface configuration and the imported Active Roles Web Interface configuration.

The issue has been fixed and now importing an Active Roles Web Interface configuration will not result in a conflicted Active Roles Web Interface configuration state if the Active Roles Web Interface has already been configured in the Active Roles Configuration Center.

275240

Previously, there was a reflected cross-site scripting (XSS) vulnerability in the Active Roles Web Interface's internal redirect URL handling.

The issue has been fixed, the XSS vulnerability is now removed, and all querystring inputs are sanitized correctly.

284021

Known issues

The following is a list of issues known to exist at the time of release.

Table 9: General known issues
Known Issue Issue ID

Activating the EnableAntiForgery key (<add key="EnableAntiForgery" value="true"/> in web.config) may cause the following error message:

Session timeout due to inactivity. Please reload the page to continue.

Workaround

Update the IgnoreValidation key in the<appSettings> section by adding a property value in lowercase:

  1. Open the IIS Manager.

  2. In the left pane, under Connections, expand the tree view to Sites > Default Web Site.

  3. Under Default Web Site, click on the Active Roles application (ARWebAdmin by default).

  4. Double-click Configuration Editor.

  5. From the Section drop-down, select appSettings.

  6. Find the IgnoreForValidation key.

  7. Append the comma-separated value to IgnoreForValidation, for example: lowercasecontrolname.

  8. In the right pane, under Actions, click Apply.

  9. Recycle the App pool.

91977

Table 10: Known Issues – Active Roles Configuration Center
Known Issue Issue ID
When configured for Group and Contacts, the Office 365 and Azure Tenant Selection policy displays additional tabs. 229031
Tenant selection supports selecting only a single tenant. 229030

In the Starling Connect Connection Settings link, clicking Next displays progress, but the functionality is not affected, so the button is not required.

126892

Table 11: Known Issues – Active Roles Console (MMC Interface)

Known Issue

Issue ID

Automation workflow with Office 365 script fails, if multiple workflows share the same script and the script is scheduled to execute at the same time.

Workaround

One Identity recommends scheduling the workflows with different scripts or at a different time.

200328

When a workflow is copied from built-in workflows, it may not be executed as expected.

153539

Azure Group Properties are not available if they are added to the Office 365 Portal or Hybrid Exchange Properties from the forwarding address attribute of Exchange online users.

98186

In Active Roles with the Office 365 Licenses Retention policy applied, after deprovisioning the Azure AD user, the Deprovisioning Results for the Office 365 Licenses Retention policy are not displayed in the same window.

Workaround

To view the Deprovisioning Results after deprovisioning the Azure AD user:

  • In Active Roles MMC Console, right-click and select Deprovisioning Results.

  • In the right pane of the Active Roles Web Interface, click Deprovisioning Results.

  • To refresh the form, press F5.

91901

Table 12: Known Issues – Active Roles Installer

Known Issue

Issue ID

After upgrading Active Roles, the pending approval tasks are not displayed in the ARS Web Interface.

91933

Table 13: Known Issues – Active Roles Synchronization Service

Known Issue

Issue ID

In the Active Roles Synchronization Service, the following new attributes of the AzureAD Connector are currently not supported and cannot be queried via the Microsoft Graph API:

user

group

aboutMe

allowExternalSenders

birthday

autoSubscribeNewMembers

hireDate

hideFromAddressLists

interests

hideFromOutlookClients

mySite

isSubscribedByMail

officeLocation

unseenCount

pastProjects

acceptedSenders

preferredName

membersWithLicenseErrors

responsibilities

rejectedSenders

schools

hasMembersWithLicenseErrors

skills

 

contacts

 

This means that although these attributes are visible, they cannot be set in a mapping rule.

304074

After running the get-qcworkflowstatus cmdlet in the Synchronization Service, the workflow status is not accurate.

125768

Table 14: Known Issues – Active Roles Web Interface
Known Issue Issue ID

In the Active Roles Web Interface, Azure roles are not restored automatically after performing an Undo Deprovision action on a user.

Workaround

After the Undo Deprovision action is completed, assign the Azure roles to the user manually.

 172655

Active Roles does not support creating Azure groups for existing groups.

117015

Active Roles Web Interface does not support setting the Exchange Online Property of the ProhibitSendQuota value in Storage Quotas. 91905

In the Active Roles Web Interface, when you click Azure > Resource Mailboxes to query room mailboxes after being idle for approximately 15-20 minutes, the Active Roles Web Interface will not list any room mailboxes.

Workaround

Restart the Administration Service.

293380

Trying to reset the password of an Azure user in the Active Roles Web Interface returns the following error message:

One or more errors occurred. Http Exception - Status Code Forbidden. Reason phrase Forbidden {"error":{"code":Authorization_RequestDenied","message":"Insufficient privileges to complete the operation"}}

This error occurs because of a Microsoft Graph API-related issue, described in the Authorization_RequestDenied error when you try to change a password using Graph API article of the Microsoft Azure Troubleshooting documentation.

Workaround

To solve this problem, assign the Company Administrator Office 365 administrative role to Active Roles with the following PowerShell cmdlets:

Connect-MsolService
$displayName = "ActiveRoles"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId
$roleName = "Company Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

293601

System requirements

Before installing Active Roles 7.5.2, ensure that your system meets the following minimum hardware and software requirements.

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Before installing Active Roles 7.5.2, ensure that your system meets the following minimum hardware and software requirements, and install the following required software:

NOTE: To run these PowerShell commands, use the 64-bit version of Windows PowerShell.

Requirement

Details

Exchange Online PowerShell V2 module 2.0.3

The Exchange Online PowerShell V2 module version 2.0.3 (or newer) must be installed on the computer(s) running the Administration Service. For installation instructions, see Install and maintain the EXO V2 module in the Microsoft Azure Exchange PowerShell documentation.

Azure AD PowerShell module

The latest version of the Azure Active Directory (AD) PowerShell module must be installed on the computer(s) running the Administration Service. For installation instructions, see Installing the Azure AD Module in the Microsoft Azure PowerShell documentation.

Azure Az PowerShell module 2.5.3

The Azure Az PowerShell module version 2.5.3 (or older) must be installed on the computer(s) running the Administration Service and the Synchronization Service. For installation instructions, see Install the Azure Az PowerShell module in the Microsoft Azure PowerShell documentation.

Microsoft Teams PowerShell module 2.3.1

The Microsoft Teams PowerShell version 2.3.1 must be installed on the computer running the Administration Service. For installation instructions, see Install Microsoft Teams PowerShell in the Microsoft Teams documentation.

SharePoint Online Management Shell - x64

The SharePoint Online Management Shell must be installed on the computer running the Administration Service. For installation instructions, see Get started with SharePoint Online Management Shell in the Microsoft SharePoint PowerShell documentation.

Active Roles includes the following components:

This section lists the hardware and software requirements for installing and running each of these components.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating