Release Notes for BHOLD Suite SP1


Welcome to the release notes for Microsoft® BHOLD Suite. You can use these notes to help you successfully install and use Microsoft BHOLD Suite as well as to guide you as you troubleshoot issues that may arise when you use BHOLD Suite.

Installing Microsoft BHOLD Suite

Installing—You can find the software and hardware prerequisites information and instructions for installing in Microsoft BHOLD Suite SP1 Installation Guide.

Upgrading— Upgrading from a previous version of BHOLD or any of its modules to this Microsoft BHOLD Suite Release is not supported.

Known issues

Issues affecting multiple modules

  • After you have installed a BHOLD Suite module, do not run the module’s setup program again or use the Change or Repair option in the Add/Remove Programs control panel.

  • The Custom Setup page in the setup wizard for BHOLD Suite modules does not report disk requirements accurately. In addition, the Disk Requirements dialog box displayed by the Disk Usage button on that page does not report the correct disk requirements.

  • All BHOLD modules must be installed by a user logged on with an account that is a member of the Domain Admins group, and the user account must be in the same domain as the computer on which the software is being installed.

  • After you have installed a BHOLD Suite module, you cannot run the setup wizard again for any purpose other than to uninstall the module. When you install a BHOLD Suite module, you should install all components., Do not customize the installation because you will not be able to add components later except by uninstalling and then reinstalling the module.

BHOLD Analytics

  • In the Analytics portal, there is no option to delete a ruleset.

  • When creating a report with a global filter, make sure that the global filter is set on a field that exists in the database. Otherwise, the Analytics portal will stop responding.

  • After you save and reload a ruleset, options for extend results with are not selected.

BHOLD Attestation

  • Some terms used in BHOLD Attestation are not properly translated when the language is set to German.

  • BHOLD Attestation cannot send mail through an email server that requires SSL authentication.

  • You cannot reactivate a campaign that has been deactivated. If you attempt to do so, the results will be unpredictable.


  • Adding a policy to a role is not logged.

  • The Users page in the Core portal shows two columns that are not default attributes of the user object.

  • Do not create custom tables in the B1 database. Custom tables can prevent subsequent upgrades.

  • After you have uninstalled BHOLD Core, to reinstall BHOLD Core you must either use the same account you used for the previous installation, or you must delete the B1 database before reinstalling.

  • When you link a role to an orgunit by using the BHOLD Core portal, you might receive a No Session ID error. The role is linked correctly, however.

  • On the Permission page on the BHOLD Core portal, the Permissions Context Attachements field is not used.

  • If you uninstall BHOLD Core and then attempt to reinstall BHOLD Core by using the existing database, you must be logged on with the same account that was used to install BHOLD Core the first time. Otherwise, the installation will fail.

  • BHOLD Core does not create a log entry when a policy (that is, an attribute-based authorization, or ABA, rule) is added or removed from a role.

  • If you install the BHOLD Core module of BHOLD Suite SP1 as to replace (upgrade) an earlier version of BHOLD Core, you must provide the same port for the BHOLD website as when you first installed BHOLD Core. You cannot change the port by reinstalling BHOLD Core.

  • Installing BHOLD Core on a server running Microsoft Exchange is not recommended. If you must do so (such as in a test environment), you must modify the Internet Information Service (IIS) applicationhost.config file. The following instructions apply to Microsoft Exchange 2010 and might need to be modified for other versions.

    In %windir%\system32\inetsrv\config\applicationhost.config, locate the following lines:

    [add name="kerbauth" image="C:\Program Files\Microsoft\Exchange Server\V14\Bin\kerbauth.dll" /]
    [add name="exppw" image="C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\exppw.dll" /]

    Change them to the following (add preCondition="bitness64"):

    [add name="kerbauth" image="C:\Program Files\Microsoft\Exchange Server\V14\Bin\kerbauth.dll" preCondition="bitness64" /]   
    [add name="exppw" image="C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\exppw.dll" preCondition="bitness64" /]  

    After you change the file, you must reset IIS by using the iisreset command.

  • Creating a new user can fail with the following error, especially if the user is in a lower-level organizational unit and is allowed exactly one permission:

    msg_error_Cannot use the ROLLBACK statement within an INSERT-EXEC statement

    If this happens, do not specify a maximum number of permissions when creating the user. Instead, after the user is added to the BHOLD role model, you can modify the user attributes to specify the maximum number of permissions allowed for the user.

  • When you create a role, the Supervisor role and Orgunit context adaptable values might not be saved correctly if you select either check box. After you create a role with either of these check boxes selected, verify that the values are correct and, if not, click Modify to specify the correct value.

BHOLD FIM Integration

  • Whenever you install a new build of BHOLD, you must change the registry string CoreWebPath in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\bhold\FIM to enable the Self Service page to render. You must change the host name in the original value to the host IP address. For example, if the original value of CoreWebPath is https://ilm-vm-serverad:5151/bhold/core/b1scriptservice.asmx, it must be changed to a value such as

  • Do not change the database name of the FIMService database.

  • When installing Microsoft BHOLD Suite with Forefront Identity Manager 2010 R2, you must make sure that the bindings between the FIM Integration module and FIM are set to the R2 version number. The version number can be found in the FIM Portal under “About Forefront Identity Manager”. After you install the FIM Integration module, determine whether C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config contains a section with the following content and add it if it is not present:

      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">  
          <assemblyIdentity name="FunctionLibrary" publicKeyToken="31bf3856ad364e35" culture="neutral" />  
          <bindingRedirect oldVersion="" newVersion="4.1.2273.0" />  
          <assemblyIdentity name="Microsoft.IdentityManagement.Activities" publicKeyToken="31bf3856ad364e35" culture="neutral" />  
          <bindingRedirect oldVersion="" newVersion="4.1.2273.0" />  
          <assemblyIdentity name="Microsoft.ResourceManagement.Automation" publicKeyToken="31bf3856ad364e35" culture="neutral" />  
          <bindingRedirect oldVersion="" newVersion="4.1.2273.0" />  
          <assemblyIdentity name="Microsoft.ResourceManagement" publicKeyToken="31bf3856ad364e35" culture="neutral" />  
          <bindingRedirect oldVersion="" newVersion="4.1.2273.0" />  
          <assemblyIdentity name="Microsoft.IdentityManagement.WFExtensionInterfaces" publicKeyToken="31bf3856ad364e35" culture="neutral" />  
          <bindingRedirect oldVersion="" newVersion="4.1.2273.0" />  

    The newVersion value must reflect the version number of the FIM installation. If you upgraded FIM from FIM 2010 to FIM 2010 R2 before installing BHOLD FIM Integration, make sure the Microsoft.ResourceManagement.Service.exe.config file has the binding redirect in place to forward all older versions of FIM to the latest version you have installed.

  • Setting an expired end date for a user in FIM does not affect whether roles are approved for the user.

  • Before installing the BHOLD FIM Integration module on a computer running both the FIM Service and Microsoft SharePoint 2013 if the FIM Portal is hosted on a different server (that is, the FIM Portal is not hosted on the server running the FIM Service), you must change the name of the following registry value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\Location

    After installing BHOLD FIM Integration, change the name back to Location.

  • If BHOLD FIM Integration and the FIM Portal are installed with SharePoint 2013 and are not installed on the same server as the FIM Service, you must configure the Windows authentication for the BHOLD RoleExchangePoint site to permit remote client access.

    The following procedure requires you to log on with an account that can manage Internet Information Services on the BHOLD server.

    To configure BHOLD RoleExchangePoint security for separate FIM Portal and FIM Service
    1. Log on to the server running BHOLD FIM Integration.

    2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    3. In Internet Information Services (IIS) Manager, in the server tree, expand the server name, expand Sites, expand BHOLD, expand BHOLD, and then click RoleExchangePoint.

    4. Under IIS, open Authentication, right-click Windows Authentication, and then click Advanced Settings.

    5. In the Advanced Settings dialog box, clear the Enable Kernel-mode authentication check box, and then click OK.

    6. In the Authentication pane, right-click Windows Authentication, and then click Providers.

    7. In the Providers dialog box, click an item in Enabled Providers, and then click Remove. Repeat until all items are removed from the list.

    8. In the Available Providers list, click Negotiate:Kerberos, click Add, and then click OK.

    9. Click Start, click Accessories, right-click Command Prompt, and then click Run as administrator.

    10. At the command prompt, type iisreset, and then press the Enter key.

    11. When the Internet services have successfully restarted, close the Command Prompt window.

BHOLD FIM Provisioning

BHOLD FIM Provisioning has been superseded by the Access Management Control module is not available as part of BHOLD Suite SP1.

BHOLD Model Generator

  • The Model Generator console does not display the number of items to process.

  • After you export the role model database, the Model Generator console displays the name of a method instead of the path of the exported file.

  • Model Generator does not create a log file.

  • Selecting the Initiate database after report check box on the export page has no effect.

  • After you uninstall BHOLD Model Generator, the registry continues to contain references to BHOLD Model Generator.

  • When the Model Generator console is displayed, a warning icon is displayed in the lower left corner of the screen. Clicking and expanding the warning icon causes an error message that an exception was thrown.

  • By default, the BHOLD administrator does not have access to the Model Generator registry keys. To access those keys, the Administrator must take ownership of the registry keys and then assign full rights to the Administrator account.

BHOLD Reporting

  • By default, the Reporting module allows views on data in the FIM database. For this reason, you should restrict access to the Reporting module if BHOLD is connected to a FIM deployment.

  • The Reporting setup wizard has a page which displays file locations as features of the Reporting module. These locations cannot be changed.

  • The Reporting Maintain All Rights permission has no effect. However, the BHold Reporting View All permission allows all reports to be generated.

  • By default, the BHOLD administrator does not have access to the BHOLD Reporting registry keys. To access those keys, the Administrator must take ownership of the registry keys and then assign full rights to the Administrator account.

  • BHOLD Reporting is available only in English.

BHOLD Access Management Connector

Before using the Access Management Connector to import identity data into BHOLD from multiple sources or from a source that allows duplicate user names, ensure that all user names (that is, the names that will appear in the Description attribute of the BHOLD user object) are unique.