Customers, including me, will do anything. Crazy things. Things that the dev never imagined crazy people would do. I just thought I would jot down a few crazy things, and how to use FIM CM logging to track down what was expected of me – and how I did not meet these expectations.

First up, right off the bat, during the FIM CM configuration wizard, after the customer user accounts are specified.

 Error


Name translation: Input name found, but not the associated output format. (Exception from HRESULT: 0x80072118)

FIM CM Configuration Log

C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\Config.log

"2010-06-14 15:36:21.32 -07"       "Microsoft.Clm.Config.AD.NameTranslator"      
"System.String Translate(System.String, Microsoft.Clm.Interop.activeds.ADS_NAME_TYPE_ENUM, Microsoft.Clm.Interop.activeds.ADS_NAME_TYPE_ENUM)"         ""            "MGMT\administrator"                0x00000A48        0x00000001
Translating user name CN=CM_Agent,OU=FIMUsers,DC=mgmt,DC=local from ADS_NAME_TYPE_UNKNOWN to ADS_NAME_TYPE_NT4


So we are going from the DN to the NT4 (DOMAIN\user) name and cannot. ADS_NAME_TYPE_NT4 is a member of the ADS_NAME_TYPE_ENUM used via IADsNameTranslate. The IADsNameTranslate interface translates distinguished names (DNs) among the various formats defined in the ADS_NAME_TYPE_ENUM enumeration.


typedef enum  {
  ADS_NAME_TYPE_1779                      = 1,
  ADS_NAME_TYPE_CANONICAL                 = 2,
  ADS_NAME_TYPE_NT4                       = 3,
  ADS_NAME_TYPE_DISPLAY                   = 4,
  ADS_NAME_TYPE_DOMAIN_SIMPLE             = 5,
  ADS_NAME_TYPE_ENTERPRISE_SIMPLE         = 6,
  ADS_NAME_TYPE_GUID                      = 7,
  ADS_NAME_TYPE_UNKNOWN                   = 8,
  ADS_NAME_TYPE_USER_PRINCIPAL_NAME       = 9,
  ADS_NAME_TYPE_CANONICAL_EX              = 10,
  ADS_NAME_TYPE_SERVICE_PRINCIPAL_NAME    = 11,
  ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME   = 12
} ADS_NAME_TYPE_ENUM;
ADS_NAME_TYPE_NT4 is the account name format used in Windows NT 4.0, for example "Fabrikam\JeffSmith".
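The translation the wizard logs above can be reproduced outside the wizard with the same IADsNameTranslate COM interface. The script below is an added example, not code from the post or from FIM CM; it assumes a domain-joined machine, and the DN is the one from the Config.log line above (replace it with the account you are checking).

```powershell
# Added example, not code from the post: reproduce the wizard's name translation with
# the same IADsNameTranslate COM interface, so an account that cannot be translated is
# caught before the configuration wizard is run. Assumes a domain-joined machine; the
# DN is the one from the Config.log line above and must be replaced with your own.

# Constants from ADS_NAME_INITTYPE_ENUM and ADS_NAME_TYPE_ENUM (ADSI).
$ADS_NAME_INITTYPE_GC              = 3   # bind through the global catalog
$ADS_NAME_TYPE_NT4                 = 3   # "DOMAIN\user"
$ADS_NAME_TYPE_UNKNOWN             = 8   # let ADSI detect the input format
$ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9   # "user@domain"

function Convert-AdsName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $From = $ADS_NAME_TYPE_UNKNOWN,
        [int] $To   = $ADS_NAME_TYPE_NT4
    )
    # The NameTranslate object ships without a type library, so PowerShell has to
    # reach its Init/Set/Get methods through reflection.
    $nt = New-Object -ComObject NameTranslate
    try {
        [void]$nt.GetType().InvokeMember('Init', 'InvokeMethod', $null, $nt, @($ADS_NAME_INITTYPE_GC, $null))
        [void]$nt.GetType().InvokeMember('Set',  'InvokeMethod', $null, $nt, @($From, $Name))
        $nt.GetType().InvokeMember('Get', 'InvokeMethod', $null, $nt, @($To))
    } catch {
        # Unwrap the reflection wrappers to reach the COMException and its HRESULT
        # (0x80072118 is the one the wizard surfaced above).
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $hr = if ($ex -is [Runtime.InteropServices.COMException]) { $ex.ErrorCode } else { $ex.HResult }
        throw ("Cannot translate '{0}' to type {1}: {2} (HRESULT 0x{3:X8})" -f $Name, $To, $ex.Message, $hr)
    } finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($nt)
    }
}

# Check the agent account the way the wizard does (NT4) and also as a UPN, since the
# fix in this post was to give the account a user logon name.
$dn = 'CN=CM_Agent,OU=FIMUsers,DC=mgmt,DC=local'
foreach ($fmt in @(@{ Label = 'NT4'; Type = $ADS_NAME_TYPE_NT4 },
                   @{ Label = 'UPN'; Type = $ADS_NAME_TYPE_USER_PRINCIPAL_NAME })) {
    try   { '{0}: {1}' -f $fmt.Label, (Convert-AdsName -Name $dn -To $fmt.Type) }
    catch { '{0}: FAILED - {1}' -f $fmt.Label, $_.Exception.Message }
}
```

Run it for each service account the wizard asks for before launching the wizard; a FAILED line with HRESULT 0x80072118 is the same condition the Config.log entry above reports, and the account needs fixing in Active Directory before the wizard will get past that page.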

 

Resolution:

I had created each user with "net user", so they had no user logon name. Once I created a user logon name for each account, everything was good.


 

 

Next.. I think this was when enrolling for a smart card.

 Error


Value cannot be null. Parameter name: bytes

A bit cryptic eh? Not the best error returned to the end user..

FIM CM trace Logging:

Edit the web.config, look for <!-- TRACE SWITCHES **** and flip the value to 4 for verbose logging:

<add name="Microsoft.Clm.BusinessLayer.SD" value="5" />

 

After enabling this, we can see the following exception in the log located at c:\temp\clm.txt.

General Information
*********************************************

Additional Info:

Unable to access the certificate:

1) Exception Information
*********************************************
Exception Type: System.ArgumentNullException
Message: Value cannot be null.
Parameter name: bytes
ParamName: bytes
Data: System.Collections.ListDictionaryInternal
TargetSite: System.String ByteArray2HexString(Byte[])
HelpLink: NULL
Source: Microsoft.Clm.Common
StackTrace Information
*********************************************
   at Microsoft.Clm.Common.Utility.ByteArray2HexString(Byte[] bytes)
   at Microsoft.Clm.BusinessLayer.DataEncryption.GetCertificateFromHash(Byte[] certHash)

"2010-06-15 18:37:06.90 -07"    "Microsoft.Clm.Security.Principal.RevertToSelfContext"  "Void Restore()"        "MGMT\britta"   "MGMT\CM_WebAgent"      0x00000A64      0x00000004
Restoring saved token identity
"2010-06-15 18:37:06.90 -07"    "Microsoft.Clm.Security.Principal.RevertToSelfContext"  "Microsoft.Clm.Security.Principal.RevertToSelfContext RevertIfImpersonating()"  "MGMT\britta"   "MGMT\britta"   0x00000A64      0x00000004
Reverting to the process identity
"2010-06-15 18:37:06.90 -07"    "Microsoft.Clm.Security.Principal.RevertToSelfContext"  "Void Restore()"        "MGMT\britta"   "MGMT\CM_WebAgent"      0x00000A64      0x00000004
Restoring saved token identity
"2010-06-15 18:37:06.90 -07"    "Microsoft.Clm.BusinessLayer.UserIdentity"      "Boolean get_IsAuthenticated()" ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
Checking if MGMT\britta is authenticated
"2010-06-15 18:37:06.90 -07"    "Microsoft.Clm.BusinessLayer.UserIdentity"      "Boolean get_IsAuthenticated()" ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
True (is authenticated) MGMT\britta
"2010-06-15 18:37:06.93 -07"    "Microsoft.Clm.Web.GlobalASAX"  "Boolean DoesResxFileExist(System.Globalization.CultureInfo)"   ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
DoesResxFileExist
"2010-06-15 18:37:06.93 -07"    "Microsoft.Clm.Web.GlobalASAX"  "Boolean DoesResxFileExist(System.Globalization.CultureInfo)"   ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
Resx exists [C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\App_GlobalResources\WebResources.en-US.resx] for culture: en-US? False
"2010-06-15 18:37:06.93 -07"    "Microsoft.Clm.Web.GlobalASAX"  "Boolean DoesResxFileExist(System.Globalization.CultureInfo)"   ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
DoesResxFileExist
"2010-06-15 18:37:06.93 -07"    "Microsoft.Clm.Web.GlobalASAX"  "Boolean DoesResxFileExist(System.Globalization.CultureInfo)"   ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
Resx exists [C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\App_GlobalResources\WebResources.en.resx] for culture: en? True
"2010-06-15 18:37:06.93 -07"    "Microsoft.Clm.Web.GlobalASAX"  "Void Application_BeginRequest(System.Object, System.EventArgs)"        ""      "MGMT\CM_WebAgent"      0x00000A64      0x00000004
Web UiCulture: en-US. Web Culture: en-US

Resolution:


Found on the internet:

http://www.eggheadcafe.com/software/aspnet/30158542/clm-error-when-attempting.aspx

Anton Ovechkin posted on Friday, June 15, 2007 12:31 PM
Did you specify the hash of the cert(s) that you created manually in the
web.config? The following lines should have actual hash values (hex-encoded
strings, no spaces). The Config Wizard will do it for you, but if you are
requesting the certs manually you need to fill them in.

 

Sure enough, the web.config certificate hashes were not populated.

Sample:

<!-- Additional Valid Certificates~~~~~~~~~~~~~~~
     Define the list of additional certificates that are considered valid
     signing certificates. Current signing certificate is valid by definition.
     -->
<!-- comma-separated list of hex-encoded certificate hashes. -->
<add key="Clm.ValidSigningCertificates.Hashes" value="" />
<!-- controls how signing certificate is validated. -->
<add key="Clm.ValidSigningCertificates.ValidationFlag" value="-1" />

 Error


 

Message: Processing error: Error generating requested certificates. The request was denied by a certificate manager or CA administrator. 0x80094014

Terrible error returned to the end user: how is one supposed to know what to do? But at least we know the error is being sent back from the CA, in this case from the FIM CM policy module on the CA (you did install it, right?).

FIM CM: enable Policy Module logging

To enable Policy Module Logging create the following string registry keys on the CA server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<yourCAName>\PolicyModules\Clm.Policy
    "Microsoft.Clm.PolicyModule"="Verbose"
    "Microsoft.Clm.PolicyModule.Dump"="Verbose"
    "Microsoft.Clm.PolicyModulePlugins"="Verbose"

The logs are written to the CLM / FIM CM Event log on the CA.
To disable the logging, set the values to "None". You must restart the CA service for these changes to take effect.
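The registry values above can be flipped from a script rather than regedit, which also makes it harder to forget the "None" step afterwards. This is an added example, not code from the post or from FIM CM; it assumes an elevated session on the CA, and it reads the CA name from the "Active" value under CertSvc\Configuration, where the CA service records its own configuration name.

```powershell
# Added example, not code from the post: set the three policy module trace values
# above to Verbose or back to None and restart the CA service so the change takes
# effect. Assumes an elevated session on the CA; the CA name defaults to the "Active"
# value under CertSvc\Configuration, which is where the CA stores its own name.
function Set-ClmPolicyModuleLogging {
    param(
        [ValidateSet('Verbose', 'None')] [string] $Level = 'Verbose',
        [string] $CaName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active,
        [switch] $RestartCa
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules\Clm.Policy"
    if (-not (Test-Path -Path $key)) {
        throw "Policy module key not found: $key (is the FIM CM policy module installed on this CA?)"
    }
    foreach ($name in 'Microsoft.Clm.PolicyModule', 'Microsoft.Clm.PolicyModule.Dump', 'Microsoft.Clm.PolicyModulePlugins') {
        # REG_SZ values as listed in the post; -Force creates them or overwrites an existing value.
        New-ItemProperty -Path $key -Name $name -Value $Level -PropertyType String -Force | Out-Null
    }
    if ($RestartCa) { Restart-Service -Name CertSvc }   # the CA only reads these at start-up
    Get-ItemProperty -Path $key | Select-Object -Property 'Microsoft.Clm.PolicyModule*'
}

# Turn logging on, reproduce the failing enrollment, then read the policy module's
# errors back from the event log the post names.
Set-ClmPolicyModuleLogging -Level Verbose -RestartCa
Get-WinEvent -LogName 'FIM Certificate Management' -MaxEvents 50 |
    Where-Object { $_.ProviderName -eq 'FIM CM CA Modules' -and $_.Level -le 2 } |
    Select-Object TimeCreated, Message

# When finished, put the values back so the CA stops writing verbose traces:
# Set-ClmPolicyModuleLogging -Level None -RestartCa
```

Level 2 and below in Get-WinEvent is Error and Critical, which is the level of the event shown next; drop that filter to see the Verbose entries as well.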

Once this is turned on we see this:

Log Name:      FIM Certificate Management
Source:        FIM CM CA Modules
Date:          7/6/2010 9:23:34 AM
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MGMT-DC1.mgmt.local
Description:
"2010-07-06 09:23:34.65 -07"       "Microsoft.Clm.PolicyModule.Policy"                "Microsoft.Clm.Shared.CertificateServer.EnrollmentAttributes LoadEnrollmentAttributesData(System.String)"               ""            "NT AUTHORITY\SYSTEM"            0x00000D68                0x00000006
1) Exception Information
*********************************************
Exception Type: System.ApplicationException
Message: Signing certificate is not present in the list of valid signing certificates. Please verify that the FIM CM Agent signing certificate hash is specified in the CertValidHashes (REG_MULTI_SZ) value under the HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]\PolicyModules\Clm.Policy registry key.
Data: System.Collections.ListDictionaryInternal
TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)
HelpLink: NULL
Source: Microsoft.Clm.PolicyModule
StackTrace Information
*********************************************
   at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)
   at Microsoft.Clm.PolicyModule.Policy.LoadEnrollmentAttributesData(String xml)

Resolution:

 

Wow! What a great error – obviously someone put some thought into this one and expected this exact scenario.

On the CA, ensure that the following hash (specific to your server) is present in the policy module. If it is wrong, or does not exist, you will get the 0x80094014 error.

Get the hash from the FIM CM web.config:

    <!-- hex-encoded certificate hash. -->
    <add key="Clm.SigningCertificate.Hash" value="2d0896173de8d58324721eceae95889637efbc81" />

Then, on the CA properties -> Policy module:

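Both of the last two errors came down to a certificate hash being empty or missing: first the hash values in web.config, then the same signing hash not being in the policy module's CertValidHashes list on the CA. The script below is an added example, not code from the post or from FIM CM, that checks both in one pass. It assumes the web.config keeps its hashes in <add key="...Hash..." value="..." /> elements as in the samples above, that it runs on the CA (or that the FIM CM web.config has been copied there), and that the CA name can be read from the "Active" value under CertSvc\Configuration; the path is a placeholder.

```powershell
# Added example, not code from the post: audit every hash-valued setting in the FIM CM
# web.config and compare the signing hash with the CA policy module's CertValidHashes.
# Assumes the web.config layout shown in the post and an elevated session on the CA.
function Get-ClmConfigHashes {
    param([Parameter(Mandatory)] [string] $WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath
    # Every <add key="...Hash..."> element, wherever it sits in the file.
    foreach ($node in $cfg.SelectNodes("//add[contains(@key,'.Hash')]")) {
        # Clm.ValidSigningCertificates.Hashes is a comma-separated list and may legitimately
        # be empty (the current signing certificate is valid by definition); the others may not.
        $values = @($node.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $mayBeEmpty = $node.key -like '*.Hashes'
        $allHex = -not ($values | Where-Object { $_ -notmatch '^[0-9a-fA-F]{40}$' })
        [pscustomobject]@{
            Key        = $node.key
            Values     = $values
            WellFormed = ($values.Count -gt 0 -or $mayBeEmpty) -and $allHex
        }
    }
}

function Test-ClmSigningHashOnCa {
    param(
        [Parameter(Mandatory)] [string] $WebConfigPath,
        [string] $CaName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
    )
    $hashes  = @(Get-ClmConfigHashes -WebConfigPath $WebConfigPath)
    $signing = ($hashes | Where-Object { $_.Key -eq 'Clm.SigningCertificate.Hash' }).Values | Select-Object -First 1
    # CertValidHashes is the REG_MULTI_SZ value the policy module exception above points at.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules\Clm.Policy"
    $valid = @((Get-ItemProperty -Path $key -ErrorAction Stop).CertValidHashes)
    [pscustomobject]@{
        SigningHash   = $signing
        WebConfigOk   = -not ($hashes | Where-Object { -not $_.WellFormed })   # false -> "Value cannot be null"
        CaValidHashes = $valid
        ListedOnCa    = [bool]($valid | Where-Object { $_ -ieq $signing })     # false -> 0x80094014
        MalformedKeys = @($hashes | Where-Object { -not $_.WellFormed } | ForEach-Object { $_.Key })
    }
}

# Placeholder path: the web.config lives on the FIM CM server, under the
# "Certificate Management\web" folder of the install shown in the post.
Test-ClmSigningHashOnCa -WebConfigPath 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'
```

A result with WebConfigOk false and a non-empty MalformedKeys list is the first error in this pair; ListedOnCa false with a well-formed web.config is the second, and the fix is to add the printed SigningHash to the policy module on the CA as shown above.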

 

 Error


Specified name or server name of the CA is invalid


This error does give us something to go on.
The CA is stored in the SQL DB, and here it is not populated:


 Resolution:

No specific log that I found, but you need to ensure two things:

1. The Certificate Server exit module has the correct SQL connection string.
2. The Certificate Server machine account (domain\caserver$) has permissions on the SQL database: role membership = clmApp.
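The second item can be checked directly in SQL Server rather than by clicking through Management Studio. This is an added example, not code from the post or from FIM CM: it lists the members of the clmApp database role and reports whether the CA machine account is among them. Server and database names are placeholders, the query runs with the caller's Windows credentials, and the account name below is constructed from the computer name in the event above (MGMT-DC1 in domain MGMT).

```powershell
# Added example, not code from the post: confirm that the CA's machine account is a
# member of the clmApp role in the FIM CM database. $SqlServer and $Database are
# placeholders; the connection uses the caller's Windows identity.
function Get-ClmAppRoleMembers {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,
        [Parameter(Mandatory)] [string] $Database
    )
    # Role membership as SQL Server records it, resolved to principal names.
    $query = @"
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'clmApp'
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=$Database;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            [pscustomobject]@{ Member = $rdr['member_name']; Type = $rdr['type_desc'] }
        }
    } finally {
        $conn.Close()
    }
}

function Test-CaAccountInClmApp {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $CaMachineAccount   # domain\caserver$
    )
    $members = @(Get-ClmAppRoleMembers -SqlServer $SqlServer -Database $Database)
    [pscustomobject]@{
        CaMachineAccount = $CaMachineAccount
        IsMember         = [bool]($members | Where-Object { $_.Member -ieq $CaMachineAccount })
        RoleMembers      = @($members | ForEach-Object { $_.Member })
    }
}

# Constructed from the post: CA computer MGMT-DC1 in domain MGMT. Server/database are placeholders.
Test-CaAccountInClmApp -SqlServer 'SQLSERVER\INSTANCE' -Database 'FIMCM_DATABASE' -CaMachineAccount 'MGMT\MGMT-DC1$'
```

IsMember false means the CA exit module cannot write the CA record into the database even with a correct connection string, which is the state the empty CA entry above shows; the RoleMembers list tells you which login (if any) was granted instead.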

 

keyword: smartcard smart card CLM FIM