ASN1 bad tag value met.

    Question

  • Hi

    I have a problem with unblocking user smartcards. All is well up to the point where the user executes the unblock of his smartcard. Then the CLM website shows an error:

    ASN1 bad tag value met.

    I have checked the event logs on the CLM server and here is what they turned up!


    Certificate Lifecycle Manager Log

    Event Type: Error
    Event Source: System.Web
    Event Category: None
    Event ID: 0
    Date:  2009-04-01
    Time:  14:44:43
    User:  N/A
    Computer: JUPITER
    Description:
    Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.
    Type:System.Web.HttpUnhandledException
    Source:System.Web
    Stack Trace:   at System.Web.UI.Page.HandleError(Exception e)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.content_sm_requests_myrequests_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\clm\446be480\7055ce71\App_Web_j6dw42df.3.cs:line 0
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Inner Exception:Message:ASN1 bad tag value met.

    Type:System.Runtime.InteropServices.COMException
    Source:
    Stack Trace:   at Microsoft.Clm.Interop.capicom.EnvelopedDataClass.Decrypt(String EnvelopedMessage)
       at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
       at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
       at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
       at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
       at Microsoft.Clm.Web.MyRequests.NeedAuthorizationOnRequest(Request clmRequest)
       at Microsoft.Clm.Web.MyRequests.GetContinueUrl(Request clmRequest)
       at Microsoft.Clm.Web.MyRequests.GetExecuteLinkCell(Request clmRequest, String className)
       at Microsoft.Clm.Web.MyRequests.requestsGrid_InitializeRow(Object sender, RowEventArgs e)
       at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.OnInitializeRow(UltraGridRow row, Object data)
       at Infragistics.WebUI.UltraWebGrid.DBBinding.FillRows(UltraWebGrid grid, RowsCollection rows, IEnumerable datasource)
       at Infragistics.WebUI.UltraWebGrid.DBBinding.BindList(IEnumerable datasource)
       at Infragistics.WebUI.UltraWebGrid.DBBinding.DataBind(Object dataSource, String dataMember)
       at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.DataBind()
       at Microsoft.Clm.Web.MyRequests.LoadRequests()
       at Microsoft.Clm.Web.MyRequests.Page_Load(Object sender, EventArgs e)
       at System.Web.UI.Control.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Application Log

    Event Type: Warning
    Event Source: ASP.NET 2.0.50727.0
    Event Category: Web Event
    Event ID: 1309
    Date:  2009-04-01
    Time:  14:44:43
    User:  N/A
    Computer: JUPITER
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 2009-04-01 14:44:43
    Event time (UTC): 2009-04-01 12:44:43
    Event ID: c12334475e0c4569adcce85a32361e05
    Event sequence: 244
    Event occurrence: 3
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/1/Root/Clm-1-128830615937963451
        Trust level: Full
        Application Virtual Path: /Clm
        Application Path: C:\Program Files\Microsoft Certificate Lifecycle Manager\web\
        Machine name: JUPITER
     
    Process information:
        Process ID: 4872
        Process name: w3wp.exe
        Account name: RIKSBANK\clmWebPool
     
    Exception information:
        Exception type: COMException
        Exception message: ASN1 bad tag value met.
     
     
    Request information:
        Request URL: https://jupiter/Clm/content/sm/requests/myrequests.aspx?NumberOfDays=-1&FilterRequests=ExecutableRequests
        Request path: /Clm/content/sm/requests/myrequests.aspx
        User host address: 10.210.5.206
        User: RIKSBANK\TORKRO
        Is authenticated: True
        Authentication Type: Basic
        Thread account name: RIKSBANK\clmWebPool
     
    Thread information:
        Thread ID: 1
        Thread account name: RIKSBANK\clmWebPool
        Is impersonating: False
        Stack trace:    at Microsoft.Clm.Interop.capicom.EnvelopedDataClass.Decrypt(String EnvelopedMessage)
       at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
       at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
       at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
       at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
       at Microsoft.Clm.Web.MyRequests.NeedAuthorizationOnRequest(Request clmRequest)
       at Microsoft.Clm.Web.MyRequests.GetContinueUrl(Request clmRequest)
       at Microsoft.Clm.Web.MyRequests.GetExecuteLinkCell(Request clmRequest, String className)
       at Microsoft.Clm.Web.MyRequests.requestsGrid_InitializeRow(Object sender, RowEventArgs e)
       at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.OnInitializeRow(UltraGridRow row, Object data)
       at Infragistics.WebUI.UltraWebGrid.DBBinding.FillRows(UltraWebGrid grid, RowsCollection rows, IEnumerable datasource)
       at Infragistics.WebUI.UltraWebGrid.DBBinding.BindList(IEnumerable datasource)
       at Infragistics.WebUI.UltraWebGrid.DBBinding.DataBind(Object dataSource, String dataMember)
       at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.DataBind()
       at Microsoft.Clm.Web.MyRequests.LoadRequests()
       at Microsoft.Clm.Web.MyRequests.Page_Load(Object sender, EventArgs e)
       at System.Web.UI.Control.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
     
     
    Custom event details:

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

    Wednesday, April 01, 2009 1:45 PM

Answers

  • > We had an issue where the certificate for the CLMAgent account expired and we had to replace it, so we did and everything seems to work as it should. Can that be part of this problem?

    That is the entire problem.  When the agent account cert expires and you get a new key, old encrypted data can no longer be decrypted.  KB960765 has a fix for this that makes it possible for the old cert (assuming it's still in the machine's cert cache) to be used to decrypt old encrypted data.
    AhmadAW
    Monday, April 06, 2009 12:08 AM
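
The failure described in the accepted answer, reproduced as an added example at the CMS layer (this is not code from the thread or from Microsoft CLM). CLM stores request secrets as PKCS#7/CMS EnvelopedData encrypted to the agent certificate's public key (see the EnvelopedDataClass.Decrypt frame in the stack trace); the script below uses the equivalent Protect-CmsMessage / Unprotect-CmsMessage cmdlets in Windows PowerShell 5.1 instead of CAPICOM. It shows that a renewal which replaces the key pair and discards the old one strands everything encrypted before the renewal, that the new certificate cannot help, and that only the old private key (here backed up to a PFX, which a non-exportable template would not allow) recovers the data. Certificate subjects, the store location, the file path, the password and the plaintext are constructed for the example.

```powershell
# Added example, not code from the original thread or from Microsoft CLM.
# Demonstrates why re-keying the agent certificate breaks decryption of
# secrets enveloped to the old key. Requires Windows PowerShell 5.1 or later.
$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'   # example only; CLM keeps the agent cert in the agent account's MY store

# 1. The "old" agent certificate, i.e. the key the secrets were encrypted to at card issuance.
#    DocumentEncryptionCert gives the EKU that Protect-CmsMessage requires.
$old = New-SelfSignedCertificate -Type DocumentEncryptionCert `
       -Subject 'CN=CLMAgent-old (example)' -CertStoreLocation $store

# 2. Envelope a secret to it, standing in for CLM's DataEncryption.Encrypt.
$envelope = Protect-CmsMessage -To $old -Content 'PIN unblock secret 1234 (constructed)'

# 3. Diagnostic: which certificate does a stored blob require? The RecipientInfo
#    carries the issuer and serial of the encrypting certificate, so you can
#    compare it with what is still in the store before touching anything.
foreach ($r in (Get-CmsMessage -Content $envelope).Recipients) {
    $id = $r.RecipientIdentifier.Value          # X509IssuerSerial
    'Blob needs the key of: issuer="{0}" serial={1}' -f $id.IssuerName, $id.SerialNumber
}

# 4. While the old private key is in the store, decryption works.
'Before renewal: ' + (Unprotect-CmsMessage -Content $envelope)

# 5. Back up the old certificate WITH its private key before the renewal.
#    A template that marks the key non-exportable makes this impossible,
#    which is why a restore from backup is then the only option.
$pfx = Join-Path $env:TEMP 'clmagent-old-example.pfx'
$pfxPassword = ConvertTo-SecureString 'example-only-password' -AsPlainText -Force
Export-PfxCertificate -Cert $old -FilePath $pfx -Password $pfxPassword | Out-Null

# 6. Simulate the renewal as done in the thread: new key pair, old certificate deleted.
$new = New-SelfSignedCertificate -Type DocumentEncryptionCert `
       -Subject 'CN=CLMAgent-new (example)' -CertStoreLocation $store
Remove-Item -Path "$store\$($old.Thumbprint)" -DeleteKey

# 7. The store now holds only the new certificate; it is a different key pair,
#    so the old envelope cannot be opened. (The exception text differs between
#    CAPICOM and .NET; the thread saw it surface as the ASN1 error.)
try {
    Unprotect-CmsMessage -Content $envelope
} catch {
    'After renewal, new key only: ' + $_.Exception.Message
}

# 8. Only the old private key recovers the data; the new certificate is irrelevant.
Import-PfxCertificate -FilePath $pfx -CertStoreLocation $store -Password $pfxPassword | Out-Null
'After restoring the old key: ' + (Unprotect-CmsMessage -Content $envelope)

# Clean up the example certificates and the PFX.
Remove-Item -Path "$store\$($old.Thumbprint)" -DeleteKey
Remove-Item -Path "$store\$($new.Thumbprint)" -DeleteKey
Remove-Item -Path $pfx
```

Step 3 is the check worth running against a stored blob on a real CLM server before restoring anything: the issuer and serial in the RecipientInfo tell you exactly which agent certificate (and therefore which private key) the blob was enveloped to. Restoring the old key makes the blob decryptable again at this layer; as the rest of the thread reports, CLM itself additionally needed the web.config thumbprint changes and the hotfix before it would use the old certificate.
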

All replies

  • It looks like you're running into an error while trying to decrypt the one-time password(s).  I think I've seen this error before; as I recall, it was related to the encryption algorithm being used by CLM.  This is defined in the web.config file.  Look for the Clm.Encryption.Algorithm key, the default value is AES.  I think I've seen that error when playing around with that value.  Sorry I can't be more specific.

    Have you changed that value?


    Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc.
    Wednesday, April 01, 2009 5:37 PM
  • Hi Marc

    Thanks for your answer!

    We have not changed any values whatsoever, and the problem was first seen about a month ago on a single card but has since escalated to an issue that seems to affect every card! As we have set it up, we don't use one-time passwords for PIN unblock!

    What is the ASN1 value actually being used for? And what is the mechanism for using it?

    We have had a few issues with the smartcard driver that we are using; do you think the driver can have anything to do with this problem?

    Regards

    Uffe
    Thursday, April 02, 2009 5:25 AM
  • Uffe,

    Unfortunately, I don't recall the exact circumstances where I had seen that error previously.   The issues with the smartcard driver could be related, if they've impacted the smartcard's CSP.  What type of smartcard / driver are you using?

    From what I gather from your error message, CLM is trying to decrypt the secrets data from the CLM unblock request, which is encrypted, to determine if the request needs any further authorizations.  It would seem this is where you're running into the error.  I would suggest turning on verbose tracing ('4') in the CLM web.config for Microsoft.Clm.BusinessLayer and Microsoft.Clm.BusinessLayer.Encryption; I'd only turn this on for a quick test of the unblock request as this will generate a lot of log traffic.   This should help pinpoint what is causing the error. 

    Are you collecting data registration items during your unblock workflow?

    Cheers,

    Marc

    Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc.
    Thursday, April 02, 2009 3:32 PM
  • Hi again

    We had an issue where the certificate for the CLMAgent account expired and we had to replace it, so we did and everything seems to work as it should. Can that be part of this problem?

    I will start logging as you suggested as soon as the team starts to arrive at work!

    //Uffe   
    Friday, April 03, 2009 5:32 AM
  • Hi

    Thanks a lot Ahmad!

    I guess this is the reason! However the link to the KB article is broken, I can't find any article with KB number 960765!

    //Uffe 
    Monday, April 06, 2009 6:45 AM
  • OK

    So now we have a situation with an expired certificate, the CLMAgent certificate, by MS design issued by the CA using the default user template (v2, non-archived, non-exportable). The certificate that had expired is deleted from the MY store on the CLM server. The backup cycle for the CLM machine is a full weekly and a full monthly to disk inside the PKI subnet; backups overwrite the previous backup in the cycle, and guess what, the full monthly ran April 5, overwriting the full monthly!

    Is there any way to get CLM to work again?

    //Uffe
    Tuesday, April 07, 2009 7:09 AM
  • > Hi
    >
    > Thanks a lot Ahmad!
    >
    > I guess this is the reason! However the link to the KB article is broken, I can't find any article with KB number 960765!
    >
    > //Uffe

    Uffe - the KB article has not been published yet so you'll need to call Customer Support Services, open a case, and request the hotfix. They may request a credit card number if you don't have a support contract but they won't charge your card once they determine that this is a bug fix.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 08, 2009 8:48 AM
  • Hi again

    Well, after a few errors I did manage to restore the old CLMAgent certificate, and guess what! It didn't help me, the ASN1 error still exists!

    So any ideas about what could be causing this to happen if it wasn't the certificate??

    Regards

    //Uffe
    Wednesday, April 08, 2009 11:00 AM
  • > Hi again
    >
    > Well, after a few errors I did manage to restore the old CLMAgent certificate, and guess what! It didn't help me, the ASN1 error still exists!
    >
    > So any ideas about what could be causing this to happen if it wasn't the certificate??
    >
    > Regards
    >
    > //Uffe

    If the certificate has expired restoring the old certificate is not going to do you any good.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 08, 2009 11:25 AM
  • I think I was a bit unclear there! I have replaced the outdated certificate and during that operation I deleted the old certificate. Now I have the new certificate as well as the old certificate in the personal store of the CLMAgent account on the CLM server.

    So I have a valid certificate as well as the expired one!

    //Uffe 
    Wednesday, April 08, 2009 12:10 PM
  • Uffe,

    Given you've renewed the CLM agent's certificate, you'll need to modify the CLM web.config file to reflect the change.  The file contains three keys that reference the thumbprint of the CLM agent's certificate.   You'll need to get the certificate thumbprint for the valid certificate and change the value of the following keys:

    • Clm.SigningCertificate.Hash
    • Clm.SmartCard.ExchangeCertificate.Hash

    Additionally, you'll need to add the new thumbprint to the following key (separated by a semi-colon, not a comma as indicated in the file):

    • Clm.ValidSigningCertificates.Hashes

    To be clear, the Clm.ValidSigningCertificates.Hashes must contain the previous certificate's thumbprint and the new certificate's thumbprint, separated by a semi-colon.

    You will also need to verify the following key:

    • Clm.Encryption.Certificate.Hash

    If its value is empty, CLM uses the value of the Clm.SigningCertificate.Hash key to find the encryption certificate and you won't need to do anything further.  If it is not empty and it references the old certificate, you may need to change it as well.

    Hopefully, this will help you resolve your issue.  Restarting IIS is probably not a bad idea.  :)

    Cheers,

    Marc


    Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc.
    Wednesday, April 08, 2009 12:37 PM
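
The web.config procedure in the reply above, as an added example (not code from the thread or from Microsoft CLM). It assumes, since the page does not show the file, that the keys are ordinary ASP.NET appSettings entries of the form <add key="..." value="..."/>, that thumbprints are the SHA-1 hex strings shown by the Certificates MMC, and that the file sits in the CLM web directory from the event log; the thumbprints, the temp path and the web.config fragment in the demo at the bottom are made up.

```powershell
# Added example, not code from the thread or from Microsoft CLM: rebind the
# CLM agent certificate thumbprints in web.config after a renewal, following
# the steps in the reply above. Key names are the ones quoted there; the
# appSettings layout is an assumption.
function Update-ClmCertificateHashes {
    param(
        [Parameter(Mandatory)] [string] $WebConfigPath,
        [Parameter(Mandatory)] [string] $OldThumbprint,
        [Parameter(Mandatory)] [string] $NewThumbprint,
        # Check that the new certificate really is in LocalMachine\My with a
        # private key before rewriting anything. Off for the offline demo.
        [switch] $VerifyStore
    )

    # The MMC copies thumbprints with spaces and a hidden left-to-right mark; normalise.
    $old = ($OldThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $new = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    foreach ($t in $old, $new) {
        if ($t -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA-1 thumbprint: '$t'" }
    }
    if ($VerifyStore) {
        $cert = Get-Item "Cert:\LocalMachine\My\$new" -ErrorAction Stop
        if (-not $cert.HasPrivateKey) { throw "New certificate $new has no private key" }
    }

    # Keep a copy: web.config is the only place these bindings live.
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

    [xml] $cfg = Get-Content -Path $WebConfigPath -Raw
    $setting = { param([string] $Key)
        $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
        if (-not $node) { throw "appSettings key '$Key' not found in $WebConfigPath" }
        $node
    }

    # Keys that simply move to the new certificate.
    foreach ($key in 'Clm.SigningCertificate.Hash', 'Clm.SmartCard.ExchangeCertificate.Hash') {
        (& $setting $key).value = $new
    }

    # Valid signing certificates: old AND new, semicolon-separated (the comment
    # in the file says comma; the reply says that is wrong). Accept either
    # separator on input so an earlier comma-separated edit gets repaired too.
    $valid  = & $setting 'Clm.ValidSigningCertificates.Hashes'
    $hashes = @($valid.value -split '[;,]' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
    $hashes = @($hashes + $old + $new | Select-Object -Unique)
    $valid.value = $hashes -join ';'

    # Encryption certificate: empty means "same as Clm.SigningCertificate.Hash";
    # only rewrite it when it explicitly names the old certificate.
    $enc = & $setting 'Clm.Encryption.Certificate.Hash'
    if ($enc.value -and $enc.value.ToUpperInvariant() -eq $old) { $enc.value = $new }

    $cfg.Save($WebConfigPath)

    # Report the final bindings so they can be eyeballed before iisreset.
    $cfg.configuration.appSettings.add |
        Where-Object { $_.key -like 'Clm.*Certificate*' } |
        Select-Object key, value
}

# Demo on a constructed web.config fragment containing only the keys that matter.
$demo = Join-Path $env:TEMP 'clm-web.config.example'
@'
<?xml version="1.0"?>
<configuration>
  <appSettings>
    <!-- thumbprints below are made up for the example -->
    <add key="Clm.SigningCertificate.Hash" value="A1B2C3D4E5F60718293A4B5C6D7E8F9001122334" />
    <add key="Clm.SmartCard.ExchangeCertificate.Hash" value="A1B2C3D4E5F60718293A4B5C6D7E8F9001122334" />
    <add key="Clm.ValidSigningCertificates.Hashes" value="A1B2C3D4E5F60718293A4B5C6D7E8F9001122334" />
    <add key="Clm.Encryption.Certificate.Hash" value="" />
  </appSettings>
</configuration>
'@ | Set-Content -Path $demo -Encoding UTF8

Update-ClmCertificateHashes -WebConfigPath $demo `
    -OldThumbprint 'a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 01 12 23 34' `
    -NewThumbprint 'FFEEDDCCBBAA99887766554433221100ABCDEF01'
```

On a real server run it with -VerifyStore against C:\Program Files\Microsoft Certificate Lifecycle Manager\web\web.config and follow with iisreset. A later reply in this thread also lists Clm.EnrollmentAgent.Certificate.Hash among the keys it moved to the new certificate, and reports that cards issued before the renewal only worked with Clm.Encryption.Certificate.Hash left on the old thumbprint; the function above leaves that key alone when it is empty and otherwise follows the rule in the reply it illustrates, so adjust the last rewrite if you need that behaviour.
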
  • How did you restore the expired certificate? You need the expired certificate, the public key, and the private key as well, and as Marc points out you also need to update web.config.

    When I ran into this issue I did all of the above and was still not able to resolve the issue so you probably also need the hotfix.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 08, 2009 1:14 PM
  • HI

    I have restored both the public key and the private key!

    Updated the web.config

    Still no cigar

    Did I hear hotfix??

    //Uffe
    Wednesday, April 08, 2009 1:45 PM
  • The KB article that Ahmad mentioned.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 08, 2009 2:14 PM
  • Hi again guys! :)

    I have the hotfix now and I installed the CLM_2007_FP1_FULL_KB960765 (can I get confirmation that this is the part of the hotfix I should apply?) and then rebooted the server; when it came up again the CLM service couldn't start! :( I managed to do a live test of our restore procedures and got the system back to the state it was in before I applied the hotfix!

    I saw in the KB article that the fix will most likely fix my problem, so I just need to install it without crashing the system!

    Any help/instructions would help a lot here!

    //Uffe
    Thursday, April 09, 2009 10:49 AM
  • Hi Uffe,

    I have seen the same problem. We have renewed all the agent certificates (and made the changes in the Web.config file), everything works well with new cards, but cards issued before the certificate renewal can no longer be managed correctly by CLM. After a lot of testing I've finally got it to work if I keep the old certificate hash for Clm.Encryption.Certificate.Hash -but update all the others (Clm.SigningCertificate.Hash, Clm.EnrollmentAgent.Certificate.Hash and Clm.SmartCard.ExchangeCertificate.Hash).  However, I don't know why this solved my problem...

    Did you manage to find a nicer solution?

    Cheers,
    Joakim
    Tuesday, May 19, 2009 1:44 PM
  • Hi Johan

    Well, a nicer solution, I wouldn't really call it that! :)

    I had the wrong build for the hotfix mentioned in the thread here and had to reinstall CLM altogether with new install media delivered from MS Support, that is, I got the whole CLM install media as a hotfix, hehe!

    But now everything works well!

    //Uffe
    Friday, May 22, 2009 8:52 AM
  • Aha! That is a fantastic hotfix! Well, reinstalling everything does not sound too attractive to me right now, especially if the install is potentially not even available to me. And we have issued almost 1000 cards from this installation… Did MS Support tell you anything about putting this correction in a later version of ILM/CLM?

    Cheers,

    Joakim

    Wednesday, May 27, 2009 8:07 AM
  • Hi Joakim

    Yes, this is going to be fixed. I didn't get a date, but the fix I got was from the development team with the understanding that it wasn't ready for production release yet!

    As I understand it, your company is residing in central Stockholm? So am I, if you would like we could get in touch!

    //Uffe
    Wednesday, May 27, 2009 8:42 AM
  • Yes, that sounds like an excellent idea. Monday or Tuesday next week around lunchtime looks OK for me. You can email me directly: firstname.lastname.
    Best regards,
    Joakim

    Thursday, May 28, 2009 10:05 PM
  • Hi,

    Did you guys ever manage to fix the issue? I'm in the same position now, and though I've reinstalled 1087 from MS and added hotfix 1118, I'm unable to retire smartcards issued with the old ClmAgent cert after renewal..

    I do have a premier support case open, but any input is welcome..

    // Kent
    hedman
    Wednesday, October 21, 2009 1:45 PM
  • I don't know if you have got this fixed yet, but I just remembered that you have to edit the web.config file before you can get it to work!

    Regards

    Uffe 
    Friday, October 30, 2009 11:59 AM