ASN1 bad tag value met.
-
Wednesday, April 01, 2009 1:45 PM
Hi
I have a problem with unblocking user smartcards. All is well up to the point where the user executes the unblock of his smartcard. Then the CLM website turns up an error:
ASN1 bad tag value met.
I have checked the event logs on the CLM server and here is what they turned up!
Certificate Lifecycle Manager Log
Event Type: Error
Event Source: System.Web
Event Category: None
Event ID: 0
Date: 2009-04-01
Time: 14:44:43
User: N/A
Computer: JUPITER
Description:
Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.
Type:System.Web.HttpUnhandledException
Source:System.Web
Stack Trace: at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.content_sm_requests_myrequests_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\clm\446be480\7055ce71\App_Web_j6dw42df.3.cs:line 0
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception:
Message:ASN1 bad tag value met.
Type:System.Runtime.InteropServices.COMException
Source:
Stack Trace: at Microsoft.Clm.Interop.capicom.EnvelopedDataClass.Decrypt(String EnvelopedMessage)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.Web.MyRequests.NeedAuthorizationOnRequest(Request clmRequest)
at Microsoft.Clm.Web.MyRequests.GetContinueUrl(Request clmRequest)
at Microsoft.Clm.Web.MyRequests.GetExecuteLinkCell(Request clmRequest, String className)
at Microsoft.Clm.Web.MyRequests.requestsGrid_InitializeRow(Object sender, RowEventArgs e)
at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.OnInitializeRow(UltraGridRow row, Object data)
at Infragistics.WebUI.UltraWebGrid.DBBinding.FillRows(UltraWebGrid grid, RowsCollection rows, IEnumerable datasource)
at Infragistics.WebUI.UltraWebGrid.DBBinding.BindList(IEnumerable datasource)
at Infragistics.WebUI.UltraWebGrid.DBBinding.DataBind(Object dataSource, String dataMember)
at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.DataBind()
at Microsoft.Clm.Web.MyRequests.LoadRequests()
at Microsoft.Clm.Web.MyRequests.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Application Log
Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1309
Date: 2009-04-01
Time: 14:44:43
User: N/A
Computer: JUPITER
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 2009-04-01 14:44:43
Event time (UTC): 2009-04-01 12:44:43
Event ID: c12334475e0c4569adcce85a32361e05
Event sequence: 244
Event occurrence: 3
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/Root/Clm-1-128830615937963451
Trust level: Full
Application Virtual Path: /Clm
Application Path: C:\Program Files\Microsoft Certificate Lifecycle Manager\web\
Machine name: JUPITER
Process information:
Process ID: 4872
Process name: w3wp.exe
Account name: RIKSBANK\clmWebPool
Exception information:
Exception type: COMException
Exception message: ASN1 bad tag value met.
Request information:
Request URL: https://jupiter/Clm/content/sm/requests/myrequests.aspx?NumberOfDays=-1&FilterRequests=ExecutableRequests
Request path: /Clm/content/sm/requests/myrequests.aspx
User host address: 10.210.5.206
User: RIKSBANK\TORKRO
Is authenticated: True
Authentication Type: Basic
Thread account name: RIKSBANK\clmWebPool
Thread information:
Thread ID: 1
Thread account name: RIKSBANK\clmWebPool
Is impersonating: False
Stack trace: at Microsoft.Clm.Interop.capicom.EnvelopedDataClass.Decrypt(String EnvelopedMessage)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.Web.MyRequests.NeedAuthorizationOnRequest(Request clmRequest)
at Microsoft.Clm.Web.MyRequests.GetContinueUrl(Request clmRequest)
at Microsoft.Clm.Web.MyRequests.GetExecuteLinkCell(Request clmRequest, String className)
at Microsoft.Clm.Web.MyRequests.requestsGrid_InitializeRow(Object sender, RowEventArgs e)
at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.OnInitializeRow(UltraGridRow row, Object data)
at Infragistics.WebUI.UltraWebGrid.DBBinding.FillRows(UltraWebGrid grid, RowsCollection rows, IEnumerable datasource)
at Infragistics.WebUI.UltraWebGrid.DBBinding.BindList(IEnumerable datasource)
at Infragistics.WebUI.UltraWebGrid.DBBinding.DataBind(Object dataSource, String dataMember)
at Infragistics.WebUI.UltraWebGrid.UltraWebGrid.DataBind()
at Microsoft.Clm.Web.MyRequests.LoadRequests()
at Microsoft.Clm.Web.MyRequests.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Custom event details:
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
All Replies
-
Wednesday, April 01, 2009 5:37 PM
It looks like you're running into an error while trying to decrypt the one-time password(s). I think I've seen this error before; as I recall, it was related to the encryption algorithm being used by CLM. This is defined in the web.config file. Look for the Clm.Encryption.Algorithm key, the default value is AES. I think I've seen that error when playing around with that value. Sorry I can't be more specific.
Have you changed that value?
Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc. -
Thursday, April 02, 2009 5:25 AM
Hi Marc
Thanks for your answer!
We have not been changing any values whatsoever, and the problem was first seen about a month ago on a single card but has since then escalated to be an issue that seems to affect every card! As we have set it up, we don't use one-time passwords for PIN unblock!
What is the ASN1 value actually being used for? And what is the mechanism for using it?
We have had a few issues with the smartcard driver that we are using; do you think the driver can have anything to do with this problem?
Regards
Uffe -
Thursday, April 02, 2009 3:32 PM
Uffe,
Unfortunately, I don't recall the exact circumstances where I had seen that error previously. The issues with the smartcard driver could be related, if they've impacted the smartcard's CSP. What type of smartcard / driver are you using?
From what I gather from your error message, CLM is trying to decrypt the secrets data from the CLM unblock request, which is encrypted, to determine if the request needs any further authorizations. It would seem this is where you're running into the error. I would suggest turning on verbose tracing ('4') in the CLM web.config for Microsoft.Clm.BusinessLayer and Microsoft.Clm.BusinessLayer.Encryption; I'd only turn this on for a quick test of the unblock request as this will generate a lot of log traffic. This should help pinpoint what is causing the error.
Are you collecting data registration items during your unblock workflow?
Cheers,
Marc
Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc. -
Friday, April 03, 2009 5:32 AM
Hi again
We had an issue with the certificate for the CLMAgent account having expired and we had to replace it, so we did, and everything seems to work as it should. Can that be part of this problem?
I will start logging as you suggested as soon as the team starts to arrive at work!
//Uffe -
Monday, April 06, 2009 12:08 AM
We had an issue with the certificate for the CLMAgent account having expired and we had to replace it, so we did, and everything seems to work as it should. Can that be part of this problem?
That is the entire problem. When the agent account cert expires and you get a new key, old encrypted data can no longer be decrypted. KB960765 has a fix for this that makes it possible for the old cert (assuming it's still in the machine's cert cache) to be used to decrypt old encrypted data.
AhmadAW (Microsoft Employee) - Marked As Answer by Ahmad Abdel-wahed, Monday, April 06, 2009 12:08 AM
-
Monday, April 06, 2009 6:45 AM
Hi
Thanks a lot Ahmad!
I guess this is the reason! However the link to the KB article is broken, I can't find any article with KB number 960765!
//Uffe -
Tuesday, April 07, 2009 7:09 AM
OK
So now we have a situation with an expired certificate, the CLMAgent certificate, by MS design issued by the CA using the default user template (v2, non-archived, non-exportable). The certificate that had expired is deleted from the MY store on the CLM server. The backup cycle for the CLM machine is a full weekly and a full monthly to disk inside the PKI subnet; backups overwrite the previous backup in the cycle, and guess what, the full monthly ran April 5, overwriting the previous full monthly!
Is there any way to get CLM to work again?
//Uffe -
Wednesday, April 08, 2009 8:48 AM
Hi
Thanks a lot Ahmad!
I guess this is the reason! However the link to the KB article is broken, I can't find any article with KB number 960765!
//Uffe
Uffe - the KB article has not been published yet so you'll need to call Customer Support Services, open a case, and request the hotfix. They may request a credit card number if you don't have a support contract but they won't charge your card once they determine that this is a bug fix.
Paul Adare CTO IdentIT Inc. ILM MVP -
Wednesday, April 08, 2009 11:00 AM
Hi again
Well, after a few errors I did manage to restore the old CLMAgent certificate, and guess what! It didn't help me, the ASN1 error still exists!
So any ideas about what it could be that's causing this to happen, if it wasn't the certificate??
Regards
//Uffe -
Wednesday, April 08, 2009 11:25 AM
Hi again
Well, after a few errors I did manage to restore the old CLMAgent certificate, and guess what! It didn't help me, the ASN1 error still exists!
So any ideas about what it could be that's causing this to happen, if it wasn't the certificate??
Regards
//Uffe
If the certificate has expired restoring the old certificate is not going to do you any good.
Paul Adare CTO IdentIT Inc. ILM MVP -
-
Wednesday, April 08, 2009 12:10 PM
I think I was a bit unclear there! I have replaced the outdated certificate, and during that operation I deleted the old certificate. Now I have the new certificate as well as the old certificate in the personal store of the CLMAgent account on the CLM server.
So I have a valid certificate as well as the expired one!
//Uffe -
Wednesday, April 08, 2009 12:37 PM
Uffe,
Given you've renewed the CLM agent's certificate, you'll need to modify the CLM web.config file to reflect the change. The file contains three keys that reference the thumbprint of the CLM agent's certificate. You'll need to get the certificate thumbprint for the valid certificate and change the value of the following keys:
- Clm.SigningCertificate.Hash
- Clm.SmartCard.ExchangeCertificate.Hash
- Clm.ValidSigningCertificates.Hashes
To be clear, the Clm.ValidSigningCertificates.Hashes must contain the previous certificate's thumbprint and the new certificate's thumbprint, separated by a semi-colon.
You will also need to verify the following key:
- Clm.Encryption.Certificate.Hash
Hopefully, this will help you resolve your issue. Restarting IIS is probably not a bad idea. :)
Cheers,
Marc
Marc Mac Donell, Senior Consultant (Identity Assurance), Avaleris Inc. -
Wednesday, April 08, 2009 1:14 PM
How did you restore the expired certificate? You need the expired certificate, the public key, and the private key as well, and as Marc points out you also need to update web.config.
When I ran into this issue I did all of the above and was still not able to resolve the issue so you probably also need the hotfix.
Paul Adare CTO IdentIT Inc. ILM MVP -
Wednesday, April 08, 2009 1:45 PM
Hi
I have restored both the public key and the private key!
Updated the web.config.
Still no cigar.
Did I hear hotfix??
//Uffe -
Wednesday, April 08, 2009 2:14 PM
The KB article that Ahmad mentioned.
Paul Adare CTO IdentIT Inc. ILM MVP -
Thursday, April 09, 2009 10:49 AM
Hi again guys! :)
I have the hotfix now and I installed CLM_2007_FP1_FULL_KB960765 (can I get a confirmation that this is the part of the hotfix I should apply?) and then rebooted the server. When it came up again the CLM service couldn't start! :( I managed to do a live test of our restore procedures and got the system back to the state it was in before I applied the hotfix!
I saw in the KB article that the fix will most likely fix my problem, so I just need to install it without crashing the system!
Any help/instructions would help a lot here!
//Uffe -
Tuesday, May 19, 2009 1:44 PM
Hi Uffe,
I have seen the same problem. We have renewed all the agent certificates (and made the changes in the Web.config file), everything works well with new cards, but cards issued before the certificate renewal can no longer be managed correctly by CLM. After a lot of testing I've finally got it to work if I keep the old certificate hash for Clm.Encryption.Certificate.Hash -but update all the others (Clm.SigningCertificate.Hash, Clm.EnrollmentAgent.Certificate.Hash and Clm.SmartCard.ExchangeCertificate.Hash). However, I don't know why this solved my problem...
Did you manage to find a nicer solution?
Cheers,
Joakim -
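As an added diagnostic (not from this thread and not part of CLM itself), the PowerShell check below reads the keys Marc listed, plus Clm.EnrollmentAgent.Certificate.Hash from Joakim's post, out of the CLM web.config and reports, for every thumbprint they reference, whether a certificate with a private key is present in the MY store and whether it has expired, which is the condition Ahmad described. The web.config path is the application path from the event log above; the assumption that thumbprints are hex, possibly with spaces, is mine.

```powershell
# Added check (not CLM tooling): cross-check the certificate thumbprints referenced in the
# CLM web.config against the certificates actually present in the MY stores visible to the
# account running this script (run it as the account whose store holds the agent certs).
param(
    [string]$WebConfig = 'C:\Program Files\Microsoft Certificate Lifecycle Manager\web\web.config'
)

# Keys named in this thread; Clm.ValidSigningCertificates.Hashes may hold several
# thumbprints separated by ';' (the previous and the renewed agent certificate).
$keys = @(
    'Clm.SigningCertificate.Hash',
    'Clm.SmartCard.ExchangeCertificate.Hash',
    'Clm.EnrollmentAgent.Certificate.Hash',
    'Clm.Encryption.Certificate.Hash',
    'Clm.ValidSigningCertificates.Hashes'
)

[xml]$cfg = Get-Content -Path $WebConfig
$settings = @{}
foreach ($add in $cfg.configuration.appSettings.add) { $settings[$add.key] = $add.value }

# Certificates in the current user's and the machine's personal (MY) stores.
$store = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My

foreach ($key in $keys) {
    if (-not $settings.ContainsKey($key)) {
        Write-Output ("{0,-42} MISSING from web.config" -f $key)
        continue
    }
    # Assumption: thumbprints are hex, possibly with spaces; normalise before comparing.
    foreach ($raw in ($settings[$key] -split ';')) {
        $thumb = ($raw -replace '\s', '').ToUpperInvariant()
        if (-not $thumb) { continue }
        $cert = $store | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        if (-not $cert) {
            $state = 'NOT FOUND in MY store (data protected with it cannot be decrypted)'
        } elseif (-not $cert.HasPrivateKey) {
            $state = 'found, but NO PRIVATE KEY (the public key alone cannot decrypt)'
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            # Per the thread an expired agent cert is still needed to decrypt data that was
            # enciphered while it was current, so report it rather than treat it as an error.
            $state = "found with private key, EXPIRED $($cert.NotAfter.ToShortDateString())"
        } else {
            $state = "OK, valid until $($cert.NotAfter.ToShortDateString())"
        }
        Write-Output ("{0,-42} {1} : {2}" -f $key, $thumb, $state)
    }
}
```

A thumbprint reported as NOT FOUND or without a private key for Clm.Encryption.Certificate.Hash matches the situation in this thread: secrets stored under the old key cannot be opened, whatever the state of the new certificate.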
Friday, May 22, 2009 8:52 AM
Hi Johan
Well, a nicer solution, I wouldn't really call it that! :)
I had the wrong build for the hotfix mentioned in the thread here and had to reinstall CLM altogether with new install media delivered from MS Support; that is, I got the whole CLM install media as a hotfix, hehe!
But now everything works well!
//Uffe -
Wednesday, May 27, 2009 8:07 AM
Aha! That is a fantastic hotfix! Well, reinstalling everything does not sound too attractive to me right now, especially if the install is potentially not even available to me. And we have issued almost 1000 cards from this installation… Did MS Support tell you anything about putting this correction in a later version of ILM/CLM?
Cheers,
Joakim
-
Wednesday, May 27, 2009 8:42 AM
Hi Joakim
Yes, this is going to be fixed. I didn't get a date, but the fix I got was from the development team with the understanding that it wasn't ready for production release yet!
As I understand it, your company is residing in central Stockholm? So am I, if you would like we could get in touch!
//Uffe -
Thursday, May 28, 2009 10:05 PM
Yes, that sounds like an excellent idea. Monday or Tuesday next week around lunchtime looks OK for me. You can email me directly - firstname.lastname.
Best regards,
Joakim
-
Wednesday, October 21, 2009 1:45 PM
Hi,
Did you guys ever manage to fix the issue? I'm in the same position now, and though I've reinstalled 1087 from MS and added hotfix 1118, I'm unable to retire smartcards issued with the old ClmAgent cert after renewal..
I do have a premier support case open, but any input is welcome..
// Kent Hedman -
Friday, October 30, 2009 11:59 AM
I don't know if you have got this fixed yet, but I just remembered that you have to edit the web.config file before you can get it to work!
Regards
Uffe