FIM CM Provision API - Enrollment
-
Wednesday, February 09, 2011 12:36 PM
Hello There,
We are trying to develop a web service (signed XML output) using the FIM CM Provision API to create a user certificate request to submit to a third-party CA.
We are getting a couple of issues, listed below.
Issue 1. FindOperations.UseRemoting = false; as we are not using the remoting method now.
ReadOnlyCollection<ProfileTemplate> list = FindOperations.FindAllProfileTemplates();
We get the error below:
system.InvalidOperationException: Application attempted to use .config file settings, but it hasn't been parsed yet.
at Microsoft.clm.common.clmconfiguration.CheckInit()
at Microsoft.clm.common.clmconfiguration.get_AuthAgentUsername()
at Microsoft.clm.BusinessLayer.settings.get_AuthAgentUsername()
at Microsoft.clm.BusinessLayer.Security.getClmAuthAgent()
at Microsoft.clm.BusinessLayer.UserProfiles.GetUserProfiles()
at Microsoft.clm.BusinessLayer.Shared.FindOperations.FindAllProfiletemplates()
at Microsoft.clm.Provision.FindOperationsByCulture.FindAllProfiletemplates(CultureInfo uiculture,Cultureinfo culture)
at Microsoft.clm.Provision.FindOperations.FindAllProfiletemplates
at Enroll.EnrollusingProvisionapi() in c:\Users\Administrator\Documents\Visual Studio 2010\Websites\FimFinal\App_Code\Enroll.cs
Issue 2. The FIM CM web portal (https://localhost/CertificateManagement) was running fine and is now getting an error:
HTTP Error 404.17 - Not Found
The requested content appears to be script and will not be served by the static file handler.
I tried changing the application pool from clmAppPool to .NET Classic and all the available options (Default, .NET, Integrated, etc.) but still get the same error.
Before this error, I created some sample profile templates using this FIM CM web portal; they appear under the container Public Key Services / Profile Templates in Active Directory Sites and Services, which is on the same machine (a 2008 Datacenter machine).
The FIM CM CA is on the same machine and the SQL connection string is configured now. The Microsoft CA is running on the same machine for temporary testing; the CA server name is in the CertificateAuthority table of the SQL database. The exit module and policy module are configured, and the clmAgent user certificate thumbprint is added in the policy module.
In SQL Security > Logins, the 'clmApp' role is given to one AD user. By default the clmApp role was for the SQL user 'clmuser'.
The Profile Templates table in the SQL DB is NULL now, with no values in it.
Regards, Mangesh
All Replies
-
Thursday, February 10, 2011 10:21 AM
Kindly waiting...
-
Thursday, February 10, 2011 9:13 PM
For issue #1:
UseRemoting must be set to true for out-of-process applications that are accessing the Provision API remotely. .NET remoting allows client apps to make calls to remote objects hosted in the IIS process where the CLM web app is running. UseRemoting must be set to false for in-process applications. I strongly suggest that you do not attempt to run your service in the same pool, but instead access the Provision API remotely. This is the intended scenario, and it is what we support.
-
Friday, February 11, 2011 10:16 AM
Hi Heena,
But we need to create a web service which will interact with a Java application; for this we need to use the in-process method, as specified in the Microsoft article:
Using In-process calls
Developers can access the Provision API, or create notification handlers, or implement specific interfaces to run in-process with the FIM CM server. A developer could potentially write his/her own ASPX pages and make them run in the same process as the FIM CM Web application using the Provision API.
url: http://msdn.microsoft.com/en-us/library/bb468079.aspx
Do you mean to say that there is some issue with the in-process method?
-
Friday, February 11, 2011 11:47 AM
Hi Heena,
I had tried a console application using remoting, in which I had specified:
RequestOperations.UseRemoting = true;
I got the error below:
The remote server returned an error: (401) Unauthorized.
Can you please let me know the solution for this?
-
Friday, February 11, 2011 8:55 PM
You do not need to use in-process just because you are creating a web service. Please try to access the Provision API remotely from a web service in a separate pool.
Does your client-side remoting app config file look similar to this?
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="http" useDefaultCredentials="true">
          <clientProviders>
            <formatter ref="binary" />
          </clientProviders>
        </channel>
      </channels>
      <client>
        <wellknown type="Microsoft.Clm.Provision.RequestOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests2.rem" />
        <wellknown type="Microsoft.Clm.Provision.FindOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests3.rem" />
        <wellknown type="Microsoft.Clm.Provision.PermissionOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests4.rem" />
        <wellknown type="Microsoft.Clm.Provision.ExecuteOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests5.rem" />
      </client>
    </application>
  </system.runtime.remoting>
</configuration>
-
Saturday, February 12, 2011 3:10 AM
Hi Heena,
Thanks a ton. Appreciate your effort.
I have exactly the same thing in the configuration file, which I took from your inputs on the thread below:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/558007bb-8c0f-424c-97db-57edd6574ce5/
-
Monday, February 14, 2011 6:52 AM
Hi Heena,
For the console application I am still getting an error; it says:
System.DirectoryServices.DirectoryServicesCOMException was caught
Message=There is no such object on the server.Source=System.DirectoryServices
ErrorCode=-2147016656
ExtendedError=0
ExtendedErrorMessage=""
StackTrace:
Server stack trace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_Name()
at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(DirectoryEntry entry)
at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(Guid profileTemplateUuid)
at Microsoft.Clm.BusinessLayer.UserProfiles.GetProfileTemplate(Guid profileTemplateUuid)
at Microsoft.Clm.BusinessLayer.Shared.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
at Microsoft.Clm.Provision.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
at FIMSample.Program.Main(String[] args) in C:\Users\Administrator\Documents\Visual Studio 2010\Projects\FIMPOC\FIMSample\Program.cs:line 29
InnerException:
-
Monday, February 14, 2011 8:19 AM
Hi,
After your last reply, this definitely looks like a permissions issue. Are you sure the domain user you're running the app with has read rights to the Configuration container to see the profile template objects in AD?
They are located in: <your domain>/Configuration/Services/Public Key Services/Profile Templates/<your templates>
Piotr
-
Monday, February 14, 2011 10:07 AM
Hi Piotr,
Thanks a lot. Appreciate your help. But the permission is already there for the profile template, as specified by you. Can you please let me know if I need to try something else for the error below?
System.DirectoryServices.DirectoryServicesCOMException was caught
Message=There is no such object on the server.Source=System.DirectoryServices
ErrorCode=-2147016656
ExtendedError=0
ExtendedErrorMessage=""
StackTrace:
Server stack trace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_Name()
at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(DirectoryEntry entry)
at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(Guid profileTemplateUuid)
at Microsoft.Clm.BusinessLayer.UserProfiles.GetProfileTemplate(Guid profileTemplateUuid)
at Microsoft.Clm.BusinessLayer.Shared.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
at Microsoft.Clm.Provision.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
at FIMSample.Program.Main(String[] args) in C:\Users\Administrator\Documents\Visual Studio 2010\Projects\FIMPOC\FIMSample\Program.cs:line 29
-
Monday, February 14, 2011 11:32 AM
Hi,
I remember I was struggling with something similar, but it was within the same IIS process FIM CM runs in, so I'm not sure how it's being processed from a console application.
As you see in your stack trace, it's using remoting in the middle before doing the actual call to AD, so I'm not sure it's using the same credentials as the ones you're running the app with. When I saw the same error in the IIS context it ended up being something wrong with delegation on the web pool account. But with the console app, I don't see how that would apply. The second thing is what Heena wrote about the config file entries: are you sure you have them?
If it's a permissions issue, maybe you will be able to find something in the security event log, either on the box or on the DC.
Piotr
-
Monday, February 14, 2011 12:29 PM
Hi Piotr,
Thanks, I have a log which says:
Active Directory Certificate Services denied request 12 because An unknown error occurred while processing the certificate. 0x80090327 (-2146893017). The request was for FIMPOC\Administrator. Additional information: Denied by Policy Module
I have my config file, which is exactly the same as Heena said.
-
Monday, February 14, 2011 1:31 PM
I'm a bit lost, could we focus on one case at a time? Are you creating a:
- webService?
- console app?
- the last error is from "Active Directory Certificate Services", and at the top you wrote you're using a "Third Party CA" - this error looks like it's from the CA, so not directly related to any of the above.
Piotr
-
Monday, February 14, 2011 2:21 PM
Hi Piotr,
Our objective is to test with a third-party CA, but currently we are using the inbuilt CA. The above error was from the FIM CM 2010 web portal, which is solved, and yes, it is from Active Directory Certificate Services.
We have created one console application and one web application so that we can use the Provision API. With both approaches we are getting the same error:
- We have proper client configuration
- Rights of profile template is given for administrator user
System.DirectoryServices.DirectoryServicesCOMException was caught
Message=There is no such object on the server
-
Monday, February 14, 2011 3:03 PM
Hi,
Can you paste the code you're using?
It still looks like a permissions issue. To help troubleshoot, you can try using System.DirectoryServices.DirectoryEntry directly and try to bind to where you're trying to bind with the FIM CM Provisioning API.
Piotr
-
Tuesday, February 15, 2011 5:36 AM
Hi Piotr,
Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Clm.Provision;
using Microsoft.Clm.Shared;
using System.IO;
using Microsoft.Clm.Shared.ProfileTemplates;
using System.Configuration;
using System.Runtime.Remoting;
using System.DirectoryServices;

public partial class Enroll : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string sUuid = "E52935D0-8931-451A-B59E-276098F52EC2";
        Guid uuid = new Guid(sUuid);
        try
        {
            FindOperations.UseRemoting = true;
            ProfileTemplate profileTemplateUuid = FindOperations.GetProfileTemplate(uuid);
            if (profileTemplateUuid == null)
            {
                Response.Write("Could not find a Profile Template for uuid ");
                return;
            }
            string input = "FIMPOC\\Administrator";
            if (!string.IsNullOrEmpty(input))
            {
                Guid userTarget = new Guid(input);
                RequestOperations.UseRemoting = true;
                Microsoft.Clm.Shared.Requests.Request enrollRequest =
                    RequestOperations.InitiateEnroll(profileTemplateUuid.Uuid, null, userTarget, "My comment", 101);
                Response.Write("enroll uid" + enrollRequest.Uuid);
            }
        }
        catch (Exception ex)
        {
            Response.Write("there is some issue");
            Response.Write(ex);
        }
    }
}
-
Tuesday, February 15, 2011 7:06 AM
Hi,
Please try binding to that object in a try ... catch before using the FIM CM API.
Do something like (please correct any syntax errors, my C# is rusty):
System.DirectoryServices.DirectoryEntry dirEntry = System.DirectoryServices.DirectoryEntry("LDAP://<GUID=E52935D0-8931-451A-B59E-276098F52EC2>");
Response.Write(dirEntry.Properties("distinguishedName").Value);
Anyway, could someone confirm this code will be using the current web pool account credentials, and not some other because of the remoting?
In addition, looking at what's below in your code ... are you sure "Guid userTarget = new Guid(input);" will work?
Piotr
-
Tuesday, February 15, 2011 12:58 PM
Hi Piotr,
Thanks for your input, appreciate your efforts. I tried using your input.
Firstly, the syntax for your code should be:
System.DirectoryServices.DirectoryEntry dirEntry = new System.DirectoryServices.DirectoryEntry("LDAP://<GUID=E52935D0-8931-451A-B59E-276098F52EC2>");
Response.Write(dirEntry.Properties["distinguishedName"].Value);
But I still get the same error. I am pasting the code below:
string sUuid = "E52935D0-8931-451A-B59E-276098F52EC2";
Guid uuid = new Guid(sUuid);
try
{
    System.DirectoryServices.DirectoryEntry dirEntry =
        new System.DirectoryServices.DirectoryEntry("LDAP://<GUID=E52935D0-8931-451A-B59E-276098F52EC2>");
    Response.Write(dirEntry.Properties["distinguishedName"].Value);
    FindOperations.UseRemoting = true;
    ProfileTemplate profileTemplateUuid = FindOperations.GetProfileTemplate(uuid);
    if (profileTemplateUuid == null)
    {
        Response.Write("Could not find a Profile Template for uuid ");
        return;
    }
    // backslash escaped so the literal is the account name, not an alert character
    string input = "FIMPOC\\administrator";
    if (!string.IsNullOrEmpty(input))
    {
        Guid userTarget = new Guid(input);
        RequestOperations.UseRemoting = true;
        Microsoft.Clm.Shared.Requests.Request enrollRequest =
            RequestOperations.InitiateEnroll(profileTemplateUuid.Uuid, null, userTarget, "My comment", 101);
        Response.Write("enroll uid" + enrollRequest.Uuid);
    }
}
catch (Exception ex)
{
    Response.Write("there is some issue");
    Response.Write(ex);
}
System.DirectoryServices.DirectoryServicesCOMException was caught
Message=There is no such object on the server
Regarding Guid userTarget = new Guid(input): yes, it should work, but my code breaks at your Response.Write() now, so it is not even getting to this point. As you say, there is some permission issue. Can you tell me if there is something I need to do in Active Directory?
Thanks
Ganesh
-
Tuesday, February 15, 2011 7:32 PM
Hi Ganesh,
The idea with the check was to see if you can directly bind to the object with your credentials, not using the FIM CM Provisioning API. So were you able to see the response from those lines before the error, or did they cause the error?
And also, you might need to add the DNS name of your domain, or DC, before the GUID, like "LDAP://my.domain.com/<GUID=E52935D0-8931-451A-B59E-276098F52EC2>".
Anyway, I see you're testing this with the web app; is the web pool running on an account that has access to the templates?
Piotr
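As an added example (not code from this thread, nor FIM CM's own code), the following console program performs the direct binds Piotr describes in this reply and the one before it: the template by objectGUID with and without the domain's DNS name in front, plus the Profile Templates container under the Configuration partition, all with the caller's own credentials and no remoting in the path. The domain name is a placeholder, the template GUID is the one quoted in the thread, and the error-code interpretation is the standard Win32 value behind "There is no such object on the server".

```csharp
// Added diagnostic, not from the thread: bind with System.DirectoryServices to the same
// objects the Provision API reads. Assumes a reference to System.DirectoryServices.dll.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class AdBindCheck
{
    // Placeholder: replace with your domain's DNS name (or a specific DC).
    const string DomainDns = "my.domain.com";
    // Profile template objectGUID quoted in the thread.
    const string TemplateGuid = "E52935D0-8931-451A-B59E-276098F52EC2";
    // HRESULT for ERROR_DS_NO_SUCH_OBJECT, "There is no such object on the server"
    // (decimal -2147016656, the ErrorCode in the posted exception).
    const int DsNoSuchObject = unchecked((int)0x80072030);

    // Binds to an LDAP path and reads distinguishedName, which forces the real bind
    // (DirectoryEntry is lazy: the constructor alone never contacts the server).
    static bool TryBind(string path, out string detail)
    {
        try
        {
            using (var entry = new DirectoryEntry(path))
            {
                detail = "OK: " + entry.Properties["distinguishedName"].Value;
                return true;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // AD answers NO_SUCH_OBJECT both when the object is absent and when the caller
            // lacks read rights on it, so compare this result with a bind made by an
            // account that is known to have rights before concluding which it is.
            string hint = ex.ErrorCode == DsNoSuchObject
                ? " (object absent OR not readable by this account)"
                : "";
            detail = string.Format("DS error 0x{0:X8}: {1}{2}", ex.ErrorCode, ex.Message, hint);
            return false;
        }
        catch (COMException ex)
        {
            // Other ADSI failures, e.g. server unreachable or bad credentials.
            detail = string.Format("COM error 0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
            return false;
        }
    }

    static int Main()
    {
        Console.WriteLine("Binding as {0}\\{1}", Environment.UserDomainName, Environment.UserName);

        // RootDSE is readable by any authenticated user and names the Configuration partition.
        string configNc;
        using (var root = new DirectoryEntry("LDAP://" + DomainDns + "/RootDSE"))
            configNc = (string)root.Properties["configurationNamingContext"].Value;

        string[] paths =
        {
            // The container FIM CM reads profile templates from (the path given in the thread).
            "LDAP://" + DomainDns + "/CN=Profile Templates,CN=Public Key Services,CN=Services," + configNc,
            // The template itself by objectGUID, as the Provision API loads it.
            "LDAP://<GUID=" + TemplateGuid + ">",
            // Same object, with the domain name in front as suggested in the thread.
            "LDAP://" + DomainDns + "/<GUID=" + TemplateGuid + ">",
        };

        int failures = 0;
        foreach (string path in paths)
        {
            string detail;
            if (!TryBind(path, out detail)) failures++;
            Console.WriteLine("{0}\n    {1}", path, detail);
        }
        return failures; // non-zero exit code if any bind failed
    }
}
```

Run it once under the account the console app uses and once under the web pool identity (for example with runas); if the container bind succeeds but the GUID bind fails for only one of them, the difference is an ACL on the template object rather than a FIM CM or remoting problem.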
-
Wednesday, February 16, 2011 8:38 AM
Hi Piotr,
I didn't get any response; the error was caused when we were directly binding with our credentials. I even added the DNS name of my domain.
With regard to the web app, it is using DefaultAppPool with FIMPOC\clmwebpool as its identity, which has permission on the template.
- Proposed As Answer by ganesh bipin panda Wednesday, February 16, 2011 11:33 AM
- Edited by ganesh bipin panda Wednesday, February 16, 2011 11:48 AM
-
Wednesday, February 16, 2011 11:36 AM
Sorry guys,
By mistake proposed as answer was clicked. Please ignore it
-
Wednesday, March 02, 2011 6:47 PM
I am not sure if it's affecting you, but on our site it looks like the CLM update is breaking remoting on the CLM server. It's affecting us in a lot of different ways: the Bulk Printing agent, notifications, and a few other parts all seem to use this, and there appears to be some underlying problem that's preventing it from working. Our custom code works fine in one of our test environments that doesn't have the update applied, but once we apply the update, that environment also stops working.
We have a ticket open with Microsoft, and they are doing a great job tracking it down, and I hope they have an answer soon. If it looks like it's going to be a while, we are going to have to reinstall our CLM deployments (uninstalling the update doesn't clear the problem, you have to reinstall).
Just thought I would throw this out in case you are having similar issues.
-
Friday, March 04, 2011 8:02 PM
Ok, thanks to the CLM support guys, we got the problem I was having figured out. They tracked it down to a DLL version mismatch. Looks like the client had newer DLLs than the server did. So if you're having troubles in the area of CLM and remoting, check to make sure the DLLs match between client and server, specifically Microsoft.Clm.Common, Microsoft.Clm.Provision, Microsoft.Clm.Shared, Microsoft.Clm.BusinessLayer (not sure if the last one is needed).
The actual error we were getting on the bulk client was "Object cannot be stored in an array of the type", in case it helps someone searching.
The solution in the end was to apply the Update 1 hotfix to the server; this seemed to fix both the client and the server side. I am now able to query the profiles from my provisioning code where I couldn't even connect before.
The hotfix rollup package can be found at:
http://support.microsoft.com/kb/2028634
Make sure that you check the FIM Service after installing; I found it got switched back to Manual. (I have it on Delayed Start on mine because we run the SQL server on the CLM server.)
- Marked As Answer by Markus Vilcinskas, Microsoft Employee, Owner, Friday, April 08, 2011 3:08 PM
-
Wednesday, August 10, 2011 4:18 PM
Ok, turns out that I started getting the exact same problem, and it wasn't a DLL mismatch.
In this case I could unblock most of the users, but there were a few cards that produced the "There is no such object on the server" error right after we selected the user (so we never got to the unblock choice).
It turns out that the problem had to do with a group the user was a member of. The CLM portal was trying to enumerate all the groups that the user was a member of, and it looks like it didn't have rights to one of them.
Microsoft Uber Guru David G. (no, I am not going to tell you his full name, get your own Uber Guru) was able to figure this out because the logging showed a "GetGroupBySid" failing.
He also told me that you can configure CLM to ignore all non-CLM-related groups a user is a member of, by telling CLM which groups to care about. Since we are sub-delegated this seemed like a great idea, so we modified the
<add key="Clm.RequestSecurity.Groups" value="" />
line in the web.config file to include the groups CLM uses, and everything started working as it should.
I think Microsoft is writing up a doc on this. I would Google (oops, sorry, meant Bing) "Clm.RequestSecurity.Groups" and see if you can't find it in a week or two.
Meow
-
Sunday, January 29, 2012 11:50 AM
In regards to
"The remote server returned an error: (401) Unauthorized."
You should add these lines to the channel properties in your web.config:
<channels>
  <channel ref='http' useDefaultCredentials='true'>
    <clientProviders>
      <formatter ref='binary' />
    </clientProviders>
  </channel>
</channels>
Tamir Lavi
- Edited by Tamir Lavi Sunday, January 29, 2012 11:51 AM
-
Monday, March 05, 2012 2:15 PM
Hi everybody!
I have tried everything proposed in this thread, and I still get the 401 error. There's no DLL mismatch, and the server and client configuration seem to be OK for remoting. I've created a console application for testing purposes, but what I don't get is how the remote server where FIM CM is running identifies the user making the remote requests. Do I need to submit the user's UUID for identification, or is the user determined automatically by just running the remote app under his account? The user running the console app is a user with admin rights known to AD; those rights include reading and approving requests, and it works if I access FIM CM via the web interface under the same URL I put into my local configuration file. The server's web.config is also configured properly!
What I basically want to do is to check if there are any pending enrollment requests and, if there are any, approve them automatically. I need to feature a one-time password, so that if a request is approved, an email containing it is sent to an authority. This process should stay on the FIM CM server; I just want to automate the approval process with the remote app! It's no problem finding the pending requests and approving them manually by browsing to the FIM CM URL, but I am having no luck with the API so far.
Since this is not very well documented, it would be nice to get some information.
BTW, I also get the 401 error running the app on the server hosting FIM CM, not in the same context, so I still set
FindOperations.UseRemoting = true;
Thanks in advance!
M
-
Monday, March 05, 2012 2:47 PM
Well, I found out it's a 401.2 error, so there must be something wrong with the server configuration. Since I am allowed to browse to FIM CM with the very same account, I don't know why it does not work. Will keep investigating.
-
Thursday, June 21, 2012 4:40 PM
Hello,
Well, I got such an error, HTTP 401.2; the cause of this error was in the authentication methods which were disabled. Check which of them are enabled or disabled on the CertificateManagement application under Default Web Site -> CertificateManagement -> Authentication.
And configure authentication as described in http://technet.microsoft.com/en-us/library/hh230239(v=ws.10).
Hope it will help you.
http://cheryatnikov.blogspot.com/
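Pulling the remoting advice in this thread together, here is an added example of an out-of-process Provision API client; it is not code from the thread or from FIM CM. It loads the <system.runtime.remoting> client section that Heena and Tamir posted from its own app.config, sets UseRemoting = true as Heena advised, and maps the failures reported in the thread (the 401 from IIS authentication, the "There is no such object on the server" DirectoryServicesCOMException rethrown from the server, and serialization or remoting failures such as those seen with mismatched DLL versions) to the thing to check. It assumes references to Microsoft.Clm.Provision and Microsoft.Clm.Shared at the same version as the server, and an app.config containing the client configuration shown earlier in the thread.

```csharp
// Added example, not from the thread or FIM CM: a minimal remote Provision API client
// whose exception handling names what to check for each failure discussed above.
using System;
using System.Collections.ObjectModel;
using System.DirectoryServices;
using System.Net;
using System.Runtime.Remoting;
using System.Runtime.Serialization;
using Microsoft.Clm.Provision;
using Microsoft.Clm.Shared.ProfileTemplates;

static class RemoteProvisionClient
{
    static int Main()
    {
        // Register the http channel and the <wellknown> client entries from this exe's
        // app.config (the configuration posted earlier in the thread). ensureSecurity is
        // false: the channel is plain http with integrated Windows authentication, and
        // <channel useDefaultCredentials="true"> is what carries the caller's identity.
        RemotingConfiguration.Configure(AppDomain.CurrentDomain.SetupInformation.ConfigurationFile, false);

        // Every call from outside the CLM worker process goes through remoting; false is
        // only valid for code hosted inside the CertificateManagement web application.
        FindOperations.UseRemoting = true;
        RequestOperations.UseRemoting = true;

        try
        {
            ReadOnlyCollection<ProfileTemplate> templates = FindOperations.FindAllProfileTemplates();
            Console.WriteLine("{0} profile template(s) visible to {1}\\{2}",
                templates.Count, Environment.UserDomainName, Environment.UserName);
            foreach (ProfileTemplate t in templates)
                Console.WriteLine("  " + t.Uuid);
            return 0;
        }
        catch (WebException ex)
        {
            // "The remote server returned an error: (401) Unauthorized." is raised by IIS before
            // any CLM code runs: check the authentication methods enabled on the CertificateManagement
            // application (401.2 = no enabled method matched) and useDefaultCredentials="true".
            HttpWebResponse resp = ex.Response as HttpWebResponse;
            Console.Error.WriteLine("HTTP failure{0}: {1}",
                resp != null ? " " + (int)resp.StatusCode : "", ex.Message);
            return 2;
        }
        catch (DirectoryServicesCOMException ex)
        {
            // Raised inside the CLM web application and rethrown here: the server could not read the
            // profile template objects. Check the web pool account's read rights on
            // CN=Profile Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
            Console.Error.WriteLine("Server-side AD failure 0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
            return 3;
        }
        catch (SerializationException ex)
        {
            // Objects that do not round-trip between client and server usually mean the
            // Microsoft.Clm.* assemblies on the client differ in version from the server's.
            Console.Error.WriteLine("Serialization failure (compare client/server DLL versions): " + ex.Message);
            return 4;
        }
        catch (RemotingException ex)
        {
            // Wrong .rem URL, channel not registered, or the server rejected the remoting call.
            Console.Error.WriteLine("Remoting failure: " + ex.Message);
            return 5;
        }
    }
}
```

The distinct exit codes make the client usable from a script that checks remoting health after a server update, which is the situation described above where a hotfix changed the server-side assemblies.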