Forefront Identity Manager 2010 RC1 - Certificate Management - errors and solutions
- Hi guys,
Here are some errors I experienced during the setup of my platform.
Hope this can help you.
Cheers.
_Unable to check CA in Edit Profile template
Something is wrong with the SQL connection between the CA Exit Module and the SQL Server.
Check the password if you are using SQL authentication; otherwise check the Kerberos SPN.
Check log: Application and Services Logs > FIM Certificate Management
Restart AD CS and check 10 seconds later whether any warning has been raised in that log.
_Value cannot be null. Parameter name byte
If you installed the certificates manually in the agents' store, you have to fill in the certificate hashes in web.config. See Installation > Edit the web.config.
Open the web.config file of certificatemanagement.
Search for "Hash" and check that the hash is the one of the FIM CM agent certificate.
_Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system Administrator. Additional information: Automation server can't create object
If you are on an x64 system, install FIM CM x64 and use Internet Explorer 64-bit.
_FIM CM: while reading the smart card
Client encountered an unexpected error while trying to communicate with the server.
Error number: -2146828218
Error description: Permission denied
_If using v3 certificate templates for the agents (Windows 2008) instead of v2 (Windows 2003)
Then the following errors will appear.
Currently, FIM 2010 RC1 CM only supports v2 templates.
Not sure whether any improvements will be made for RTM.
Please note that this event is related to the following ones:
_Windows Logs > Security > Failed login - Key migration failed
Event ID 5059. Key operation migration failed
clmAgent; User key; RSA; import of persistent cryptographic key; 0x80090029 The requested operation is not supported
----------------------------------
Key migration operation.
...
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
...
Additional Information:
Operation: Import of persistent cryptographic key.
Return Code: 0x80090029
----------------------------------
Consequences:
- When performing an enroll request on behalf of another user: Data at the root level is invalid. Line 1, position 1
- When executing a software certificate enroll: Invalid provider type specified.
- When executing a smart card certificate enroll: Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system Administrator. Additional information: Automation server can't create object
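As an added example, not taken from the original post and not part of the FIM CM product, the following PowerShell script turns the three checks above (web.config hashes vs. the agent certificates, Security event 5059 with return code 0x80090029, and warnings in the FIM CM log after an AD CS restart) into read-only functions. It assumes things the post does not state: the web.config path, that the hash settings live in `<appSettings>` and that only their key names contain "Hash" (the post only says to search for that word), that the agent certificates sit in the LocalMachine\My store, and that the log under Applications and Services Logs is named "FIM Certificate Management".

```powershell
# Added example (not from the original post, not FIM CM product code).
# Read-only diagnostics for the errors listed above. Assumed, not given on
# the page: web.config path, <appSettings> keys containing "Hash", the
# LocalMachine\My store for agent certificates, the log name
# "FIM Certificate Management" and the AD CS service name CertSvc.

# Run on the FIM CM web server: compare every *Hash* appSetting in web.config
# with the thumbprints of the certificates present in the agent store.
function Test-CmAgentHashes {
    param(
        [string]$WebConfig = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config',  # assumed path
        [string]$CertStore = 'Cert:\LocalMachine\My'  # assumed store
    )
    [xml]$cfg = Get-Content -Path $WebConfig -Raw
    $hashKeys = @($cfg.configuration.appSettings.add | Where-Object { $_.key -like '*Hash*' })
    $thumbprints = Get-ChildItem -Path $CertStore | ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

    foreach ($entry in $hashKeys) {
        # thumbprints pasted from the certificate MMC often carry spaces and lowercase hex
        $h = ($entry.value -replace '[\s-]', '').ToUpperInvariant()
        if ([string]::IsNullOrEmpty($h)) {
            # an empty hash is the condition behind "Value cannot be null. Parameter name: byte"
            Write-Warning "$($entry.key) is empty"
        } elseif ($thumbprints -notcontains $h) {
            Write-Warning "$($entry.key) = $h matches no certificate in $CertStore"
        } else {
            Write-Output "OK: $($entry.key) matches a certificate in $CertStore"
        }
    }
}

# Run on the FIM CM web server: Security event 5059 (key migration failed)
# with return code 0x80090029, the symptom the post ties to v3 agent templates.
function Get-KeyMigrationFailures {
    param([int]$Minutes = 60)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5059; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80090029' } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Run on the CA: optionally restart AD CS, wait, then list the errors and
# warnings the Exit Module wrote to the FIM CM log (SQL connection problems
# between the Exit Module and SQL Server surface here).
function Get-CmExitModuleWarnings {
    param(
        [string]$LogName = 'FIM Certificate Management',  # assumed log name
        [switch]$RestartAdcs,
        [int]$WaitSeconds = 10
    )
    $since = Get-Date
    if ($RestartAdcs) {
        Restart-Service -Name CertSvc   # AD CS service; needs local admin on the CA
        Start-Sleep -Seconds $WaitSeconds
    } else {
        $since = $since.AddMinutes(-60)  # no restart: look at the last hour instead
    }
    Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Level = 2, 3; StartTime = $since   # 2 = Error, 3 = Warning
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage, choosing the functions that match the server you are logged on to:
#   Test-CmAgentHashes
#   Get-KeyMigrationFailures -Minutes 30
#   Get-CmExitModuleWarnings -RestartAdcs
```

The web.config and event 5059 checks belong on the CM web server, where the clmAgent key is imported; the Exit Module check belongs on the CA, so run the functions where each applies rather than the whole file on one box.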
All Replies
- Fabien,
I would actually recommend installing the 32-bit client on a 64-bit operating system rather than using IE 64-bit.
This is because IE 32 bit is the default browser.
If you plan any manager-initiated workflows where an email is sent to the subscriber, it will fail if they click the link.
This is because the link is opened in the 32 bit browser.
Thanks!
Brian - Baseline is that you need the same bit-ness of CM Client + IE + middleware/driver
- That is correct, but not practical in the real world Anthony.
As long as MS does not provide a way to designate IE 64-bit as the default browser, for any client that uses a manager-initiated workflow where the CM service sends an email to the subscriber using OTPs, the browser that is launched is IE 32-bit.
If I followed your advice, I would get an error that the ActiveX control is not installed, because the 64-bit client is not recognized within the browser.
Yes, I could tell the client that they have to copy the link, open IE 64, paste the link, and then type in the OTP, but that would never work. Helpdesk would be up in arms over that.
Brian - Correct. While in testing, we usually prioritize 32-bit IE on x64 OS higher than 64-bit IE because the default IE is 32-bit
- Anthony, do you mind elaborating on what you mean by prioritizing 32-bit IE over 64-bit IE?
Marc Mac Donell, ILM MVP, VP Identity and Access Solutions, Avaleris Inc. - i.e. we spend more time testing CM in 32-bit IE than 64-bit IE (on a x64 OS)
- I think that this is a great idea, since IE 32-bit is the default browser.
What is the technical reason that prevents you from installing both the 32-bit and 64-bit client?
Brian - I can't think of any.
Just that at some point, we need to lock down the product and stabilize it. Since the majority of the customers are not going to "mix-use" 32-bit and 64-bit IE and we haven't received any demand for such, we didn't bundle the 32-bit component into the 64-bit installer.