Overview

I recently worked a support issue concerning Microsoft Forefront Identity Manager - Certificate Management (FIM CM). The resolution was fairly straightforward, and I wanted to make sure I shared it.


Problem Statement

Attempting to recover a smart card generates the following error message: "User lookup failed. No mapping between account names and security IDs was done."

While troubleshooting the issue, we obtained a FIM CM verbose trace log (see How to capture a FIM CM Verbose Trace Log). In the log we could see the error being generated during the search for the user in the security group, which led us to the RequestSecurity.Groups setting in the web.config file.


Error message

User lookup failed. No mapping between account names and security IDs was done.


FIM CM Verbose trace log

"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\<username>" "<DOMAIN NAME>\<FIM CM AUTH AGENT>" 0x00000224 0x00000012

Looking up account: <domain name>\<security group name>, machine:

"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\<username>" "<DOMAIN NAME>\<FIM CM AUTH AGENT>" 0x00000224 0x00000012

1) Exception Information

*********************************************

Exception Type: System.ApplicationException

Message: User lookup failed.

Data: System.Collections.ListDictionaryInternal

TargetSite: Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)

HelpLink: NULL

Source: Microsoft.Clm.Security.Authorization

StackTrace Information

*********************************************

at Microsoft.Clm.Security.Authorization.Sid.LookupAccount(String machineName, String account)

2) Exception Information

*********************************************

Exception Type: System.ComponentModel.Win32Exception

NativeErrorCode: 1332

ErrorCode: -2147467259

Message: No mapping between account names and security IDs was done

Data: System.Collections.ListDictionaryInternal

TargetSite: NULL

HelpLink: NULL

Source: NULL


Cause

In this case, the problem was that the groups listed in the Clm.RequestSecurity.Groups setting of the FIM Certificate Management web.config file were invalid: the names did not resolve to accounts in Active Directory, which is exactly what the Win32 error 1332 ("No mapping between account names and security IDs was done") in the trace log reports.


Resolution

  1. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\Web
  2. Back up the web.config file by making a copy of it
  3. Once the file is backed up, edit the web.config file
  4. Search for "Clm.RequestSecurity.Groups"
  5. Example of the relevant settings:

    <add key="Clm.RequestSecurity.Flags" value="UseGroups" />
    <add key="Clm.RequestSecurity.Groups" value="<DOMAIN NAME>\domain users,<DOMAIN NAME>\fimcm users,<DOMAIN NAME>\MyNewCMUsers" />
    <add key="Clm.RequestSecurity.ManagerCanApprove" value="true" />

  6. Ensure that every group listed in this value exists in Active Directory and is spelled correctly (including the domain prefix)
  7. Once confirmed, save the web.config file
  8. Execute an IISRESET
  9. Test the smart card recovery again
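The check in step 6, as an added PowerShell example (not part of the original article): it reads Clm.RequestSecurity.Groups from web.config (the path is assumed to be the default location from step 1) and asks Windows to translate each group name to a SID, which is the same account-to-SID lookup that fails with error 1332 in the trace log above.

```powershell
# Added example, not from the original article. Run on the FIM CM server as a
# domain-joined account so the name-to-SID translation can reach Active Directory.
# Path assumed to be the default FIM CM web directory from step 1.
$WebConfig = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Certificate Management\Web\web.config"

[xml]$config = Get-Content -Path $WebConfig -Raw

# appSettings keys are matched case-insensitively, so "CLM." and "Clm." both work.
$groupsNode = $config.configuration.appSettings.add |
    Where-Object { $_.key -eq 'Clm.RequestSecurity.Groups' }
if (-not $groupsNode) { throw "Clm.RequestSecurity.Groups was not found in $WebConfig" }

# The value is a comma-separated list of DOMAIN\group names.
$groups = $groupsNode.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$missing = @()
foreach ($group in $groups) {
    try {
        # Same translation FIM CM performs in Sid.LookupAccount: NTAccount -> SID.
        $sid = ([System.Security.Principal.NTAccount]$group).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        Write-Output ("OK       {0} -> {1}" -f $group, $sid.Value)
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # This is the condition reported as Win32 error 1332
        # ("No mapping between account names and security IDs was done").
        Write-Output ("MISSING  {0} (no mapping between account name and SID)" -f $group)
        $missing += $group
    }
}

if ($missing.Count -gt 0) {
    Write-Warning ("Fix these entries in Clm.RequestSecurity.Groups, then run IISRESET: {0}" -f ($missing -join ', '))
}
```

Every entry reported as MISSING is a group that FIM CM cannot resolve, so correct or remove it before saving web.config.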

SEE ALSO

FIM LANDING PAGE: Resource Wiki Contents