Recently, a co-worker of mine was working on an issue concerning the error message "There is no such object on the server" while attempting to unblock a smart card. He took the time to write up the issue.

The error "There is no such object on the server" could surface on any number of operations. However, today we will focus on the case where the error is returned during the offline unblock of a smart card.


In this case, the error is returned in the browser.

The following call stack was discovered when reviewing the Application Event Log on the Forefront Identity Manager Certificate Management (FIM CM) server.  In reviewing this stack trace, we noticed the GetGroupBySid function call.  The GetGroupBySid function does a lookup in Active Directory for the group using the ObjectSid of the group.  Knowing this, we want to review the FIM CM Web.Config file.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_Name()
at Microsoft.Clm.DS.DirEntry.BindDirectoryEntry(ProviderType providerType, String serverOrDomain, String path)
at Microsoft.Clm.DS.User.GetGroupBySid(Sid sidGroup)
at Microsoft.Clm.BusinessLayer.AccessControlManager.LoadGroupSecurityDescriptor(Sid sid)
at Microsoft.Clm.BusinessLayer.AccessControlManager.CheckUserAccess(String principal, DirectoryEntry userEntry, UserAccessRights desiredAccess)
at Microsoft.Clm.BusinessLayer.UserAccess.CheckUserAccessByName(String principal, String userName, UserAccessRights desiredAccess)
at Microsoft.Clm.Web.Security.CanPerformActionOnUser(String userName, ManagementAction action)
at Microsoft.Clm.Web.Modules.ActionLinksUserControl.checkActionsByOfflineUnblockPermission()
at Microsoft.Clm.Web.Modules.ActionLinksUserControl.offlineUnblockLink_Click(Object sender, EventArgs e)

WEB.CONFIG (This is the FIM CM web.config file located at %Program Files%\Microsoft Forefront Identity Manager\2010\Certificate Management\web)

Any time we see activity where FIM CM is attempting to resolve Group SIDs, we should review the "PLUGGABLE EXTENSIONS" section of the FIM CM web.config file. 

<!-- PLUGGABLE EXTENSIONS *********************************************-->

<!-- Request Security Implementation
Clm.RequestSecurity.Flags
    Flags used for configuring the default implementation.
    Allowed values are:
        UseUser
        UseGroups
    These values can be OR-ed.
    If not specified, the value defaults to "UseGroups".

Clm.RequestSecurity.Groups
    Comma-separated list of AD groups (Global or Universal) that will be used to
    determine certificate manager access to users that are members of these groups.
    The list should contain group names using DOMAIN\group format. Leaving the list
    empty forces CLM to consider all groups that users are members of.

EXAMPLE:
<add key="Clm.RequestSecurity.Flags" value="UseUser,UseGroups" />
<add key="Clm.RequestSecurity.Groups"
    value="DOMAIN1\Group1,DOMAIN2\Group2" />
-->

<add key="Clm.RequestSecurity.Flags" value="UseUser,UseGroups" />

<add key="Clm.RequestSecurity.Groups" value="" />

<add key="Clm.RequestSecurity.ManagerCanApprove" value="false" />

*NOTE: Leaving the Clm.RequestSecurity.Groups list empty forces FIM CM to consider all groups that users are a member of.
(Yes, we're ending a sentence with a preposition, but that's something we'll have to get over.)

RESOLUTION
To resolve this issue, we limited the Clm.RequestSecurity.Groups list to those security groups that are of interest to FIM CM, essentially the groups configured in the Policy Settings in the FIM CM Portal.
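As an added example (not part of the original post and not FIM CM's own code), the following PowerShell check reads the Clm.RequestSecurity.Groups list from the web.config and verifies that each entry is in DOMAIN\group format and resolves, via the same bind-by-SID lookup that GetGroupBySid performs, to a Global or Universal security group. It assumes it is run on the FIM CM server by an account with read access to Active Directory, and that the web.config lives at the default path named above.

```powershell
# Added example: validate the Clm.RequestSecurity.Groups entries in the FIM CM web.config.
# Assumption: default install path from the post; adjust if FIM CM was installed elsewhere.
$webConfig = "$env:ProgramFiles\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config"

[xml]$cfg = Get-Content -Path $webConfig -Raw
$groupsValue = ($cfg.configuration.appSettings.add |
    Where-Object { $_.key -eq 'Clm.RequestSecurity.Groups' }).value

if ([string]::IsNullOrWhiteSpace($groupsValue)) {
    # Empty list: FIM CM evaluates every group each user belongs to, including any it cannot resolve.
    Write-Warning "Clm.RequestSecurity.Groups is empty; FIM CM will consider all groups of every user."
    return
}

$entries = $groupsValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($name in $entries) {
    if ($name -notmatch '^[^\\]+\\[^\\]+$') {
        Write-Warning "'$name' is not in DOMAIN\group format."
        continue
    }
    try {
        # Name -> SID: the identifier FIM CM later hands to GetGroupBySid.
        $sid = ([System.Security.Principal.NTAccount]$name).Translate([System.Security.Principal.SecurityIdentifier])

        # Bind by SID, the lookup that failed in the stack trace. Reading a property forces the
        # bind, so a missing object surfaces here as the same "no such object" error.
        $entry = [ADSI]"LDAP://<SID=$($sid.Value)>"
        $groupType = [int64]$entry.psbase.Properties['groupType'].Value

        # groupType flags: 0x2 Global, 0x8 Universal, 0x80000000 security-enabled.
        $isSecurity          = ($groupType -band 0x80000000) -ne 0
        $isGlobalOrUniversal = ($groupType -band 0xA) -ne 0

        if (-not $isSecurity)          { Write-Warning "'$name' is a distribution group, not a security group." }
        if (-not $isGlobalOrUniversal) { Write-Warning "'$name' is not Global or Universal (groupType=$groupType)." }

        Write-Output "OK   $name -> $($sid.Value) ($($entry.distinguishedName))"
    } catch {
        # Either the name did not translate to a SID or the SID bind failed in AD.
        Write-Warning "FAIL $name : $($_.Exception.Message)"
    }
}
```

Any entry reported as FAIL is the kind of object the post never tracked down; fix it in AD or remove it from the list.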

Was this a magic fix, guaranteed to work every time you get the "no such object on the server" error? Of course not!

We never dug into which object wasn't found. To do that, we would need to collect more data, such as:

  1. Network Monitor Trace - capturing simultaneous network traces while reproducing the issue lets you review the traffic leaving the FIM CM server and, on the Active Directory side, the traffic arriving at and leaving the Directory Server.
  2. Active Directory Logging - to help isolate the problem object.

Additionally, another possible cause could have been one of the groups that FIM CM evaluated because of the UseGroups flag.

That said, this solution allowed us to get back to business. As an added benefit, taking advantage of the UseGroups setting typically speeds up FIM CM operations: instead of iterating through an unknown number of groups to verify user permissions, we only look at a limited subset of groups.

In conclusion:

  1. "There is no such object on the server" is an error that FIM CM receives from Active Directory and then passes back to the user.
  2. Logging - including the event logs (Application, FIM Certificate Management, Security, System) - can provide valuable clues as to what or where the problem lies.
    1. Here is how to enable verbose tracing for FIM CM and/or CLM
  3. The fix is either to identify the offending object and fix whatever is wrong with it, or to bypass the attempt to find it. (In this case we did the latter.)
  4. Always take advantage of the UseGroups setting in the web.config.