PROBLEM STATEMENT

You are a FIM CM Administrator working inside of Forefront Identity Manager 2010 – Certificate Management. You navigate to "Manage profile templates" on the main menu. You attempt one of the following actions on the "FIM CM Sample Smart Card Logon Profile Template":

  • Manage it by clicking on it.
  • Copy it, by placing a check mark and then clicking "Copy a selected profile template".
You receive the error message "Object reference not set to an instance of an object".





TROUBLESHOOTING

 

To troubleshoot the issue, we reviewed the FIM Certificate Management event log and enabled FIM CM tracing.

FIM CERTIFICATE MANAGEMENT EVENT LOG

Log Name: FIM Certificate Management

Source: System.Web

Date: 8/29/2011 7:44:18 AM

Event ID: 0

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Description:

Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.

Type:System.Web.HttpUnhandledException

Source:System.Web

Stack Trace: at System.Web.UI.Page.HandleError(Exception e)

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

at System.Web.UI.Page.ProcessRequest()

at System.Web.UI.Page.ProcessRequest(HttpContext context)

at ASP.content_idn_profiles_profiledetails_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\certificatemanagement\a8741d44\95e9fa81\App_Web_mgtpi_xa.4.cs:line 0

at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception:Message:Object reference not set to an instance of an object.

Type:System.NullReferenceException

Source:Microsoft.Clm.BusinessLayer

Stack Trace: at Microsoft.Clm.BusinessLayer.Templates.LoadTemplate(String oidOrName)

at Microsoft.Clm.Web.ProfileDetails.LoadCertificateTemplatesIntoInterface()

at Microsoft.Clm.Web.ProfileDetails.Page_Load(Object sender, EventArgs e)

at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)

at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)

at System.Web.UI.Control.OnLoad(EventArgs e)

at System.Web.UI.Control.LoadRecursive()

at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

 

 

CERTIFICATE MANAGER TRACE LOG

In reviewing the trace log, we searched for the keyword "exception" and we found the following:

CLM TRACE FILE

Translating user name <DOMAIN>\<USER> from Unknown to Guid

"2011-08-11 09:30:27.32 -04" "Microsoft.Clm.BusinessLayer.UserProfiles" "System.Guid CopyProfileTemplate(Microsoft.Clm.Common.AD.UserProfile, System.String, System.String)" "<DOMAIN>\<USER>" "<DOMAIN>\FIMCMAuthAgent" 0x00000ACC 0x00000007

General Information

*********************************************

Additional Info:

Error copying profile template with uuid: to Copy Of FIM CM Sample Smart Card Logon Profile Template

1) Exception Information

*********************************************

Exception Type: System.Runtime.InteropServices.COMException

ErrorCode: -2147016426

Message: Name translation: Could not find the name or insufficient right to see name. (Exception from HRESULT: 0x80072116)

Data: System.Collections.ListDictionaryInternal

TargetSite: Void Set(Int32, System.String)

HelpLink: NULL

Source: Microsoft.Clm.Interop.activeds

StackTrace Information

*********************************************

at Microsoft.Clm.Interop.activeds.NameTranslateClass.Set(Int32 lnSetType, String bstrADsPath)

at Microsoft.Clm.DS.NameTranslator.Translate(String name, NameType from, NameType to)

at Microsoft.Clm.DS.NameTranslator.ConvertToGuid(String name)

at Microsoft.Clm.BusinessLayer.Users.ConvertNameToGuid(String name)

at Microsoft.Clm.BusinessLayer.Security.get_CurrentUserUuid()

at Microsoft.Clm.BusinessLayer.UserProfiles.WriteProfileTemplateHistory(UserProfile profileTemplateOld, UserProfile profileTemplateToSave, ProfileTemplateHistoryActionType actionType)

at Microsoft.Clm.BusinessLayer.UserProfiles.CopyProfileTemplate(UserProfile profileTemplateToCopy, String destProfileTemplateCommonName, String destProfileTemplateDisplayName) 

 

 

RESOLUTION

The event log shows that the failure occurs while loading the template, in "Microsoft.Clm.BusinessLayer.Templates.LoadTemplate(String oidOrName)".

In the FIM CM trace, we can see that name translation is failing because of insufficient permissions:

 

Message: Name translation: Could not find the name or insufficient right to see name. (Exception from HRESULT: 0x80072116)

We were able to resolve the issue by reviewing the permissions on the Smart Card Logon Template. There we noticed that Authenticated Users was not listed. We added Authenticated Users and gave it Read access. After logging off and back on, we were able to work with the certificate.

  1. Go to the Certificate Authority
  2. Expand the server, and select Certificate Templates
  3. From the Action menu, select Manage
  4. Locate and select the Smartcard Logon Template
  5. From the Action menu, select Properties
  6. Select the Security tab
  7. Click the Add button
  8. Type Authenticated Users and click Check Names
  9. Click OK
  10. Ensure that Read is set to Allow
  11. Click OK
  12. On the Certificate Management Server, log off and back on
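
To confirm the result of the steps above without opening the template console, the template's ACL can be read from Active Directory. The following PowerShell is an added example, not part of the original article or of FIM CM. It assumes a domain-joined machine, an account that can read the Configuration partition, and that the template's display name is "Smartcard Logon"; the function names are hypothetical.

```powershell
# Added example: check whether Authenticated Users has an Allow/Read ACE on a
# certificate template. Function names and the default display name are
# assumptions for illustration.
Add-Type -AssemblyName System.DirectoryServices

function Get-TemplateSecurity {
    param([string]$DisplayName = 'Smartcard Logon')   # assumed display name
    # Certificate templates are stored in the forest's Configuration partition.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $filter   = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Certificate template '$DisplayName' was not found." }
    return $hit.GetDirectoryEntry().ObjectSecurity
}

function Test-AuthenticatedUsersRead {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Security)
    $read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $rules = $Security.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # S-1-5-11 is the well-known SID for Authenticated Users.
        if ($rule.IdentityReference.Value -eq 'S-1-5-11' -and
            $rule.AccessControlType -eq 'Allow' -and
            $rule.ObjectType -eq [guid]::Empty -and      # whole object, not one attribute
            ($rule.ActiveDirectoryRights -band $read) -eq $read) {
            return $true
        }
    }
    return $false
}

$name = 'Smartcard Logon'
if (Test-AuthenticatedUsersRead (Get-TemplateSecurity -DisplayName $name)) {
    "OK: Authenticated Users has Read on '$name'."
} else {
    "MISSING: Authenticated Users has no Allow/Read ACE on '$name'."
}
```

The check looks only for Read, the right granted in the steps above, and does not evaluate Deny entries.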