I recently worked an issue where we were receiving an exception in the Certificate Management event log when the FIM CM Agent account keys are stored in an HSM (Hardware Security Module). The event log provided enough information on the issue, so I did not need to reproduce it. It was the general information in the event log that led me to the solution.

 

The general message was “EnvelopedCMS decryption failed. Fall back to AES method”. In this case, a LunaSA HSM was involved.

APPLICATION EVENT LOG

Log Name:      Application

Source:        ASP.NET 2.0.50727.0

Date:          10/25/2012 8:21:53 PM

Event ID:      1309

Task Category: Web Event

Level:         Warning

Keywords:      Classic

User:          N/A

Computer:     

Description:

Event code: 3005

Event message: An unhandled exception has occurred.

Event time: 10/25/2012 8:21:53 PM

Event time (UTC): 10/25/2012 4:21:53 PM

Event ID: 64646420362f4605818948a23b5fc91f

Event sequence: 136

Event occurrence: 1

Event detail code: 0

 

Application information:

    Application domain: /LM/W3SVC/1/ROOT/CertificateManagement-1-129956552833822128

    Trust level: Full

    Application Virtual Path: /CertificateManagement

    Application Path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\

    Machine name: FIM

 

Process information:

    Process ID: 3484

    Process name: w3wp.exe

    Account name: DOMAIN\clmWebPool

 

Exception information:

    Exception type: CryptographicException

    Exception message: FIM CM was unable to decrypt necessary data.

 

Request information:

    Request URL: http://DNSDOMAIN/CertificateManagement/content/common/requests/DisplayRequestStatus.aspx?ID=572d315253104199a8c186fa240ff7ec

    Request path: /CertificateManagement/content/common/requests/DisplayRequestStatus.aspx

    User host address: ::1

    User: DOMAIN\root

    Is authenticated: True

    Authentication Type: Negotiate

    Thread account name: DOMAIN\clmWebPool

 

Thread information:

    Thread ID: 14

    Thread account name: DOMAIN\clmWebPool

    Is impersonating: False

    Stack trace:    at Microsoft.Clm.BusinessLayer.DataEncryption.DecryptUsingAES(String encryptedDataBlob)

   at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

   at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)

   at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)

   at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)

   at Microsoft.Clm.BusinessLayer.CheckClmOperations.CanCurrentUserDistributeSecretsOnClmRequest(UserProfile profileTemplate, Request clmRequest)

   at Microsoft.Clm.Web.Modules.OneTimePasswordUserControl.Page_Load(Object sender, EventArgs e)

   at System.Web.UI.Control.OnLoad(EventArgs e)

   at System.Web.UI.Control.LoadRecursive()

   at System.Web.UI.Control.LoadRecursive()

   at System.Web.UI.Control.LoadRecursive()

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

FIM CERTIFICATE MANAGEMENT EVENT LOG

Log Name:      FIM Certificate Management

Source:        System.Web

Date:          10/25/2012 8:21:53 PM

Event ID:      0

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:     

Description:

Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.

Type:System.Web.HttpUnhandledException

Source:System.Web

Stack Trace:   at System.Web.UI.Page.HandleError(Exception e)

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

   at System.Web.UI.Page.ProcessRequest()

   at System.Web.UI.Page.ProcessRequest(HttpContext context)

   at ASP.content_common_requests_displayrequeststatus_aspx.ProcessRequest(HttpContext context)

   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 

Inner Exception:Message:FIM CM was unable to decrypt necessary data.

Type:System.Security.Cryptography.CryptographicException

Source:Microsoft.Clm.BusinessLayer

Stack Trace:   at Microsoft.Clm.BusinessLayer.DataEncryption.DecryptUsingAES(String encryptedDataBlob)

   at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

   at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)

   at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)

   at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)

   at Microsoft.Clm.BusinessLayer.CheckClmOperations.CanCurrentUserDistributeSecretsOnClmRequest(UserProfile profileTemplate, Request clmRequest)

   at Microsoft.Clm.Web.Modules.OneTimePasswordUserControl.Page_Load(Object sender, EventArgs e)

   at System.Web.UI.Control.OnLoad(EventArgs e)

   at System.Web.UI.Control.LoadRecursive()

   at System.Web.UI.Control.LoadRecursive()

   at System.Web.UI.Control.LoadRecursive()

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

 

CERTIFICATE MANAGEMENT TRACE LOG

General Information

*********************************************

Additional Info:

EnvelopedCMS decryption failed. Fall back to AES method.

1) Exception Information

*********************************************

Exception Type: System.Security.Cryptography.CryptographicException

Message: An internal error occurred.

Data: System.Collections.ListDictionaryInternal

TargetSite: Void DecryptContent(System.Security.Cryptography.Pkcs.RecipientInfoCollection, System.Security.Cryptography.X509Certificates.X509Certificate2Collection)

HelpLink: NULL

Source: System.Security

StackTrace Information

*********************************************

   at System.Security.Cryptography.Pkcs.EnvelopedCms.DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore)

   at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

"2011-09-23 14:26:47.07 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" "DOMAIN\FIMCMAgent" 0x000008CC 0x00000007

Getting certificate:

"2011-09-23 14:26:47.08 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007

Opened MY Certificate store for READ access.

"2011-09-23 14:26:47.08 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007

Found 1 matching certificates.

"2011-09-23 14:26:47.09 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007

 

 

RESOLUTION

1. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\web

2. Make a backup copy of the web.config file, and give the copy a name such as web.config.backup so that you know it was backed up today.

3. Open the web.config file in an XML editor (Notepad, Visual Studio, or another XML editor).

4. Search for Clm.Encryption.Algorithm in the web.config file.

   a. You should come to a line that looks like <add key="Clm.Encryption.Algorithm" value="Aes" />

5. Change the value to TripleDes.

   a. It should now look like: <add key="Clm.Encryption.Algorithm" value="TripleDes" />

6. Save the web.config.

7. Open an administrative command prompt.

8. Type IISRESET.

9. Repeat the test that previously failed.
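The same resolution steps scripted in PowerShell, as an added example that is not part of the original post or of the FIM CM product. It assumes the default installation path shown above and that the Clm.Encryption.Algorithm entry sits under the standard /configuration/appSettings element of web.config; run it from an elevated PowerShell prompt on the FIM CM server.

```powershell
# Added example: automate steps 1-8 of the resolution above (not FIM CM's own tooling).
# Assumption: default install path; the key lives under /configuration/appSettings.
$webRoot    = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Certificate Management\web'
$configPath = Join-Path $webRoot 'web.config'

if (-not (Test-Path $configPath)) {
    throw "web.config not found at $configPath"
}

# Step 2: dated backup so it is obvious when the copy was taken.
$backupPath = "$configPath.backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $configPath -Destination $backupPath
Write-Host "Backup written to $backupPath"

# Steps 3-4: load the file as XML and locate the appSettings entry.
[xml]$config = Get-Content -Path $configPath -Raw
$node = $config.SelectSingleNode("/configuration/appSettings/add[@key='Clm.Encryption.Algorithm']")
if ($null -eq $node) {
    throw "Clm.Encryption.Algorithm key not found in $configPath"
}
Write-Host "Current value: $($node.value)"

# Step 5: switch from Aes to TripleDes; leave the file untouched if already set.
if ($node.value -eq 'TripleDes') {
    Write-Host 'Already set to TripleDes; no change made.'
} else {
    $node.SetAttribute('value', 'TripleDes')
    # Step 6: save through the XML writer so the declaration and encoding are kept.
    $config.Save($configPath)
    Write-Host 'Updated Clm.Encryption.Algorithm to TripleDes.'
}

# Steps 7-8: recycle IIS so the w3wp.exe worker picks up the new setting.
& iisreset
```

After IIS restarts, repeat the request that failed (step 9) and check the FIM Certificate Management log for the CryptographicException.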