FIM CM 2010 R2 Smart Card Renew policy, update service creates additional renewal requests

  • Question

  • Hi,

    I could use some advice with a smart card renewal issue in FIM CM 2010 R2. (Self-service)

    How can I prevent FIM CM update service from creating additional renewal requests for a smart card that was already renewed?

    FIM CM update service detects in FIM CM database when a certificate enters its renewal period. When it's time, a renewal request is created and an email with OTP is sent to the user. The user successfully completes the renewal request and all should be OK.

    The problem: FIM CM update service will soon (default within 5 hours), re-check for certificates entering renewal. Although the smart card was just renewed, an additional renewal request is created and a new OTP email is sent to the user.
    If the user also completes the second renewal request, a third request is generated, and so it goes on.

    I'm assuming that the still valid, still expiring certificate is re-detected by the FIM CM update service.

    The second renewal request can be avoided by enabling "revoke old certificates" in the revocation settings workflow, without delay. This would however make the renewal request creation revoke the certificate. I would prefer to keep the certificate valid until expiry, or revoke it when the request is completed.

    Thanks


    • Edited by StoffeB Tuesday, March 3, 2015 8:37 AM clarification
    Monday, March 2, 2015 3:27 PM

All replies

  • To make the process work, I had to abandon the renew policy.

    As a workaround, we configured FIM CM update service to trigger an Online update request instead of the default renew request. The Online update process always revokes the expiring certificate, but not before the request is completed by the user. That detail makes all the difference.

    I'm still curious to hear if anyone else recognizes this issue.

    The FIM CM build is 4.1.3496

    Friday, March 20, 2015 1:23 PM
  • Hi, I'm having the same issue. Can you please share some information about the workaround? I guess you completely disabled the renewal policy, but I'm not sure how to replace it with an online update policy. Thanks
    Tuesday, December 8, 2015 7:44 AM
  • Here u go:

    https://technet.microsoft.com/en-us/library/ee534907(v=ws.10).aspx#BKMK_ConfigureRenewalRequests

    snippet:
    To issue an online update request instead of a renewal request, when the certificate is within the expiry period, you must modify the FIM CM Service configuration file, Microsoft.CLM.Service.exe.config.

    I did not set attributes or URL in the FIM CM client.

    There's a side effect in case you would make changes to the certificate template on the issuing CA. A change will trigger online update for all cards issued with that FIM CM template.

    Additionally, consider extending validity of the OTP:
    https://social.technet.microsoft.com/Forums/en-US/12128753-b443-49d4-a4a3-9881ddc02cec/fim-cm-default-password-provider-settings?forum=ilm2

    Good luck!

    Tuesday, December 8, 2015 1:02 PM
  • The problem: FIM CM update service will soon (default within 5 hours), re-check for certificates entering renewal. Although the smart card was just renewed, an additional renewal request is created and a new OTP email is sent to the user.
    If the user also completes the second renewal request, a third request is generated, and so it goes on.

    Hi,

    Do you know what the reason for this behavior is?

    Thanks.

    Monday, May 8, 2017 12:17 PM
  • No, I never figured that out.
    A workaround could be to revoke the certificate in the renewal workflow. Unfortunately the revoke happens too early (during request creation instead of request execute) and I don't want to lock any users out from VPN.
    Monday, May 8, 2017 1:31 PM