Can not enroll for a certificate with FIM CM - certificate is missing in MY Store

  • Question

  • Hello,

    I have deployed FIM CM 2010 for a customer as a service for managing certificates on smart cards. Everything was working fine for a few months, and then, without any obvious reason, the message "Certificate was not found in the MY store of the FIM CM Agent user" appears every time enrollment is initiated. All accounts that FIM CM uses were created automatically during the config wizard, so I cannot log on as clmAgent and check whether the certificate is really there. All configuration seems to be fine.

    What can I do? Run the Config wizard again? That looks like a last resort to me. Is there any other way? Can I reset the password on the clmAgent account, try to log on locally and see if the certificate is there?

    Please help. Thanks in advance.

    Damir


    Thursday, April 21, 2011 10:52 AM

Answers

  • On Thu, 21 Apr 2011 15:58:42 +0000, Paul Adare wrote:

    ClmUtil ?setacctpwd agent NewPassword

    ClmUtil -setacctpwd agent NewPassword


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Command:  Statement presented by a human and accepted by a computer in such
    a manner as to make the human feel as if he is in control.

    • Marked as answer by damirdMVP Tuesday, April 26, 2011 10:12 PM
    Thursday, April 21, 2011 3:59 PM

All replies

  • On Thu, 21 Apr 2011 10:52:49 +0000, damird [MVP] wrote:

    Can I reset password on clmAgent account, try to log on locally and see if certificate is there?

    Yes. Reset the password in Active Directory for the account and then on
    each FIM CM server run the following command:

    ClmUtil -setacctpwd agent NewPassword


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Command:  Statement presented by a human and accepted by a computer in such
    a manner as to make the human feel as if he is in control.

    Thursday, April 21, 2011 3:58 PM
  • Hi Paul,

    Thanks very much for your help. I did this, logged on as clmAgent, and looked in the Personal store. The certificate wasn't there and I really have no idea how it disappeared. Anyway, I enrolled for a new certificate (from the same template as before) and updated the FIM CA Policy Module with the new certificate hash, as well as the web.config file for the FIM CM Portal.

    I tried to enroll for a certificate and didn't get the same error. However, the whole process went well up to the point where the certificate is requested from the CA. Execution stopped with the error "Invalid algorithm specified (HRESULT : 0x80090008)" and cannot proceed from there. It might be worth mentioning that the customer added one new CA, and I redirected FIM CM to this new CA for enrollment. Certificate templates are in AD, and the same template is used as before, just from the new CA (the new CA is the same version as the old one, Windows Server 2003 R2). FIM CM is installed on Windows Server 2008.

    Can you help please?

    Thanks,

    Damir


    Friday, April 22, 2011 4:00 PM
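An added check, not part of the thread, that scripts what Damir did by hand above (log on as clmAgent and look in the Personal store) and also confirms that the thumbprints in the portal web.config are the ones actually sitting in that store, with private keys. The web.config path, the three appSettings key names and the location of appSettings under the configuration root are assumptions for a default FIM CM 2010 install; adjust them to match the deployment.

```powershell
# Added example (not from the thread): check that the FIM CM agent certificates
# referenced in the CM portal web.config exist, with private keys, in the MY store
# of the account running this script. Run it as the clmAgent user.
#
# Assumptions: default FIM CM 2010 install path, and the three appSettings keys
# that hold the agent certificate thumbprints. Adjust both to your deployment.

param(
    [string]$WebConfig = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config'
)

# appSettings keys assumed to hold the agent certificate thumbprints
$hashKeys = @(
    'Clm.SigningCertificate.Hash',
    'Clm.Encryption.Certificate.Hash',
    'Clm.SmartCard.ExchangeCertificate.Hash'
)

[xml]$config = Get-Content -Path $WebConfig
$storeCerts = Get-ChildItem -Path Cert:\CurrentUser\My
$allPresent = $true

foreach ($key in $hashKeys) {
    $setting = $config.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if (-not $setting) {
        Write-Warning "$key is not set in $WebConfig"
        $allPresent = $false
        continue
    }

    # web.config may carry the hash with spaces; the store thumbprint has none
    $thumb = ($setting.value -replace '\s', '').ToUpperInvariant()
    $cert = $storeCerts | Where-Object { $_.Thumbprint -eq $thumb }

    if (-not $cert) {
        Write-Warning "$key ($thumb) not found in CurrentUser\My for $env:USERDOMAIN\$env:USERNAME"
        $allPresent = $false
        continue
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$key ($thumb) is in the store but has no private key"
        $allPresent = $false
    }

    # Report the signature algorithm and the certificate-template extension
    # (OID 1.3.6.1.4.1.311.21.7) so a change of CA or template is visible here
    # rather than only as a failed enrollment later
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($sigAlg -notlike 'sha1*') {
        Write-Warning "$key ($thumb) is signed with $sigAlg, not SHA-1"
    }

    New-Object PSObject -Property @{
        Key        = $key
        Thumbprint = $thumb
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SigAlg     = $sigAlg
        Template   = $(if ($tmplExt) { $tmplExt.Format($false) } else { '(no certificate template extension)' })
    }
}

if ($allPresent) {
    'All agent certificates referenced in web.config are present with private keys.'
} else {
    'At least one agent certificate is missing: re-enroll it, then update web.config and the CA policy module hash.'
}
```

Start the shell as the agent account (for example `runas /user:DOMAIN\clmAgent powershell.exe` after the password reset described earlier in the thread) rather than as an administrator: a certificate that exists in the administrator's Personal store but not in clmAgent's produces the same "not found in the MY store of the FIM CM Agent user" message as a certificate that has been deleted, and a certificate present without its private key is worth ruling out at the same time.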
  • It sounds like you selected Server 2008 or V3 certificates. The three agent certificates must be based on V2 certificate templates.

    The other possibility is that the CA was installed using a SHA2 signing algorithm. It looks like FIM CM may only work with SHA1 certificates.

    Brian

    Friday, April 22, 2011 4:03 PM
  • Hi Brian,

    No, I'm not using v3 certificates since all CAs are Windows Server 2003. All three agent certificates are issued from Windows Server 2003 RootCA and from v2 templates. New CA is not installed using SHA2 algorithm.

    Thanks,

    Damir


    Friday, April 22, 2011 4:11 PM