None of the signers of the cryptographic message or certificate trust list is trusted (FIM CM)

  • Question

  • Hi,

    I have WS08 R2 on all servers and am running: AD, an offline Root CA, an Issuing Subordinate AD-integrated CA, FIM CM, SQL 2008 R2 (all on separate servers).

    And I followed the following setup guide: http://technet.microsoft.com/en-us/library/hh230258(WS.10).aspx


    When I try to 'execute' a FIM CM smart card request, after typing in the PIN number, I get this error message when it tries to obtain a certificate from the PKI server:

    "Processing error: Error generating requested certificates. The request was denied by a certificate manager or CA administrator. 0x80094014"


    I then found how to troubleshoot this error on: https://blogs.msdn.com/b/spatdsg/archive/2010/08/02/fim-cm-logging-and-random-errors.aspx

    So I enabled the FIM CM policy module logging options and got this error on the PKI server that FIM CM talks to (message below).


    "Microsoft.Clm.PolicyModule.Policy" "Microsoft.Clm.Shared.CertificateServer.EnrollmentAttributes LoadEnrollmentAttributesData(System.String)" "" "NT AUTHORITY\SYSTEM" 0x00000B50 0x00000006


    1) Exception Information
    *********************************************
    Exception Type: System.ApplicationException
    Message: Unable to verify certificate validity.
    Data: System.Collections.ListDictionaryInternal
    TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)
    HelpLink: NULL
    Source: Microsoft.Clm.PolicyModule

    StackTrace Information
    *********************************************
       at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)
       at Microsoft.Clm.PolicyModule.Policy.LoadEnrollmentAttributesData(String xml)

    2) Exception Information
    *********************************************
    Exception Type: System.Security.Cryptography.CryptographicException
    Message: None of the signers of the cryptographic message or certificate trust list is trusted.

    Data: System.Collections.ListDictionaryInternal
    TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)
    HelpLink: NULL
    Source: Microsoft.Clm.PolicyModule

    StackTrace Information
    *********************************************
       at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)


    The PKI health viewer says everything is fine. The PKI server is issuing certificates correctly to other servers.

    I have also verified that the CLM hash is correct - so what else could be wrong with my configuration?


    thank you,

    sk

    Tuesday, August 16, 2011 3:37 PM

Answers

  • Hello,

    I have solved the problem in our integration environment. For better diagnostics I enabled the Windows\CAPI2 log and FIM CM module logging.

    My cause seemed to be a wrong cached CRL in the issuing CA's SYSTEM account. I added a scheduled task (to be able to clear the cache of the SYSTEM account) with the following commands (as a cmd file):

    certutil -urlcache * delete
    certutil -v -verify -urlfetch <signing cert>.cer > urlfetch_system.txt
    certutil -v -urlcache CRL > urlcache_system.txt

    Afterwards certificates could be issued via FIM CM without problem.

    Best regards

    Friday, August 26, 2011 11:38 AM

All replies

  • On Tue, 16 Aug 2011 15:37:52 +0000, S.Kwan wrote:

    Message: None of the signers of the cryptographic message or certificate trust list is trusted.

    Sounds like you neglected to add the thumbprint of the CLM Agent
    certificate to the list of approved signing certificates on the CA's policy
    module.

    In the Certification Authority console, open the properties for your CA,
    then the properties for the Policy Module, on the Signing Certificates tab,
    paste the thumbprint for the CLM Agent cert. Restart Certificate Services.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Don't hit the keys so hard, it hurts.

    Tuesday, August 16, 2011 3:53 PM
  • Hi,

    That was my first thought earlier today - and that is exactly what I rechecked, and rechecked and rechecked.

    The thumbprint is in the Policy Module as in the .config file. Even restarted both the PKI and FIM CM servers.

    I was very much hoping this would fix it; but unfortunately it did not.


    Tuesday, August 16, 2011 4:05 PM
  • Just a thought: make sure that the issuing CA and subordinate CA certificate chains are trusted by the computer/FIM CM service account stores under Trusted Root Certification Authorities. You can check this with the Certificates snap-in.
    Tuesday, August 16, 2011 5:17 PM
  • Just a thought: make sure that the issuing CA and subordinate CA certificate chains are trusted by the computer/FIM CM service account stores under Trusted Root Certification Authorities. You can check this with the Certificates snap-in.

    The problem is on the actual CA server... it trusts itself. I have confirmed that the chain also exists on the FIM CM server.
    Tuesday, August 23, 2011 11:45 AM
  • I have exactly the same problem (same error, same behaviour, checked signing cert hash, etc.). Maybe someone has a hint regarding the internal cert chain validation within the FIM policy module? Is there a difference compared to the normal cert chain validation? When I put the signing cert in the cert store of that machine (local system/user), the chain validation shows no problem. So maybe there is a difference.

    Additionally, it is quite odd, as I have a second CA (with exactly the same configuration, used for user certs) and this one is working without problems.

    Thursday, August 25, 2011 10:01 AM