FIM CM Certificate issuing related errors

  • Question

  • Hello!

    I am implementing a new installation of FIM 2010 R2 CM in a test environment.

    The test environment is "half-production", as it was built to be as close as possible to the active production environment.

    I have 2 DC servers (2008r2 sp1), a CA server, an MSSQL 2008 R2 server, and an application server for the FIM installation.

    I have done everything that's written in the "Test Lab Guide" document (blogs.technet.com/b/tlgs/archive/2010/11/04/test-lab-guide-demonstrate-fim-cm-2010.aspx), and when I reached the part of "Perform FIM CM subscriber tasks", and needed to "Request a new set of certificates", after clicking on "yes" on the "Web Access Confirmation" window, I get the following error:

    The version of OLE on the client and server machines does not match. 0x80010110

    This is happening when I try to do this procedure from a client station. Upon performing this from the FIM CM server itself, the process completes successfully.

    I've read (social.technet.microsoft.com/Forums/en-US/ilm2/thread/dc204523-be10-4a9e-9d81-3d5f54a6993d) that in some cases, downgrading the FIM CM's host server OS to 2008 (non-R2) helps work around this issue.

    I've installed a vanilla 2008 server, and installed the FIM CM module, and reinstalled the FIM CM CA Modules on the CA server.

    I verified the installation, as described in the installation guide, and retried issuing a new set of certificates, both from the server itself, and from a client station.

    This time, I get this error: "Certificate was not found in MY store of the FIM CM Agent User". This error is seen both from the server and from the client, upon requesting a new set of certificates.

    Please advise regarding this issue (regarding the FIM CM Agent User).

    Kind Regards,

    Marom. 

    Sunday, April 21, 2013 2:25 PM

All replies

  • The FIM CM Agent User needs a signing certificate in its MY Store, which either seems to be missing or not recognized by FIM CM. To resolve this, login as your FIM CM Agent User (or use Run As), start certmgr.msc, and check if it exists.

    If it doesn't exist, request a new certificate using the appropriate Certificate Template (if you did everything according to the lab guide, you should have created a Certificate Template for the Agent User).

    Now you either already had a certificate or generated a new one; at any rate, there's a certificate in the FIM CM Agent User's MY Store. Retrieve the certificate's Thumbprint from the certificate properties dialog and remove the blanks (i.e. change "AA 11 B4 EF ..." into "AA11B4EF.."). Then register the certificate in both FIM CM's web.config (setting Clm.ValidSigningCertificate.Hashes) and the CA Policy Module. This is described in more detail here.

    BTW, is there any chance that your original problem might have occurred because you had deployed a Service Pack or Hotfix on the server but not on the client?

    Wednesday, May 8, 2013 9:39 AM
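
The check described in the reply above, as an added PowerShell example that is not part of the original thread or of FIM CM itself: it compares the thumbprints in the current user's MY store with the Clm.ValidSigningCertificate.Hashes value in web.config. The `-WebConfigPath` parameter, the `<appSettings>` location of the key and the comma/semicolon separator are assumptions; the CA Policy Module registration is not checked.

```powershell
# Added example (not from the thread). Run it as the FIM CM Agent User so that
# Cert:\CurrentUser\My is that account's MY store.
param(
    # Assumption: path to FIM CM's web.config, supplied by the operator.
    [Parameter(Mandatory = $true)][string]$WebConfigPath
)

function ConvertTo-NormalizedThumbprint([string]$Text) {
    # Remove blanks and any other non-hex characters, then upper-case.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$config = New-Object System.Xml.XmlDocument
$config.Load((Resolve-Path -LiteralPath $WebConfigPath).ProviderPath)

# Assumption: the setting is an <add key="..." value="..."/> entry under <appSettings>.
$node = $config.SelectSingleNode("//appSettings/add[@key='Clm.ValidSigningCertificate.Hashes']")
if ($node -eq $null) { throw "Clm.ValidSigningCertificate.Hashes not found in $WebConfigPath" }

# Assumption: several hashes may be listed, separated by commas or semicolons.
$configured = @()
foreach ($entry in ($node.GetAttribute('value') -split '[,;]')) {
    $clean = ConvertTo-NormalizedThumbprint $entry
    if ($clean -eq '') { continue }
    if ($clean -ne $entry.Trim()) {
        Write-Warning "web.config entry '$entry' contains blanks or other non-hex characters"
    }
    if ($clean.Length -ne 40) { Write-Warning "'$clean' is not a 40-digit SHA-1 thumbprint" }
    $configured += $clean
}

$certs = @(Get-ChildItem Cert:\CurrentUser\My)
if ($certs.Count -eq 0) { Write-Warning 'MY store of the current user is empty' }

# Show each certificate and whether web.config lists its thumbprint.
$certs | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
    @{ Name = 'InWebConfig'; Expression = { $configured -contains $_.Thumbprint } } |
    Format-Table -AutoSize

# Report configured hashes that have no certificate in the store.
$storeThumbs = @($certs | ForEach-Object { $_.Thumbprint })
foreach ($hash in $configured) {
    if ($storeThumbs -notcontains $hash) {
        Write-Warning "Configured hash $hash has no certificate in Cert:\CurrentUser\My"
    }
}
```

A certificate that shows `InWebConfig` as False, or `HasPrivateKey` as False, is a candidate cause for the "Certificate was not found in MY store" error quoted in the question.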

  • Hey, Nils!

    The OLE problem occurred in a static environment, in which no patch or fix was applied.

    I am referring to the FIM CM server, the client, as well as the DC, SQL server, and the CA server. 

    I should mention at this point, that for a brief time period (a few days), this error no longer appeared, and I was able to issue temp and permanent smart cards, as well as revoking them etc...

    Yesterday, after not having changed anything in the environment, this happened again. ("OLE version mismatch")

    I checked and rechecked everything possible, including the web.config file, the hashes, permissions, CA templates, FIM CM templates... EVERYTHING!

    Any ideas? Do you think re-installing the FIM CM server would help? (re-running the wizard and re-associating all of the CLM services?)



    Thanks!

    Marom.

    Wednesday, May 8, 2013 10:20 AM

  • Hello, everyone!

    Regarding the first issue I posted here, the OLE problem:

    The issue has been resolved.

    It sure was a weird one:

    Apparently, the applicationHost.config file was modified.

    One of our programmers must have modified it for debugging purposes, and failed to revert the file to the original version.

    Luckily I keep backups of important files such as this file and the web.config file, so I could replace the defective file with the previous one.

    The file is located in this path: %windir%/System32/inetsrv/config

    iisreset is required after the modification of the file, for changes to apply.

    The second issue, with "MY store" has not been addressed yet, but is now moot.

    Thanks a lot!

    Monday, May 20, 2013 3:04 PM