FIM CM Cannot issue Smart Card

  • Question

  • I have installed and configured FIM 2010 R2 SP1 and all is working, but I cannot issue a smart card. I get this error on the web page. The smart card is a Gemalto USB "SmartCard Gemalto .net V2+".

    I have the middleware and card reader installed and all seems to be in order.

    After this screen, I get the error below.

    I enabled logging locally and this is all I get.

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::LoadOnReader ATR=3B1696417374726964

    CCardModuleImpl::LoadOnReader Name=Axalto Cryptoflex .NET

    CCardModuleImpl::LoadOnReader Provider=axaltocm.dll

    CCardModuleImpl::LoadOnReader CSP Name=Microsoft Base Smart Card Crypto Provider

    CCardModuleImpl::LoadOnReader CardId={3BBC36B9-9858-5F58-290C-81EA6707CDDE}

    AdkDispatchMessages() 4

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 6

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::LoadOnReader ATR=3B1696417374726964

    CCardModuleImpl::LoadOnReader Name=Axalto Cryptoflex .NET

    CCardModuleImpl::LoadOnReader Provider=axaltocm.dll

    CCardModuleImpl::LoadOnReader CSP Name=Microsoft Base Smart Card Crypto Provider

    CCardModuleImpl::LoadOnReader CardId={3BBC36B9-9858-5F58-290C-81EA6707CDDE}

    AdkDispatchMessages() 7

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 3

    > CSCardResourceManager::GetClientVersion

    CSCardResourceManager::GetClientVersion retrieving module name

    CSCardResourceManager::GetClientVersion retrieving FileVersionInfo

    CSCardResourceManager::GetClientVersion querying version number

    < CSCardResourceManager::GetClientVersion

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 5

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    < CCardManager::EndTransactionKeepAlive Started

    SmartCardTransactionKeepAlive::EndTransactionKeepAlive

    < CCardManager::EndTransactionKeepAlive Completed

    < CCardManager::InitializeSecureSession

    --- InitializeSecureSession.ValidateCertChain skipped

    > CCardManager::InitializeSecureSession SUCCEEDED

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 7

    CCardModuleImpl::BeginTransaction Began transaction

    CCardModuleImpl::EndTransaction Ended transaction

    AdkDispatchMessages() 4

    CCardModuleImpl::BeginTransaction Began transaction

    < CCardManager::StartTransactionKeepAlive Started

    SmartCardTransactionKeepAlive::StartTransactionKeepAlive

    SmartCardTransactionKeepAlive::StartTransactionKeepAlive Starting Keep Alive thread

    SmartCardTransactionKeepAlive::StartTransactionKeepAlive Completed

    < CCardManager::StartTransactionKeepAlive Successfuly started

    < CCardManager::StartTransactionKeepAlive Completed


    Nosh Mernacaj, Identity Management Specialist


    Wednesday, October 19, 2016 2:55 PM

Answers

  • Working with Nosh, we found the issue with several items:

    Item1: Agent cert did not have encryption type
    Item2: SMIME Capabilities missing from cert
    Item3: Root CA for cert issued was missing from trusted root and ntauth store

    Cheers

    Friday, October 21, 2016 5:23 PM
    Moderator
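The three items above are all properties you can verify on the server before re-issuing anything. The script below is an added example for this page, not code from the thread or from FIM CM; it assumes you run it elevated on the FIM CM server, that the agent certificate is in the machine store (Cert:\LocalMachine\My), and that you pass its thumbprint. It checks Key Usage for KeyEncipherment (a "Signature"-only template gives DigitalSignature only, which is the "Server key exchange certificate does not support key exchange" failure in SessionProtector.unwrapKey), checks for the S/MIME Capabilities extension, builds the chain against the local Trusted Root store, and checks whether the issuing CA is in the enterprise NTAuth store via the registry key the domain populates.

```powershell
# Added example, not part of the original thread: checks a FIM CM agent
# (clmAgent) certificate for the three problems the accepted answer lists.
# Assumptions: run elevated on the FIM CM server; the agent certificate is in
# Cert:\LocalMachine\My; the caller supplies its thumbprint.
param(
    [Parameter(Mandatory = $true)]
    [string]$AgentThumbprint
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $AgentThumbprint }
if (-not $cert) { throw "No certificate with thumbprint $AgentThumbprint in LocalMachine\My" }

$findings = @()

# Item 1: the agent key must be usable for key exchange. A template whose
# Purpose is "Signature" only yields DigitalSignature; the client's wrapped
# session key then cannot be unwrapped (SessionProtector.unwrapKey throws).
$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $kuExt -or -not $kuExt.KeyUsages.HasFlag($keyEnc)) {
    $findings += 'Key Usage lacks KeyEncipherment (template Purpose must be "Signature and encryption")'
}

# Item 2: S/MIME Capabilities extension, OID 1.2.840.113549.1.9.15. The
# "Signature and encryption" purpose adds it; "Signature" does not.
if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.2.840.113549.1.9.15' })) {
    $findings += 'S/MIME Capabilities extension (1.2.840.113549.1.9.15) missing'
}

# Item 3a: the chain must build, and its top must sit in the local Trusted Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $findings += "Chain does not build: $status"
}
$rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
if (-not (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $rootThumb })) {
    $findings += "Chain top $rootThumb is not in LocalMachine\Root"
}

# Item 3b: the issuing CA must be in the enterprise NTAuth store. Group Policy
# caches NTAuth under this registry key; 'certutil -enterprise -store NTAuth'
# lists the same certificates.
if ($chain.ChainElements.Count -gt 1) {
    $issuerThumb = $chain.ChainElements[1].Certificate.Thumbprint
    $ntauthKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$issuerThumb"
    if (-not (Test-Path $ntauthKey)) {
        $findings += "Issuing CA $issuerThumb is not in NTAuth (publish with: certutil -dspublish -f <ca.cer> NTAuthCA, then gpupdate /force)"
    }
}

if ($findings.Count -eq 0) { 'Agent certificate passes all three checks.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

If Item 1 or Item 2 fails, fixing the template alone is not enough: the existing agent certificate keeps its old extensions, so a new agent certificate has to be enrolled and its thumbprint updated in web.config and the CA policy module, as the reply below describes.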

All replies

  • I found a little more information on the FIM CM Server log.

    Actually, I found logs on the server (turns out the service was not able to write to it).

    Enterprise Caching: Getting Cache Manager: AccessControl.
    "2016-10-19 12:45:39.91 -04" "Microsoft.Clm.BusinessLayer.EnterpriseCaching" "System.Object GetCachedItem(EnterpriseCachingType, System.String)" "ONE\mernacan" "ONE\APP_MEMAUTHAGENT" 0x0000146C 0x00000003
    Enterprise Caching : Getting cached item: AC4:ONE\mernacan:99vCP8JChvnMV5waP1FSYDR5EVM=:1 ENT_CACHING_IN_CACHE ToString():'True'.
    "2016-10-19 12:45:39.91 -04" "Microsoft.Clm.BusinessLayer.AccessControlManager" "Boolean CheckRequestAccess(System.String, System.String, Microsoft.Clm.Common.RequestRights)" "ONE\mernacan" "ONE\mernacan" 0x0000146C 0x00000003
    Principal: ONE\mernacan, securityDescriptor: O:S-1-5-21-1085031214-73586283-839522115-755438D:(D;;LC;;;S-1-5-21-1085031214-73586283-839522115-769455)(A;;DCSW;;;S-1-5-21-1085031214-73586283-839522115-247903)(A;;SWRC;;;S-1-5-21-1085031214-73586283-839522115-247903)(A;;RC;;;WD)(A;;CCDCLCSWSDRC;;;S-1-5-21-1085031214-73586283-839522115-755438)(A;;DCSW;;;S-1-5-21-1085031214-73586283-839522115-769455)(A;;CCDCSW;;;S-1-5-21-1085031214-73586283-839522115-769455)       , desiredAccess: RequestExecute
    "2016-10-19 12:45:39.91 -04" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Microsoft.Clm.Security.Principal.RevertToSelfContext Revert()" "ONE\mernacan" "ONE\mernacan" 0x0000146C 0x00000003
    Reverting to the process identity
    "2016-10-19 12:45:39.96 -04" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Void Restore()" "ONE\mernacan" "ONE\APP_MEMWEBPOOL" 0x0000146C 0x00000003
    Restoring saved token identity
    "2016-10-19 12:45:39.96 -04" "Microsoft.Clm.Web.Modules.BaseCspUserControl" "Void ProcessClientMessage(Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Serialization.bcspClientMsg)" "ONE\mernacan" "ONE\mernacan" 0x0000146C 0x00000003


    1) Exception Information
    *********************************************
    Exception Type: System.ArgumentException
    Message: Server key exchange certificate does not support key exchange.
    ParamName: NULL
    Data: System.Collections.ListDictionaryInternal
    TargetSite: Void unwrapKey(Microsoft.Clm.Crypto.InteropX509Certificate, Byte[])
    HelpLink: NULL
    Source: Microsoft.Clm.Crypto

    StackTrace Information
    *********************************************
       at Microsoft.Clm.Crypto.SessionProtector.unwrapKey(InteropX509Certificate serverCert, Byte[] wrappedKey)
       at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.CreateSessionProtector()
       at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.ProcessClientMessage()
       at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.ProcessClientMessage(Guid requestUuid, bcspClientMsg clientMsg)
       at Microsoft.Clm.Web.Modules.BaseCspUserControl.ProcessClientMessage(bcspClientMsg msg)


    Nosh Mernacaj, Identity Management Specialist


    Wednesday, October 19, 2016 4:52 PM
  • Nosh Glad you found the issue

    Wednesday, October 19, 2016 5:32 PM
    Moderator
  • Sorry, I did not find the issue, just doing the LOG on the FIM CM Server, hoping to provide more details.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, October 19, 2016 5:34 PM
  • Nosh

    I would double-check and confirm the certificate template used.

    1. Update the certificate template used for the CLMAgent certificate
    - start certtmpl.msc and double click on the CLMAgent template
    - “Request Handling” tab -> Purpose: dropdown box set to “Signature and encryption” (“Signature” is not correct).

    2. Issue a new CLMAgent certificate using the updated CLMAgent certificate template (don’t forget to update web.config and the FIM CM CA Policy Module setting with the new clmagent certificate).

    Wednesday, October 19, 2016 6:31 PM
    Moderator
  • Thanks a lot David.

    Thing is, I can issue other types of certs, but only Smart Card fails. The same agent is used.


    Nosh Mernacaj, Identity Management Specialist


    Wednesday, October 19, 2016 6:57 PM
  • Hi Brian,

    Here is what the signature looks like on the clmAgent template.

    I am using CA 2008 Ent and FIM CM 2010 R2 Sp1.

    Here is the template for the Smartcard. Is SHA1 still supported in FIM CM?

    Lastly, clmAgent template is 2003 version, is that ok?


    Nosh Mernacaj, Identity Management Specialist

    Thursday, October 20, 2016 12:34 PM
  • Your Agent cert doesn't look right as I said earlier

    This cert is copied from the default user certificate template:


    See: https://technet.microsoft.com/en-us/library/gg430118(v=ws.10).aspx

    Thursday, October 20, 2016 12:48 PM
    Moderator
  • Thanks David,

    I will create a new one and let you know.

    I do see a discrepancy already, CSP for RSA missing.

    Thanks,

    Nosh


    Nosh Mernacaj, Identity Management Specialist

    Thursday, October 20, 2016 1:00 PM
  • Hi David,

    Thanks for your help thus far.  I recreated the templates following the instructions, still same results.

    CA is 2008 ENT, FIM CM 2010 R2 SP1.

    Agent Template is 2003 (As requested) and Smart Card Template is 2008.

    Thanks,

    Nosh


    Nosh Mernacaj, Identity Management Specialist

    Thursday, October 20, 2016 6:08 PM