OVERVIEW / PURPOSE

I recently worked my way through a FIM Certificate Management configuration issue where the Configuration Wizard was failing with a logon failure.

PROBLEM STATEMENT

You have just installed Forefront Identity Manager 2010 Certificate Management and are now going through the Configuration Wizard. In doing so, you receive an error message:

ERROR MESSAGE

Logon failed for the user clmKRAgent@clmsamp.samples.  Please check username and password.
> Logon failure: unknown user name or bad password. 
(Exception from HRESULT: 0x8007052E)

You investigate the Configuration Wizard log file (%programfiles%\Microsoft Forefront Identity Management\2010\Certificate Management\config.log) and find the following information.

CONFIGURATION WIZARD LOG FILE

(%programfiles%\Microsoft Forefront Identity Management\2010\Certificate Management\config.log) 

"2012-05-15 16:08:01.27 -05" "Microsoft.Clm.Config.Core.CertificateAuthority" "System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001

General Information
*********************************************
Additional Info:
Logon failure: unknown user name or bad password for the user: clmKRAgent@clmsamp.samples

1) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*********************************************
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Clm.Security.Principal.LoggedOnUser.Logon(String userName, String password)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password, LogonType logonType, LogonProvider logonProvider)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
"2012-05-15 16:08:01.29 -05" "Microsoft.Clm.Config.Core.CertificateAuthority" "System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)" "" "PROD\da.matt.chambers" 0x00000E04 0x00000001

General Information
*********************************************
Additional Info:
Failed to issue certificate for user: clmKRAgent@clmsamp.samples

1) Exception Information
*********************************************
Exception Type: System.UnauthorizedAccessException
Message: Logon failed for the user clmKRAgent@clmsamp.samples. Please check username and password
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)
HelpLink: NULL
Source: Microsoft.Clm.Config

StackTrace Information
*********************************************
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)

2) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*********************************************
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Clm.Security.Principal.LoggedOnUser.Logon(String userName, String password)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password, LogonType logonType, LogonProvider logonProvider)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
"2012-05-15 16:08:01.29 -05" "Microsoft.Clm.Config.Steps.Finish" "Void Finish_Activated(System.Object, System.EventArgs)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001

1) Exception Information
*********************************************
Exception Type: System.UnauthorizedAccessException
Message: Logon failed for the user clmKRAgent@clmsamp.samples. Please check username and password
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)
HelpLink: NULL
Source: Microsoft.Clm.Config

StackTrace Information
*********************************************
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
   at Microsoft.Clm.Config.Steps.Finish.CreateKeyRecoveryUser()
   at Microsoft.Clm.Config.Steps.Finish.Finish_Activated(Object sender, EventArgs e)

2) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*********************************************
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Clm.Security.Principal.LoggedOnUser.Logon(String userName, String password)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password, LogonType logonType, LogonProvider logonProvider)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
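
An added example, not part of the original post: a small Python triage script for config.log. It shows that the signed ErrorCode -2147023570 and HRESULT 0x8007052E are the same value, decodes it to Win32 error 1326, and pulls out the account whose logon failed in each entry. The function names and the embedded sample (abridged from the excerpt above) are constructed for illustration.

```python
import re

# Win32 logon error codes (winerror.h); the log on this page shows 1326.
WIN32_LOGON_ERRORS = {1326: "ERROR_LOGON_FAILURE", 1331: "ERROR_ACCOUNT_DISABLED",
                      1909: "ERROR_ACCOUNT_LOCKED_OUT"}
# Entry header: "timestamp" "component" "method" "" "calling user" flags
HEADER = re.compile(r'^"([^"]+)" "([^"]*)" "[^"]*" "[^"]*" "([^"]*)"')
USER = re.compile(r"for (?:the )?user:? (\S+?)\.?(?:\s|$)")
CODE = re.compile(r"^ErrorCode: (-?\d+)")

def decode_error_code(error_code):
    """Split the signed Int32 from an 'ErrorCode:' line into HRESULT parts."""
    hresult = error_code & 0xFFFFFFFF    # two's complement -> unsigned 32-bit
    facility = (hresult >> 16) & 0x1FFF  # 7 == FACILITY_WIN32
    code = hresult & 0xFFFF              # low word carries the Win32 error
    name = WIN32_LOGON_ERRORS.get(code, "UNKNOWN") if facility == 7 else "NOT_WIN32"
    return {"hresult": f"0x{hresult:08X}", "win32": code, "name": name}

def summarize(log_text):
    """One record per log entry: time, component, caller, failing user, error."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "component": m.group(2),
                            "caller": m.group(3), "user": None, "error": None})
        elif entries:
            cur, u, c = entries[-1], USER.search(line), CODE.match(line)
            if u and cur["user"] is None:
                cur["user"] = u.group(1)       # account the wizard tried to log on
            if c and cur["error"] is None:
                cur["error"] = decode_error_code(int(c.group(1)))
    return entries

# Abridged from the log excerpt on this page (method signatures shortened).
SAMPLE = r'''"2012-05-15 16:08:01.27 -05" "Microsoft.Clm.Config.Core.CertificateAuthority" "System.Object IssueCertificateForUser(...)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001
Additional Info:
Logon failure: unknown user name or bad password for the user: clmKRAgent@clmsamp.samples
ErrorCode: -2147023570
"2012-05-15 16:08:01.29 -05" "Microsoft.Clm.Config.Steps.Finish" "Void Finish_Activated(System.Object, System.EventArgs)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001
Message: Logon failed for the user clmKRAgent@clmsamp.samples. Please check username and password
ErrorCode: -2147023570
'''

if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(e["time"], e["component"], e["user"], e["error"])
```

The "caller" field is the account running the wizard, while "user" is the agent account the wizard failed to log on as; in the excerpt above these are different accounts.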

RESOLUTION / WORK AROUND

The best way around this error is to create the accounts necessary for Certificate Lifecycle Manager 2007 or FIM Certificate Management prior to running the Configuration Wizard.  During the Configuration Wizard on the Accounts page:

  1. Uncheck the box to use the defaults
  2. Click the button for Custom Accounts
  3. On each tab, in the lower left, check "Use existing account"
  4. In the username textbox, enter <domain>\<name of the account you created for the agent specified on the current tab> (e.g. CLMSAMP\clmAgent)
  5. Repeat Steps 3 and 4 for each tab
  6. Click OK when finished
  7. Finish the Wizard

 
