Overview / Purpose

I recently worked on a FIM Certificate Management issue and wanted to share the information acquired during this troubleshooting session, along with what ended up resolving the issue.


Problem statement

Windows Update Services updated the Bulk Client to FIM Certificate Management 2010 Update 2. Once that was noticed, Update 2 was installed across the rest of FIM Certificate Management. Attempting to issue Smart Cards through the Bulk Client tool then produced the following error message.


Error message

The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)


FIM CM - Verbose Logging information

An error occurred during request execution. Request:

Exception Information

Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023174
Message: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Data: System.Collections.ListDictionaryInternal
TargetSite: Microsoft.Clm.CertificateServices.Interop.PropertyType GetCAPropertyFlags(System.String, Microsoft.Clm.CertificateServices.Interop.CAProperty)
HelpLink: NULL
Source: Microsoft.Clm.CertificateServices.Interop

StackTrace Information

Server stack trace:
   at Microsoft.Clm.CertificateServices.Interop.ICertRequest2.GetCAPropertyFlags(String strConfig, CAProperty PropId)
   at Microsoft.Clm.CertificateServices.Interop.CertRequest.GetCAProperty(String config, CAProperty property, Int32 index, CAFormatFlag flags)
   at Microsoft.Clm.BusinessLayer.CertificateServer.IsOnline()
   at Microsoft.Clm.BusinessLayer.RequestExecution.CheckCertificateAuthorityAvailable(UserProfile profileTemplate)
   at Microsoft.Clm.BusinessLayer.RequestExecution.RequestCertificates(Guid requestGuid, UniqueCertificateRequests enroll, String password, String comment)
   at Microsoft.Clm.BusinessLayer.SmartCard.SmartCard.EnrollGenerateCerts(Request aRequest, UniqueCertificateRequests enrollData, String pfxPassword, CertificateRequestResults& requestResults)
   at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.EnrollProtocol.Process()
   at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.ProcessClientMessage()
   at Microsoft.Clm.BusinessLayer.SmartCard.BaseCsp.Protocol.ProcessClientMessage(Guid requestUuid, bcspClientMsg clientMsg)
   at Microsoft.Clm.BusinessLayer.RemoteRequests.ProcessBaseCspClientMessage(Guid requestUuid, bcspClientMsg msg, CultureInfo uiCulture, CultureInfo culture)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Clm.BusinessLayer.RemoteRequests.ProcessBaseCspClientMessage(Guid requestUuid, bcspClientMsg msg, CultureInfo uiCulture, CultureInfo culture)
   at Microsoft.Clm.BulkClient.BaseCsp.ClientProtocol.ExecuteRequest(Guid requestUuid, String reader)
   at Microsoft.Clm.BulkClient.RequestExecution.RequestExecutionWorkerThread.ExecuteSmartCardRequest(Guid guidReq, Boolean isBaseCsp)
   at Microsoft.Clm.BulkClient.RequestExecution.RequestExecutionWorkerThread.DoWork()


In this particular issue, we discovered the cause of the problem to be an Access Denied error. We discovered that the account issuing the smart cards did not allow delegation.


Troubleshooting steps

Possible problem connecting to the Certificate Authority (CA):

Microsoft Knowledge Base Article KB-975795 (Error Connecting to Certificate Authority: <domain>\<CA name>) provides information about this error and lists items to check.

*NOTE: Even if you have already checked some of these, it is important to double-check them, as that is what we did in this case and we were able to locate the issue.

In one customer issue, we discovered that item #4 in the above-mentioned Microsoft Knowledge Base Article was actually our problem.

#4 The user account requesting the certificate might have the "Account is sensitive and cannot be delegated" checkbox checked in the Account options section of the Account tab in AD Users and Computers.

  • Validate that the versions of the Bulk Client and the Smart Card Client on the client machine are the same.
  • Validate config files:

    It is very possible that the config files may have been overwritten during the installation of the update.  If you have a backup of the config files, compare them against what is currently there to confirm that they are the same.  If they are not, replace the config files with the ones from your backup. 



Allow delegation for the account issuing the Smart Cards (clear the "Account is sensitive and cannot be delegated" checkbox described in item #4).
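
One way to check for the flag from item #4 and clear it from PowerShell instead of AD Users and Computers. This is an added example, not part of the original article or of FIM CM; it assumes the ActiveDirectory module (RSAT) is installed, and the function name `Test-CmIssuerDelegation` and the account name `svc-cm-issuer` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

# NOT_DELEGATED bit of userAccountControl. It backs the
# "Account is sensitive and cannot be delegated" checkbox.
$NOT_DELEGATED = 0x100000

function Test-CmIssuerDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Identity,

        # When set, clear the flag on accounts that have it.
        [switch]$AllowDelegation
    )
    process {
        foreach ($id in $Identity) {
            $user = Get-ADUser -Identity $id -Properties userAccountControl
            $blocked = [bool]($user.userAccountControl -band $NOT_DELEGATED)

            if ($blocked -and $AllowDelegation -and
                $PSCmdlet.ShouldProcess($user.DistinguishedName,
                    'Clear "Account is sensitive and cannot be delegated"')) {
                Set-ADAccountControl -Identity $user -AccountNotDelegated $false
                $blocked = $false
            }

            # One result object per account, reflecting the state after any change.
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
                CannotBeDelegated = $blocked
            }
        }
    }
}

# Report only (hypothetical account name):
Test-CmIssuerDelegation -Identity 'svc-cm-issuer'

# Preview the change; remove -WhatIf to apply it:
Test-CmIssuerDelegation -Identity 'svc-cm-issuer' -AllowDelegation -WhatIf
```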
