ISSUE

FIM CM certificate requests fail. The error returned in the CM request page is "denied by Policy Module."

TROUBLESHOOTING

Application and FIM Certificate Manager event logs

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 5/30/2013 12:17:36 PM
Event ID: 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: CA.contoso.com
Description:
Active Directory Certificate Services denied request xxxx because An unknown error occurred while processing the certificate. 0x80090327 (-2146893017). The request was for CN=CA.contoso.com. Additional information: Denied by Policy Module

Log Name: FIM Certificate Management
Source: FIM CM CA Modules
Date: 5/30/2013 12:17:36 PM
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: CA.contoso.com
Description:
"2013-05-30 12:17:36.56 -05" "Microsoft.Clm.PolicyModule.Policy" "Microsoft.Clm.Shared.CertificateServer.EnrollmentAttributes LoadEnrollmentAttributesData(System.String)" "" "NT AUTHORITY\SYSTEM" 0x00001C84 0x00000004
 
1) Exception Information
*********************************************
Exception Type: System.ApplicationException
Message: Unable to verify certificate validity.
Data: System.Collections.ListDictionaryInternal
TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)
HelpLink: NULL
Source: Microsoft.Clm.PolicyModule
StackTrace Information
*********************************************
at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)
at Microsoft.Clm.PolicyModule.Policy.LoadEnrollmentAttributesData(String xml)
 
2) Exception Information
*********************************************
Exception Type: System.Security.Cryptography.CryptographicException
Message: None of the signers of the cryptographic message or certificate trust list is trusted.
Data: System.Collections.ListDictionaryInternal
TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)
HelpLink: NULL
Source: Microsoft.Clm.PolicyModule
StackTrace Information
*********************************************
at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)

Enabling FIM CM logging (clm.txt) finds the following.

Request certificate from CA for certificate template: FIMCMCheckout. Status: -2146877420. Disposition: Denied. Disposition Message: Denied by Policy Module. Error Message: The request was denied by a certificate manager or CA administrator. 0x80094014 (-2146877420)

FURTHER TROUBLESHOOTING

Based on the exception details in the CM module event CAPI2 event logging was enabled on the CA. Reproducing the issue logged several CAPI2 events. The most notable example is below.

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 5/30/2013 1:19:25 PM
Event ID: 42
Task Category: Reject Revocation Information
Level: Error
Keywords: Revocation,Path Validation
User: SYSTEM
Computer: CA.contoso.com
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>42</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>42</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000005</Keywords>
<TimeCreated SystemTime="2013-05-30T18:19:25.984466500Z" />
<EventRecordID>17757</EventRecordID>
<Correlation />
<Execution ProcessID="8428" ThreadID="7344" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>CA.contoso.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<UserData>
<CertRejectedRevocationInfo>
<SubjectCertificate fileRef="85E6EA9235EC50D0AA98D8EEF86B91020DA7AC60.cer" subjectName="SVC_FIMCM_Agent" />
<IssuerCertificate fileRef="BA02C4B3EE999E878E5145883733A4CF069D28DE.cer" subjectName="CA" />
<CertificateRevocationList location="Store" fileRef="322DD0D0B6CEF55C8D276661F10A7ECEADEB6F0E.crl" issuerName="CA" />
<Action name="CheckTimeValidity" />
<EventAuxInfo ProcessName="certsrv.exe" />
<CorrelationAuxInfo TaskId="{6356E380-076B-4286-8E3A-C37766BBE58A}" SeqNumber="3" />
</CertRejectedRevocationInfo>
</UserData>
</Event>

The event indicated something may be amiss with a CRL on the CA. Checking the CRL file on the CA itself (%systemroot%\System32\CertSrv\CertEnroll) found an expired CRL. However the externally published CRL (AD, http site, etc.) was current.

RESOLUTION

Published a new CRL in the Certification Authority snap-in and the local file (and others) updated as expected.

Sample Screenshots

Location and viewing local CRL file on CA

Publishing a new CRL