Monday, November 2, 2009

Forefront Identity Manager 2010 CM: errors and solutions

Unable to check CA in Edit Profile template


Something is wrong with the SQL connection between the CA Exit Module and the SQL Server.
If you use SQL authentication, check the password. Otherwise, check the Kerberos SPN.
Check the log: Application and Services Logs > FIM Certificate Management
Restart AD CS, then check 10 seconds later whether any warning has been raised in that log.

Value cannot be null. Parameter name byte


If you manually installed the certificates in the agents' store, you have to fill in the certificate hashes in web.config. See Installation > Edit the web.config
Open the web.config file of certificatemanagement.
Search for "Hash", and check that the hash is that of the FIM CM agent certificate.
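
The check above can be scripted. This is an added example, not part of the original post or of FIM CM itself: it lists every web.config setting whose key contains "Hash" and looks each value up in a certificate store. Assumptions: the values are SHA-1 thumbprints (40 hex characters), the $WebConfigPath and $StorePath parameters are placeholders you supply, and a setting may hold several hashes separated by commas or semicolons.

```powershell
param(
    # Placeholder: full path to the web.config of your CM web application.
    [Parameter(Mandatory = $true)][string]$WebConfigPath,
    # Assumption: the store holding the agent certificates; adjust as needed.
    [string]$StorePath = 'Cert:\CurrentUser\My'
)

[xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw

# Index the certificates in the store by thumbprint (upper-case hex).
$certs = @{}
Get-ChildItem -Path $StorePath |
    ForEach-Object { $certs[$_.Thumbprint.ToUpperInvariant()] = $_ }

# Every <add key="...Hash..." value="..."/> element, whatever its namespace.
$nodes = $config.SelectNodes("//*[local-name()='add'][contains(@key,'Hash')]")

foreach ($node in $nodes) {
    $key = $node.GetAttribute('key')
    # Assumption: a setting may list several hashes separated by , or ;
    $values = @($node.GetAttribute('value') -split '[,;]' | Where-Object { $_.Trim() })
    if ($values.Count -eq 0) {
        [pscustomobject]@{ Key = $key; Hash = ''; Status = 'EMPTY'; Subject = $null }
        continue
    }
    foreach ($raw in $values) {
        # Keep hex digits only, so spaces or invisible characters do not hide a match.
        $hash = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $cert = $certs[$hash]
        if ($hash.Length -ne 40) { $status = 'NOT 40 HEX CHARACTERS' }
        elseif ($raw.Trim() -ne $hash) { $status = 'STRAY CHARACTERS IN VALUE' }
        elseif (-not $cert) { $status = 'NO SUCH CERTIFICATE IN STORE' }
        elseif ($cert.NotAfter -lt (Get-Date)) { $status = 'CERTIFICATE EXPIRED' }
        else { $status = 'OK' }
        [pscustomobject]@{
            Key = $key; Hash = $hash; Status = $status
            Subject = $(if ($cert) { $cert.Subject })
        }
    }
}
```

Run it under the account whose store you want to inspect when $StorePath points at a CurrentUser store.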


Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system Administrator. Additional information: Automation server can't create object


If you are on an x64 system, install FIM CM x64 and use the 64-bit version of Internet Explorer.

FIM CM: while reading the smart card


Client encountered an unexpected error while trying to communicate with the server.
Error number: -2146828218
Error description: Permission denied



If you use v3 certificate templates (Windows 2008) for the agents instead of v2 (Windows 2003),
the following errors will appear.


Currently, FIM 2010 RC1 CM only supports v2 templates.
Not sure whether any improvements will be made for RTM.
Please note that this event is related to the following ones:

Windows Logs > Security > Failed login - Key Migration failed


Event ID 5059. Key operation migration failed
clmAgent ; User key ; RSA ; import of persistent cryptographic key 0x80090029 The requested operation is not supported;
----------------------------------
Key migration operation.
...
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
...
Additional Information:
Operation: Import of persistent cryptographic key.
Return Code: 0x80090029
----------------------------------

Consequences:
- When performing an enroll request on behalf of another user: Data at the root level is invalid. Line 1, position 1
- When executing a software certificate enroll: Invalid provider type specified.
Check http://www.apollojack.com/2009/06/invalid-provider-type-specified.html
