Channel: Security forum

FIM CM fails to issue certificates every few days


I have two Windows Server 2008 R2 issuing CAs (one for computers and one for users). I'm also using FIM CM 2010 to enroll certificates. I have issued certificates for clmAgent, clmEnrollAgent and clmKRAgent, whilst logged in with these accounts, from the User issuing CA. I have added the thumbprints from these to the web.config file as described in Microsoft article "Manually assigning, renewing or replacing FIM CM account certificates" on both issuing CAs. I have configured the thumbprint of the clmAgent on the Policy Module of both issuing servers. I have also specified the clmKRAgent certificate as the Key Recovery agent on both issuing CAs.

I can issue a WebServer certificate using FIM CM from the computer issuing CA. However, every couple of days FIM CM stops working with the error "The request was denied by a certificate manager or CA administrator. 0x80094014 (-2146877420)". I also get an error in the FIM CM event log on the FIM CM server stating that "None of the signers of the cryptographic message or certificate trust list is trusted".

I decided to revoke the original clmAgent, clmEnrollAgent and clmKRAgent certificates to see if this would resolve my issue, which it hasn't even though I have updated the web.config on the FIM CM server and policy module and key recovery on the issuing CAs to reflect these new certificates.

I now get, on the computer issuing CA (which should issue the certificate), an event 77: "The 'FIM CM Policy Module' policy module logged the following warning: The CertificateTemplateName certificate template could not be loaded. Element not found. 0x80070490 (WIN32: 1168)." The strange thing is that CertificateTemplateName refers to a certificate template that was originally used for the clmAgent, but I issued a new certificate using a new certificate template while trying to resolve the intermittent FIM CM error I mentioned above.

I can resolve the error by running a scheduled task on the computer issuing CA, as the system account. The batch script that I run contains the following commands:

REM Flush the URL cache (CRLs, AIA certificates, OCSP responses) for the account running the task
certutil -urlcache * delete
REM Rebuild the chain for the FIM CM signing certificate with fresh fetches and log the verbose result
certutil -v -verify -urlfetch <signing cert>.cer > urlfetch_system.txt
REM List the CRL entries now held in the URL cache
certutil -v -urlcache CRL > urlcache_system.txt

If I view the text file urlcache_system.txt it seems to fail and states "no more data". However, after running this scheduled task FIM CM will issue certificates without issue, but then the same issue returns after another couple of days.

I have rechecked all the thumbprints time and time again and they are definitely correct.

I was getting an error on the user issuing CA of event 130 with a source of CertificateAuthority and a message of "Active Directory Certificate Services could not create a certificate revocation list. Bad data. 0x80090005", but I deleted the http CRL entry from the user issuing CA and re-added it and this error went away, even though I couldn't see anything wrong with this entry and I could use the URL to view the CRL. I'm not sure if this is related to my issue above.

I also have a baseline security GPO applied, so could this be causing any issues with the policy module, such as the system account requiring some user rights that may have been removed? I doubt whether this has happened but I'm just trying to give a full picture.

Any assistance would be greatly appreciated. 

