Support-Tip:(CM): FIM/MIM Certificate Management (CM) and Certificate Management Agent (cmAgent) certificate issued by a Foreign Certification Authority (CA)

 

Applies To:

  • Forefront Identity Manager 2010 (All builds)
  • Forefront Identity Manager 2010 R2 & R2 SP1
  • Microsoft Identity Manager 2016 & SP1

PROBLEM SCENARIO DESCRIPTION

CM is servicing a Certification Authority (CA1), however it was different Certification Authority (CA2) that issued cmAgent certificate.

CM certificate requests targeted to CA1 will fail (Denied by Policy Module) and errors will be logged in several places:

  1. The FIM Certificate Management event log on the CA (Log Name: FIM Certificate Management, Source: FIM CM CA Modules) contains the following: “2015-06-29 14:03:18.48 -04” “Microsoft.Clm.PolicyModule.Policy” “Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)” “” “NT AUTHORITY\SYSTEM” 0x00000F6C 0x00000006

1) Exception Information

*********************************************

Exception Type: System.ApplicationException

Message: Unable to verify certificate validity.

Data: System.Collections.ListDictionaryInternal

TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)

HelpLink: NULL

Source: Microsoft.Clm.PolicyModule

 

StackTrace Information

*********************************************

   at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)

   at Microsoft.Clm.PolicyModule.Policy.LoadEnrollmentAttributesData(String xml)

 

2) Exception Information

*********************************************

Exception Type: System.Security.Cryptography.CryptographicException

Message: None of the signers of the cryptographic message or certificate trust list is trusted.

 

Data: System.Collections.ListDictionaryInternal

TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)

HelpLink: NULL

Source: Microsoft.Clm.PolicyModule

 

StackTrace Information

*********************************************

   at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)

 

By running the FIM CM Policy Module on the foreign CA in “verbose mode” you will see the following error message:

Signing certificate (hash=[<hash_of_the_cmagent_certificate>] is invalid.  Verification status=[The revocation function was unable to check revocation because the revocation server was offline.

  1. In the CA’s Application log EventID 53 will be written:

Active Directory Certificate Services denied request <RequestID> because An unknown error occurred while processing the certificate. 0x80090327 (-2146893017).  The request was for <domain\user>.  Additional information: Denied by Policy Module

  1. CM logging (clm.txt) also contains this error: Request certificate from CA for certificate template: SomeCertificateTemplate. Status: -2146877420. Disposition: Denied. Disposition Message: Denied by Policy Module. Error Message: The request was denied by a certificate manager or CA administrator. 0x80094014 (-2146877420)
NOTE All versions of CLM/FIM CM/MIM CM are affected

CAUSE

This situation will occur if:

  1. a) A foreign PKI (not the one served by CM) issued cmAgent certificate
  2. b) If a single instance of CM serves more than one CA.

During certificate enrollment and verification of the certificate request, CA verifies cmAgent certificate.

This verification is by default done using “Offline” mode.

“Offline” means, the CA will verify the cmAgent certificate using the local CRL cache and will NOT try to retrieve CRL from network locations.

“Offline” check works very fast but will succeed only if cmAgent certificate is used by the same CA that verifies the certificate request and cmAgent certificate.

But if foreign PKI issued cmAgent certificate or it there are two or more CAs served by the CM, “Offline” revocation will not be sufficient (local CRL cache on the CA does not contain relevant revocation info, because cmAgent certificate is issued by different CA and CRL from this different CA is required for successful check), verification of cmAgent certificate will return “revocation server was offline” and consequently CM certificate requests fail.

 RESOLUTION:

The solution is to set the CA (the one where the errors are reported and the one that didn’t issue cmAgent certificate) to “Online” mode.

This will allow the CA to retrieve revocation info from the network.

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\[CA Name]\PolicyModules\Clm.Policy

Name = CertificateRevokationMode

Type = Reg_SZ

Value = Online

(please note that “k” in CertificateRevokationMode is NOT a typo)

 

It is still possible the certificate verification will fail for some other reasons, like, CRLs not available even if online check is done or maybe trust issue (in this case you should consult CAPI2 Log https://technet.microsoft.com/en-us/library/cc749296(v=ws.10).aspx), however, moving to “Online” mode is required step in the given scenario.

 

ADDITIONAL INFORMATION / RESOURCES FOR CERTIFICATE MANGAEMENT