- Microsoft Forefront Identity Manager 2010 R2 Service Pack 1
- Certificate Management
PROBLEM SCENARIO DESCRIPTION
Certificate management – renewal of the CLM agent certificate does not work.
Error(s): One or more signatures did not include the required application or issuance policies. The request is missing one or more required valid signatures. 0x8009480b-2146875381
The general cause of this issue, is that the Smart Card Template had the property “Number of Authorized Signatures” set to 1. There was no Signing Certificate found to sign the certificates, so the request failed. Likely because the CLM Agent Certificate is the Signing Certificate.
|NOTE||This is appropriate for a Smart Card. However, not the CLMAgent Certificate. The CLMAgent Certificate is usually manually created and renewed by an Administrator.|
Check the certificate that needs to be renewed
- Log on to the Certificate Management Server as the CLM Agent Account
- Open the Certificate Snap-In, Personal Store
- There should be a CLMAgent or CMAgent Certificate (*NOTE: The name may vary depending on solution)
- Select the Details Tab and then Certificate Template Information (*NOTE: This will help to identify the certificate template that has been utilized.)
- Once you have identified the Certificate Template, locate the Template
- Navigate to the CA and open the Certificate Templates snap-in (not certificates)
- Locate the MIM CM Signing Template
- Select the Issuance Requirements tab
- Temporarily de-select the CA Certificate Manager Approval and This number of authorized signatures
- Click Ok
- Renew the CLM Agent Certificate
- Then, if your business rules ask for it, revert the template back by selecting the items in (d).
Support / Additional Links
- [Support Tip]: FIM CM 2010 / MIM CM 2016 Admin Key Diversification and Certificate Renewal: https://blogs.technet.microsoft.com/iamsupport/2016/08/03/support-tip-fim-cm-2010-mim-cm-2016-admin-key-diversification-and-certificate-renewal/
- Deploying Microsoft Identity Manager Certificate Manager 2016 (MIM CM): https://docs.microsoft.com/en-us/microsoft-identity-manager/mim-cm-deploy
- Manually assigning, renewing or replacing FIM CM account certificates: https://docs.microsoft.com/en-us/previous-versions/mim/hh149034(v=ws.10)