Debug shortcuts for FIM/ILM/CLM

Article
07/31/2011

When getting an error back from one of the CLM policy modules that are loaded by the CA ("denied by policy module") it may be useful to enable CLM Policy module debug logging as well as CA server debug logging.

You can manually edit the registry settings using the details on Technet but it's a bit cumbersome as the 'CANAME' part will be different for each installation obviously.

To accomplish this in a more convenient way you can use the Certutil command with the -setreg CA option:

certutil -setreg caPolicyModulesCLM2.Policy Verbose

certutil -setreg caPolicyModulesCLM2.PolicyModule Verbose

certutil -setreg caPolicyModulesCLM2.PolicyModule.Dump Verbose

certutil -setreg caPolicyModulesCLM2.PolicyModulePlugins Verbose

certutil -setreg caExitModulesCLME2.ExitModule Verbose

certutil.exe -f -setreg cadebug 0xffffffff

Net Stop Certsvc && Net Start Certsvc

Note that some of the settings above are only relevant for FIM but will be ignored by ILM and CLM.

Troubleshooting CLM 2007:
http://technet.microsoft.com/en-us/library/cc720663(WS.10).aspx

FIM CM Logging and random errors
http://blogs.msdn.com/b/spatdsg/archive/2010/08/02/fim-cm-logging-and-random-errors.aspx

FIM CM and SQL APIs– The EXECUTE permission was denied on the object
http://blogs.msdn.com/b/spatdsg/archive/2010/11/02/fim-cm-and-sql-apis-the-execute-permission-was-denied-on-the-object.aspx

Debug shortcuts for FIM/ILM/CLM

Additional resources