FIM CM was unable to decrypt necessary data error

 


Troubleshooting Steps:

Enable FIM CM Tracing:
(https://social.technet.microsoft.com/wiki/contents/articles/4020.how-to-capture-a-verbose-log-for-clm-or-fim-cm.aspx )

Enable CAPI Logging:

(https://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx )

After looking at the FIM CM trace logs, we saw that CM was unable to find the correct certificate to decrypt with:

"DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006

Data to be decrypted: MIIDZAYJKoZIhvcNAQcDoIIDVTCCA1ECAQAxggF4MIIBdAIBADBcMEUxEzARBgoJkiaJk/IsZAEZFgNsb2MxGzAZBgoJkiaJk/IsZAE=.

"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Microsoft.Clm.Security.Principal.RevertToSelfContext RevertIfImpersonating()" "DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006

Reverting to the process identity

"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006

Try to decrypt using EvelopedCMS.

"2014-03-19 14:37:29.09 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006

General Information

*********************************************

Additional Info:

EnvelopedCMS decryption failed. Fall back to AES method.

1) Exception Information

*********************************************

Exception Type: System.Security.Cryptography.CryptographicException

Message: Unable to locate the decryption key.

Data: System.Collections.ListDictionaryInternal

TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte[])

HelpLink: NULL

Source: Microsoft.Clm.Crypto

StackTrace Information

*********************************************

at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte[] encoded)

at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

"2014-03-19 14:37:29.12 -06" "Microsoft.Clm.BusinessLayer.DataEncryption"

We then opened the CAPI2 log and filtered on errors.


We see two issues in this log: access denied, and unable to check revocation.


After confirming that all certificates and permissions were correct per (https://technet.microsoft.com/en-us/library/gg430115(v=ws.10).aspx), we turned to the revocation error and found that the machine did not have internet access while it was checking the validity of the signing certificates in use. Another error entry showed the path it could not reach.


CAPI2 logging told us it was trying to download a CRL that it could not reach. After making sure all other configuration (permissions and account settings) was in line, we manually installed the CRL it was trying to get.

Resolution: download the CRL indicated in the CAPI2 log, https://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl, copy it to the server, then right-click the file and install it.
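As an added example (not from the original article), the PowerShell script below automates the CAPI2 part of the steps above on the FIM CM server: it enables the CAPI2 operational log, pulls the CRL URLs out of the error events it records, tests whether the server can download each CRL itself, and prints the command to install a CRL that has to be copied in by hand. The download folder and the use of certutil -addstore as the scripted equivalent of right-click Install are assumptions, not something the article specifies.

```powershell
# Added example, not from the original article.
# Assumptions (not on the page): $DownloadDir, and certutil -addstore CA as
# the scripted equivalent of "right-click > Install CRL".

$CapiLog     = 'Microsoft-Windows-CAPI2/Operational'
$DownloadDir = 'C:\Temp\crl'     # assumed working folder on the FIM CM server

# 1. Enable CAPI2 logging (run from an elevated prompt). Same effect as
#    "Enable Log" on Applications and Services Logs > Microsoft > Windows > CAPI2.
wevtutil set-log $CapiLog /enabled:true

# 2. Reproduce the FIM CM decrypt failure, then collect CAPI2 error events
#    (Level 2 = Error) from the last hour.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $CapiLog
    Level     = 2
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# 3. Pull every http(s) URL ending in .crl out of the raw event XML rather than
#    depending on particular CAPI2 event IDs.
$crlUrls = $events |
    ForEach-Object { [regex]::Matches($_.ToXml(), 'https?://[^\s"<]+\.crl') } |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique

if (-not $crlUrls) {
    Write-Host "No CRL URLs in CAPI2 error events; review the 'Access denied' entries instead."
    return
}

New-Item -ItemType Directory -Path $DownloadDir -Force | Out-Null

foreach ($url in $crlUrls) {
    $file = Join-Path $DownloadDir ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    try {
        # 4. Can this server fetch the CRL on its own? If yes, revocation
        #    checking is not the blocker and the permissions side needs attention.
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop
        Write-Host "Reachable: $url"
    } catch {
        # 5. No route to the CRL distribution point: the situation in the article.
        #    Download the file on a machine with internet access, copy it to
        #    $DownloadDir on this server, and install it into the local store.
        Write-Warning "Cannot reach $url : $($_.Exception.Message)"
        Write-Host "Copy the CRL to $file and install it with:"
        Write-Host "  certutil -addstore CA `"$file`""
        continue
    }
    # Show the validity window so a CRL that will expire soon is noticed now;
    # an offline server needs a fresh copy before NextUpdate passes.
    certutil -dump $file | Select-String 'ThisUpdate|NextUpdate'
}

# 6. After installing the CRL, re-run the FIM CM operation and confirm that
#    the CAPI2 log no longer records the failed download.
```

Run it in an elevated PowerShell session on the FIM CM server right after reproducing the "unable to decrypt necessary data" error, so the CAPI2 events it parses are the ones from that attempt. Because a manually installed CRL is only valid until its NextUpdate time, the ThisUpdate/NextUpdate output is the reminder that the same fix will be needed again unless the server gains a route to the CRL distribution point.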