Error in CLM, Smartcard enrollment

WesE

Hello,

I am having some trouble getting my lab install of CLM 2007 w/ FP1 working.
Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin)
is trying to enroll SmartCard Logon for another user (labadmin). When I
assign the SC to the user (on a machine running CLM client) I get the error:
"Processing Error: Error generating requested certificates. Element not
found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my
multiple Enroll requests but none are marked completed.

Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing
CA on 2003 Ent. w/ SP2.

Brian Komar (MVP)

What permission assignments have you performed?
Brian
"WesE" <WesE@community.nospam> wrote in message
news:31E5ED9D-22C8-4E5F-9CBF-E13FDC760647@microsoft.com...
> Hello,
>
> I am having some trouble getting my lab install of CLM 2007 w/ FP1
> working.
> Using a centralized registration model, the CLM Manager ID
> (CLMTemplateAdmin)
> is trying to enroll SmartCard Logon for another user (labadmin). When I
> assign the SC to the user (on a machine running CLM client) I get the
> error:
> "Processing Error: Error generating requested certificates. Element not
> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see
> my
> multiple Enroll requests but none are marked completed.
>
> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing
> CA on 2003 Ent. w/ SP2.
>
>

Paul Adare

On Tue, 15 Apr 2008 16:16:01 -0700, WesE wrote:

> Hello,
>
> I am having some trouble getting my lab install of CLM 2007 w/ FP1 working.
> Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin)
> is trying to enroll SmartCard Logon for another user (labadmin). When I
> assign the SC to the user (on a machine running CLM client) I get the error:
> "Processing Error: Error generating requested certificates. Element not
> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my
> multiple Enroll requests but none are marked completed.
>
> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing
> CA on 2003 Ent. w/ SP2.


Do the requests show as failed on the CA? If so, why did they fail on the
CA?

--
Paul Adare
http://www.identit.ca
HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

WesE

Here is some more detail. Note in this scenario I am using a delegated
security model.

To keep things brief I will use the following shorthand:

CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.
CLM Initiator: CLM_I, this is the user that interacts with the host running
the CLM Client and the person who creates the SC request for CLM_S. CLM_I
also executes the request (after approval) and is the ID operating the CLM
Client web app when the SC is accessed.
SC request approver: CLM_A, this is the user who is identified as the Approver
in the workflow.
Finally, there is clmEnrollAgent; this is the account name, and I am not
completely sure of its role, but it is not the same account as CLM_I.

Security settings:

SCP: CLM_A (Read & CLM Audit) CLM_I (Read & CLM Audit) CLM_S (None)

AD Group that CLM_S is a member of: CLM_I (Full Control)

Profile Template obj(in AD): CLM_S (Read) CLM_A (Read) CLM_I (Full
Control) clmEnrollAgent (Read, CLM Enroll)

Certificate template (in AD): CLM_I (Read & Enroll) nothing specific for
CLM_S but Auth Users have Read.

Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I,
Approve Enroll Requests: CLM_A Enroll Agent for Enroll Requests: CLM_I

I see no errors in the App, System or CLM event logs on CLM server with one
exception, my CLM service account is getting login failed accessing the CLM
DB, not sure why. I don't get any consistent errors and no errors from the
CA. I have been able to issue a soft cert (using self service) to CLM_S on
the CLM client machine.

I cannot get the CLM Client to log as described in the Troubleshooting
Guide. Suggestions to address this would be appreciated.

The order of events is (once we get to the point of the bar graph): Init
card -> Generating Key & Cert -> Requesting... -> then I get the processing
error as described in my original post.

Thanks,

-Wes

Paul Adare

On Fri, 18 Apr 2008 14:59:01 -0700, WesE wrote:

> Here is some more detail. Note in this scenario I am using a delegated
> security model.
>
> To keep things brief I will use the following shorthand:
>
> CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.
> CLM Initiator: CLM_I, this is the user that interacts with the host running
> the CLM Client and the person who creates the SC request for CLM_S. CLM_I
> also executes the request (after approval) and is the ID operating the CLM
> Client web app when the SC is accessed.
> SC request approver: CLM_A, this is the user who is identified as the Approver
> in the workflow.
> Finally, there is clmEnrollAgent; this is the account name, and I am not
> completely sure of its role, but it is not the same account as CLM_I.
>
> Security settings:
>
> SCP: CLM_A (Read & CLM Audit) CLM_I (Read & CLM Audit) CLM_S (None)


CLM_I needs Read, CLM Request Enroll, and CLM Enrollment Agent permission
on the SCP.

>
> AD Group that CLM_S is a member of: CLM_I (Full Control)


This is more than is needed. CLM_I only needs the same permissions as those
on the SCP.

>
> Profile Template obj(in AD): CLM_S (Read) CLM_A (Read) CLM_I (Full
> Control) clmEnrollAgent (Read, CLM Enroll)


clmEnrollAgent doesn't need anything here. CLM_S and CLM_I need both Read
and CLM Enroll.

>
> Certificate template (in AD): CLM_I (Read & Enroll) nothing specific for
> CLM_S but Auth Users have Read.
>
> Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I,
> Approve Enroll Requests: CLM_A Enroll Agent for Enroll Requests: CLM_I
>
> I see no errors in the App, System or CLM event logs on CLM server with one
> exception, my CLM service account is getting login failed accessing the CLM
> DB, not sure why. I don't get any consistent errors and no errors from the
> CA. I have been able to issue a soft cert (using self service) to CLM_S on
> the CLM client machine.
>
> I cannot get the CLM Client to log as described in the Troubleshooting
> Guide. Suggestions to address this would be appreciated.
>
> The order of events is (once we get to the point of the bar graph): Init
> card -> Generating Key & Cert -> Requesting... -> then I get the processing
> error as described in my original post.
>
> Thanks,
>
> -Wes



--
Paul Adare
http://www.identit.ca
Death is a nonmaskable interrupt.

WesE

With those security settings I get the same error. Any suggestions on how to
get the CLM client to do detailed logging? I am using (export from regedit):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient]
"LogFileName"="c:\\temp\\Scclient.log"
"Log Level"=dword:00000004

Permissions on c:\temp are Allow for Everyone.

Thanks
-Wes

"Paul Adare" wrote:

> On Fri, 18 Apr 2008 14:59:01 -0700, WesE wrote:
>
> > Here is some more detail. Note in this scenario I am using a delegated
> > security model.
> >
> > To keep things brief I will use the following shorthand:
> >
> > CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.
> > CLM Initiator: CLM_I, this is the user that interacts with the host running
> > the CLM Client and the person who creates the SC request for CLM_S. CLM_I
> > also executes the request (after approval) and is the ID operating the CLM
> > Client web app when the SC is accessed.
> > SC request approver: CLM_A, this is the user who is identified as the Approver
> > in the workflow.
> > Finally, there is clmEnrollAgent; this is the account name, and I am not
> > completely sure of its role, but it is not the same account as CLM_I.
> >
> > Security settings:
> >
> > SCP: CLM_A (Read & CLM Audit) CLM_I (Read & CLM Audit) CLM_S (None)

>
> CLM_I needs Read, CLM Request Enroll, and CLM Enrollment Agent permission
> on the SCP.
>
> >
> > AD Group that CLM_S is a member of: CLM_I (Full Control)

>
> This is more than is needed. CLM_I only needs the same permissions as those
> on the SCP.
>
> >
> > Profile Template obj(in AD): CLM_S (Read) CLM_A (Read) CLM_I (Full
> > Control) clmEnrollAgent (Read, CLM Enroll)

>
> clmEnrollAgent doesn't need anything here. CLM_S and CLM_I need both Read
> and CLM Enroll.
>
> >
> > Certificate template (in AD): CLM_I (Read & Enroll) nothing specific for
> > CLM_S but Auth Users have Read.
> >
> > Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I,
> > Approve Enroll Requests: CLM_A Enroll Agent for Enroll Requests: CLM_I
> >
> > I see no errors in the App, System or CLM event logs on CLM server with one
> > exception, my CLM service account is getting login failed accessing the CLM
> > DB, not sure why. I don't get any consistent errors and no errors from the
> > CA. I have been able to issue a soft cert (using self service) to CLM_S on
> > the CLM client machine.
> >
> > I cannot get the CLM Client to log as described in the Troubleshooting
> > Guide. Suggestions to address this would be appreciated.
> >
> > The order of events is (once we get to the point of the bar graph): Init
> > card -> Generating Key & Cert -> Requesting... -> then I get the processing
> > error as described in my original post.
> >
> > Thanks,
> >
> > -Wes

>
>
> --
> Paul Adare
> http://www.identit.ca
> Death is a nonmaskable interrupt.
>

Paul Adare

On Mon, 21 Apr 2008 14:57:49 -0700, WesE wrote:

> With those security settings I get the same error.


Check for errors on the CA and confirm that all of the fields from AD that
are required for the certificate template are actually populated for your
test user.
There's no real point logging the client at this point as you're not even
issuing the certificates yet.

--
Paul Adare
http://www.identit.ca
Software: Typically silk nighties, nylons, garter belts. Contrast with
hardware.
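The two checks Paul recommends above (failed requests on the CA, and whether the AD fields the certificate template needs are populated for the test user) as an added PowerShell example; this is not code from the thread or from CLM. It assumes the user is looked up by sAMAccountName, that the required attribute list matches the default Smartcard Logon template (UPN in the SAN, CN in the subject, mail only if the template includes the e-mail name), and that certutil.exe can reach the CA.

```powershell
# Added example (not from the thread or from CLM): check the AD attributes a
# Smartcard Logon template builds its subject/SAN from, then list failed or
# denied requests on the CA so the CA-side reason is visible.
# Assumption: the $required/$optional lists match the template's subject-name
# settings; adjust them if the template was customized.
param(
    [string]$SamAccountName = "labadmin",   # the subscriber from the thread
    [string]$CaConfig = ""                  # "server\CA name"; "" = local default CA
)

$required = @("userPrincipalName", "cn")
$optional = @("mail")

# Plain ADSI lookup, so this works where the ActiveDirectory module is absent.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
foreach ($attr in ($required + $optional)) { [void]$searcher.PropertiesToLoad.Add($attr) }
$user = $searcher.FindOne()
if ($user -eq $null) { Write-Warning "User '$SamAccountName' not found in AD"; exit 1 }

function Test-Populated([string]$Name) {
    # ResultPropertyCollection keys are lower-cased; Contains() handles that.
    return ($user.Properties.Contains($Name) -and $user.Properties[$Name].Count -gt 0)
}

$missing = @($required | Where-Object { -not (Test-Populated $_) })
foreach ($attr in $optional) {
    if (-not (Test-Populated $attr)) {
        Write-Host "Optional attribute '$attr' is empty (only matters if the template uses it)"
    }
}
if ($missing.Count -gt 0) {
    Write-Warning ("Template-required attribute(s) empty for ${SamAccountName}: " + ($missing -join ", "))
} else {
    Write-Host ("Required attributes populated; UPN = " + $user.Properties["userprincipalname"][0])
}

# Failed (Disposition 30) and denied (31) requests on the CA, with the CA's own
# status code and disposition message; needs certutil.exe and Read access on the CA.
$certutilArgs = @("-view", "-restrict", "Disposition>=30",
                  "-out", "RequestID,RequesterName,Request.StatusCode,Request.DispositionMessage")
if ($CaConfig) { $certutilArgs = @("-config", $CaConfig) + $certutilArgs }
& certutil.exe $certutilArgs
```

An empty userPrincipalName is the usual cause of a Smartcard Logon request failing at the CA, because the SAN cannot be built; the certutil output shows the CA's own status code for each failed request.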

WesE

Solved the problem. There was a problem in my certificate template.

"Paul Adare" wrote:

> On Mon, 21 Apr 2008 14:57:49 -0700, WesE wrote:
>
> > With those security settings I get the same error.

>
> Check for errors on the CA and confirm that all of the fields from AD that
> are required for the certificate template are actually populated for your
> test user.
> There's no real point logging the client at this point as you're not even
> issuing the certificates yet.
>
> --
> Paul Adare
> http://www.identit.ca
> Software: Typically silk nighties, nylons, garter belts. Contrast with
> hardware.
>