FIM CM was unable to decrypt necessary data error
Troubleshooting Steps:
Enable FIM CM Tracing:
(https://social.technet.microsoft.com/wiki/contents/articles/4020.how-to-capture-a-verbose-log-for-clm-or-fim-cm.aspx)
Enable CAPI Logging:
After looking at the CM logs, we saw that CM was unable to find the correct certificate. The relevant trace entries (the first and last are cut off in the capture):

"DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006 Data to be decrypted: MIIDZAYJKoZIhvcNAQcDoIIDVTCCA1ECAQAxggF4MIIBdAIBADBcMEUxEzARBgoJkiaJk/IsZAEZFgNsb2MxGzAZBgoJkiaJk/IsZAE=.

"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Microsoft.Clm.Security.Principal.RevertToSelfContext RevertIfImpersonating()" "DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006 Reverting to the process identity

"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006 Try to decrypt using EvelopedCMS.

"2014-03-19 14:37:29.09 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006 General Information
*********************************************
Additional Info: EnvelopedCMS decryption failed. Fall back to AES method.
1) Exception Information
*********************************************
Exception Type: System.Security.Cryptography.CryptographicException
Message: Unable to locate the decryption key.
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte[])
HelpLink: NULL
Source: Microsoft.Clm.Crypto
StackTrace Information
*********************************************
at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte[] encoded)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

"2014-03-19 14:37:29.12 -06" "Microsoft.Clm.BusinessLayer.DataEncryption"
We then opened the CAPI log and filtered on errors.
We saw two issues in this log: access denied, and unable to check revocation.
After confirming that all certificates and permissions were correct per https://technet.microsoft.com/en-us/library/gg430115(v=ws.10).aspx,
we looked at the revocation issue and found that the machine did not have internet access, yet it was checking the validity of the signing certificates in use. Another error entry gave the path it could not reach.
CAPI logging showed that it was trying to retrieve a CRL and failing. After making sure all other configuration (permissions and account settings) was in order, we manually installed the CRL it was trying to fetch.
Resolution: Download the CRL indicated in the CAPI log (https://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl), copy it to the server, then right-click the file and choose Install.
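The procedure above (find the CRL the server cannot fetch, then install it by hand) as an added PowerShell example; it is not part of the original write-up. The FIM CM binary path, the use of the CA (Intermediate Certification Authorities) store, and certutil as the command-line equivalent of right-click > Install are assumptions; run it from an elevated prompt on the FIM CM server.

```powershell
# Added example, not from the original article. Lists every CRL Distribution
# Point in the code-signing chain of a signed FIM CM binary, tests which CRL
# URLs this server can reach, and installs a manually copied CRL file.
param(
    # Assumed path of a signed FIM CM binary; adjust to your install.
    [string]$SignedFile = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\bin\Microsoft.Clm.Service.exe',
    # Optional: local path of a CRL that was downloaded on another machine.
    [string]$CrlFile = ''
)

$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if (-not $sig.SignerCertificate) {
    throw "No signer certificate on $SignedFile (status: $($sig.Status))"
}

# Build the chain without revocation checking so it works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

# Pull http(s) URLs out of each CRL Distribution Points extension (OID 2.5.29.31).
$cdpUrls = foreach ($el in $chain.ChainElements) {
    $ext = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($ext) {
        [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object {
            [pscustomobject]@{ Subject = $el.Certificate.Subject; Url = $_.Value }
        }
    }
}

# Try to fetch each CRL; an UNREACHABLE line is the one to copy over by hand.
foreach ($c in $cdpUrls) {
    $local = Join-Path $env:TEMP ([IO.Path]::GetFileName(([uri]$c.Url).AbsolutePath))
    try {
        (New-Object Net.WebClient).DownloadFile($c.Url, $local)
        "REACHABLE   $($c.Url)"
    } catch {
        "UNREACHABLE $($c.Url)  (certificate: $($c.Subject)) - copy this CRL to the server manually"
    }
}

if ($CrlFile) {
    # certutil -addstore accepts CRL files; the CA store holds intermediate-issuer CRLs.
    certutil -addstore -f CA $CrlFile
    # Re-check the signer: revocation should now be satisfied from the installed CRL.
    $tmp = Join-Path $env:TEMP 'fimcm-signer.cer'
    [IO.File]::WriteAllBytes($tmp, $sig.SignerCertificate.Export('Cert'))
    certutil -verify $tmp
}
```

Run it once to see which CRL URLs fail, then again with -CrlFile pointing at the copied .crl to install it and confirm the chain verifies.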
- Anonymous
January 01, 2003
thanks