Error in CLM, Smartcard enrollment

WesE · Apr 15, 2008

Hello,

I am having some trouble getting my lab install of CLM 2007 w/ FP1 working.

Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin)

is trying to enroll SmardCard Logon for another user (labadmin). When I

assign the SC to the user (on a machine running CLM client) I get the error:

"Processing Error: Error generating requested certificates. Element not

found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my

mutilple Enroll request but none are marked completed.

Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing

CA on 2003 Ent. w/ SP2.

Brian Komar \(MVP\) · Apr 15, 2008

what permissions assignments have you performed?

Brian

"WesE" <WesE@community.nospam> wrote in message

news:31E5ED9D-22C8-4E5F-9CBF-E13FDC760647@microsoft.com...

> Hello,

>

> I am having some trouble getting my lab install of CLM 2007 w/ FP1

> working.

> Using a centralized registration model, the CLM Manager ID

> (CLMTemplateAdmin)

> is trying to enroll SmardCard Logon for another user (labadmin). When I

> assign the SC to the user (on a machine running CLM client) I get the

> error:

> "Processing Error: Error generating requested certificates. Element not

> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see

> my

> mutilple Enroll request but none are marked completed.

>

> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing

> CA on 2003 Ent. w/ SP2.

>

>

Brian Komar \(MVP\) · Apr 15, 2008

what permissions assignments have you performed?

Brian

"WesE" <WesE@community.nospam> wrote in message

news:31E5ED9D-22C8-4E5F-9CBF-E13FDC760647@microsoft.com...

> Hello,

>

> I am having some trouble getting my lab install of CLM 2007 w/ FP1

> working.

> Using a centralized registration model, the CLM Manager ID

> (CLMTemplateAdmin)

> is trying to enroll SmardCard Logon for another user (labadmin). When I

> assign the SC to the user (on a machine running CLM client) I get the

> error:

> "Processing Error: Error generating requested certificates. Element not

> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see

> my

> mutilple Enroll request but none are marked completed.

>

> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing

> CA on 2003 Ent. w/ SP2.

>

>

Paul Adare · Apr 16, 2008

On Tue, 15 Apr 2008 16:16:01 -0700, WesE wrote:



> Hello,

>

> I am having some trouble getting my lab install of CLM 2007 w/ FP1 working.

> Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin)

> is trying to enroll SmardCard Logon for another user (labadmin). When I

> assign the SC to the user (on a machine running CLM client) I get the error:

> "Processing Error: Error generating requested certificates. Element not

> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my

> mutilple Enroll request but none are marked completed.

>

> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing

> CA on 2003 Ent. w/ SP2.

Do the requests show as failed on the CA? If so, why did they fail on the

CA?

--

Paul Adare

http://www.identit.ca

HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

WesE · Apr 18, 2008

Here is some more detail. Note in this scenario I am using a delegated

security model.

To keep things brief I will use the following shorthand:

CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.

CLM Initiator: CLM_I, this is the user that interacts with the host running

the CLM Client and the person who creates the SC request for CLM_S. CLM_I

also executes the request (after approval) and is the ID operating the CLM

Client web app when the SC is accessed.

SC request approver: CLM_A, this is user who is identified as the Approver

in the workflow.

Finally there is the clmEnrollAgent, this is the account name and I am not

completely sure of its role but it is not the same account as CLM_I.

Security settings:

SCP: CLM_A (Read & CLM Audit); CLM_I (Read & CLM Audit); CLM_S (None)

AD Group that CLM_S is a member of: CLM_I (Full Control)

Profile Template obj(in AD): CLM_S (Read); CLM_A (Read); CLM_I (Full

Control); clmEnrollAgent (Read, CLM Enroll)

Certificate template (in AD): CLM_I (Read & Enroll); nothing specific for

CLM_S but Auth Users have Read.

Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I,

Approve Enroll Requests: CLM_A; Enroll Agent for Enroll Requests: CLM_I

I see no errors in the App, System or CLM event logs on CLM server with one

exception, my CLM service account is getting login failed accessing the CLM

DB, not sure why. I don't get any consistent errors and no errors from the

CA. I have been able to issue a soft cert (using self service) to CLM_S on

the CLM client machine.

I cannot get the CLM Client to log as described in the Troubleshooting

Guide. Suggestions to address this would be appreciated.

The order of events are (once we get to the point of the bar graph): Init

card -> Generating Key & Cert -> Requesting... -> then I get the processing

error as described in my original post.

Thanks,

-Wes

Paul Adare · Apr 18, 2008

On Fri, 18 Apr 2008 14:59:01 -0700, WesE wrote:



> Here is some more detail. Note in this scenario I am using a delegated

> security model.

>

> To keep things brief I will use the following shorthand:

>

> CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.

> CLM Initiator: CLM_I, this is the user that interacts with the host running

> the CLM Client and the person who creates the SC request for CLM_S. CLM_I

> also executes the request (after approval) and is the ID operating the CLM

> Client web app when the SC is accessed.

> SC request approver: CLM_A, this is user who is identified as the Approver

> in the workflow.

> Finally there is the clmEnrollAgent, this is the account name and I am not

> completely sure of its role but it is not the same account as CLM_I.

>

> Security settings:

>

> SCP: CLM_A (Read & CLM Audit); CLM_I (Read & CLM Audit); CLM_S (None)

CLM_I needs Read, CLM Request Enroll, and CLM Enrollment Agent permission

on the SCP.



>

> AD Group that CLM_S is a member of: CLM_I (Full Control)

This is more than is needed. CLM_I only needs the same permissions as those

on the SCP.



>

> Profile Template obj(in AD): CLM_S (Read); CLM_A (Read); CLM_I (Full

> Control); clmEnrollAgent (Read, CLM Enroll)

clmEnrollAgent doesn't need anything here. CLM_S and CLM_I need both Read

and CLM Enroll.



>

> Certificate template (in AD): CLM_I (Read & Enroll); nothing specific for

> CLM_S but Auth Users have Read.

>

> Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I,

> Approve Enroll Requests: CLM_A; Enroll Agent for Enroll Requests: CLM_I

>

> I see no errors in the App, System or CLM event logs on CLM server with one

> exception, my CLM service account is getting login failed accessing the CLM

> DB, not sure why. I don't get any consistent errors and no errors from the

> CA. I have been able to issue a soft cert (using self service) to CLM_S on

> the CLM client machine.

>

> I cannot get the CLM Client to log as described in the Troubleshooting

> Guide. Suggestions to address this would be appreciated.

>

> The order of events are (once we get to the point of the bar graph): Init

> card -> Generating Key & Cert -> Requesting... -> then I get the processing

> error as described in my original post.

>

> Thanks,

>

> -Wes

--

Paul Adare

http://www.identit.ca

Death is a nonmaskable interrupt.

WesE · Apr 21, 2008

With those security settings I get the same error. Any suggestions on how to

get the CLM client to do detailed logging? I am using (export from regedit):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient]

"LogFileName"="c:\\temp\\Scclient.log"

"Log Level"=dword:00000004

perms on c:\temp are allow everyone.

Thanks

-Wes

"Paul Adare" wrote:



> On Fri, 18 Apr 2008 14:59:01 -0700, WesE wrote:

> 

> > Here is some more detail. Note in this scenario I am using a delegated

> > security model.

> >

> > To keep things brief I will use the following shorthand:

> >

> > CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.

> > CLM Initiator: CLM_I, this is the user that interacts with the host running

> > the CLM Client and the person who creates the SC request for CLM_S. CLM_I

> > also executes the request (after approval) and is the ID operating the CLM

> > Client web app when the SC is accessed.

> > SC request approver: CLM_A, this is user who is identified as the Approver

> > in the workflow.

> > Finally there is the clmEnrollAgent, this is the account name and I am not

> > completely sure of its role but it is not the same account as CLM_I.

> >

> > Security settings:

> >

> > SCP: CLM_A (Read & CLM Audit); CLM_I (Read & CLM Audit); CLM_S (None)

>

> CLM_I needs Read, CLM Request Enroll, and CLM Enrollment Agent permission

> on the SCP.

> 

> >

> > AD Group that CLM_S is a member of: CLM_I (Full Control)

>

> This is more than is needed. CLM_I only needs the same permissions as those

> on the SCP.

> 

> >

> > Profile Template obj(in AD): CLM_S (Read); CLM_A (Read); CLM_I (Full

> > Control); clmEnrollAgent (Read, CLM Enroll)

>

> clmEnrollAgent doesn't need anything here. CLM_S and CLM_I need both Read

> and CLM Enroll.

> 

> >

> > Certificate template (in AD): CLM_I (Read & Enroll); nothing specific for

> > CLM_S but Auth Users have Read.

> >

> > Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I,

> > Approve Enroll Requests: CLM_A; Enroll Agent for Enroll Requests: CLM_I

> >

> > I see no errors in the App, System or CLM event logs on CLM server with one

> > exception, my CLM service account is getting login failed accessing the CLM

> > DB, not sure why. I don't get any consistent errors and no errors from the

> > CA. I have been able to issue a soft cert (using self service) to CLM_S on

> > the CLM client machine.

> >

> > I cannot get the CLM Client to log as described in the Troubleshooting

> > Guide. Suggestions to address this would be appreciated.

> >

> > The order of events are (once we get to the point of the bar graph): Init

> > card -> Generating Key & Cert -> Requesting... -> then I get the processing

> > error as described in my original post.

> >

> > Thanks,

> >

> > -Wes

>

>

> --

> Paul Adare

> http://www.identit.ca

> Death is a nonmaskable interrupt.

>

Paul Adare · Apr 21, 2008

On Mon, 21 Apr 2008 14:57:49 -0700, WesE wrote:



> With those security settings I get the same error.

Check for errors on the CA and confirm that all of the fields from AD that

are required for the certificate template are actually populated for your

test user.

There's no real point logging the client at this point as your not even

issuing the certificates yet.

--

Paul Adare

http://www.identit.ca

Software: Typically silk nighties, nylons, garter belts. Contrast with

hardware.

WesE · Apr 22, 2008

Solved the problem. There was a problem in my certificate template.

"Paul Adare" wrote:



> On Mon, 21 Apr 2008 14:57:49 -0700, WesE wrote:

> 

> > With those security settings I get the same error.

>

> Check for errors on the CA and confirm that all of the fields from AD that

> are required for the certificate template are actually populated for your

> test user.

> There's no real point logging the client at this point as your not even

> issuing the certificates yet.

>

> --

> Paul Adare

> http://www.identit.ca

> Software: Typically silk nighties, nylons, garter belts. Contrast with

> hardware.

>

Error in CLM, Smartcard enrollment

WesE

Guest

Brian Komar \(MVP\)

Guest

Brian Komar \(MVP\)

Guest

Paul Adare

Guest

WesE

Guest

Paul Adare

Guest

WesE

Guest

Paul Adare

Guest

WesE

Guest