WesE (Guest), posted April 15, 2008

Hello, I am having some trouble getting my lab install of CLM 2007 w/ FP1 working. Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin) is trying to enroll SmartCard Logon for another user (labadmin). When I assign the SC to the user (on a machine running CLM client) I get the error: "Processing Error: Error generating requested certificates. Element not found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my multiple Enroll requests but none are marked completed.

Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing CA on 2003 Ent. w/ SP2.
Brian Komar (MVP) (Guest), posted April 15, 2008

What permissions assignments have you performed?

Brian

"WesE" <WesE@community.nospam> wrote in message news:31E5ED9D-22C8-4E5F-9CBF-E13FDC760647@microsoft.com...
> Hello,
>
> I am having some trouble getting my lab install of CLM 2007 w/ FP1 working.
> Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin)
> is trying to enroll SmartCard Logon for another user (labadmin). When I
> assign the SC to the user (on a machine running CLM client) I get the error:
> "Processing Error: Error generating requested certificates. Element not
> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my
> multiple Enroll requests but none are marked completed.
>
> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing
> CA on 2003 Ent. w/ SP2.
Paul Adare (Guest), posted April 16, 2008

On Tue, 15 Apr 2008 16:16:01 -0700, WesE wrote:
> Hello,
>
> I am having some trouble getting my lab install of CLM 2007 w/ FP1 working.
> Using a centralized registration model, the CLM Manager ID (CLMTemplateAdmin)
> is trying to enroll SmartCard Logon for another user (labadmin). When I
> assign the SC to the user (on a machine running CLM client) I get the error:
> "Processing Error: Error generating requested certificates. Element not
> found. 0x80070490 (WIN32:1168)". I can view the details of the SC and see my
> multiple Enroll requests but none are marked completed.
>
> Lab setup: Using Gemalto .Net cards, Client PC is XP w/ SP3, CLM & issuing
> CA on 2003 Ent. w/ SP2.

Do the requests show as failed on the CA? If so, why did they fail on the CA?

--
Paul Adare
http://www.identit.ca
HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)
WesE (Guest), posted April 18, 2008

Here is some more detail. Note in this scenario I am using a delegated security model.

To keep things brief I will use the following shorthand:

CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.
CLM Initiator: CLM_I, this is the user that interacts with the host running the CLM Client and the person who creates the SC request for CLM_S. CLM_I also executes the request (after approval) and is the ID operating the CLM Client web app when the SC is accessed.
SC request approver: CLM_A, this is the user who is identified as the Approver in the workflow.
Finally there is the clmEnrollAgent, this is the account name and I am not completely sure of its role but it is not the same account as CLM_I.

Security settings:

SCP: CLM_A (Read & CLM Audit); CLM_I (Read & CLM Audit); CLM_S (None)
AD Group that CLM_S is a member of: CLM_I (Full Control)
Profile Template obj (in AD): CLM_S (Read); CLM_A (Read); CLM_I (Full Control); clmEnrollAgent (Read, CLM Enroll)
Certificate template (in AD): CLM_I (Read & Enroll); nothing specific for CLM_S but Auth Users have Read.
Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I; Approve Enroll Requests: CLM_A; Enroll Agent for Enroll Requests: CLM_I

I see no errors in the App, System or CLM event logs on the CLM server with one exception: my CLM service account is getting login failed accessing the CLM DB, not sure why. I don't get any consistent errors and no errors from the CA. I have been able to issue a soft cert (using self service) to CLM_S on the CLM client machine.

I cannot get the CLM Client to log as described in the Troubleshooting Guide. Suggestions to address this would be appreciated.

The order of events is (once we get to the point of the bar graph): Init card -> Generating Key & Cert -> Requesting... -> then I get the processing error as described in my original post.

Thanks,

-Wes
Paul Adare (Guest), posted April 19, 2008

On Fri, 18 Apr 2008 14:59:01 -0700, WesE wrote:
> Here is some more detail. Note in this scenario I am using a delegated
> security model.
>
> To keep things brief I will use the following shorthand:
>
> CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.
> CLM Initiator: CLM_I, this is the user that interacts with the host running
> the CLM Client and the person who creates the SC request for CLM_S. CLM_I
> also executes the request (after approval) and is the ID operating the CLM
> Client web app when the SC is accessed.
> SC request approver: CLM_A, this is the user who is identified as the Approver
> in the workflow.
> Finally there is the clmEnrollAgent, this is the account name and I am not
> completely sure of its role but it is not the same account as CLM_I.
>
> Security settings:
>
> SCP: CLM_A (Read & CLM Audit); CLM_I (Read & CLM Audit); CLM_S (None)

CLM_I needs Read, CLM Request Enroll, and CLM Enrollment Agent permission on the SCP.

> AD Group that CLM_S is a member of: CLM_I (Full Control)

This is more than is needed. CLM_I only needs the same permissions as those on the SCP.

> Profile Template obj (in AD): CLM_S (Read); CLM_A (Read); CLM_I (Full
> Control); clmEnrollAgent (Read, CLM Enroll)

clmEnrollAgent doesn't need anything here. CLM_S and CLM_I need both Read and CLM Enroll.

> Certificate template (in AD): CLM_I (Read & Enroll); nothing specific for
> CLM_S but Auth Users have Read.
>
> Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I;
> Approve Enroll Requests: CLM_A; Enroll Agent for Enroll Requests: CLM_I
>
> I see no errors in the App, System or CLM event logs on the CLM server with one
> exception: my CLM service account is getting login failed accessing the CLM
> DB, not sure why. I don't get any consistent errors and no errors from the
> CA. I have been able to issue a soft cert (using self service) to CLM_S on
> the CLM client machine.
>
> I cannot get the CLM Client to log as described in the Troubleshooting
> Guide. Suggestions to address this would be appreciated.
>
> The order of events is (once we get to the point of the bar graph): Init
> card -> Generating Key & Cert -> Requesting... -> then I get the processing
> error as described in my original post.
>
> Thanks,
>
> -Wes

--
Paul Adare
http://www.identit.ca
Death is a nonmaskable interrupt.
WesE (Guest), posted April 21, 2008

With those security settings I get the same error.

Any suggestions on how to get the CLM client to do detailed logging? I am using (export from regedit):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\SmartCardClient]
"LogFileName"="c:\\temp\\Scclient.log"
"Log Level"=dword:00000004

Perms on c:\temp are allow everyone.

Thanks
-Wes

"Paul Adare" wrote:
> On Fri, 18 Apr 2008 14:59:01 -0700, WesE wrote:
>
> > Here is some more detail. Note in this scenario I am using a delegated
> > security model.
> >
> > To keep things brief I will use the following shorthand:
> >
> > CLM Subscriber: CLM_S, this is the end user that will be using the Smartcard.
> > CLM Initiator: CLM_I, this is the user that interacts with the host running
> > the CLM Client and the person who creates the SC request for CLM_S. CLM_I
> > also executes the request (after approval) and is the ID operating the CLM
> > Client web app when the SC is accessed.
> > SC request approver: CLM_A, this is the user who is identified as the Approver
> > in the workflow.
> > Finally there is the clmEnrollAgent, this is the account name and I am not
> > completely sure of its role but it is not the same account as CLM_I.
> >
> > Security settings:
> >
> > SCP: CLM_A (Read & CLM Audit); CLM_I (Read & CLM Audit); CLM_S (None)
>
> CLM_I needs Read, CLM Request Enroll, and CLM Enrollment Agent permission
> on the SCP.
>
> > AD Group that CLM_S is a member of: CLM_I (Full Control)
>
> This is more than is needed. CLM_I only needs the same permissions as those
> on the SCP.
>
> > Profile Template obj (in AD): CLM_S (Read); CLM_A (Read); CLM_I (Full
> > Control); clmEnrollAgent (Read, CLM Enroll)
>
> clmEnrollAgent doesn't need anything here. CLM_S and CLM_I need both Read
> and CLM Enroll.
>
> > Certificate template (in AD): CLM_I (Read & Enroll); nothing specific for
> > CLM_S but Auth Users have Read.
> >
> > Profile Template in CLM Web App, Enroll Policy, Init Enroll Requests: CLM_I;
> > Approve Enroll Requests: CLM_A; Enroll Agent for Enroll Requests: CLM_I
> >
> > I see no errors in the App, System or CLM event logs on the CLM server with one
> > exception: my CLM service account is getting login failed accessing the CLM
> > DB, not sure why. I don't get any consistent errors and no errors from the
> > CA. I have been able to issue a soft cert (using self service) to CLM_S on
> > the CLM client machine.
> >
> > I cannot get the CLM Client to log as described in the Troubleshooting
> > Guide. Suggestions to address this would be appreciated.
> >
> > The order of events is (once we get to the point of the bar graph): Init
> > card -> Generating Key & Cert -> Requesting... -> then I get the processing
> > error as described in my original post.
> >
> > Thanks,
> >
> > -Wes
>
> --
> Paul Adare
> http://www.identit.ca
> Death is a nonmaskable interrupt.
Paul Adare (Guest), posted April 21, 2008

On Mon, 21 Apr 2008 14:57:49 -0700, WesE wrote:
> With those security settings I get the same error.

Check for errors on the CA and confirm that all of the fields from AD that are required for the certificate template are actually populated for your test user.

There's no real point logging the client at this point as you're not even issuing the certificates yet.

--
Paul Adare
http://www.identit.ca
Software: Typically silk nighties, nylons, garter belts. Contrast with hardware.
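The two checks Paul suggests (failed requests on the CA, and whether the AD attributes the template needs are populated for the test user), written up as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module and certutil.exe are available where it runs; the CA config string and the list of required attributes are placeholders that must be matched to the certificate template's Subject Name settings.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module and
# certutil.exe are present; $CAConfig and $RequiredAttrs are placeholders to
# adapt to the lab CA and to the template's Subject Name / SAN settings.
param(
    [string]$User = 'labadmin',                      # the test subscriber from the thread
    [string]$CAConfig = 'CASERVER\Lab Issuing CA',   # placeholder "host\CA name"
    [string[]]$RequiredAttrs = @('userPrincipalName', 'mail', 'displayName')  # assumed list
)

Import-Module ActiveDirectory

# 1. Every attribute the template builds the subject or SAN from must be populated;
#    an empty one means the CA cannot construct the certificate for this user.
$u = Get-ADUser -Identity $User -Properties $RequiredAttrs
$missing = @($RequiredAttrs | Where-Object { [string]::IsNullOrEmpty($u.$_) })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} is missing required attribute(s): {1}" -f $User, ($missing -join ', '))
} else {
    Write-Host "All required attributes are populated for $User"
}

# 2. Requests that failed (Disposition 30) or were denied (31) on the CA.
#    StatusCode holds the HRESULT and DispositionMessage the CA's reason text.
$cols = 'RequestID,RequesterName,StatusCode,DispositionMessage'
foreach ($d in 30, 31) {
    Write-Host "--- CA requests with Disposition=$d ---"
    certutil -config $CAConfig -view -restrict "Disposition=$d" -out $cols
}
```

Run it as an account that can read the user object and the CA database; a request whose StatusCode matches the client-side error is the one to inspect first.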
WesE (Guest), posted April 22, 2008

Solved the problem. There was a problem in my certificate template.

"Paul Adare" wrote:
> On Mon, 21 Apr 2008 14:57:49 -0700, WesE wrote:
>
> > With those security settings I get the same error.
>
> Check for errors on the CA and confirm that all of the fields from AD that
> are required for the certificate template are actually populated for your
> test user.
> There's no real point logging the client at this point as you're not even
> issuing the certificates yet.
>
> --
> Paul Adare
> http://www.identit.ca
> Software: Typically silk nighties, nylons, garter belts. Contrast with
> hardware.