Troubleshooting FIM CM: "Logon failure: unknown user name or bad password"


OVERVIEW / PURPOSE

I recently worked my way through a FIM Certificate Management configuration issue where the Configuration Wizard was failing with a logon failure.

PROBLEM STATEMENT

You have just installed Forefront Identity Manager 2010 Certificate Management and are now going through the Configuration Wizard. In doing so, you receive the following error message.

ERROR MESSAGE

Logon failed for the user clmKRAgent@clmsamp.samples.  Please check username and password.
> Logon failure: unknown user name or bad password. 
(Exception from HRESULT: 0x8007052E)

You investigate the Configuration Wizard log file (%programfiles%\Microsoft Forefront Identity Management\2010\Certificate Management\config.log) and find the following information.

CONFIGURATION WIZARD LOG FILE

(%programfiles%\Microsoft Forefront Identity Management\2010\Certificate Management\config.log) 

"2012-05-15 16:08:01.27 -05" "Microsoft.Clm.Config.Core.CertificateAuthority" "System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001

General Information
*********************************************
Additional Info:
Logon failure: unknown user name or bad password for the user: clmKRAgent@clmsamp.samples

1) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*********************************************
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Clm.Security.Principal.LoggedOnUser.Logon(String userName, String password)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password, LogonType logonType, LogonProvider logonProvider)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
"2012-05-15 16:08:01.29 -05" "Microsoft.Clm.Config.Core.CertificateAuthority" "System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)" "" "PROD\da.matt.chambers" 0x00000E04 0x00000001

General Information
*********************************************
Additional Info:
Failed to issue certificate for user: clmKRAgent@clmsamp.samples

1) Exception Information
*********************************************
Exception Type: System.UnauthorizedAccessException
Message: Logon failed for the user clmKRAgent@clmsamp.samples. Please check username and password
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)
HelpLink: NULL
Source: Microsoft.Clm.Config

StackTrace Information
*********************************************
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)

2) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*********************************************
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Clm.Security.Principal.LoggedOnUser.Logon(String userName, String password)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password, LogonType logonType, LogonProvider logonProvider)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
"2012-05-15 16:08:01.29 -05" "Microsoft.Clm.Config.Steps.Finish" "Void Finish_Activated(System.Object, System.EventArgs)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001

1) Exception Information
*********************************************
Exception Type: System.UnauthorizedAccessException
Message: Logon failed for the user clmKRAgent@clmsamp.samples. Please check username and password
Data: System.Collections.ListDictionaryInternal
TargetSite: System.Object IssueCertificateForUser(System.String, System.String, System.String, System.String, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags, AgentType)
HelpLink: NULL
Source: Microsoft.Clm.Config

StackTrace Information
*********************************************
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
   at Microsoft.Clm.Config.Steps.Finish.CreateKeyRecoveryUser()
   at Microsoft.Clm.Config.Steps.Finish.Finish_Activated(Object sender, EventArgs e)

2) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void ThrowExceptionForHRInternal(Int32, IntPtr)
HelpLink: NULL
Source: mscorlib

StackTrace Information
*********************************************
   at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
   at Microsoft.Clm.Security.Principal.LoggedOnUser.Logon(String userName, String password)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password, LogonType logonType, LogonProvider logonProvider)
   at Microsoft.Clm.Security.Principal.LoggedOnUser..ctor(String userName, String password)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, CertificateFormatFlags flag, AgentType agentType)
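
To triage a config.log like the one above, this Python sketch (an added example, not part of the original article or of FIM CM) splits the log into entries and decodes each HRESULT: 0x8007052E is FACILITY_WIN32 (7) carrying Win32 error 1326, ERROR_LOGON_FAILURE. The sample log is constructed from the excerpt above and the function names are hypothetical.

```python
import re

# Constructed sample: two entries abbreviated from the config.log excerpt above.
SAMPLE_LOG = r'''"2012-05-15 16:08:01.27 -05" "Microsoft.Clm.Config.Core.CertificateAuthority" "System.Object IssueCertificateForUser(...)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001
Additional Info:
Logon failure: unknown user name or bad password for the user: clmKRAgent@clmsamp.samples
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147023570
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
"2012-05-15 16:08:01.29 -05" "Microsoft.Clm.Config.Steps.Finish" "Void Finish_Activated(System.Object, System.EventArgs)" "" "CLMSAMP\da.clmsamp.samples" 0x00000E04 0x00000001
Exception Type: System.UnauthorizedAccessException
Message: Logon failed for the user clmKRAgent@clmsamp.samples. Please check username and password
Message: Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)
'''
ENTRY_START = re.compile(r'^"(\d{4}-\d\d-\d\d [\d:.]+ [+-]\d\d)" "([^"]+)"', re.M)
HRESULT = re.compile(r'HRESULT: (0x[0-9A-Fa-f]{8})')
ERRCODE = re.compile(r'^ErrorCode: (-?\d+)', re.M)
ACCOUNT = re.compile(r'(?:for the user:?|for user:) (\S+@[\w.-]+\w)')
FACILITY_WIN32, ERROR_LOGON_FAILURE = 7, 1326

def decode_hresult(value):
    """Return (failed, facility, code); also accepts the signed .NET ErrorCode."""
    value &= 0xFFFFFFFF                      # -2147023570 -> 0x8007052E
    return bool(value >> 31), (value >> 16) & 0x1FFF, value & 0xFFFF

def parse_entries(text):
    """Split the log on its quoted timestamp headers and summarise each entry."""
    starts = list(ENTRY_START.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]
        codes = {int(h, 16) for h in HRESULT.findall(body)}
        codes |= {int(c) & 0xFFFFFFFF for c in ERRCODE.findall(body)}
        entries.append({"time": m.group(1), "component": m.group(2),
                        "accounts": sorted(set(ACCOUNT.findall(body))),
                        "hresults": sorted(codes)})
    return entries

def logon_failures(text):
    """List (component, account) pairs rejected with ERROR_LOGON_FAILURE."""
    hits = []
    for e in parse_entries(text):
        for hr in e["hresults"]:
            failed, facility, code = decode_hresult(hr)
            if failed and facility == FACILITY_WIN32 and code == ERROR_LOGON_FAILURE:
                hits += [(e["component"], a) for a in e["accounts"]]
    return hits
```

Every hit names the account whose logon was rejected, which is the account to create or verify before re-running the wizard.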

RESOLUTION / WORK AROUND

The best way around this error is to create the accounts necessary for Certificate Lifecycle Manager 2007 or FIM Certificate Management prior to running the Configuration Wizard.  During the Configuration Wizard on the Accounts page:

  1. Uncheck the box to use the defaults
  2. Click the button for Custom Accounts
  3. On each tab, in the lower left, check "Use existing account"
  4. In the textbox for the username, enter <domain>\<name of the agent account specified on the current tab> (e.g. CLMSAMP\clmAgent)
  5. Repeat Steps 3 and 4 for each tab
  6. Click Ok when finished
  7. Finish the Wizard

 

ADDITIONAL INFORMATION

SEE ALSO


Comments
  • Ed Price - MSFT edited Original. Comment: Title guidelines. Added tags. Great article!
