TROUBLESHOOTING: FIMCM: No mapping between account names and security IDs was done


OVERVIEW / PURPOSE / GOAL

I recently worked a support issue concerning Microsoft Forefront Identity Manager - Certificate Management (FIM CM). The resolution was straightforward, and I wanted to make sure this information was shared.

PROBLEM STATEMENT

Attempting to recover a smart card generates the following error message: "User lookup failed. No mapping between account names and security IDs was done."

While troubleshooting the issue, we obtained a FIM CM Verbose Trace Log (see: How to capture a FIM CM Verbose Trace Log). In the log, we could see the error being raised while the service looked up the user's membership in the configured security groups. That led us to the Clm.RequestSecurity.Groups setting in the web.config file.

ERROR MESSAGE


User lookup failed. No mapping between account names and security IDs was done.

FIM CM VERBOSE TRACE LOG

"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\<username>" "<DOMAIN NAME>\<FIM CM AUTH AGENT>" 0x00000224 0x00000012

Looking up account: <domain name>\<security group name>, machine:

"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\<username>" "<DOMAIN NAME>\<FIM CM AUTH AGENT>" 0x00000224 0x00000012

 

1) Exception Information

*********************************************

Exception Type: System.ApplicationException

Message: User lookup failed.

Data: System.Collections.ListDictionaryInternal

TargetSite: Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)

HelpLink: NULL

Source: Microsoft.Clm.Security.Authorization

StackTrace Information

*********************************************

at Microsoft.Clm.Security.Authorization.Sid.LookupAccount(String machineName, String account)

2) Exception Information

*********************************************

Exception Type: System.ComponentModel.Win32Exception

NativeErrorCode: 1332

ErrorCode: -2147467259

Message: No mapping between account names and security IDs was done

Data: System.Collections.ListDictionaryInternal

TargetSite: NULL

HelpLink: NULL

Source: NULL

CAUSE 


In this case, one or more of the group names listed in the Clm.RequestSecurity.Groups key of the FIM Certificate Management web.config file were invalid: they did not resolve to an account in Active Directory. The Win32 native error code 1332 in the trace log (ERROR_NONE_MAPPED) is exactly this condition, a name that could not be translated to a SID, so the inner exception points directly at a bad group entry rather than at the user being recovered.

RESOLUTION 

  1. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\Web
  2. Back up the web.config file by simply making a copy of the file
  3. Once the file is backed up, edit the web.config file
  4. Search for "Clm.RequestSecurity.Groups"
  5. Example:
    <add key="Clm.RequestSecurity.Flags" value="UseGroups" />
    <add key="Clm.RequestSecurity.Groups" value="<DOMAIN NAME>\domain users,<DOMAIN NAME>\fimcm users,<DOMAIN NAME>\MyNewCMUsers" />
    <add key="Clm.RequestSecurity.ManagerCanApprove" value="true" />
  6. Ensure that every group listed in the value exists in Active Directory and is spelled exactly as it appears there (in DOMAIN\group form)
  7. Once confirmed, save the web.config file
  8. Execute an IISRESET
  9. Test the process again
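To check step 6 without guessing, the following script (an added example, not part of the original article or the FIM CM product) reads the Clm.RequestSecurity.Groups value from web.config and resolves each entry to a SID the same way the service does, so an unresolvable name shows up before the edit. It assumes the key lives under appSettings and uses the install path given above; run it on the FIM CM server under a domain account.

```powershell
# Added example (not from the article): validate the groups FIM CM will look up.
# Assumption: Clm.RequestSecurity.Groups is an <add> under <appSettings>.
$WebConfig = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Certificate Management\Web\web.config'

function Test-ClmRequestSecurityGroups {
    param([Parameter(Mandatory = $true)][string]$Path)

    [xml]$config = Get-Content -LiteralPath $Path
    $node = $config.configuration.appSettings.add |
        Where-Object { $_.key -eq 'Clm.RequestSecurity.Groups' }
    if (-not $node) { throw "Clm.RequestSecurity.Groups not found in $Path" }

    # The value is a comma-separated list of DOMAIN\group names.
    foreach ($entry in ($node.value -split ',')) {
        $name = $entry.Trim()
        if (-not $name) { continue }
        try {
            # Account name -> SID translation; this is the lookup that fails
            # with Win32 error 1332 when the name does not exist in AD.
            $account = New-Object System.Security.Principal.NTAccount($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            New-Object PSObject -Property @{ Group = $name; Resolved = $true;  Sid = $sid.Value; Error = $null }
        } catch {
            New-Object PSObject -Property @{ Group = $name; Resolved = $false; Sid = $null; Error = $_.Exception.GetBaseException().Message }
        }
    }
}

$results = Test-ClmRequestSecurityGroups -Path $WebConfig
$results | Format-Table Group, Resolved, Sid, Error -AutoSize
if ($results | Where-Object { -not $_.Resolved }) {
    Write-Warning 'Correct the unresolved entries in web.config, save, then run IISRESET.'
}
```

Any row with Resolved = False is a group name that FIM CM cannot map to a SID and is the entry to fix in step 6.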

 

SEE ALSO

FIM LANDING PAGE: Resource Wiki Contents
