TROUBLESHOOTING: FIMCM: No mapping between account names and security IDs was done

TROUBLESHOOTING: FIMCM: No mapping between account names and security IDs was done


OVERVIEW / PURPOSE / GOAL

Recently worked an issue in support concerning Microsoft Forefront Identity Manager - Certificate Management.  The resolution was pretty straight forward, and I wanted to ensure that I shared this information.

PROBLEM STATEMENT

Attempting to recover a smart card, generates the following error message.  "User lookup failed. No mapping between account names and security IDs was done." 

Troubleshooting the issue, we obtained a FIM CM Verbose Trace Log.  ( How to capture a FIM CM Verbose Trace Log ).  In the log, we were able to see the error message being generated during the search for the user in the security group.  In doing so, this lead us to the RequestSecurity.Groups in the web.config file.

ERROR MESSAGE


User lookup failed. No mapping between account names and security IDs was done.
           

FIM CM VERBOSE TRACE LOG

"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\<username>" "<DOMAIN NAME>\<FIM CM AUTH AGENT>" 0x00000224 0x00000012

Looking up account: <domain name>\<security group name>, machine:

"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\<username>" "<DOMAIN NAME>\<FIM CM AUTH AGENT>" 0x00000224 0x00000012

 

1) Exception Information

*********************************************

Exception Type: System.ApplicationException

Message: User lookup failed.

Data: System.Collections.ListDictionaryInternal

TargetSite: Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)

HelpLink: NULL

Source: Microsoft.Clm.Security.Authorization

StackTrace Information

*********************************************

at Microsoft.Clm.Security.Authorization.Sid.LookupAccount(String machineName, String account)

2) Exception Information

*********************************************

Exception Type: System.ComponentModel.Win32Exception

NativeErrorCode: 1332

ErrorCode: -2147467259

Message: No mapping between account names and security IDs was done

Data: System.Collections.ListDictionaryInternal

TargetSite: NULL

HelpLink: NULL

Source: NULL

CAUSE 


In this case, the problem was the groups mentioned in the RequestSecurity.Groups in the FIM Certificate Management Web Config file were invalid. 

RESOLUTION 

  1. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\Web
  2. Backup the web.config file by simply making a copy of the file
  3. Once the file is backed up, Edit the web.config file
  4. Search for "CLM.RequestSecurity.Groups"
  5. Example
    <add key="Clm.RequestSecurity.Flags" value="UseGroups" />
    <add key="Clm.RequestSecurity.Groups" value="<DOMAIN NAME>\domain users,<DOMAIN NAME>\fimcm users,<DOMAIN NAME>\MyNewCMUsers" />
    <add key="Clm.RequestSecurity.ManagerCanApprove" value="true" />
  6. Ensure that all of the Groups mentioned here exist in the Active Directory and have the correct names
  7. Once confirmed, save the web.config file
  8. Execute an IISRESET
  9. Test the process again

 

SEE ALSO

FIM LANDING PAGE: Resource Wiki Contents

Leave a Comment
  • Please add 2 and 7 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Richard Mueller edited Revision 5. Comment: Added tags

Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Richard Mueller edited Revision 5. Comment: Added tags

Page 1 of 1 (1 items)