In some cases the FIM service fails to start. The error presented to the user may state the need to "verify that you have sufficient privileges to start system services."

The actual cause of the start up failure is a timeout. The service fails to start within the default timeout threshold of 30 seconds. While increasing the timeout via a registry change may address the symptom this modification effects all services.

The FIM service uses the .NET framework. At the FIM service startup the .NET CLR attempts to validate the Authenticode signature. If the FIM service server is not connected to the Internet (or connectivity is limited) the certificate revocation checking may fail. While the service will start (if the timeout is sufficiently increased) it may take several minutes.

Adding one line to the existing Microsoft.ResourceManagement.Service.exe.config file on the FIM server the Authenticode verification may be avoided. This increases the start up performance of the service and avoids the need to increasing the timeout.

If the Authenticode verification process is contributing to the service start up failure the following events occur. (To enable CAPI2 logging please see the CAPI2 section of Directory Services Debug Logging Primer.)

Events:

Log Name:      System
Source:        Service Control Manager
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIM01.contoso.com
Description:
The Forefront Identity Manager Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Log Name:      System
Source:        Service Control Manager
Event ID:      7009
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      FIM01.contoso.com
Description:
A timeout was reached (30000 milliseconds) while waiting for the Forefront Identity Manager Service service to connect.

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Event ID:      41
Task Category: Verify Revocation
Level:         Error
Keywords:      Path Validation,Path Validation
User:          S-1-5-21-0123456789-0123456789-0123456789-1234
Computer:      FIM01.contoso.com
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
      <EventAuxInfo ProcessName="Microsoft.ResourceManagement.Service.exe" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Event ID:      11
Task Category: Build Chain
Level:         Error
Keywords:      Path Validation,Path Validation
User:          S-1-5-21-0123456789-0123456789-0123456789-1234
Computer:      FIM01.contoso.com
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
      <EventAuxInfo ProcessName="Microsoft.ResourceManagement.Service.exe" />
      <Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>

Resolution:

Disable the .NET CLR Authenticode check for the FIM service.

1. Go to C:\Program Files\Microsoft Forefront Identity Manager\2010\Service
2. Make a backup copy of the existing Microsoft.ResourceManagement.Service.exe.config file.
3. Using a text editor open Microsoft.ResourceManagement.Service.exe.config
4. Right after the <runtime> section in the file add the following entry.
   <generatePublisherEvidence enabled="false"/>
5. Save the Microsoft.ResourceManagement.Service.exe.config file.
6. Start the FIM Service.

Screenshot of the Microsoft.ResourceManagement.Service.exe.config after the edit.

More Information: <generatePublisherEvidence> Element