In some cases the FIM service fails to start. The error presented to the user may state the need to "verify that you have sufficient privileges to start system services."
The actual cause of the start-up failure is a timeout: the service does not finish starting within the Service Control Manager's default threshold of 30 seconds. Increasing that timeout via a registry change may address the symptom, but the modification affects all services on the machine, not just FIM.
The FIM service is built on the .NET Framework. At FIM service start-up the .NET CLR attempts to validate the Authenticode signature of the service executable. If the FIM service server is not connected to the Internet (or connectivity is limited), certificate revocation checking fails only after the revocation server request times out. The service will still start (if the timeout has been increased sufficiently), but start-up may take several minutes.
By adding one line to the existing Microsoft.ResourceManagement.Service.exe.config file on the FIM server, the Authenticode verification can be skipped. This shortens the service start-up time and avoids the need to increase the timeout.
If the Authenticode verification process is contributing to the service start-up failure, the following events are logged. (To enable CAPI2 logging, see the CAPI2 section of Directory Services Debug Logging Primer; the CAPI2 Operational log is not enabled by default.)
Events:
Log Name: System
Source: Service Control Manager
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: FIM01.contoso.com
Description: The Forefront Identity Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log Name: System
Source: Service Control Manager
Event ID: 7009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: FIM01.contoso.com
Description: A timeout was reached (30000 milliseconds) while waiting for the Forefront Identity Manager Service service to connect.

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Event ID: 41
Task Category: Verify Revocation
Level: Error
Keywords: Path Validation,Path Validation
User: S-1-5-21-0123456789-0123456789-0123456789-1234
Computer: FIM01.contoso.com
Description: For more details for this event, please refer to the "Details" section
Event Xml:
<EventAuxInfo ProcessName="Microsoft.ResourceManagement.Service.exe" />
<Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Event ID: 11
Task Category: Build Chain
Level: Error
Keywords: Path Validation,Path Validation
User: S-1-5-21-0123456789-0123456789-0123456789-1234
Computer: FIM01.contoso.com
Description: For more details for this event, please refer to the "Details" section
Event Xml:
<EventAuxInfo ProcessName="Microsoft.ResourceManagement.Service.exe" />
<Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
Resolution:
Disable the .NET CLR Authenticode check for the FIM service.
Screenshot of the Microsoft.ResourceManagement.Service.exe.config after the edit.
More Information: <generatePublisherEvidence> Element
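The following PowerShell script is an added example, not part of the original article: it first counts the CAPI2 revocation-offline events raised by the FIM service process (the same Event IDs 11 and 41 shown above), then backs up the config and adds the <generatePublisherEvidence enabled="false"/> element under <runtime>, leaving the file unchanged if the element is already present. The config file path is an assumption; adjust $ConfigPath to match your installation.

```powershell
# Added example (not from the original article). The path below is an
# assumption about the default FIM install; adjust it for your server.
$ConfigPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\Microsoft.ResourceManagement.Service.exe.config'

# 1. Confirm the symptom: CAPI2 Event IDs 11 (Build Chain) and 41 (Verify
#    Revocation) raised by the FIM service process with result 80092013
#    ("revocation server was offline"). The CAPI2 Operational log must
#    already be enabled for these events to exist.
$capi2 = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11, 41
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match 'Microsoft\.ResourceManagement\.Service\.exe' -and
                   $_.ToXml() -match '80092013' }
Write-Host ("CAPI2 revocation-offline events from the FIM service: {0}" -f @($capi2).Count)

# 2. Back up the config before touching it.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

# 3. Load the config as XML and make sure <configuration><runtime> exists.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$runtime = $cfg.configuration.SelectSingleNode('runtime')
if (-not $runtime) {
    $runtime = $cfg.configuration.AppendChild($cfg.CreateElement('runtime'))
}

# 4. Add <generatePublisherEvidence enabled="false"/> only if it is missing;
#    if it is already there, just make sure it is set to false.
$gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
if (-not $gpe) {
    $gpe = $runtime.AppendChild($cfg.CreateElement('generatePublisherEvidence'))
}
$gpe.SetAttribute('enabled', 'false')
$cfg.Save($ConfigPath)

# 5. Show the resulting <runtime> section so the change can be reviewed
#    before the service is restarted.
$runtime.OuterXml
```

Setting generatePublisherEvidence to false only stops the CLR from building Code Access Security publisher evidence when the executable loads; it does not weaken Authenticode validation elsewhere in Windows and only matters to applications that rely on PublisherIdentityPermission.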
Thank you. This works perfectly. I had the problem in a separate test environment without an Internet connection.