[Troubleshooting] FIM CM Certificate Request Error: Denied by Policy Module

ISSUE
FIM CM certificate requests fail. The error returned in the CM request page is "denied by Policy Module."

TROUBLESHOOTING
Application and FIM Certificate Manager event logs

Log Name: Application

Source: Microsoft-Windows-CertificationAuthority

Date:

5/30/2013 12:17:36 PM

Event ID:

53

Task Category: None

Level: Warning

Keywords: Classic

User: SYSTEM

Computer: CA.contoso.com

Description:

Active Directory Certificate Services denied request xxxx because An unknown error occurred while processing the certificate.

0x80090327 (-2146893017). The request was for CN=CA.contoso.com. Additional information: Denied by Policy Module

Log Name: FIM Certificate Management

Source: FIM CM CA Modules

Date: 5/30/2013 12:17:36 PM

Event ID: 0

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: CA.contoso.com

Description:

"2013-05-30 12:17:36.56 -05" "Microsoft.Clm.PolicyModule.Policy" "Microsoft.Clm.Shared.CertificateServer.EnrollmentAttributes LoadEnrollmentAttributesData(System.String)"
 "" "NT AUTHORITY\SYSTEM" 0x00001C84 0x00000004

1) Exception Information

*********************************************

Exception Type: System.ApplicationException

Message: Unable to verify certificate validity.

Data: System.Collections.ListDictionaryInternal

TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)

HelpLink: NULL

Source: Microsoft.Clm.PolicyModule

StackTrace Information

*********************************************

at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)

at Microsoft.Clm.PolicyModule.Policy.LoadEnrollmentAttributesData(String xml)

2) Exception Information

*********************************************

Exception Type: System.Security.Cryptography.CryptographicException

Message:
None of the signers of the cryptographic message or certificate trust list is trusted.

Data: System.Collections.ListDictionaryInternal

TargetSite: Void VerifySigningCertificateValidity(System.Security.Cryptography.X509Certificates.X509Certificate)

HelpLink: NULL

Source: Microsoft.Clm.PolicyModule

StackTrace Information

*********************************************

at Microsoft.Clm.PolicyModule.Policy.VerifySigningCertificateValidity(X509Certificate cert)

Enabling FIM CM logging (clm.txt) finds the following.
Request certificate from CA for certificate template: FIMCMCheckout. Status: -2146877420. Disposition: Denied. Disposition Message: Denied by Policy Module. Error Message: The request was denied by a certificate manager or CA administrator. 0x80094014 (-2146877420)

FURTHER TROUBLESHOOTING
Based on the exception details in the CM module event CAPI2 event logging was enabled on the CA. Reproducing the issue logged several CAPI2 events. The most notable example is below.

Log Name: Microsoft-Windows-CAPI2/Operational

Source: Microsoft-Windows-CAPI2

Date: 5/30/2013 1:19:25 PM

Event ID: 42

Task Category: Reject Revocation Information

Level: Error

Keywords: Revocation,Path Validation

User: SYSTEM

Computer: CA.contoso.com

Description:

For more details for this event, please refer to the "Details" section

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"

<System

<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />

<EventID>42</EventID

<Version>0</Version

<Level>2</Level

<Task>42</Task

<Opcode>0</Opcode

<Keywords>0x4000000000000005</Keywords

<TimeCreated SystemTime="2013-05-30T18:19:25.984466500Z" />

<EventRecordID>17757</EventRecordID

<Correlation />

<Execution ProcessID="8428" ThreadID="7344" />

<Channel>Microsoft-Windows-CAPI2/Operational</Channel

<Computer>CA.contoso.com</Computer

<Security UserID="S-1-5-18" />

</System

<UserData

<CertRejectedRevocationInfo

<SubjectCertificate fileRef="85E6EA9235EC50D0AA98D8EEF86B91020DA7AC60.cer" subjectName="SVC_FIMCM_Agent" />

<IssuerCertificate fileRef="BA02C4B3EE999E878E5145883733A4CF069D28DE.cer" subjectName="CA" />

<CertificateRevocationList location="Store" fileRef="322DD0D0B6CEF55C8D276661F10A7ECEADEB6F0E.crl" issuerName="CA" />

<Action name="CheckTimeValidity" />

<EventAuxInfo ProcessName="certsrv.exe" />

<CorrelationAuxInfo TaskId="{6356E380-076B-4286-8E3A-C37766BBE58A}" SeqNumber="3" />

</CertRejectedRevocationInfo

</UserData

</Event>

The event indicated something may be amiss with a CRL on the CA. Checking the CRL file on the CA itself (%systemroot%\System32\CertSrv\CertEnroll) found an expired CRL. However the externally published CRL (AD, http site, etc.) was current.

RESOLUTION
Published a new CRL in the Certification Authority snap-in and the local file (and others) updated as expected.

Sample Screenshots
Location and viewing local CRL file on CA.

Publishing a new CRL

Wiki - Revision Comment List(Revision Comment)

| |

Comments

Steve Light - MSFT

5 Jun 2013 9:55 AM

Steve Light - MSFT edited Revision 1. Comment: Added some screen shots.
- Edit
Steve Light - MSFT

4 Jun 2013 12:01 PM

Steve Light - MSFT edited Original. Comment: Trying to added pics
- Edit

Wikis - Comment List

Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.

Posted by Steve Light - MSFT

on 5 Jun 2013 9:55 AM

Steve Light - MSFT edited Revision 1. Comment: Added some screen shots.
Edit
Posted by Steve Light - MSFT

on 4 Jun 2013 12:01 PM

Steve Light - MSFT edited Original. Comment: Trying to added pics
Edit

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

[Troubleshooting] FIM CM Certificate Request Error: Denied by Policy Module