I recently worked an issue where we were receiving an exception in the Certificate Management event log when the FIM CMAgent account keys are stored in an HSM (Hardware Security Module). The event log provided enough information on the issue, so I did not need to reproduce it. It was the general information in the event log that led me to the solution.
The general message was “EnvelopedCMS decryption failed. Fall back to AES method”. In this case, there was a LunaSA HSM involved.
Troubleshooting:
Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 10/25/2012 8:21:53 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer:
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 10/25/2012 8:21:53 PM
Event time (UTC): 10/25/2012 4:21:53 PM
Event ID: 64646420362f4605818948a23b5fc91f
Event sequence: 136
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/CertificateManagement-1-129956552833822128
Trust level: Full
Application Virtual Path: /CertificateManagement
Application Path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\
Machine name: FIM
Process information:
Process ID: 3484
Process name: w3wp.exe
Account name: DOMAIN\clmWebPool
Exception information:
Exception type: CryptographicException
Exception message: FIM CM was unable to decrypt necessary data.
Request information:
Request URL: http://DNSDOMAIN/CertificateManagement/content/common/requests/DisplayRequestStatus.aspx?ID=572d315253104199a8c186fa240ff7ec
Request path: /CertificateManagement/content/common/requests/DisplayRequestStatus.aspx
User host address: ::1
User: DOMAIN\root
Is authenticated: True
Authentication Type: Negotiate
Thread account name: DOMAIN\clmWebPool
Thread information:
Thread ID: 14
Is impersonating: False
Stack trace: at Microsoft.Clm.BusinessLayer.DataEncryption.DecryptUsingAES(String encryptedDataBlob)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.BusinessLayer.CheckClmOperations.CanCurrentUserDistributeSecretsOnClmRequest(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.Web.Modules.OneTimePasswordUserControl.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Log Name: FIM Certificate Management
Source: System.Web
Event ID: 0
Task Category: None
Level: Error
Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.
Type:System.Web.HttpUnhandledException
Source:System.Web
Stack Trace: at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.content_common_requests_displayrequeststatus_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception:Message:FIM CM was unable to decrypt necessary data.
Type:System.Security.Cryptography.CryptographicException
Source:Microsoft.Clm.BusinessLayer
Stack Trace: at Microsoft.Clm.BusinessLayer.DataEncryption.DecryptUsingAES(String encryptedDataBlob)
CERTIFICATE MANAGEMENT TRACE LOG
General Information
*********************************************
Additional Info:
EnvelopedCMS decryption failed. Fall back to AES method.
1) Exception Information
Exception Type: System.Security.Cryptography.CryptographicException
Message: An internal error occurred.
Data: System.Collections.ListDictionaryInternal
TargetSite: Void DecryptContent(System.Security.Cryptography.Pkcs.RecipientInfoCollection, System.Security.Cryptography.X509Certificates.X509Certificate2Collection)
HelpLink: NULL
Source: System.Security
StackTrace Information
at System.Security.Cryptography.Pkcs.EnvelopedCms.DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore)
"2011-09-23 14:26:47.07 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" "DOMAIN\FIMCMAgent" 0x000008CC 0x00000007
Getting certificate:
"2011-09-23 14:26:47.08 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007
Opened MY Certificate store for READ access.
Found 1 matching certificates.
"2011-09-23 14:26:47.09 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007
RESOLUTION
1. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\web
2. Make a backup copy of the web.config file and give it a name such as web.config.backup, so that you can tell it is the backup copy taken today.
3. Open the web.config file in an XML editor (Notepad, Visual Studio, or another XML editor).
4. Search for Clm.Encryption.Algorithm in the web.config file.
a. You should come to a line that looks like <add key="Clm.Encryption.Algorithm" value="Aes" />
5. Change the value to TripleDes
a. Should look like: <add key="Clm.Encryption.Algorithm" value="TripleDes" />
6. Save the web.config
7. Open an Administrative Command Prompt
8. Type IISRESET
9. Test the fix by repeating the request that produced the exception (in this case, opening the DisplayRequestStatus.aspx page) and confirm that no new CryptographicException is logged.
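One way to script the resolution steps above, as an added example that is not part of the original article. It assumes the default install path and the Clm.Encryption.Algorithm key exactly as quoted in the steps, and must be run from an elevated PowerShell prompt on the FIM CM server.

```powershell
# Added example (not from the original article): automates the RESOLUTION steps.
# Assumptions: default FIM CM web path and the Clm.Encryption.Algorithm appSettings
# key as shown in the steps above; run elevated on the FIM CM server.
$webDir    = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Certificate Management\web'
$webConfig = Join-Path $webDir 'web.config'

if (-not (Test-Path $webConfig)) {
    throw "web.config not found at $webConfig"
}

# Step 2: dated backup so it is obvious when it was taken
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$webConfig.backup-$stamp"
Copy-Item -Path $webConfig -Destination $backup
Write-Host "Backup written to $backup"

# Steps 4-5: load the file as XML and locate the appSettings entry
[xml]$xml = Get-Content -Path $webConfig -Raw
$node = $xml.SelectSingleNode("//add[@key='Clm.Encryption.Algorithm']")
if ($null -eq $node) {
    throw "Clm.Encryption.Algorithm key not found in $webConfig; nothing changed"
}

$before = $node.GetAttribute('value')
Write-Host "Current Clm.Encryption.Algorithm value: $before"

if ($before -ieq 'TripleDes') {
    Write-Host 'Already set to TripleDes; no change made.'
} else {
    $node.SetAttribute('value', 'TripleDes')
    # Step 6: save; XmlDocument.Save keeps the XML declaration and encoding
    $xml.Save($webConfig)

    # Re-read the saved file to confirm the change actually landed on disk
    [xml]$check = Get-Content -Path $webConfig -Raw
    $after = $check.SelectSingleNode("//add[@key='Clm.Encryption.Algorithm']").GetAttribute('value')
    if ($after -ne 'TripleDes') {
        throw "Verification failed: value is '$after'; restore from $backup"
    }
    Write-Host "Changed Clm.Encryption.Algorithm from '$before' to 'TripleDes'."

    # Steps 7-8: restart IIS so the CertificateManagement application reads the new setting
    & iisreset
}
```

Step 9 is still manual: re-open the request status page that raised the exception and check the Application and FIM Certificate Management logs for a fresh CryptographicException.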
Tim Macaulay edited Revision 2. Comment: added information from the application and fim cm event logs