FIM CM Provision API - Enrollment
Hello There,

We are trying to develop a web service (signed XML output) using the FIM CM Provision API to create a user certificate request to submit to a third-party CA. We are getting a couple of issues, below.

Issue 1.

  FindOperations.UseRemoting = false;
  ReadOnlyCollection<ProfileTemplate> list = FindOperations.FindAllProfileTemplates();

(UseRemoting is false as we are not using the remoting method now.) Getting the below error:

  System.InvalidOperationException: Application attempted to use .config file settings, but it hasn't been parsed yet.
     at Microsoft.clm.common.clmconfiguration.CheckInit()
     at Microsoft.clm.common.clmconfiguration.get_AuthAgentUsername()
     at Microsoft.clm.BusinessLayer.settings.get_AuthAgentUsername()
     at Microsoft.clm.BusinessLayer.Security.getClmAuthAgent()
     at Microsoft.clm.BusinessLayer.UserProfiles.GetUserProfiles()
     at Microsoft.clm.BusinessLayer.Shared.FindOperations.FindAllProfiletemplates()
     at Microsoft.clm.Provision.FindOperationsByCulture.FindAllProfiletemplates(CultureInfo uiculture, Cultureinfo culture)
     at Microsoft.clm.Provision.FindOperations.FindAllProfiletemplates
     at Enroll.EnrollusingProvisionapi() in c:\Users\Administrator\Documents\Visual Studio 2010\Websites\FimFinal\App_Code\Enroll.cs

Issue 2.

The FIM CM web portal (https://localhost/Certificate Management) was running fine and is now getting an error:

  HTTP Error 404.17 - Not Found
  The requested Content appears to be script and will not be served by the static file handler.

Tried changing the application pool from clmAppPool to .NET Classic and all available options (Default, .NET, Integrated etc.), but still the same error.

Before this error, I created some sample profile templates using this FIM CM web portal, which are appearing under the container Public Key Services / Profile Templates in Active Directory Sites and Services, which is on the same machine (2008 Datacenter machine). Environment details:

- FIM CM and the CA are on the same machine.
- The SQL connection string is configured now.
- Microsoft CA is running on the same machine for temporary testing; the CA server name is in the SQL database CertificateAuthority table.
- Exit module and policy module are configured; the clmAgent user certificate thumbprint is added in the policy module.
- In SQL Security > Login, the 'clmApp' role is given to one AD user. By default the clmApp role was for the SQL user 'clmuser'.
- The profile templates table is NULL now in the SQL DB and has no value in it.

regards,
Mangesh
February 9th, 2011 7:36am

Kindly waiting...
February 10th, 2011 5:21am

For issue #1: UseRemoting must be set to true for out-of-process applications that are accessing the Provision API remotely. .NET remoting allows client apps to make calls to remote objects hosted in the IIS process where the CLM web app is running. UseRemoting must be set to false for in-process applications. I strongly suggest that you do not attempt to run your service in the same pool, but instead access the Provision API remotely. This is the intended scenario, and it is what we support.
February 10th, 2011 4:13pm

Hi Heena, But we need to create a web service which will interact with a Java application. For this we need to use the in-process method as specified in the Microsoft article:

"Using In-process calls: Developers can access the Provision API, or create notification handlers, or implement specific interfaces to run in-process with the FIM CM server. A developer could potentially write his/her own ASPX pages and make them run in the same process as the FIM CM Web application using the Provision API."

URL: http://msdn.microsoft.com/en-us/library/bb468079.aspx

Do you mean to say that there is some issue in the in-process method?
February 11th, 2011 5:16am

Hi Heena, I had tried a console application using remoting, in which I had specified:

  RequestOperations.UseRemoting = true;

I got the below error:

  The remote server returned an error: (401) Unauthorized.

Can you please let me know the solution for this?
February 11th, 2011 6:47am

You do not need to use in-process just because you are creating a web service. Please try to access the Provision API remotely from a web service in a separate pool. Does your client-side remoting app config file look similar to this?

  <?xml version="1.0" encoding="utf-8" ?>
  <configuration>
    <system.runtime.remoting>
      <application>
        <channels>
          <channel ref="http" useDefaultCredentials="true">
            <clientProviders>
              <formatter ref="binary" />
            </clientProviders>
          </channel>
        </channels>
        <client>
          <wellknown type="Microsoft.Clm.Provision.RequestOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests2.rem" />
          <wellknown type="Microsoft.Clm.Provision.FindOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests3.rem" />
          <wellknown type="Microsoft.Clm.Provision.PermissionOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests4.rem" />
          <wellknown type="Microsoft.Clm.Provision.ExecuteOperationsByCulture, Microsoft.Clm.Provision" url="http://localhost/certificatemanagement/remoterequests5.rem" />
        </client>
      </application>
    </system.runtime.remoting>
  </configuration>
February 11th, 2011 3:55pm

Hi Heena, Thanks a ton. Appreciate your effort. I have exactly the same thing in the configuration file, which I referred from your inputs on the thread below:
http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/558007bb-8c0f-424c-97db-57edd6574ce5/
February 11th, 2011 10:10pm

Hi Heena, For the console application I am still getting an error. It says:

  System.DirectoryServices.DirectoryServicesCOMException was caught
  Message=There is no such object on the server.
  Source=System.DirectoryServices
  ErrorCode=-2147016656
  ExtendedError=0
  ExtendedErrorMessage=""
  StackTrace:
  Server stack trace:
     at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
     at System.DirectoryServices.DirectoryEntry.Bind()
     at System.DirectoryServices.DirectoryEntry.get_Name()
     at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(DirectoryEntry entry)
     at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(Guid profileTemplateUuid)
     at Microsoft.Clm.BusinessLayer.UserProfiles.GetProfileTemplate(Guid profileTemplateUuid)
     at Microsoft.Clm.BusinessLayer.Shared.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
     at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
     at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
     at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
     at Microsoft.Clm.Provision.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
     at FIMSample.Program.Main(String[] args) in C:\Users\Administrator\Documents\Visual Studio 2010\Projects\FIMPOC\FIMSample\Program.cs:line 29
  InnerException:
February 14th, 2011 1:52am

Hi, after your last reply, this definitely looks like a permissions issue. Are you sure the domain user you're running the app with has read rights to the Configuration container to see the profile template objects in AD? They are located in:

  <your domain>/Configuration/Services/Public Key Services/Profile Templates/<your templates>

Piotr
February 14th, 2011 3:19am

Hi Piotr, Thanks a lot. Appreciate your help. But the permission is already there for the profile template, as specified by you. Can you please let me know if I need to try something else for the below error?

  System.DirectoryServices.DirectoryServicesCOMException was caught
  Message=There is no such object on the server.
  Source=System.DirectoryServices
  ErrorCode=-2147016656
  ExtendedError=0
  ExtendedErrorMessage=""
  StackTrace:
  Server stack trace:
     at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
     at System.DirectoryServices.DirectoryEntry.Bind()
     at System.DirectoryServices.DirectoryEntry.get_Name()
     at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(DirectoryEntry entry)
     at Microsoft.Clm.DataAccess.AD.UserProfiles.Load(Guid profileTemplateUuid)
     at Microsoft.Clm.BusinessLayer.UserProfiles.GetProfileTemplate(Guid profileTemplateUuid)
     at Microsoft.Clm.BusinessLayer.Shared.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
     at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
     at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
     at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at Microsoft.Clm.Provision.FindOperationsByCulture.GetProfileTemplate(Guid profileTemplateUuid, CultureInfo uiCulture, CultureInfo culture)
     at Microsoft.Clm.Provision.FindOperations.GetProfileTemplate(Guid profileTemplateUuid)
     at FIMSample.Program.Main(String[] args) in C:\Users\Administrator\Documents\Visual Studio 2010\Projects\FIMPOC\FIMSample\Program.cs:line 29
February 14th, 2011 5:07am

Hi, I remember I was struggling with something similar, but it was within the same IIS process FIM CM runs in, so I'm not sure how it's being processed from a console application. As you see in your stack trace, it's using remoting in the middle before doing the actual call to AD, so I'm not sure it's using the same credentials as the ones you're running the app with. When I saw the same error in the IIS context it ended up being something wrong with delegation on the web pool account. But with the console app, I don't see how that would apply. The second thing is what Heena wrote about the config file entries: are you sure you have them? If it's a permissions issue, maybe you will be able to find something in the security event log, either on the box or on the DC. Piotr
February 14th, 2011 6:32am

Hi Piotr, Thanks. I have a log which says:

  Active Directory Certificate Services denied request 12 because An unknown error occurred while processing the certificate. 0x80090327 (-2146893017). The request was for FIMPOC\Administrator. Additional information: Denied by Policy Module

I have my config file, which is exactly the same as Heena said.
February 14th, 2011 7:29am

I'm a bit lost, could we focus on one case at a time? Are you creating a:
- web service?
- console app?
- The last error is from "Active Directory Certificate Services", and at the top you wrote you're using a "Third Party CA". This error looks like it's from the CA, so not directly related to any of the above.
Piotr
February 14th, 2011 8:31am

Hi Piotr, Our objective is to test with a third-party CA, but currently we are using the inbuilt CA. The above error was from the FIM CM 2010 web portal, which is solved, and yes, it is from Active Directory Certificate Services. We have created one console application and one web application so that we can use the Provision API. In both approaches we are getting the same error. We have proper client configuration. Rights on the profile template are given for the administrator user.

  System.DirectoryServices.DirectoryServicesCOMException was caught
  Message=There is no such object on the server
February 14th, 2011 9:21am

Hi, can you paste the code you're using? It still looks like a permissions issue. To help troubleshoot, you can try using System.DirectoryServices.DirectoryEntry directly and try to bind to where you're trying to bind with the FIM CM Provisioning API. Piotr
February 14th, 2011 10:03am

Hi Piotr, code:

  using System;
  using System.Collections.Generic;
  using System.Linq;
  using System.Web;
  using System.Web.UI;
  using System.Web.UI.WebControls;
  using Microsoft.Clm.Provision;
  using Microsoft.Clm.Shared;
  using System.IO;
  using Microsoft.Clm.Shared.ProfileTemplates;
  using System.Configuration;
  using System.Runtime.Remoting;
  using System.DirectoryServices;

  public partial class Enroll : System.Web.UI.Page
  {
      protected void Page_Load(object sender, EventArgs e)
      {
          string sUuid = "E52935D0-8931-451A-B59E-276098F52EC2";
          Guid uuid = new Guid(sUuid);
          try
          {
              // Look up the profile template over remoting.
              FindOperations.UseRemoting = true;
              ProfileTemplate profileTemplateUuid = FindOperations.GetProfileTemplate(uuid);
              if (profileTemplateUuid == null)
              {
                  Response.Write("Could not find a Profile Template for uuid ");
                  return;
              }
              string input = "FIMPOC\\Administrator";
              if (!string.IsNullOrEmpty(input))
              {
                  // Target user for the enrollment request.
                  Guid userTarget = new Guid(input);
                  RequestOperations.UseRemoting = true;
                  Microsoft.Clm.Shared.Requests.Request enrollRequest =
                      RequestOperations.InitiateEnroll(profileTemplateUuid.Uuid, null, userTarget, "My comment", 101);
                  Response.Write("enroll uid" + enrollRequest.Uuid);
              }
          }
          catch (Exception ex)
          {
              Response.Write("there is some issue");
              Response.Write(ex);
          }
      }
  }
February 15th, 2011 12:36am

Hi, please try binding to that object in a try ... catch before using the FIM CM API. Do something like (please correct any syntax errors, my C# is rusty):

  System.DirectoryServices.DirectoryEntry dirEntry = System.DirectoryServices.DirectoryEntry("LDAP://<GUID=E52935D0-8931-451A-B59E-276098F52EC2>");
  Response.Write(dirEntry.Properties("distinguishedName").Value);

Anyway, could someone confirm this code will be using the current web pool account credentials, and not some other because of the remoting? In addition, looking at what's below in your code ... are you sure "Guid userTarget = new Guid(input);" will work? Piotr
February 15th, 2011 2:06am

Hi Piotr, Thanks for your input. Appreciate your efforts. I tried using your input. Firstly, the syntax for your code should be:

  System.DirectoryServices.DirectoryEntry dirEntry = new System.DirectoryServices.DirectoryEntry("LDAP://<GUID=E52935D0-8931-451A-B59E-276098F52EC2>");
  Response.Write(dirEntry.Properties["distinguishedName"].Value);

But I still get the same error. I am pasting the code below:

  string sUuid = "E52935D0-8931-451A-B59E-276098F52EC2";
  Guid uuid = new Guid(sUuid);
  try
  {
      // Direct bind to the profile template object, before any Provision API call.
      System.DirectoryServices.DirectoryEntry dirEntry =
          new System.DirectoryServices.DirectoryEntry("LDAP://<GUID=E52935D0-8931-451A-B59E-276098F52EC2>");
      Response.Write(dirEntry.Properties["distinguishedName"].Value);

      FindOperations.UseRemoting = true;
      ProfileTemplate profileTemplateUuid = FindOperations.GetProfileTemplate(uuid);
      if (profileTemplateUuid == null)
      {
          Response.Write("Could not find a Profile Template for uuid ");
          return;
      }
      string input = "FIMPOC\administrator";
      if (!string.IsNullOrEmpty(input))
      {
          Guid userTarget = new Guid(input);
          RequestOperations.UseRemoting = true;
          Microsoft.Clm.Shared.Requests.Request enrollRequest =
              RequestOperations.InitiateEnroll(profileTemplateUuid.Uuid, null, userTarget, "My comment", 101);
          Response.Write("enroll uid" + enrollRequest.Uuid);
      }
  }
  catch (Exception ex)
  {
      Response.Write("there is some issue");
      Response.Write(ex);
  }

  System.DirectoryServices.DirectoryServicesCOMException was caught
  Message=There is no such object on the server

Regarding Guid userTarget = new Guid(input): yes, it should work, but my code breaks at your Response.Write() now, so it is not even getting to this point. As you say, there is some permission issue. Can you tell me if there is something I need to do in Active Directory?

Thanks
Ganesh
February 15th, 2011 7:58am

Hi Ganesh, the idea with the check was to see if you can directly bind to the object with your credentials, not using the FIM CM Provisioning API. So were you able to see the response from those lines before the error, or did they cause the error? And also, you might need to add the DNS name of your domain, or DC, before the GUID, so like "LDAP://my.domain.com/<GUID=E52935D0-8931-451A-B59E-276098F52EC2>". Anyway, I see you're testing this with the web app; is the web pool running on an account that has access to the templates? Piotr
February 15th, 2011 2:32pm
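As an added diagnostic, not code from this thread or from FIM CM, the direct bind Piotr describes, reporting which Windows identity performs it and handling the "no such object" case explicitly; the GUID is the one used in the thread, while the DC host name and the container DN are assumed placeholders for the FIMPOC domain.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Direct LDAP bind check, bypassing the Provision API and remoting, so the
// outcome reflects the rights of the account this code actually runs under.
public static class TemplateBindCheck
{
    // GUID from the thread; DC name and container DN are assumed placeholders.
    public const string TemplateGuid = "E52935D0-8931-451A-B59E-276098F52EC2";
    public const string DomainController = "dc01.fimpoc.local";
    public const string TemplatesContainer =
        "CN=Profile Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=fimpoc,DC=local";

    // ERROR_DS_NO_SUCH_OBJECT, the ErrorCode seen in the thread (-2147016656).
    private const int NoSuchObject = unchecked((int)0x80072030);

    // Binds by GUID and returns the object's DN, or a description of the failure.
    public static string BindByGuid()
    {
        // For a web app this is the pool identity unless impersonation is enabled;
        // for a console app it is the logged-on user.
        string who = WindowsIdentity.GetCurrent().Name;
        string path = "LDAP://" + DomainController + "/<GUID=" + TemplateGuid + ">";
        try
        {
            using (var entry = new DirectoryEntry(path))
            {
                entry.RefreshCache(new[] { "distinguishedName" }); // forces the bind
                return who + " can read " + entry.Properties["distinguishedName"].Value;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // AD also answers "no such object" when the caller is not allowed to see
            // the object, so this result alone does not prove the template is missing.
            if (ex.ErrorCode == NoSuchObject)
                return who + ": not found or not visible: " + path;
            return who + ": bind failed 0x" + ex.ErrorCode.ToString("X8") + " " + ex.Message;
        }
    }

    // Lists the template objects visible to the caller in the Profile Templates
    // container. An empty list while templates show up in AD Sites and Services
    // points at missing read rights on the container rather than at a bad GUID.
    public static string[] ListVisibleTemplates()
    {
        string path = "LDAP://" + DomainController + "/" + TemplatesContainer;
        using (var container = new DirectoryEntry(path))
        using (var searcher = new DirectorySearcher(container, "(objectClass=*)", new[] { "cn" }, SearchScope.OneLevel))
        using (SearchResultCollection results = searcher.FindAll())
        {
            var names = new string[results.Count];
            for (int i = 0; i < results.Count; i++)
                names[i] = (string)results[i].Properties["cn"][0];
            return names;
        }
    }

    public static void Main()
    {
        Console.WriteLine(BindByGuid());
        foreach (string name in ListVisibleTemplates())
            Console.WriteLine("visible template: " + name);
    }
}
```

Run it once as the console user and once under the web pool identity (for example from a test ASPX page); the first line of output shows which account each bind was really made with.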

Hi Piotr, I didn't get any response; the error was caused when we were directly binding with our credentials. I even added the DNS name of my domain. With regard to the web app, it is using DefaultAppPool and it is using FIMPOC\clmwebpool as identity, which has permission on the template.
February 16th, 2011 3:38am

Sorry guys, by mistake "Proposed as answer" was clicked. Please ignore it.
February 16th, 2011 6:36am

I am not sure if it's affecting you, but on our site it looks like the CLM update is breaking remoting on the CLM server. It's affecting us in a lot of different ways: the Bulk Printing agent, notifications, and a few other parts all seem to use this, and there appears to be some underlying problem that's preventing it from working. Our custom code works fine in one of our test environments that doesn't have the update applied, but once we apply the update, that environment also stops working. We have a ticket open with Microsoft, and they are doing a great job tracking it down, and I hope they have an answer soon. If it looks like it's going to be a while, we are going to have to reinstall our CLM deployments (uninstalling the update doesn't clear the problem, you have to reinstall). Just thought I would throw this out in case you are having similar issues.
March 2nd, 2011 1:47pm

Ok. Thanks to the CLM support guys, we got the problem I was having figured out. They tracked it down to a DLL version mismatch. Looks like the client had newer DLLs than the server did. So if you're having troubles in the area of CLM and remoting, check to make sure the DLLs match between client and server, specifically Microsoft.CLM.common, Microsoft.CLM.Provision, Microsoft.Clm.Shared, Microsoft.clm.BusinessLayer (not sure if the last one is needed). The actual error we were getting on the bulk client was "Object cannot be stored in an array of the type", in case it helps someone searching. The solution in the end was to apply the Update 1 hotfix to the server; this seemed to fix both the client and the server side. I am now able to query the profiles from my provisioning code where I couldn't even connect before. The hotfix rollup package can be found at: http://support.microsoft.com/kb/2028634 Make sure that you check the FIM Service after installing; I found it got switched back to manual. (I have it on delayed startup on mine because we run the SQL server on the CLM server.)
March 4th, 2011 3:02pm

Ok, turns out that I started getting the exact same problem, and it wasn't a DLL mismatch in this case. I could unblock most of the users, but there were a few cards that produced the "There is no such object on the server" error right after we selected the user (so we never got to the unblock choice). It turns out that the problem had to do with a group the user was a member of. The CLM portal was trying to enumerate all the groups that the user was a member of, and it looks like it didn't have rights to one of them. Microsoft Uber Guru David G. (no, I am not going to tell you his full name, get your own Uber Guru) was able to figure this out because the logging showed a "GetGroupBySid" failing. He also told me that you can configure CLM to ignore all non-CLM-related groups a user is a member of, by telling CLM which groups to care about. Since we are sub-delegated this seemed like a great idea, so we modified the

  <add key="Clm.RequestSecurity.Groups" value="" />

line in the web.config file to include the groups CLM uses, and everything started working as it should. I think Microsoft is writing up a doc on this. I would Google (oops sorry, meant Bing) "Clm.RequestSecurity.Groups" and see if you can't find it in a week or two.
Meow
August 10th, 2011 12:18pm
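As an added check, not from the thread and not FIM CM's own code, that approximates the failing GetGroupBySid lookup described above: it reads the user's tokenGroups and tries to bind to each group object by SID with the caller's rights, listing the groups that cannot be resolved; the DC host name and user DN are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Approximation of the per-group lookup the CLM portal performs for a user:
// resolve every group SID in the user's token to its AD object, under the rights
// of the account running this code (the CLM web pool identity, when run as it).
public static class GroupResolveCheck
{
    // Assumed placeholders; use a real DC and the DN of the user whose requests
    // fail with "There is no such object on the server".
    public const string DomainController = "dc01.fimpoc.local";
    public const string UserDn = "CN=Test User,CN=Users,DC=fimpoc,DC=local";

    // Returns the SIDs (S-1-5-... strings) of groups that could not be bound.
    public static List<string> FindUnresolvableGroups(string domainController, string userDn)
    {
        var unresolved = new List<string>();
        using (var user = new DirectoryEntry("LDAP://" + domainController + "/" + userDn))
        {
            // tokenGroups is a constructed attribute holding the SIDs of all groups,
            // nested ones included, that end up in the user's token.
            user.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] sidBytes in user.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(sidBytes, 0);
                if (!CanBindToGroup(domainController, sid))
                    unresolved.Add(sid.Value);
            }
        }
        return unresolved;
    }

    // Binds to the group object through its SID. "No such object" here is what a
    // caller lacking read rights on that group sees: the symptom from the thread.
    private static bool CanBindToGroup(string domainController, SecurityIdentifier sid)
    {
        string path = "LDAP://" + domainController + "/<SID=" + sid.Value + ">";
        try
        {
            using (var group = new DirectoryEntry(path))
            {
                group.RefreshCache(new[] { "distinguishedName" });
                return true;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            // Also hit for well-known or foreign-domain SIDs with no object on this DC,
            // so review the list rather than treating every entry as a rights problem.
            return false;
        }
    }

    public static void Main()
    {
        foreach (string sid in FindUnresolvableGroups(DomainController, UserDn))
            Console.WriteLine("cannot resolve group " + sid);
    }
}
```

Groups listed that CLM does not need are candidates to leave out of Clm.RequestSecurity.Groups; groups CLM does need want read rights for the pool account instead.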

In regards to "The remote server returned an error: (401) Unauthorized." You should add these lines to your channel properties in your web.config:

  <channels>
    <channel ref='http' useDefaultCredentials='true'>
      <clientProviders>
        <formatter ref='binary' />
      </clientProviders>
    </channel>
  </channels>

Tamir Lavi
January 29th, 2012 6:50am

Hi everybody! I have tried everything proposed in this thread, and I still get the 401 error. There's no DLL mismatch, and server and client configuration seem to be ok for remoting. I've created a console application for testing purposes, but what I didn't get is how the remote server where FIM CM is running identifies the user doing the remote requests. Do I need to submit the user's UUID for identification, or is the user determined automatically by just running the remote app under his account? The user running the console app is a user with admin rights known to AD; those rights include reading and approving requests, and it works if I access FIM CM via the web interface under the same URL I put into my local configuration file. The server's web.config is also configured properly! What I basically want to do is to check if there are any pending enrollment requests, and if there are any, approve them automatically. I need to feature a one-time password, so that if a request is approved, an email containing it is sent to an authority. This process should stay on the FIM CM server; I just want to automate the approval process with the remote app! It's no problem finding the pending requests and approving them manually by browsing to the FIM CM URL, but I am having no luck with the API so far. Since this is not very well documented, it would be nice to get some information. BTW, I also get the 401 error running the app on the server hosting FIM CM, not in the same context, so I still set FindOperations.UseRemoting = true; Thanks in advance! M
March 5th, 2012 9:15am

Well, I found out it's a 401.2 error, so there must be something wrong with the server configuration. Since I am allowed to browse to FIM CM with the very same account, I don't know why it does not work. Will keep investigating.
March 5th, 2012 9:47am

Hello, Well, I got such an error, HTTP 401.2. The cause of this error is in the authentication methods which were disabled: check which of them are enabled or disabled on the CertificateManagement application under the root Default Web Site -> CertificateManagement -> Authentication, and configure Authentication as described in http://technet.microsoft.com/en-us/library/hh230239(v=ws.10). Hope it will help you.
http://cheryatnikov.blogspot.com/
June 21st, 2012 12:40pm
