FIM CM installation problem
On my Domain Controller (Windows Server 2008 64-bit) I installed a CA. I created the users FIMCMAgent, FIMCMKRAgent, FIMCMAuthAgent, FIMCMManagerAgent, FIMCMWebAgent, FIMCMEnrollAgent... and gave them all permissions. Now on another server I am trying to install FIM CM with the above-mentioned users, and I got this error:

"Specified FIM CM Agent Certificate Template must meet all of the following requirements. 1. Private key must be exportable. 2. At least one of the configured CSPs must be installed on the local computer and SHA256, 3DES, DES, and AES algorithms must be supported."

If on "Set up server certificates" I choose "Create and configure certificates manually", installation starts fine, but later I have problems: on the Forefront Identity Manager Certificate Management home page, when I click "Enroll a user for a new set of certificates or a smart card", choose the name Britta and press Search, I get an error: "Current user does not have access to any profile templates."

If I try "Enroll a user for a new set of certificates or a smart card" from another computer with Domain Admin rights, choose Administrator and press Search, then I can select a Profile Template, but I get an error: "Please note the following information and contact your system administrator: Access is denied. Domain_name\bsimon does not have Enroll access right to the Domain_name\Administrator user. To continue press the browser's BACK button. If this error persists, please contact your system administrator."

Please can you help me resolve my problem?
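The setup error quoted above names two properties of the agent certificate template that FIM CM setup validates. The following PowerShell script is an added example, not code from the thread or from FIM CM; it reads the template object from the forest's Configuration partition and reports whether the private key is marked exportable and whether any of the template's configured CSPs is registered on the local machine. The template CN (`FIMCMAgent`) is an assumption; use the CN of the template you created, which is the value shown as "Template name" in the Certificate Templates console (not the display name). The algorithm requirement (SHA256, 3DES, DES, AES) is a capability of the chosen CSP and is not tested here beyond listing which CSPs match.

```powershell
# Added example (not from the thread): check the two requirements FIM CM setup enforces
# on the agent certificate template. Run on the FIM CM server as a user who can read
# the Configuration naming context. $TemplateCN is an assumption; use your template's CN.
param([string]$TemplateCN = "FIMCMAgent")

# Certificate templates are stored under Public Key Services in the Configuration NC.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$path     = "LDAP://CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$tmpl     = [ADSI]$path
try   { $tmpl.RefreshCache() }
catch { throw "Template '$TemplateCN' not found at $path" }

# 1. Private key must be exportable: CT_FLAG_EXPORTABLE_KEY (0x10) in msPKI-Private-Key-Flag.
$keyFlags   = [int]$tmpl.Properties["msPKI-Private-Key-Flag"].Value
$exportable = ($keyFlags -band 0x10) -ne 0
"Private key exportable : {0} (msPKI-Private-Key-Flag = 0x{1:X})" -f $exportable, $keyFlags

# 2. At least one configured CSP must be installed locally. pKIDefaultCSPs entries look
#    like "1,Microsoft Enhanced Cryptographic Provider v1.0"; installed legacy CSPs are
#    registered as subkeys of HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider.
$installed  = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider" |
              ForEach-Object { $_.PSChildName }
$configured = @($tmpl.Properties["pKIDefaultCSPs"]) |
              ForEach-Object { ($_ -split ',', 2)[1].Trim() }
$present    = @($configured | Where-Object { $installed -contains $_ })

"Configured CSPs        : $($configured -join '; ')"
"Installed on this host : $($present -join '; ')"

if (-not $exportable -or $present.Count -eq 0) {
    Write-Warning "Template '$TemplateCN' will not pass the FIM CM setup check."
}
```

If the script reports the key as not exportable, fix it on the template's Request Handling tab ("Allow private key to be exported") and let AD replicate before re-running setup; FIM CM setup reads the same attributes this script does.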
April 22nd, 2011 3:38am

On Fri, 22 Apr 2011 07:35:45 +0000, Toni666 wrote:
> If on "Set up server certificates" I choose "Create and configure certificates manually", installation starts fine but later I have problems.

Did you actually enroll the 3 CM agent certificates?

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
Transistor: A sibling, opposite of transbrother.
April 22nd, 2011 7:26am

Hi Paul, sorry for the delay, I was sick. And I have a lot of questions.

Yes, I created in DomainCA/Certificate Templates: FIM CM User Agent, FIM CM Key Recovery Agent, FIM CM Enrollment Agent. I have also created, in FIM CM Portal/Administration/Manage Profile templates, "Our Company Smart Card Profile Template" and "Our Company User Profile Template".

When I log in on the CM Portal (logged in as Domain Admin): Manager operations\Common Tasks\Enroll a user for a new set of certificates or a smart card. For a user I choose "Britta", because she is a member of the FIM CM Subscribers group. I can choose the Profile Template: Smart Card Profile Template or User Profile Template. But I get an error: "Current user [Domain\administrator] is not authorized to initiate this operation [Enroll] on Domain User Profile Template". I have checked in Active Directory Sites and Services under Profile Templates, and the Domain Admins group has all permissions.

As we will use Gemalto .NET cards, do I need to choose Gemalto .NET as the Provider name in the Domain Smart Card Profile Template? And is there any factory PIN on Gemalto smart cards? I ask because when I log in on a computer as "Britta Simon" (a member of the FIM CM Subscribers group) and Request a temporary smart card, I get an error that my PIN is not good.

The question is certainly from a beginner, but please explain to me what Middleware is. What should it be?
April 29th, 2011 5:34am

Hi Toni, to go step by step, let's solve the permission problem first:
> But I got an error: Current user [Domain\administrator] is not authorized to initiate this operation [Enroll] on Domain User Profile Template

The administrator must be a member of a group that has Initiate privileges in the FIM CM Profile Template. Check the Enroll Policy of the Domain User Profile template. The section "Workflow: Initiate Enroll Requests" should contain a group which has the Administrator as a member.

/Matthias
April 29th, 2011 6:39am

Hi Matthias, sorry for the delay.

So if I go: Manager operations\Common Tasks\Enroll a user for a new set of certificates or a smart card\ Name: Britta\ and in Select a Profile Template I choose "Our Domain Smart Card Profile Template", I get an error: "Current user [Domain\Domain Admin] is not authorized to initiate this operation [Enroll] on "Our Domain Smart Card Profile Template". Access is denied. AVACOM\bsimon does not have Enroll access right to the AVACOM\bsimon user."

I checked on http://server_name/CertificateManagement: under Edit I added a permission for Domain\Domain Admins - Grant. To Domain\FIM CM Subscribers I also added the Domain Admins group. I did the same for [Our Domain Smart Card Profile Template].

Now I have an error: "Data at the root level is invalid. Line 1, position 1."
May 5th, 2011 5:18am

http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/6d3d9a87-fe8c-46a6-8eba-d5db8b25f15d
May 5th, 2011 6:14am

Ensure that the CNG Key Isolation service is started.

/Matthias
May 5th, 2011 6:14am

Yes, the CNG Key Isolation service was stopped. It seems that my Domain Admin can now do "Enroll a user for a new set of certificates or a smart card". It generates a one-time password for the user "Britta Simon".

When I log in as "Britta Simon" I see Approved in Requests. I try to do "Complete a request with one-time passwords" and use the one-time password which I got as Administrator, but get this error: "Specified name or server name of the CA is invalid."

When I log in as "Britta Simon" and try to do "Manage my info\Request a temporary smart card", I get an error: "Not a valid Base CSP smart card". If I try to do "Manage my info\Request a permanent smart card", I get an error: "Specified name or server name of the CA is invalid."

I use Gemalto .NET cards, so I changed the smart card provider name from "Microsoft Smart Card Base CSP" to "Gemalto .NET" in "Our Domain Smart Card Profile Template", but it didn't help; I got an error: "PKCS#11 smart card self-service control error: PKCS11 Error: Failed to load PKCS11 module."
May 5th, 2011 7:45am

Regarding the error "Specified name or server name of the CA is invalid": I checked. I have done this on my Domain Controller, which is also the CA: "Configure the FIM CM Exit Module and Policy Module", "To determine the thumbprint of the FIM CM Agent" and "To configure the FIM CM Exit Module and Policy Module", from this link: http://technet.microsoft.com/en-us/library/fim_cm_test_lab_guide(WS.10).aspx

So this should not be a problem.
May 5th, 2011 9:09am

On Thu, 5 May 2011 11:42:20 +0000, Toni666 wrote:
> When I log in as "Britta Simon" I see Approved in Requests. I try to do "Complete a request with one-time passwords" and use the one-time password which I got as Administrator, but get this error: "Specified name or server name of the CA is invalid."

This means that in whatever profile template you're using, you've selected the wrong CA.

> When I log in as "Britta Simon" and try to do "Manage my info\Request a temporary smart card", I get an error: "Not a valid Base CSP smart card".

Does the profile template require a permanent smart card before you can be issued a temporary one?

> If I try to do "Manage my info\Request a permanent smart card", I get an error: "Specified name or server name of the CA is invalid."

As above, you've got the wrong CA specified in the profile template.

> I use Gemalto .NET cards, so I changed the smart card provider name from "Microsoft Smart Card Base CSP" to "Gemalto .NET" in "Our Domain Smart Card Profile Template", but it didn't help; I got an error: "PKCS#11 smart card self-service control error: PKCS11 Error: Failed to load PKCS11 module."

That's because the card you're using is in fact a Base CSP card and not a P11 card.

Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca
It is now pitch dark. If you proceed, you will likely fall into a pit.
May 7th, 2011 5:59am
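Two of the fixes in this thread can be checked from the FIM CM server before touching the portal: Matthias's point that the CNG Key Isolation service must be running, and Paul's diagnosis that "Specified name or server name of the CA is invalid" means the profile template names a CA that does not exist or cannot be reached under that name. The following PowerShell is an added example, not code from the thread or from FIM CM. The CA configuration string (`dc1.avacom.local\AVACOM-CA`) is an assumption; the real one is printed on the "Config:" line of `certutil -dump` on the CA, and it is that exact `host\CA name` pair that belongs in the profile template.

```powershell
# Added example (not from the thread): pre-flight checks on the FIM CM server.
#  1. The CNG Key Isolation service (service name KeyIso) must be running.
#  2. The CA config string used in the profile template must name a CA that answers.
# $CaConfig is an assumption; copy the real value from "certutil -dump" on the CA.
param([string]$CaConfig = "dc1.avacom.local\AVACOM-CA")

# --- 1. CNG Key Isolation service ---
# Win32_Service exposes StartMode, which Get-Service does not on PowerShell 2.0.
$wmiSvc = Get-WmiObject Win32_Service -Filter "Name='KeyIso'"
if ($wmiSvc.StartMode -eq 'Disabled') {
    # A disabled service cannot be started; Manual is the Windows default for KeyIso.
    Set-Service -Name KeyIso -StartupType Manual
}
$svc = Get-Service -Name KeyIso
if ($svc.Status -ne 'Running') {
    Start-Service -Name KeyIso
    $svc.Refresh()
}
"CNG Key Isolation (KeyIso): $($svc.Status), start mode $($wmiSvc.StartMode)"

# --- 2. Does the CA named in the profile template answer? ---
# certutil -ping contacts the CA's RPC interface using the same "host\CA name" string
# the profile template uses, so a wrong host or CA name fails here the way enrollment does.
$ping = & certutil.exe -config $CaConfig -ping 2>&1
if ($LASTEXITCODE -eq 0) {
    "CA '$CaConfig' answered: $($ping -join ' ')"
} else {
    Write-Warning "CA config '$CaConfig' did not answer:`n$($ping -join "`n")"
}

# List the enterprise CAs published in AD so a mistyped host or CA name is easy to spot.
$rootDse = [ADSI]"LDAP://RootDSE"
$enroll  = [ADSI]("LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services," +
                  $rootDse.configurationNamingContext)
foreach ($ca in $enroll.Children) {
    "Published CA config string: {0}\{1}" -f $ca.dNSHostName, $ca.cn
}
```

Run it as a user allowed to start services and read the Configuration partition. If the ping fails but the CA appears in the published list, the host or CA name in the profile template differs from what is published (often a short name versus an FQDN, or a CA common name containing spaces or hyphens typed incorrectly); if the ping succeeds, the "invalid CA" error is coming from somewhere other than the name itself, and the next place to look is the CA's FIM CM exit and policy module configuration from the test lab guide.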
