FIM CM unable to see an Enterprise Certification Authority
Hello,
When I installed the FIM CM server, I could select the Enterprise CA that I want to use with FIM from the list in the configuration wizard.
Now, if I try to edit the certificate template associated with a FIM CM profile template (for example the "FIM CM Sample Smart Card Logon Profile Template"), I can't see my CA in the "Certification Authority" list. I can see all my certificate templates in the list below that, but I can't select any of them (since I can't select the CA to use).
FYI:
* I have FIM CM installed on a server separate from the CA
* I have re-checked all the permissions required for the FIM CM service accounts.
* I have two Enterprise CAs, but as I configured FIM CM, I want to use it with only one of them
Can anyone help me with this, please?
Thanks in advance.
Cheers,
May 7th, 2010 1:00pm
Have you specified the connection string in the Exit Module in the CA?
May 7th, 2010 1:12pm
Thanks for your reply,
Yes, I have "Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=FIMCM_DB_NAME;Data Source=sql_server.mydomain.com\SQLInstance"
Where:
* FIMCM_DB_NAME: is the name of the FIM CM database
* sql_server.mydomain.com: is the DNS name of my SQL server
* SQLInstance: is the name of the SQL instance
Is this OK?
May 7th, 2010 2:32pm
But isn't the exit module used only for certificate requests? My problem occurs before that: it's at the profile template / certificate template configuration.
Thanks
May 7th, 2010 2:41pm
Can you use clmUtil to make sure the CA is registered in CLM?
May 7th, 2010 4:45pm
Can you tell me how to do that, please?
May 7th, 2010 4:54pm
I agree with Anthony, your CA is probably not registered with FIM CM.
Configure the DB connection in clmutil.exe.config by copying the database string from web.config and then run clmutil -listca, or you can look in the certificateauthority table.
If no CA is registered, then check if you have a security login in your DB with your domain\ca$ with proper rights.
mihail
May 7th, 2010 7:59pm
Thanks Mihail and Anthony,
I checked both using clmutil and the certificateauthority table: my CA is not listed in the DB.
Indeed, the security login with my domain\ca$ (ca being my CA's hostname) was missing. I created it, assigned rights to the FIM database, and restarted the FIM server, but I still can't see my CA.
Do you have any idea how to proceed?
Thanks a lot!
May 10th, 2010 5:28pm
You need to restart the CA.
It's registered at the start of the CA.
May 10th, 2010 5:51pm
Yes, that was it!
Thanks a lot, everyone!
May 10th, 2010 6:12pm
The FIM CM log has no errors, just Information messages.
Can you elaborate on "register SPNs", or give me a URL to docs describing it? I have followed the TechNet CM setup procedure on the FIM infrastructure that was set up by someone else.
The CA computer login is created on the SQL server and assigned the correct security role. I have even tried to make it a member of the 'DBO' role to make sure that permissions are not an issue.
/****** Object: Login [EXTPOC\vacswdepoc07$] Script Date: 07/02/2011 09:31:42 ******/
CREATE LOGIN [EXTPOC\vacswdepoc07$] FROM WINDOWS WITH DEFAULT_DATABASE=[FIMCertificateManagement], DEFAULT_LANGUAGE=[us_english]
GO
CREATE USER [extpoc\vacswdepoc07$] FOR LOGIN [EXTPOC\vacswdepoc07$] WITH DEFAULT_SCHEMA=[dbo]
GO
July 2nd, 2011 12:52pm
I have the same problem. I followed all the steps described in this post and the CA still does not register. Please help! Are there any logs that contain anything useful? So far I have looked at all of the events and nothing there gave me any clues.
Thanks
July 2nd, 2011 7:40pm
Look at the FIM CM log (under application logs).
The typical reason is a failure to register SPNs or to create a login for the CA computer account and assign the necessary security roles to the FIM CM database.
Brian
July 2nd, 2011 11:54pm
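The SQL-side checks discussed in this thread (a login for the CA computer account, its mapping into the FIM CM database, and whether any CA has been registered) can be run as one diagnostic batch. This is an added example, not posted by any participant and not part of FIM CM; `FIMCM_DB_NAME` and `MYDOMAIN\CAHOST$` are placeholders, and the table name is taken from the thread, with its schema and columns unknown.

```sql
-- Added diagnostic example (T-SQL, read-only). Replace both placeholders.
USE [FIMCM_DB_NAME];            -- placeholder: the FIM CM database name
GO

DECLARE @ca_login sysname = N'MYDOMAIN\CAHOST$';  -- placeholder: CA computer account

-- 1. Server-level login for the CA computer account.
--    No row: the login is missing. is_disabled = 1: it cannot connect.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.default_database_name
FROM sys.server_principals AS sp
WHERE sp.name = @ca_login;

-- 2. Database user mapped to that login (matched by SID) and its roles.
--    No row: the login has no user in this database.
--    role_name NULL: the user exists but holds no database role.
SELECT dp.name                AS database_user,
       dp.default_schema_name AS default_schema,
       r.name                 AS role_name
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp
     ON dp.sid = sp.sid
LEFT JOIN sys.database_role_members AS rm
     ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
     ON r.principal_id = rm.role_principal_id
WHERE sp.name = @ca_login;

-- 3. Row count of the certificateauthority table named in the thread.
--    Looked up by name so no schema or column names are assumed.
--    row_count = 0: no CA has registered itself yet.
SELECT s.name AS schema_name, t.name AS table_name, SUM(p.rows) AS row_count
FROM sys.tables AS t
JOIN sys.schemas AS s    ON s.schema_id = t.schema_id
JOIN sys.partitions AS p ON p.object_id = t.object_id
                        AND p.index_id IN (0, 1)   -- heap or clustered index only
WHERE LOWER(t.name) = N'certificateauthority'
GROUP BY s.name, t.name;
```

If checks 1 and 2 return the expected rows but check 3 still shows zero, the thread's resolution applies: the CA registers itself when the CA service starts.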