Windows Server - CLM error when attempting to issue a certificate

Asked By MikeCantalup on 14-Jun-07 04:37 PM
Has anyone seen the error below when attempting to enroll a certificate or
smartcard for a user through the CLM portal?

It looks like an issue with the CLMAgent certificate, but I've re-issued a
new cert twice for the user, without any luck.  When going through the CLM
Wizard, I checked the box to create the certificates manually because we
already have KRAs setup in our CAs.  So, I logged onto the CLM server as
clmAgent and requested its own User certificate.

Any ideas?

Object reference not set to an instance of an object.
Technical Details
Type: System.NullReferenceException
Source: Microsoft.Clm.Common
Stack Trace: at Microsoft.Clm.Common.Utility.ByteArray2HexString(Byte[]
bytes) at

To continue press the browser's BACK button. If this error persists, please
contact your system administrator.

The correlating event in the CLM Event Log is:

Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.
Stack Trace:   at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
context) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files\clm\665ee6b8\3ec3f1f8\App_Web_-fl0pv5u.7.cs:line 0
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&

Inner Exception:Message:Unable to access the encryption certificate: .
Stack Trace:   at Microsoft.Clm.BusinessLayer.DataEncryption.Encrypt(String
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.BuildXml(String[]
secrets, DateTime expiration)
at Microsoft.Clm.BusinessLayer.Create.commonRequestCreate(Guid
targetUserUuid, UserProfile profileTemplate, RequestType requestType,
RequestFlags requestFlags, TypeSpecificData requestData, String comment, Byte
at Microsoft.Clm.BusinessLayer.Create.EnrollRequest(Guid
profileTemplateUuid, Guid targetUserUuid, RequestFlags requestFlags, String
comment, Byte requestPriority)
at Microsoft.Clm.BusinessLayer.Create.CreateEnrollRequest(Guid
profileTemplateUuid, Guid targetUserUuid, String comment, Byte
at Microsoft.Clm.Web.ManagerInitiateEnroll.CreateRequest()
at Microsoft.Clm.Web.ManagerInitiateEnroll.createAndSubmit()
at Microsoft.Clm.Web.ManagerInitiateEnroll.Page_Load(Object sender,
EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Inner Exception:Message:Object reference not set to an instance of an object.
Stack Trace:   at Microsoft.Clm.Common.Utility.ByteArray2HexString(Byte[]

MikeCantalup replied on 14-Jun-07 04:53 PM
One other thing, I tried enabling trace logging but without any luck.

I followed the instructions in the Troubleshooting section of the CLM MSDN
library.  When I modified the web.config file, though, it gave me the
following error:
Couldn't find type for class
Microsoft.Diagnostics.SimpleTextWriterTraceListener, Microsoft.Configuration,
Version=, Culture=neutral, PublicKeyToken=a951996bdb7f9221,

This was the change I made to web.config.
Microsoft.Configuration, Version=, Culture=neutral,
PublicKeyToken=a951996bdb7f9221, Custom=null"
Anton Ovechkin replied on 15-Jun-07 06:41 AM

the troubleshooting guide is a bit misleading, the specified type's name is
invalid, the correct name is
Microsoft.Clm.Configuration, Version=1.0.2122.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35". Besides, you don't need to add special
listeners to enable simple file logging. Enable (set value to 4) any trace
switches that you need and make sure that the following line is not
commented out in the web.config and points to a location where Everyone has
full control permission:

Alternatively, you can run dbgview.exe on the server and it will capture all
trace output without having to write to a file.

Once you enable tracing and restart the IIS, you should get a better idea
why the GetEncryptionCertificate method is failing as it should log the hash
of the cert that it  is trying to load. Typically this error means that the
clmAgent windows user doesn't have access to the cert or its associated
private key. Easy way to confirm that is to logon to CLM server as the
clmAgent user an examine his MY cert store using mmc.

Hope this helps,
MikeCantalup replied on 15-Jun-07 11:25 AM
Thanks, Anton.  The debug works now.

CLM is able to open the certificate store, but it cannot find the
certificate.  I've tried a custom encryption certificate and the standard
User certificate.  I've even tried adding clmAgent as an Administrator, and
that didn't work.  So, it doesn't appear to be a certificate issue or a
permission issue.  Maybe a configuration error in CLM?  When I ran the
configuration wizard, I chose to manually create and issue the certificates.

I just opened a support call with Microsoft, so I'll let you know what they
say.  If anyone has any other suggestions, though, I'd appreciate it.
Anton Ovechkin replied on 15-Jun-07 12:31 PM
Did you specify the hash of the cert(s) that you created manually in the
web.config? The following lines should have actual hash values (hex-encoded
strings, no spaces). The Config Wizard will do it for you, but if you are
requesting the certs manually you need to fill them in.

To keep things simple you can use the same cert/hash for 1,2,4, but you'll
need a separate Enrollment Agent cert for 3. 1,2,4 are accessed under the
Clm.Agent user account, 3 - under the Clm.EnrollAgent.
MikeCantalup replied on 15-Jun-07 02:11 PM
That did it.  Thanks for the help.

Did I miss this in the documentation, or is it missing from the documentation?
Anton Ovechkin replied on 15-Jun-07 02:35 PM
Glad I could help. I do not think this info is in the docs currently.