Approving Requests
Getting "Unable to process your request" error pop-up in FIM Portal when attempting to Approve a request. I am seeing a ton of these in the event log and they seem to be tied to the attempt to approve the request in terms of timing:
System.Web.Services: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)
So, I know that the Exchange server that I have tied to the FIM Portal has an invalid certificate. While I have added the certificate to the Trusted People | Local Computer store, the name on the certificate is different from the host name that is in use right now. It's a known issue and will at some point be fixed.
My question is, is this invalid certificate the ultimate source of that error, and why when approving requests? And, if so, why would it kill the entire approval?
November 24th, 2010 6:34pm
The errors in the event log are definitely caused by the certificate issue. This is logged very often, in fact every time the FIM Service account tries to check its mailbox for new mails. That's why the timing might seem to be the same as your attempt...
Not sure if the approval functionality from within the portal is impacted by this.
http://setspn.blogspot.com
November 24th, 2010 7:06pm
So, I tried an invalid Exchange server name and the event log is different:
"The remote name could not be resolved"
So then I looked at the certificate and entered its exact host name into the configuration after confirming that I could go to that host URL and not get a certificate warning or be prompted for a logon:
https://autodiscover.na.msg.company.com
And now I am back to the original error in the Event log (see original post). So what gives? I don't see why it is still having communication problems if the certificate is valid, etc. now?
November 24th, 2010 7:17pm
So you are saying that in your fimservice configuration file (located in the FIM Service program files dir) the exchange server is referenced by its FQDN.
This FQDN is what is matched on the certificate in the subject?
The certificate is still valid?
The issuer (root CA) of the certificate is in the Trusted Root CA store of the Computer?
http://setspn.blogspot.com
November 24th, 2010 7:24pm
Well, the certificate was imported into "Trusted People | Local Computer" per the FIM directions. The certificate issuer is not listed in the Trusted Root CA store of the computer. The issuer is "Entrust Certification Authority - L1C".
How do I get this issuer into the trusted root CA store of the computer?
I exported the certificate in the "Trusted People | Local computer" store and imported it into the Trusted Root CA store, but I am still getting the error.
November 24th, 2010 10:12pm
The certificate is part of a chain:
The HTTPS service you are accessing is presenting a certificate. This certificate was issued by a Certificate Authority (INTERMEDIATE CA). Possibly that CA was issued by another CA (ROOT CA).
For the FIM Service to trust the certificate there's no need to install this locally.
However, when you start - run - mmc, add the certificate snap-in and choose "computer account", you should be able to import the chain of Certificate Authorities that issued the certificate. All certificates involved in issuing the HTTPS certificate should be imported. Normally commercial root CAs should be in the store already, however this is sometimes not the case.
Intermediate CA certificates should be in the Intermediate Certificate Authorities certificate store.
The Root CA should be in the Trusted Root Certificate Authorities certificate store.
There might be multiple intermediates, but there will only be one root.
Get it?
If you need any further info, just ask.
Regards,
Thomas
http://setspn.blogspot.com
November 25th, 2010 4:48pm
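The two failure causes discussed in this thread (a host name that does not match the certificate, and an issuing CA that is missing from the Intermediate or Trusted Root store) can be told apart from the FIM Service server itself. The following PowerShell script is an added example, not code from the thread, from FIM or from Microsoft. It assumes Windows PowerShell on the FIM Service box (the Cert: drive and the .NET SslStream/X509Chain classes, which are what the mail listener uses underneath), and it uses the host name quoted earlier in the thread as its default; replace it with your own Exchange name.

```powershell
# Added example (not from the thread or from FIM): connect to an HTTPS endpoint
# the way a .NET client does and report why its certificate fails validation:
# host-name mismatch, and which issuing CA certificates are missing from the
# LocalMachine Intermediate (CA) and Trusted Root (Root) stores.
param(
    [string]$HostName = 'autodiscover.na.msg.company.com',   # host from the thread; assumed
    [int]$Port = 443
)

# Shared state the validation callback writes into (hashtable, so the
# callback mutates the object rather than a copy).
$state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }

# Record the verdict .NET would normally enforce, then return $true so the
# handshake completes and the presented certificate can be inspected.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $state.Errors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Presented certificate : $($cert.Subject)"
"Issued by             : $($cert.Issuer)"
"Valid from/to         : $($cert.NotBefore) .. $($cert.NotAfter)"
"SSL policy errors     : $($state.Errors)"

$nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
if (($state.Errors -band $nameMismatch) -ne [System.Net.Security.SslPolicyErrors]::None) {
    "  -> '$HostName' does not match the certificate subject/SAN; configure the exact name it was issued for."
}

# Rebuild the chain against this machine's stores. Revocation checking is off so
# the result isolates a missing-CA problem from CRL/OCSP connectivity problems.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($cert)

$rootThumbs = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
$caThumbs   = @(Get-ChildItem Cert:\LocalMachine\CA   | ForEach-Object { $_.Thumbprint })

"Chain as built on this machine ($($chain.ChainElements.Count) element(s)):"
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $selfSigned = ($c.Subject -eq $c.Issuer)
    $expectedStore = if ($c.Thumbprint -eq $cert.Thumbprint) { 'leaf (no store needed)' }
                     elseif ($selfSigned) { 'Cert:\LocalMachine\Root' }
                     else { 'Cert:\LocalMachine\CA' }
    $present = if ($rootThumbs -contains $c.Thumbprint) { 'in Root store' }
               elseif ($caThumbs -contains $c.Thumbprint) { 'in CA store' }
               else { 'not in Root/CA store' }
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    "  $($c.Subject)"
    "      belongs in: $expectedStore; currently: $present; status: $status"
}

# A chain whose top element is not self-signed stopped early: the next issuer
# is not installed. This is the "only one entry in the Certificate Path" case.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    "Chain is incomplete: issuer '$($top.Issuer)' of '$($top.Subject)' is not installed on this machine."
    "Obtain that CA certificate from the issuing CA and import it into Cert:\LocalMachine\CA (intermediate)"
    "or Cert:\LocalMachine\Root (self-signed root). Importing the server's own certificate into"
    "Trusted People does not supply the missing issuer."
}
```

Run it on the FIM Service server, because that is whose certificate stores and DNS view matter, not the workstation where a browser shows no warning (browsers often fetch missing intermediates on their own; the .NET service does not). A host name that cannot be resolved fails at the TcpClient line with the "remote name could not be resolved" message seen earlier in the thread, before any certificate is examined.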
I understand the basics of how certificates work and have been in the Certificates snap-in mucking around. The issue is that I do not see any way to import the certificate chain into the appropriate places. I can import the certificate, but the issuer/root certificate from Entrust does not go in the Trusted Root Certificate Authority. I am wondering if this certificate isn't quite right. I look in the Certificate Path and there is only one entry:
autodiscover.na.msg.company.com
Seems like that isn't quite right, but it has been a while since I have messed with it. Seems like there ought to be a self-signed root certificate in the path and I doubt that one is it. Need to do some research on what a proper certificate should look like. If my recollection serves me correctly, it should be a little different than what I am seeing.
November 26th, 2010 10:54am