FIM CM - Enrollment Request Initiation
Attempting to enroll a user for a new permanent smart card as per the 'Introduction to Forefront Identity Manager Certificate Manager (FIM CM) Smart Cards' walkthrough on TechNet. The FIM CM Portal returns an error stating that 'Data at the root level
is invalid. Line 1, position 1.' I'm using Gemalto reader/writer and card.
Edit: The Key Isolation Service is started, as per
this post.
September 7th, 2010 6:48pm
Per the same post, you should also verify that the CM agent account certs were not created with the Win2008 cert templates.
FIM-CM installation doesn't prevent this, so you can then hit this error.
CraigMartin Edgile, Inc. http://identitytrench.com
September 7th, 2010 8:25pm
Craig, thanks. I am running through this walkthrough in a Windows Server 2008 environment, and yes the CM agent account certificates were created with Windows Server 2008 ADCS certificate templates. There's no mention of having to use Windows Server 2003
certificate templates in the walkthrough, I would struggle with this as our PKI is deployed on Windows Server 2008 CAs. Has anybody else encountered this issue when using FIM CM to manage SC certificates?
September 7th, 2010 8:45pm
You might have the wrong doc, try
this one.
It includes this warning:
FIM CM does not support Cryptography Next Generation (CNG), which is turned on when
Windows Server 2008, Enterprise Edition certificate templates are used. You must therefore select
Windows 2003 Server, Enterprise Edition for the templates that you are creating in this procedure to work properly with FIM CM.
CraigMartin Edgile, Inc. http://identitytrench.com
September 7th, 2010 8:56pm
To add to Craig's response and to your concerns, there is no need to struggle. You can publish any of the Windows Server 2000 (v1), 2003 (v2) or 2008 (v3) certificate templates within your Windows Server 2008 CA environment. The version of the certificate templates is not specific to the version of Windows Server you're running your PKI on; rather, it reflects the version of the certificate template and the features and capabilities provided in that version, i.e. new CNG algorithms with the Windows Server 2008 certificate templates.
Marc Mac Donell, ILM MVP, VP Identity and Access Solutions, Avaleris Inc.
September 7th, 2010 10:24pm
The Key Recovery Agent uses a Windows Server 2003, Enterprise Edition certificate template & the Enrollment Agent uses a Windows 2000 certificate template. The problem is with the FIM CM Agent as it is currently using a Windows Server 2008 certificate
template. I have a 'failed request' on the issuing CA for clmAgent.
Is there any guidance on the creation of the FIM CM Agent certificate template? Perhaps somebody could point me at a document? Thanks..
September 10th, 2010 8:44pm
Monsieur Komar has produced such a document, you can find it
here.
CraigMartin Edgile, Inc. http://identitytrench.com
September 10th, 2010 9:45pm
Attempting to 'determine the thumbprint of the FIM CM Agent'..
When I open ADUC, the clmAgent account does not have any X.509 certificates.
How do these get onto the user account in AD DS?
Cheers,
MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
November 9th, 2010 2:12pm
On Tue, 9 Nov 2010 18:58:14 +0000, MMS_guru wrote:
> Attempting to 'determine the thumbprint of the FIM CM Agent'..
> When I open ADUC, the clmAgent account does not have any X.509 certificates.
> How do these get onto the user account in AD DS?
They don't, nor do they need to be published to the directory. You can get
the thumbprint from the Issued Certificates node in the Certification
Authority console.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 9th, 2010 2:57pm
Paul, thanks. I can find the thumbprint entry, have copied it but cannot paste it into the Signing Certificates in the CA's Policy Module.
Also, I am unable to add the CA (domain\CA Name) to the SQL Server logins.
Many thanks for your help with this.
Cheers,
MMS_guru
Identity & Metadirectory, Hewlett-Packard UK
November 10th, 2010 6:51am
On Wed, 10 Nov 2010 11:41:22 +0000, MMS_guru wrote:
> Paul, thanks. I can find the thumbprint entry, have copied it but cannot paste it into the Signing Certificates in the CA's Policy Module.
There is a leading space in the thumbprint value that you need to make sure
you haven't copied. If you've copied it, the OK button on that dialog box
will not be activated after pasting. Also, if you've pasted it into the
web.config file, you're going to have problems. I'd suggest that you start
over again and make sure that you don't get the leading space when you do
the initial copy.
> Also, I am unable to add the CA (domain\CA Name) to the SQL Server logins.
Without more detail here I don't know what you mean. You cannot browse for
the account name here, you need to manually type it, and you need to end
the account name with a $ sign.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 10th, 2010 7:01am
The leading space fixed this, thanks Paul.
I attempt to add FABRIKAM\FAB-CA$ manually to the SQL logins, when I click OK, I get
Windows NT user or group 'FABRIKAM\FAB-CA$' not found.
Any thoughts? Cheers..
Identity & Metadirectory, Hewlett-Packard UK
November 10th, 2010 8:56am
On Wed, 10 Nov 2010 13:43:32 +0000, MMS_guru wrote:
> I attempt to add FABRIKAM\FAB-CA$ manually to the SQL logins, when I click OK, I get: Windows NT user or group 'FABRIKAM\FAB-CA$' not found.
> Any thoughts? Cheers..
If you open the SQL Management Studio and look at the properties of the
top-most node in the left pane of the tool, what is listed under Server
Collation?
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 10th, 2010 9:19am
Latin1_General_CI_AS
Identity & Metadirectory, Hewlett-Packard UK
November 10th, 2010 9:23am
On Wed, 10 Nov 2010 14:11:07 +0000, MMS_guru wrote:
> Latin1_General_CI_AS
Ok, the only suggestion I have is that you try playing around with the case
when entering the account name. Try browsing for the CA account, and then
add a $ sign to the end of the resulting account name and see if that gets
you any further along.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
November 10th, 2010 9:31am
Got it, it wants the hostname of the server hosting the CA, not the actual name of the CA itself.
Thanks very much for your help Paul, greatly appreciated.
Identity & Metadirectory, Hewlett-Packard UK
November 10th, 2010 9:42am
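As an added example (not from the thread, and not FIM CM's own code), a small PowerShell helper for the two pitfalls worked out above: the leading space that comes along when the thumbprint is copied from the CA console, and the SQL login that must be the CA host's computer account (DOMAIN\HOST$) rather than the CA's display name. Function names, the CA config string and the thumbprint are my own constructed values.

```powershell
# Added example, not part of the original thread. Helper names and sample
# values are constructed for illustration.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$RawThumbprint)
    # Copying from the Issued Certificates node can carry a leading space
    # (and occasionally other non-printing characters) into the clipboard.
    # Keep only hex digits, normalise case, and insist on a SHA-1 length.
    $clean = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-hex-digit thumbprint, got $($clean.Length) hex digits from '$RawThumbprint'"
    }
    return $clean
}

function Get-CaHostSqlLogin {
    param(
        # CA config string in the usual 'host\CA name' form (constructed sample below)
        [Parameter(Mandatory)][string]$CaConfig,
        [Parameter(Mandatory)][string]$NetbiosDomain
    )
    # The login SQL Server expects is the computer account of the server that
    # hosts the CA, i.e. DOMAIN\HOSTNAME$, not DOMAIN\<CA display name>$.
    $hostPart  = ($CaConfig -split '\\', 2)[0]
    $shortHost = ($hostPart -split '\.', 2)[0].ToUpperInvariant()
    return "$($NetbiosDomain.ToUpperInvariant())\$shortHost`$"
}

# Constructed sample values: note the leading space in the copied thumbprint,
# and that the CA host (FAB-CA-SRV01) differs from the CA name (FAB-CA).
$copiedThumbprint = ' 1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D'
$caConfig         = 'fab-ca-srv01.fabrikam.com\FAB-CA'

$thumbprint = ConvertTo-CleanThumbprint -RawThumbprint $copiedThumbprint
$sqlLogin   = Get-CaHostSqlLogin -CaConfig $caConfig -NetbiosDomain 'FABRIKAM'

"Thumbprint to paste into the Policy Module: $thumbprint"
"SQL login to create for the CA host:        $sqlLogin"
```

The login string can be checked against the directory before you type it into SQL Server Management Studio with `Get-ADComputer` (from the ActiveDirectory module) on the host name portion.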