Troubleshooting FIMCM: No mapping between account names and security IDs was done
Overview
I recently worked a support case concerning Microsoft Forefront Identity Manager - Certificate Management (FIM CM). The resolution was straightforward, and I wanted to share it.
Problem Statement
Attempting to recover a smart card generates the following error message: "User lookup failed. No mapping between account names and security IDs was done."
While troubleshooting the issue, we obtained a FIM CM Verbose Trace Log (see How to capture a FIM CM Verbose Trace Log). In the log, we could see the error being generated during the lookup of the user's security group. That led us to the Clm.RequestSecurity.Groups setting in the web.config file.
Error message
User lookup failed. No mapping between account names and security IDs was done.
FIM CM Verbose trace log
"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\username>" "<DOMAIN NAME>\FIM CM AUTH AGENT>" 0x00000224 0x00000012
Looking up account: <domain name>\security group name>, machine:
"2012-07-09 16:39:07.21 -05" "Microsoft.Clm.Security.Authorization.Sid" "Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)" "<DOMAIN NAME>\username>" "<DOMAIN NAME>\FIM CM AUTH AGENT>" 0x00000224 0x00000012
1) Exception Information
*********************************************
Exception Type: System.ApplicationException
Message: User lookup failed.
Data: System.Collections.ListDictionaryInternal
TargetSite: Microsoft.Clm.Security.Authorization.Sid LookupAccount(System.String, System.String)
HelpLink: NULL
Source: Microsoft.Clm.Security.Authorization
StackTrace Information
*********************************************
at Microsoft.Clm.Security.Authorization.Sid.LookupAccount(String machineName, String account)
2) Exception Information
*********************************************
Exception Type: System.ComponentModel.Win32Exception
NativeErrorCode: 1332
ErrorCode: -2147467259
Message: No mapping between account names and security IDs was done
Data: System.Collections.ListDictionaryInternal
TargetSite: NULL
HelpLink: NULL
Source: NULL
Cause
In this case, the problem was that one or more of the groups listed in the Clm.RequestSecurity.Groups setting of the FIM Certificate Management web.config file were invalid, so the lookup could not map them to a security ID.
Resolution
Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\Web
Back up the web.config file by making a copy of it
Once the file is backed up, edit the web.config file
Search for "Clm.RequestSecurity.Groups"
Example
<add key="Clm.RequestSecurity.Flags" value="UseGroups" />
<add key="Clm.RequestSecurity.Groups" value="<DOMAIN NAME>\domain users,<DOMAIN NAME>\fimcm users,<DOMAIN NAME>\MyNewCMUsers" />
<add key="Clm.RequestSecurity.ManagerCanApprove" value="true" />
Ensure that every group listed here exists in Active Directory and is spelled exactly as it appears there (domain prefix included)
Once confirmed, save the web.config file
Execute an IISRESET
Test the process again
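As an added example (not part of the original article or of the FIM CM product), the following PowerShell script performs the same check the Resolution steps describe: it reads the Clm.RequestSecurity.Groups value from web.config and tries to translate each group name to a SID. A name that cannot be mapped raises IdentityNotMappedException, which is the managed equivalent of the Win32 error 1332 ("No mapping between account names and security IDs was done") seen in the trace. The script assumes the web.config path from the Resolution steps, that the setting lives in the appSettings section of that file, and that the file contains real group names rather than the <DOMAIN NAME> placeholders shown in the example above. Run it on the FIM CM server itself, because the trace shows the lookup with an empty machine name, i.e. from the CM server.

```powershell
# Added example: validate the groups listed in Clm.RequestSecurity.Groups.
# Assumption: default FIM CM 2010 install path from the Resolution steps.
$webConfig = Join-Path $env:ProgramFiles `
    'Microsoft Forefront Identity Manager\2010\Certificate Management\Web\web.config'

# Assumption: the Clm.* keys are <add key="..." value="..."/> entries under <appSettings>.
[xml]$config = Get-Content -Path $webConfig -Raw
$node = $config.configuration.appSettings.add |
    Where-Object { $_.key -eq 'Clm.RequestSecurity.Groups' }
if (-not $node) { throw "Clm.RequestSecurity.Groups was not found in $webConfig" }

# The value is a comma-separated list of DOMAIN\group names.
$groups = $node.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$invalid = @()
foreach ($group in $groups) {
    try {
        # Same account-to-SID lookup that FIM CM performs (LookupAccount in the trace).
        $sid = ([System.Security.Principal.NTAccount]$group).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        Write-Output ("OK       {0} -> {1}" -f $group, $sid.Value)
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # This is the condition behind "No mapping between account names and security IDs was done".
        Write-Output ("INVALID  {0}  (no SID mapping; check spelling and existence in AD)" -f $group)
        $invalid += $group
    }
}

if ($invalid.Count -gt 0) {
    Write-Warning ("Fix these entries in web.config, then run IISRESET: {0}" -f ($invalid -join ', '))
} else {
    Write-Output 'All groups in Clm.RequestSecurity.Groups resolved to a SID.'
}
```

Run the script before and after editing web.config; once every entry reports OK, the IISRESET and retest from the Resolution steps should succeed. If a group resolves here but the error persists, the account running the lookup in the trace (the FIM CM auth agent) may lack the rights to read the group, which is a different problem from the one described on this page.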