FIM CM Troubleshooting: Object reference not set to an instance of an object
Problem Statement
You are a FIM CM Administrator working inside of Forefront Identity Manager 2010 – Certificate Management. You navigate to "Manage profile templates" on the main menu. You attempt one of the following actions on the "FIM CM Sample Smart Card Logon Profile Template":
- Manage it by clicking on it.
- Copy it, by placing a check mark and then clicking "Copy a selected profile template".
You receive the error message "Object reference not set to an instance of an object".
Please note the following information and contact your system administrator:
Object reference not set to an instance of an object.
To continue press the browser's BACK button. If this error persists, please contact your system administrator.
Troubleshooting
To troubleshoot the issue, we reviewed the FIM Certificate Management event log and enabled FIM CM tracing.
FIM Certificate Management Event Log
Log Name: FIM Certificate Management
Source: System.Web
Date: 8/29/2011 7:44:18 AM
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
Message:Exception of type 'System.Web.HttpUnhandledException' was thrown.
Type:System.Web.HttpUnhandledException
Source:System.Web
Stack Trace:
    at System.Web.UI.Page.HandleError(Exception e)
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at ASP.content_idn_profiles_profiledetails_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\certificatemanagement\a8741d44\95e9fa81\App_Web_mgtpi_xa.4.cs:line 0
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception:
Message:Object reference not set to an instance of an object.
Type:System.NullReferenceException
Source:Microsoft.Clm.BusinessLayer
Stack Trace:
    at Microsoft.Clm.BusinessLayer.Templates.LoadTemplate(String oidOrName)
    at Microsoft.Clm.Web.ProfileDetails.LoadCertificateTemplatesIntoInterface()
    at Microsoft.Clm.Web.ProfileDetails.Page_Load(Object sender, EventArgs e)
    at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
    at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
    at System.Web.UI.Control.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Certificate Manager trace log
In reviewing the trace log, we searched for the keyword "exception" and we found the following:
CLM TRACE FILE
Translating user name <DOMAIN>\<USER> from Unknown to Guid
"2011-08-11 09:30:27.32 -04" "Microsoft.Clm.BusinessLayer.UserProfiles" "System.Guid CopyProfileTemplate(Microsoft.Clm.Common.AD.UserProfile, System.String, System.String)" "<DOMAIN>\<USER>" "<DOMAIN>\FIMCMAuthAgent" 0x00000ACC 0x00000007
General Information
*********************************************
Additional Info: Error copying profile template with uuid: to Copy Of FIM CM Sample Smart Card Logon Profile Template
1) Exception Information
*********************************************
Exception Type: System.Runtime.InteropServices.COMException
ErrorCode: -2147016426
Message: Name translation: Could not find the name or insufficient right to see name. (Exception from HRESULT: 0x80072116)
Data: System.Collections.ListDictionaryInternal
TargetSite: Void Set(Int32, System.String)
HelpLink: NULL
Source: Microsoft.Clm.Interop.activeds
StackTrace Information
*********************************************
    at Microsoft.Clm.Interop.activeds.NameTranslateClass.Set(Int32 lnSetType, String bstrADsPath)
    at Microsoft.Clm.DS.NameTranslator.Translate(String name, NameType from, NameType to)
    at Microsoft.Clm.DS.NameTranslator.ConvertToGuid(String name)
    at Microsoft.Clm.BusinessLayer.Users.ConvertNameToGuid(String name)
    at Microsoft.Clm.BusinessLayer.Security.get_CurrentUserUuid()
    at Microsoft.Clm.BusinessLayer.UserProfiles.WriteProfileTemplateHistory(UserProfile profileTemplateOld, UserProfile profileTemplateToSave, ProfileTemplateHistoryActionType actionType)
    at Microsoft.Clm.BusinessLayer.UserProfiles.CopyProfileTemplate(UserProfile profileTemplateToCopy, String destProfileTemplateCommonName, String destProfileTemplateDisplayName)
Resolution
The event log shows that the failure occurs while loading the certificate template: the NullReferenceException is thrown from "Microsoft.Clm.BusinessLayer.Templates.LoadTemplate(String oidOrName)".
In the FIM CM trace, we can see that name translation is failing because of insufficient permissions.
Message: Name translation: Could not find the name or insufficient right to see name. (Exception from HRESULT: 0x80072116)
We were able to resolve the issue by reviewing the permissions on the Smart Card Logon Template. There we noticed that Authenticated Users was not listed. We added Authenticated Users and gave it Read access. After logging off and back on, we were able to work with the certificate.
- Go to the Certificate Authority
- Expand the server, and select Certificate Template
- From the Action menu, select Manage
- Locate and select the Smartcard Logon Template
- From the Action menu, select Properties
- Select the Security Tab
- Click the Add button
- Type Authenticated Users and click Check Names
- Click OK
- Ensure that Read is set to Allow
- Click OK
- On the Certificate Management Server, Log Off and back on
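Added example (not part of the original article): a read-only PowerShell check that reports whether Authenticated Users holds an Allow Read entry on the template object in Active Directory, so the fix above can be confirmed, and so you can see that Read is the only right granted. The function name, the template CN 'SmartcardLogon', and the treatment of the GUI's Read permission as GenericRead are assumptions; run it as an account that can read the configuration partition.

```powershell
# Added example: read-only check of a certificate template's ACL in Active Directory.
# Assumptions: 'SmartcardLogon' is the template object's CN (display name
# "Smartcard Logon"), and the GUI's "Read" permission appears as GenericRead.
function Get-AuthenticatedUsersTemplateAccess {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Certificate templates are stored in the forest's configuration partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.psbase.Properties['configurationNamingContext'].Value
    $dn = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        throw "Template not found, or not visible to the current account: $dn"
    }

    # Resolve ACEs to SIDs so the match does not depend on localized group names.
    $entry = [ADSI]"LDAP://$dn"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # S-1-5-11 is the well-known SID for Authenticated Users.
    $aces = @($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' })

    # An object-wide Allow ACE (empty ObjectType) that includes every GenericRead bit.
    $read = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $allowRead = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [Guid]::Empty -and
        ([int]$_.ActiveDirectoryRights -band $read) -eq $read
    })
    # Deny entries for the same principal would override the Allow.
    $deny = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })

    New-Object PSObject -Property @{
        TemplateDn   = $dn
        HasAllowRead = ($allowRead.Count -gt 0)
        DenyAceCount = $deny.Count
        Aces         = @($aces | Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited)
    }
}

Get-AuthenticatedUsersTemplateAccess -Name 'SmartcardLogon' | Format-List
```

If HasAllowRead is False or DenyAceCount is greater than zero, the name-translation failure shown in the trace is the expected result; the Aces list shows every entry held by Authenticated Users on the template.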