TROUBLESHOOTING: "EnvelopedCMS decryption failed. Fall back to AES Method"
Recently I worked an issue where we were receiving an exception in the Certificate Management event log when the FIM CM Agent account keys are stored in an HSM (Hardware Security Module). The event log provided enough information on the issue, so I did not need to reproduce it. It was the general information in the event log that led me to the solution.
The general message was “EnvelopedCMS decryption failed. Fall back to AES method”. In this case, there was a LunaSA HSM involved.
APPLICATION EVENT LOG
Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 10/25/2012 8:21:53 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer:
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 10/25/2012 8:21:53 PM
Event time (UTC): 10/25/2012 4:21:53 PM
Event ID: 64646420362f4605818948a23b5fc91f
Event sequence: 136
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/CertificateManagement-1-129956552833822128
Trust level: Full
Application Virtual Path: /CertificateManagement
Application Path: C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\
Machine name: FIM

Process information:
Process ID: 3484
Process name: w3wp.exe
Account name: DOMAIN\clmWebPool

Exception information:
Exception type: CryptographicException
Exception message: FIM CM was unable to decrypt necessary data.

Request information:
Request path: /CertificateManagement/content/common/requests/DisplayRequestStatus.aspx
User host address: ::1
User: DOMAIN\root
Is authenticated: True
Authentication Type: Negotiate
Thread account name: DOMAIN\clmWebPool

Thread information:
Thread ID: 14
Thread account name: DOMAIN\clmWebPool
Is impersonating: False
Stack trace:
at Microsoft.Clm.BusinessLayer.DataEncryption.DecryptUsingAES(String encryptedDataBlob)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.BusinessLayer.CheckClmOperations.CanCurrentUserDistributeSecretsOnClmRequest(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.Web.Modules.OneTimePasswordUserControl.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
FIM CERTIFICATE MANAGEMENT EVENT LOG
Log Name: FIM Certificate Management
Source: System.Web
Date: 10/25/2012 8:21:53 PM
Event ID: 0
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.
Type: System.Web.HttpUnhandledException
Source: System.Web
Stack Trace:
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.content_common_requests_displayrequeststatus_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception:
Message: FIM CM was unable to decrypt necessary data.
Type: System.Security.Cryptography.CryptographicException
Source: Microsoft.Clm.BusinessLayer
Stack Trace:
at Microsoft.Clm.BusinessLayer.DataEncryption.DecryptUsingAES(String encryptedDataBlob)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.ReadXml(String xml)
at Microsoft.Clm.BusinessLayer.DefaultSecretProvider.GetSecrets(Request request)
at Microsoft.Clm.BusinessLayer.SecretsUtility.GetNumberOfSecrets(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.BusinessLayer.CheckClmOperations.CanCurrentUserDistributeSecretsOnClmRequest(UserProfile profileTemplate, Request clmRequest)
at Microsoft.Clm.Web.Modules.OneTimePasswordUserControl.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
CERTIFICATE MANAGEMENT TRACE LOG
General Information
*********************************************
Additional Info:
EnvelopedCMS decryption failed. Fall back to AES method.

1) Exception Information
*********************************************
Exception Type: System.Security.Cryptography.CryptographicException
Message: An internal error occurred.
Data: System.Collections.ListDictionaryInternal
TargetSite: Void DecryptContent(System.Security.Cryptography.Pkcs.RecipientInfoCollection, System.Security.Cryptography.X509Certificates.X509Certificate2Collection)
HelpLink: NULL
Source: System.Security

StackTrace Information
*********************************************
at System.Security.Cryptography.Pkcs.EnvelopedCms.DecryptContent(RecipientInfoCollection recipientInfos, X509Certificate2Collection extraStore)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

"2011-09-23 14:26:47.07 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" "DOMAIN\FIMCMAgent" 0x000008CC 0x00000007 Getting certificate:
"2011-09-23 14:26:47.08 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007 Opened MY Certificate store for READ access.
"2011-09-23 14:26:47.08 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificateFromHash(Byte[])" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007 Found 1 matching certificates.
"2011-09-23 14:26:47.09 -04" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String DecryptUsingAES(System.String, System.Security.Cryptography.X509Certificates.X509Certificate2)" " DOMAIN \myuser" " DOMAIN \FIMCMAgent" 0x000008CC 0x00000007
RESOLUTION
1. Navigate to %programfiles%\Microsoft Forefront Identity Manager\2010\Certificate Management\web
2. Make a backup copy of the web.config file, and give the copy a name such as web.config.backup so that you know it was backed up today.
3. Open the web.config file in an XML editor (Notepad, Visual Studio, or some other XML editor).
4. Search for Clm.Encryption.Algorithm in the web.config file.
   a. You should come to a line that looks like: <add key="Clm.Encryption.Algorithm" value="Aes" />
5. Change the value to TripleDes.
   a. It should now look like: <add key="Clm.Encryption.Algorithm" value="TripleDes" />
6. Save the web.config.
7. Open an administrative command prompt.
8. Type IISRESET.
9. Execute your test.
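The resolution steps above, scripted as an added PowerShell example (this is not from the original post or from the FIM CM product). It assumes the default install path under %programfiles%, that web.config stores the setting as an appSettings add element with key Clm.Encryption.Algorithm, and an elevated session so that IISRESET succeeds.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the web.config change from the RESOLUTION section.
# Assumption: default FIM CM install path (adjust $webRoot otherwise).
$webRoot   = Join-Path $env:ProgramFiles 'Microsoft Forefront Identity Manager\2010\Certificate Management\web'
$webConfig = Join-Path $webRoot 'web.config'
if (-not (Test-Path $webConfig)) { throw "web.config not found at $webConfig" }

# Step 2: dated backup so it is obvious when the copy was taken.
$backup = "$webConfig.backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $webConfig -Destination $backup -ErrorAction Stop
Write-Host "Backed up web.config to $backup"

# Steps 3-5: edit as XML rather than with a string replace, so only the
# element matched by its key changes and the rest of the file is untouched.
[xml]$xml = Get-Content -Path $webConfig -Raw
$setting = $xml.SelectSingleNode("//appSettings/add[@key='Clm.Encryption.Algorithm']")
if ($null -eq $setting) { throw 'Clm.Encryption.Algorithm key not found in web.config' }

$current = $setting.GetAttribute('value')
Write-Host "Current Clm.Encryption.Algorithm value: $current"
if ($current -eq 'TripleDes') {
    Write-Host 'Already set to TripleDes; nothing to change.'
} else {
    $setting.SetAttribute('value', 'TripleDes')
    $xml.Save($webConfig)                       # Step 6: save web.config
    Write-Host 'Clm.Encryption.Algorithm changed to TripleDes'
}

# Steps 7-8: restart IIS so the Certificate Management web app reloads web.config.
iisreset

# Step 9: verify the saved file before testing the portal page that failed.
[xml]$check = Get-Content -Path $webConfig -Raw
$verified = $check.SelectSingleNode("//appSettings/add[@key='Clm.Encryption.Algorithm']").GetAttribute('value')
if ($verified -ne 'TripleDes') { throw "Verification failed: value is '$verified'" }
Write-Host 'web.config verified; now re-run the request that raised the exception.'
```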