David Steadman (STEADY) Tech Blog

Disclaimer: The opinions expressed on this blog are my own and do not express the opinion of my employer, Microsoft, or any other party.

FIM CM was unable to decrypt necessary data error




Troubleshooting Steps:

Enable FIM CM tracing:
http://social.technet.microsoft.com/wiki/contents/articles/4020.how-to-capture-a-verbose-log-for-clm-or-fim-cm.aspx

Enable CAPI2 logging:
http://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx

Looking at the FIM CM trace, we saw that CM was unable to find the correct certificate to decrypt the data (the EnvelopedCMS decryption fails with "Unable to locate the decryption key" and CM falls back to the AES method):

"DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006


"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Microsoft.Clm.Security.Principal.RevertToSelfContext RevertIfImpersonating()" "DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006

Reverting to the process identity

"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006

Try to decrypt using EvelopedCMS.

"2014-03-19 14:37:29.09 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006

General Information


Additional Info:

EnvelopedCMS decryption failed. Fall back to AES method.

1) Exception Information


Exception Type: System.Security.Cryptography.CryptographicException

Message: Unable to locate the decryption key.

Data: System.Collections.ListDictionaryInternal

TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte[])

HelpLink: NULL

Source: Microsoft.Clm.Crypto

StackTrace Information


at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte[] encoded)

at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

"2014-03-19 14:37:29.12 -06" "Microsoft.Clm.BusinessLayer.DataEncryption"

We then opened the CAPI2 Operational log in Event Viewer and filtered it on Error-level events.


We saw two issues in this log: "Access denied" and "unable to check revocation".
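The two steps above (turning on the CAPI2 log, then filtering it on errors) can be done from the command line instead of Event Viewer. The following PowerShell is an added example and is not from the original post; the log name and the Level=2 (Error) filter are standard Windows Event Log values, while the URL regex and the output shape are this example's own choices. Run it elevated on the FIM CM server and reproduce the failure between steps 1 and 2.

```powershell
# Added example (not part of the original post): enable the CAPI2 Operational
# log and list its Error-level events together with any http/ldap URLs they
# reference, such as the CRL distribution point the server could not reach.

$logName = 'Microsoft-Windows-CAPI2/Operational'

# 1. The CAPI2 log is disabled by default; turn it on and confirm.
wevtutil sl $logName /e:true
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) { throw "Failed to enable $logName" }

# --- reproduce the FIM CM failure here, then continue ---

# 2. Pull only Error-level events (Level 2) from the log.
$errors = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2 } `
                       -ErrorAction SilentlyContinue

foreach ($evt in $errors) {
    # CAPI2 puts the object it tried to fetch (CRL/AIA URL) in the event data,
    # so scan the raw event XML for URLs rather than relying on the message text.
    $xml  = [xml]$evt.ToXml()
    $urls = [regex]::Matches($xml.OuterXml, 'https?://[^\s"<]+|ldap:///[^\s"<]+') |
            ForEach-Object { $_.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Time    = $evt.TimeCreated
        EventId = $evt.Id
        Task    = $evt.TaskDisplayName
        # first line of the message only, to keep the table readable
        Message = ($evt.Message -split "`n")[0]
        Urls    = ($urls -join ' ')
    }
} | Format-Table -AutoSize -Wrap
```

Two things to read off the output: an "Access denied" entry points at store or private-key permissions on the CM agent accounts, which is what the TechNet permissions article checks; a revocation entry with a URL in the Urls column points at a CRL or AIA location the server cannot reach.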



After confirming that all certificates and permissions were correct per http://technet.microsoft.com/en-us/library/gg430115(v=ws.10).aspx, we turned to the revocation error. The machine had no internet access but was checking the validity of the signing certificates in use; another error entry in the log showed the path it could not reach.


CAPI2 logging told us it was trying to retrieve a CRL that it could not reach. After making sure all other configuration (permissions and account settings) was in order, we manually installed the CRL it was trying to download.

Resolution: Download http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl (the URL indicated in the CAPI2 log), copy it to the server, right-click it and choose Install.
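The same resolution as a scripted procedure, with a check of the CRL before it is trusted and a verification step afterwards. This is an added example, not from the original post: the CRL URL is the one the post gives, certutil and its switches are the standard Windows tools, and the file paths (including the signing-certificate path at the end) are placeholders to replace with your own.

```powershell
# Added example (not part of the original post): fetch the CRL named in the
# CAPI2 log from a machine that has internet access, inspect it, install it on
# the FIM CM server, and confirm that revocation checking now succeeds.

$crlUrl  = 'http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl'
$crlFile = Join-Path $env:TEMP 'MicCodSigPCA_08-31-2010.crl'   # assumed local path

# 1. Download on a connected workstation (the CM server itself had no internet access).
Invoke-WebRequest -Uri $crlUrl -OutFile $crlFile -UseBasicParsing

# 2. Inspect before trusting it: issuer, ThisUpdate/NextUpdate, CRL number.
#    Do not install a CRL whose NextUpdate is already in the past; it will be
#    treated as stale and revocation checking will still fail.
certutil -dump $crlFile

# 3. Copy $crlFile to the CM server, then (elevated) install it into the
#    machine's Intermediate Certification Authorities store. This is the
#    command-line equivalent of right-click > Install CRL.
certutil -addstore CA $crlFile

# 4. Drop the cached "revocation offline" result so the next check uses the
#    new CRL, then verify the FIM CM signing certificate chain with URL fetching.
#    The .cer path is a placeholder; export the signing certificate from the
#    server's store first.
certutil -urlcache crl delete
certutil -verify -urlfetch 'C:\path\to\fim-cm-signing-cert.cer'
```

A CRL installed by hand is only good until its NextUpdate. Once it expires, CAPI2 again has no usable revocation data and the same failure returns, so either repeat this on a schedule or, preferably, give the server a route to the CDP (or publish the CRL on an internal web or LDAP location the server can reach).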
