Enable FIM CM tracing: http://social.technet.microsoft.com/wiki/contents/articles/4020.how-to-capture-a-verbose-log-for-clm-or-fim-cm.aspx
Enable CAPI logging: turn on the Microsoft-Windows-CAPI2/Operational log in Event Viewer (Applications and Services Logs > Microsoft > Windows > CAPI2), reproduce the failure, then review the log.
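The following PowerShell is an added example, not part of the original note: it enables the CAPI2 Operational log on the FIM CM server, waits while the failure is reproduced, and then lists the Error events together with any URL CAPI was trying to fetch (the CRL or AIA location that shows up in the entries discussed below). The log name and the Error level value (2) are standard Windows values; nothing else is assumed.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on the FIM CM server.

$log = 'Microsoft-Windows-CAPI2/Operational'

# The CAPI2 log is disabled and capped at 1 MB by default; enable it and
# enlarge it to 64 MB so events are not overwritten while reproducing.
wevtutil sl $log /e:true /ms:67108864

Write-Host "CAPI2 logging enabled. Reproduce the FIM CM failure, then press Enter."
Read-Host | Out-Null

# Pull only Error-level (Level 2) events, newest first.
$errors = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } -ErrorAction SilentlyContinue

$errors | ForEach-Object {
    # The event XML carries the detail: result code, fetched URL, process identity.
    $xml = $_.ToXml()
    $url = if ($xml -match 'https?://[^\s<"]+') { $Matches[0] } else { '' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Task    = $_.TaskDisplayName
        Url     = $url
        Summary = ($_.Message -split "`n")[0]
    }
} | Format-Table -AutoSize

# When finished, turn the log back off so it does not fill the disk:
#   wevtutil sl $log /e:false
```

The Url column is what to look at for the revocation problem: a "Retrieve Object from Network" error whose URL ends in .crl is CAPI failing to download a certificate revocation list, and that is the file that has to be made available to the server.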
After looking at the CM logs we saw that CM could not locate the key needed to decrypt the EnvelopedCMS data:
"DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006
Data to be decrypted: MIIDZAYJKoZIhvcNAQcDoIIDVTCCA1ECAQAxggF4MIIBdAIBADBcMEUxEzARBgoJkiaJk/IsZAEZFgNsb2MxGzAZBgoJkiaJk/IsZAE=.
"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Microsoft.Clm.Security.Principal.RevertToSelfContext RevertIfImpersonating()" "DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006
Reverting to the process identity
"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006
Try to decrypt using EvelopedCMS.
"2014-03-19 14:37:29.09 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006
EnvelopedCMS decryption failed. Fall back to AES method.
1) Exception Information
Exception Type: System.Security.Cryptography.CryptographicException
Message: Unable to locate the decryption key.
TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte)
at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte encoded)
at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)
"2014-03-19 14:37:29.12 -06" "Microsoft.Clm.BusinessLayer.DataEncryption"
We then opened the CAPI2 log and filtered it on Error events.
Two issues appeared in this log: Access denied, and unable to check revocation.
We first confirmed that all certificates and permissions were configured correctly per http://technet.microsoft.com/en-us/library/gg430115(v=ws.10).aspx.
We then turned to the revocation error. The server had no Internet access, but CAPI was checking the validity of the signing certificates in use, and another error entry in the log named the URL it could not reach.
In other words, CAPI logging showed that it was trying to download a CRL and failing. Once the rest of the configuration (permissions and account settings) had been confirmed, we installed that CRL manually.
Resolution: on a machine with Internet access, download http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl (the URL from the CAPI log), copy it to the server, then right-click the file and choose Install CRL. Make sure it goes into the Local Machine store, since the check runs under the CM agent service account rather than the logged-on user. A CRL is only valid until its NextUpdate time, so this is a stopgap: either repeat the install before the CRL expires or, better, allow the server to reach the CRL distribution point through the proxy or firewall.
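The same resolution as a script, added here as an example rather than taken from the original note. It installs the CRL named in the CAPI log into the Local Machine store after checking that the CRL has not passed its NextUpdate, and then re-runs a chain and revocation check with certutil. $CrlUrl is the URL from the log above; $SigningCert is an assumed path to an exported copy of the code-signing certificate CM was validating, and the download step assumes the file has been fetched on a connected workstation and copied over if the server itself is offline.

```powershell
# Added example (not from the original article). Run elevated on the FIM CM server.

$CrlUrl      = 'http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl'
$CrlFile     = Join-Path $env:TEMP (Split-Path $CrlUrl -Leaf)
$SigningCert = 'C:\temp\signing.cer'   # assumption: exported certificate to verify

# Step 1: obtain the CRL. The server has no Internet access, so normally the
# file is downloaded elsewhere and copied to $CrlFile; the download is only
# attempted if the file is not already present.
if (-not (Test-Path $CrlFile)) {
    Invoke-WebRequest -Uri $CrlUrl -OutFile $CrlFile -UseBasicParsing
}

# Step 2: a CRL is only usable until its NextUpdate. certutil -dump prints
# ThisUpdate/NextUpdate; refuse to install a CRL that has already expired.
$dump = certutil -dump $CrlFile
$match = $dump | Select-String 'NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) { throw "Could not read NextUpdate from $CrlFile" }
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
if ($nextUpdate -lt (Get-Date)) {
    throw "CRL $CrlFile expired on $nextUpdate; download a current copy."
}
Write-Host "CRL valid until $nextUpdate; re-install before then or open access to $CrlUrl"

# Step 3: install into the Local Machine "CA" store (intermediate CAs and
# their CRLs). The CM decryption runs under the agent service account, so a
# CRL installed into the Current User store would not be seen.
certutil -addstore -f CA $CrlFile | Out-Null

# Step 4: build the chain and check revocation using what is now in the local
# stores. Look for "Revocation check passed"; a CRYPT_E_REVOCATION_OFFLINE
# error means the installed CRL is not being picked up.
certutil -verify $SigningCert
```

If the NextUpdate check fails, the CRL on the distribution point has been reissued and the old copy is useless; this is the reason the manual install needs to be repeated or, preferably, replaced by letting the server reach crl.microsoft.com.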