"Cannot impersonate a user" error in CLM configuration wizard

Article ID: 2012394

Symptoms

When CLM is installed on a Windows 2008 server and you run the Configuration Wizard, it returns this error:

An error occurred: Cannot impersonate a user [clmAgent@clmdom.local] while placing request.
>An error occurred: Cannot generate the request for the user.
>CertEnroll::CX509Enrollment::p_CreateRequest: Provider type not defined. 0x80090017 (-2146893801)

Cause

You are attempting to issue a Windows 2008 certificate template to the clmAgent account. CLM requires Windows 2003 certificates.

Resolution

When you duplicate the default User certificate template for the purpose of issuing it to the clmAgent account, you must select a Windows 2003 template for the duplicate certificate template.

More Information

When duplicating a certificate template in a Windows 2008 CA, you can choose either a Windows 2003 or Windows 2008 version for the minimum supported CA. For the CLM Agent accounts, you must use the Windows 2003 version.
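One way to check which version a duplicated template was created as is to read its schema version from Active Directory. This is an added example, not part of the original article. The template name is a hypothetical placeholder, and the script assumes the usual mapping of the msPKI-Template-Schema-Version attribute (2 = Windows Server 2003 template, 3 = Windows Server 2008 template).

```powershell
# Added example: report the schema version of a certificate template in AD.
# Assumption: msPKI-Template-Schema-Version 2 = Windows Server 2003 template,
#             3 = Windows Server 2008 template.
param(
    # Hypothetical name (cn) of the duplicated template; replace with your own.
    [string]$TemplateName = 'ClmAgentUserCopy'
)

function Get-TemplateSchemaVersion {
    param([string]$Name)

    # Certificate templates live in the forest-wide configuration partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter      = "(&(objectClass=pKICertificateTemplate)(cn=$Name))"
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('mspki-template-schema-version')

    foreach ($result in $searcher.FindAll()) {
        $values = $result.Properties['mspki-template-schema-version']
        # Treat a missing attribute as version 1 (assumption for legacy templates).
        $version = if ($values.Count -gt 0) { [int]$values[0] } else { 1 }

        New-Object PSObject -Property @{
            Template      = [string]$result.Properties['cn'][0]
            SchemaVersion = $version
            # Per the article, CLM agent accounts need the Windows 2003 version.
            UsableForClm  = ($version -le 2)
        }
    }
}

$found = @(Get-TemplateSchemaVersion -Name $TemplateName)
if ($found.Count -eq 0) {
    Write-Warning "Template '$TemplateName' was not found in Active Directory."
} else {
    $found | Format-Table Template, SchemaVersion, UsableForClm -AutoSize
}
```

A template that reports SchemaVersion 3 was duplicated as a Windows 2008 template and must be re-created from the default User template with the Windows 2003 version selected.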

The clm.log file will show this exception:

IssueCertificateForUser(System.String, System.String, System.String, System.String, Boolean, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags)" 

General Information
*********************************************
Additional Info:
Unable to impersonate user: clmAgent@clmdom.local

1) Exception Information
*********************************************
Exception Type: System.Exception
Message: An error occurred: Cannot generate the request for the user.
Data: System.Collections.ListDictionaryInternal
TargetSite: System.String Create(System.String)
HelpLink: NULL
Source: Microsoft.Clm.Config

StackTrace Information
*********************************************
   at Microsoft.Clm.Config.Core.CertificateRequest.Create(String templateName)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, Boolean currentUserStore, CertificateFormatFlags flag)

 

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2012394 - Last Review: January 5, 2010 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Identity Manager 2010
  • Microsoft Identity Lifecycle Manager 2007
Keywords: KB2012394
