"Cannot impersonate a user" error in CLM configuration wizard

This article has been archived. It is offered "as is" and will no longer be updated.

When CLM is installed on a Windows 2008 server and you run the Configuration Wizard, it returns this error:

An error occurred: Cannot impersonate a user [clmAgent@clmdom.local] while placing request.
>An error occurred: Cannot generate the request for the user.
>CertEnroll::CX509Enrollment::p_CreateRequest: Provider type not defined. 0x80090017 (-2146893801)

You are attempting to issue a Windows 2008 certificate template to the clmAgent account. CLM requires Windows 2003 certificates.

When you duplicate the default User certificate template for the purpose of issuing it to the clmAgent account, you must select a Windows 2003 template for the duplicate certificate template.

More Information

When duplicating a certificate template in a Windows 2008 CA, you can choose either a Windows 2003 or Windows 2008 version for the minimum supported CA. For the CLM Agent accounts, you must use the Windows 2003 version.
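
To confirm which version an existing duplicate was created with, the following added example (not part of the original article) reads each template's msPKI-Template-Schema-Version attribute from Active Directory; a value of 2 is a Windows 2003 template and 3 is a Windows 2008 template. The template name CLMAgentUser is a hypothetical placeholder for the name you gave your duplicate.

```powershell
# Added example. Template names are hypothetical placeholders: list the
# cn (not the display name) of each template duplicated for CLM agent accounts.
$templateNames = @('CLMAgentUser')

# Certificate templates are stored in the forest's configuration partition.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# msPKI-Template-Schema-Version: 1 = Windows 2000, 2 = Windows 2003, 3 = Windows 2008
$versionLabel = @{ 1 = 'Windows 2000'; 2 = 'Windows 2003'; 3 = 'Windows 2008' }

foreach ($name in $templateNames) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$name))"
    [void]$searcher.PropertiesToLoad.Add('msPKI-Template-Schema-Version')

    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        Write-Warning "Template '$name' was not found in Active Directory."
        continue
    }

    # Property names in search results are returned in lower case.
    $version = [int]$hit.Properties['mspki-template-schema-version'][0]
    $label   = if ($versionLabel.ContainsKey($version)) { $versionLabel[$version] } else { 'unknown' }

    [pscustomobject]@{
        Template      = $name
        SchemaVersion = $version
        TemplateType  = $label
        UsableByCLM   = ($version -eq 2)   # the article requires the Windows 2003 version
    }
}
```

A template reported with SchemaVersion 3 has to be duplicated again with the Windows 2003 option selected, as described above.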

The clm.log file will show this exception:

IssueCertificateForUser(System.String, System.String, System.String, System.String, Boolean, Microsoft.Clm.CertificateServices.Interop.CertificateFormatFlags)" 

General Information
Additional Info:
Unable to impersonate user: clmAgent@clmdom.local

1) Exception Information
Exception Type: System.Exception
Message: An error occurred: Cannot generate the request for the user.
Data: System.Collections.ListDictionaryInternal
TargetSite: System.String Create(System.String)
HelpLink: NULL
Source: Microsoft.Clm.Config

StackTrace Information
   at Microsoft.Clm.Config.Core.CertificateRequest.Create(String templateName)
   at Microsoft.Clm.Config.Core.CertificateAuthority.IssueCertificateForUser(String caConfig, String templateName, String userName, String password, Boolean currentUserStore, CertificateFormatFlags flag)


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2012394 - Last Review: 12/12/2015 05:39:03 - Revision: 1.0

Microsoft Forefront Identity Manager 2010, Microsoft Identity Lifecycle Manager 2007
