FIM CM was unable to decrypt necessary data error



Troubleshooting Steps:

Enable FIM CM Tracing:

Enable CAPI Logging:


After looking at the CM logs, we saw that CM was unable to find the correct certificate.

"DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006


"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.Security.Principal.RevertToSelfContext" "Microsoft.Clm.Security.Principal.RevertToSelfContext RevertIfImpersonating()" "DOMAIN\USERA" "DOMAIN\USERA" 0x00000F60 0x00000006

Reverting to the process identity

"2014-03-19 14:37:27.14 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006

Try to decrypt using EvelopedCMS.

"2014-03-19 14:37:29.09 -06" "Microsoft.Clm.BusinessLayer.DataEncryption" "System.String Decrypt(System.String)" "DOMAIN\USERA" "DOMAIN\svc.cgyFIMCMAgent" 0x00000F60 0x00000006

General Information


Additional Info:

EnvelopedCMS decryption failed. Fall back to AES method.

1) Exception Information


Exception Type: System.Security.Cryptography.CryptographicException

Message: Unable to locate the decryption key.

Data: System.Collections.ListDictionaryInternal

TargetSite: System.Security.Cryptography.Pkcs.ContentInfo DecryptCms(Byte[])

HelpLink: NULL

Source: Microsoft.Clm.Crypto

StackTrace Information


at Microsoft.Clm.Crypto.EnvelopedCmsExtension.DecryptCms(Byte[] encoded)

at Microsoft.Clm.BusinessLayer.DataEncryption.Decrypt(String encrypted)

"2014-03-19 14:37:29.12 -06" "Microsoft.Clm.BusinessLayer.DataEncryption"

When we went to the CAPI log, we opened it and filtered on errors.


We see 2 issues in this log: access denied and unable to check revocation.



After confirming all certificates and permissions are correct per: (

Then we went to the revocation and found the machine did not have internet access and was checking the validity of the signing certs in use. We found the path in another error entry saying it could not get to the path.


CAPI logging told us it was trying to get a CRL that it could not. After making sure all other configurations were in line (permission and account settings), we manually installed the CRL it was trying to get.

Resolution: Download and copy to the server, then right-click and install, as indicated in the CAPI log.
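
The same workflow in PowerShell, as an added example that is not part of the original post: it enables the CAPI2 operational log, lists the URLs named in its error events, and installs a CRL file that was downloaded on another machine. The script parameter $CrlFile and the URL-matching regex are assumptions of this example; run it from an elevated prompt on the FIM CM server.

```powershell
# Added example, not from the original post.
# $CrlFile is a hypothetical path to a CRL copied over from a machine with network access.
param([string]$CrlFile)

$log = 'Microsoft-Windows-CAPI2/Operational'

# CAPI2 operational logging is off by default; turn it on, then reproduce the error in FIM CM.
wevtutil sl $log /e:true

# Pull Error-level events (Level 2) from the log.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

# Extract every http(s)/ldap URL from the raw event XML. A regex over the XML
# avoids depending on the exact element layout of each CAPI2 event type.
$urls = foreach ($e in $events) {
    [regex]::Matches($e.ToXml(), '(?i)\b(?:https?|ldap)://[^\s"<]+') |
        ForEach-Object { $_.Value }
}

# Show which CRL/AIA locations failed most often.
$urls | Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

if ($CrlFile) {
    if (-not (Test-Path -LiteralPath $CrlFile)) {
        throw "CRL file not found: $CrlFile"
    }

    # A manually installed CRL is only honoured until its NextUpdate time,
    # so print the validity window before relying on it.
    certutil -dump $CrlFile | Select-String 'ThisUpdate|NextUpdate'

    # Install into the local machine Intermediate Certification Authorities store,
    # where chain building for the FIM CM service accounts can find it.
    certutil -addstore -f CA $CrlFile
}
```

Once the CRL passes its NextUpdate time, the revocation check fails again unless a fresh copy is installed or the server is given a route to the CRL distribution point.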

David Steadman has written 40 articles
