# Thursday, 18 November 2010

You can extend the lifetime of FIM CM OTP's.

All that needs to be done is:

  • Select the Custom Password Provider option in your policy
  • Set the type to Microsoft.CLM.BusinessLayer.DefaultSecretProvider
  • The Password provider data controls the OTP generation.
    The format is in the form of
    • numberofotp can be 0, 1 or 2
    • I did not see a technical limit (yeah, it's possibly an int32, so there IS a limit) for length or lifetime

  • 1,8,40 will generate one OTP with a length of '8' and a lifetime of 40 days
  • 2.8.8,40 will generate two OTPs, both with a length of 8 and a lifetime of 40 days

It seems that adding 'm' to the lifetime will make it minutes, not days.



Thursday, 18 November 2010 11:22:46 (Mitteleuropäische Zeit, UTC+01:00)
# Wednesday, 02 September 2009

I often have to diagnose CA 'misbehaviours', and even more often I have to look up where the log files are and how to enable the logging. So, after a bit of googling/binging, I found this:

Certification Authority Settings

  • Enable Certificate Services debug logging by running the following commands on the CA:
    certutil.exe -f -setreg ca\debug 0xffffffff
    Net Stop Certsvc && Net Start Certsvc
  • The following log files will be created:
    %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
    %SystemRoot%\certutil.log (Certutil.exe)
    %SystemRoot%\certreq.log (Certreq.exe)
    %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
    %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Take a look, there is more useful information there...
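An added PowerShell helper (not from the original post) that wraps the two steps above into a bounded session: enable the mask, reproduce the problem, switch it off again and collect the listed log files, since a ca\debug mask of 0xffffffff makes the logs grow quickly. It assumes an elevated shell on the CA and that resetting ca\debug to 0 restores the default (no debug logging).

```powershell
# Added example: bounded CA debug-logging session. Assumes elevated PowerShell on the CA.
$CaLogFiles = 'certsrv.log', 'certutil.log', 'certreq.log', 'certmmc.log', 'certocm.log'

function Enable-CaDebugLogging {
    # Same commands as the post: set the debug mask, then bounce the service.
    # The mask is quoted so PowerShell passes the literal hex string, not a parsed number.
    & certutil.exe -f -setreg 'ca\debug' '0xffffffff' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name CertSvc -Force
}

function Disable-CaDebugLogging {
    # Assumption: 0 clears the debug mask (the default state). Restart so certsrv.exe re-reads it.
    & certutil.exe -f -setreg 'ca\debug' '0' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name CertSvc -Force
}

function Get-CaDebugLogs {
    param([Parameter(Mandatory)][string]$Destination)
    # Copy whichever of the documented log files exist into a timestamped folder.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "ca-debug-$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    foreach ($name in $CaLogFiles) {
        $path = Join-Path $env:SystemRoot $name
        if (Test-Path $path) { Copy-Item $path -Destination $target }
    }
    Get-ChildItem $target
}

# Typical session: enable, reproduce the failing request, disable, collect.
Enable-CaDebugLogging
Read-Host 'Reproduce the failing request now, then press Enter' | Out-Null
Disable-CaDebugLogging
Get-CaDebugLogs -Destination 'C:\Temp'
```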


Ah, and if you use CLM/FIM this might be of interest as well:

Wednesday, 02 September 2009 20:49:27 (Mitteleuropäische Sommerzeit, UTC+02:00)
CLM | Tracing | CA
# Wednesday, 29 April 2009
You can increase the logging level of the Certificate service in the event log for troubleshooting.
This causes Certificate services to log more frequent and verbose Application Event log entries.
To increase the logging level of the Certificate service, run the command:

certutil -setreg ca\loglevel logginglevel

where logginglevel is the level you want to use, and then restart the service.

The following ranges are available:


taken from

and don't forget to restart the certificate services :-)

If you use CLM you may also want to set the loglevel for the Policy and Exit modules:

Policy module
Add a string value named Microsoft.Clm.PolicyModule to the following registry key:
Exit module
Add a string value named Microsoft.Clm.ExitModule in the following registry key:

Set the string value to the desired logging level (Info, Warning, Error or Verbose), and then restart the CLM Service to apply the trace logging settings.

Policy module plugins
If you need logging for the CLM policy module plugins, you must create a config file.
Enabling trace logging for the policy module plug-ins causes CLM 2007 to write the error output to the system debug stream, viewable using DebugView.

To enable trace logging, you must create a config file for certsrv.exe file in the C:\WINDOWS\system32 folder.
Create a new text document and name it certsrv.exe.config;
open the new file and copy/paste the following configuration information (it's standard .NET tracing; the switch value 4 is the System.Diagnostics TraceLevel "Verbose"):

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.diagnostics>
    <trace autoflush="true" indentsize="2" />
    <switches>
      <add name="Microsoft.Clm.PolicyModulePlugins" value="4" />
    </switches>
  </system.diagnostics>
</configuration>
```
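An added PowerShell script (not from the original post) that creates or updates certsrv.exe.config through the XML DOM instead of pasting text, so an existing config file is backed up and extended rather than overwritten. It assumes an elevated shell on the CA; the path, switch name and value are those given in the post.

```powershell
# Added example: create or update certsrv.exe.config so the plug-in trace switch is present,
# without clobbering a config file that already exists. Run elevated on the CA.
$ConfigPath = Join-Path $env:SystemRoot 'system32\certsrv.exe.config'
$SwitchName = 'Microsoft.Clm.PolicyModulePlugins'
$TraceLevel = '4'   # System.Diagnostics TraceLevel Verbose, as in the post

function Set-ClmPluginTraceSwitch {
    param([string]$Path = $ConfigPath, [string]$Name = $SwitchName, [string]$Value = $TraceLevel)

    $xml = New-Object System.Xml.XmlDocument
    if (Test-Path $Path) {
        Copy-Item $Path "$Path.bak" -Force      # keep a backup of whatever was there
        $xml.Load($Path)
    } else {
        $xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'utf-8', $null)) | Out-Null
        $xml.AppendChild($xml.CreateElement('configuration')) | Out-Null
    }

    # Walk or create configuration/system.diagnostics/{trace,switches}.
    $cfg  = $xml.DocumentElement
    $diag = $cfg.SelectSingleNode('system.diagnostics')
    if (-not $diag) { $diag = $cfg.AppendChild($xml.CreateElement('system.diagnostics')) }
    if (-not $diag.SelectSingleNode('trace')) {
        $trace = $diag.AppendChild($xml.CreateElement('trace'))
        $trace.SetAttribute('autoflush', 'true')
        $trace.SetAttribute('indentsize', '2')
    }
    $switches = $diag.SelectSingleNode('switches')
    if (-not $switches) { $switches = $diag.AppendChild($xml.CreateElement('switches')) }

    # Update the switch if it is already there, otherwise add it.
    $add = $switches.SelectSingleNode("add[@name='$Name']")
    if (-not $add) {
        $add = $switches.AppendChild($xml.CreateElement('add'))
        $add.SetAttribute('name', $Name)
    }
    $add.SetAttribute('value', $Value)

    $xml.Save($Path)
    Restart-Service -Name CertSvc -Force   # certsrv.exe reads the config at start-up
}

Set-ClmPluginTraceSwitch
```

Afterwards the plug-in trace output appears in DebugView as described above; set the switch value back to 0 and restart CertSvc when you are done.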

Wednesday, 29 April 2009 18:48:59 (Mitteleuropäische Sommerzeit, UTC+02:00)
CLM | Tracing
# Friday, 13 February 2009
So, ever played too much with a CLM test or demo environment and the database is full of old requests?
You can clean the database by running the ILM configuration wizard.
The wizard will drop (and recreate) the database as part of the final configuration.
If you want to keep the certificates from your current installation, don't let the wizard create new service account certificates.
There is a checkbox for this option.
I've done this for CLM 2007 (FP1) but I did not test it for newer releases (so I give no warranties).

Friday, 13 February 2009 14:28:44 (Mitteleuropäische Zeit, UTC+01:00)
# Wednesday, 11 February 2009
There are two possible reasons for a BIND problem in CLM:
  1. Not in Trusted Sites
    If working with CLM, be sure to add the CLM website to your browser's Trusted Sites list.
    Many problems like links that do not work, Active Directory (AD) bind problems and of course ActiveX problems

  2. Service Principal Names
    In order for Kerberos to work, the SPN must be correctly set. Verify its setting by issuing SETSPN -l MYDOMAIN\serviceaccount, where serviceaccount is the account the IIS App Pool is running under.
    It should contain something like
    If you are using Windows 2008 you can check for duplicate SPNs by issuing setspn -X
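An added diagnostic script (not from the original post) that checks both points from a client: whether the CLM host is mapped to the Trusted Sites zone for the current user, and whether the app pool account carries HTTP/ SPNs for that host, plus the setspn -X duplicate scan. The hostname, the account and the assumption that the CLM SPNs use the HTTP service class are placeholders to adjust.

```powershell
# Added example: check the two CLM bind prerequisites from the post.
$ClmHost        = 'clm.mydomain.example'     # placeholder: your CLM hostname
$ServiceAccount = 'MYDOMAIN\serviceaccount'  # account the IIS app pool runs under

function Test-ClmTrustedSite {
    param([string]$HostName = $ClmHost)
    # WinInet zone map: a DWORD named after the scheme with value 2 means "Trusted sites".
    # The key lives under HKCU, so run this as the user who sees the bind problem.
    $parts  = $HostName.Split('.')
    $domain = $parts[-2..-1] -join '.'
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($parts.Length -gt 2) {
        $sub = $parts[0..($parts.Length - 3)] -join '.'   # host part goes in a subkey
        $key = Join-Path $key $sub
    }
    if (-not (Test-Path $key)) { return $false }
    $zones = Get-ItemProperty -Path $key
    foreach ($scheme in 'https', 'http', '*') {
        if ($zones.PSObject.Properties[$scheme] -and $zones.$scheme -eq 2) { return $true }
    }
    return $false
}

function Get-ClmSpnStatus {
    param([string]$Account = $ServiceAccount)
    # setspn -L lists the SPNs registered on the account (output lines are indented).
    # Assumption: CLM's SPNs use the HTTP/ service class, as IIS Kerberos auth does.
    $listed = & setspn.exe -L $Account 2>&1 | Where-Object { $_ -match '^\s+HTTP/' } |
              ForEach-Object { $_.ToString().Trim() }
    # setspn -X (Windows Server 2008 and later) reports duplicate SPNs forest-wide.
    $dupes  = & setspn.exe -X 2>&1 | Where-Object { $_ -match 'HTTP/' }
    [pscustomobject]@{
        Account    = $Account
        HttpSpns   = $listed
        HasClmSpn  = [bool]($listed -match "^HTTP/$([regex]::Escape($ClmHost))")
        Duplicates = $dupes
    }
}

"Trusted site mapping present: $(Test-ClmTrustedSite)"
Get-ClmSpnStatus | Format-List
```

On servers with IE Enhanced Security Configuration the mapping may sit under ZoneMap\EscDomains instead of ZoneMap\Domains; check that key if the first test reports false although the site was added.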
Wednesday, 11 February 2009 14:20:08 (Mitteleuropäische Zeit, UTC+01:00)
Authentication | CLM
© Copyright 2018
Hannes Köhler