FIM CM “Operation timed out” message while trying to add a new certificate template to a profile template

When trying to add a new certificate template to a profile template in FIM CM 2010 R2, the product enumerates all existing certificate templates in the configuration partition of Active Directory. When an organization has a large number of complex templates (with large ACLs, etc.), FIM CM times out while trying to enumerate them.
This is both an undocumented issue and a rare occurrence. I could (partly) reproduce this by adding around 400 certificate templates in a FIM CM lab. The result was that the FIM CM certificate templates web page appeared after around 60-90 seconds, instead of the 5 seconds that the page takes to appear using the default templates loaded by AD CS.
There is a workaround that solves the problem: add an explicit Deny Read ACE for the CLMAuthagent account (or, even better, a security group that contains this account) to every certificate template that FIM CM is not going to use. FIM CM is then unable to read those templates, so the enumeration no longer has to process them and no longer times out.
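The workaround above as a repeatable script, added here as an example and not part of the original post. It assumes the ActiveDirectory PowerShell module (which also provides the `AD:` drive), that a security group containing the CLM Auth Agent account already exists, and that the group name `CONTOSO\CLM-DenyTemplateRead` and the list of templates FIM CM actually issues are placeholders to be replaced with your own values. The script is idempotent: templates that already carry the Deny Read ACE for that group are left alone, and templates on the keep list are never touched.

```powershell
# Added example (not from the original post): apply an explicit Deny Read ACE for a
# group containing the CLMAuthagent account to every certificate template in the
# configuration partition that FIM CM does not need, so FIM CM can no longer read
# (and therefore no longer has to enumerate) those templates.
# Assumptions: ActiveDirectory module available; the group and template names below
# are placeholders.
Import-Module ActiveDirectory

$denyPrincipal = 'CONTOSO\CLM-DenyTemplateRead'          # assumed group that contains CLMAuthagent
$keepTemplates = @('FIMCM-User', 'FIMCM-SmartCardLogon') # assumed templates FIM CM actually uses

# Resolve the group once to a SID so ACE comparison does not depend on name translation
$denySid = (New-Object System.Security.Principal.NTAccount($denyPrincipal)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Certificate templates live under the Public Key Services container of the config NC
$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -Filter { objectClass -eq 'pKICertificateTemplate' }

$changed = 0; $skipped = 0; $alreadyDenied = 0

foreach ($template in $templates) {
    if ($keepTemplates -contains $template.Name) {
        $skipped++
        continue   # FIM CM must keep reading the templates it issues
    }

    $path = "AD:\$($template.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Idempotency check: is there already a Deny ACE granting (denying) read to this SID?
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $denySid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
        }
    if ($existing) {
        $alreadyDenied++
        continue
    }

    # Deny GenericRead (covers ReadProperty, ListObject, ReadControl) for the group
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $denySid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($ace)

    # Set-Acl supports -WhatIf; run the script once with $WhatIfPreference = $true to preview
    Set-Acl -Path $path -AclObject $acl
    $changed++
    Write-Host "Deny Read added: $($template.Name)"
}

Write-Host "Templates modified: $changed, kept readable: $skipped, already denied: $alreadyDenied"
```

Because Deny ACEs take precedence over any Allow, the keep list must contain every template FIM CM manages; a template missing from it becomes invisible to FIM CM after the script runs. Running the script first with `$WhatIfPreference = $true` shows which templates would be changed without writing anything, and re-running it later is safe since it only adds the ACE where it is absent.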
