The FIM Certificate Management Update Service (FIM CM Update Service) is a Windows service that runs predefined tasks on a repeated interval. The predefined tasks and the repeat interval can be configured. One predefined task that must exist for the SQL API to operate is the ExternalRequests task. This task will create and submit FIM CM requests from the ExternalRequests table.

Service Configuration

In order to write to the external SQL API, an account, whether using SQL Integrated Authentication or Mixed Mode authentication, must be used.

Perform the following procedure to enable SQL integrated authentication.

To enable SQL integrated authentication

  1. Log on to the SQL Server Management console as a database administrator.

  2. Expand the FIM CM database server tree and click Logins node. On the menu bar, select Action, New Login…

  3. On the General tab, find the external account by clicking the '…' button next to the field name.

  4. Select the external user name and click OK. This will close the selection dialog box and default the domain to the external user domain name. Ensure that the default Authentication selection is set to Windows Authentication with the Security access set to Grant access.

  5. Select the Database Access tab. Click permit for the FIM CM database

  6. In the Database roles for 'CLM' list, select permit on 'clmExternalAPI'. This will guarantee the service has the appropriate permissions to write to the FIM CM database for its required functionality.

Perform the following procedure for Mixed Mode Authentication.

To enable mixed-mode authentication

  1. If Mixed Mode SQL authentication is used, the FIM CM Configuration Wizard will create a CLMExternal Account with all the required permissions for the SQL API to function. In order to reset the CLMExternal account password:

  2. Log on to the SQL Server Management console as a database administrator.

  3. Expand the FIM CM database server tree and click Logins node.

  4. Select the CLMExternal account and select Properties

  5. Modify the existing password and click OK. You will be prompted to confirm the new password.

The FIM CM Update Service can be configured by using an XML based configuration file (Microsoft.CLM.Service.exe.config).

The appSettings section has the following configuration items:

  • Interval time

  • List of tasks (called workers)

Generally, the value attribute for a worker is a fully qualified .NET Framework assembly name; however, the ExternalRequests, RenewalService, and Maintenance values are predefined workers whose .NET Framework assembly name is already known.

The system.diagnostics value is used to configure tracing. Use this section to diagnose a problem. Tracing information is logged and viewable with the event viewer. Name and value pairs of assemblies are listed in the switches section to turn tracing on for each assembly. The value describes the desired level of tracing. The following table details the available tracing levels.

Tracing levels

Tracing Level Description


Errors only







Sample Configuration File

The following is an example FIM CM Update Service configuration file. The configuration file is located in Program Files:

%ProgramFiles%\Microsoft Certificate Lifecycle Manager\Bin\Microsoft.CLM.Service.exe.config

You can change the configuration file by using a text editor such as Notepad.

  Copy Code
<?xml version="1.0" encoding="utf-8" ?>
		<section name="enterpriselibrary.configurationSettings"
type="Microsoft.Practices.EnterpriseLibrary.Configuration.ConfigurationManagerSectionHandler, Microsoft.Practices.EnterpriseLibrary.Configuration" />

This section specifies caching configuration settings, such as the path to the actual configuration file, encryption options, and so on.

	<enterpriselibrary.configurationSettings xmlns:xsd="" xmlns:xsi="" defaultSection="" applicationName="Application" xmlns="">
			<configurationSection name="cachingConfiguration" encrypt="false">
				<storageProvider xsi:type="XmlFileStorageProviderData" name="XML File Storage Provider" path="EnterpriseCaching.config" />
				<dataTransformer xsi:type="XmlSerializerTransformerData" name="Xml Serializer Transformer">
					<includeTypes />
		<keyAlgorithmStorageProvider xsi:nil="true" />

This section specifies how often the service should perform its tasks. The interval is specified in milliseconds. The default value is 5 hours. The minimum value is 1 hour. Setting this value to a number less than 1 hour will result in an interval of 1 hour.
		<add key="Microsoft.Clm.Service.Interval" value="18000000" />
This setting is used by the renewal service; it is a list of profile template names, each separated by a semicolon with no extra spaces before or after the semicolon, that will have online update requests initiated for them as opposed to renew requests. Any profile template that is not listed here will have a renew request initiated for it.
The online update requests will specify "CertificateExpiry" as the reason for the request.
		<add key="Microsoft.Clm.Service.RenewalService.OnlineUpdateProfileTemplates" value="Sample Profile Template;Sample Smart Card Logon Profile Template" />

Determine whether failed external requests are subsequently processed or not.
		<add key="Microsoft.Clm.Service.RetryFailedExternalRequests" value="true" />
This section lists modules that are launched and controlled by this service. There are 4 built-in modules that Clm provides: ExternalRequests, RenewalService, TemporarySmartCardDisable, and OnlineUpdateService.
Please see the topic "Configuring the CM Service Configuration File" in the service configuration guide.
		<add key="Microsoft.Clm.Service.WorkerCount" value="4" />
		<add key="Microsoft.Clm.Service.Worker0" value="ExternalRequests" />
		<add key="Microsoft.Clm.Service.Worker1" value="RenewalService" />
		<add key="Microsoft.Clm.Service.Worker2" value="TemporarySmartCardDisable" />
	 <add key="Microsoft.Clm.Service.Worker3" value="OnlineUpdateService" />

		<trace autoflush="true" indentsize="2" />
			<add name="Microsoft.Clm.Service" value="1" />
			<add name="Microsoft.Clm.BusinessLayer.Worker" value="4" />

See Also