When restoring a certification authority, the certification authority certificate is not selectable during role installation

Assume the following scenario:

Continue reading "When restoring a certification authority, the certification authority certificate is not selectable during role installation"

Installation of a certificate authority certificate fails with error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A new certification authority is installed.
  • After configuring the certification authority role and issuing the certification authority certificate, it should now be installed on the certification authority.
  • A hardware security module (HSM) is used to protect the private key of the certification authority certificate.
  • The installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)
Continue reading "Installation of a certification authority certificate fails with error message 'Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)'"

Reconnecting to the private key fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
Continue reading "Reconnecting to the private key fails with error message 'Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)'"

Installation of the default certificate templates fails with error message "This security ID may not be assigned as the owner of this object."

Assume the following scenario:

  • For the first time, a certification authority (Enterprise Certification Authority) integrated into Active Directory is to be installed in the network.
  • The rights to install the certificate authority have been delegated to a separate security group or account for security reasons, so no Enterprise Administrator login is required. Put another way: The user used is not a member of the Enterprise Administrators group in the Active Directory forest.
  • Since this is the first certification authority in the network, the default certificate templates are not yet installed in Active Directory. When opening the certificate template management console (certtmpl.msc), one is prompted to install them.
  • The installation fails with the following error message:
Windows could not install the new certificate templates. This security ID may not be assigned as the owner of this object.
Continue reading "Installation of the default certificate templates fails with error message 'This security ID may not be assigned as the owner of this object.'"

Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)

Assume the following scenario:

  • An Appx package is to be signed.
  • SignTool.exe is used for this purpose.
  • The code signing certificate used was recently renewed.
  • The signing process with the new code signing certificate fails with the following error message:
"Error: SignerSign() failed." (-2147024885/0x8007000b) 
Continue reading "Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)"

No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:
A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.
Continue reading "No remote desktop logon possible from outside the Active Directory forest"

Login to the Network Device Enrollment Service (NDES) administration web page fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • An NDES server is configured on the network.
  • Logging on to the NDES administration web page (certsrv/mscep_admin) is not possible.
  • After several unsuccessful login attempts, the following HTTP error message is returned:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading "Login to the Network Device Enrollment Service (NDES) administration web page fails with HTTP error code 401 'Unauthorized: Access is denied due to invalid credentials.'"

Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Continue reading "Remote desktop certificate request fails with error message 'The permissions on the certificate template do not allow the current user to enroll for this type of certificate.'"

Remote desktop certificate request fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
Continue reading "Remote desktop certificate request fails with error message 'The requested certificate template is not supported by this CA.'"

Certificate requests for the online responder (OCSP) fail sporadically with error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)"

Assume the following scenario:

  • An online responder (OCSP) is set up in the network.
  • The certification authorities report at irregular intervals that certificate requests for the OCSP response signing certificates fail with the following error message:
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).
Continue reading "Certificate requests for the online responder (OCSP) fail sporadically with error message 'The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)'"

Enable logging for automatic certificate request (autoenrollment)

The following is an overview of the Windows Event Viewer events generated by Windows certificate clients, how to enable them, and how to identify them.

Continue reading "Enable logging for automatic certificate request (autoenrollment)"

Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM

Assume the following scenario:

  • A certificate template is configured for automatic certificate request (autoenrollment).
  • The certificate template is published on a certification authority (Enterprise Certification Authority) integrated into Active Directory.
  • However, the users or computers configured for automatic certificate enrollment do not request certificates as intended.

The following is a troubleshooting guide.

Continue reading "Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM"

No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN).
  • A certificate should be requested via autoenrollment, but this does not happen.
  • A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
Continue reading "No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)"

The Certificate Authority service fails to start and throws the error message "Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)."

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).
Continue reading "The Certificate Authority service fails to start and throws the error message 'Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).'"

New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers request new certificates at regular intervals and long before the configured renewal period.
Continue reading "New certificates are regularly requested via Autoenrollment"