When installing an Active Directory integrated certificate authority, the error message "Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)" appears.

Assume the following scenario:

  • A certification authority (Enterprise Certification Authority) integrated into Active Directory is installed via Windows PowerShell.
  • Delegated permissions are used to install the certificate authority. Thus, the installing user is not a member of the Enterprise Administrators group.
  • After running the Role Configuration Wizard, one or more of the following error messages is displayed on the command line:
Setup could not add the Certification Authority's computer account to the Pre-Windows 2000 Compatible Access security group. Certificate managers Restrictions feature will not work correctly on this Certification Authority. To fix this, an administrator must manually add the Certification's Authority's computer account to the Pre-Windows 2000 Compatible Access security group in Active Directory. Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Warning: Setup could not add the certification authority's computer account to the cert Publishers Security Group. This Certification Authority will not be able to publish certificates in Active Directory. To fix this, an administrator must manually add the Certification Authority's computer account to the Cert Publishers security group in Active Directory.  Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Details of the event with ID 75 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 75 (0x4B)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_DELTA_CRL_PUBLICATION_HOST_NAME
Event text (English): Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6
Event text (German): Failed to publish delta certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6

Details of the event with ID 65 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 65 (0x41)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_BASE_CRL_PUBLICATION
Event text (English): Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6
Event text (German): No base certificate revocation list could be published for the key %1 at the following location: %2. %3.%5%6

Details of the event with ID 66 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 66 (0x42)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_DELTA_CRL_PUBLICATION
Event text (English): Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6
Event text (German): Failed to publish delta certificate revocation list for key %1 at the following location: %2. %3.%5%6

Details of the event with ID 67 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 67 (0x43)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_CRL_PUBLICATION_TOO_MANY_RETRIES
Event text (English): Active Directory Certificate Services made %1 attempts to publish a CRL and will stop publishing attempts until the next CRL is generated.
Event text (German): %1 certificate revocation list publication attempts were made. The publication attempts are canceled until the next certificate revocation list generation.

Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP).

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.


Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message:
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Publishing a certificate revocation list (CRL) fails with the error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A new revocation list is created on the certification authority.
  • The certification authority is configured to publish revocation lists to a network path.
  • Publishing fails with the following error message:
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)