Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

• An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
• The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
• Publishing the certificate revocation list fails with the following error message:

Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

A corresponding event is also logged in the Windows Event Viewer:

Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location on server DC01.intra.adcslabor.de: ldap:///CN=ADCS Labor Issuing CA 1,CN=ADCS Labor Issuing CA 1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS).
 ldap: 0x32: LDAP_INSUFFICIENT_RIGHTS: 00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

If the publication of a Certificate Revocation List (CRL) fails with the ERROR_DS_INSUFF_ACCESS_RIGHTS error, it means that the certification authority does not have write permissions to the corresponding object in Active Directory.

Write permissions to LDAP revocation list distribution points are controlled by the Cert Publishers group.

Each Active Directory integrated certificate authority is added to this group during role configuration.

It should be noted that the certification authority runs in the SYSTEM context of the computer on which it is installed. This means that group memberships to computer accounts do not take effect until the certification authority is restarted. Accordingly, the certification authority computer must be restarted once after role configuration.

Related links:

• Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".
• Publish a Certificate Revocation List to an Active Directory Revocation List Distribution Point
• Create and publish a certificate revocation list