Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message:
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

A corresponding event is also logged in the Windows Event Viewer:

Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location on server DC01.intra.adcslabor.de: ldap:///CN=ADCS Labor Issuing CA 1,CN=ADCS Labor Issuing CA 1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS).
ldap: 0x32: LDAP_INSUFFICIENT_RIGHTS: 00002098: SecErr: DSID-03150F94, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Cause

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

If the publication of a certificate revocation list (CRL) fails with the error ERROR_DS_INSUFF_ACCESS_RIGHTS, this means that the certification authority does not have write access to the corresponding object in the Active Directory.

Write permissions to LDAP revocation list distribution points are controlled by the Cert Publishers group.

Each Active Directory integrated certificate authority is added to this group during role configuration.

It should be noted that the certification authority runs in the SYSTEM context of the computer on which it is installed. This means that group memberships to computer accounts do not take effect until the certification authority is restarted. Accordingly, the certification authority computer must be restarted once after role configuration.

Related links:

en_USEnglish