Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Denied by Policy Module.

The certification authority logs Event ID 53 with the same error code. In the same context, Event IDs 86, 88 and 130 also occur.

Active Directory Certificate Services denied request 12345 because Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA). The request was for CN=Rudi Ratlos. Additional information: Error Constructing or Publishing Certificate Resubmitted by INTRA\Administrator

In some cases, the certification authority will not log an event. For example, this behavior has been observed with an offline certification authority when submitting the certificate request via the certification authority MMC.

A certificate request via VMware AirWatch/Workspace One also returns the same error code:

COMException while submitting enroll request: Bad Data. (Exception from HRESULT: 0x80090005)

Side effect: issuing certificate revocation lists is no longer possible either

Most likely, issuing certificate revocation lists on the certification authority will also no longer be possible.

If the certification authority can no longer issue revocation lists, the PKI is at risk of acute failure: once the previous certificate revocation list expires, even certificates that have already been issued can no longer be checked for validity. The problem should therefore be treated with priority, or emergency certificate revocation lists must be used to bridge the gap.

Cause

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of policies to securely automate certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can be downloaded via GitHub and used free of charge.

In this case, a SafeNet Hardware Security Module (HSM) was used.

The error can occur, among other reasons,

  • if the network connection to the hardware security module has been interrupted and the private key cannot be accessed;
  • if the permissions on the slot of the HSM are no longer correct;
  • if the password for the slot or partition has been changed and not re-entered on the certification authority.

See also the LunaKSP.log in the operating system directory:

ERROR, No registered slots/partitions were found for the user NETWORK SERVICE@NT AUTHORITY!!!

Likewise, if enabled, check the HA log. The keywords to look for are:

  • dropped
  • offline
  • unable to reach member
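The indicators described above (CA events with the NTE_BAD_DATA HRESULT, the "No registered slots/partitions" entry in LunaKSP.log, and the HA log keywords) can be collected in one pass. The following PowerShell script is an added example and not part of the original article or of any SafeNet/Microsoft tooling. It assumes that CA events are written to the Application log by the provider `Microsoft-Windows-CertificationAuthority`, that LunaKSP.log sits in the Windows directory, and uses a placeholder path for the HA log that must be replaced with the local one.

```powershell
# Added example (not from the original article): gather the three indicators in one report.
# Assumptions: CA provider name 'Microsoft-Windows-CertificationAuthority' in the Application log;
# LunaKSP.log in $env:windir; the HA log path below is a placeholder for the local installation.
param(
    [int]$Hours = 24,
    [string]$LunaKspLog = (Join-Path $env:windir 'LunaKSP.log'),
    [string]$HaLog = 'C:\Path\To\HA.log'   # placeholder, set to the local HA log path
)

$since = (Get-Date).AddHours(-$Hours)

# 1. CA events 53, 86, 88 and 130 that carry the 0x80090005 (NTE_BAD_DATA) code
$caEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 53, 86, 88, 130
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80090005' }

# 2. KSP log: the key storage provider no longer sees any slot or partition
$kspHits = @()
if (Test-Path $LunaKspLog) {
    $kspHits = Select-String -Path $LunaKspLog -Pattern 'No registered slots/partitions' -SimpleMatch
}

# 3. HA log: the connectivity keywords named above
$haHits = @()
if (Test-Path $HaLog) {
    $haHits = Select-String -Path $HaLog -Pattern 'dropped', 'offline', 'unable to reach member' -SimpleMatch
}

# Summary: CA denials together with KSP or HA findings point to lost access to the HSM key
[pscustomobject]@{
    CaDenialsLastHours   = $caEvents.Count
    KspNoSlotEntries     = $kspHits.Count
    HaConnectivityAlerts = $haHits.Count
    LikelyHsmKeyAccess   = ($caEvents.Count -gt 0) -and (($kspHits.Count -gt 0) -or ($haHits.Count -gt 0))
}
```

Run the script on the certification authority itself with an account that can read the Application log and the KSP log; a result with CA denials but no KSP or HA findings suggests a cause other than the HSM connection and should be investigated separately.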

Solution

In most cases, restarting the certification authority service will be sufficient.

A restart of the certification authority service may fail with error code RPC_S_DUPLICATE_ENDPOINT if not enough time passes between stopping and starting the service.

In some circumstances, restarting only the certification authority service is not enough and the whole server must be restarted.
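A restart that observes the waiting time mentioned above, and then checks whether the certification authority answers and can issue a revocation list again, can be scripted as follows. This PowerShell is an added example and not part of the original article. It assumes the standard ADCS service name `CertSvc`; the pause length is a chosen value, not one the article specifies.

```powershell
# Added example (not from the original article): restart the CA service with an explicit
# pause between stop and start, then verify that the CA and its private key are usable again.
# Assumptions: service name 'CertSvc'; the pause length is a chosen value.
param(
    [int]$PauseSeconds = 30
)

$svc = Get-Service -Name 'CertSvc'

Stop-Service -Name 'CertSvc'
# Wait until the service has actually reached 'Stopped', not merely accepted the stop request
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))

# Give the previous instance time to release its RPC endpoints (avoids RPC_S_DUPLICATE_ENDPOINT)
Start-Sleep -Seconds $PauseSeconds

Start-Service -Name 'CertSvc'
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))

# Verify that the CA answers requests; certutil sets a non-zero exit code on failure
certutil -ping | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'CA did not answer certutil -ping; a reboot of the server may be required.'
}
else {
    # Issuing a fresh CRL proves the CA can use its HSM-protected private key again
    certutil -CRL
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'CRL issuance still fails; check the LunaKSP and HA logs before the current CRL expires.'
    }
}
```

If `certutil -CRL` still fails after the restart, treat the CRL expiry time as the deadline for the full server restart or for switching to the emergency revocation list procedure described above.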
