Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Author Uwe GradeneggerPosted on Categories Troubleshooting, Certification AuthorityTags , ,

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Denied by Policy Module.

The Certification Authority will use the Event no. 53 with the same error code. In the same context, the events no. 86, 88 and 130 occur.

Active Directory Certificate Services denied request 12345 because Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA). The request was for CN=Rudi Ratlos. Additional information: Error Constructing or Publishing Certificate Resubmitted by INTRA\Administrator

In some cases, the certification authority will not log an event. For example, this behavior has been observed with an offline certification authority when submitting the certificate request via the certification authority MMC.

A certificate request via VMware AirWatch/Workspace One also returns the same error code:

COMException while submitting enroll request: Bad Data. (Exception from HRESULT: 0x80090005)

Side effect: Also no more issuing of blacklists possible

Also the Issuing certificate revocation lists on the certification authority is most likely also no longer possible.

If it is no longer possible for the certification authority to issue revocation lists, there is a risk of acute failure of the PKI because, when the previous certificate revocation list expires, even certificates that have already been issued can no longer be checked for validity. The problem should therefore be prioritized or postponed to Emergency blacklists can be resorted to.

Cause

In this case, a SafeNet Hardware Security Module (HSM) was used.

The error can occur among others,

  • if the network connection to the hardware security module has been interrupted and the private key cannot be accessed.
  • if the permissions on the slot of the HSM are no longer correct.
  • the password for the slot or partition has been changed and not re-entered on the certification authority.

See also the LunaKSP.log in the operating system directory:

ERROR, No registered slots/partitions were found for the user NETWORK SERVICE@NT AUTHORITY!!!

Likewise, if enabled, the HA log. The keywords are:

  • dropped
  • offline
  • unable to reach member

Solution

In most cases, restarting the certification authority service will be sufficient.

A restart of the certification authority service may fail with error code RPC_S_DUPLICATE_ENDPOINT, if sufficient waiting time between stop and start of the service is not observed.

In some circumstances it will not be enough to restart only the certificate authority service, but the whole server must be restarted.

3 thoughts on “Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).“”

  1. Pingback: Details about the event with ID 53 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  2. Pingback: Details about the event with ID 130 of the source Microsoft-Windows-CertificationAuthority - Uwe Gradenegger
  3. Pingback: Limits of Microsoft Active Directory Certificate Services - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish