dwielgosz

asked on
Need help with Errors regarding certification authority in Event Viewer

I have asked several questions here at EE regarding certificates without so far having gotten any helpful answers. Hoping to get this problem resolved, I am pasting the events, in sequence, from the Application event log into this question and am hoping that I can have the following question(s) answered to resolve this once and for all:

We have a single Active Directory domain, run our own Exchange server (both ver. 2000) and do not host a website internally.

Is this a problem that I should even be concerned about?
Do I need to even run Cert. services?
Is this being caused by an expired domain controller certificate?

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            6/6/2005
Time:            6:20:44 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Automatic enrollment against the certification authority MS IIS DCOM Server for a certificate of type DomainController has failed.  (0x80070005) Access is denied.
.   Another certification authority will be tried.

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            6/6/2005
Time:            6:20:55 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Automatic enrollment against the certification authority "our domain"!002c LLC for a certificate of type DomainController has failed.  (0x80090008) Invalid algorithm specified.
.   Another certification authority will be tried.

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            6/6/2005
Time:            6:20:56 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Automatic enrollment against the certification authority MS IIS DCOM Server for a certificate of type DomainController has failed.  (0x80070005) Access is denied.
.   Another certification authority will be tried.

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            6/6/2005
Time:            6:21:13 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Automatic enrollment against the certification authority "our domain"!002c LLC for a certificate of type DomainController has failed.  (0x80090008) Invalid algorithm specified.
.   Another certification authority will be tried.

Event Type:      Information
Event Source:      CertSvc
Event Category:      None
Event ID:      38
Date:            6/6/2005
Time:            8:12:35 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services for "our domain", LLC was stopped.

Event Type:      Information
Event Source:      ESENT
Event Category:      General
Event ID:      100
Date:            6/6/2005
Time:            8:13:05 AM
User:            N/A
Computer:      WIN2KSERV
Description:
certsrv.exe (3736) The database engine 6.01.3940.0031 started.

Event Type:      Information
Event Source:      CertSvc
Event Category:      None
Event ID:      58
Date:            6/6/2005
Time:            8:13:07 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services did not start: A certificate in the CA certificate chain for "our domain", LLC has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.  0x800b0101 (-2146762495).

Event Type:      Warning
Event Source:      CertSvc
Event Category:      None
Event ID:      103
Date:            6/6/2005
Time:            8:13:08 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services temporarily added the root certificate of certificate chain 5 to the downloaded Enterprise Root store.  If this problem persists, publishing the root certificate to the Active Directory may be necessary.

Event Type:      Information
Event Source:      CertSvc
Event Category:      None
Event ID:      26
Date:            6/6/2005
Time:            8:13:09 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services for "our domain", LLC was started.

Event Type:      Information
Event Source:      CertSvc
Event Category:      None
Event ID:      58
Date:            6/6/2005
Time:            9:00:11 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services did not start: A certificate in the CA certificate chain for "our domain", LLC has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.  0x800b0101 (-2146762495).

Event Type:      Warning
Event Source:      CertSvc
Event Category:      None
Event ID:      103
Date:            6/6/2005
Time:            9:00:12 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services temporarily added the root certificate of certificate chain 6 to the downloaded Enterprise Root store.  If this problem persists, publishing the root certificate to the Active Directory may be necessary.

That's it, sorry about the length, but hopefully it will provide some clarity that I may have been missing on the previous questions.
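Added example, not code from the thread: a small Python triage script for an Application-log text export in exactly the layout pasted above. It re-joins the wrapped Description lines (including the stray ". " continuation prefix), pulls out the HRESULT and the CA / template names from Winlogon 1010 events, and classifies each event. The set of CA names that should still exist is an assumption the admin supplies (here only the one real CA), so an enrollment attempt against any other CA name is flagged as a stale reference rather than a genuine enrollment failure. The sample events are constructed to mirror three of the events quoted in the question.

```python
"""Triage Certificate Services / auto-enrollment events from a text export of
the Windows Application log. Added example; sample events are constructed."""
import re
from collections import Counter

# Constructed sample in the same layout as the events pasted in the question.
SAMPLE_LOG = """\
Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            6/6/2005
Time:            6:20:44 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Automatic enrollment against the certification authority MS IIS DCOM Server for a certificate of type DomainController has failed.  (0x80070005) Access is denied.
.   Another certification authority will be tried.

Event Type:      Warning
Event Source:      Winlogon
Event Category:      None
Event ID:      1010
Date:            6/6/2005
Time:            6:20:55 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Automatic enrollment against the certification authority "our domain"!002c LLC for a certificate of type DomainController has failed.  (0x80090008) Invalid algorithm specified.
.   Another certification authority will be tried.

Event Type:      Information
Event Source:      CertSvc
Event Category:      None
Event ID:      58
Date:            6/6/2005
Time:            8:13:07 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services did not start: A certificate in the CA certificate chain for "our domain", LLC has expired.  0x800b0101 (-2146762495).
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
ENROLL_RE = re.compile(r"certification authority (.+?) for a certificate of type (\w+)")
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")
# Well-known Windows HRESULT names for the codes that appear in the thread.
HRESULT_NAMES = {"0x80070005": "E_ACCESSDENIED", "0x80090008": "NTE_BAD_ALGID",
                 "0x800b0101": "CERT_E_EXPIRED"}

def parse_events(text):
    """Split an Event Viewer text export into dicts; Description is re-joined."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip().lstrip(". "))  # drop the ".   " wrap prefix
            elif line.startswith("Description:"):
                in_desc = True
            else:
                m = FIELD_RE.match(line)
                if m:
                    ev[m.group(1)] = m.group(2).strip()
        ev["Description"] = " ".join(" ".join(desc).split())  # collapse double spaces
        events.append(ev)
    return events

def triage(events, current_cas):
    """Classify events; current_cas is the admin-supplied set of CA names that
    should still exist (assumption), so anything else is a stale reference."""
    findings = []
    for ev in events:
        desc = ev["Description"]
        m = HRESULT_RE.search(desc)
        code = m.group(0).lower() if m else None
        key = (ev.get("Event Source"), ev.get("Event ID"))
        if key == ("Winlogon", "1010"):
            e = ENROLL_RE.search(desc)
            ca, template = e.groups() if e else ("?", "?")
            kind = "enrollment_failed" if ca in current_cas else "stale_ca_reference"
            findings.append({"kind": kind, "ca": ca, "template": template, "code": code})
        elif key == ("CertSvc", "58"):
            findings.append({"kind": "ca_start_failed", "code": code})
        elif key == ("CertSvc", "103"):
            findings.append({"kind": "root_not_published", "code": code})
    for f in findings:
        f["hresult"] = HRESULT_NAMES.get(f["code"], "unknown")
    return findings

def summarize(findings):
    """Count findings per kind; handy for spotting a repeating (e.g. 8-hourly) pattern."""
    return Counter(f["kind"] for f in findings)

if __name__ == "__main__":
    fs = triage(parse_events(SAMPLE_LOG), current_cas={'"our domain"!002c LLC'})
    for f in fs:
        print(f)
    print(summarize(fs))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; a `stale_ca_reference` finding points at a CA object that is still advertised in the directory (the Public Key Services containers) even though the server behind it is gone, while `ca_start_failed` with CERT_E_EXPIRED means no enrollment can succeed until the CA chain itself is renewed.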
swinterborn

1) There is no intrinsic reason to run Cert Services.
2) If you have decided to use Cert Services, then yes you should be concerned about it.
3) This looks like it is caused by an expired root CA certificate, which means that you then can't issue a DC cert. An essential tool for Win2k PKI troubleshooting and maintenance is DSSTORE, part of the Resource Kit. Docs at http://download.microsoft.com/download/2/c/2/2c295add-e36d-49c6-890f-45d307b8cc88/smrtcrdtrbl.doc. It may also be caused by the latest root CA cert not being published to AD - detailed in the doc.

HTH

Simon
dwielgosz (ASKER)

I've been reading. I do not have the tool Kit. I tried the Microsoft website and they have many tools for free download, but DStore.exe isn't one of them. Any ideas?
First off, verify whether or not your root cert has expired. If it has, renew it. You can use the CA MMC to do this; I don't have it handy, so I can't talk you through it at the moment.
Under "Issued Certificates" the first 7 entries all expired a while ago. The requestor name for each is "ourdomain\DomainController$". Is this what you mean by "root certificate"? I thought that originally, the very first cert that we had was issued to our domain name and not the domain controller name. I don't see any with just our domain name for a requestor. Also, renewing is not an option available, only revoking.

By the way, I did get a copy of dsstore
No, it's not the requestor; it's the cert of the entity that signs the issued cert. Open up one of the expired certs and look on the Certification Path tab; at the top of the tree will be the root CA cert. Double-click on it and verify the expiry date.
OK, I opened each of the 7 expired certificates (all issued to our DC), clicked the "certification path" tab and double-clicked on the root of the tree. In each one, the root was our domain name which is what the original (first) certificate was issued to. Each of the root certificates was good and is set to expire on 06/18/2005.

I ran the Dsstore.exe on the DC yesterday and didn't see any blatant error messages. I then ran certutil.exe and received an error when I ran the "-vroot" command. The error is pasted below:

C:\Documents and Settings\Administrator>certutil -vroot
Web Virtual Root Already Exists
File Share Create Error
CertUtil: -vroot command FAILED: 0x80070911 (WIN32: 2321)
CertUtil: The share must be removed from the Distributed File System before it can be deleted.

Is "CertEnroll" supposed to be a DFS share? That's where it's located, and I was wondering if that's causing some of these problems.
I suspect that is a bit of a sidetrack. First off we need to get the root cert sorted. You have verified that the cert is valid, although only for another 11 days; you now need to verify it has been published in AD. There is a section in the dsstore doc which details how to do this. Note that whatever the current state, you are going to have to do this again in 11 days anyway.
OK, you're right, haha. I'll consider this a warmup then. Meanwhile, back to the doc.
Did I use the wrong syntax, or the wrong command for that matter?

C:\Documents and Settings\Administrator>dsstore DC=Home,DC=DomainName,DC=com -addroot
CryptQueryObject failed! - 80070057
I think that this may be relevant to the problems that I'm having here. I ran, "DCDiag.exe" on the DC and everything passed except for 2 items:

Starting Test: MachineAccount
DomainController is not trusted for account delegation
DomainController failed test MachineAccount

Starting Test:frssysvol
Error: No record of File Replication system, SYSVOL started.
The Active Directory may be prevented from starting.
DomainController passed test frssysvol

How do I correct the machineaccount item?
Open AD U&C, bring up the properties of the DC account; in 2000 there is a tick box, I think on the first tab, something like 'Trust this account for delegation' - it has a security warning next to it.
OK, that's been resolved, which takes me back to the question about whether I ran the correct command in trying to get the root cert. published to AD. This is what I ran and the results; is this the correct command? Later on I tried the same command with the path to one of the certificates after the "-addroot". I also tried it with simply the name of one of the root certs after the "-addroot". Either way I got the results below.

C:\Documents and Settings\Administrator>dsstore DC=Home,DC=DomainName,DC=com -addroot
CryptQueryObject failed! - 80070057
Looks like it is the right syntax, possibly the wrong command. I'd try and display the root cert first: dsstore dc=home,dc=domainname,dc=com -display.
Note that the domain name needs to be that of the forest root domain, not a subsidiary domain.
I'll try that. We have only one domain here, the root would be the FQDN minus the HOME part.

A side note about all this: yesterday I was working on a workstation here and had an opportunity to be in a user's Control Panel\Users and Passwords\Advanced tab and, just for the heck of it, I clicked on "New Certificate" and went through that process. I found that when it got to the point where you select the certificate from the CA, the CA listed was "MS IIS DCOM Server" and the computer was "admin.HOME.OurDomain.com". The MS IIS DCOM name I have seen before in various Certificate Services places and it seems to be actually "defaulting" to it in many places (applications & PCs); the computer name was a server that had been set up a while ago for testing purposes and is no longer available on our net. So I clicked "Browse" to locate our DC and it doesn't even show up as available. I wonder if this is part of the problem with, at least that workstation, losing connections and mapping to network resources and such? I checked another WS in the office next door to that one and his CA was also defaulted to the MS IIS DCOM server. But I was able to browse to the correct DC and finish the process successfully on that WS.
I successfully ran the command to display. It displayed a total of 9 certificates, numbers 0 - 8. They are all the same format and the only difference is the last line on each one has a different number. They are all issued by our domain and to our domain. One of the last lines is pasted below:

SHA5 HASH: AF58B75F C85D3715 184A90B0 FD3715F2 5245EE60
On the -addroot command, do I simply name the file name of the root cert., or do I give the path? And to be certain, how can I determine if I'm identifying the correct item as the root certificate? Where should it be located?
Interesting - you probably need to clean out the Certificates node in AD Sites and Services of all references to MS IIS DCOM.
Open AD S&S, select 'Show Services Node' on the view menu. Navigate to Services/Public Key Services and ensure there is only a node for your real server under CDP. Under that node will be the name of your CA, ensure only that name exists under AIA, Certification Authorities, and Enrollment Services.

When you enter the 'New Cert' wizard on a workstation, it is these entries that the ws interrogates to find a CA to request a cert from.

Bit confused by your definition of a root, if your DC's FQDN is server.home.domainname.com, the DN of the root domain would be dc=home,dc=domainname,dc=com
I'm sure that in my futile attempts to correct this problem that I've created multiple copies of our certificate. Should I get rid of those? Should I delete them? Should I delete the MS IIS DCOM cert. and how do I do that, if yes?
Yes, it's worth clearing out the redundant certs. To delete them, use dsstore with the -del switch. Docs suggest it will list the roots and prompt you for which one to remove.
OK, I cleaned out all of them except for the (hopefully) oldest one. I assumed that each time a new cert was added, the new cert would be given the number 0. Thus making #8 the oldest and 7 the second oldest, etc. Is there a refresh function to refresh, or is that the -pulse command? How can I renew this now and the other issues like making sure that it's published to active directory?
I ran the dsstore -dcmon display on the domain controller and it returned information that there are 65 KDC certificates for win2kserv (our DC). Is this an unusually high number?
dsstore is used to administer the certs stored in AD (Directory Service STORE), so you have now verified that a single copy of the current root cert is published to AD. The -pulse command is issued to force all DCs to request a DC cert from the CA. Issue that now; let's see if you still get a failed cert request.
Sorry it took so long to reply.
I did the -pulse command and I didn't get any type of return at the command prompt, which makes me think that the command completed without error, correct?
Possibly, are there corresponding new certs/failed requests viewable in the CA mmc console?
No
Then something didn't work. I think it's time to go back to the start - the errors you noted originally were split into 2 groups, Winlogon for the DC cert request failures and CertSvc.
If you restart the Certificate service, do you still get errors in the event log, and if so, what are they?
Well originally I was getting 3 errors every 8 hours (see below)

Event Type:     Warning
Event Source:     Winlogon
Event Category:     None
Event ID:     1010
Date:          6/6/2005
Time:          6:20:44 AM
User:          N/A
Computer:     WIN2KSERV
Description:
Automatic enrollment against the certification authority MS IIS DCOM Server for a certificate of type DomainController has failed.  (0x80070005) Access is denied.
.   Another certification authority will be tried.

Event Type:     Warning
Event Source:     Winlogon
Event Category:     None
Event ID:     1010
Date:          6/6/2005
Time:          6:20:55 AM
User:          N/A
Computer:     WIN2KSERV
Description:
Automatic enrollment against the certification authority "our domain"!002c LLC for a certificate of type DomainController has failed.  (0x80090008) Invalid algorithm specified.
.   Another certification authority will be tried.

Event Type:     Warning
Event Source:     Winlogon
Event Category:     None
Event ID:     1010
Date:          6/6/2005
Time:          6:20:56 AM
User:          N/A
Computer:     WIN2KSERV
Description:
Automatic enrollment against the certification authority MS IIS DCOM Server for a certificate of type DomainController has failed.  (0x80070005) Access is denied.
.   Another certification authority will be tried.

The MS IIS DCOM Server reference, I believe, was to a CA that had been installed on a test server perhaps 10 months ago that is no longer in existence. So, I deleted them from the AD Sites & Services/Services applet.

After some "poking around" I found certificate related entries (and templates) located in the AD Sites and Services and deleted the entries related to "MS IIS Dcom Server" and since doing that, I only get the error referencing the CA "OurDomain!002c LLC". It remains the same...spaced at 8 hour intervals.

I think it was last Friday that I decided to pay for CA tech support provided by Microsoft. The technician that is working on it obviously has other priorities, because that hasn't gone anywhere and the communication on the issue is minimal, at best. Meanwhile the June 18, 2005 expiration date for the CA cert has come and gone without any disastrous effects that I'm aware of and, in fact, I am not even able to find any reference to the certs that were on the brink of expiration. I wouldn't be surprised if everything got washed out somehow with all of the attempts to issue new certs and all. I still cannot request a new certificate from within the Certificates/Personal MSC. The error message remains the same and apparently has the Microsoft tech baffled as well; the message is, "The certificate cannot be installed because of a problem with the cryptographic hardware". I looked at the NIC for the DC and it had Smart Card authentication enabled, so I disabled that, thinking for sure that I had found the "magic bullet", but it didn't have any impact at all.

I just restarted the CA and there aren't any error messages from the restart itself. I do get the other one about the "invalid algorithm" every 8 hours and I also get this one below every now and then:

Event Type:      Warning
Event Source:      CertSvc
Event Category:      None
Event ID:      103
Date:            6/21/2005
Time:            8:32:12 AM
User:            N/A
Computer:      WIN2KSERV
Description:
Certificate Services temporarily added the root certificate of certificate chain 3 to the downloaded Enterprise Root store.  If this problem persists, publishing the root certificate to the Active Directory may be necessary.
No idea what this last one means - a google on the description came back with 6 hits, all a single discussion on a forum at sslguru.com, which has been now purged from their database. Not sure what else I can add, except that from a logical point of view, until the cert service can start and persist without errors, there's no reason to expect that any functionality will work correctly.

Good luck with the MS Support
Do you have any idea what the error reference to "invalid algorithm" means? I would guess that it refers to either the public or private key and, if it does, is there some way I can open that cert up and edit it, or change the keys? How can I find out what "certificate chain 3" is? Sometimes it will refer to other chains as well, such as 2 or 4.
I think the algorithm error may be a red herring - the CA name it is trying to reference looks like junk.

You can't edit the cert or the keys; that's the whole point of a PKI.

Don't know how to find out what the chains are, rather depends on what the error is referring to.
Heh, Heh, sorry, the domain name junk that you refer to is junk that I substituted for our actual domain name that I didn't really want publicized. A tad bit paranoid.

Can I just delete the certs and get new ones? Also, I've been looking all over that PC for the actual certs and can't find them. What extensions do they have? I've been looking for extensions, .cer, .pk*
ASKER CERTIFIED SOLUTION
dwielgosz