Failed to enroll for one <certificate template name> certificate (0x80092009). Cannot find the requested object

I recently set up an Enterprise Root CA on our Windows Server 2008 x64 Enterprise Active Directory server, which uses the SHA512RSA algorithm, 4096 key character length, and RSA#Microsoft Software Key Storage Provider CPS.  I set up a duplicate template of the Workstation Authentication according to the instructions provided with System Center Configuration Manager and I was able to issue certificates to Windows 2008 servers and Vista Ultimate x64/32 clients both manually (through the request wizard, selecting that template) and using auto enrollment.

When I tried to use auto enrollment with XP SP3/Server 2K3 SP2 clients and servers, the CA successfully issued the certificate and placed it in the Issued store; however, the client did not import the certificate to the personal local computer store and instead logged the event id 13 "Failed to enroll for one <certificate template name> certificate (0x80092009).  Cannot find the requested object."  I checked the certificate Enrollment Requests store, but it was empty.

When I tried to manually request certificates using the wizard on the XP SP3 domain joined clients and Server 2003 SP2 domain joined servers, I received the "Certificate request failed. Cannot find the requested object" error message.

I found a hotfix (KB938397) for Windows Server 2003, but that did not resolve this issue for that OS.  

What am I doing wrong for XP/2K3 clients and servers?

Microsoft has contacted me with the KB article for the fix for this issue.

You're not alone.   I have run into the exact same problem as you, with the exact same settings.  I was able to export the certificate from the CA to the test workstation and install it successfully.   Any sort of automatic request, renewal, etc. all failed with the same error code.

I've called MS on it today, and the case is still in progress.  The tech seemed to believe that the problem is due to the use of SHA-2 type hashing algorithms not being supported on XP and 2003...  Per the release notes of XP SP3, it is supposed to add support for it, which my XP boxes are.

<begin XP SP3 Release Notes Copy>

Security / Microsoft Kernel Mode Cryptographic Module: Implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation.

The Federal Information Processing Standard (FIPS) 140-1 standard has been replaced by FIPS 140-2, and these modules have been validated and certified according to this standard.
<end XP SP3 Release Notes Copy>

With MS, we have begun the process of removing and re-adding the CA's using SHA1 and only a 2048 size.   Now, we have put the case on hold until next week so that he can research due to an issue with the online subca failing to re-install, and a question of whether RSA#Microsoft Software Key Storage Provider is actually going to work with XP/Server 2003.

Some documentation I've found says that the new Suite B stuff is Vista and 2K8 only, while other stuff, like the release notes, says it is supported with XP SP3...

Of course, if you set up CA with older settings to support XP/2003, officially, MS says you have to create a new CA, and start over with a cross site certificate between old and new...  Yet, I've also found this:

which does in theory seem to imply the ability to do this...  I'll let you know what I find.
Been working with PSS for a while... a little scary at times, but got a worthwhile update today that you might find interesting.  Will let you know once I have a KB for a hotfix you can request.

I've been assisting XXX on this issue for the past 2 days and wanted to give you an update on our research as well as our suggested plans moving forward regarding this issue.

First, I was able to reproduce this issue in-house and debugging reveals that this issue is a bug in the SHA2 support updates included in Windows XP SP3 and the KB938397 update for Windows Server 2003.

I have a good understanding of the issue and I have submitted this information to our development group to confirm my analysis and request a hotfix to resolve this issue.
Other than a code change, I have not yet found a way to allow the certificate request to work outside of lowering the encryption level on the CA.
So at this point the only immediate change we can recommend is to lower the encryption level on the CA.

Regarding the Hotfix request, assuming the development group agrees to resolve the issue via hotfix, this process can take anywhere from three weeks to several months depending upon the complexity of the issue and the testing requirements. During this process, the development group will often generate a private hotfix that can be provided to you. If a private is provided, we ask that you test it in your environment to confirm that it fixes the problem and does not cause any noticeable problem in your environment. You will be able to use and test it in your environment until the official hotfix is released, but the private is not intended for redistribution outside of your organization. Also keep in mind that these privates are provided with relatively little upfront testing, so it is not recommended to widely distribute them in a production environment.
Here is the latest on this case.

When MS added SHA2 support to XP/2K3, it was only for certification verification purposes (and only for the AES CSP).   As a result, XP/2K3 cannot use SHA2 for things like signing, auth, etc., which in this case makes it worthless.

If I get a hotfix for the issue, it is going to be a long ways out.  
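A quick way to audit an existing CA (or issued) certificate for the condition described in this thread is to read the outer signatureAlgorithm OID out of the DER and flag the SHA-2 RSA variants. The following is an added example, not code from the thread or from Microsoft; the minimal certificate blob it parses is constructed inline so it runs offline, and the OID table values are the standard RFC 3279/RFC 4055 assignments.

```python
# Added example: flag X.509 certificates whose signature uses a SHA-2 RSA OID,
# which (per this thread) XP SP3 / Server 2003 SP2 can validate but cannot
# enrol against.  Pure-stdlib DER parsing; no cryptography library needed.

# Real OIDs: (friendly name, is SHA-2 family)
SIG_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, body, _ = _read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30: raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                  # skip tbsCertificate
    tag, algid, _ = _read_tlv(body, pos)            # AlgorithmIdentifier
    if tag != 0x30: raise ValueError("expected AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06: raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def legacy_enrollment_ok(cert_der):
    """(usable by XP/2003 enrollment?, algorithm name); unknown OIDs are treated as not usable."""
    oid = signature_algorithm(cert_der)
    name, sha2 = SIG_OIDS.get(oid, (oid, True))
    return (not sha2), name

def _der(tag, content):                     # tiny encoder for the constructed sample only
    return bytes([tag, len(content)]) + content

def sample_cert(last_arc):
    """Constructed minimal 'certificate': dummy tbs, RSA sig OID 1.2.840.113549.1.1.<last_arc>, empty signature."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    tbs = _der(0x30, _der(0x02, b"\x01"))
    algid = _der(0x30, _der(0x06, oid) + _der(0x05, b""))
    return _der(0x30, tbs + algid + _der(0x03, b"\x00"))

SHA512_CERT = sample_cert(13)   # what the original poster's CA produces
SHA1_CERT = sample_cert(5)      # what MS support recommended falling back to
```

To check a real CA certificate, pass `open("ca.cer", "rb").read()` (a DER file, not Base64) to `legacy_enrollment_ok`.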
jbcsystech (Author) commented:

Thank you for your help and the time you spent working on this issue.