Solved

Failed to enroll for one <certificate template name> certificate (0x80092009). Cannot find the requested object

Posted on 2008-10-22
Last Modified: 2012-05-05
I recently set up an Enterprise Root CA on our Windows Server 2008 x64 Enterprise Active Directory server, which uses the SHA512RSA algorithm, a 4096-bit key length, and the RSA#Microsoft Software Key Storage Provider CSP. I set up a duplicate of the Workstation Authentication template according to the instructions provided with System Center Configuration Manager, and I was able to issue certificates to Windows 2008 servers and Vista Ultimate x64/x86 clients both manually (through the request wizard, selecting that template) and using auto-enrollment.

When I tried to use auto-enrollment with XP SP3/Server 2K3 SP2 clients and servers, the CA successfully issued the certificate and placed it in the Issued store; however, the client did not import the certificate into the local computer Personal store and instead logged event ID 13: "Failed to enroll for one <certificate template name> certificate (0x80092009). Cannot find the requested object." I checked the Certificate Enrollment Requests store, but it was empty.

When I tried to manually request certificates using the wizard on the domain-joined XP SP3 clients and Server 2003 SP2 servers, I received the error message "Certificate request failed. Cannot find the requested object."

I found a hotfix (KB938397) for Windows Server 2003, but that did not resolve this issue for that OS.  

What am I doing wrong for XP/2K3 clients and servers?
Question by: jbcsystech

Expert Comment by: colin_harford (ID: 22854132)
You're not alone. I have run into the exact same problem as you, with the exact same settings. I was able to export the certificate from the CA to the test workstation and install it successfully. Any sort of automatic request, renewal, etc. all failed with the same error code.

I've called MS on it today, and the case is still in progress. The tech seemed to believe that the problem is due to the use of SHA-2 type hashing algorithms not being supported on XP and 2003... Per the release notes of XP SP3, it is supposed to add support for it, which is what my XP boxes are running.

<begin XP SP3 Release Notes Copy>

Security: Microsoft Kernel Mode Cryptographic Module implements and supports the SHA2 hashing algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation.

The Federal Information Processing Standard (FIPS) 140-1 standard has been replaced by FIPS 140-2, and these modules have been validated and certified according to this standard.

<end XP SP3 Release Notes Copy>


With MS, we have begun the process of removing and re-adding the CAs using SHA1 and only a 2048 key size. Now we have put the case on hold until next week so that he can research, due to an issue with the online sub-CA failing to re-install, and a question of whether RSA#Microsoft Software Key Storage Provider is actually going to work with XP/Server 2003.

Some documentation I've found says that the new Suite B stuff is Vista and 2K8 only, such as
http://msdn.microsoft.com/en-us/library/aa376210.aspx ... other stuff, like the release notes, says it is supported with XP SP3...



Of course, if you set up the CA with older settings to support XP/2003, officially MS says you have to create a new CA and start over with a cross site certificate between old and new... Yet I've also found this:

http://www.derkeiler.com/Newsgroups/microsoft.public.windows.server.security/2008-06/msg00113.html


which does in theory seem to imply the ability to do this... I'll let you know what I find.

Expert Comment by: colin_harford (ID: 22913586)
Been working with PSS for a while... a little scary at times, but got a worthwhile update today that you might find interesting. Will let you know once I have a KB for a hotfix you can request.

I've been assisting XXX on this issue for the past 2 days and wanted to give you an update on our research as well as our suggested plans moving forward regarding this issue.

First, I was able to reproduce this issue in-house and debugging reveals that this issue is a bug in the SHA2 support updates included in Windows XP SP3 and the KB938397 update for Windows Server 2003.

I have a good understanding of the issue and I have submitted this information to our development group to confirm my analysis and request a hotfix to resolve this issue.
Other than a code change, I have not yet found a way to allow the certificate request to work outside of lowering the encryption level on the CA.
So at this point the only immediate change we can recommend is to lower the encryption level on the CA.

Regarding the hotfix request, assuming the development group agrees to resolve the issue via hotfix, this process can take anywhere from three weeks to several months depending upon the complexity of the issue and the testing requirements. During this process, the development group will often generate a private hotfix that can be provided to you. If a private is provided, we ask that you test it in your environment to confirm that it fixes the problem and does not cause any noticeable problem in your environment. You will be able to use and test it in your environment until the official hotfix is released, but the private is not intended for redistribution outside of your organization. Also keep in mind that these privates are provided with relatively little upfront testing, so it is not recommended to widely distribute them in a production environment.
Expert Comment by: colin_harford (ID: 23234401)
Here is the latest on this case.


When MS added SHA2 support to XP/2K3, it was only for certificate verification purposes (and only for the AES CSP). As a result, XP/2K3 cannot use SHA2 for things like signing, auth, etc., which in this case makes it worthless.

If I get a hotfix for the issue, it is going to be a long ways out.  
Accepted Solution by: colin_harford (ID: 24158265)
Microsoft has contacted me with the KB article for the fix for this issue:

http://support.microsoft.com/kb/968730
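As an added example (not code from the original thread, from Microsoft, or from the KB article), the following PowerShell checks both ends of the problem described above: on the CA, it reads the provider and signing hash the CA is configured with (via `certutil -getreg`) and the CA certificate's key size, and flags anything other than SHA-1 as unusable by XP SP3 / Server 2003 SP2 enrollees that lack KB968730; on a legacy client, it reports whether KB968730 is installed and whether AutoEnrollment event 13 with 0x80092009 has been logged. Assumptions: the CALG_* values are the published CryptoAPI constants (CALG_SHA1 = 0x8004, CALG_SHA_256 = 0x800c, CALG_SHA_384 = 0x800d, CALG_SHA_512 = 0x800e); the Application-log event source name "AutoEnrollment" on XP/2003 is assumed; the script targets PowerShell 2.0 so that it can run on those older systems.

```powershell
<#
  Added example, not from the original thread or from Microsoft.
  Get-CaSigningConfig        - run on the CA as an administrator.
  Test-LegacyClientEnrollment - run on the XP SP3 / 2003 SP2 machine that fails.
  Assumption: the XP/2003 AutoEnrollment event source is named "AutoEnrollment".
#>

function Get-CertUtilRegValue {
    # Runs "certutil -getreg ca\csp\<name>" against the local CA and returns
    # the right-hand side of the "<name> REG_xxx = <value>" line, or $null.
    param([string]$ValueName)
    $out = certutil -getreg "ca\csp\$ValueName" 2>$null
    foreach ($line in @($out)) {
        if ($line -match "^\s*$ValueName\s+REG_\w+\s*=\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-CaSigningConfig {
    # Legacy CSP: the hash is a CALG_* DWORD in ca\csp\HashAlgorithm.
    # CNG KSP (as in this thread): the hash is a string in ca\csp\CNGHashAlgorithm.
    $calg = @{ 0x8004 = 'SHA1'; 0x800c = 'SHA256'; 0x800d = 'SHA384'; 0x800e = 'SHA512' }

    $provider = Get-CertUtilRegValue 'Provider'
    $hash     = Get-CertUtilRegValue 'CNGHashAlgorithm'
    if (-not $hash) {
        $raw = Get-CertUtilRegValue 'HashAlgorithm'       # e.g. "8004 (32772)"
        if ($raw) {
            $code = [Convert]::ToInt32(($raw -split '\s+')[0], 16)
            if ($calg.ContainsKey($code)) { $hash = $calg[$code] }
            else { $hash = 'CALG 0x{0:x}' -f $code }
        }
    }

    # Key size of the CA's own certificate: the one in the machine store that
    # has a private key. Reading the public key works for CSP and KSP keys alike.
    $caCert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    $keySize = $null
    if ($caCert) { $keySize = $caCert.PublicKey.Key.KeySize }

    $legacyOk = ($hash -eq 'SHA1')
    $note = "$hash signing: XP SP3 / 2003 SP2 clients need KB968730 before they can enroll."
    if ($legacyOk) { $note = 'SHA-1 signing: XP SP3 / 2003 SP2 clients can enroll without the hotfix.' }

    New-Object PSObject -Property @{
        Provider        = $provider
        HashAlgorithm   = $hash
        CaKeySize       = $keySize
        LegacyClientsOk = $legacyOk
        Note            = $note
    }
}

function Test-LegacyClientEnrollment {
    # Run on the XP SP3 / Server 2003 SP2 machine that logs event 13.
    param([string]$HotfixId = 'KB968730')

    # Win32_QuickFixEngineering lists installed updates by KB number.
    $fix = Get-WmiObject Win32_QuickFixEngineering -Filter "HotFixID = '$HotfixId'"

    # Event 13 from the AutoEnrollment source carrying the 0x80092009 HRESULT
    # (CRYPT_E_NOT_FOUND) is the symptom described in the question.
    $events = Get-EventLog -LogName Application -Source AutoEnrollment -EntryType Error -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13 -and $_.Message -match '0x80092009' }

    $last = $null
    if ($events) { $last = @($events)[0].TimeGenerated }

    New-Object PSObject -Property @{
        HotfixInstalled = [bool]$fix
        Event13Count    = @($events).Count
        LastEvent13     = $last
    }
}

# Usage:
#   on the CA:          Get-CaSigningConfig | Format-List
#   on a failing client: Test-LegacyClientEnrollment | Format-List
```

If `LegacyClientsOk` comes back false and the client report shows `HotfixInstalled` false with a non-zero `Event13Count`, that is the combination this thread describes, and installing KB968730 on the client is the route that keeps SHA-2 on the CA. The "lower the encryption level" route the Microsoft engineer mentioned corresponds to switching the CA's signing hash with `certutil -setreg ca\csp\CNGHashAlgorithm SHA1` followed by a restart of the CertSvc service, which affects certificates and CRLs signed from then on; the thread also notes that Microsoft's official guidance was to stand up a new CA rather than change an existing one in place.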
Author Closing Comment by: jbcsystech (ID: 31508936)
Colin,

Thank you for your help and the time you spent working on this issue.