Discussion:
CRL failing to publish to AD
KHauer
17 years ago
Migrated our Enterprise Certificate Authority following steps outlined in
http://support.microsoft.com/kb/298138. The CA was migrated from a Windows
2000 Server domain controller with SP4 to a Windows Server 2003 R2 member
server with SP2. Following the migration, the CA is issuing certificates
successfully; however, it cannot publish a new CRL, so authentication is
failing. The exact error from the CLI is:

CertUtil: -CRL command FAILED: 0x80072098 (WIN32: 8344)
CertUtil: Insufficient access rights to perform the operation.

The following error appears in the Application Log:

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 75
Date: 8/14/2008
Time: 10:29:36 AM
User: N/A
Computer: myCA
Description:
Certificate Services could not publish a Base CRL for key 0 to the following
location on server myDC.myDomain.com: ldap:///CN=Certifying
Authority,CN=myCA,CN=CDP,CN=Public Key
Services,CN=Services,CN=Configuration,DC=myDomain,DC=com. Insufficient
access rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

(The same error repeats for the Delta CRL.)

Can anyone help me resolve this?
KHauer
17 years ago
Update on this:

I was able to restore authentication by browsing to the CertEnroll share and
manually installing the Base and Delta CRLs on each domain controller. This
tells me that the CA and certificate services are functioning properly, it's
just a matter of the CA being able to publish the CRL to AD, which currently,
it is unable to do.
KHauer
17 years ago
Thank you for your response, Brian.

I went through and checked the permissions on the CDP\Computer and AIA
containers, and they were all set as you recommend they should be. However, I
noted one discrepancy: I can't seem to find the CA certificate object (but I
freely admit I may be looking in the wrong place).

I used ADSI Edit and was looking at everything in:

Configuration -> Services -> Public Key Services

Is that where I should be looking?
Brian Komar (MVP)
17 years ago
Use pkiview.msc to view the containers.
Brian
KHauer
17 years ago
Ok, I used PKIView.msc to view the containers. Couldn't figure out how to
view container permissions, but here's what I did so far:

1. When PKIView.msc opens, both Enterprise PKI and my CA show with nice big,
red X's in them.
2. Right-clicked on Enterprise PKI and selected 'Manage AD containers...'
3. NTAuthCertificates tab lists the CA and the status is OK.
4. AIA Container tab lists the CA, status OK.
5. CDP Container tab listed both the Base CRL and Delta CRL, both listed as
Expired.
6. I removed both CRLs from the CDP Container tab. When asked if I wanted to
remove the container, I said yes (which, I likely shouldn't have, I was
hoping it would recreate it on the fly).
7. Now I open the CA console and try to publish the CRL and receive the
following error:

Directory object not found. 0x8007208d (WIN32: 8333)

How badly did I break it? Thanks again for all your help, it's appreciated.
BTW, manually installing the CRLs on each DC is still working, authentication
works just fine (I just don't want to have to keep doing it manually).
Brian Komar (MVP)
17 years ago
ummm, deleting the containers was a really bad idea.
You should have updated the objects in those containers by fixing the
permissions.
I recommend building a replica in a virtual environment, checking out the
permissions, and then recreate containers per those permissions.
Brian
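The permission check Brian is asking for, written out as an added example (this is not code from the thread or from Microsoft, and it uses the Windows Server 2003-era command-line tools dsquery, dsacls, dsget, dsmod and certutil from a PowerShell prompt). The names myDomain.com, myCA and "Certifying Authority" are the placeholders that already appear in the event text above; MYDOMAIN as the NetBIOS name and the CA computer object sitting in the default Computers container are assumptions. That the new CA host must be a member of Cert Publishers and hold write access on its CDP and AIA objects is the usual cause of 0x80072098 after a CA is moved to a different machine (the old host's ACEs stay on the objects); the thread itself does not confirm that this was the root cause here.

```powershell
# Added example, not from the thread. Inspect and repair the rights the CA needs
# on its AD CDP/AIA objects, then force a fresh CRL publication.
# Run as an Enterprise Admin on a domain-joined host that has the AD support tools.

# Placeholders taken from the event text above; adjust for your forest.
$Domain  = "DC=myDomain,DC=com"
$NetBios = "MYDOMAIN"              # assumption: NetBIOS name of the domain
$CaHost  = "myCA"                  # the new CA member server
$CaName  = "Certifying Authority"  # the CA common name
$CaComputerDn = "CN=$CaHost,CN=Computers,$Domain"   # assumption: default Computers container

$PkiBase = "CN=Public Key Services,CN=Services,CN=Configuration,$Domain"
$CdpHost = "CN=$CaHost,CN=CDP,$PkiBase"   # per-host container the CA creates CRL objects in
$CdpObj  = "CN=$CaName,$CdpHost"          # cRLDistributionPoint object named in event 75
$AiaObj  = "CN=$CaName,CN=AIA,$PkiBase"   # certificationAuthority object the AIA points at

# 1. Confirm which LDAP URL the CA is trying to write (the one quoted in event 75).
certutil -getreg CA\CRLPublicationURLs

# 2. Does the CDP object still exist? Once the container has been removed in pkiview
#    this returns nothing and certutil -CRL reports 0x8007208d (object not found).
dsquery * $CdpObj -scope base -attr distinguishedName

# 3. Dump the ACLs. The CA's computer account (directly or via Cert Publishers) needs
#    create-child on the per-host container and write on the objects. After a host
#    migration these ACLs typically still name the OLD server's computer account.
dsacls $CdpHost
dsacls $CdpObj
dsacls $AiaObj

# 4. Put the new CA host in Cert Publishers and grant the group full control on the
#    objects. Narrow GA to "WP;certificateRevocationList" and "WP;deltaRevocationList"
#    if least privilege is wanted. /I:T applies the ACE to the object and all children.
dsget group "CN=Cert Publishers,CN=Users,$Domain" -members
dsmod  group "CN=Cert Publishers,CN=Users,$Domain" -addmbr $CaComputerDn
dsacls $CdpHost /I:T /G "${NetBios}\Cert Publishers:GA"
dsacls $AiaObj        /G "${NetBios}\Cert Publishers:GA"

# Group membership is carried in the computer's logon token, so reboot the CA host
# before retrying; restarting certsvc alone does not pick up the new membership.

# 5. Re-run the publication and read back the CertSvc events.
certutil -CRL
Get-EventLog -LogName Application -Newest 20 |
    Where-Object { $_.Source -eq "CertSvc" } |
    Format-List TimeGenerated, EventID, Message

# 6. If step 2 showed the object is gone, recreate it once from the CRL files in the
#    CertEnroll share (base CRL first, then the delta CRL, which carries a '+' suffix).
#    -dspublish writes straight into the CDP container, so this replaces the per-DC
#    manual import; later runs of certutil -CRL then find the object and update it.
Get-ChildItem "\\$CaHost\CertEnroll\*.crl" |
    Sort-Object { $_.Name -match '\+' } |
    ForEach-Object { certutil -dspublish -f $_.FullName }
```

Re-run the steps in the virtual replica first, as Brian suggests, and compare the dsacls output there against production: the ACEs the replica's CA created for itself at installation time are the ones the migrated CA is missing.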
KHauer
17 years ago
Maybe this is a silly question, but for the life of me I am *not* seeing
permissions on containers when using pkiview.
KHauer
17 years ago
I created a virtual environment that matches my production environment and
went through all the container and object permissions using ADSIEdit under the
CN=Configuration,DC=buttecourt,DC=ca,DC=gov,CN=Services,CN=Public Key
Services container. I'm still getting the original error.