CertUtil: -CRL command FAILED: 0x80072098 (WIN32: 8344)
CertUtil: Insufficient access rights to perform the operation.
The following error appears in the Application Log:
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 75
Date: 8/14/2008
Time: 10:29:36 AM
User: N/A
Computer: myCA
Description:
Certificate Services could not publish a Base CRL for key 0 to the following location on server myDC.myDomain.com:
ldap:///CN=Certifying Authority,CN=myCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=myDomain,DC=com.
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
(The same error repeats for the Delta CRL.)
Can anyone help me resolve this?
I was able to restore authentication by browsing to the CertEnroll share and
manually installing the Base and Delta CRLs on each domain controller. This
tells me that the CA and certificate services are functioning properly; it's
just a matter of the CA being able to publish the CRL to AD, which it is
currently unable to do.
I went through and checked the permissions on the CDP\Computer and AIA
containers, and they were all set as you recommend they should be. However, I
noted one discrepancy: I can't seem to find the CA certificate object (but I
freely admit I may be looking in the wrong place).
I used ADSI Edit and was looking at everything in:
Configuration -> Services -> Public Key Services
Is that where I should be looking?
"Brian Komar (MVP)" wrote:
> What are the permissions on the CDP\Computer and AIA containers?
> Did you happen to ever delete the computer account and then rebuild?
> It sounds like a permissions problem in the configuration naming context.
> 1. AIA container. Ensure Cert Publishers is assigned Read, Write, Create all
> Child Objects and Delete All Child Objects.
> 2. CA Certificate object: CA computer account: Full Control, Read, and
> Write.
> 3. CDP\ComputerName. Cert Publishers group assigned Read, Write, Create all
> Child Objects and Delete All Child Objects.
> 4. CRL Object(s) in the CDP\Computer Name container. CA Computer account:
> Full Control, Read, Write
> 5. CA object in Enrollment Services: Computer account assigned Read, Write.
>
> Brian
>
> "KHauer" <KHa...@discussions.microsoft.com> wrote in message
> news:2C7E3AB2-27F9-405F...@microsoft.com...
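An added PowerShell audit of the objects in Brian's checklist above (this is not code from the thread or from Microsoft). It assumes the ActiveDirectory module's AD: drive, read access to the configuration naming context, and uses the CA name and CA computer name from the event text as placeholders to be replaced.

```powershell
# Added example: report which of the expected rights Cert Publishers and the CA
# computer account actually hold on the PKI containers in the Configuration NC.
# Assumes the ActiveDirectory module (AD: drive). $CaName / $CaHost are
# placeholders taken from the event text above; substitute your own values.
Import-Module ActiveDirectory

$CaName = 'Certifying Authority'   # CA common name (placeholder)
$CaHost = 'myCA'                   # CA computer NetBIOS name (placeholder)
$Pks    = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Approximate mapping of the GUI rights: Read ~ GenericRead, Write ~ GenericWrite,
# Full Control ~ GenericAll (GenericAll contains the other generic bits).
$RW   = @('GenericRead', 'GenericWrite')
$RWCD = $RW + @('CreateChild', 'DeleteChild')

$Checks = @(
    @{ DN = "CN=AIA,$Pks";                            Who = 'Cert Publishers'; Need = $RWCD }
    @{ DN = "CN=$CaName,CN=AIA,$Pks";                 Who = "$CaHost`$";       Need = @('GenericAll') }
    @{ DN = "CN=$CaHost,CN=CDP,$Pks";                 Who = 'Cert Publishers'; Need = $RWCD }
    @{ DN = "CN=$CaName,CN=$CaHost,CN=CDP,$Pks";      Who = "$CaHost`$";       Need = @('GenericAll') }
    @{ DN = "CN=$CaName,CN=Enrollment Services,$Pks"; Who = "$CaHost`$";       Need = $RW }
)

foreach ($c in $Checks) {
    if (-not (Test-Path -Path "AD:\$($c.DN)")) {
        # A deleted container or object shows up here (cf. 0x8007208d, object not found).
        Write-Warning "MISSING  $($c.DN)"
        continue
    }
    # OR together every Allow ACE for the principal, explicit and inherited.
    $granted = [System.DirectoryServices.ActiveDirectoryRights]0
    (Get-Acl -Path "AD:\$($c.DN)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -like "*\$($c.Who)" } |
        ForEach-Object {
            $granted = [System.DirectoryServices.ActiveDirectoryRights]($granted -bor $_.ActiveDirectoryRights)
        }

    $missing = $c.Need | Where-Object {
        -not $granted.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$_)
    }
    if ($missing) {
        Write-Warning "LACKS    $($c.Who) on $($c.DN): $($missing -join ', ')"
    } else {
        Write-Output  "OK       $($c.Who) on $($c.DN)"
    }
}
```

Deny ACEs are not evaluated, so an OK line means the rights are granted, not that nothing overrides them.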
"KHauer" <KHa...@discussions.microsoft.com> wrote in message
news:6277B409-1883-4207...@microsoft.com...
1. When PKIView.msc opens, both Enterprise PKI and my CA show with nice big
red X's in them.
2. Right-clicked on Enterprise PKI and selected 'Manage AD containers...'
3. NTAuthCertificates tab lists the CA and the status is OK.
4. AIA Container tab lists the CA, status OK.
5. CDP Container tab listed both the Base CRL and Delta CRL, both listed as
Expired.
6. I removed both CRLs from the CDP Container tab. When asked if I wanted to
remove the container, I said yes (which I likely shouldn't have; I was
hoping it would recreate it on the fly).
7. Now I open the CA console and try to publish the CRL and receive the
following error:
Directory object not found. 0x8007208d (WIN32: 8333)
How badly did I break it? Thanks again for all your help, it's appreciated.
BTW, manually installing the CRLs on each DC is still working, authentication
works just fine (I just don't want to have to keep doing it manually).
"KHauer" <KHa...@discussions.microsoft.com> wrote in message
news:05C91D4C-F771-4386...@microsoft.com...
"Brian Komar (MVP)" wrote:
> Wrong tool.
> Use DSSITE.msc or ADSIEdit.msc
> Brian
>
> "KHauer" <KHa...@discussions.microsoft.com> wrote in message
> news:C4D9F95B-6B7B-4EB1...@microsoft.com...