NAP on 2008 R2: domain client computers don't get a certificate even if they are compliant.

    Question

  • Hi all

    I have struggled with my first setup of NAP on 2008 R2. I followed this guide: http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part1.html

    I'm sure I have set everything up as instructed, and I have gone over it 3 times now to make sure I haven't made some human error.

    I can confirm everything is running IPsec-wise, but for some reason I don't get a certificate even if the computer is compliant. In my case the firewall is running.

    I suspect the reason it isn't working is because the guide is for 2008 and I'm using 2008 R2, and perhaps Microsoft changed something, but I haven't been able to find a guide for 2008 R2.

    One thing that doesn't match in the guide with my system is the GPO: NAP Client configuration. According to the guide, when I'm done setting it up I'm supposed, so says the guide, to right-click on it and choose Apply. I don't have an Apply when I do that, only Import, Export and Remove and then your typical right-click options.

    I need some help here. I have scoured the net to find a guide that works with 2008 R2 but have not been able to find one.

    It would be very helpful if one of you guys would run through the guide and tell me what's missing, or maybe point me to another guide. Or perhaps help me out with why my client isn't receiving any certificate.

    Help me Obi Wan Kenobi

    you are my only hope

    Wednesday, April 28, 2010 10:42 AM

All replies

  • Hi All

    I looked on the TechNet forum and found a step-by-step guide for NAP IPsec, but following the setup in this guide from Microsoft didn't do anything to help solve my problem. Though there were some differences between the guide I found and the one from Microsoft...

    http://www.microsoft.com/downloads/details.aspx?FamilyID=298ff956-1e6c-4d97-a3ed-7e7ffc4bed32&displaylang=en

    Is there really no one out there willing to give this a try?

    Thursday, April 29, 2010 6:32 AM
  • Hi,

    The process for getting a certificate is below. If the client isn't getting a certificate, you should verify that each step is occurring.

    1. The client discovers the HRA.
    2. The client attempts to gain access and sends its access request with health status to HRA.
    3. HRA forwards the request to NPS for approval.
    4. The client is approved or denied a certificate by NPS depending on which policy is matched.
    5. If the client is approved, NPS will instruct HRA to request a certificate from the Certification Authority (CA) on behalf of the client.
    6. HRA requests the certificate from the CA and sends it to the client.
    7. The client receives the certificate and gains access to the network.

    Please review the event logs on the client and the server. The instructions for reviewing these logs are in a sticky post I created here: Troubleshooting basics.

    The "apply" step that was needed in 2008 is not needed in 2008 R2. Almost nothing else has changed. There is a slight change to one of the IPsec policy configurations, but this would not affect whether or not the client gets a certificate.

    First you should make sure that the client is getting the correct settings from the GPO. Then check to see that it matched the correct policy on NPS. Lastly, ensure that the HRA configuration is correct on both the server and client side. The HRA must be configured with the CA and the client must be configured with the HRA.

    Let me know what you find out, and we'll go from there.

    Thanks,

    -Greg

    Monday, May 03, 2010 6:22 PM
  • Hi Greg and thank you for answering...

    The Event logs show nothing on either client or server.. :( apart from some DCOM errors on the server, but I don't think those are related.

    This is the first NAP server I have set up, I must add...

    I checked the GPO and rechecked it. It's the exact same as the guide tells me to do it. I found another post on TechNet saying the issue with not getting the certificate could be related to the GPO being applied before network services are up and running. I did make the change to the GPO so that it would wait for network services, but this didn't do much.

    I'm not sure what you mean by checking that the GPO matches the NAP policy?

    I have gone through the HRA settings and they seem to be correct on the NAP server, but I'm not sure what you mean by checking the HRA on the client? If you mean whether the client is compliant, it is...

    In my setup, since I have followed the guide, my HRA and CA are on the same server, with my root CA being on the AD server.

     

    Tuesday, May 04, 2010 9:01 AM
  • Hi,

    Please issue a "netsh nap client show group" on the client. This will tell you if the client is receiving the settings from the GPO (and what they are).

    Next, issue a "netsh nap client show state" on the client. This will tell you if the client is using the settings. If you can provide the output here that will help.

    Thanks,

    -Greg

    Tuesday, May 04, 2010 2:29 PM
  • Hi Greg,

     

    This is weird. I have run those commands before on another client with good results. The commands you posted are also mentioned in the guide...

    But when I run them on my virtual client the CMD crashes when I write "netsh nap client show group", and I get access denied when I write this one (even with admin priv.): "netsh nap client show state"...

    I'm logged on as a domain administrator on the client. Any ideas?

    I probably should include that my servers are on subnet 1 and clients are on subnet 2... I don't know if this makes a difference certificate-wise...?

     

     

    Tuesday, May 04, 2010 3:13 PM
  • I don't know if anyone will still respond to this thread:

    "netsh nap client sh group" shows IPSec enabled

    "netsh nap client sh state" tells me the SHA has updated the state of the computer, and that IPSec Replying party is initialised

    However I have no certificate and no record of a request to the CA in any event viewer.

     

     


    CarolChi
    Tuesday, May 24, 2011 2:06 PM
  • Hi Carol,

    Review the client side events to see what failed. You may not be able to locate the HRA, or there might be a configuration problem on the HRA. It isn't possible to know which without looking at these logs.

    If your client found the HRA but was unable to acquire a certificate, there will be a failure code that provides hints about what the problem might be on your HRA. If you look at the event logs on the HRA this can also provide more information about what is wrong.

    -Greg

    Tuesday, May 24, 2011 3:39 PM
  • I have made some progress since posting. there was a certificate revocation check error on the (new) subordinate CA on the HRA server.

    Now I have a DCOM error relating to the CA, just rebooting to see if it will go away.

    So the HRA was doing fine.

    I'd love to find an easy guide to CRLs for small environments.


    CarolChi
    Tuesday, May 24, 2011 3:43 PM
  • Active Directory Certificate Services denied request 6 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614). The request was for MYDOM\NAP$. Additional information: Error Constructing or Publishing Certificate

    The Health Registration Authority was unable to acquire a certificate for request with the correlation-id {C4A91C29-D2BF-4F37-B8DA-43FABB968CD4}-2011-05-24 15:47:28Z at 10.99.98.56 (principal: MYDOM\CCLT2$). Discarding the request. The Certification Authority \\NAP.mydom.pri\mydom-NAP-subCA denied the request with the following error: Error Constructing or Publishing Certificate (0x80004005). Contact the Certification Authority administrator for more information.

     


    CarolChi
    Tuesday, May 24, 2011 3:50 PM
  • And when I try to publish the CRL : The directory name is invalid 0x8007010b (WIN32/HTTP: 267). Maybe an IIS7.5 problem?
    CarolChi
    Tuesday, May 24, 2011 3:51 PM
  • This is where I always get stuck. How do I decide what is correct?

    certutil -getreg CA\CRLPublicationURLs gives this:


      CRLPublicationURLs REG_MULTI_SZ =
        0: 1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1

        1: 15:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
        CSURL_SERVERPUBLISH -- 1
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOFRESHESTCRL -- 4
        CSURL_ADDTOCRLCDP -- 8

        2: 0:http://%1/CertEnroll/%3%8%9.crl

        3: 1:file://%1/CertEnroll/%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1

    Do I need LDAP publishing as the CA & HRA are on the same system?


    CarolChi
    Tuesday, May 24, 2011 3:58 PM
  • Hi Carol,

    I'm not quite sure what you are trying to do here. You can't use CRLs with NAP.

    What is your setup? Do you have a Root CA on a DC or some other server, with a standalone subordinate CA on the same server as HRA and NPS?

    When the client attempts to get a certificate, it will request one from HRA. HRA then requests the certificate (on behalf of the client) from the CA. Assuming that HRA has permission and the client is compliant, a certificate is issued with the validity period that is configured on HRA. Where in this process are you seeing a problem?

    -Greg

    Tuesday, May 24, 2011 4:04 PM
  • Well now I can publish a CRL, but still not check the revocation

    Active Directory Certificate Services denied request 21 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614). The request was for MYDOM\NAP$. Additional information: Error Constructing or Publishing Certificate


    CarolChi
    Tuesday, May 24, 2011 4:16 PM
  • I have a root CA elsewhere, but online and a standalone subordinate CA on the HRA / NPS server.

    I'm just building it in a test environment.

    The client is requesting a certificate

    The HRA server (Called NAP) is trying to get a certificate from the subordinate CA.

    The subordinate CA is refusing the request:

    Active Directory Certificate Services denied request 24 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614). The request was for MYDOM\NAP$. Additional information: Error Constructing or Publishing Certificate

    I have lots of refused certificates and no issued ones.

     

     


    CarolChi
    Tuesday, May 24, 2011 4:25 PM
  • Hi,

    Sorry for the delay in getting back to you. 

    I know you said your Root CA is online, but can the subordinate CA contact it? I think that I've seen this issue before when the Root CA was offline.

    -Greg

    Wednesday, May 25, 2011 7:11 PM
  • The subordinate CA can ping and get certificates from the root CA. I suppose that is enough?
    CarolChi
    Wednesday, May 25, 2011 7:54 PM
  • Active Directory Certificate Services denied request 88 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614). The request was for SMALLDOM\NAP$. Additional information: Error Constructing or Publishing Certificate

     

     


    CarolChi
    Wednesday, May 25, 2011 8:01 PM
  • Restart the Root CA. Try the CA service first, and if that doesn't work then reboot the box.
    Wednesday, May 25, 2011 8:08 PM
  • This blog article might help: http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx or this article http://technet.microsoft.com/en-us/library/bb331963(EXCHG.80).aspx 

    I'm reasonably sure the problem has to do with connecting to the Root CA. Do you have any CA events on the Root CA that indicate a problem?

    -Greg 

    Wednesday, May 25, 2011 9:08 PM
  • Restarted everything last night before bed.

    Upgraded the CA Root server to Enterprise edition (it was standard). Now have to apply a load of patches.

    The machines in the NAP Exclusion group are getting their certificates from the root CA.

    The ones in the group NAP Client computers who are supposed to get their certificates from the subordinate CA are the problem.

    The subordinate CA is getting its Health cert from the Root CA.

    Anyway I will do patching, go to work and see how things look later today.

     

     


    CarolChi
    Thursday, May 26, 2011 6:22 AM
  • What version of Windows is your Root CA running? In 2008 (not R2) you could not use Standard to publish new certificate templates. There is a required step that would be impossible. See http://technet.microsoft.com/en-us/library/dd314188(WS.10).aspx this step is not possible on the standard version of Windows Server 2008. I think this was changed in R2 however.

    -Greg

     

    Thursday, May 26, 2011 7:53 AM
  • Root CA is (and has been for a while) running 2008 R2. I upgraded it yesterday from Standard to Enterprise but that does not make any difference.

    Looking at the blog entry, I see I am in the "more complicated" cases...

    On my root CA all the certificates except two are OK. They are the oldest CA cert (expired) and a McAfee one (untrusted root).

    On my subordinate CA all the certificates are unable to find revocation information:

    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
    ------------------------------------
    Revocation check skipped -- no revocation information available
    Certificate is valid

    I will continue to read


    CarolChi
    Thursday, May 26, 2011 12:03 PM
  • What about double escaping?
    CarolChi
    Thursday, May 26, 2011 12:31 PM
  • One thing you could try doing is to alter the CA location to point to your Root CA. You would need to change the HRA setting from standalone CA to enterprise CA, and unless you run a command on the CA the health certificates you get on clients will not have the correct validity period - but this will tell you that everything else is working except for your standalone CA.

    Something else I thought I would mention is that I seem to recall having a revocation error before when there was a time synchronization problem between my CAs. If you happen to have the time set differently on one server this can cause problems, so it's worth checking.

    -Greg

    P.S. What do you mean by double escaping?
    Thursday, May 26, 2011 7:11 PM
  • I have got rid of the whole server and will start again.

    Double escaping is something IIS 7.5 does not allow web sites to do - something to do with publishing characters that need two bytes to display (in our case the + in the CRL names). IIS 7.5 disables this by default as it is a security risk, and you have to turn it back on to be able to publish a file name with a + in it to HTTP.

    I wondered if this was also the problem

    Do you know which CRL publication methods are necessary for NPS/NAP on a single subnet LAN?


    CarolChi
    Friday, May 27, 2011 7:29 AM
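The certutil -getreg CA\CRLPublicationURLs output posted earlier in this thread, and the question just above about the "+" in CRL file names, can be worked through with the following script. It is an added example, not code from the thread or from Microsoft: it parses that certutil output, decodes the CSURL_* bits (the four names certutil printed above, plus the remaining bits as documented for certutil -setreg CA\CRLPublicationURLs), expands the %N tokens with constructed sample values built from the server and CA names seen in the thread's events (NAP.mydom.pri, mydom-NAP-subCA), and reports which URLs issued certificates will carry in their CDP extension, which locations the CA actually writes to, and which HTTP delta-CRL names contain "+". The token meanings (%1 ServerDNSName, %3 CaName, %9 DeltaCRLAllowed and so on) are certutil's documented ones; the sample values are assumptions.

```python
# Added example (not from the thread or Microsoft): decode the
# CA\CRLPublicationURLs entries that certutil printed earlier in the thread.
import re
from dataclasses import dataclass

# Bits 1, 2, 4 and 8 are the names certutil printed above; the remaining bits
# are the other values documented for certutil -setreg CA\CRLPublicationURLs.
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",       # the CA writes the CRL to this location
    2: "CSURL_ADDTOCERTCDP",        # URL goes into issued certificates' CDP extension
    4: "CSURL_ADDTOFRESHESTCRL",    # URL goes into the Freshest CRL extension
    8: "CSURL_ADDTOCRLCDP",         # URL goes into the CRL's own IDP extension
    16: "CSURL_PUBLISHRETRY",
    32: "CSURL_ADDTOCERTOCSP",
    64: "CSURL_SERVERPUBLISHDELTA",
    128: "CSURL_ADDTOIDP",
}

# Constructed sample values for certutil's %N tokens, using the server and CA
# names that appear in the thread's event text. %9 (DeltaCRLAllowed) is handled
# in expand(): it is "+" in a delta CRL name and empty in a base CRL name.
SAMPLE_TOKENS = {
    "1": "NAP.mydom.pri",                          # ServerDNSName
    "2": "NAP",                                    # ServerShortName
    "3": "mydom-NAP-subCA",                        # CaName
    "6": "CN=Configuration,DC=mydom,DC=pri",       # ConfigurationContainer
    "7": "mydom-NAP-subCA",                        # CATruncatedName
    "8": "",                                       # CRLNameSuffix (first CA key)
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass
}

# The certutil -getreg output posted above, copied as sample input.
SAMPLE_CERTUTIL_OUTPUT = r"""
  CRLPublicationURLs REG_MULTI_SZ =
    0: 1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1

    1: 15:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
    CSURL_ADDTOCRLCDP -- 8

    2: 0:http://%1/CertEnroll/%3%8%9.crl

    3: 1:file://%1/CertEnroll/%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
"""

ENTRY_RE = re.compile(r"^\s*(\d+):\s+(\d+):(\S.*?)\s*$")
TOKEN_RE = re.compile(r"%(\d+)")


@dataclass
class CrlUrl:
    index: int
    flags: int
    template: str


def parse_crl_publication_urls(text):
    """Turn the 'N: flags:url' lines of the certutil output into CrlUrl entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(CrlUrl(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def decode_flags(flags):
    """Return the CSURL_* names for every bit set in flags, lowest bit first."""
    names, bit = [], 1
    while bit <= flags:
        if flags & bit:
            names.append(CSURL_FLAGS.get(bit, f"UNKNOWN_0x{bit:x}"))
        bit <<= 1
    return names


def expand(template, tokens, delta=False):
    """Substitute the %N tokens; %9 becomes '+' only for a delta CRL name."""
    def sub(m):
        n = m.group(1)
        if n == "9":
            return "+" if delta else ""
        return tokens.get(n, m.group(0))
    return TOKEN_RE.sub(sub, template)


def cert_cdp_urls(entries, tokens):
    """URLs that end up in the CDP extension of issued certificates (bit 2)."""
    return [expand(e.template, tokens) for e in entries if e.flags & 2]


def published_urls(entries, tokens):
    """Locations the CA actually writes its base CRL to (bit 1)."""
    return [expand(e.template, tokens) for e in entries if e.flags & 1]


def http_delta_names_with_plus(entries, tokens):
    """HTTP delta-CRL names containing '+', the character IIS 7.x request
    filtering rejects unless double escaping is allowed."""
    urls = [expand(e.template, tokens, delta=True) for e in entries]
    return [u for u in urls if u.lower().startswith("http://") and "+" in u]


if __name__ == "__main__":
    found = parse_crl_publication_urls(SAMPLE_CERTUTIL_OUTPUT)
    for e in found:
        print(e.index, e.flags, decode_flags(e.flags), expand(e.template, SAMPLE_TOKENS))
    print("in cert CDP:", cert_cdp_urls(found, SAMPLE_TOKENS))
    print("written by CA:", published_urls(found, SAMPLE_TOKENS))
    print("http names with '+':", http_delta_names_with_plus(found, SAMPLE_TOKENS))
```

Run against the posted configuration, only the LDAP entry (flags 15) reaches the CDP extension of issued certificates; the HTTP entry has flags 0, so it is neither written nor referenced, and the local path and file:// entries are written but never referenced. A certificate whose only CDP is an LDAP URL can be revocation-checked only by a machine that can read the domain's CDP container, which is worth keeping in mind when a CA or HRA reports 0x80092012.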
  • Well I have rebuilt a new server, new name, new subordinate CA, deleted and re-issued the system health validation template.

    If I refer the SHA to the Root CA:

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          27/05/2011 17:22:39
    Event ID:      53
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      VDC.smalldom.pri
    Description:
    Active Directory Certificate Services denied request 165 because The request contains no certificate template information. 0x80094801 (-2146875391).  The request was for SMALLDOM\NPS$.  Additional information: Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
        <EventID Qualifiers="33370">53</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-05-27T15:22:39.000000000Z" />
        <EventRecordID>21682</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>VDC.smalldom.pri</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
        <Data Name="RequestId">165</Data>
        <Data Name="Reason">The request contains no certificate template information. 0x80094801 (-2146875391)</Data>
        <Data Name="SubjectName">SMALLDOM\NPS$</Data>
        <Data Name="AdditionalInformation">Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
    </Data>
      </EventData>
    </Event>


    CarolChi
    Friday, May 27, 2011 3:31 PM
  • Or this on the subordinate CA

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          27/05/2011 17:31:46
    Event ID:      53
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      NPS.smalldom.pri
    Description:
    Active Directory Certificate Services denied request 23 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614).  The request was for SMALLDOM\NPS$.  Additional information: Error Constructing or Publishing Certificate
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
        <EventID Qualifiers="33370">53</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-05-27T15:31:46.000000000Z" />
        <EventRecordID>314</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>NPS.smalldom.pri</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
        <Data Name="RequestId">23</Data>
        <Data Name="Reason">The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)</Data>
        <Data Name="SubjectName">SMALLDOM\NPS$</Data>
        <Data Name="AdditionalInformation">Error Constructing or Publishing Certificate</Data>
      </EventData>
    </Event>

     


    CarolChi
    Friday, May 27, 2011 3:33 PM
  • Hi,

    The error on the Root CA indicates that you haven't published the certificate template. I would go through the steps to do this, make sure you include the step http://technet.microsoft.com/en-us/library/dd314188(WS.10).aspx

    -Greg

    Friday, May 27, 2011 4:45 PM
  • Can I delete it and try again? I already did that once, it shows in the AD certificate templates.

    When I right-click on certificate templates in the root CA and choose New... Certificate Template to Issue... the System Health one is no longer visible.


    CarolChi
    Friday, May 27, 2011 5:11 PM
  • Yes, delete it from both certtmpl.msc and certsrv.msc and go through the entire process again. Make sure you follow the instructions carefully.
    Friday, May 27, 2011 5:32 PM
  • Done that very carefully. The 1.3.6.1.4.1.311.47.1.1 attribute is stored somewhere so I re-used it. Now I have no subordinate CA, a newly published template and the HRA pointing to the Root CA.

    But still the same error:

     

    Log Name:      System
    Source:        HRA
    Date:          27/05/2011 19:42:49
    Event ID:      9
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      NPS.smalldom.pri
    Description:
    The Health Registration Authority was unable to acquire a certificate for request with the correlation-id {2212FE83-CF3B-4750-B996-030AFFBBFC20}-2011-05-27 17:42:49Z at 10.99.98.53 (principal: SMALLDOM\WIN7-WC$). Discarding the request. The Certification Authority \\VDC.smalldom.pri\SmalldomCA denied the request with the following error: Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
     (0x80004005). Contact the Certification Authority administrator for more information.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HRA" />
        <EventID Qualifiers="49406">9</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-05-27T17:42:49.000000000Z" />
        <EventRecordID>1944</EventRecordID>
        <Channel>System</Channel>
        <Computer>NPS.smalldom.pri</Computer>
        <Security />
      </System>
      <EventData>
        <Data>{2212FE83-CF3B-4750-B996-030AFFBBFC20}-2011-05-27 17:42:49Z</Data>
        <Data>10.99.98.53</Data>
        <Data>SMALLDOM\WIN7-WC$</Data>
        <Data>\\VDC.smalldom.pri\SmalldomCA</Data>
        <Data>Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
    </Data>
        <Data>0x80004005</Data>
      </EventData>
    </Event>


    CarolChi
    Friday, May 27, 2011 5:48 PM
  • If you are pointing the HRA to an Enterprise CA, you must change the CA type in the HRA console and specify the compliant and noncompliant templates. Use the same template for both.
    Friday, May 27, 2011 5:52 PM
  • If you are pointing the HRA to an Enterprise CA, you must change the CA type in the HRA console and specify the compliant and noncompliant (correction, see below) templates. Use the same template for both.
    Friday, May 27, 2011 5:52 PM
  • Oops, I should have said authenticated and non-authenticated templates (for domain-joined and non-domain-joined computers). You don't need two different templates unless you actually will be issuing health certs to non-domain-joined systems, but you still have to enter a template in the HRA console for both types.
    Friday, May 27, 2011 6:25 PM
  • I figured that one out!

    I only want domain joined users and computers to get certificates.

    Now my NPS server can't find the domain controllers. I'm getting 4402 There is no domain controller available every 10 minutes. I have turned on the

    The root CA is still issuing certificates for the computers in the IPSec NAP exemption group, and the domain is not showing any other problems.

    I'll reboot it...


    CarolChi
    Friday, May 27, 2011 6:38 PM
  • However, despite the NPS server not being able to find the domain controllers the clients have now got certificates.

    And after rebooting the NPS server can now find the domain controllers.

    So to the next stage:

    I don't want my root CA online, and I don't want it filled with all these certificates. I don't want it to be accessible to network service, so I want a subordinate CA.

    Since this is a test for a small environment, I can combine CA and NPS on one server.

    Should I do a more integrated sort of CA?

     

     

     


    CarolChi
    Friday, May 27, 2011 6:47 PM
  • I'm not sure what you mean by a more integrated CA, but its quite common to put a standalone CA on the same computer as NPS. I am not sure why NPS can't find your DC. I think your environment must have something unique that is causing some problems. Usually a standalone CA on the NPS/HRA works without a hitch.
    Friday, May 27, 2011 7:33 PM
  • I will try again.

    You have been most helpful and I have learned a lot. It is not always easy for smaller users to get to grips with these technologies, but they need them too.

     


    CarolChi
    Friday, May 27, 2011 7:35 PM
  • =)

    The IPsec enforcement method is the most complex so you've done a good job learning it. There are lots of steps and different services to configure. Once you get past the initial configuration though I hope it will become easier for you. I think it will be.

    Friday, May 27, 2011 7:40 PM
  • Connection to DCs re-established after a re-boot.

    Now I have tried to make a new subordinate standalone CA.

    It throws two errors.

    Reading these files, I would say it is trying to publish a delta CRL to a server DDC which does not have a CA structure (it did once have one).

    So probably the CRLs are forever lost or invalid.

    How do I track down this phantom location for CRLs?

     

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          27/05/2011 21:37:54
    Event ID:      74
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      NPS.smalldom.pri
    Description:
    Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location on server ddc.smalldom.pri: ldap:///CN=smalldom-NPS-subCA,CN=NPS,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=smalldom,DC=pri.  Directory object not found. 0x8007208d (WIN32: 8333).
    ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
     'CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=smalldom,DC=pri'

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
        <EventID Qualifiers="49754">74</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-05-27T19:37:54.000000000Z" />
        <EventRecordID>438</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>NPS.smalldom.pri</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="MSG_E_BASE_CRL_PUBLICATION_HOST_NAME">
        <Data Name="CAKeyIdentifier">0</Data>
        <Data Name="URL">ldap:///CN=smalldom-NPS-subCA,CN=NPS,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=smalldom,DC=pri</Data>
        <Data Name="ErrorMessageText">Directory object not found. 0x8007208d (WIN32: 8333)</Data>
        <Data Name="HostName">ddc.smalldom.pri</Data>
        <Data Name="param5">
        </Data>
        <Data Name="AdditionalErrorMessage">ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
     'CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=smalldom,DC=pri'
    </Data>
      </EventData>
    </Event>

    ________________________

     

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          27/05/2011 21:37:54
    Event ID:      66
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      NPS.smalldom.pri
    Description:
    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=smalldom-NPS-subCA,CN=NPS,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=smalldom,DC=pri.  Operation aborted 0x80004004 (-2147467260).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
        <EventID Qualifiers="49754">66</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-05-27T19:37:54.000000000Z" />
        <EventRecordID>439</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>NPS.smalldom.pri</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="MSG_E_DELTA_CRL_PUBLICATION">
        <Data Name="CAKeyIdentifier">0</Data>
        <Data Name="URL">ldap:///CN=smalldom-NPS-subCA,CN=NPS,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=smalldom,DC=pri</Data>
        <Data Name="ErrorMessageText">Operation aborted 0x80004004 (-2147467260)</Data>
        <Data Name="param4">
        </Data>
        <Data Name="param5">
        </Data>
        <Data Name="AdditionalErrorMessage">
        </Data>
      </EventData>
    </Event>


    CarolChi
    Friday, May 27, 2011 7:47 PM
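The CA and HRA events quoted throughout this thread share one pattern: the Reason or AdditionalInformation data carries an HRESULT, and the HRA event wraps the CA's own reason in a generic 0x80004005. The following script is an added example, not code from the thread or from Microsoft. It parses Windows event XML in the schema shown above, pulls every HRESULT out of the EventData, skips the generic E_FAIL/E_ABORT wrappers to find the CA's real reason code, names it (CRYPT_E_NO_REVOCATION_CHECK, CERTSRV_E_NO_CERT_TYPE and the other codes seen in the thread, with names from the Windows SDK headers) and attaches the triage hint the thread arrived at for each. The two sample records are trimmed copies of the CA event 53 and HRA event 9 XML posted above; the hint wording is mine.

```python
# Added example (not from the thread or Microsoft): parse the event XML posted
# above and decode the HRESULT that the CA or the HRA actually reported.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HRESULT_RE = re.compile(r"0x([0-9A-Fa-f]{8})")
FACILITY_WIN32 = 7
GENERIC = {0x80004005, 0x80004004}  # E_FAIL / E_ABORT only wrap the real reason

# Names from the Windows SDK headers; the hints restate what the thread found.
KNOWN_HRESULTS = {
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK",
                 "a CRL for a certificate in the chain could not be obtained: check that "
                 "the CDP locations of the issuing chain are reachable from the CA and "
                 "that the CAs' clocks agree"),
    0x80094801: ("CERTSRV_E_NO_CERT_TYPE",
                 "the request named no template: for an enterprise CA set the CA type in "
                 "the HRA console and pick the authenticated and non-authenticated templates"),
    0x8007010b: ("ERROR_DIRECTORY", "Win32 267: a CRL publication path does not exist"),
    0x8007208d: ("ERROR_DS_OBJ_NOT_FOUND", "Win32 8333: the LDAP CDP container is missing"),
    0x80004005: ("E_FAIL", "generic failure; look at the wrapped code"),
    0x80004004: ("E_ABORT", "operation aborted; look at the preceding base CRL error"),
}

# Trimmed copies of two events posted above (CA event 53 and HRA event 9).
CA_EVENT_53 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" EventSourceName="CertSvc" />
    <EventID Qualifiers="33370">53</EventID>
    <Computer>NPS.smalldom.pri</Computer>
  </System>
  <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO">
    <Data Name="RequestId">23</Data>
    <Data Name="Reason">The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)</Data>
    <Data Name="SubjectName">SMALLDOM\NPS$</Data>
    <Data Name="AdditionalInformation">Error Constructing or Publishing Certificate</Data>
  </EventData>
</Event>"""

HRA_EVENT_9 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HRA" />
    <EventID Qualifiers="49406">9</EventID>
    <Computer>NPS.smalldom.pri</Computer>
  </System>
  <EventData>
    <Data>{2212FE83-CF3B-4750-B996-030AFFBBFC20}-2011-05-27 17:42:49Z</Data>
    <Data>10.99.98.53</Data>
    <Data>SMALLDOM\WIN7-WC$</Data>
    <Data>\\VDC.smalldom.pri\SmalldomCA</Data>
    <Data>Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.</Data>
    <Data>0x80004005</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return provider, event id, computer, the EventData strings and HRESULTs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = [(d.get("Name") or "", (d.text or "").strip())
            for d in root.findall("e:EventData/e:Data", NS)]
    blob = " ".join(text for _, text in data)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.find("e:Computer", NS).text,
        "data": data,
        "hresults": [int(h, 16) for h in HRESULT_RE.findall(blob)],
    }


def describe_hresult(hr):
    """Name a known code, else decode FACILITY_WIN32 codes to their Win32 number."""
    if hr in KNOWN_HRESULTS:
        return KNOWN_HRESULTS[hr][0]
    if (hr >> 16) & 0x1FFF == FACILITY_WIN32:
        return f"WIN32 error {hr & 0xFFFF}"
    return f"unknown HRESULT 0x{hr:08x}"


def root_cause(event):
    """First HRESULT in the event that is not a generic E_FAIL/E_ABORT wrapper."""
    for hr in event["hresults"]:
        if hr not in GENERIC:
            return hr
    return event["hresults"][0] if event["hresults"] else None


def triage(event):
    """Summarise one event: where it came from, the decoded code and a hint."""
    hr = root_cause(event)
    return {
        "source": f"{event['provider']} event {event['event_id']} on {event['computer']}",
        "code": describe_hresult(hr) if hr is not None else "no HRESULT",
        "hint": KNOWN_HRESULTS.get(hr, ("", "no hint for this code"))[1],
    }


if __name__ == "__main__":
    for xml_text in (CA_EVENT_53, HRA_EVENT_9):
        print(triage(parse_event(xml_text)))
```

On the two sample records this reports CRYPT_E_NO_REVOCATION_CHECK for the CA event and CERTSRV_E_NO_CERT_TYPE for the HRA event, the latter despite the 0x80004005 that the HRA event ends with. The same parser works on any record exported from Event Viewer's XML view, so a batch of CA event 53 denials can be grouped by decoded code rather than read one at a time.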
  • I wish I could be more help, but you might have more experience with CRLs than I do. I found a couple of resources that discussed this, but I've personally never encountered the errors.

    http://technet.microsoft.com/en-us/library/cc726336(WS.10).aspx

    http://www.agileconcepts.com/Blogs/AQ/Lists/Posts/Post.aspx?ID=22 

    -Greg

    Friday, May 27, 2011 7:54 PM