AD CS Error: "The directory name is invalid." 0x8007010b (WIN32/HTTP:267)

AD CS Error: "The directory name is invalid." 0x8007010b (WIN32/HTTP:267)

Sometimes when you publish new CRLs or check Application eventlog on CA server you may get error message: The directory name is invalid. 0x8007010b (WIN32/HTTP:267):

 

  

Usually this happens after incorrect CDP extension configuration on CA server. This error means that CA server was unable to publish one or more CRL file to a local, network folder or LDAP directory. Unfortunately error message doesn't contain a detailed explanation, so you will have to manually check all possible problem sources. At first you need to retrieve CDP extension paths used for physical file publication. Run the following command on CA server:

certutil –getreg CA\CRLPublicationURLs

and select paths with the following publication flags:

  • CSURL_SERVERPUBLISH – 1
  • CSURL_SERVERPUBLISHDELTA -- 40 (64)

CA server uses them to publish files. If this is a local path (for example, D:\CertData\<somepath>) make sure if it exist. If local path exist, check folder security permissions. System (LocalSystem) account must have FullControl rights. If this is a network path (for example \\Server\Share\<somepath> or file://\\Server\Share\<somepath>) than make sure if:

  • CA server is able to resolve remote server name;
  • CA server can connect to remote server by using SMB/CIFS;
  • CA server computer account (with dollar sign at the end) has Change or FullControl share permissions on the target folder;
  • CA server computer account has NTFS Write permission on the target folder.

If one of this condition fails, you will get mentioned error message. Additionally check path syntax, because it is common to miss some characters in long paths.

If this is LDAP path make sure if the following conditions are valid:

  • CA server computer account is a member of Cert Publishers security group;
  • Cert Publishers security group has FullControl permissions on the subcontainers of the following container:



    CN=CDP, CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}.
  • Inside of CDP container you may find subcontainer with the name equal to CA server short (or NetBIOS) name. If not, create new container manually (by using ADSIEdit.msc MMC snap-in). Assign FullControl permissions for Cert Publishers group.

When all these conditions are valid (after corresponding problem resilution) try to publish new CRLs again by running the following command

certutil –CRL

Sort by: Published Date | Most Recent | Most Useful
Comments
  • Good Article!

  • another lovely reason for the error message, if you use a custom URL, like crl.contoso.com the server itself can't access the FQDN because of a loopback setting.  Method 2 in the following artcle resolved my issue:  support.microsoft.com/.../896861 DisableLoopbackCheck = 1

  • Thank you for the great article!

    Michael

  • Great post. thanks.

Page 1 of 1 (4 items)