ADCS Invalid Issuance Policies error

Question
-
I am working on completing the migration from our SHA1 ADCS CA infrastructure to SHA256. We've been using the SHA256 CAs for some time with no issues. The last item to remain was to migrate our only group of users that have user client authentication certificates from being issued SHA1 ones to SHA256 ones. Both CA infrastructures are running on Windows Server 2012 R2.
We'd been using the default "Client Authentication - User" template, but for a test I've cloned that policy to "TEST Client Auth - User". Only a single test user account has Enroll or Autoenroll rights on the template. The template was added to our SHA256 intermediate CA to issue. There have been no other changes to the template. It's a version 2 template, with Windows Server 2003/XP compatibility set.
When the test user logs in on my Windows 7 test computer, it does not successfully enroll in a certificate. I checked the intermediate CA and found this error:
Active Directory Certificate Services denied request 17778 because The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY). The request was for CN=test, OU=Users, OU=Test, DC=subdomain, DC=domain, DC=com. Additional information: Error Constructing or Publishing Certificate Invalid Issuance Policies: 1.3.6.1.4.1.311.21.8.1084316.5799510.12209843.6103771.9194518.172.1.400
Searching the Internet seems to point fingers at the Issuance Policy. I checked the SHA256 intermediate CA certificate and it says the certificate is intended for the following purposes: "All application policies".
I've never seen this error and am not quite sure how to solve it.
Here is my CAPolicy.inf file:
    [Version]
    Signature="$Windows NT$"

    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=6
    CRLPeriod=Days
    CRLPeriodUnits=3
    CRLDeltaPeriod=Days
    CRLDeltaPeriodUnits=0
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithms=1
I checked and we don't have AlternateSignatureAlgorithms set in the registry (at HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\<CA name>\CSP\).
Any help would be appreciated. Thank you in advance!
Friday, October 20, 2017 8:05 PM
Answers
-
Hi,
Based on my research of similar errors, you could try the following approaches to see if they help to resolve this issue.
1.Changing the CRLFlags registry key to ignore invalid policies by running the following commands:
certutil -setreg CA\CRLFlags +CRLF_IGNORE_INVALID_POLICIES
net stop certsvc
net start certsvc
2.Update the Issuing CA Certificate with ‘All issuance policies’.
3.Update the issuing CA with specific Issuance Policies
Here is an article regarding the similar error, you could take a look the details step by step:
Issuance Policies with a CA Upgrade to Windows 2008 R2 AD CS PKI
https://silkspundotcom.wordpress.com/2012/02/14/issuance-policies-with-a-ca-upgrade-to-windows-2008-r2-ad-cs-pki/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best regards,
Wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Marked as answer by Scott W. Sander Monday, October 23, 2017 7:33 PM
Monday, October 23, 2017 5:55 AM
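Added example, not part of the thread above and not Microsoft code: before choosing one of the three approaches, it helps to see exactly which issuance policies the template stamps into certificates and which ones the CA's own certificate is allowed to assert, because CERT_E_INVALID_POLICY is the CA refusing to put a policy OID into a leaf certificate that its own certificate does not cover. The script below runs on the issuing CA in an elevated Windows PowerShell session and prints the two lists side by side, plus whether CRLF_IGNORE_INVALID_POLICIES is already set. The template display name and CA common name are placeholders taken from the question; the parsing of the Certificate Policies extension assumes English `Format()` output; and it assumes AD CS treats a CA certificate with no Certificate Policies extension at all as unconstrained. Approach 1 (the CRLFlags change) only switches this check off, so the CA then issues certificates asserting a policy that its chain cannot back; approaches 2 and 3 fix the CA certificate instead and are the ones to prefer.

```powershell
# Added example (not from the original thread or from Microsoft).
# Run in an elevated Windows PowerShell session on the issuing CA.

$TemplateDisplayName = 'TEST Client Auth - User'   # assumed: the cloned template from the question
$CASubjectCN         = 'Issuing-CA-SHA256'         # assumed: CN of the SHA256 intermediate CA

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Issuance policies the template puts into issued certificates
#    (msPKI-Certificate-Policy -> Certificate Policies extension, OID 2.5.29.32).
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher
$tplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiRoot"
$tplSearch.Filter     = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
$tpl = $tplSearch.FindOne()
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found in AD." }
$templatePolicies = @($tpl.Properties['mspki-certificate-policy'] | ForEach-Object { [string]$_ })

# Resolve a policy OID to its friendly name via the forest OID container
# (the default 'Low Assurance' policy AD CS creates ends in .400, as in the denied request).
function Get-IssuancePolicyName([string]$Oid) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=OID,$pkiRoot"
    $s.Filter     = "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$Oid))"
    $r = $s.FindOne()
    if ($r) { [string]$r.Properties['displayname'][0] } else { '<unregistered>' }
}

# 2. Issuance policies the CA's own certificate may assert.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CASubjectCN*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No CA certificate with CN=$CASubjectCN in the machine store." }

$polExt      = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
$caPolicies  = @()
$caAnyPolicy = $false
if ($polExt) {
    # anyPolicy (2.5.29.32.0) is DER-encoded as 06 04 55 1D 20 00; look for it in the raw bytes.
    $caAnyPolicy = (',' + ($polExt.RawData -join ',') + ',') -match ',6,4,85,29,32,0,'
    # Assumption: English Format() output with one "Policy Identifier=" line per policy
    # (Windows may print a friendly name instead of the OID, so both are compared below).
    $caPolicies = @([regex]::Matches($polExt.Format($true), '(?<=Policy Identifier=)[^\r\n]+') |
        ForEach-Object { $_.Value.Trim() })
}

# 3. Has the check already been disabled (approach 1 in the answer)?
$ignoreInvalid = ((certutil -getreg CA\CRLFlags 2>&1) -join "`n") -match 'CRLF_IGNORE_INVALID_POLICIES'

"CA cert : $($caCert.Subject)  (thumbprint $($caCert.Thumbprint))"
"CA has Certificate Policies extension : $([bool]$polExt)   anyPolicy : $caAnyPolicy"
"CA asserts : $($caPolicies -join '; ')"
"CRLF_IGNORE_INVALID_POLICIES set : $ignoreInvalid"
""
if (-not $templatePolicies) {
    "Template '$TemplateDisplayName' carries no issuance policy; CERT_E_INVALID_POLICY cannot come from it."
}
foreach ($oid in $templatePolicies) {
    $name = Get-IssuancePolicyName $oid
    # Assumed rule: no extension on the CA cert = unconstrained; otherwise anyPolicy or an exact match is needed.
    $ok = (-not $polExt) -or $caAnyPolicy -or ($caPolicies -contains $oid) -or ($caPolicies -contains $name)
    "{0,-6} {1}  ({2})" -f ($(if ($ok) { 'OK' } else { 'DENIED' }), $oid, $name)
}
```

A line reading `DENIED <oid> (Low Assurance)` reproduces the situation in the question: the template asks for a policy the CA certificate does not list. Removing the policy from the template (as the asker eventually did) or renewing the CA certificate with that policy both clear it; setting CRLF_IGNORE_INVALID_POLICIES makes the CA stop looking.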
All replies
-
After more investigation, I found that my test user client authentication certificate template had the "Low Assurance" issuance policy set on it. I removed that, and it now works.
That said, if I wanted to use Issuance Policies, what would I need to do on my CAs?
Monday, October 23, 2017 12:50 PM
-
Hi,
Thank you for the update and mark.
You might need to modify the issuance policy, please refer to:
Issuance Requirements
https://technet.microsoft.com/en-us/library/cc753139(v=ws.11).aspx
Best regards,
Wendy
Tuesday, October 24, 2017 9:34 AM
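Added example, not part of the thread above and not Microsoft code, for the follow-up question of what the CAs need if issuance policies are to be kept on templates. Approaches 2 and 3 from the accepted answer both come down to a `[PolicyStatementExtension]` section in CAPolicy.inf followed by a renewal of the CA certificate, because CAPolicy.inf is only read when the CA certificate is installed or renewed. The script below rebuilds CAPolicy.inf on the SHA256 intermediate CA, keeping the `[Certsrv_Server]` settings posted in the question, and appends either the anyPolicy form (approach 2) or a list of named policies (approach 3); the Low Assurance OID is the one from the denied request, and the section name `LowAssurance` is an arbitrary label. The parent CA has to permit the same policies one level up, so on a two-tier hierarchy check the root CA certificate with the same logic before submitting the renewal request.

```powershell
# Added example (not from the original thread or from Microsoft).
# Run in an elevated Windows PowerShell session on the issuing (subordinate) CA.

$Mode = 'Specific'   # 'All' = anyPolicy, approach 2; 'Specific' = named policies, approach 3

# Policies to allow when $Mode is 'Specific'. The OID below is the one from the
# denied request in the question (the forest's Low Assurance policy).
# A CPS pointer can be added per policy with 'URL=' and 'Notice=' keys if wanted.
$Policies = @(
    @{ Name = 'LowAssurance'; OID = '1.3.6.1.4.1.311.21.8.1084316.5799510.12209843.6103771.9194518.172.1.400' }
)

# The part of CAPolicy.inf that already existed in the question, unchanged.
$static = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=6
CRLPeriod=Days
CRLPeriodUnits=3
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0
AlternateSignatureAlgorithms=1

'@

if ($Mode -eq 'All') {
    # anyPolicy: the CA may assert every issuance policy, now and in the future.
    $policySection = @'
[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=No

[AllIssuancePolicy]
OID=2.5.29.32.0
'@
} else {
    # Named policies: least privilege, but adding a policy later means another renewal.
    $lines = @('[PolicyStatementExtension]',
               'Policies=' + (($Policies | ForEach-Object { $_.Name }) -join ','),
               'Critical=No')
    foreach ($p in $Policies) {
        $lines += '', "[$($p.Name)]", "OID=$($p.OID)"
    }
    $policySection = $lines -join "`r`n"
}

$inf = $static + $policySection
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $inf -Encoding ASCII
Write-Host "Wrote $env:SystemRoot\CAPolicy.inf:`n$inf"

# Renew the CA certificate with the existing key pair so CAPolicy.inf is applied.
# On a subordinate CA this produces a request file that must be signed by the
# parent CA and then installed with:  certutil -installCert <signed.cer>
certutil -renewCert ReuseKeys
```

The `'All'` form is the quicker fix but hands the CA the right to assert any policy the forest defines; with `'Specific'`, a template that later picks up a new issuance policy will fail with the same CERT_E_INVALID_POLICY until the CA certificate is renewed again, which is the check doing its job. Either way, clients only pick up the new chain after the renewed CA certificate has been published to AD and reached them.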