Issues Implementing the Microsoft Online Responder

  • Question

  • All,

    In setting up the Microsoft Online Responder, I completed the following:
    1. Installed the Online Responder Service
    2. Configured the CAs (location of the responder given as http://DNSName/ocsp)
    3. Assigned Read and Enroll permissions on the certificate template to the Online Responder computer account via the Certificate Templates console
    4. Made the certificate template available for enrollment via the Certification Authority console
    5. Updated the registry to allow the renewal of OCSP Response Signing certificates
    6. Configured the Online Responder
    7. Created a Revocation Configuration (using the defaults for automatic enrollment)
    The above steps were accomplished using the procedures listed in Brian Komar's book, "Windows Server 2008 PKI and Certificate Security" (any departures are listed above).

    At this point in my lab environment the Revocation Configuration Status reads "Working". However, as luck would have it, in the environment I care about the Revocation Configuration Status reads "Bad signing certificate on Array controller".

    One major difference between this environment and my lab environment is the Use Strong Private Key Protection Features Provided By The CSP (This May Require Administrator Interaction Every Time The Private Key Is Accessed By The CA) check box is selected in the non-lab environment (see thread).

    Under Revocation Configuration the Signing Certificate Selection is "Automatically enrolled" and the Enrollment Template is "OCSPResponseSigning". When I look at the Array Configuration section, Assign Signing Certificate is disabled (as expected, since I did not choose to manually select a signing certificate when adding the revocation configuration). The Revocation Configuration Status states "Signing Certificate Not Found" and "The revocation provider is successfully using the current configuration".

    If anyone has encountered this problem and resolved it, please let me know.

    Thanks,

    toshinorit
    • Changed type toshinorit Wednesday, February 4, 2009 3:51 PM
    Wednesday, February 4, 2009 5:43 AM

All replies

  • As an additional note, I tried rebuilding the Revocation Configuration this time selecting the Manually select a signing certificate option.

    In doing so, the Revocation Configuration Status is "Signing certificate status is not yet available for the Array controller". Under Array Configuration, the Signing Certificate states "The data necessary to complete this operation is not yet available. (Exception from HRESULT: 0x8000000A)" and the Revocation Provider Status states "The revocation provider is successfully using the current configuration".
    Wednesday, February 4, 2009 6:07 AM
  • Hi,

    Based on my test, this issue may occur if the OCSP Signing certificate was not issued successfully or was not issued automatically.

    1.    Let’s try to manually apply for an OCSP Signing certificate to test. Create an OCSP.inf, copy the following content into it, and save it.

    [NewRequest]
        Subject = "cn=Test"
        PrivateKeyArchive = FALSE
        Exportable = TRUE
        UserProtected = FALSE
        MachineKeySet = TRUE
        ProviderName = "Microsoft Software Key Storage Provider"
        UseExistingKeySet = FALSE
        RequestType = PKCS10
    [EnhancedKeyUsageExtension]
        OID="1.3.6.1.5.5.7.3.9"

    [RequestAttributes]
        CertificateTemplate = "OCSPResponseSigning"

    2.    After that, run the following commands (please replace [PATH] with the actual path of ocsp.inf):

    certreq -new [PATH]ocsp.inf ocsp.req
    certreq -submit ocsp.req ocsp.cer

    3.    What’s the result? Open the CA console; can you find it in Issued Certificates? If not, please let us know if there is any error message.

    4.    If the OCSP Signing certificate was not issued automatically, try the steps below.

    a.    Right-click your CA server in the CA console and choose Properties. Switch to the Policy Module tab, choose Properties, and choose the "automatically" option.
    b.    Open Certificate Templates, choose the OCSP Response Signing template, open Properties, switch to the Security tab, and make sure the CA server is listed and has the proper rights.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Mervyn Zhang Thursday, February 5, 2009 9:38 AM
    • Unproposed as answer by toshinorit Thursday, February 5, 2009 3:10 PM
    • Marked as answer by Mervyn Zhang Monday, February 16, 2009 1:17 AM
    Thursday, February 5, 2009 9:34 AM
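The manual enrollment test above, scripted end to end as an added PowerShell example (not code from the thread or from Microsoft): it writes the same kind of INF, submits it, accepts the issued certificate into the machine store, and then checks the properties the Online Responder actually needs from a signing certificate (OCSP Signing EKU, the id-pkix-ocsp-nocheck extension, a private key in the machine store). The template name is the one used in the thread; the CA config string and the working directory are placeholders and are assumptions. Exportable is set to FALSE here, unlike the test INF above, because an OCSP signing key has no reason to leave the responder. One caveat: certreq run from an administrator's session exercises the CA and the template, not the enrollment path the Online Responder service takes under its own identity, so a certificate issued this way proves the template is issuable and nothing more.

```powershell
# Added example, not from the thread. Manual OCSP Response Signing enrollment test with
# verification of the issued certificate. Run in an elevated PowerShell on the responder.
param(
    [string]$Template = 'OCSPResponseSigning',            # template name used in the thread
    [string]$CAConfig = '',                               # assumption: "CAHost\CAName"; empty shows the CA picker
    [string]$WorkDir  = (Join-Path $env:TEMP 'ocsp-test') # assumption: scratch directory
)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir 'ocsp.inf'
$req = Join-Path $WorkDir 'ocsp.req'
$cer = Join-Path $WorkDir 'ocsp.cer'

# Same shape as the INF in the thread. MachineKeySet=TRUE places the key in the machine
# store, where the Online Responder service looks; Exportable=FALSE keeps a signing key
# from being copied off the box.
@"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
PrivateKeyArchive = FALSE
Exportable = FALSE
UserProtected = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
UseExistingKeySet = FALSE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.9
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

& certreq.exe -new $inf $req | Out-Host
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

$submitArgs = @('-submit')
if ($CAConfig) { $submitArgs += '-config', $CAConfig }
$submitArgs += $req, $cer
& certreq.exe @submitArgs | Out-Host
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
    # 0x8009480f is CERTSRV_E_SUBJECT_DNS_REQUIRED, the "DNS name is unavailable" denial
    # seen in the thread; the template's Subject Name settings decide that, not this INF.
    throw "Certificate was not issued; see the policy module output above."
}

# -accept binds the issued certificate to the private key created by -new.
& certreq.exe -accept $cer | Out-Host
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cer
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint

$ekuOids = @()
$hasNoCheck = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object Value)
    }
    # id-pkix-ocsp-nocheck: relying parties skip revocation checking of the responder cert itself
    if ($ext.Oid.Value -eq '1.3.6.1.5.5.7.48.1.5') { $hasNoCheck = $true }
}

# Chain and revocation check of the new certificate, as in the thread.
& certutil.exe -verify $cer | Select-String -Pattern 'revocation|OCSP Signing|completed' | Out-Host

[pscustomobject]@{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotAfter          = $cert.NotAfter
    HasOcspSigningEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.9')
    HasOcspNoCheck    = $hasNoCheck
    InMachineStore    = [bool]$installed
    HasPrivateKey     = [bool]($installed -and $installed.HasPrivateKey)
}
```

If HasOcspSigningEku or HasOcspNoCheck comes back False, the CA issued from a template that is not the OCSP Response Signing template (or a broken duplicate of it), which is worth knowing before touching the revocation configuration again.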
  • Mervyn,

    Thanks for the quick response!

    Using the exact steps provided I created the certificate request and attempted to submit it to the CA. In doing so, I received the following results:

    C:\>certreq -new c:\ocsp.inf ocsp.req

    CertReq: Request Created

    C:\>certreq -submit ocsp.req ocsp.cer
    RequestId: 3297
    Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
    Certificate Request Processor: The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)
    Denied by Policy Module

    C:\>

    On the Request Handling tab under Policy Module in the CA properties, I verified that the default for when a certificate request is received is set for Follow The Settings In The Certificate Template, If Applicable. Otherwise, Automatically Issue The Certificate.

    On the Security tab of the OCSP Response Signing certificate template properties, the CA server has both Read and Enroll permissions.

    I look forward to any additional suggestions you may have.

    Thanks,

    toshinorit
    Thursday, February 5, 2009 3:40 PM
  • Hi,

    The error " Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to the Subject Alternate name " is caused by Certificate Templates settings. Please try the steps below:

    1.    Open MMC, add the Certificate Templates console, right-click the OCSP Response Signing template, choose Properties, switch to the Subject Name tab, select the UPN or SPN option, and uncheck the DNS name option.
    2.    Run "certreq -submit ocsp.req ocsp.cer" again.

    Could you get the certificate now? If so, try to add Revocation Configuration.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, February 6, 2009 1:51 AM
  • Mervyn,

    Recreating your steps above I selected the UPN option and de-selected the DNS Name option under the Subject Name tab in OCSP Response Signing Properties and re-ran the above commands.

    C:\>certreq -new c:\ocsp.inf ocsp.req

    CertReq: Request Created

    C:\>certreq -submit ocsp.req ocsp.cer
    RequestId: 3597
    Certificate retrieved(Issued) Issued

    C:\>

    I checked the CA for the Issued Certificates and was able to locate the 3597 OCSP Response Signing certificate. Yay!

    So now, it appears I have been able to generate a certificate request. I then proceeded to try to verify the certificate chain, with the following results, by running certutil -verify ocsp.cer > ocsp.txt:

    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.9 OCSP Signing
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Checking the event logs for the OnlineResponder...

    Event 33
    The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning for configuration CompanyXYZ Revocation Configuration.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))

    Event 23
    The Online Responder Service could not locate a signing certificate for configuration CompanyXYZ Revocation Configuration.(Cannot find the original signer. 0x8009100e (-2146889714))

    And returning to the Online Responder Configuration pages...

    • Revocation Configuration Status - Bad signing certificate on Array controller
    • Revocation Configuration Signing Certificate Selection - Automatically enrolled
    • Revocation Configuration Enrollment Template - OCSPResponseSigning
    • Array Configuration Status - Online
    • Revocation Configuration Status Signing Certificate - Not Found
    • Revocation Provider Status -
    Type: Microsoft CRL-based revocation status provider
    The revocation provider is successfully using the current configuration

    Please advise...

    Thanks,

    toshinorit
    Friday, February 6, 2009 6:49 PM
  • Hi,

    Have you deleted the old Revocation Configuration and created a new Revocation Configuration?

    Open MMC and add Online Responder, click Revocation Configuration, right-click the old configuration in the right-panel, choose Delete.

    Right-click Revocation Configuration, choose Add Revocation Configuration. Follow the steps to get a new certificate.

    If the issue persists, please check the Event Log and find the latest Revocation Configuration entries. Please note the time and record the events after the new configuration.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, February 9, 2009 2:52 AM
  • Mervyn,

    I did recreate the revocation configuration resulting in the errors above.

    But just to be sure, I am reinstalling the Online Responder role and assembling the results. That being said, should I rebuild the revocation configuration using the Automatically Select A Signing Certificate or Manually Select A Signing Certificate option?

    Thanks,

    toshinorit
    Tuesday, February 10, 2009 11:06 AM
  • Mervyn,

    I just reconfirmed the errors from my posting on Fri Feb 06 2009 12:49:17 GMT-0600. After deleting the revocation configuration I reinstalled the Online Responder role service using the Automatically Select A Signing Certificate option and received the same Event 33 and Event 23 errors.

    Event 33 - 2/10/2009 7:25:36 AM
    The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning2 for configuration CompanyXYZ Revocation Configuration.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))

    Event 23 - 2/10/2009 7:25:36 AM
    The Online Responder Service could not locate a signing certificate for configuration CompanyXYZ Revocation Configuration.(Cannot find the original signer. 0x8009100e (-2146889714))

    Please advise.

    Thanks,

    toshinorit
    Tuesday, February 10, 2009 12:38 PM
  • Hi,

    Regarding the Event 23 and 33, please refer to the following article for troubleshooting.

    Event ID 23 — AD CS Online Responder Service
    http://technet.microsoft.com/en-us/library/cc774506.aspx

    Event ID 33 — AD CS Online Responder Service
    http://technet.microsoft.com/en-us/library/cc774529.aspx

    For more information about error of Online Responder Service, please refer to:

    AD CS Online Responder Service
    http://technet.microsoft.com/en-us/library/cc774531.aspx

    If the issue persists, please help to clarify the following question.

    How did you set up the "OCSP Response Signing" template?

    There is an error about "OCSPResponseSigning2" in the message "The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning2". Please delete the current OCSP Response Signing template in the CA and reissue it using the original OCSP Response Signing template.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Monday, February 16, 2009 1:17 AM
    Wednesday, February 11, 2009 12:20 PM
  • Mervyn,

    This is not answered. I have the exact same issue described above, and I went through the links you recommended and it is still not working.

    What's the resolution?
    Friday, March 5, 2010 1:17 AM
  • Hi,

    I also had the same issue. When I changed the security permissions on the OCSP Signing Certificate (which I had duplicated) from the computer group directly to the computer account, the revocation was added as it should be. Also, the certificate was issued by the Root CA.

    The permissions for the computer account are Read & Enroll. Hope this helps.

    Monday, March 8, 2010 11:20 AM
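The Feb 6 answer (Subject Name tab) and the March 8 reply (permissions granted to the computer account directly) both come down to what the template object in Active Directory says. The Subject Name tab is stored as the msPKI-Certificate-Name-Flag bit mask; with the DNS name bit set the CA fills the SAN from the requester's AD object, and a request submitted from a user session has no dNSHostName to take, which is the CERTSRV_E_SUBJECT_DNS_REQUIRED denial shown earlier in the thread. The template's ACL decides who can enroll, and an ACE on a group only helps if the responder's computer account is actually in that group. As an added PowerShell example, not code from the thread, the script below reports both for one template and one computer account. The template name is the one used in the thread; the computer name is a placeholder. It assumes the ActiveDirectory module on a domain-joined host; the flag values and extended-right GUIDs are the documented ones (MS-CRTD and the AD schema). Relaxing the DNS name requirement makes the template issuable to requesters without a dNSHostName, which is fine for a lab test but worth reverting once the real cause is found.

```powershell
# Added example, not from the thread. Reads a certificate template from the Configuration
# naming context and reports (1) the subject-name flags behind CERTSRV_E_SUBJECT_DNS_REQUIRED
# denials and (2) whether a given computer account holds Enroll/Autoenroll, directly or via
# group membership. Needs the ActiveDirectory module on a domain-joined host.
param(
    [string]$TemplateCN   = 'OCSPResponseSigning',  # template name used in the thread
    [string]$ComputerName = 'OCSP01'                # assumption: responder computer account (without $)
)
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

# --- 1. Subject Name tab as stored in AD (msPKI-Certificate-Name-Flag bit names from MS-CRTD) ---
$nameFlagBits = [ordered]@{
    ENROLLEE_SUPPLIES_SUBJECT          = '0x00000001'
    ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = '0x00010000'
    SUBJECT_ALT_REQUIRE_DOMAIN_DNS     = '0x00400000'
    SUBJECT_ALT_REQUIRE_SPN            = '0x00800000'
    SUBJECT_ALT_REQUIRE_DIRECTORY_GUID = '0x01000000'
    SUBJECT_ALT_REQUIRE_UPN            = '0x02000000'
    SUBJECT_ALT_REQUIRE_EMAIL          = '0x04000000'
    SUBJECT_ALT_REQUIRE_DNS            = '0x08000000'   # "DNS name" checkbox: CA must find a dNSHostName
    SUBJECT_REQUIRE_DNS_AS_CN          = '0x10000000'
    SUBJECT_REQUIRE_EMAIL              = '0x20000000'
    SUBJECT_REQUIRE_COMMON_NAME        = '0x40000000'
    SUBJECT_REQUIRE_DIRECTORY_PATH     = '0x80000000'
}
# AD stores the attribute as a signed 32-bit integer; reinterpret the same bits as unsigned.
$raw       = [int]$template.'msPKI-Certificate-Name-Flag'
$nameFlags = [uint32]('0x{0:X8}' -f $raw)
$setFlags  = foreach ($name in $nameFlagBits.Keys) {
    if ($nameFlags -band [uint32]$nameFlagBits[$name]) { $name }
}

# --- 2. Who can enroll: Allow ACEs carrying the Certificate-Enrollment / AutoEnrollment rights ---
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid = [guid]'a05b8cc2-17bc-11d2-91a7-00c04f79dc55'
$rightsNames    = @{ $enrollGuid = 'Enroll'; $autoenrollGuid = 'Autoenroll'; ([guid]::Empty) = 'All extended rights' }

$enrollAces = $template.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $rightsNames.ContainsKey($_.ObjectType)
}

# The computer's own SID, its primary group (not listed in "member", so the in-chain filter
# below would miss Domain Computers), and every group it belongs to transitively.
$computer   = Get-ADComputer -Identity $ComputerName -Properties primaryGroupID
$domainSid  = (Get-ADDomain).DomainSID.Value
$tokenSids  = @($computer.SID.Value, "$domainSid-$($computer.primaryGroupID)")
$tokenSids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))" |
              ForEach-Object { $_.SID.Value }

$grants = foreach ($ace in $enrollAces) {
    $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
    [pscustomobject]@{
        Identity        = $ace.IdentityReference.Value
        Right           = $rightsNames[$ace.ObjectType]
        CoversResponder = ($null -ne $sid -and $tokenSids -contains $sid)
    }
}

[pscustomobject]@{
    Template             = $TemplateCN
    SubjectNameFlags     = ($setFlags -join ', ')
    RequiresDnsInSan     = [bool]($nameFlags -band [uint32]$nameFlagBits.SUBJECT_ALT_REQUIRE_DNS)
    ResponderDnsHostName = $computer.DNSHostName
    EnrollGrants         = $grants
    ResponderCanEnroll   = [bool]($grants | Where-Object CoversResponder)
}
```

The CoversResponder column is the check behind the March 8 reply: a group ACE that does not reach the responder's account looks correct in the Security tab and still leaves the service unable to enroll.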
  • Hi all

    Is there any news or update?
    I have the same problem with events 23/33...
    Everything seems to be good: the CA is online, the template with permissions is okay, and manual enrollment works fine with this template...
    Working now with MS Premier Support on this issue...

    One question:
    What does point 5 in the initial post mean, "Updated the registry to allow the renewal of OCSP Response Signing certificates"?

    Thanks for any help/advice...
    Michael
    Thursday, March 18, 2010 10:59 AM
  • Hi again

    I figured it out:

    In my case it was a problem with a security option as described here:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/d06a07ae-9999-47de-af33-9304d82142f3

    Cheers

    Michael

    Monday, March 22, 2010 1:14 PM
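The event pairs quoted in the Feb 6 and Feb 10 posts, and the "security option" resolution above, are what this added PowerShell example (not code from the thread or from the linked post) is meant to narrow down. It collects events 23 and 33 from the Online Responder, decodes the HRESULTs embedded in their text, shows the identity OcspSvc runs under, reads the "Force strong key protection for user keys stored on the computer" policy, and lists the OCSP Signing certificates already in the machine store. The thread does not name the security option that fixed Michael's case; reading that particular policy is my inference from the error text (WIN32 1459, an interactive window station is required, which a service cannot provide) and from the strong private key protection difference the original post describes, not something the thread confirms. The event provider name and the policy registry path are the standard ones and are assumptions here.

```powershell
# Added example, not from the thread. Collects Online Responder events 23/33, decodes the
# HRESULTs they embed, and reports the machine settings worth checking for the
# "requires an interactive window station" failure. Run elevated on the responder.
param([int]$Hours = 72)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-OnlineResponder'   # assumption: source of events 23/33
    Id           = 23, 33
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Event text embeds codes such as "0x800705b3 (WIN32: 1459)"; turn each into its message.
    $codes   = [regex]::Matches($e.Message, '0x[0-9A-Fa-f]{8}') | ForEach-Object Value | Select-Object -Unique
    $decoded = foreach ($c in $codes) {
        $hr = [Convert]::ToInt32($c.Substring(2), 16)   # two's complement keeps 0x8xxxxxxx in Int32 range
        '{0} = {1}' -f $c, [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Template = ([regex]::Match($e.Message, 'template (\S+)')).Groups[1].Value
        Errors   = ($decoded -join '; ')
    }
}

# Identity the service runs under; it cannot show a UI, so anything that demands a key
# protection prompt at enrollment time fails with WIN32 1459.
$svc = Get-CimInstance Win32_Service -Filter "Name='OcspSvc'"

# "System cryptography: Force strong key protection for user keys stored on the computer".
# 0 = no user input, 1 = prompt on first use, 2 = password every use; absent = not configured.
$fkp = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography' -Name ForceKeyProtection `
        -ErrorAction SilentlyContinue).ForceKeyProtection

# Signing candidates already in the machine store (OCSP Signing EKU), with private key presence.
$signingCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9'
} | Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint

[pscustomobject]@{
    ResponderEvents         = $findings
    ServiceAccount          = $svc.StartName
    ServiceState            = $svc.State
    ForceKeyProtection      = $(if ($null -eq $fkp) { 'not configured' } else { $fkp })
    OcspSigningCertsInStore = $signingCerts
}
```

Read the output in order: an Event 33 with 0x800705b3 and ForceKeyProtection set to 1 or 2 points at the policy; an Event 33 naming a template the CA does not publish (the thread's OCSPResponseSigning2) points at the template; and an OCSP Signing certificate in the store without a private key points at the key, not the enrollment.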
  • Just in case anyone comes across this thread and the above solution doesn't help: the only fix for me was to remove the role service from the affected server, reinstall it, and re-add the server to the Online Responder array.
    Wednesday, July 11, 2012 2:04 AM