Certutil returns 0x8007007e (WIN32/HTTP: 126 ERROR_MOD_NOT_FOUND)

    Question

  • Having a weird problem on one issuing CA: when I run certutil on that server, it returns 0x8007007e (WIN32/HTTP: 126 ERROR_MOD_NOT_FOUND): certadm.dll every time, and the same for certenroll.dll

    Any ideas what's causing this?

    Wednesday, October 29, 2014 7:42 AM

Answers

  • Solved for my case!

    Once I deleted the registry key "debug" with value 0xffffffff that is located in the CA configuration in the path below, I no longer receive these errors in the output: hklm/system/currentcontrolset/services/certsvc/configuration/ca server name

    • Proposed as answer by AhmadJY Monday, March 20, 2017 8:03 AM
    • Marked as answer by Narcoticoo Tuesday, March 21, 2017 2:25 PM
    Monday, March 20, 2017 8:03 AM

All replies

  • Hi,

    Would you please tell us are there any related error messages in the Event Logs of the problematic CA?

    If there are, please post them out for further analyzing.

    Best Regards,

    Amy

    Thursday, October 30, 2014 5:33 AM
    Moderator
  • There aren't any errors in the event log. This only happens when certutil.exe is used, for example if I try to run certutil.exe -dump, it outputs everything but the error described above is shown. This doesn't happen on other CAs in the environment.

    Thursday, October 30, 2014 4:41 PM
  • Hi,

    Looks like there is something wrong with the Certutil.exe, please try to replace it with a version from a healthy machine. The Certutil.exe is under System32 folder.

    Best Regards,

    Amy

    Friday, October 31, 2014 2:13 AM
    Moderator
  • The certutil.exe is exactly the same on a working machine, so the problem isn't there... also certadm.dll and certenroll.dll are exactly the same on a working machine.

    Saturday, November 01, 2014 8:23 AM
  • Hi Narcoticoo,

    The issue should be caused by the server missing some certificate service dll and exe files. You need to capture the Process Monitor to find which dll or exe files are missing:

    1) Logon as domain admin and download Process Monitor from the following link:
        URL: <http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx>
    2) Extract the ZIP file on the server, restart the computer and then run Processmon.exe
    3) While Process Monitor is running, click the microscope icon in the toolbar to stop the capture (CTRL+E) and clear the initial logs (CTRL+X). (Don’t close it)

    Note: Turn off any network access (including Internet Explorer access, network share access, etc.) and turn off 3rd party applications (as many as possible).

    Capture:
     
    a. In Process Monitor window, create a path filter "c:\Windows\system32"


    b. Start the capture (CTRL+E).
     
    c. Reproduce the issue.
     
    d. When the error appears, (in Process Monitor) please stop the capture (CTRL+E), Save (File -> Save ) the Process Monitor log.

    Then you can find which files are missing and copy the missing files from another working server.

    Thanks.


    Wednesday, November 12, 2014 2:32 AM
  • Any updates?
    Thursday, November 20, 2014 5:04 AM
  • Nope. I tried looking at procmon already before you suggested it, I didn't find anything missing at that point. I have to check it again.

    The CA itself is working just fine, it's just the certutil tool that has the hiccups.

    Thursday, November 20, 2014 6:03 PM
  • Hi, has the issue been resolved? If not, please try to change the filter to "contains" and check if it helps.

    Thursday, November 27, 2014 11:36 AM
  • This is still not resolved. I've followed this guide https://technet.microsoft.com/fi-fi/library/hh824869.aspx?f=255&MSPPError=-2147217396, but still the issue persists... As noted before, procmon does not provide any useful information while running certutil.exe


    • Edited by Narcoticoo Saturday, April 18, 2015 5:04 AM
    Saturday, April 18, 2015 5:03 AM
  • This is still not resolved. I've followed this guide https://technet.microsoft.com/fi-fi/library/hh824869.aspx?f=255&MSPPError=-2147217396, but still the issue persists... As noted before, procmon does not provide any useful information while running certutil.exe


    Hi,

    I have the same issue, may I know how you solved it?

    Tuesday, March 07, 2017 6:05 AM
  • This is still not resolved. I've followed this guide https://technet.microsoft.com/fi-fi/library/hh824869.aspx?f=255&MSPPError=-2147217396, but still the issue persists... As noted before, procmon does not provide any useful information while running certutil.exe


    Hi,

    I have the same issue, may I know how you solved it?


    Like said, still not solved...
    Tuesday, March 07, 2017 8:21 AM
  • We think that this issue that we have on our Windows 2012 R2 Sub CA is an OS issue, not a PKI issue; that is because if we run the same commands from a Windows 10 machine against the PKI server, we do not receive this error. We are thinking of migrating the CA (backup and restore) to a new Windows 2012 R2 member server to see the results.
    Friday, March 17, 2017 7:29 AM
  • Hi,

    I restored the CA database and private key to a new Windows 2012 R2 server and it is working, but once I imported the registry (the one I backed up from the original PKI server on which we have the issue) I experienced the same issue; so it seems there is some issue in the registry for the SUB CA.

    My plan now is to restore again the PKI database and the private key on a new server then before importing the registry, I will compare between registry settings related to PKI in the original server with this new server and see what is different....

    Monday, March 20, 2017 7:27 AM
  • Solved for my case!

    Once I deleted the registry key "debug" with value 0xffffffff that is located in the CA configuration in the path below, I no longer receive these errors in the output: hklm/system/currentcontrolset/services/certsvc/configuration/ca server name

    • Proposed as answer by AhmadJY Monday, March 20, 2017 8:03 AM
    • Marked as answer by Narcoticoo Tuesday, March 21, 2017 2:25 PM
    Monday, March 20, 2017 8:03 AM
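
    Added example (not part of the thread and not Microsoft's code): a read-only PowerShell audit for the two steps described above, comparing the CA's registry configuration with a healthy server and checking for the "debug" entry. It assumes "debug" is a registry value named Debug under the CA's configuration key, and the baseline file name is hypothetical.

```powershell
# Added example, read-only: lists AD CS configuration values and compares them
# with a baseline exported from a healthy CA. Nothing is modified or deleted.
param(
    # Assumption: hypothetical file name for the baseline export.
    [string]$BaselinePath = '.\ca-config-baseline.json',
    # Run with -Export on the healthy server to create the baseline.
    [switch]$Export
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaConfigValue {
    # One object per registry value under each CA sub-key of $root.
    foreach ($caKey in Get-ChildItem -Path $root -ErrorAction Stop) {
        foreach ($name in $caKey.GetValueNames()) {
            $raw = $caKey.GetValue($name)
            # DWORDs are shown as hex (0xffffffff is read as -1); other kinds are joined.
            $data = if ($raw -is [int]) { '0x{0:x8}' -f $raw } else { @($raw) -join ';' }
            [pscustomobject]@{
                CA   = $caKey.PSChildName
                Name = $name
                Kind = $caKey.GetValueKind($name).ToString()
                Data = $data
            }
        }
    }
}

$current = @(Get-CaConfigValue)

if ($Export) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    return
}

# The entry the accepted answer describes, if it exists on this CA.
$current | Where-Object Name -eq 'Debug' | Format-Table CA, Name, Kind, Data -AutoSize

# Values that are new or different compared with the healthy baseline.
# Paths and host names are expected to differ between servers.
if (Test-Path -Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Data |
        Where-Object SideIndicator -eq '=>' |
        Format-Table Name, Data -AutoSize
}
```

    Run it from an elevated prompt with -Export on the working CA first, copy the JSON file to the affected server, then run it there without parameters.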
  • Solved for my case!

    Once I deleted the registry key "debug" with value 0xffffffff that is located in the CA configuration in the path below, I no longer receive these errors in the output: hklm/system/currentcontrolset/services/certsvc/configuration/ca server name


    I'll test this tomorrow, thanks!
    Monday, March 20, 2017 4:38 PM
  • I can confirm, this worked! Thanks AhmadJY!

    Tuesday, March 21, 2017 2:25 PM
  • I do NOT have "debug" key on CA, so I can not remove it (hence not a solution to me)

    I get this error on Win 10 1803 17134.48 clients only with CA on Server 2012 R2

    All other 1607 clients work fine! (hence it is not CA issue)


    • Edited by scerazy Friday, May 18, 2018 9:01 AM
    Friday, May 18, 2018 7:58 AM
  • Same error from Powershell (as per last post in this thread)
    Get-Certificate -Template "Remote Desktop Authentication" -DnsName testdns.domain.com -url 'https:/<CAserver>/ADPolicyProvider_CEP_Kerbos/service.svc/CEP' -CertStoreLocation cert:\localmachine\my
    Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: The specified module could not be found. 0x8007007e
    (WIN32/HTTP: 126 ERROR_MOD_NOT_FOUND)
    At line:1 char:1
    + Get-Certificate -Template "Remote Desktop Authentication" -DnsName se ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-Certificate], Exception
        + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand


    • Edited by scerazy Friday, May 18, 2018 8:59 AM
    Friday, May 18, 2018 8:54 AM