LDAP CRL issues

  • Question

  • I think I have a strange problem. My enterprise CA seems to run fine, although it does give a CRL offline error sometimes. When I run PKIView, it can access the HTTP CRL but not the LDAP ones (using the default location). However, if I right-click on "Enterprise PKI", select AD containers, select the CDP container, I can see all the CRLs and can view them. Running Server 2008 DC.
    I exported a certificate it created and ran it through certutil; output below. The CDP and AIA containers exist in ADSI Edit/ADSS. I uninstalled the CA and reinstalled, no difference. Any ideas (other than a fresh install) would be greatly appreciated...


    Issuer:
        CN=zat-CA1
        DC=zat
        DC=com
    Subject:
        CN=2008server1.zat.com
    Cert Serial Number: 618d348f000600000061

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 37 Minutes, 34 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 37 Minutes, 34 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=zat-CA1, DC=zat, DC=com
      NotBefore: 29/04/2009 9:15 PM
      NotAfter: 29/04/2010 9:15 PM
      Subject: CN=2008server1.zat.com
      Serial: 618d348f000600000061
      SubjectAltName: Other Name:DS Object Guid=04 10 1b 62 f0 13 ff 55 10 42 aa 5a 78 b5 3a 25 22 84, DNS Name=2008server1.zat.com
      Template: DomainController
      2f f7 50 4f 31 5f cc d8 93 a2 73 91 ad 2d 7f 12 7d c8 ca 66
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Failed "AIA" Time: 0
        Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
        ldap:///CN=zat-CA1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?cACertificate?base?objectClass=certificationAuthority

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (45)" Time: 0
        [0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6).crl

      Verified "Delta CRL (45)" Time: 0
        [0.0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl

      Failed "CDP" Time: 0
        Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
        [0.1.0] ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

      Failed "CDP" Time: 0
        Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
        ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (45)" Time: 0
        [0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl

      Failed "CDP" Time: 0
        Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
        ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
        CRL 45:
        Issuer: CN=zat-CA1, DC=zat, DC=com
        0a 79 25 f6 35 bc 99 ea e8 94 ce 22 c6 92 7a a1 ae ec aa cd
        Delta CRL 45:
        Issuer: CN=zat-CA1, DC=zat, DC=com
        04 07 b1 13 cc 97 50 04 56 80 4c b4 3e 3c 15 bd 9f 12 95 f7
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=zat-CA1, DC=zat, DC=com
      NotBefore: 29/04/2009 8:13 PM
      NotAfter: 29/04/2014 8:23 PM
      Subject: CN=zat-CA1, DC=zat, DC=com
      Serial: 7f6e5d7070950ca84e844a0d85f1b18f
      Template: CA
      51 84 31 30 03 2d fa 19 45 3f 92 ac e4 8c 2f 35 4a 1c ec 71
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      ad 90 cc 0a df 07 b9 a2 2b 21 d7 52 ba 92 03 01 ef 70 96 4a
    Full chain:
      bf 51 aa e9 51 65 32 42 39 0c 97 32 6d ea fe 27 f8 54 41 9f
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.2 Client Authentication
        1.3.6.1.5.5.7.3.1 Server Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
    Wednesday, April 29, 2009 11:41 AM
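    As an added example (not part of this thread), a Python parser over a constructed excerpt shaped like the certutil -verify output above: it records each AIA/CDP/OCSP fetch attempt with its result and error text, and decodes the ldap:/// URLs into DN, attribute, scope and filter so the AD object the client tried to read (here an entry under the CDP container) can be checked directly in ADSI Edit. The sample text, function names and record layout are my own assumptions.

```python
import re
from urllib.parse import urlsplit, unquote
# Constructed excerpt shaped like the certutil -verify output quoted above.
SAMPLE = """\
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (45)" Time: 0
    [0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6).crl
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
    [0.1.0] ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
"""

SECTION_RE = re.compile(r"^-+\s+(.+?)\s+-+$")  # "----  Certificate CDP  ----"
STATUS_RE = re.compile(r'^(Verified|OK|Failed|No URLs)\s+"([^"]*)"')
ERROR_RE = re.compile(r"^Error retrieving URL:\s+(.*)$")
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?((?:https?|ldap|file)://\S+)$")  # optional [0.1.0] index

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL (ldap://host/dn?attrs?scope?filter) into its parts."""
    parts = urlsplit(url)
    fields = parts.query.split("?") + ["", "", ""]  # pad missing attrs/scope/filter
    return {
        "dn": unquote(parts.path.lstrip("/")),  # %20 -> space inside the DN
        "attributes": [a for a in fields[0].split(",") if a],
        "scope": fields[1] or "base",  # RFC 4516 default scope
        "filter": fields[2],
    }

def parse_certutil_verify(text):
    """Return one record per fetch attempt in the AIA/CDP/OCSP sections."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := STATUS_RE.match(line):
            current = {"section": section, "status": m.group(1), "label": m.group(2), "url": None, "error": None}
            records.append(current)
        elif current and (m := ERROR_RE.match(line)):
            current["error"] = m.group(1)
        elif current and (m := URL_RE.match(line)):
            current["url"] = m.group(1)
            if current["url"].startswith("ldap:"):  # decode the AD object the client tried to read
                current["ldap"] = parse_ldap_url(current["url"])
    return records

def failed_fetches(text):
    return [r for r in parse_certutil_verify(text) if r["status"] == "Failed"]
```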

All replies

  • Hi,

    This issue may be caused by corrupt data stored in AD. Open ADSIEDIT.MSC, connect to the Configuration partition, and navigate to CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com.

    Check CN=2008server1 under CN=CDP and CN=AIA. If there is any error or abnormal behavior, please let us know.

    Try to run the following commands to collect information for research.

    ldifde -f KI.txt -d "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com" -p subtree

    ldifde -f PKI.txt -d "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com" -p subtree

    Note: Replace DC=Domain,DC=com accordingly.

    Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, April 30, 2009 9:47 AM
  • Yes, there is probably some corruption somewhere - I just can't figure out where.

    I haven't used SkyDrive before, so I hope it works:
    http://cid-27c67029fca14da6.skydrive.live.com/self.aspx/PKI%20Problem

    The machine is virtualised. I restored a snapshot since the original post, but the error's still there and the files on SkyDrive are current.


    When I tried uninstalling/re-installing, I wiped stuff from the containers in ADSS.
    Anyway, if you have any ideas on how to remove any corruption I'll give it a try.
    I've got another CA in another forest and it's working fine, if that's any help.

    thanks for your time.
    Thursday, April 30, 2009 12:45 PM
  • Hi,

    Thank you for the update.

    Based on my test, TAZ-CA1(1) - TAZ-CA1(5) should not appear in ADSI Edit. How did you do "when i tried uninstalling/re-installing, i wiped stuff from the containers in ADSS"? Please let us know the detailed steps.

    Also, please capture a screenshot of the CA Properties:

    Open the CA console, right-click TAZ-CA1(5), choose Properties, switch to the Extensions tab, and choose "ldap:///…." in the CRL list. Capture a screenshot and upload it to SkyDrive.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, May 4, 2009 4:15 AM
  • Hi Mervyn,

    The CRL publishes OK, no errors. Here are the steps I took. Screenshots at http://cid-27c67029fca14da6.skydrive.live.com/browse.aspx/PKI2?authkey=p2KsIbDCvLY%24
    I just uninstalled/reinstalled. Check out the bit in bold at the end on re-installing, especially the access denied error.


    1/ certutil -shutdown
    2/ certutil -key   
    C:\Users\Administrator>certutil -key
       Microsoft Strong Cryptographic Provider:
         le-DomainControllerAuthentication-70bbce24-84a0-4a96-ae7d-214322198916
            0204d6dc1aef68b82a75ca9e82e3571b_82c9b055-d375-4e08-94c0-12ba1b223d65
            AT_KEYEXCHANGE
       *** could not find any root certificate key to delete

    3/ remove CA role (remove tick from CA)  and restart computer
    4/ ADSS, expand services

     public key services\aia - wipe everything
     public key services\cdp - wipe everything
     public key services\certificate authorities - wipe everything
     public key services\enrolment services - wipe everything
     public key services\kra - wipe everything


    5/ C:\Users\Administrator>ldifde -r "cn=taz-ca1" -d "CN=Public KeyServices,CN=Services,CN=Configuration,DC=taz,DC=com" -f output.ldf
    Connecting to "2008server1.taz.com"
    Logging in as current user using SSPI
    Exporting directory to file output.ldf
    Searching for entries...
    Writing out entries
    No Entries found

    The command has completed successfully



    6/ certutil store -? | findstr "CN=NTAuth"   (showed nothing)
    7/ del %systemroot%\System32\Certlog
    8/ C:\Users\Administrator>certutil -ds taz-ca1
    CertUtil: -ds command completed successfully.

    9/ C:\Users\Administrator>certutil -ds 2008server1
    CertUtil: -ds command completed successfully.


    10/C:\Users\Administrator>certutil -ds -v NtAuthCertificates
    CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com:
      NTAuthCertificates
        objectClass
            Element 0: "top"
            Element 1: "certificationAuthority"
        cn = "NTAuthCertificates"
        cACertificate
            Element 0: 920 Bytes
       ....
       some bits cut out
       ....

    ================ Certificate 5 ================
    Serial Number: 32041c93f735a9435f643880a0bb2f
    Issuer: CN=Taz-CA1, DC=taz, DC=com
    NotBefore: 16/02/2009 6:58 PM
    NotAfter: 16/02/2014 7:08 PM
    Subject: CN=Taz-CA1, DC=taz, DC=com
    Certificate Template Name (Certificate Type): CA
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template: CA, Root Certification Authority
    Cert Hash(sha1): 86 70 44 65 d9 1c 65 de 15 40 bc 42 3d a5 b1 26 7b 3a b7 f5

        authorityRevocationList = EMPTY
        certificateRevocationList = EMPTY
        distinguishedName = "CN=NTAuthCertificates,CN=Public Key Services,CN=Service
    s,CN=Configuration,DC=taz,DC=com"
        instanceType = "4"
        whenCreated = "20081127013718.0Z" 27/11/2008 11:37 AM
        whenChanged = "20090430121040.0Z" 30/04/2009 10:10 PM
        uSNCreated = "7584" 0x1da0
        uSNChanged = "241923" 0x3b103
        showInAdvancedViewOnly = "TRUE"
        name = "NTAuthCertificates"
        objectGUID = 40cc4255-2bee-4e5a-a18f-6aa7063a89b1
        objectCategory = "CN=Certification-Authority,CN=Schema,CN=Configuration,DC=t
    az,DC=com"
        dSCorePropagationData = "16010101000000.0Z" EMPTY
        nTSecurityDescriptor =
        Allow       TAZ\Domain Admins
            Full Control
        Allow       TAZ\Enterprise Admins
            Full Control
        Allow       BUILTIN\Administrators
            Full Control
        Allow       Everyone
            Read
        Allow       TAZ\Enterprise Admins
            Full Control
        Allow       TAZ\Domain Admins
            Full Control

    11/ C:\Users\Administrator>certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?base?cACertificate"

    ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base
    CertUtil: -viewdelstore command FAILED: 0x80070005 (WIN32: 5)
    CertUtil: Access is denied.

    ******** access denied??? I am logged in as enterprise admin, and enterprise admin has full control on NTAuthCertificates (according to ADSI Edit)

    12/ certutil -viewdelstore
    DEL all certificates issued to Taz-CA1

    13/ regsvr32 /i:i /n /s certcli.dll
    14/ run certificates mmc for local computer, wipe all certificates in personal computer store, all taz-ca1 certificates in trusted root ca, intermediate ca, kra/certificates and enrolment requests





    =================================================
    1/ install CA role, using same name taz-ca1
    * enterprise CA, root, default key (2048), + web enrolment service role
    * pkiview, delete old "untrusted root" certificates from NTAuthCerticates (AD Containers), leaving new one only. (still shows errors on ldap CRL but not http)

    2/ gpupdate /force


    3/ Checked Event Viewer - 1 warning:
    Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.

    4/ C:\Users\Administrator>certutil -viewstore "ldap:///CN=taz-CA1,CN=CertificationAuthorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority"

    ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority
    CertUtil: -viewstore command FAILED: 0x8007006e (WIN32/HTTP: 110)
    CertUtil: The system cannot open the device or file specified.


    5/ export root ca, then C:\Users\Administrator>Certutil -dspublish c:\root.cer
    ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate

    Certificate already in DS store.

    ldap:///CN=taz-CA1,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate

    Certificate already in DS store.

    CertUtil: -dsPublish command completed successfully.
    Monday, May 4, 2009 11:16 AM
  • Hi,

    It seems you shouldn't delete "public key services\aia" and the other subtrees under "public key services". After deleting them, there is an error when trying to reinstall my testing CA role. It may take a long time to find the root cause of this issue, so I suggest you don't delete them when uninstalling. Just stop the service, then uninstall/reinstall the role.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, May 5, 2009 3:13 AM
  • Just to clarify, I didn't actually delete the containers, just the contents. But I will follow your suggestion of leaving them alone.

    On the weekend I think I might create an enterprise CA on another DC to see if it's a certificate issue/AD issue or a security access problem.

    thanks

    Tuesday, May 5, 2009 11:51 AM
  • Hi Mervyn,
    Just to throw a spanner in the works: whilst I get errors in PKIView on 2008server1, if I run it from nps1 (which at one stage had a standalone subordinate for IPsec NAP), PKIView is able to get the LDAP CRLs.

    http://cid-27c67029fca14da6.skydrive.live.com/browse.aspx/pkiview%20screenshots?authkey=nq7SmO9*ito%24

    pkiview1.jpg is from nps1. (The error on taz-nps1-ca is because the root/subordinate trust is broken; that's OK.) BUT it shows full access to the CRLs.
    pkiview2.jpg is from 2008server1. When run here, it is unable to access the CRLs through LDAP.

    The CA certificate on both computers shows the same thumbprint.
    weird.....

    Wednesday, May 6, 2009 11:49 AM