OCSP problem

  • Question

  • Hi,

    I'm having an issue getting OCSP working in my Server 2008 enterprise environment.

    I keep getting an error when creating a new revocation configuration...

    I get event ID 33

    The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning for configuration Revocation Configuration.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))

    It appears to be a problem with the security template that gets applied to the servers. I work in a secure environment and the majority of the settings from the SSLF template in the Windows Server 2008 security guide get applied to the server. I've tested without these security settings applied and it seems to work ok and enrolls for the certificate properly.

    I can't for the life of me find which setting is causing this issue. Does anyone have any ideas???

    Thanks,

    Chris
    Wednesday, January 7, 2009 2:34 PM

Answers

  • Hi Mervyn,

    I think I've figured this out now. I've been testing different configurations and have narrowed it down to one setting.

    The setting is in

    Security Settings>Local Policies>Security Options

    and is the setting "System Cryptography: Force Strong Key Protection for User Keys"

    This was set to "User is prompted when the key is first used".

    I suppose this makes sense because the user of the keys is the NETWORK SERVICE account and a prompt wouldn't be able to be provided to this user. Once this was set to not defined the enrollment of the certificate went through not a problem.

    This is a side effect of using the most restrictive settings from the security guide. A template was created setting all the security settings for the SSLF environment and this is applied to all servers. I'm sure this won't be the last time I have problems with these security settings.

    Thanks for your help!

    Chris
    • Marked as answer by Mervyn Zhang Tuesday, January 13, 2009 2:04 AM
    Monday, January 12, 2009 4:25 PM
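A quick way to check a server for the condition Chris identified, added here as an example and not part of the thread: the policy "System cryptography: Force strong key protection for user keys stored on the computer" is backed by the registry value ForceKeyProtection under HKLM\SOFTWARE\Policies\Microsoft\Cryptography (0 = no user input required, 1 = user prompted when the key is first used, 2 = password required every time). Any value other than 0 demands an interactive prompt, which a service account such as NETWORK SERVICE cannot answer, hence the "interactive window station" error (WIN32: 1459). The script reads that value, explains it, and lists recent Event ID 33 entries; the Application log name and the provider-name filter are assumptions, adjust them to your environment.

```powershell
# Added example (not from the thread): check the policy that blocked
# Online Responder signing-certificate enrollment under NETWORK SERVICE.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$valueName = 'ForceKeyProtection'

# Meaning of each policy value as shown in the Group Policy editor
$meaning = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

function Get-ForceKeyProtectionSetting {
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value present means the policy is "Not Defined"
        return [pscustomobject]@{
            Value          = $null
            Meaning        = 'Not defined (no policy value present)'
            BlocksServices = $false
        }
    }
    $v = [int]$item.$valueName
    [pscustomobject]@{
        Value          = $v
        Meaning        = $meaning[$v]
        # Values 1 and 2 require an interactive prompt that a service
        # account cannot satisfy, so non-interactive enrollment fails.
        BlocksServices = ($v -ne 0)
    }
}

$setting = Get-ForceKeyProtectionSetting
$setting | Format-List

if ($setting.BlocksServices) {
    Write-Warning ("ForceKeyProtection={0}: non-interactive enrollment (e.g. the Online " +
                   "Responder service) will fail. Set the value to 0 or leave the policy " +
                   "Not Defined for this server.") -f $setting.Value
}

# Surface recent Event ID 33 entries from the Online Responder.
# Assumption: events are in the Application log and the provider name
# contains "OnlineResponder"; change the filter if yours differ.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 33 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*OnlineResponder*' } |
    Select-Object TimeCreated, ProviderName, Message
```

Run it elevated on the Online Responder host. If the hardened template is applied by Group Policy, a local change will be reverted at the next refresh, so the fix belongs in the policy (an exemption for this server, as Chris planned) rather than in the registry directly.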

All replies

  • Hi,

    The following article explains how to resolve Event ID 33 in detail. Please try to follow the suggestions to troubleshoot your problem.

    Event ID 33 — AD CS Online Responder Service

    http://technet.microsoft.com/en-us/library/cc774529.aspx

    If the issue still persists, please run the MPS report (PFE version) on the server for analysis. The MPS Reporting Tool is utilized to gather detailed information regarding a system's current configuration. The data collected will assist you with fault isolation.

    A. Please download MPS Reporting Tool (MPSRPT_PFE.EXE) from the following link:
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=00ad0eac-720f-4441-9ef6-ea9f657b5c2f&DisplayLang=en)

    Please note: The link may be truncated when you read the E-mail. Be sure to include all text between '(' and ')' when navigating to the download location.

    B. Right click MPSRPT_PFE.EXE and select Run as Administrator to run this tool, and you will see a Command Window start up.

    C. Please type Y with the message of <Include the MSINFO32 report? (defaults to Y in 15 seconds)[Y,N]?>

    D. When the tool is done you will see an Explorer Window opening up the %systemroot%\MPSReports\Setup\Reports\cab folder and containing a <Computername>MPSReports.cab file. Send this file to tfwst@microsoft.com for research.

    Thanks.

    • Proposed as answer by Mervyn Zhang Thursday, January 8, 2009 10:45 AM
    Thursday, January 8, 2009 10:44 AM
  • Thanks for the reply Mervyn!

    I've had a look at the article which you referred me to and have followed the troubleshooting steps. Unfortunately I'm still having the issue.

    The OCSP server can request a certificate from the CA using manual enrollment and this is successful. I gave the NETWORK SERVICE account the right to read the private key. I then created a new revocation configuration using the manual certificate assignment option. I am able to select the requested certificate for assignment but then the revocation configuration fails with the same error as above.

    I'm sure this is something to do with the security template that is applied to the server. This template really locks down the machine.

    The error states something about needing an interactive window station. I can't find anything else about that error which relates to my problem. I imagine that the security template is preventing the OCSP service or the NETWORK SERVICE account from doing something.

    Unfortunately I'm unable to put any servers Live without these security settings being applied so I need to find which setting is causing the issue so I can raise a request to exempt this particular server from having this setting applied.

    Thursday, January 8, 2009 12:49 PM
  • Hi,

    Could you please let us know the detailed steps you used to apply the security template and which security template was applied? Did you use GPOAccelerator?

    At the same time, let's try to check the following CA settings.

    1. Open your CA, right-click the CA server, choose Properties, and switch to the Enrollment Agents tab. Which option was selected? If "Restrict enrollment agents" was selected, please choose "Do not restrict enrollment agents".

    2. Switch to the Auditing tab and check "Issue and manage certificate requests".

    3. Switch to the Security tab, click the Add button to add "NETWORK SERVICE" to the list and give it the proper permissions.

    Try to test. If the issue persists, please check the Event Log to see if there is any new error about certificates.

    Please also refer to the article below to check your OCSP setup. Please make sure all suggestions are followed.

    Configure a CA to Support OCSP Responders
    http://technet.microsoft.com/en-us/library/cc732526.aspx

    Thanks.

    • Proposed as answer by Mervyn Zhang Monday, January 12, 2009 11:53 AM
    Monday, January 12, 2009 11:53 AM