Can't edit or delete certificate template - "The object name has bad syntax"

    Question

  • While creating certificate templates recently on my CA running Server 2016, I created 2 templates with the same name.  It appears that Windows allowed the display names to be the same, but appended "CNF:" followed by a guid to the actual template name.

    I tried to edit the template, but get an error that changes can't be saved because "The object name has bad syntax."  I get similar errors when trying to delete or rename the template.  I've created a new template with the settings I need, but would like to delete this old template to ensure it doesn't cause problems or confusion in the future. 

    How can I delete this certificate template?

    Tuesday, June 12, 2018 14:40

Answers

  • Hi NeighborGeek,

    When you see this, it is the result of having two objects with the same name, one of them will get these precise additions to prevent the conflict. A typical if rare cause is a replication failure. When you look with ADSI Edit, you will see the template twice, once with the name it's supposed to have, once with this CNF:+GUID entry in front of it. Here's two more, in this case DCs: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f0e71ce4-772a-46b3-b7b8-ad41f76a4d58/conflicting-dc-names-same-server-has-two-names-in-sites-amp-services?forum=winserverDS


    You should be able to simply delete the conflicting template object (the one with the CNF:+GUID) in ADSI Edit, possibly after seizing ownership just to make sure. Note that in the unlikely event this is the only object left, deleting the object causes the name and display name to go forever, so Certutil and other tools cannot resolve the OID to the name anymore and will fall back to the OID.

    Kind Regards,

    • Marked as answer by NeighborGeek Friday, June 15, 2018 11:48
    Thursday, June 14, 2018 06:52

All replies

  • You can use the ADSIEdit.msc tool to connect to Active Directory and manually edit the template name. Templates are stored at:

    cn=Certificate Templates, cn=Public Key Services, cn=Services,{ConfigurationNamingContext}

    You only need to edit the cn attribute.


    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Tuesday, June 12, 2018 17:44
  • Thank you for the response.  I've just tried to rename the object in ADSI Edit, and to modify the CN attribute of the object, but both of those are failing as well.  

    For reference, the current CN of the template is "VPNUserAuthentication
    CNF:836294d7-d056-445e-ade5-475045e3cf96".  I'm trying to change it to "VPNUserAuthenticationOLD".

    When attempting to rename it, I get this error:

    When I open the properties and try to edit the CN attribute, I get this:

    I did check the security tab in the properties, and my admin account is listed as the owner.  I tried granting my account full control permissions as well, but that didn't help. 

    Any other suggestions?

    Wednesday, June 13, 2018 15:41
  • I just took another crack at it with ADSI Edit.  This time, despite my admin account already being listed as owner, I went ahead and changed the owner to my (same) admin account, and was able to successfully delete the template.  Thanks for the help, both of you!
    Friday, June 15, 2018 11:48
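
The marked answer describes conflict objects (a line feed plus CNF:+GUID appended to the name) in the Certificate Templates container. The read-only sketch below is an added example, not code from any poster in this thread: it lists such objects and checks whether a template with the plain name still exists before anything is deleted. It assumes the ActiveDirectory (RSAT) PowerShell module and read access to the Configuration naming context; the output property names are illustrative.

```powershell
# Added example (not from the thread). Read-only: it lists conflict objects, it deletes nothing.
# Assumes the ActiveDirectory (RSAT) module and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props      = 'cn', 'displayName', 'msPKI-Cert-Template-OID', 'whenCreated'

# A conflict object's RDN is "<name><LF>CNF:<GUID>".
# \0A is the LDAP-filter escape for the line-feed character.
$conflictQuery = @{
    SearchBase  = $searchBase
    SearchScope = 'OneLevel'
    LDAPFilter  = '(&(objectClass=pKICertificateTemplate)(cn=*\0ACNF:*))'
    Properties  = $props
}
$conflicts = Get-ADObject @conflictQuery

foreach ($c in $conflicts) {
    # Everything before the line feed is the name the template was created with.
    # Assumption: template names contain no LDAP filter metacharacters ( ) * \
    $baseName = ($c.cn -split "`n")[0]

    # Look for the object that kept the plain name.
    $survivorQuery = @{
        SearchBase  = $searchBase
        SearchScope = 'OneLevel'
        LDAPFilter  = "(&(objectClass=pKICertificateTemplate)(cn=$baseName))"
        Properties  = $props
    }
    $survivor = Get-ADObject @survivorQuery

    [pscustomobject]@{
        BaseName          = $baseName
        DisplayName       = $c.displayName
        ConflictOID       = $c.'msPKI-Cert-Template-OID'
        ConflictCreated   = $c.whenCreated
        SurvivorFound     = [bool]$survivor
        SurvivorOID       = $survivor.'msPKI-Cert-Template-OID'
        DistinguishedName = $c.DistinguishedName
    }
}
```

A row with SurvivorFound set to False corresponds to the case the answer warns about, where the conflict object is the only one left and deleting it removes the name that tools resolve the template OID to.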