MIM CM PublishCRL: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) RRS feed

  • Question

  • Hi,

    We're having a weird error from MIM CM when we revoke certificate or disable smart card.

    Exception Type: System.ArgumentException
    Message: CCertAdmin::PublishCRLs: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
    ParamName: NULL
    Data: System.Collections.ListDictionaryInternal
    TargetSite: Void PublishCRLs(System.String, System.DateTime, Microsoft.Clm.CertificateServices.Interop.CrlFlags)
    HelpLink: NULL
    Source: CertificateAuthority.Admin
    HResult: -2147024809

    MIM CM call the CA to publish a CRL with the new certificate that has been revoked.  Theorically, i would say it's "by design".

    But, the msClm-Data attribute of the Profile Template in Active Directory ("CN=MyProfile,CN=Public Key Services,CN=Configuration,DC=MyDomaine,DC=Com") specify that PublichCRL and PublishDeltaCRL are set to False for ALL policies


    It's not critical but if someone has an idea why we have this issue would be appreciate.

    Adding to this, the CA receive the call from CM

    Event ID 4871 – Certificate Services Received A Request To Publish The Certificate Revocation List

    Next Update: 0

    Publish Base: No

    Publish Delta: No


    This posting is provided AS IS without warranty of any kind

    Friday, May 29, 2020 1:52 PM

All replies

  • I'm seeing the same issue in my environment with templates that are set to revoke but not publish CRL's.  I ran a test to suspend a card.  The error showed up in the trace log.  The certificate authority reported a 4871 audit event for successful request to publish a CRL with data:

    Certificate Services received a request to publish the certificate revocation list (CRL).

    Next Update: 0
    Publish Base: No
    Publish Delta: No

    From the MIMCMManagerAgent service account.  Since both of the Publish options are "No", I don't see why MIM CM is sending the request, as its basically telling the CA to do something, but don't do anything.  Manual and automated publishing of CRL's from the CA server with have a "Yes" value in either one of those values depending on the CRL type its publishing. 

    The timestamp on my CM trace file is one second before the audit event on the CA.  So its ambiguous whether there is a problem on the CM side first and it still tries to perform an operation on the CA, or if the CM side error is related to it sending a bad request to the CA.

    Wednesday, June 10, 2020 1:35 AM