The parameter is incorrect. 0x80070057 (WIN32: 87)

    Question

  • Hi,

    I built a two-tier PKI based on this guide: http://social.technet.microsoft.com/wiki/contents/articles/15037.step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

    I set "AlternateSignatureAlgorithm" to 0 on both the root and intermediate CA as I have XP and 2003 clients.

    After the Intermediate CA installation, I have a lot of failed requests:

    My current user is a member of the Enterprise Admins group and it seems like it's failing on getting the CA Exchange certificate. The command 'certutil -cainfo xchg' gives the following:

    CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87)
    CertUtil: The parameter is incorrect.

    If I try to issue the failed request, I get 'The requested property value is empty 0x80094004'.

    The command 'certutil -dump' gives the right information, the 'Flags' property is set to 13.

    Is there anyone who can help me troubleshoot this?



    • Edited by Flop' Monday, July 21, 2014 8:37 PM
    Monday, July 21, 2014 6:17 PM

Answers

  • OK - then I would "reinstall" the default templates running

    certutil -installdefaulttemplates

    ... and again wait for AD replication. This usually fixes all sorts of weird issues that had happened to the default templates.

    (More information here)

    As for the MMC test / empty list: You might need to run gpupdate /force at the client (even if the "client" is the CA itself) to download the list of templates to the registry. But I would then only repeat the test after the issue with the OID had been fixed.

    • Marked as answer by Flop' Monday, July 21, 2014 11:40 PM
    Monday, July 21, 2014 11:18 PM

All replies

  • Can you issue other end-entity certificates? What happens if you publish a template (say: a copy of Authenticated Session) and make sure that normal users do not have enroll permissions? If it fails - which error is displayed?

    Did you make additional changes (not listed in the article you have linked) such as configuring policy\DisableExtensionList ?

    I have seen similar issues with failed requests for OCSP certificates for CAs that disallowed the Application Policies extensions - by adding its OID to the list in the DisableExtensionList registry key.

    Do you also see the error in the event log as described in this thread?

    The other thread implies that the OID attribute of the CAExchange template might be missing - I would check with adsiedit.msc if your template also lacks the attribute msPKI-Cert-Template-OID.

    Does the CAExchange template have the OID attribute populated?

    If not...

    Don't edit the attribute yet with the value given in the other thread, as the value is unique for each AD forest!! Editing templates in this way is also not supported. I would do the following first:

    • Start certtmpl.msc (or right-click Certificate Templates, Manage), especially if this was the first CA ever installed to this forest. If you tried to issue a test certificate as described at the top of my post you have done this already.
    • Trigger AD replication and wait a bit if the attribute gets populated and the CAExchange error goes away.

    In case the OID attribute remains empty and the OIDs of other standard templates are populated we could infer the OID from that of another template - it should be same as the one of the Administrator template, just with the 7 at the end replaced with 26. But editing the template in adsiedit is really last resort.

    Elke

    Monday, July 21, 2014 10:04 PM
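    A scripted version of the adsiedit.msc check Elke describes, added here as an example and not part of the thread: it lists every template in the Configuration partition whose msPKI-Cert-Template-OID is empty and flags populated OIDs that have no matching msPKI-Enterprise-Oid object in the CN=OID container. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the forest OID arc is held on the CN=OID object as Elke describes; the container paths are the standard ones, not values from this thread.

    ```powershell
    # Added example (not from the thread): report AD certificate templates whose
    # msPKI-Cert-Template-OID is empty, and cross-check populated OIDs against the
    # msPKI-Enterprise-Oid objects in the forest's CN=OID container.
    # Assumes the ActiveDirectory module (RSAT) and read access to the Configuration
    # naming context, which authenticated users normally have.
    Import-Module ActiveDirectory

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
    $templateDN = "CN=Certificate Templates,$pkiBase"
    $oidDN      = "CN=OID,$pkiBase"

    # The forest-specific OID arc is stored on the CN=OID container itself
    # (assumed layout, as described in the thread); template OIDs hang under it.
    $forestOid = (Get-ADObject -Identity $oidDN -Properties 'msPKI-Cert-Template-OID').'msPKI-Cert-Template-OID'
    "Forest OID arc: $forestOid"

    # Index every registered OID object by its OID value.
    $knownOids = @{}
    Get-ADObject -SearchBase $oidDN -LDAPFilter '(objectClass=msPKI-Enterprise-Oid)' `
                 -Properties 'msPKI-Cert-Template-OID','displayName' |
        Where-Object { $_.'msPKI-Cert-Template-OID' } |
        ForEach-Object { $knownOids[$_.'msPKI-Cert-Template-OID'] = $_.displayName }

    # Classify each template.
    $report = Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                           -Properties 'msPKI-Cert-Template-OID' |
        ForEach-Object {
            $oid = $_.'msPKI-Cert-Template-OID'
            if (-not $oid)                                 { $status = 'MISSING msPKI-Cert-Template-OID' }
            elseif (-not $knownOids.ContainsKey($oid))     { $status = 'no matching object in CN=OID' }
            elseif ($forestOid -and -not $oid.StartsWith("$forestOid.")) { $status = 'OID outside forest arc' }
            else                                           { $status = 'OK' }
            [pscustomobject]@{ Template = $_.Name; OID = $oid; Status = $status }
        }

    $report | Sort-Object Status, Template | Format-Table -AutoSize

    # The situation in the thread: every template lacks the attribute. The supported
    # first step is to re-install the defaults and let replication catch up, not to
    # hand-edit templates in ADSI Edit.
    $missing = @($report | Where-Object { $_.Status -like 'MISSING*' })
    if ($missing.Count -gt 0) {
        "$($missing.Count) template(s) have no OID; try 'certutil -installdefaulttemplates' and wait for AD replication."
    }
    ```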
    • Can you issue other end-entity certificates?

    I clicked on "Certificate Templates" - New - Certificate Template to Issue and selected "User". Then I tried to request a New Certificate through an MMC (Certificates - Current User), but it tells me that "Certificate types are not available" even though I have permission to Enroll.

    • Did you make additional changes (not listed in the article you have linked) such as configuring policy\DisableExtensionList ?

    No, except I specified my own OID from IANA in this section for both the root/intermediate CAs:

    [InternalPolicy]
    OID= 1.2.3.4.1455.67.89.5

    • Do you also see the error in the event log as described in this thread?

    Yes, I have this (the error code is different though the event ID is the same):

    EventID 96: Active Directory Certificate Services could not create an encryption certificate. Requested by DOMAIN\User. The parameter is incorrect. 0x80070057 (WIN32: 87).

    The XML View:

    <EventData Name="MSG_E_CANNOT_CREATE_XCHG_CERT">
      <Data Name="Disposition">Requested by DOMAIN\User</Data>
      <Data Name="ErrorCode">The parameter is incorrect. 0x80070057 (WIN32: 87)</Data>
    </EventData>

    The msPKI-Cert-Template-OID attribute for the CAExchange template is indeed "not set". This attribute is also empty for the Administrator template. This attribute seems to be empty on all the templates!

    Though I triggered an AD replication, this attribute remains empty. I have a similar setup in my lab (same steps and same CAPolicy.inf files used) that is working perfectly, and this attribute is populated for all the templates.

    What can I do in this situation? What might be the reason this attribute wasn't populated at all for the templates?




    • Edited by Flop' Monday, July 21, 2014 11:01 PM
    Monday, July 21, 2014 10:56 PM
  • The command was successful but the attribute is, unfortunately, still empty! (I forced the AD replication and restarted the CA service).

    EDIT:

    I deleted all the templates in ADSI then executed the command, now my templates have the attribute populated! Everything seems to work fine even the certificate request!



    • Edited by Flop' Monday, July 21, 2014 11:38 PM
    Monday, July 21, 2014 11:31 PM
  • Edit: I have typed this before I saw your most recent edit. So this is obsolete but I leave it here for reference.

    I would recommend opening a case with Microsoft then.

    "On principle" you could craft the missing OIDs by reading off the part of the OID unique for your forest as the OID property of the object named "CN=OID" in the Public Key Services container (in AD config. container)... and add the template specific suffix (just compare the structure and logic of OIDs with your lab).

    However, any OID used with templates should have a corresponding object in this OID container - and by just editing the template (which is already unsupported!) you would not create that object. There is no supported way to create these OID objects.

    As you asked for the root cause - I wonder if something happened to the permissions of the OID container... so that the OID objects could not be created.

    • Edited by Elke Stangl Monday, July 21, 2014 11:52 PM Add ref. to most recent edit by Flop
    Monday, July 21, 2014 11:47 PM
  • Great - I have just replied before I saw your most recent edit so this is obsolete.
    Monday, July 21, 2014 11:53 PM