The Active Directory Certificate Services service terminated with service-specific error %%-2146893807.

    Question

  • hi all,

    Here I am experiencing a problem with Active Directory Certificate Services. The service stopped suddenly, and when I try to restart it, there are two events created as follows:

    Log Name:      System

    Source:        Service Control Manager

    Date:          1/9/2012 11:35:51 AM

    Event ID:      7024

    Task Category: None

    Level:         Error

    Keywords:      Classic

    User:          N/A

    Computer:      cert.polo.com

    Description:

    The Active Directory Certificate Services service terminated with service-specific error %%-2146893807.


    Log Name:      Application

    Source:        Microsoft-Windows-CertificationAuthority

    Date:          1/9/2012 11:35:51 AM

    Event ID:      100

    Task Category: None

    Level:         Error

    Keywords:      Classic

    User:          SYSTEM

    Computer:      cert.polo.com

    Description:

    Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  POLO Object was not found. 0x80090011 (-2146893807).

    These two errors are generated every time we try to start the Active Directory Certificate Services service.

    Has anybody gone through a situation like this?

    thanks.

    Monday, January 09, 2012 9:31 AM

All replies

  • This means that the certificate (CA certificate) is not found in the certificate store (local machine). Open a blank MMC console, add the Certificates snap-in (focused on the computer account) and check the Personal store.

    Also, do you use any HSM?


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Monday, January 09, 2012 11:24 AM
  • hi,

    The CA certificate is there in the Personal store of the certificate store, and it is not expired.

    Tuesday, January 10, 2012 6:08 AM
  • Run the command certutil -verifystore my and verify that there are no issues reported with the certificate. If you are using an HSM, ensure that you have connectivity to the HSM.

    Brian

    • Proposed as answer by Brian Komar [MVP] Tuesday, January 10, 2012 12:35 PM
    • Unproposed as answer by mrMEW Friday, January 27, 2012 5:31 AM
    Tuesday, January 10, 2012 12:35 PM
  • Also, make sure the private key is associated with the CA certificate.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Tuesday, January 10, 2012 6:55 PM
  • hi,

    Here is my result for the "certutil -verifystore my" command:

    my
    ================ Certificate 0 ================
    Serial Number: 61c69c7b000000000002
    Issuer: POLO, DC=polo, DC=com
     NotBefore: 11/25/2011 6:08 PM
     NotAfter: 11/24/2012 6:08 PM
    Subject: CN=cert.polo.com
    Certificate Template Name (Certificate Type): Machine
    Non-root Certificate
    Template: Machine, Computer
    Cert Hash(sha1): f9 47 13 70 86 1d f7 c4 2d 1b 4f dc 0c a8 f2 5f ab 56 dd 5b
      Key Container = 08428145938f6dba39bf9dc1af7c821e_7bc55cfc-4e5d-4d06-8de4-aeedf3b0c210
      Simple container name: le-Machine-e6f16ae4-207b-448b-bfe2-0c1bbb6b53cb
      Provider = Microsoft RSA SChannel Cryptographic Provider
    Private key is NOT exportable
    Encryption test passed
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 17 Hours, 7 Minutes, 51 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 17 Hours, 7 Minutes, 51 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
      Issuer: POLO, DC=polo, DC=com
      NotBefore: 11/25/2011 6:08 PM
      NotAfter: 11/24/2012 6:08 PM
      Subject: CN=cert.polo.com
      Serial: 61c69c7b000000000002
      SubjectAltName: DNS Name=cert.polo.com
      Template: Machine
      f9 47 13 70 86 1d f7 c4 2d 1b 4f dc 0c a8 f2 5f ab 56 dd 5b
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
        CRL 24:
        Issuer: POLO, DC=polo, DC=com
        7d 85 f7 ef ba f8 8e 55 40 a4 ec 03 5d 84 33 9d 35 ac c0 6c
        Delta CRL 2a:
        Issuer: POLO, DC=polo, DC=com
        e8 dc 51 5b e6 5f 5a 5b 04 0e 84 58 02 51 97 2c fe a4 6e cf
      Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
      Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: POLO, DC=polo, DC=com
      NotBefore: 11/25/2011 6:07 PM
      NotAfter: 11/25/2026 6:17 PM
      Subject: POLO, DC=polo, DC=com
      Serial: 69d4612091a5f79a42c86cad312b4fa9
      3b b5 1b 90 96 33 5f 47 36 16 50 cc 60 11 2f 37 51 8f ad 77
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      7a e9 34 bb da 2d 68 c8 d2 41 c0 0e 53 f8 1c 4b b8 30 e6 9f
    Full chain:
      e0 ec b7 81 54 04 17 05 b2 e4 ac 9e 8b b4 2a 36 0c c1 38 ac
      Issuer: POLO, DC=polo, DC=com
      NotBefore: 11/25/2011 6:08 PM
      NotAfter: 11/24/2012 6:08 PM
      Subject: CN=cert.polo.com
      Serial: 61c69c7b000000000002
      SubjectAltName: DNS Name=cert.polo.com
      Template: Machine
      f9 47 13 70 86 1d f7 c4 2d 1b 4f dc 0c a8 f2 5f ab 56 dd 5b
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline
    Certificate is valid

    ================ Certificate 1 ================
    Serial Number: 69d4612091a5f79a42c86cad312b4fa9
    Issuer: POLO, DC=polo, DC=com
     NotBefore: 11/25/2011 6:07 PM
     NotAfter: 11/25/2026 6:17 PM
    Subject: POLO, DC=polo, DC=com
    CA Version: V0.0
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Template:
    Cert Hash(sha1): 3b b5 1b 90 96 33 5f 47 36 16 50 cc 60 11 2f 37 51 8f ad 77
      Key Container = POLO
      Provider = Microsoft Software Key Storage Provider
    Encryption test FAILED
    Verified Issuance Policies: All
    Verified Application Policies: All
    Certificate is valid
    CertUtil: -verifystore command completed successfully.

    Have a look at the bold lines. The certificate service is down and cannot start. Other than that the certificate seems OK.

    thanks

    • Edited by mrMEW Wednesday, January 11, 2012 7:43 AM edited
    Wednesday, January 11, 2012 6:07 AM
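    Added example (not code from this thread, from Microsoft, or from any poster): a small Python parser for the `certutil -verifystore my` output above. It splits the output per certificate and flags any certificate whose private key failed the encryption test, which is the line that matters in this thread: Certificate 1, the self-signed CA certificate with Key Container = POLO, reports "Encryption test FAILED" while the certificate itself is reported as valid. The embedded sample text is trimmed from the output posted above (chain-context detail lines dropped); the record fields and the `triage` wording are my own, and the mapping of the symptom to 0x80090011 (NTE_NOT_FOUND, "Object was not found") follows the event text quoted in the first post.

```python
# Parse `certutil -verifystore my` output and flag certificates whose
# private key failed the encryption test (key missing or unusable).
import re
from dataclasses import dataclass
from typing import List, Optional

# Trimmed from the thread's own `certutil -verifystore my` output;
# most chain-context lines are omitted, two are kept to exercise the parser.
SAMPLE_OUTPUT = """\
================ Certificate 0 ================
Serial Number: 61c69c7b000000000002
Issuer: POLO, DC=polo, DC=com
Subject: CN=cert.polo.com
Cert Hash(sha1): f9 47 13 70 86 1d f7 c4 2d 1b 4f dc 0c a8 f2 5f ab 56 dd 5b
  Key Container = 08428145938f6dba39bf9dc1af7c821e_7bc55cfc-4e5d-4d06-8de4-aeedf3b0c210
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
-------- CERT_CHAIN_CONTEXT --------
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: POLO, DC=polo, DC=com
  Subject: POLO, DC=polo, DC=com
Certificate is valid

================ Certificate 1 ================
Serial Number: 69d4612091a5f79a42c86cad312b4fa9
Issuer: POLO, DC=polo, DC=com
Subject: POLO, DC=polo, DC=com
CA Version: V0.0
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 3b b5 1b 90 96 33 5f 47 36 16 50 cc 60 11 2f 37 51 8f ad 77
  Key Container = POLO
  Provider = Microsoft Software Key Storage Provider
Encryption test FAILED
Certificate is valid
CertUtil: -verifystore command completed successfully.
"""


@dataclass
class StoreCert:
    index: int
    serial: str = ""
    subject: str = ""
    issuer: str = ""
    sha1: str = ""
    key_container: str = ""
    provider: str = ""
    is_ca: bool = False               # "CA Version:" line present
    self_signed: bool = False         # "Root Certificate: Subject matches Issuer"
    encryption_test: str = "not run"  # "passed" or "FAILED"
    valid: bool = False

    @property
    def key_unusable(self) -> bool:
        return self.encryption_test == "FAILED"


def parse_verifystore(text: str) -> List[StoreCert]:
    """Split certutil output into one record per certificate. Only the first
    Issuer/Subject of a block belong to the certificate itself; later ones are
    nested chain-context lines and are ignored."""
    certs: List[StoreCert] = []
    cur: Optional[StoreCert] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"=+ Certificate (\d+) =+$", line)
        if m:
            cur = StoreCert(index=int(m.group(1)))
            certs.append(cur)
            continue
        if cur is None or not line:
            continue
        val = line.split(":", 1)[1].strip() if ":" in line else ""
        if line.startswith("Serial Number:"):
            cur.serial = val
        elif line.startswith("Issuer:") and not cur.issuer:
            cur.issuer = val
        elif line.startswith("Subject:") and not cur.subject:
            cur.subject = val
        elif line.startswith("Cert Hash(sha1):"):
            cur.sha1 = val.replace(" ", "")
        elif line.startswith("Key Container ="):
            cur.key_container = line.split("=", 1)[1].strip()
        elif line.startswith("Provider ="):
            cur.provider = line.split("=", 1)[1].strip()
        elif line.startswith("CA Version:"):
            cur.is_ca = True
        elif line == "Root Certificate: Subject matches Issuer":
            cur.self_signed = True
        elif line.startswith("Encryption test "):
            cur.encryption_test = line[len("Encryption test "):]
        elif line == "Certificate is valid":
            cur.valid = True
    return certs


def certs_with_unusable_key(certs: List[StoreCert]) -> List[StoreCert]:
    return [c for c in certs if c.key_unusable]


def triage(certs: List[StoreCert]) -> List[str]:
    """One finding per certificate whose key test failed. A CA certificate in
    this state is the symptom in this thread: certsvc cannot load its CA key
    and logs event 100 with 0x80090011 (NTE_NOT_FOUND, "Object was not found")."""
    findings = []
    for c in certs_with_unusable_key(certs):
        role = "CA certificate" if (c.is_ca or c.self_signed) else "certificate"
        findings.append(
            f"{role} '{c.subject}' (serial {c.serial}): private key in container "
            f"'{c.key_container}' via '{c.provider}' failed the encryption test, "
            "so the key is missing or unusable although the certificate is valid")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_verifystore(SAMPLE_OUTPUT)):
        print(finding)
```

    To use it on a live box, save the real `certutil -verifystore my` output to a file and pass its contents to `parse_verifystore` instead of `SAMPLE_OUTPUT`; "Certificate is valid" on its own says nothing about the key, which is why the check keys on the encryption test line rather than on the validity line.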
  • Hi, I'm no expert at this but you could try the following; anybody with better suggestions please contribute. You can check:

    1. CA: are all containers present in Public Key Services? It may be easiest to check with pkiview.msc -> Manage AD Containers (for Enterprise PKI). You should see your CA under Certification Authorities in PKI View.

    2. Are the database and logs available for AD CS?

    3. Are the CA's certificate + private key in the computer certificate store?

    4. If an upper CA higher in the hierarchy signed your CA's certificate, is there a CRL or an OCSP responder available to the certsvc service?

    5. Do you really have contact with a domain controller?

    6. Check time sync.

     --------------------------------------------------------------------------------------------------------------------

    First, you must have a trust of your root in AD DS, i.e. certutil -f -dspublish dittrootcertutanprivatnyckel.cer RootCA

    Second, your root must have a CRL that is valid and available to the AD CS certsvc when the service starts. OCSP also works. Unless you solve these two basic requirements, your AD CS will NEVER start!

    1. You should have a KRA object when you look in adsiedit.msc. Check under Configuration -> Services -> Public Key Services -> KRA.

    2. Publish your root cert to AD DS again (as domain admin) with the command certutil -f -dspublish dittrootcertutanprivatnyckel.cer RootCA

    3. What members do you have in the groups "Certificate Service DCOM Access" and "Cert Publishers"?

    If the Delta CRL and Base CRL in the CDP container are expired: reboot your CA. Try to publish CRLs from your CA. Use the command certutil -CRL ["Publish Delta CRLs to this location" is set to LDAP, and run the command certutil -CRL]. Then reboot the server again and see if PKI View still complains that your CRLs are old or expired.

    • Edited by DIFFMEISTER Wednesday, January 11, 2012 7:36 PM
    Wednesday, January 11, 2012 7:34 PM
  • Hi, I'm no expert at this but you could try the following; anybody with better suggestions please contribute. You can check:

    1. CA: are all containers present in Public Key Services? It may be easiest to check with pkiview.msc -> Manage AD Containers (for Enterprise PKI). You should see your CA under Certification Authorities in PKI View.

    2. Are the database and logs available for AD CS?

    3. Are the CA's certificate + private key in the computer certificate store?

    4. If an upper CA higher in the hierarchy signed your CA's certificate, is there a CRL or an OCSP responder available to the certsvc service?

    5. Do you really have contact with a domain controller?

    6. Check time sync.

     --------------------------------------------------------------------------------------------------------------------

    First, you must have a trust of your root in AD DS, i.e. certutil -f -dspublish dittrootcertutanprivatnyckel.cer RootCA

    Second, your root must have a CRL that is valid and available to the AD CS certsvc when the service starts. OCSP also works. Unless you solve these two basic requirements, your AD CS will NEVER start!

    1. You should have a KRA object when you look in adsiedit.msc. Check under Configuration -> Services -> Public Key Services -> KRA.

    2. Publish your root cert to AD DS again (as domain admin) with the command certutil -f -dspublish dittrootcertutanprivatnyckel.cer RootCA

    3. What members do you have in the groups "Certificate Service DCOM Access" and "Cert Publishers"?

    If the Delta CRL and Base CRL in the CDP container are expired: reboot your CA. Try to publish CRLs from your CA. Use the command certutil -CRL ["Publish Delta CRLs to this location" is set to LDAP, and run the command certutil -CRL]. Then reboot the server again and see if PKI View still complains that your CRLs are old or expired.


    Your suggestions have no relation to the topic's issue.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Thursday, January 12, 2012 8:29 AM
  • According to the provided details, we can see that you also get the error message saying “Object was not found” when you try to click “Manage private keys” in the MMC console. The possible cause is the missing private key of this certificate. To resolve the missing private key, we need to restore the previous backup to the CA. Based on the current status, please let me know if you have a previous backup of the CA. If so, please restore it to the CA and check the status again.
    Microsoft TechNet Forum Bandara
    Friday, January 13, 2012 5:30 PM
  • According to the provided details, we can see that you also get the error message saying “Object was not found” when you try to click “Manage private keys” in the MMC console. The possible cause is the missing private key of this certificate. To resolve the missing private key, we need to restore the previous backup to the CA. Based on the current status, please let me know if you have a previous backup of the CA. If so, please restore it to the CA and check the status again.
    Microsoft TechNet Forum Bandara

    With only one clarification: only the private key must be restored (not the entire CA with DB and settings).
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Friday, January 13, 2012 5:46 PM
  • hi,

    Yes, it was there. But later, when we try to export the CA certificate, it allows export with the private key. Even if we try to repair the store using "certutil -repairstore", it ends in a successful state.

    Moreover, I can confirm this situation doesn't relate to any HSM configuration, since we moved the certificate server VM to another host. Unfortunately the result is the same.

    Unluckily, we couldn't find any backup of the CA since it was working in normal condition. Now, as an option, we are thinking of re-installing the CA on another server using the same root certificate which was issued from the above CA. Folks, your ideas on this are really appreciated.

    Here are some links which were helpful to troubleshoot this issue further.

    http://technet.microsoft.com/en-us/library/dd299867%28WS.10%29.aspx

    http://eventid.net/display-eventid-100-source-CertSvc-eventno-2711-phase-1.htm

    http://khurramullah.blogspot.com/2008/08/certificate-services-unable-to-start.html

    http://www.network-builders.com/certificate-services-t11895.html

    http://support.microsoft.com/kb/952722

    http://www.spywarepoint.com/certutil-help-t62418.html

    http://kb.prismmicrosys.com/evtpass/evtpages/EventId_100_Microsoft-Windows-CertificationAuthority_61773.asp

    http://bizsupport1.austin.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=110&prodSeriesId=1840637&prodTypeId=18964&objectID=c01419892&printver=true

    Thanks


    • Edited by mrMEW Friday, January 13, 2012 5:54 PM edited
    Friday, January 13, 2012 5:54 PM

  • Microsoft TechNet Forum Bandara
    Friday, January 13, 2012 7:10 PM
  • Version can be a possible scenario for this case, because here we use 2k8 Std.
    Microsoft TechNet Forum Bandara
    Friday, January 13, 2012 7:12 PM
  • Version can be a possible scenario for this case, because here we use 2k8 Std.
    Microsoft TechNet Forum Bandara


    unfortunately, this is not the case. The problem was indicated in the starting post — invalid certificate or missing private key.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Friday, January 13, 2012 7:27 PM
  • Hi Vadim:

    Why did it suddenly happen on this CA server? What could be the issue (for the invalid certificate or missing private key)?


    Microsoft TechNet Forum Bandara
    Sunday, January 15, 2012 10:08 AM
  • I don't know why.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Monday, January 16, 2012 8:51 AM
  • Hi Vadims/Manjula

    Why did it happen??

    Private keys for the Microsoft RSA-based CSPs reside in the user profile under RootDirectory%\Application Data\Microsoft\Crypto\RSA and they must be protected. Public key and private key (key pairs) are used together in encryption and decryption operations. If the private keys are missing, the public key and private key cannot match, and that's why the service cannot work well.

    Answer from the Microsoft support team.


    Microsoft TechNet Forum Bandara
    Wednesday, January 25, 2012 6:16 AM
  • The path is slightly different (in this case): %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Wednesday, January 25, 2012 7:10 AM
  • hi all

    As there was no proper solution, we had to re-install the certificate server after removing all the certificate-related objects from Active Directory.

    Thanks

    Friday, January 27, 2012 5:34 AM