Odd certutil backup behaviour

  • Question

  • Not sure if this is the right forum (mods, please move it if it isn't, as I can't find the Certificate Services forum in search).

    Win 2012 R2 running certificate services fully patched. UAC disabled (as a test).

    I have a local admin user called backup-user.

    If I open a cmd prompt and run:

    certutil -backup and all the rest of the command-line options, I get

    CertUtil: -backup command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    CertUtil: Access is denied.

    If I open up a PS prompt and run

    Backup-CARoleService with the appropriate arguments, I get

    Backup-CARoleService : Access is denied. (Exception from HRESULT: 0x80070005
    (E_ACCESSDENIED))

    But... If I put certutil -backup in a batch file and run it as a scheduled task under the same backup-user, it runs fine.

    Also, if I run the Certificate Authority GUI as the backup-user, I can also back up the CA just fine.

    I see someone else has an almost identical unanswered problem: https://social.technet.microsoft.com/Forums/ie/en-US/cb25730a-a71f-4d32-843c-4fb4d87b5972/remotely-executing-a-backupcaroleservice-returns-a-access-denied-after-what-appears-to-be?forum=winserverpowershell

    The answer there from AnnaWY (MSFT CSG) was to run it as a scheduled task, so I'm guessing that this is a known issue with certutil -backup in 2012 R2? (By the way, the exact same backup command works fine under 2008 R2.) Anyone else seen this?

    Tuesday, September 15, 2015 5:46 PM

All replies

  • Did you run the command from an elevated command prompt (or ps prompt)?

    Hth, Anders Janson Enfo Zipper

    • Marked as answer by M.a.r.k.T. _ Wednesday, September 16, 2015 2:00 PM
    Wednesday, September 16, 2015 12:12 PM
  • D'oh! "UAC disabled", so yes.
    Wednesday, September 16, 2015 12:35 PM
  • Sorry, missed that... I usually don't disable UAC, and that is the error you get when running the command from a non-elevated command prompt.

    So if the same account allows you to do this remotely or as a scheduled task, then that's weird. It works for me using an account with administrator privileges in Windows on the local CA and Manage permissions on the CA.

    I'd turn on auditing on the CA server and see what it says (CA mmc, properties of CA, auditing tab).

    EDIT: does certutil -backupdb work?


    Hth, Anders Janson Enfo Zipper


    Wednesday, September 16, 2015 12:57 PM
  • The backup must be run from an elevated prompt (or with elevation as a scheduled task)

    Brian

    • Proposed as answer by Brian Komar [MVP] Wednesday, September 16, 2015 1:20 PM
    • Unproposed as answer by M.a.r.k.T. _ Wednesday, September 16, 2015 1:24 PM
    Wednesday, September 16, 2015 1:20 PM
  • The backup must be run from an elevated prompt (or with elevation as a scheduled task)

    Brian

    @Brian, when UAC is disabled, there is no elevated command prompt. You may find these links useful:

    http://windows.microsoft.com/en-gb/windows/what-is-user-account-control#1TC=windows-7

    http://windows.microsoft.com/en-us/windows/turn-user-account-control-on-off#1TC=windows-7

    (Therefore, I have unmarked your answer that you prematurely proposed as the right answer.)

    @Anders: yes indeed - it is weird. :) I ran just the DB backup and got the same error:

    CertUtil: -backupDB command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    CertUtil: Access is denied.

    I checked last night's scheduled backup and it ran fine. I'm not worried therefore - just curious as to why both PS and a command prompt fail but a scheduled task works and also why, when someone else had this problem, AnnaWY suggested a scheduled task - it made me think that perhaps it's a known issue.

    Wednesday, September 16, 2015 1:37 PM
  • Did you enable auditing? Did the event logs show anything?


    Hth, Anders Janson Enfo Zipper

    Wednesday, September 16, 2015 1:43 PM
  • I don't believe it [slaps forehead]: The policy for the test OU had ConsentPromptBehaviorAdmin 0 but was missing EnableLUA 0, so it looked like it was OK but actually it wasn't. How could I have not spotted that? Back to school for me. :)

    Wednesday, September 16, 2015 2:00 PM
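The pre-flight check a practitioner would want before trusting a CA backup job, as an added PowerShell example (not code from the thread or from Microsoft): it reads the two UAC policy values named in the final post, confirms the current process actually holds the full administrator token, and only then calls Backup-CARoleService. `$BackupPath` is a placeholder; the defaults assumed for missing registry values (EnableLUA=1, ConsentPromptBehaviorAdmin=5) are the usual Windows defaults.

```powershell
# Added example: check UAC state and elevation before running a CA backup.
# Run on the CA host as the backup account (local admin + Manage CA permission).
$BackupPath = 'C:\CABackup'   # placeholder destination, change as needed

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey

# EnableLUA=1 means Admin Approval Mode is on: every admin logon gets a filtered
# (non-elevated) token, whatever ConsentPromptBehaviorAdmin is set to.
# ConsentPromptBehaviorAdmin=0 only removes the prompt; it does not remove filtering.
$enableLua    = if ($null -ne $uac.EnableLUA) { [int]$uac.EnableLUA } else { 1 }   # assumed default
$consentAdmin = if ($null -ne $uac.ConsentPromptBehaviorAdmin) {
                    [int]$uac.ConsentPromptBehaviorAdmin } else { 5 }             # assumed default

Write-Host "EnableLUA=$enableLua ConsentPromptBehaviorAdmin=$consentAdmin"

if ($enableLua -eq 1 -and $consentAdmin -eq 0) {
    # This is exactly the half-applied policy from the thread: looks like "UAC off",
    # but a plain cmd/PS prompt still runs with the filtered token.
    Write-Warning 'ConsentPromptBehaviorAdmin=0 without EnableLUA=0: UAC token filtering is still active.'
}

# Does THIS process hold the full administrator token? With a filtered token the
# Administrators SID is deny-only and IsInRole() returns $false.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isElevated) {
    # Fail early with a clear reason instead of the bare 0x80070005 from certutil.
    throw 'Not elevated: Backup-CARoleService would fail with 0x80070005 (E_ACCESSDENIED). ' +
          'Re-run from an elevated prompt, or as a scheduled task that runs with highest privileges.'
}

Import-Module ADCSAdministration
# Database-only backup, matching the certutil -backupDB test in the thread.
Backup-CARoleService -Path $BackupPath -DatabaseOnly
```

If the warning fires, fix the policy (EnableLUA=0 together with ConsentPromptBehaviorAdmin=0, followed by a reboot) rather than working around it with a scheduled task, so interactive and scheduled runs behave the same.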