RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

When you try to start the Certification Authority (CA) service, it fails to start.
You may experience the following symptoms:
• After the machine on which the CA (Certificate Authority) is installed the CA Service appears to be started, but attempts to stop the CA Service are failing.
• The following error appears in the event log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10.03.2008
Time: 13:41:10
User: N/A
Computer: CA_Server
Description:
The server {D99E6E73-FC88-11D0-B498-00A0C90312F3} did not register with DCOM within the required timeout.
• "d99e6e73-fc88-11d0-b498-00a0c90312f3" resolves to CCertAdminD.
• When you attempt to ping the CA locally or remotely using "certutil -ping", after a longer period of time it fails with "Server execution failed 0x80080005 (-2146959355)", which resolves to CO_E_SERVER_EXEC_FAILURE.
• Internally, the following error corresponds to the error displayed by certutil:
ole32!CClientContextActivator::CreateInstance returns 80080005
• The output of rpcdump shows that the Certificate Server RPC interfaces are not registered:
"
UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncalrpc:[OLEBB84529DBB4F460BBE49579DD000]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_np:\\\\W2K3TESTCA[\\pipe\\cert]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_ip_tcp:10.10.10.10[1089]
"
This type of behavior can be caused by the following:
1. During the CA installation, the CSP is set not to interact with the desktop.
2. When the remote desktop session is created without the "console" switch and the CA is installed and administered from this session.
3. In all other scenarios in which CryptExportPublicKeyInfo does not properly return due to errors in the CSP or HSM.

1. If the CA is administered using remote desktop, make sure that the console switch and session are specified.
2. Make sure that the CSP used for the CA keys can interact with the desktop.
3. If an HSM is used for the CA keys, make sure that it is properly configured.
4. Make sure that CryptExportPublicKeyInfo returns successfully.

The problem can be traced during the failed CA service startup, when CryptExportPublicKeyInfo (a function defined in crypt32.dll) fails to get the required information from the third-party CSP. As a result, the CA server does not start properly and its RPC interfaces are not registered, which leads to the inconsistent and confusing behavior.
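
The three symptoms above can be checked together against text captured from the CA server. The following Python sketch is an added example, not part of the original article or any Microsoft tooling; the function names and sample captures are constructed, it parses the "UUID:" / binding layout quoted above, and it assumes that the UUID in that listing identifies the Certificate Services RPC interface.

```python
import re

# Identifiers quoted in the article.
CCERTADMIND_CLSID = "d99e6e73-fc88-11d0-b498-00a0c90312f3"
CERT_RPC_UUID = "91ae6020-9e3c-11cf-8d7c-00aa00c091be"  # assumed: CA RPC interface
CO_E_SERVER_EXEC_FAILURE = 0x80080005

def dcom_timeout_for_ca(event_text):
    """True for a DCOM event 10010 whose description names CCertAdminD's CLSID."""
    fields = dict(re.findall(r"^Event (Source|ID):\s*(\S+)", event_text, re.M))
    clsids = {c.lower() for c in re.findall(r"\{([0-9A-Fa-f-]{36})\}", event_text)}
    return (fields.get("Source") == "DCOM" and fields.get("ID") == "10010"
            and CCERTADMIND_CLSID in clsids)

def ping_exec_failure(certutil_text):
    """True if the certutil -ping output carries 0x80080005."""
    codes = {int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{8})\b", certutil_text)}
    return CO_E_SERVER_EXEC_FAILURE in codes

def cert_rpc_protseqs(rpcdump_text):
    """Protocol sequences on which CERT_RPC_UUID has an endpoint listed."""
    seqs, uuid = set(), None
    for line in (l.strip() for l in rpcdump_text.splitlines()):
        m = re.match(r"UUID:\s*([0-9A-Fa-f-]{36})$", line)
        if m:
            uuid = m.group(1).lower()  # remember which UUID the next binding belongs to
        elif uuid == CERT_RPC_UUID and re.match(r"nca\w+:", line):
            seqs.add(line.split(":", 1)[0])
    return seqs

def triage(event_text, certutil_text, rpcdump_text):
    """List which of the article's symptoms appear in the captured text."""
    found = []
    if dcom_timeout_for_ca(event_text):
        found.append("DCOM 10010 for CCertAdminD")
    if ping_exec_failure(certutil_text):
        found.append("certutil -ping: CO_E_SERVER_EXEC_FAILURE")
    if not cert_rpc_protseqs(rpcdump_text):
        found.append("cert RPC UUID has no endpoint")
    return found

# Constructed sample captures (event and error text follow the article's wording).
EVENT = ("Event Source: DCOM\nEvent ID: 10010\nDescription:\nThe server "
         "{D99E6E73-FC88-11D0-B498-00A0C90312F3} did not register with DCOM "
         "within the required timeout.")
PING = "Server execution failed 0x80080005 (-2146959355)"
RPC_MISSING = "UUID: 00000000-0000-0000-0000-000000000001\nncalrpc:[constructed]"
RPC_PRESENT = f"UUID: {CERT_RPC_UUID}\nncacn_ip_tcp:10.10.10.10[1089]"
print(triage(EVENT, PING, RPC_MISSING))
```

When all three findings are returned, the captures match the pattern described in this article, and the CSP or HSM configuration is the next thing to check.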