Active Directory Web Services was unable to process the server certificate.
Hi there,
we are encountering the following problem, which we cannot explain:
Active Directory Web Services, Source: ADWS, Event 1402, Warning
Active Directory Web Services was unable to process the server certificate. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certificate Authority
(CA) is installed on the machine.
Certificate name: <SOMEHOST>.<SOMEDOMAIN>.COM
The server has exactly one valid certificate with the following properties:
- v3 template (2008)
- Server Authentication EKU
- SAN: DNS
- RSA 4096 / SHA256 (no alternate signature format)
- Empty Subject Name (also tested with CN)
- Provider = Microsoft Software Key Storage Provider
- Private key is NOT exportable
ADWS is running as SYSTEM (default) and the private key is accessible and configured for SYSTEM: Full Control.
The debug-log shows:
ADWSHostFactory: [5/23/2012 4:41:58 PM] [5] ProvisionCertificate: caught a CryptographicException: System.Security.Cryptography.CryptographicException: Invalid provider type specified.
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Microsoft.ActiveDirectory.WebServices.ADWSHostFactory.ProvisionCertificate(ServiceHost host)
ADWSHostFactory: [5/23/2012 4:41:58 PM] [5] ProvisionCertificate: skipping certificate provisioning
There is just one other certificate with the same name, but it's a Remote Desktop Authentication-EKU one.
Anyone, any ideas?
Thanks,
MMF
May 23rd, 2012 10:15am
Hmm, I think I found the solution. Hooray :(
http://blogs.msdn.com/b/alejacma/archive/2009/12/22/invalid-provider-type-specified-error-when-accessing-x509certificate2-privatekey.aspx
CNG seems to be not supported by the ADWS-application, as it is obviously written in .NET < 3.5 SP1.
Am I right, Microsoft? Or at least guessing in the right direction? ;)
I reverted back to a Windows Server 2003 Template, using the RSA SChannel CSP, and - it's working :)
Still - it is only working, if the RSA SChannel CSP is chosen and the certificate has a subject name == Common Name.
If I enroll a KerberosAuthentication-Certificate (MS-Default, which I need for the additional domain SANs), it is not used by ADWS.
Epic bug.... as it does not have a Subject Name per default.
(Btw: The CNG certificate is working fine for "normal" LDAPS by ADDS)
Now to mark my own answer... ;)
MMF
May 23rd, 2012 10:56am
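The stack trace in the original post fails inside `X509Certificate2.get_PrivateKey`, the legacy CAPI accessor. The following added example (not from the thread, not Microsoft's code) audits the machine store for the constraints MMF found: Server Authentication EKU, a bound private key, a non-empty Subject, and a key that the legacy accessor can open. It assumes Windows PowerShell 5.1 running elevated; the `Test-AdwsCandidateCertificate` function name is hypothetical.

```powershell
# Added example: report which LocalMachine\My certificates the legacy
# X509Certificate2.PrivateKey accessor can open, and why the others fail.
# Assumes Windows PowerShell 5.1 (.NET Framework) run in an elevated session.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)

function Test-AdwsCandidateCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $reasons = New-Object System.Collections.Generic.List[string]

    # 1. Server Authentication EKU must be present
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    if (-not $hasServerAuth) { $reasons.Add('no Server Authentication EKU') }

    # 2. A private key must be bound to the certificate
    if (-not $Cert.HasPrivateKey) { $reasons.Add('no private key bound') }

    # 3. The poster found ADWS ignores SAN-only certificates with an empty Subject
    if ([string]::IsNullOrWhiteSpace($Cert.Subject)) { $reasons.Add('empty Subject (SAN only)') }

    # 4. The legacy accessor throws "Invalid provider type specified" for CNG/KSP keys;
    #    a CSP (CAPI) key yields an RSACryptoServiceProvider with a provider name.
    $provider = $null
    if ($Cert.HasPrivateKey) {
        try {
            $pk = $Cert.PrivateKey
            if ($null -eq $pk) { $reasons.Add('legacy accessor returned nothing (CNG key?)') }
            else { $provider = $pk.CspKeyContainerInfo.ProviderName }
        } catch {
            $msg = $_.Exception.GetBaseException().Message
            $reasons.Add("legacy accessor failed: $msg (CNG/KSP key?)")
        }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Provider   = $provider
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-AdwsCandidateCertificate -Cert $_ } |
    Format-Table Thumbprint, Subject, Provider, Usable, Reasons -AutoSize
```

A certificate reported with a Provider such as "Microsoft RSA SChannel Cryptographic Provider" and Usable = True matches the working configuration described in the thread; one whose reason mentions the legacy accessor is a KSP-backed key that this code path cannot open.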