CAPI2 errors on Windows Server 2008
Hi,

For the last several weeks I've been getting CAPI2 errors in my Application Event log:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 5/08/2010 10:57:47 AM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <Name>
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

In the extra details section it says: "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file."

I've enabled the extra CAPI2 logging under "Applications and Services\Microsoft\Windows\CAPI2". The majority of these errors seem to be to do with the file lsass.exe (but there are a heap of different event ID errors in there):

<UserData>
  <CertVerifyRevocation>
    <Certificate fileRef="A8A246D4FAB341C80E704659784060BF994F6C51.cer" subjectName="<Server>" />
    <IssuerCertificate fileRef="A8A246D4FAB341C80E704659784060BF994F6C51.cer" subjectName="<Server>" />
    <Flags value="8" CERT_VERIFY_REV_SERVER_OCSP_FLAG="true" />
    <AdditionalParameters timeToUse="2010-08-04T22:44:53.626Z" currentTime="2010-08-04T22:44:53.626Z" urlRetrievalTimeout="PT15S" />
    <RevocationStatus index="0" error="80092014" reason="0" />
    <EventAuxInfo ProcessName="lsass.exe" />
    <CorrelationAuxInfo TaskId="{E6D7E3EC-988D-4B57-9880-54CBE071DF31}" SeqNumber="3" />
    <Result value="80092014">The certificate is not in the revocation server's database.</Result>
  </CertVerifyRevocation>
</UserData>

I have already tried the fix of downloading the "Authrootstl.cab" file from the link in the error message, extracting the "Authroot.stl" and installing it but that doesn't seem to have made any difference.

Has anyone got any suggestions on what I can try to fix this? Windows Server 2008, SP2. Thanks.
August 6th, 2010 12:43am

Do all of the errors have this HRESULT?

<Result value="80092014">The certificate is not in the revocation server's database.</Result>

This might indicate that the issue is on the issuer's side of this certificate (the public facing servers issuing CRLs, Delta CRLs, and serving OCSP have not been updated with the latest list of certificates that have been issued and revoked):

A8A246D4FAB341C80E704659784060BF994F6C51.cer

But when I downloaded the stl from the same location I did not see it listed on the Trust List tab of the STL, did you see it? Also, if you open the certificates MMC and look at trusted root/intermediate stores, do any of the certs have the same thumbprint?

Ultimately if all of the errors are of the same HRESULT or a similar one (such as not being able to contact the OCSP server), then the error definitely is not on your side, rather the issuer's.

-- Mike Burr
August 6th, 2010 1:19am

Hi,

No, there seems to be a variety of errors with different values. As an example here's one that seems to be to do with McAfee:

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 9/08/2010 1:02:17 PM
Event ID: 11
Task Category: Build Chain
Level: Error
Keywords: Path Discovery,Path Validation
User: SYSTEM
Computer: <server>
Description: For more details for this event, please refer to the "Details" section
Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>11</Task>
    <Opcode>2</Opcode>
    <Keywords>0x8000000000000003</Keywords>
    <TimeCreated SystemTime="2010-08-09T01:02:17.728Z" />
    <EventRecordID>440914</EventRecordID>
    <Correlation />
    <Execution ProcessID="16780" ThreadID="17532" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer></Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="6F57D14A3225FFE6C69BD4BB3D649449D35A348A.cer" subjectName="McAfee, Inc." />
      <AdditionalStore>
        <Certificate fileRef="CDD4EEAE6000AC7F40C3802C171E30148030C072.cer" subjectName="Microsoft Root Certificate Authority" />
        <Certificate fileRef="C895AD48BF0335C59F8D532B2E1B90717DE3DF58.cer" subjectName="Orion_CA_HNZ-TS-01" />
        <Certificate fileRef="BE36A4562FB2EE05DBB3D32323ADF445084ED656.cer" subjectName="Thawte Timestamping CA" />
        <Certificate fileRef="A43489159A520F0D93D032CCAF37E7FE20A8B419.cer" subjectName="Microsoft Root Authority" />
        <Certificate fileRef="7F88CD7223F3C813818C994614A89C99FA3B5247.cer" subjectName="Microsoft Authenticode(tm) Root Authority" />
        <Certificate fileRef="245C97DF7514E7CF2DF8BE72AE957B9E04741E85.cer" subjectName="Copyright (c) 1997 Microsoft Corp." />
        <Certificate fileRef="18F7C1FCC3090203FD5BAA2F861A754976C8DD25.cer" subjectName="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc." />
        <Certificate fileRef="FEB8C432DCF9769ACEAE3DD8908FFD288665647D.cer" subjectName="Security Communication EV RootCA1" />
        <Certificate fileRef="FD1ED1E2021B0B9F73E8EB75CE23436BBCC746EB.cer" subjectName="D-TRUST Root Class 3 CA 2007" />
        <Certificate fileRef="FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B.cer" subjectName="certSIGN ROOT CA" />
        <Certificate fileRef="FAAA27B8CAF5FDF5CDA98AC3378572E04CE8F2E0.cer" subjectName="Certificado de la Clave Principal" />
        <Certificate fileRef="FAA7D9FB31B746F200A85E65797613D816E063B5.cer" subjectName="VRK Gov. Root CA" />
        <Certificate fileRef="FA0882595F9CA6A11ECCBEAF65C764C0CCC311D0.cer" subjectName="Certeurope Root CA 2" />
        <Certificate fileRef="F9DD19266B2043F1FE4B3DCB0190AFF11F31A69D.cer" subjectName="Correo Uruguayo - Root CA" />
        <Certificate fileRef="F9CD0E2CDA7624C18FBDF0F0ABB645B8F7FED57A.cer" subjectName="ComSign Secured CA" />
        <EventOverflow objectCount="289" />
      </AdditionalStore>
      <ExtendedKeyUsage />
      <Flags value="80000004" CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL="true" CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY="true" />
      <ChainEngineInfo context="user" />
      <CertificateChain chainRef="{DB98B37B-98F0-490D-8268-EC9A9760DCA5}">
        <TrustStatus>
          <ErrorStatus value="10001" CERT_TRUST_IS_NOT_TIME_VALID="true" CERT_TRUST_IS_PARTIAL_CHAIN="true" />
          <InfoStatus value="0" />
        </TrustStatus>
        <ChainElement>
          <Certificate fileRef="6F57D14A3225FFE6C69BD4BB3D649449D35A348A.cer" subjectName="McAfee, Inc." />
          <TrustStatus>
            <ErrorStatus value="1" CERT_TRUST_IS_NOT_TIME_VALID="true" />
            <InfoStatus value="2" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.5.5.7.3.3" name="Code Signing" />
          </ApplicationUsage>
          <IssuanceUsage>
            <Usage oid="2.16.840.1.113733.1.7.23.3" />
          </IssuanceUsage>
        </ChainElement>
      </CertificateChain>
      <EventAuxInfo ProcessName="Mcshield.exe" />
      <CorrelationAuxInfo TaskId="{D14E04EB-025C-4915-A22D-DAB08770A565}" SeqNumber="3" />
      <Result value="800B010A">A certificate chain could not be built to a trusted root authority.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>

And this one, which also generated an error in the Application log:

Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 9/08/2010 12:54:14 PM
Event ID: 11
Task Category: Build Chain
Level: Error
Keywords: Path Discovery,Path Validation
User: <User>
Computer: <Server>
Description: For more details for this event, please refer to the "Details" section
Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>11</Task>
    <Opcode>2</Opcode>
    <Keywords>0x8000000000000003</Keywords>
    <TimeCreated SystemTime="2010-08-09T00:54:14.242Z" />
    <EventRecordID>440883</EventRecordID>
    <Correlation />
    <Execution ProcessID="15832" ThreadID="18492" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer></Computer>
    <Security UserID="S-1-5-21-3981545194-652732638-3826550242-1347" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="51C731109CF66DD3F9C55D28A95D9E4DEA12FE97.cer" subjectName="Microsoft Certificate Trust List Publisher" />
      <AdditionalStore>
        <Certificate fileRef="375FCB825C3DC3752A02E34EB70993B4997191EF.cer" subjectName="Microsoft Time-Stamp PCA" />
        <Certificate fileRef="F77A3F82B7C4B3A9D869A93E3335CF1F78BC441E.cer" subjectName="Microsoft Certificate Trust List PCA" />
        <Certificate fileRef="CDD4EEAE6000AC7F40C3802C171E30148030C072.cer" subjectName="Microsoft Root Certificate Authority" />
        <Certificate fileRef="51C731109CF66DD3F9C55D28A95D9E4DEA12FE97.cer" subjectName="Microsoft Certificate Trust List Publisher" />
        <Certificate fileRef="80B9915817340CEE66D71EC27DA5F96EBF8D94D8.cer" subjectName="Microsoft Time-Stamp Service" />
      </AdditionalStore>
      <ExtendedKeyUsage>
        <Usage oid="1.3.6.1.4.1.311.10.3.9" name="Root List Signer" />
      </ExtendedKeyUsage>
      <Flags value="100" CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE="true" />
      <ChainEngineInfo context="user" />
      <CertificateChain chainRef="{489961B6-B8C8-4445-9845-294147305540}">
        <TrustStatus>
          <ErrorStatus value="1" CERT_TRUST_IS_NOT_TIME_VALID="true" />
          <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
        </TrustStatus>
        <ChainElement>
          <Certificate fileRef="51C731109CF66DD3F9C55D28A95D9E4DEA12FE97.cer" subjectName="Microsoft Certificate Trust List Publisher" />
          <TrustStatus>
            <ErrorStatus value="1" CERT_TRUST_IS_NOT_TIME_VALID="true" />
            <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.4.1.311.10.3.9" name="Root List Signer" />
          </ApplicationUsage>
          <IssuanceUsage />
        </ChainElement>
        <ChainElement>
          <Certificate fileRef="F77A3F82B7C4B3A9D869A93E3335CF1F78BC441E.cer" subjectName="Microsoft Certificate Trust List PCA" />
          <TrustStatus>
            <ErrorStatus value="0" />
            <InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.4.1.311.10.3.1" name="Microsoft Trust List Signing" />
            <Usage oid="1.3.6.1.4.1.311.10.3.9" name="Root List Signer" />
          </ApplicationUsage>
          <IssuanceUsage />
        </ChainElement>
        <ChainElement>
          <Certificate fileRef="CDD4EEAE6000AC7F40C3802C171E30148030C072.cer" subjectName="Microsoft Root Certificate Authority" />
          <TrustStatus>
            <ErrorStatus value="0" />
            <InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage any="true" />
          <IssuanceUsage any="true" />
        </ChainElement>
      </CertificateChain>
      <EventAuxInfo ProcessName="OUTLOOK.EXE" />
      <CorrelationAuxInfo TaskId="{F9BCADCD-6426-4617-B60D-FEF5AE7D6E13}" SeqNumber="15" />
      <Result value="800B0101">A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>

I've got no idea how to read these to find out exactly what is causing the problem and what I can do to fix it?
August 9th, 2010 5:54am
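
For reading events like the two posted above, here is an added example (not part of the original thread, and not Microsoft's tooling) that reduces each CAPI2 event to the calling process, the HRESULT, and the chain elements whose ErrorStatus carries a flag. The function names Get-Attr and Get-Capi2Summary are hypothetical, and $sample is a constructed event trimmed from the second one in the post.

```powershell
# Constructed sample: trimmed from the OUTLOOK.EXE event posted in this thread.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><TimeCreated SystemTime="2010-08-09T00:54:14.242Z" /></System>
  <UserData><CertGetCertificateChain><CertificateChain>
    <ChainElement>
      <Certificate fileRef="51C731109CF66DD3F9C55D28A95D9E4DEA12FE97.cer" subjectName="Microsoft Certificate Trust List Publisher" />
      <TrustStatus><ErrorStatus value="1" CERT_TRUST_IS_NOT_TIME_VALID="true" /></TrustStatus>
    </ChainElement>
    <ChainElement>
      <Certificate fileRef="F77A3F82B7C4B3A9D869A93E3335CF1F78BC441E.cer" subjectName="Microsoft Certificate Trust List PCA" />
      <TrustStatus><ErrorStatus value="0" /></TrustStatus>
    </ChainElement>
  </CertificateChain>
  <EventAuxInfo ProcessName="OUTLOOK.EXE" />
  <Result value="800B0101">A required certificate is not within its validity period.</Result>
  </CertGetCertificateChain></UserData>
</Event>
'@

# Hypothetical helper: attribute value, or nothing when the node is absent.
function Get-Attr($node, $name) { if ($node) { $node.GetAttribute($name) } }

function Get-Capi2Summary {
    param([Parameter(Mandatory = $true)][string[]]$EventXml)
    foreach ($text in $EventXml) {
        $doc = [xml]$text
        # local-name() sidesteps the event namespaces; the child of <UserData> is the logged CryptoAPI call.
        $call = $doc.SelectSingleNode("//*[local-name()='UserData']/*")
        if (-not $call) { continue }
        $time   = $doc.SelectSingleNode("//*[local-name()='TimeCreated']")
        $proc   = $call.SelectSingleNode("*[local-name()='EventAuxInfo']")
        $result = $call.SelectSingleNode("*[local-name()='Result']")
        # A chain element is reported when its <ErrorStatus> has any attribute set to "true".
        $bad = foreach ($el in $call.SelectNodes(".//*[local-name()='ChainElement']")) {
            $cert  = $el.SelectSingleNode("*[local-name()='Certificate']")
            $flags = @($el.SelectNodes("*[local-name()='TrustStatus']/*[local-name()='ErrorStatus']/@*") |
                Where-Object { $_.Value -eq 'true' } | ForEach-Object { $_.Name })
            if ($flags.Count) { '{0} [{1}]: {2}' -f (Get-Attr $cert 'subjectName'), (Get-Attr $cert 'fileRef'), ($flags -join ', ') }
        }
        New-Object psobject -Property @{
            Time = (Get-Attr $time 'SystemTime'); Process = (Get-Attr $proc 'ProcessName'); Call = $call.LocalName
            Result = (Get-Attr $result 'value'); Message = $result.InnerText; FailingCerts = @($bad)
        } | Select-Object Time, Process, Call, Result, Message, FailingCerts
    }
}

Get-Capi2Summary -EventXml $sample | Format-List
# Against the live log: $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } | ForEach-Object { $_.ToXml() }
# then: Get-Capi2Summary -EventXml $xml | Group-Object Process, Result | Sort-Object Count -Descending
```

Grouping by process and result separates the distinct failures (for example the Mcshield.exe 800B010A events from the OUTLOOK.EXE 800B0101 events), and FailingCerts names the certificate in each chain that carries the error flag.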

Hi,

I understand that you have tried the method 2 in the KB article 976235. However, as McAfee is known to cause the error message I suggest that we temporarily disable or uninstall the software to see if the issue continues. If the issue persists, let’s try the following:

Suggestion 1:
----------------
Please run the following command:

certutil -urlcache * delete

Suggestion 2:
----------------
1. Please back up and delete the contents of the following folders:

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

2. Please back up and delete the certificates listed under the "Certificates" key:

HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates

3. Please restart the server to check the result.

In addition, please help confirm if the server is accessing the Internet over a proxy.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 10th, 2010 10:21am

Hi, How's everything going? We've not heard back from you in a few days and wanted to check the current status of the issue. If you need further assistance, please do not hesitate to respond back. Thanks.
August 17th, 2010 8:37am

Hi, Sorry I've been away from work and have only just come back. I'm still getting occasional Capi2 errors in the Application log but they don't seem to be referring to McAfee anymore. I've just tried running the command in "Suggestion 1" above. Should I now give it a day or so to see if the errors reappear or should I also do "Suggestion 2" now? And no the Server doesn't access the Internet via a proxy.
August 19th, 2010 4:46am

Hi, Thanks for your update. Do you mean that the McAfee has been disabled? We can monitor the issue for a few days before we perform the suggestion 2. Thanks.
August 20th, 2010 4:33am

No, I didn't disable McAfee, the errors just haven't appeared for about a week. There were still some CAPI2 errors a couple of days ago though that seemed to relate back to the process IExplore.exe and another process that I've forgotten. This morning I've had no CAPI2 errors since running the command in your "Suggestion 1". It's Friday afternoon where I am in the world so I'm going to leave it over the weekend and report back on Monday with an update. Thanks.
August 20th, 2010 5:01am

It's now Monday and I haven't seen any CAPI2 errors appear over the weekend. I'm going to cautiously mark this down as being fixed with Suggestion 1 above, but I'll keep my eye on it. Thanks for the help!
August 23rd, 2010 5:03am

Hi, I hope you all have gone through http://support.microsoft.com/kb/2328240/ Regards, Sonu Chauhan
February 22nd, 2011 5:36pm

This topic is archived. No further replies will be accepted.
