NPS Server: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider
Following on from my earlier thread, one of my DCs that also functions as an NPS server seems to still have an issue:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/82610054-7d9f-4c62-b2e0-06ea676a5166
Turning up the SChannel logging, I get this error message:
Log Name: System
Source: Schannel
Date: 11/05/2012 4:32:24 p.m.
Event ID: 36877
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: DC.MY.LAN
Description:
The certificate received from the remote client application has not validated correctly. The error code is 0x80092013. The attached data contains the client certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36877</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-05-11T04:32:24.368328000Z" />
<EventRecordID>17319</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="3012" />
<Channel>System</Channel>
<Computer>DC.MY.LAN</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="ErrorCode">0x80092013</Data>
<Binary>…</Binary>
</EventData>
</Event>
Running a Certutil -TCAInfo command, I get this:
===============================================================
CA Name: EXCHANGE
Machine Name: NEWCA.MY.LAN
DS Location: CN=EXCHANGE,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=MY,DC=LAN
Cert DN: CN=EXCHANGE, DC=MY, DC=LAN
CA Registry Validity Period: 2 Years -- 11/05/2014 4:49 p.m.
NotAfter: 24/03/2017 7:38 a.m.
Connecting to NEWCA.MY.LAN\EXCHANGE ...
Server "EXCHANGE" ICertRequest2 interface is alive
Enterprise Root CA
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=EXCHANGE, DC=MY, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=EXCHANGE, DC=MY, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Issuer: CN=EXCHANGE, DC=MY, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=EXCHANGE, DC=MY, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------
Supported Certificate Templates:
Cert Type[0]: CodeSigning (Code Signing)
Cert Type[1]: Copy of RAS and IAS Server (Copy of RAS and IAS Server)
Cert Type[2]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[3]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[4]: EFSRecovery (EFS Recovery Agent)
Cert Type[5]: EFS (Basic EFS)
Cert Type[6]: DomainController (Domain Controller)
Cert Type[7]: WebServer (Web Server)
Cert Type[8]: Machine (Computer)
Cert Type[9]: User (User)
Cert Type[10]: SubCA (Subordinate Certification Authority)
Cert Type[11]: Administrator (Administrator)
Validated Cert Types: 12
================================================================
NEWCA.MY.LAN\EXCHANGE:
Enterprise Root CA
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
Online
If I point the Wireless AP to a different NPS server it works fine, so it's something on this particular one (I have uninstalled and reinstalled NPS).
Something is obviously still a little screwy - any suggestions?
May 11th, 2012 7:58am
Doing some more examination, the NPS server that works has only one valid version of the CA cert. The other NPS server has duplicate copies. Deleting one of the duplicates from the CA Trusted root store and restarting NPS seems to do the job. I'll test on another.
May 13th, 2012 5:48pm
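The duplicate-certificate condition described in this post can be checked with a script rather than by eye. The following PowerShell is an added example, not from the thread or from Microsoft. It assumes NPS reads the machine store at Cert:\LocalMachine\Root (an assumption) and lists every subject that appears more than once there with its validity dates, so the stale copy can be identified before anything is deleted; the expired 2007 root and the renewed one in the -DCInfo listing later in the thread share the same subject and would be reported together.

```powershell
# Added example, not from the thread: list CA certificates that are present more
# than once (same Subject) in the local machine's Trusted Root store, the
# condition the poster found on the failing NPS server. Run elevated on the NPS
# host. The store path is an assumption; NPS uses the machine store.
param(
    [string]$StorePath = 'Cert:\LocalMachine\Root'
)

$now = Get-Date

# One group per Subject; only subjects with two or more certificates matter here.
$duplicates = Get-ChildItem -Path $StorePath |
    Group-Object -Property Subject |
    Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Output "No subject appears more than once in $StorePath"
    return
}

foreach ($group in $duplicates) {
    Write-Output ("Subject: {0}  ({1} certificates)" -f $group.Name, $group.Count)
    $group.Group | Sort-Object -Property NotAfter | ForEach-Object {
        # Classify each copy against the current time so the expired one stands out.
        $state = 'valid'
        if ($_.NotAfter -lt $now) { $state = 'EXPIRED' }
        elseif ($_.NotBefore -gt $now) { $state = 'not yet valid' }
        Write-Output ("  thumbprint={0} serial={1} {2:yyyy-MM-dd} -> {3:yyyy-MM-dd} {4}" -f
            $_.Thumbprint, $_.SerialNumber.ToLower(), $_.NotBefore, $_.NotAfter, $state)
    }
}
```

Once a copy has been confirmed as the stale one, `Remove-Item -Path Cert:\LocalMachine\Root\<thumbprint>` removes only that entry, and `Restart-Service IAS` (the NPS service name) makes NPS re-read the store, which matches the restart the post describes. The script only reports; it does not delete anything.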
Hi,
How is everything going?
Best Regards
Elytis Cheng
TechNet Community Support
May 14th, 2012 4:40am
To be frank, I'm not too sure! Some servers work and some don't and I honestly can't tell why. I republished the CRL as it looked fine on the CA, but that didn't seem to get out to all the domain. If I run a certutil -DCinfo verify, I get this output - some are OK and some are not (I've included only the one successful and one failed to illustrate).
0: MYLANWNDC01
1: MYLANWHDC01
2: MYLANRXDC01
3: MYLANOTDC01
4: MYLANCHDC01
5: MYLANRTDC01
6: MYLANPKDC01
7: MYLANGSDC01
8: MYLANWNDC02
*** Testing DC[0]: MYLANWNDC01
** Enterprise Root Certificates for DC MYLANWNDC01
Certificate 0:
Serial Number: 2f39138dc1b34288470fc3bc79c2b3d9
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 22/03/2007 12:07 p.m.
NotAfter: 22/03/2012 12:16 p.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): f7 58 62 89 38 65 e1 fe aa 2b 32 f3 39 7e 7b 67 de 94 38 cf
Certificate 1:
Serial Number: 159b58b983258eb548e34b31a1dec26c
Issuer: CN=MYLAN, DC=MYLAN, DC=LAN
NotBefore: 21/01/2010 3:19 p.m.
NotAfter: 21/01/2015 3:25 p.m.
Subject: CN=MYLAN, DC=MYLAN, DC=LAN
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 5f df 7c 2c 92 d8 0d 3c 20 2c c0 5b f3 88 49 cb a7 3c a0 4e
Certificate 2:
Serial Number: 2305fccace68e1ba4f407e110bdc05ba
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
** KDC Certificates for DC MYLANWNDC01
Certificate 0:
Serial Number: 3289526d00010000030c
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject: EMPTY (DNS Name=MYLANWNDC01.MYLAN.LAN)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Cert Hash(sha1): ea 6a 7b aa 34 59 f2 de 54 77 42 b4 04 58 57 9c ab 66 d2 a6
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject:
Serial: 3289526d00010000030c
SubjectAltName: DNS Name=MYLANWNDC01.MYLAN.LAN
Template: Domain Controller Authentication
ea 6a 7b aa 34 59 f2 de 54 77 42 b4 04 58 57 9c ab 66 d2 a6
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CRL 0748:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
ce f0 dd 18 0e b6 e5 4a 5a 61 f1 a8 62 f9 a6 34 d2 96 87 5b
Delta CRL 074d:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
1d d7 16 bb e4 68 c7 81 ab b9 38 29 9f 57 1c a3 ab a2 a8 47
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
53 b9 f9 26 8f 1a 2c d0 50 31 36 f0 89 9d 40 97 16 b5 65 7c
Full chain:
ca cc 8f 65 9e 99 02 fe 1c 88 4f f1 4e c8 93 e4 60 86 e5 37
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject:
Serial: 3289526d00010000030c
SubjectAltName: DNS Name=MYLANWNDC01.MYLAN.LAN
Template: Domain Controller Authentication
ea 6a 7b aa 34 59 f2 de 54 77 42 b4 04 58 57 9c ab 66 d2 a6
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Certificate 1:
Serial Number: 3289516400010000030b
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject: EMPTY (Other Name:DS Object Guid=04 10 e9 f0 55 dc 97 e1 ab 47 8e 79 31 7c c2 b5 03 4e, DNS Name=MYLANWNDC01.MYLAN.LAN)
Non-root Certificate
Template: DirectoryEmailReplication, Directory Email Replication
Cert Hash(sha1): dd ef 99 cd 85 eb 81 7f dc 9a 7b 2b a7 ca f4 8f fe d6 e7 5a
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 6 Days, 1 Hours, 5 Minutes, 21 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject:
Serial: 3289516400010000030b
SubjectAltName: Other Name:DS Object Guid=04 10 e9 f0 55 dc 97 e1 ab 47 8e 79 31 7c c2 b5 03 4e, DNS Name=MYLANWNDC01.MYLAN.LAN
Template: Directory Email Replication
dd ef 99 cd 85 eb 81 7f dc 9a 7b 2b a7 ca f4 8f fe d6 e7 5a
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CRL 0748:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
ce f0 dd 18 0e b6 e5 4a 5a 61 f1 a8 62 f9 a6 34 d2 96 87 5b
Delta CRL 074d:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
1d d7 16 bb e4 68 c7 81 ab b9 38 29 9f 57 1c a3 ab a2 a8 47
Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
14 ab 91 86 3b 9a 9d 79 88 f9 06 3d 08 1f 8e eb 58 fc 90 89
Full chain:
1b f3 d4 d8 55 f5 cc 07 79 21 5e 85 20 49 ab dc 6d 42 dc de
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 8:55 a.m.
NotAfter: 23/03/2013 8:55 a.m.
Subject:
Serial: 3289516400010000030b
SubjectAltName: Other Name:DS Object Guid=04 10 e9 f0 55 dc 97 e1 ab 47 8e 79 31 7c c2 b5 03 4e, DNS Name=MYLANWNDC01.MYLAN.LAN
Template: Directory Email Replication
dd ef 99 cd 85 eb 81 7f dc 9a 7b 2b a7 ca f4 8f fe d6 e7 5a
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
2 KDC certs for MYLANWNDC01
*** Testing DC[8]: MYLANWNDC02
** Enterprise Root Certificates for DC MYLANWNDC02
Certificate 0:
Serial Number: 2f39138dc1b34288470fc3bc79c2b3d9
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 22/03/2007 12:07 p.m.
NotAfter: 22/03/2012 12:16 p.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): f7 58 62 89 38 65 e1 fe aa 2b 32 f3 39 7e 7b 67 de 94 38 cf
Certificate 1:
Serial Number: 159b58b983258eb548e34b31a1dec26c
Issuer: CN=MYLAN, DC=MYLAN, DC=LAN
NotBefore: 21/01/2010 3:19 p.m.
NotAfter: 21/01/2015 3:25 p.m.
Subject: CN=MYLAN, DC=MYLAN, DC=LAN
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 5f df 7c 2c 92 d8 0d 3c 20 2c c0 5b f3 88 49 cb a7 3c a0 4e
Certificate 2:
Serial Number: 2305fccace68e1ba4f407e110bdc05ba
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
** KDC Certificates for DC MYLANWNDC02
Certificate 0:
Serial Number: 3762c303000100000421
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 21/04/2012 11:46 a.m.
NotAfter: 21/04/2013 11:46 a.m.
Subject: EMPTY (Other Name:DS Object Guid=04 10 55 cf 99 a3 a2 15 e0 41 a7 7c f7 97 9d a8 e3 26, DNS Name=MYLANWNDC02.MYLAN.LAN)
Non-root Certificate
Template: DirectoryEmailReplication, Directory Email Replication
Cert Hash(sha1): cb 10 1e 39 a9 c5 af f7 32 7a 10 43 b1 71 f5 61 fe 9e 0e 3c
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 21/04/2012 11:46 a.m.
NotAfter: 21/04/2013 11:46 a.m.
Subject:
Serial: 3762c303000100000421
SubjectAltName: Other Name:DS Object Guid=04 10 55 cf 99 a3 a2 15 e0 41 a7 7c f7 97 9d a8 e3 26, DNS Name=MYLANWNDC02.MYLAN.LAN
Template: Directory Email Replication
cb 10 1e 39 a9 c5 af f7 32 7a 10 43 b1 71 f5 61 fe 9e 0e 3c
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 074e:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
c8 fc 3c 77 93 9a 79 63 41 2f ec 55 32 43 3a 56 a6 99 c1 46
Delta CRL 0753:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
fa 63 f0 44 a5 b5 c6 c5 2e bf e1 89 cb 5c be 71 97 f2 c2 46
Application[0] = 1.3.6.1.4.1.311.21.19 Directory Service Email Replication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
38 b9 4b 07 2d 65 c7 4a d8 82 35 d8 25 f9 9c a4 cb 1a 7f 67
Full chain:
e3 03 47 da c4 1a db d0 77 00 9c 2e c7 af 6e 86 8d c8 86 52
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.4.1.311.21.19 Directory Service Email Replication
Certificate 1:
Serial Number: 3762c60f000100000422
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 21/04/2012 11:46 a.m.
NotAfter: 21/04/2013 11:46 a.m.
Subject: EMPTY (DNS Name=MYLANWNDC02.MYLAN.LAN)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Cert Hash(sha1): 19 f6 6d 63 4a 80 8a da 23 1a 69 19 fd 75 79 07 d4 d8 a9 b0
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 19 Minutes, 39 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 21/04/2012 11:46 a.m.
NotAfter: 21/04/2013 11:46 a.m.
Subject:
Serial: 3762c60f000100000422
SubjectAltName: DNS Name=MYLANWNDC02.MYLAN.LAN
Template: Domain Controller Authentication
19 f6 6d 63 4a 80 8a da 23 1a 69 19 fd 75 79 07 d4 d8 a9 b0
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 074e:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
c8 fc 3c 77 93 9a 79 63 41 2f ec 55 32 43 3a 56 a6 99 c1 46
Delta CRL 0753:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
fa 63 f0 44 a5 b5 c6 c5 2e bf e1 89 cb 5c be 71 97 f2 c2 46
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[2] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
99 02 c4 0d bf 77 20 e1 f2 e6 0f 38 83 05 6d f3 4d 5b dc 1f
Full chain:
00 b7 81 9c fb 94 02 f3 bb 1c b2 b3 32 5f df 54 46 a3 11 f4
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.4.1.311.20.2.2 Smart Card Logon
2 KDC certs for MYLANWNDC02
CertUtil: -DCInfo command completed successfully.
May 14th, 2012 4:46pm
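The -DCInfo output above repeats the same chain dump for every DC, and the failure is only visible in the dwErrorStatus mask on each leaf CertContext line. The following PowerShell is an added example, not part of the thread or of certutil: it parses that output into one row per leaf certificate per DC and decodes the mask using the CERT_TRUST_* values from wincrypt.h. $SampleOutput, the DC names and the serials in it are constructed to match the shape of the thread's output, not a real capture, and the function names are my own.

```powershell
# Added example, not from the thread: turn "certutil -DCInfo verify" output into
# one row per leaf certificate per DC, decoding the dwErrorStatus mask on the
# CertContext[0][0] line. Bit values are the CERT_TRUST_* constants from
# wincrypt.h; $SampleOutput is a constructed excerpt (made-up DC names and
# serials) shaped like the thread's output, not a real capture.
$ErrorFlags = @(
    @{ Bit = 0x00000001; Name = 'IS_NOT_TIME_VALID' },
    @{ Bit = 0x00000004; Name = 'IS_REVOKED' },
    @{ Bit = 0x00000008; Name = 'IS_NOT_SIGNATURE_VALID' },
    @{ Bit = 0x00000010; Name = 'IS_NOT_VALID_FOR_USAGE' },
    @{ Bit = 0x00000020; Name = 'IS_UNTRUSTED_ROOT' },
    @{ Bit = 0x00000040; Name = 'REVOCATION_STATUS_UNKNOWN' },
    @{ Bit = 0x00000080; Name = 'IS_CYCLIC' },
    @{ Bit = 0x00010000; Name = 'IS_PARTIAL_CHAIN' },
    @{ Bit = 0x01000000; Name = 'IS_OFFLINE_REVOCATION' }
)

function ConvertFrom-TrustErrorStatus {
    # Decode a CERT_TRUST_STATUS.dwErrorStatus value into flag names.
    param([uint32]$Status)
    if ($Status -eq 0) { return 'OK' }
    $names = @()
    $rest = $Status
    foreach ($flag in $ErrorFlags) {
        if (($Status -band $flag.Bit) -ne 0) {
            $names += $flag.Name
            $rest = $rest -bxor $flag.Bit
        }
    }
    # Any bit not in the table above is reported raw rather than silently dropped.
    if ($rest -ne 0) { $names += ('UNKNOWN(0x{0:x})' -f $rest) }
    return ($names -join '|')
}

function ConvertFrom-DcInfoOutput {
    # Walk the text line by line; state is the current DC, the section heading and
    # the certificate header most recently seen. A row is emitted per leaf chain element.
    param([string[]]$Lines)
    $dc = '?'; $section = '?'; $cert = @{ Serial = $null; Template = $null }
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\*\*\* Testing DC\[\d+\]: (\S+)') { $dc = $Matches[1]; continue }
        if ($line -match '^\*\* (.+?) for DC ') { $section = $Matches[1]; continue }
        if ($line -match '^Certificate \d+:') { $cert = @{ Serial = $null; Template = $null }; continue }
        if ($line -match '^Serial Number: (\S+)') { $cert.Serial = $Matches[1]; continue }
        # The listing prints "Template: <name>, <display name>"; keep the first name seen.
        if ($line -match '^Template: ([^,]+)' -and -not $cert.Template) { $cert.Template = $Matches[1].Trim(); continue }
        if ($line -match '^CertContext\[0\]\[0\]: dwInfoStatus=([0-9a-f]+) dwErrorStatus=([0-9a-f]+)') {
            $err = [Convert]::ToUInt32($Matches[2], 16)
            [pscustomobject]@{
                DC          = $dc
                Section     = $section
                Serial      = $cert.Serial
                Template    = $cert.Template
                ErrorStatus = ('0x{0:x}' -f $err)
                Decoded     = ConvertFrom-TrustErrorStatus -Status $err
            }
        }
    }
}

# Constructed sample: one DC whose leaf could not be revocation-checked, one that is fine.
$SampleOutput = @'
*** Testing DC[0]: DC01
** KDC Certificates for DC DC01
Certificate 0:
Serial Number: 0100000000000000000a
Template: DomainControllerAuthentication, Domain Controller Authentication
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Revocation check skipped -- server offline
*** Testing DC[1]: DC02
** KDC Certificates for DC DC02
Certificate 0:
Serial Number: 0100000000000000000b
Template: DomainControllerAuthentication, Domain Controller Authentication
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
'@

$rows = ConvertFrom-DcInfoOutput -Lines ($SampleOutput -split "`r?`n")
$rows | Format-Table -AutoSize
# DC01 decodes to REVOCATION_STATUS_UNKNOWN|IS_OFFLINE_REVOCATION, DC02 to OK.
```

Against a real capture, `certutil -DCInfo verify | Out-File dcinfo.txt` followed by `ConvertFrom-DcInfoOutput -Lines (Get-Content .\dcinfo.txt) | Where-Object Decoded -ne 'OK'` lists only the DCs whose certificates fail, which is the "some are OK and some are not" picture the post describes without reading every chain dump.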
Hmmm, when I run a verify on the CA certificate, I get this:
Issuer:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Subject:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Cert Serial Number: 2305fccace68e1ba4f407e110bdc05ba
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 50 Minutes, 57 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 50 Minutes, 57 Seconds
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (0753)" Time: 0
[0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 074e:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
c8 fc 3c 77 93 9a 79 63 41 2f ec 55 32 43 3a 56 a6 99 c1 46
Delta CRL 0753:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
fa 63 f0 44 a5 b5 c6 c5 2e bf e1 89 cb 5c be 71 97 f2 c2 46
Exclude leaf cert:
c5 39 d7 d7 8e 49 70 56 b6 b8 b0 b7 aa 7e 75 f3 86 67 6c d4
Full chain:
a3 00 7b 14 65 79 ad 31 c2 0c 8f 02 99 5d de 14 43 44 4d 65
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
The MYLANWNSV01 was the original CA many years ago, but it was moved to MYLANEX01 (by a third party I assume) and is now on MYLANWNSV22 as of a few days ago - so the CDP is wrong.
Now how to fix?
If I open ADSIedit, I can see 3 items in the services\PKI\CDP container: the new server and the 2 old ones.
If I run certutil -URL with the URL listed under Enterprise PKI/CA/CDP location
ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
2 CRLs are retrieved and they're both status 'OK'
May 14th, 2012 5:10pm
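Checking CDP and AIA reachability from a certificate can be scripted, which matters here because the CDP in the CA certificate still names the servers the CA was moved away from. The following PowerShell is an added example, not from the thread or from Microsoft: it reads the CRL Distribution Points and Authority Information Access extensions from a .cer file, fetches each HTTP URL, and checks each ldap:/// URL by testing whether the named directory object exists. It assumes a domain-joined host for the LDAP checks; the function and parameter names are my own.

```powershell
# Added example, not from the thread: read the CRL Distribution Points (CDP) and
# Authority Information Access (AIA) extensions of a certificate and test every
# URL the way a relying party would, so a stale CDP (pointing at a host the CA
# moved away from) shows up before clients fail. Run on a domain-joined host.
# Parameter and function names are my own, not certutil's.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # .cer file exported from the CA or from the Trusted Root store
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path

# OIDs: 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
$extensionOids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

function Get-ExtensionUrls {
    param([System.Security.Cryptography.X509Certificates.X509Extension]$Extension)
    # Format($true) renders the extension as the text certutil shows, one "URL=..." per line.
    [regex]::Matches($Extension.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-PkiUrl {
    param([string]$Url)
    if ($Url -like 'http://*' -or $Url -like 'https://*') {
        try {
            $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
            return "OK (HTTP {0}, {1} bytes)" -f $r.StatusCode, $r.RawContentLength
        } catch {
            return "FAILED: $($_.Exception.Message)"
        }
    }
    if ($Url -like 'ldap:///*') {
        # ldap:///<DN>?<attribute>?base?<filter>; the DN is URL-encoded (%20 = space).
        $dn = [uri]::UnescapeDataString(($Url.Substring(8) -split '\?')[0])
        if ([adsi]::Exists("LDAP://$dn")) { return "OK (object exists: $dn)" }
        return "FAILED: no such object $dn"
    }
    return 'SKIPPED (unsupported scheme)'
}

foreach ($ext in $cert.Extensions) {
    $kind = $extensionOids[$ext.Oid.Value]
    if (-not $kind) { continue }
    foreach ($url in Get-ExtensionUrls -Extension $ext) {
        Write-Output ("{0}  {1}`n    {2}" -f $kind, $url, (Test-PkiUrl -Url $url))
    }
}
```

For the self-signed root itself the script prints nothing, since such a certificate normally carries no CDP or AIA; run it against a certificate the CA issued (the NPS server certificate, for example) to exercise the URLs clients actually follow. An LDAP DN that fails here but whose host still appears in the CDP container is the ADSIedit leftover the post describes.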
Hello,
Thank you for your post.
This is a quick note to let you know that we are performing research on this issue.
Best Regards
Elytis Cheng
TechNet Community Support
May 15th, 2012 5:02am
Hi,
I have some confusion on the description, would like to clarify with you.
1. You told me that the name of the CA is EXCHANGE, but the subject of the CA certificate is MYLANWNEX01; the subject name should be the CA name, so please confirm the certificate you are checking is the CA certificate for the CA EXCHANGE.
2. 2305fccace68e1ba4f407e110bdc05ba is a self-signed certificate; would you please let me know how you requested/issued it? Generally, a self-signed certificate does not have AIA and CDP.
3. As I understand, your concern is the error "CA certificates is not trusted by the policy provider", am I right? Please check your NPS server and make sure the root CA certificate is installed in the "Trusted Root Certification Authorities" store on the NPS server.
Thanks. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 16th, 2012 5:41am
Hi Aaron,
I have not used the actual server names in my postings (seems to be bad practice usually) - EXCHANGE=MYLANWNEX01 - but again, that's not the actual name of the server. If the real names are important, I'll be happy to redo the queries and paste in the real names.
That is the serial of the new CA certificate. It had expired so I renewed it (I believe I used renew with new key). This did appear to be working prior to the migration, so it was generated on server MYLANWNDC01 (not real name) as it was used with all my NPS servers successfully. The issues all seem to have occurred since I migrated.
From one of the problem NPS servers, when verifying the CA cert from Trusted Root Authority:
Issuer:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Subject:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Cert Serial Number: 2305fccace68e1ba4f407e110bdc05ba
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
May 16th, 2012 4:57pm
Verify on the NPS certificate from the server that was causing issues:
Issuer:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Subject:
CN=MYLANGSDC01.MYLAN.LAN
Cert Serial Number: 13daafdb000100000437
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Hours, 3 Minutes, 22 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Hours, 3 Minutes, 22 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 10/05/2012 9:24 a.m.
NotAfter: 10/05/2014 9:34 a.m.
Subject: CN=MYLANGSDC01.MYLAN.LAN
Serial: 13daafdb000100000437
SubjectAltName: DNS Name=MYLANGSDC01.MYLAN.LAN
Template: Copy of RAS and IAS Server
ec 17 c5 45 bc 07 c2 46 4a 19 2f 78 0f 96 a7 5a 30 4b a4 f3
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 0756:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
07 ae 8f ce f4 0c be 2a 56 85 90 0a 1a a4 37 40 04 ac d7 11
Delta CRL 0756:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
0d 35 d2 06 6c c5 5c 4b 31 da 21 b3 bf 07 fe 95 5e b6 e2 d0
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
c8 5c 91 67 7b 4e 8e 38 64 a8 91 54 9c ab d7 73 55 27 99 db
Full chain:
6c 85 34 4b 55 c6 e2 3d 63 17 3f 34 db 58 0b db 85 6c d7 69
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
May 16th, 2012 4:59pm
Just to note, the CA has no problem issuing certificates; it behaves as I'd expect in all ways bar this problem with Wireless clients authenticating against SOME servers.
May 16th, 2012 5:01pm
I think the below error causes your issue. Please make sure the CRLs are available.
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
In addition, I suggest you verify your NPS cert by command "certutil -verify -fetchurl c:\nps.cer" on the NPS server and post the result.
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 19th, 2012 4:00am
C:\Users\administrator.MYLAN>certutil -verify -urlfetch c:\NPS.cer
Issuer:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Subject:
CN=MYLANGSDC01.MYLAN.LAN
Cert Serial Number: 1f459063000100000450
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 18 Hours, 13 Minutes, 55 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 18 Hours, 13 Minutes, 55 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 17/05/2012 8:40 a.m.
NotAfter: 17/05/2014 8:50 a.m.
Subject: CN=MYLANGSDC01.MYLAN.LAN
Serial: 1f459063000100000450
SubjectAltName: DNS Name=MYLANGSDC01.MYLAN.LAN
Template: Copy of RAS and IAS Server
66 40 01 a1 b4 5e 51 c0 38 63 05 b4 9f 0e 71 34 c3 a1 76 b9
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] ldap:///CN=MYLANWNEX01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (0756)" Time: 0
[0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0756)" Time: 0
[0.0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Base CRL CDP ----------------
OK "Delta CRL (075a)" Time: 0
[0.0] ldap:///CN=MYLANWNEX01(1),CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 0756:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
07 ae 8f ce f4 0c be 2a 56 85 90 0a 1a a4 37 40 04 ac d7 11
Delta CRL 075a:
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
4b 22 e1 26 d1 cf be 35 79 c5 68 47 2e bf 47 f4 d0 01 e9 4b
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
02 af d9 3d a3 b5 d9 cf b0 ac d7 9b 27 24 5a 28 13 24 1d 15
Full chain:
bc 64 ac cf b5 22 ee ac 21 de 80 63 7a 9c 9f 80 28 f9 0a fd
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Would seem to be an OLD CDP? How do I resolve that and remove the old CHCWNSV01 server altogether?
May 20th, 2012 6:13pm
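The certutil output above shows the pattern to look for: the AIA and the new-name CDP resolve, the CDP entries carrying the old server name fail with 0x80092004 (LDAP object not found) and 0x80072ee7 (host name not resolvable). The following PowerShell script, an added example rather than anything posted in this thread, pulls the CDP and AIA URLs out of a certificate file and tests each one from the machine it runs on, so the same check can be repeated on every NPS server without reading through a full -urlfetch dump. The certificate path is an assumption; the LDAP test uses the default domain controller of the logged-on account.

```powershell
# Added example, not from the thread: list the CDP/AIA URLs in a certificate
# and probe each one the way a CryptoAPI chain build would have to.
param(
    [string]$CertPath = 'C:\CA.cer'   # assumed path; use the exported CA or NPS cert
)

Add-Type -AssemblyName System.DirectoryServices

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access.
# X509Extension.Format($true) renders the extension like the MMC does, one "URL=..." per line.
$extOids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
$urls = foreach ($ext in $cert.Extensions) {
    if ($extOids.ContainsKey($ext.Oid.Value)) {
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Type = $extOids[$ext.Oid.Value]; Url = $m.Groups[1].Value }
        }
    }
}

function Test-PkiUrl {
    param([string]$Url)
    try {
        if ($Url -like 'http*') {
            # A working HTTP CDP/AIA answers 200 with the CRL or CA cert as the body.
            $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
            return "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        }
        if ($Url -like 'ldap:///*') {
            # Serverless LDAP URL: drop the attribute query, decode %20, and ask AD
            # whether the CDP/AIA object exists. A miss here is the thread's 0x80092004.
            $dn = [uri]::UnescapeDataString((($Url -replace '^ldap:///', '') -replace '\?.*$', ''))
            if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
                return 'LDAP object found'
            }
            return 'LDAP object NOT found (Cannot find object or property)'
        }
        return 'unsupported scheme'
    }
    catch {
        # DNS failures surface here, e.g. a CDP host name that no longer exists.
        return "FAILED: $($_.Exception.Message)"
    }
}

foreach ($u in $urls) {
    '{0,-4} {1}' -f $u.Type, $u.Url
    '     -> ' + (Test-PkiUrl -Url $u.Url)
}
```

Run it once against the CA certificate and once against the NPS server certificate; the CA cert's CDP is the one that matters for the NPS-side 0x80092013, because CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT still checks every issuing CA below the root. Reachable is not the same as valid: if a URL answers but certutil reports "Wrong Issuer", save the fetched CRL and compare its Issuer (certutil -dump file.crl) with the certificate's Issuer field.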
OK, when I take a look at the CRL for the CA cert under the enterprise PKI MMC
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
So here's the old name again! MYLANWNSV01 should be MYLANWNSV22, and it's the same for the AIA
I don't want to risk stuffing this up any further, what's the thing to do?
May 20th, 2012 9:08pm
You have to be aware that any changes that you make in the configuration of the CA will only affect *future* certificates, not existing certificates. It sounds like you are going to have to support both MYLANwnsv01.MYLAN.lan and MYLANWNSV22.MYLAN.lan for the immediate future (until all previously issued certificates expire). What may work is to make MYLANWNSV22.MYLAN.lan a CNAME for MYLANwnsv01.MYLAN.lan. You can only remove the CNAME record when the last certificate issued with the previous names expires (no more need for CRL checking).
HTH,
Brian
May 20th, 2012 11:48pm
Thanks, will try this.
The current CA certificate still contains the old name MYLANWNSV01 in the CRL, rather than the new name. I've seen some articles suggesting replacing the ServerShortName with the new name - any thoughts on this?
URL=ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
i.e. can I add another ldap URL?
When running the above test against the NPS cert, the output has changed somewhat:
Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
Wrong Issuer "Base CRL (075b)" Time: 5
[1.0] http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
Wrong Issuer "Delta CRL (075b)" Time: 0
[1.0.0] ldap:///CN=MYLANWNEX01,CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
May 20th, 2012 11:52pm
On the same server (now it's had a day to settle) running a verify against the CA cert:
C:\Users\administrator.MYLAN>certutil -verify -urlfetch c:\CA.cer
Issuer:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Subject:
CN=MYLANWNEX01
DC=MYLAN
DC=LAN
Cert Serial Number: 2305fccace68e1ba4f407e110bdc05ba
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
NotBefore: 23/03/2012 7:29 a.m.
NotAfter: 24/03/2017 7:38 a.m.
Subject: CN=MYLANWNEX01, DC=MYLAN, DC=LAN
Serial: 2305fccace68e1ba4f407e110bdc05ba
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Cannot find object or property. 0x80092004 (-2146885628)
ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
Wrong Issuer "Base CRL (075b)" Time: 4
[1.0] http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
Wrong Issuer "Delta CRL (075b)" Time: 0
[1.0.0] ldap:///CN=MYLANWNEX01,CN=MYLANWNSV22,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
0f 3d 18 35 e3 13 ae ff 6c a0 48 18 6b ae 3d 29 0f 9e d8 45
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
-----
I can open a webbrowser and retrieve the CRL from
http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl and it contains the new CA name.
May 21st, 2012 5:01pm
Wow, this goes on.
OK, I THINK the issue is this: the CRL for the CA certificate is wrong.
From the current CA cert:
URL=ldap:///CN=MYLANWNEX01,CN=MYLANwnsv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MYLAN,DC=LAN?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://MYLANwnsv01.MYLAN.lan/CertEnroll/MYLANWNEX01.crl
So it's issuing new certificates with this CRL and, although the HTTP URL is reachable (thanks to the CNAME suggestion above), the LDAP one won't be.
So do I:
1) Under CA > Extensions, remove the LDAP CRL altogether from the CA cert and get all new certs issued with HTTP (and which of the options do I choose)
2) Have a similar workaround in LDAP so the new CA (MYLANWNSV22) gets checked whenever someone looks for MYLANWNSV01
3) Create an all-new CA cert (and how do I do this so it uses the right names) and get new certs for all the NPS servers?
4) Add a new LDAP path ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=MYLANWNSV22,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass> and assign this the same options as the current default LDAP (which can then be unticked and/or removed?)
May 22nd, 2012 8:21pm
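Option 4 above is the same thing the CA > Extensions tab does, expressed as the CRLPublicationURLs and CACertPublicationURLs registry values. The PowerShell session below, added here as an example and not posted by anyone in the thread, shows how to read those lists, append an LDAP entry that names MYLANWNSV22 explicitly, and republish, using only certutil switches that exist. The flag arithmetic is certutil's documented bit meanings; the CA name MYLANWNSV22 comes from the thread; the existing default entries shown in the commented rewrite are assumptions about this CA and must be replaced with whatever -getreg actually prints.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the CA itself.

# 1. Record the current lists before changing anything; this output is the rollback.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Flag bits for CRLPublicationURLs (add the ones you want):
#    1  publish CRLs to this location (CSURL_SERVERPUBLISH)
#    2  include in the CDP extension of issued certificates
#    4  include in CRLs; clients use this to find delta CRL locations
#    8  include in all CRLs (where to publish in AD when publishing manually)
#   64  publish delta CRLs to this location
#  128  include in the IDP extension of issued CRLs
# The stock LDAP CDP entry is 79 = 1+2+4+8+64; the new entry copies it but
# hard-codes the server CN instead of the %2 (ServerShortName) variable,
# exactly as option 4 in the thread proposes.
$ldapCdp = '79:ldap:///CN=%7%8,CN=MYLANWNSV22,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
# For CACertPublicationURLs, 2 = include in the AIA extension of issued certificates.
$ldapAia = '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'

# 2. A leading '+' appends to the REG_MULTI_SZ instead of overwriting it, so the
#    existing file/HTTP/LDAP entries (and the certs that depend on them) are untouched.
certutil -setreg CA\CRLPublicationURLs    "+$ldapCdp"
certutil -setreg CA\CACertPublicationURLs "+$ldapAia"

# 3. To stop the OLD LDAP URL from going into NEW certs while still publishing to it
#    (the "untick" in option 4), clear bit 2 on that entry (79 -> 77). That requires
#    rewriting the whole list; '\n' separates entries. ASSUMED defaults, replace with
#    the real -getreg output:
# certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n77:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://%1/CertEnroll/%3%8%9.crl\n$ldapCdp"

# 4. Restart the CA so the lists take effect, then publish a CRL so the new
#    LDAP object exists before the first client goes looking for it.
Restart-Service -Name CertSvc
certutil -CRL

# 5. Confirm the registry now lists the new entry and that the AD object was created.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```

Two caveats that follow from the earlier reply in this thread: these lists only shape certificates issued after the change, so NPS servers need a fresh enrolment (or renewal) to pick up the new CDP, and the CA certificate's own CDP, which is what the CA.cer verify above is choking on, only changes if the CA certificate itself is renewed. Do not delete the old URL entries, or the CNAME, until the last certificate that names MYLANwnsv01 has expired, because removing a location that existing certificates point at turns every one of them into the 0x80092013 "revocation server was offline" failure this thread started with.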