Server 2008 Certificate Authority - Renewals not working, cert templates not loading
Hello, the better place to ask is the security forum: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 27th, 2011 9:26am

Automatic certificate enrollment is no longer working in a 2008 domain. The CA is running on a 2008 DC, and the clients are 2008 DCs. Renewals were working previously; no config changes were made between the time it was working and not. The following errors are logged:

Certificate enrollment for Local system failed to retrieve certificate template information from the Active Directory (More data is available. 0x800700ea (WIN32/HTTP: 234)). Enrollment was not performed.

Automatic certificate enrollment for local system failed (0x800700ea) More data is available.

Debugging is enabled and 0x800700ea (WIN32/HTTP: 234) shows up in the certsrv log where policies are being referenced.

Selecting Certificate Templates in certsrv displays "Template information could not be loaded". Selecting manage prompts "Windows has detected that new certificate templates should be installed. Do you want to install them?". Selecting yes prompts "Windows could not install the certificate templates. More data is available". Clicking OK prompts "Windows could not create the object identifier list. The size limit for this request was exceeded."

Is it possible that the templates are corrupt? If so, how can the templates be restored/reset? Thanks for reading my question.
September 28th, 2011 2:07am

As suggested, I have asked this in the security forum. Can this post be deleted, or what is the proper way for this to get cleaned up? It does not look like I have the ability to delete my own posts. Thanks
September 28th, 2011 2:12am

You can check the availability/readability of the templates both from the CA server itself and other computers using the command:

certutil -adtemplate

Using Adsiedit.msc you can check the certificate templates by connecting to the configuration well known naming context and checking the availability of the templates under Services -> Public Key Services -> Certificate Templates.

If you need to recreate the default templates (make sure you have documented any changes you performed on default templates) use the following command:

certutil -installdefaulttemplates

/Hasain
September 28th, 2011 8:59am

Thank you for the reply. I can see the certificate templates listed in the AD configuration container. I'm getting a FAILED: 0x800700ea (WIN32/HTTP: 234) on what seems to be any certutil template command I run; trying to reinstall gives the same error. I have not had much luck with finding out additional info on the error code itself.

Verified Issuance Policies: All
Verified Application Policies: All
Supported Certificate Templates:
429.2157.0: 0x4 (WIN32: 4)
808.2493.0: 0x800700ea (WIN32/HTTP: 234)
808.2933.0: 0x800700ea (WIN32/HTTP: 234)
805.1897.0: 0x800700ea (WIN32/HTTP: 234)
CAEnumCertTypesForCA: More data is available. 0x800700ea (WIN32/HTTP: 234)
314.94.0: 0x800700ea (WIN32/HTTP: 234)
314.344.0: 0x800700ea (WIN32/HTTP: 234)
314.614.0: 0x800700ea (WIN32/HTTP: 234)
314.735.0: 0x800700ea (WIN32/HTTP: 234)
314.1750.0: 0x800700ea (WIN32/HTTP: 234)
CertUtil: -TCAInfo command FAILED: 0x800700ea (WIN32/HTTP: 234)
CertUtil: More data is available.
301.3370.0: 0x800700ea (WIN32/HTTP: 234)
429.2157.0: 0x4 (WIN32: 4)
808.2493.0: 0x800700ea (WIN32/HTTP: 234)
808.2933.0: 0x800700ea (WIN32/HTTP: 234)
805.1897.0: 0x800700ea (WIN32/HTTP: 234)
307.2395.0: 0x800700ea (WIN32/HTTP: 234)
307.2703.0: 0x800700ea (WIN32/HTTP: 234)
307.2631.0: 0x800700ea (WIN32/HTTP: 234)
307.2724.0: 0x800700ea (WIN32/HTTP: 234)
CertUtil: -CATemplates command FAILED: 0x800700ea (WIN32/HTTP: 234)
CertUtil: More data is available.
301.3370.0: 0x800700ea (WIN32/HTTP: 234)
September 28th, 2011 9:37pm

The cause was the maxpagesize parameter was set to too low of a value (I had this set to a very low value for testing reasons and apparently did not commit the change back to default). The error that led to finding the cause was "Windows could not create the object identifier list. The size limit for this request was exceeded." Thanks to a colleague for pointing this out. Certificate services was simply not able to complete a query to AD.
October 14th, 2011 2:53pm
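
One way to check for the condition described in the resolution above, as an added example that is not part of the original thread: the script parses the LDAP policy values stored in the `lDAPAdminLimits` attribute of the Default Query Policy object and flags a MaxPageSize below the Windows default of 1000. The function names and the sample values are made up for this example, and it assumes no site- or DC-specific query policy overrides the default one.

```powershell
# Added example, not from the thread. Parses lDAPAdminLimits values
# ("Name=Value" strings) and flags a MaxPageSize below the Windows default.
$DefaultMaxPageSize = 1000   # documented Windows default for MaxPageSize

function Get-LdapAdminLimit {
    param([string[]]$Limits, [string]$Name)
    foreach ($entry in $Limits) {
        $pair = $entry -split '=', 2
        if ($pair.Count -eq 2 -and $pair[0].Trim() -ieq $Name) {
            return [int]$pair[1].Trim()
        }
    }
    return $null   # limit not present in the policy object
}

function Test-MaxPageSize {
    param([string[]]$Limits)
    $value = Get-LdapAdminLimit -Limits $Limits -Name 'MaxPageSize'
    if ($null -eq $value) {
        'MaxPageSize is not set in this policy object'
    } elseif ($value -lt $DefaultMaxPageSize) {
        "MaxPageSize=$value is below the default of $DefaultMaxPageSize"
    } else {
        "MaxPageSize=$value (at or above the default)"
    }
}

# Constructed sample values, shaped like the lDAPAdminLimits attribute.
$sample = @('MaxQueryDuration=120', 'MaxPageSize=5', 'MaxPoolThreads=4')
Test-MaxPageSize -Limits $sample

# Live read (domain-joined machine): fetch the attribute from the Default
# Query Policy object in the configuration naming context.
function Get-DefaultQueryPolicyLimits {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,' +
          "CN=Windows NT,CN=Services,$configNC"
    $policy = [ADSI]"LDAP://$dn"
    return @($policy.lDAPAdminLimits)
}
# Test-MaxPageSize -Limits (Get-DefaultQueryPolicyLimits)
```

Uncomment the last line to run the same check against the live directory instead of the constructed sample.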

This topic is archived. No further replies will be accepted.
