Event ID 77 is logged in the Application log when the CertSvc service starts on a CA server that is running Windows Server 2003 with Service Pack 1

View products that this article applies to.

SYMPTOMS

After you install Microsoft Windows Server 2003 Service Pack 1 (SP1) on a certification authority (CA) server, the following event may be logged many times in the Application log when the Certificate Services (CertSvc) service starts:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date: date
Time: time
User: N/A
Computer: computer_name
Description: The "Windows default" Policy Module logged the following warning: The User(v3.0): V1 Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).

Additionally, the CA server may no longer issue certificates. The policy module denies all certificate requests. The following event is logged in the CA server's Application log when each request is rejected:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: date
Time: time
User: N/A
Computer: computer_name
Description: Certificate Services denied request 4 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for domain\user. Additional information: Denied by Policy Module 0x80094800, the request was for a certificate template that is not supported by the Certificate Services policy: User.

Back to the top

WORKAROUND

To work around this problem, follow these steps:

Downgrade the CA server by removing the Windows Server 2003 SP1 service pack.
Update the schema in the Microsoft Windows 2000-based domain to Windows Server 2003. Additionally, update the templates by reregistering the %windir%\System32\Certcli.dll file on the CA server. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:
  regsvr32 /i:i /n /s %windir%\system32\certcli.dll
3. Type the following commands. Press ENTER after each command.
  net stop certsvc
  net start certsvc
4. Type exit, and then press ENTER to close the Command Prompt window.

Back to the top

MORE INFORMATION

An enterprise CA server that is running Windows Server 2003, Standard Edition can issue only certificates that are based on Windows 2000-style version 1 templates. Therefore, you do not have to update the schema to install a Windows Server 2003-based CA server in a Windows 2000-based domain.

Windows Server 2003 SP1 includes new code to enable template auditing. The new code specifically looks for Windows Server 2003 schema attributes when the code enumerates templates. If you do not update the schema, the schema attributes are not present. Therefore, the CA server cannot load any of the templates in the Active Directory directory service.

When the CertSvc service starts, the CA server looks for the msPKI-Template-Minor-Revision attribute when the CA server tries to enumerate the templates. Therefore, event 77 is logged. The msPKI-Template-Minor-Revision attribute is not present in the Windows 2000 schema. Therefore, this attribute is not instantiated on the template object. Because the templates cannot be successfully enumerated, the templates are not loaded into the in-memory cache that the CertSvc service maintains. The Certification Authority snap-in shows the templates in the Certificate Templates folder. If you add or remove these templates, the pKIEnrollmentServices object is updated in Active Directory. When the CertSvc service tries to view the pKIEnrollmentServices object to see what templates the object is supposed to load, the CertSvc service fails.

You can verify that templates have not loaded by enabling debug logging for the CertSvc service and then restarting the service. To do this, follow these steps:

Click Start, click Run, type cmd, and then click OK.
At the command prompt, type the following command, and then press ENTER:
certutil -setreg ca\debug 0xfffffffe3
Type the following commands. Press ENTER after each command.
net stop certsvc
net start certsvc
Type exit, and then press ENTER to close the Command Prompt window.

After you follow these steps, open the %windir%\Certsrv.log file. You see entries that resemble the following:

Opened Log: <Date> <Time>
certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
certsrv.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
508.1334.0: 0x80070002 (WIN32: 2): AlternatePublishDomains
513.14724.0: 0x80070490 (WIN32: 1168): CAExchange
508.2045.0: 0x80070490 (WIN32: 1168)
CertSrv: Opening Database C:\WINDOWS\system32\CertLog\Enterprise Root CA.edb
CertSrv: Database open
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): ExchangeUser
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): EFSRecovery
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): EFS
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): DomainController
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): WebServer
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): Machine
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): User
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): SubCA
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): Administrator
CertSrv: Policy Module Enabled (Windows default)
CertSrv: Exit Module[1] Enabled: 7f (Windows default)
CertSrv: Certification Authority Service Ready (13s)  DC=W2K-SRV-01.windows2000.com 
...
CertSrv: Base + Delta CRL Publishing Enabled, TimeOut=84325s, 23 Hours, 25 Minutes, 
25 Seconds
429.2137.0: 0xffffffff (ESE: -1)
809.78.0: 0x80072095 (WIN32: 8341)
CertSrv: Certification Authority Service Stopped
503.2452.0: 0x0 (WIN32: 0)
CertSrv: Exit Status = S_OK

If you have not updated the schema, the following two trace entries appear for each template that does not load:

1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): ExchangeUser

The first trace entry indicates that loading the msPKI-Template-Minor-Revision attribute has failed. The second trace entry is a debug trace that is taken when the policy module logs the template load failure. The default policy module expects the msPKI-Template-Minor-Revision attribute to be available even for version 1 templates. Therefore, the templates do not load.

After you update the schema, update the templates, and restart the CA server, the Certsrv.log file contains entries that resemble the following:

Opened Log: <Date> <Time>
certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
certsrv.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
508.1334.0: 0x80070002 (WIN32: 2): AlternatePublishDomains
CertSrv: Opening Database C:\WINDOWS\system32\CertLog\Enterprise Root CA.edb
CertSrv: Database open
1004.4374.0: 0x80094800 (-2146875392): EnrollmentAgent
1004.4374.0: 0x80094800 (-2146875392): ExchangeUser
1004.4374.0: 0x80094800 (-2146875392): EFSRecovery
1004.4374.0: 0x80094800 (-2146875392): EFS
1004.4374.0: 0x80094800 (-2146875392): DomainController
1004.4374.0: 0x80094800 (-2146875392): WebServer
1004.4374.0: 0x80094800 (-2146875392): Machine
1004.4374.0: 0x80094800 (-2146875392): User
1004.4374.0: 0x80094800 (-2146875392): SubCA
1004.4374.0: 0x80094800 (-2146875392): Administrator
CertSrv: Policy Module Enabled (Windows default)
CertSrv: Exit Module[1] Enabled: 7f (Windows default)
CertSrv: Certification Authority Service Ready (17s)  DC=W2K-SRV-01.windows2000.com 
...
CertSrv: Base + Delta CRL Publishing Enabled, TimeOut=81098s, 22 Hours, 31 Minutes, 
38 Seconds

Errors in the Certsrv.log file are expected because of the code changes in Windows Server 2003 SP1. The entries for the Windows Server 2003 SP1 debug trace are logged because of expected failures that occur when resource strings are loaded.

In Windows Server 2003 SP1, the Certsrv.exe program is missing 10 resource strings. Windows Server 2003 SP1 looks for the missing resource strings in the Ws03res.dll file. Therefore, these log entries are expected. These entries are not related to the template issues. The following trace entries are each logged 10 times in the Certsrv.log file:

439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)

Some template auditing functionality was added to the CA for Windows Server 2003 SP1. The policy module code was modified to load more information from the templates. The code was also modified to keep the information in an in-memory data structure so that only changes to the templates can be audited. If you have updated the schema, an entry that resembles the following is logged when the CA starts:

1004.4374.0: 0x80094800 (-2146875392): EnrollmentAgent

When the CA server starts, the list in memory is empty. One such log entry appears for each template that the CA is configured to issue because the Windows Server 2003 SP1 code that loads templates cannot find the template in the list in memory. Therefore, each template causes one debug trace entry.

This behavior does not cause any problems.

Back to the top

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

910249 (http://support.microsoft.com/kb/910249/ ) You may receive a "The request contains no certificate template information" error message when you submit a CSR to an enterprise CA by using the Certification Authority Microsoft Management Console (MMC) snap-in in Windows Server 2003

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

922423 (http://support.microsoft.com/kb/922423/ ) Error message when you try to directly send a new SSL server certificate request to a CA service after you upgrade from Exchange 2000 Server to Exchange Server 2003: "Access is denied"

Back to the top