Article ID: 959117 - Last Review: October 21, 2008 - Revision: 1.0

Certification Authority Service Startup Failure

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom

When you try to start the Certification Authority (CA) service, it fails to start. You may experience the following symptoms:

· After the machine on which the CA (Certificate Authority) is installed is restarted, the CA service appears to be started, but attempts to stop the CA service fail.

· The following error appears in the event log:

    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10010
    Date: 10.03.2008
    Time: 13:41:10
    User: N/A
    Computer: CA_Server
    Description: The server {D99E6E73-FC88-11D0-B498-00A0C90312F3} did not register with DCOM within the required timeout.

· "d99e6e73-fc88-11d0-b498-00a0c90312f3" resolves to CCertAdminD.

· When you try to ping the CA locally or remotely by using "certutil -ping", the command fails after a longer period of time with "Server execution failed 0x80080005 (-2146959355)", which resolves to CO_E_SERVER_EXEC_FAILURE.

· Internally, the following error corresponds to the error displayed by certutil: ole32!CClientContextActivator::CreateInstance returns 80080005

· The output of rpcdump shows that the Certificate Server RPC interfaces are not registered:

    UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be ncalrpc:[OLEBB84529DBB4F460BBE49579DD000]
    UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be ncacn_np:\\\\W2K3TESTCA[\\pipe\\cert]
    UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be ncacn_ip_tcp:10.10.10.10[1089]

Cause

This behavior can be caused by the following:

1. During the CA installation, the CSP is set not to interact with the desktop.
2. The remote desktop session is created without the "console" switch, and the CA is installed and administered from this session.
3. Any other scenario in which CryptExportPublicKeyInfo does not return properly because of errors in the CSP or HSM.

Resolution

1. If the CA is administered by using remote desktop, make sure that the console switch and session are specified.
2. Make sure that the CSP used for the CA keys can interact with the desktop.
3. If an HSM is used for the CA keys, make sure that it is properly configured.
4. Make sure that CryptExportPublicKeyInfo returns successfully.

More Information

The problem can be traced during the failed CA service startup, when CryptExportPublicKeyInfo (this function is defined in crypt32.dll) fails to get the required information from the third-party CSP. As a result, the CA server does not start properly and its RPC interfaces are not registered. All of this leads to the inconsistent and confusing behavior.

The call stack of the failed CA startup looks like this:

    0:000> k
    ChildEBP RetAddr
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0006f488 761b4dd3 ncsp+0x9710
    0006f4b4 761f1f47 crypt32!ExportCspPublicKeyInfoEx+0x23 [d:\nt\ds\security\cryptoapi\pki\certstor\certhlpr.cpp @ 4144]
    0006f4dc 761f1f73 crypt32!CryptExportPublicKeyInfoEx+0x67 [d:\nt\ds\security\cryptoapi\pki\certstor\certhlpr.cpp @ 4325]
    0006f504 0105f48e crypt32!CryptExportPublicKeyInfo+0x1e [d:\nt\ds\security\cryptoapi\pki\certstor\certhlpr.cpp @ 4356]
    0006f52c 010583ef certsrv!myCryptExportPublicKeyInfo+0x25 [d:\nt\ds\security\cryptoapi\pki\activex\xelib\xelib.cpp @ 689]
    0006f554 0105cf86 certsrv!myVerifyPublicKeyFromHProv+0x2b [d:\nt\ds\security\services\ca\certlib\crypt.cpp @ 176]
    0006f584 01039ba3 certsrv!myValidateSigningKey+0xa2 [d:\nt\ds\security\services\ca\certlib\cscsp.cpp @ 701]
    0006f610 00000000 certsrv!pkcsLoadCAContext+0x2dc [d:\nt\ds\security\services\ca\certsrv\pkcs.cpp @ 7726]

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.
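The call-stack reading described under More Information, as an added example that is not part of the original article or Microsoft's code: a Python parser for debugger "k" output that reports whether CA signing-key validation is sitting below CryptExportPublicKeyInfo in a module outside certsrv and crypt32. The names parse_frames and classify are hypothetical, and treating that outer module as the key provider is an assumption taken from the article's own reading of the stack.

```python
import re

# Frames copied from the article's call stack (source-path annotations trimmed).
ARTICLE_STACK = """\
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0006f488 761b4dd3 ncsp+0x9710
0006f4b4 761f1f47 crypt32!ExportCspPublicKeyInfoEx+0x23
0006f4dc 761f1f73 crypt32!CryptExportPublicKeyInfoEx+0x67
0006f504 0105f48e crypt32!CryptExportPublicKeyInfo+0x1e
0006f52c 010583ef certsrv!myCryptExportPublicKeyInfo+0x25
0006f554 0105cf86 certsrv!myVerifyPublicKeyFromHProv+0x2b
0006f584 01039ba3 certsrv!myValidateSigningKey+0xa2
0006f610 00000000 certsrv!pkcsLoadCAContext+0x2dc
"""

# ChildEBP, RetAddr, then module[!symbol][+0xoffset]; anything after is ignored.
FRAME = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} "
    r"(?P<module>[^!+\s]+)(?:!(?P<symbol>[^+\s]+))?(?:\+0x[0-9a-f]+)?",
    re.IGNORECASE,
)

def parse_frames(text):
    """Return (module, symbol) pairs, innermost frame first; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((m["module"].lower(), m["symbol"]))
    return frames

def classify(frames):
    """Report whether CA key validation is sitting below CryptExportPublicKeyInfo."""
    modules = [mod for mod, _ in frames]
    exporting = any(mod == "crypt32" and (sym or "").startswith("CryptExportPublicKeyInfo")
                    for mod, sym in frames)
    top_mod, top_sym = frames[0] if frames else (None, None)
    return {
        "top_module": top_mod,
        "top_has_symbols": top_sym is not None,
        "in_ca_key_validation": ("certsrv", "myValidateSigningKey") in frames,
        # Assumption: a top frame outside certsrv/crypt32 reached through the
        # export call is the key provider (CSP) module, as the article reads it.
        "matches_article": exporting and "certsrv" in modules
                           and top_mod not in ("certsrv", "crypt32"),
    }

if __name__ == "__main__":
    print(classify(parse_frames(ARTICLE_STACK)))
```

A stack captured from a hung certsrv process that yields matches_article as True points the investigation at the CSP or HSM configuration items listed under Resolution.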
