Certification Authority Service Startup Failure

Support for Windows Server 2003 ended on July 14, 2015


This article has been archived. It is offered "as is" and will no longer be updated.
Source: Microsoft Support
RAPID PUBLISHING
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Symptom

When you try to start the Certification Authority (CA) service, it fails to start.

You may experience the following symptoms:

·         After the machine on which the CA (Certificate Authority) is installed is restarted, the CA service appears to be started, but attempts to stop the CA service fail.

·         The following error appears in the event log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10.03.2008
Time: 13:41:10
User: N/A
Computer: CA_Server
Description:
The server {D99E6E73-FC88-11D0-B498-00A0C90312F3} did not register with DCOM within the required timeout.

·         "d99e6e73-fc88-11d0-b498-00a0c90312f3" resolves to CCertAdminD.

·         When you attempt to ping the CA locally or remotely using "certutil -ping", after a longer period of time it fails with "Server execution failed 0x80080005 (-2146959355)", which resolves to CO_E_SERVER_EXEC_FAILURE.

·         Internally, the following error corresponds to the error displayed by certutil:

ole32!CClientContextActivator::CreateInstance returns 80080005

·         The output of rpcdump shows that the Certificate Server RPC interfaces are not registered:

"
UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncalrpc:[OLEBB84529DBB4F460BBE49579DD000]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_np:\\\\W2K3TESTCA[\\pipe\\cert]

UUID: 91ae6020-9e3c-11cf-8d7c-00aa00c091be
ncacn_ip_tcp:10.10.10.10[1089]
"
Cause

This behavior can be caused by any of the following:

1. During the CA installation, the CSP is set not to interact with the desktop.

2. The remote desktop session is created without the "console" switch, and the CA is installed and administered from this session.

3. Any other scenario in which CryptExportPublicKeyInfo does not return properly due to errors in the CSP or HSM.
Resolution

1.       If the CA is administered using remote desktop, make sure that the console switch and session are specified.

2.       Make sure that the CSP used for the CA keys can interact with the desktop.

3.       If an HSM is used for the CA keys, make sure that it is properly configured.

4.       Make sure that CryptExportPublicKeyInfo returns successfully.
More Information

The problem can be traced during the failed CA service startup: CryptExportPublicKeyInfo (a function defined in crypt32.dll) fails to get the required information from the third-party CSP. As a result, the CA server does not start properly and its RPC interfaces are not registered, which leads to the inconsistent and confusing behavior described above.
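
One way to check resolution step 4 outside the CA service is the following PowerShell probe, which is an added example and not part of the original article. It opens the key container through the CSP and calls CryptExportPublicKeyInfo twice, first to query the size and then to export. The container name, CSP name, provider type, key spec and the use of the machine keyset are assumptions to replace with your CA's values.

```powershell
# Added example, not from the KB article. Container and provider are placeholders.
param(
    [string]$Container = 'EXAMPLE-CA-KEY-CONTAINER',  # placeholder: CA key container
    [string]$Provider  = 'EXAMPLE CSP NAME',          # placeholder: CSP used by the CA
    [uint32]$ProvType  = 1,                           # assumed: PROV_RSA_FULL
    [uint32]$KeySpec   = 2                            # assumed: AT_SIGNATURE
)

Add-Type -Namespace CaProbe -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern bool CryptAcquireContext(out IntPtr hProv, string container,
    string provider, uint provType, uint flags);
[DllImport("advapi32.dll")]
static extern bool CryptReleaseContext(IntPtr hProv, uint flags);
[DllImport("crypt32.dll", SetLastError = true)]
static extern bool CryptExportPublicKeyInfo(IntPtr hProv, uint keySpec,
    uint encoding, IntPtr info, ref uint cbInfo);

static string Fail(string step) {
    // Capture the Win32 error immediately after the failing native call.
    return string.Format("FAILED in {0}: 0x{1:X8}", step, Marshal.GetLastWin32Error());
}

public static string Probe(string container, string provider, uint provType, uint keySpec) {
    const uint CRYPT_MACHINE_KEYSET = 0x20, X509_ASN_ENCODING = 1;
    IntPtr hProv;
    if (!CryptAcquireContext(out hProv, container, provider, provType, CRYPT_MACHINE_KEYSET))
        return Fail("CryptAcquireContext");
    IntPtr buf = IntPtr.Zero;
    try {
        uint size = 0;
        // First call with a null buffer only asks the CSP for the required size.
        if (!CryptExportPublicKeyInfo(hProv, keySpec, X509_ASN_ENCODING, IntPtr.Zero, ref size))
            return Fail("CryptExportPublicKeyInfo (size query)");
        buf = Marshal.AllocHGlobal((int)size);
        if (!CryptExportPublicKeyInfo(hProv, keySpec, X509_ASN_ENCODING, buf, ref size))
            return Fail("CryptExportPublicKeyInfo (export)");
        return string.Format("OK: CERT_PUBLIC_KEY_INFO exported, {0} bytes", size);
    } finally {
        if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
        CryptReleaseContext(hProv, 0);
    }
}
'@

[CaProbe.Native]::Probe($Container, $Provider, $ProvType, $KeySpec)
```

A probe that never returns is itself a result, since the article describes the call not returning properly. Success from an interactive session does not prove that the call also succeeds in the context the CA service runs in.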
Properties

Article ID: 959117 - Last Review: 01/16/2015 03:21:05 - Revision: 3.0

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise x64 Edition