Troubleshooting (Advanced Certificate Enrollment and Management)
Applies To: Windows Server 2003 with SP1
Despite the level of detail and documented procedures in this white paper, some scenarios and environments may encounter problems that require troubleshooting. This section contains some of the common errors and troubleshooting tips for the procedures in this white paper to assist in resolving potential problems in your environment.
The first troubleshooting tool shows the full descriptive text for an error code displayed by an application or tool. If an unexpected error appears, you can display the corresponding error message text with the following command.
certutil –error <Hexadecimal_Error_ID>
For example, to see the error text for error 0x80094800, run the following command at a command-line prompt.
certutil –error 0x80094800
Domain Controller Certificates Appear in User Objects
If a certificate template is configured for the CA to publish a certificate in Active Directory during the enrollment and issuance process, the CA will choose the requestor’s Active Directory object instead of the domain controller’s computer object. To correct this issue, follow the steps in Removing Certificates from an Active Directory Computer Object.
Certreq –new fails with error 0x80092023
This error may occur if the subject name was not specified in an X.500 format. You cannot specify just the raw string as the common name. You must at least add the prefix “CN=” to the string.
Certreq –submit fails with error 0x80094800
This common error occurs when the template is not available on the CA where the certificate request was submitted. To correct this issue, make sure that the template name is spelled correctly in the certificate request or as an –attrib parameter. Also, it is important to verify that you have performed the steps in Windows Server 2003 CA Configuration.
Certreq –submit fails with error 0x80094001
This error occurs if you have performed the steps described in Issuing Domain Controller Certificates with a Windows Server 2003 CA where the request uses the V1 Domain Controller certificate template and includes a subject or subject alternative name. The V1 domain controller template instructs an enterprise CA to read the subject name of the requestor from Active Directory, but this fails with manual certificate requests. An administrator’s user object in Active Directory will obviously never have the appropriate subject name for a domain controller.
You must not enroll manual certificate requests with V1 certificate templates on an enterprise CA.
Certreq –submit fails with error 0x80094803
This error typically occurs when a certificate template does not allow the subject or subject alternative name to be explicitly specified in the certificate request. By default, a template only allows information to be retrieved from Active Directory when building the subject or subject alternative name in a certificate. To correct this error for offline certificate enrollment, modify the specific template by running the fixdctemplate.vbs script in Appendix 2.
To verify the mandatory attributes of a subject alternative name in a template, run the following command at a command-line prompt with the Windows Server 2003 versions of certutil. On a Windows 2000 computer, you must add a prefix to the commands. The prefix is the path you have copied these commands to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used. You must be logged on as a member of the Authenticated User group in the Active Directory forest.
Certutil –v –dstemplate {CertificateTemplate_commonname}
For example, type
certutil -v -dstemplate OfflineDomaincontrollerauthentication
The command will display the properties of the specified template. Examine the parameters following msPKI-Certificate-Name-Flag in the output. Parameters that are indented in the output are disabled. Ensure that you have specified all attributes in the certificate request that are not indented in the output of the template properties.
Certreq –submit fails with error 0x8009480e
This error most commonly occurs when the template is not available on the CA to which you have submitted the request. This situation may also be corrected by running the fixtemplate.vbs script in Appendix 2. See also Certreq –submit fails with error 0x80094803.
Certutil –viewstore displays an empty dialog with no certificates
This error most commonly occurs when an invalid object class was specified in the command-line parameter(s). You can use ADSIedit from the Windows Server 2003 Support Tools on the Windows Server 2003 CD-ROM to identify the correct object class and its distinguished name.