Errors with SharePoint Security Token Service: "The revocation function was unable to check revocation for the certificate"
I'm getting these errors in the event log and ULS:
"An operation failed because the following certificate has validation errors:
Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: <STS CERTIFICATE THUMBPRINT>
Errors:
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate"), reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in PowerShell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I've also verified that the service accounts reporting the error do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues, and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:
Subject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US
Issuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US
Thumbprint: <STS CERT THUMBPRINT>
Errors:
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
# Get the farm's own root certificate, the issuer of the STS signing certificate
$rootCert = (Get-SPCertificateAuthority).RootCertificate
# Register it again as a trusted root authority so the STS certificate chain can be validated
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Forum Support
Wendy Li
TechNet Community Support
Similar Messages
-
Hi,
We have some problems with our Root CA. I can see a lot of failed requests with event id 22 in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=xxxxx.ourdomain.com. Additional information: Error Verifying Request Signature or Signing Certificate
A couple of months ago we decommissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure, but I am not sure whether this was in use or not, since I could find the role but I wasn't able to see any existing configuration.
Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs. What can I do now to try and correct the problem?
Thank you for your help
//Cris
hello,
let me recap first:
you see these errors on a ROOT CA, so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with the error you mentioned.
do you say that you had a PREVIOUS CA which you decommissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision not to bother with the current certificates that it issued and which are still valid, right?
The error says that the REQUEST signature cannot be validated. REQUESTs are signed either by themselves (self-signed) or, if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs do not contain CRL paths at all.
So this implies to me that the requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
As there are many such REQUESTs and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
As you decommissioned your PREVIOUS CA, it does not issue CRLs anymore and the current certificates cannot be checked for validity.
Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew. Just a clean self-signed REQUEST.
That will succeed.
You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
ondrej.
-
Hi
I have 1 root CA and 1 subordinate CA. I removed one of the locations to publish the CRL and after that the ADCS service can't start. I get the warning first:
Revocation status for a certificate in the chain for CA certificate 2 for siu-SRVDC01-CA could not be verified because a server is currently unavailable. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
And then the error:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. siu-SRVDC01-CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
I've read many threads with similar problems but I can't find the solution. The CDP is online. I've run "certutil -url cert.cer" to verify the CDP and AIA and everything is fine. But the service is still not starting.
See this command too:
C:\>certutil -verify -urlfetch subCADC01.cer
Issuer:
CN=siu-SRVDC02-CA
DC=siu
DC=domain
Name Hash(sha1): 152a7c43f186d9179c1c3256d3a1a0af4a9df892
Name Hash(md5): b409e417a38bbe04b5800512bd94efac
Subject:
CN=siu-SRVDC01-CA
DC=siu
DC=domain
Name Hash(sha1): 5ee421b84c3b18ff134cf2e42226853d78d3409b
Name Hash(md5): e1a454692361733e45dad374dc14cae3
Cert Serial Number: 1e0000022c707c76c0a27b315700000000022c
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Hours, 2 Minutes, 16 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Hours, 2 Minutes, 16 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
NotBefore: 19.03.2015 11:18
NotAfter: 19.03.2017 11:28
Subject: CN=siu-SRVDC01-CA, DC=siu, DC=domain
Serial: 1e0000022c707c76c0a27b315700000000022c
Template: SubCA
a1a8a95464c5b586da6e9b304142d59fc5a22ae0
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://wwwca/CertEnroll/srvdc02.siu.domain_siu-SRVDC02-CA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (26)" Time: 0
[0.0] http://sharepoint.siu.no:8088/siu-SRVDC02-CA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 26:
Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
ThisUpdate: 19.03.2015 11:10
NextUpdate: 15.09.2015 23:30
e2ee543a68214f9b99dda2e9f58b1ddfc34429d1
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=siu-SRVDC02-CA, DC=siu, DC=domain
NotBefore: 23.09.2011 13:00
NotAfter: 23.09.2021 13:10
Subject: CN=siu-SRVDC02-CA, DC=siu, DC=domain
Serial: 60fc459ebdefa5b646a081b0c21c259d
4ea8bb95b0038c69a83c939e8a54f892cd0b5056
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
Exclude leaf cert:
691f7e42f5c4a86d03b7225bf7303369ef6dcc7e
Full chain:
17e5b9477a1736c33dc0ff245e7b06de5b958c4c
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Any clue?
It looks like it is trying to get the CRL using LDAP. It is quite strange since no LDAP entry is on the subordinate CA, only an HTTP address:
<CertificateRevocationList location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?certificateRevocationList?base?objectClass=cRLDistributionPoint"
fileRef="DEEB557897A9FEA217DF83D95BF24CA54051B1CF.crl" issuerName="siu-SRVDC02-CA" />
<CertificateRevocationList deltaCRL="true" location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?deltaRevocationList?base?objectClass=cRLDistributionPoint"
I have checked that object using ADSI Edit and the permissions seem OK. Also there is a value on both attributes: certificateRevocationList and deltaRevocationList.
This problem happened after I removed the LDAP entry for the "CRL Distribution point" from the sub CA properties. Should I add back the LDAP entry?
Log Name: Microsoft-Windows-CAPI2/Operational
Source: Microsoft-Windows-CAPI2
Date: 19.03.2015 14:42:07
Event ID: 11
Task Category: Build Chain
Level: Error
Keywords: Path Discovery,Path Validation
User: SYSTEM
Computer: srvdc01.siu.domain
Description:
For more details for this event, please refer to the "Details" section
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>11</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000003</Keywords>
<TimeCreated SystemTime="2015-03-19T13:42:07.481533500Z" />
<EventRecordID>131</EventRecordID>
<Correlation />
<Execution ProcessID="6288" ThreadID="5472" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>srvdc01.siu.domain</Computer>
<Security UserID="S-1-5-18" />
</System>
<UserData>
<CertGetCertificateChain>
<Certificate fileRef="E02AA2C59FD54241309B6EDA86B5C56454A9A8A1.cer" subjectName="siu-SRVDC01-CA" />
<ExtendedKeyUsage />
<Flags value="40000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" />
<ChainEngineInfo context="machine" />
<CertificateChain chainRef="{60B61582-1C3C-4B58-AE8C-70278ADEE402}" revocationFreshnessTime="P2DT21H13M20S">
<TrustStatus>
<ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
<InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ChainElement>
<Certificate fileRef="E02AA2C59FD54241309B6EDA86B5C56454A9A8A1.cer" subjectName="siu-SRVDC01-CA" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="1000040" CERT_TRUST_REVOCATION_STATUS_UNKNOWN="true" CERT_TRUST_IS_OFFLINE_REVOCATION="true" />
<InfoStatus value="102" CERT_TRUST_HAS_KEY_MATCH_ISSUER="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage any="true" />
<IssuanceUsage />
<RevocationInfo freshnessTime="P2DT21H13M20S">
<RevocationResult value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</RevocationResult>
<StrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" />
<DeltaStrongSignProperties signHash="RSA/SHA1" issuerPublicKeyLength="2048" />
<CertificateRevocationList location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?certificateRevocationList?base?objectClass=cRLDistributionPoint"
fileRef="DEEB557897A9FEA217DF83D95BF24CA54051B1CF.crl" issuerName="siu-SRVDC02-CA" />
<CertificateRevocationList deltaCRL="true" location="TvoCache" url="ldap:///CN=siu-SRVDC02-CA,CN=srvdc02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=siu,DC=domain?deltaRevocationList?base?objectClass=cRLDistributionPoint"
fileRef="58A2CDBC7A238DDD76EEFEDE354A04596F5AED71.crl" issuerName="siu-SRVDC02-CA" />
</RevocationInfo>
</ChainElement>
<ChainElement>
<Certificate fileRef="56500BCD92F8548A9E933CA8698C03B095BBA84E.cer" subjectName="siu-SRVDC02-CA" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
<TrustStatus>
<ErrorStatus value="0" />
<InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
<ApplicationUsage any="true" />
<IssuanceUsage any="true" />
</ChainElement>
</CertificateChain>
<EventAuxInfo ProcessName="certsrv.exe" />
<CorrelationAuxInfo TaskId="{54E4FCD3-E70A-4024-BB81-6A053EAACE21}" SeqNumber="9" />
<Result value="80092013">The revocation function was unable to check revocation because the revocation server was offline.</Result>
</CertGetCertificateChain>
</UserData>
</Event>
-
The "SignFile" task was not given a value for the required parameter "CertificateThumbprint"
We have a line of business app which is deployed via ClickOnce. I can build and publish the application without any problems, but when I try to use Continuous Integration (build each check-in) I get the following error:
2>C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets(3450,5):
error MSB4044:
The "SignFile" task was not given a value for the required parameter "CertificateThumbprint".
[C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj]
Done executing task "SignFile" -- FAILED.
We sign the application (to be more specific: the ClickOnce manifest) using a code signing certificate which is registered in the AD as a Trusted Publisher.
The certificate is stored in the certificate store on my local workstation. The certificate is also in the certificate store of the build server (1. in the Personal store, 2. in the Personal store of the TFSBuildServiceHost service account and 3. in the Personal store of the TFS/build server itself).
We are using Visual Studio 2013 Update 4, C#, .NET 4.5 and TFS 2013 Update 4.
I have no clue what causes this error, any help is appreciated.
I installed the Windows Software Development Kit (SDK) for Windows 8 and now I can build the solution via command line.
"C:\Program Files (x86)\MSBuild\12.0\bin\amd64\MSBuild.exe" C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse.sln
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse.sln
But the TFS Build still fails.
Here is the error output gathered from the TFS build log file:
Task "AL"
C:\Program Files (x86)\Microsoft SDKs\Windows\v8.1A\bin\NETFX 4.5.1 Tools\x64\AL.exe /culture:de /out:obj\Debug\de\Pulse.resources.dll /platform:AnyCPU /template:obj\Debug\Pulse.exe /embed:obj\Debug\Pulse.View.Localization.CreditsView.de.resources /embed:obj\Debug\Pulse.View.Localization.PulseMainWindow.de.resources
Microsoft (R) Assembly Linker version 12.0.20806.33440
Copyright (C) Microsoft Corporation. All rights reserved.
Done executing task "AL".
2>Done building target "GenerateSatelliteAssemblies" in project "Pulse.csproj".
2>Target "CreateSatelliteAssemblies" in file "C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets" from project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (target "CoreBuild" depends on it):
2>Done building target "CreateSatelliteAssemblies" in project "Pulse.csproj".
Target "SetWin32ManifestProperties" skipped. Previously built successfully.
Target "_DeploymentComputeNativeManifestInfo" skipped, due to false condition; ('$(GenerateClickOnceManifests)'!='true') was evaluated as ('true'!='true').
2>Target "CleanPublishFolder" in file "C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets" from project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (target "_DeploymentComputeClickOnceManifestInfo" depends on it):
Task "RemoveDir" skipped, due to false condition; ('$(PublishDir)'=='$(OutputPath)app.publish\' and Exists('$(PublishDir)')) was evaluated as ('bin\Debug\app.publish\'=='bin\Debug\app.publish\' and Exists('bin\Debug\app.publish\')).
2>Done building target "CleanPublishFolder" in project "Pulse.csproj".
Target "_DeploymentGenerateTrustInfo" skipped, due to false condition; ('$(TargetZone)'!='') was evaluated as (''!='').
2>Target "_DeploymentComputeClickOnceManifestInfo" in file "C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets" from project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (target "GenerateApplicationManifest" depends on it):
Task "Copy"
Creating directory "bin\Debug\app.publish".
Copying file from "obj\Debug\Pulse.exe" to "bin\Debug\app.publish\Pulse.exe".
Done executing task "Copy".
Using "SignFile" task from assembly "Microsoft.Build.Tasks.v12.0, Version=12.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a".
Task "SignFile"
2>C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets(3450,5): error MSB4044: The "SignFile" task was not given a value for the required parameter "CertificateThumbprint". [C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj]
Done executing task "SignFile" -- FAILED.
2>Done building target "_DeploymentComputeClickOnceManifestInfo" in project "Pulse.csproj" -- FAILED.
2>Target "_CheckForCompileOutputs" in file "C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets" from project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (target "_CleanGetCurrentAndPriorFileWrites" depends on it):
2>Done building target "_CheckForCompileOutputs" in project "Pulse.csproj".
Target "_SGenCheckForOutputs" skipped, due to false condition; ('$(_SGenGenerateSerializationAssembliesConfig)' == 'On' or ('@(WebReferenceUrl)'!='' and '$(_SGenGenerateSerializationAssembliesConfig)' == 'Auto')) was evaluated as ('Off' == 'On' or (''!='' and 'Off' == 'Auto')).
2>Target "_CleanGetCurrentAndPriorFileWrites" in file "C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets" from project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (target "_CleanRecordFileWrites" depends on it):
Task "ReadLinesFromFile"
Done executing task "ReadLinesFromFile".
Task "ConvertToAbsolutePath"
Done executing task "ConvertToAbsolutePath".
Task "FindUnderPath"
Comparison path is "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse".
Done executing task "FindUnderPath".
Task "FindUnderPath"
Comparison path is "C:\Builds\1\Pulse\DefaultBuild\bin\".
Done executing task "FindUnderPath".
Task "FindUnderPath"
Comparison path is "obj\Debug\".
Done executing task "FindUnderPath".
Task "RemoveDuplicates"
Done executing task "RemoveDuplicates".
2>Done building target "_CleanGetCurrentAndPriorFileWrites" in project "Pulse.csproj".
2>Target "_CleanRecordFileWrites" in file "C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets" from project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (target "CoreBuild" depends on it):
Task "RemoveDuplicates"
Done executing task "RemoveDuplicates".
Task "MakeDir"
Done executing task "MakeDir".
Task "WriteLinesToFile"
Done executing task "WriteLinesToFile".
2>Done building target "_CleanRecordFileWrites" in project "Pulse.csproj".
2>Done Building Project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (default targets) -- FAILED.
1>Done executing task "MSBuild" -- FAILED.
1>Done building target "Build" in project "Pulse.sln" -- FAILED.
1>Done Building Project "C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse.sln" (default targets) -- FAILED.
Build FAILED.
"C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse.sln" (default target) (1) ->
"C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj" (default target) (2) ->
(_DeploymentComputeClickOnceManifestInfo target) ->
C:\Program Files (x86)\MSBuild\12.0\bin\amd64\Microsoft.Common.CurrentVersion.targets(3450,5): error MSB4044: The "SignFile" task was not given a value for the required parameter "CertificateThumbprint". [C:\Builds\1\Pulse\DefaultBuild\src\Pulse\Pulse\Pulse.csproj]
0 Warning(s)
1 Error(s)
-
"Unable to check revocation" error while checking CDP from non-domain user account
Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for the CRL check: ldap:///, http:// and file://
I have Windows 2008 R2 server joined to domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all other links are OK.
My question is "why does the check fail with a non-domain user account while the other CDP points are successfully verified"?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian -
Why do I see 'Unable to check revocation because the revocation server was offline'?
Hi,
In a lab we've been renewing our Subordinate Issuing CA cert fine for 3 iterations. On the 4th renewal attempt, when I try to perform a 'Certutil -InstallCert Cert(4).crt', I receive the message 'The revocation function was unable to check revocation because the revocation server was offline. 0x80092013'.
Why could I perform a renewal operation successfully up to this point but can't now? What does this message really mean, because no servers are offline?
Thanks for your help! SdeDot
Thanks Paul.
The first error I found in the registry was the DSConfigDN was incorrect due to me copying the commands from another test system.
We didn't specifically code a CDP or AIA on the Root because each time we renewed the cert on the Root, on the Sub CA we published the renewed cert to AD and added the renewed cert and renewed CRL to the local Root store.
What follows is the RootCA registry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\FlyByNightRootCA:
Keys:
CSP
EncryptionCSP
ExitModules
PolicyModules
Values:
ViewAgeMinutes REG_DWORD = 10 (16)
ViewIdleMinutes REG_DWORD = 8
CAType REG_DWORD = 3
ENUM_STANDALONE_ROOTCA -- 3
UseDS REG_DWORD = 0
ForceTeletex REG_DWORD = 12 (18)
ENUM_TELETEX_AUTO -- 2
ENUM_TELETEX_UTF8 -- 10 (16)
SignedAttributes REG_MULTI_SZ =
0: RequesterName
EKUOIDsForPublishExpiredCertInCRL REG_MULTI_SZ =
0: 1.3.6.1.5.5.7.3.3 Code Signing
1: 1.3.6.1.4.1.311.61.1.1 Kernel Mode Code Signing
CommonName REG_SZ = FlyByNightRootCA
Enabled REG_DWORD = 1
PolicyFlags REG_DWORD = 0
CertEnrollCompatible REG_DWORD = 0
CRLEditFlags REG_DWORD = 100 (256)
EDITF_ENABLEAKIKEYID -- 100 (256)
CRLFlags REG_DWORD = 2
CRLF_DELETE_EXPIRED_CRLS -- 2
InterfaceFlags REG_DWORD = 41 (65)
IF_LOCKICERTREQUEST -- 1
IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
EnforceX500NameLengths REG_DWORD = 1
SubjectTemplate REG_MULTI_SZ =
0: EMail
1: CommonName
2: OrganizationalUnit
3: Organization
4: Locality
5: State
6: DomainComponent
7: Country
ClockSkewMinutes REG_DWORD = a (10)
LogLevel REG_DWORD = 3
HighSerial REG_DWORD = 0
CAServerName REG_SZ = Server03
ValidityPeriod REG_SZ = Hours
ValidityPeriodUnits REG_DWORD = c (12)
CAXchgCertHash REG_MULTI_SZ =
KRACertHash REG_MULTI_SZ =
KRACertCount REG_DWORD = 0
KRAFlags REG_DWORD = 0
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 8:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
CSURL_ADDTOCRLCDP -- 8
2: 0:http://%1/CertEnroll/%3%8%9.crl
3: 6:file://%1/CertEnroll/%3%8%9.crl
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CRLPeriod REG_SZ = Hours
CRLPeriodUnits REG_DWORD = c (12)
CRLOverlapPeriod REG_SZ = Hours
CRLOverlapUnits REG_DWORD = 0
CRLDeltaPeriod REG_SZ = Hours
CRLDeltaPeriodUnits REG_DWORD = 0
CRLDeltaOverlapPeriod REG_SZ = Minutes
CRLDeltaOverlapUnits REG_DWORD = 0
CAXchgValidityPeriod REG_SZ = Weeks
CAXchgValidityPeriodUnits REG_DWORD = 1
CAXchgOverlapPeriod REG_SZ = Days
CAXchgOverlapPeriodUnits REG_DWORD = 1
MaxIncomingMessageSize REG_DWORD = 10000 (65536)
MaxIncomingAllocSize REG_DWORD = 10000 (65536)
CACertPublicationURLs REG_MULTI_SZ =
0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
CSURL_SERVERPUBLISH -- 1
1: 0:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2: 0:http://%1/CertEnroll/%1_%3%4.crt
3: 2:file://%1/CertEnroll/%1_%3%4.crt
CSURL_ADDTOCERTCDP -- 2
CACertHash REG_MULTI_SZ =
0: e0 bb 32 b9 bf f7 43 1d 23 e2 da b6 26 10 33 d8 00 61 e6 14
1: a8 77 c8 09 af f0 07 4c 70 51 78 80 09 26 b1 05 f5 16 e5 be
Security REG_BINARY =
Allow CA Administrator BUILTIN\Administrators
Allow Certificate Manager BUILTIN\Administrators
Allow Enroll Everyone
SetupStatus REG_DWORD = 1
SETUP_SERVER_FLAG -- 1
DSConfigDN REG_SZ = CN=Configuration,DC=TestPKI,DC=Net
AuditFilter REG_DWORD = 7f (127)
CRLNextPublish REG_BINARY = 2/28/2015 4:22 AM
CertUtil: -getreg command completed successfully.
Thanks for your help! SdeDot -
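The best-practice rules in Brian's reply above (one HTTP CDP URL; AIA with one HTTP URL for the CA certificate and one for OCSP; no LDAP or FILE URLs in issued certificates) can be checked directly against the CRLPublicationURLs and CACertPublicationURLs values in the registry dump: the decimal prefix of each "n:url" entry is the sum of the CSURL_* bits printed under it, and only entries carrying bit 2 (or 32 for OCSP) are written into issued certificates. The Python below is an added example, not code from the thread or from certutil; CSURL_ADDTOCERTOCSP (32) is assumed from the certutil documentation since it does not occur in the dump.

```python
"""Decode the 'flags:url' entries of CRLPublicationURLs / CACertPublicationURLs
and report which URLs will actually land in issued certificates."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# CSURL_* bits as printed by certutil -getreg above; the numeric prefix of each
# "n:url" entry is the decimal sum of these bits (65 = 64 + 1, 6 = 4 + 2).
CSURL_SERVERPUBLISH = 1         # the CA writes the CRL / CA cert file here
CSURL_ADDTOCERTCDP = 2          # CRL list: issued certs' CDP extension
                                # CA cert list: issued certs' AIA extension
CSURL_ADDTOFRESHESTCRL = 4      # issued certs' Freshest CRL extension
CSURL_ADDTOCRLCDP = 8           # the CRL's own IDP extension
CSURL_ADDTOCERTOCSP = 32        # CA cert list: AIA entry for the OCSP access method
                                # (documented certutil bit; absent from the dump above)
CSURL_SERVERPUBLISHDELTA = 64   # the CA writes delta CRLs here

ENTRY_RE = re.compile(r"^\s*\d+:\s*(\d+):(\S.*?)\s*$")


@dataclass(frozen=True)
class PublicationUrl:
    flags: int
    url: str

    @property
    def scheme(self) -> str:
        # A bare drive path (C:\...) has no URL scheme; urlsplit would report "c".
        if re.match(r"^[A-Za-z]:\\", self.url):
            return "localpath"
        return urlsplit(self.url).scheme.lower()


def parse_publication_urls(block: str) -> list[PublicationUrl]:
    """Keep only the 'n: flags:url' lines of a REG_MULTI_SZ block; the CSURL_*
    explanation lines certutil prints underneath each entry are skipped."""
    out = []
    for line in block.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append(PublicationUrl(int(m.group(1)), m.group(2)))
    return out


def _unused(entries: list[PublicationUrl]) -> list[str]:
    return [f"unused: {e.url} is neither published nor placed in any extension"
            for e in entries if e.flags == 0]


def lint_crl_urls(entries: list[PublicationUrl]) -> list[str]:
    """Exactly one CDP URL should reach issued certificates, and it should be HTTP."""
    findings = _unused(entries)
    in_certs = [e for e in entries if e.flags & CSURL_ADDTOCERTCDP]
    findings += [f"non-HTTP CDP: {e.scheme} URL {e.url} is written into issued certificates"
                 for e in in_certs if e.scheme != "http"]
    if len(in_certs) != 1:
        findings.append(f"expected exactly one CDP URL in issued certificates, found {len(in_certs)}")
    return findings


def lint_ca_cert_urls(entries: list[PublicationUrl]) -> list[str]:
    """AIA should carry one HTTP URL for the CA certificate and one for OCSP."""
    findings = _unused(entries)
    ca_cert = [e for e in entries if e.flags & CSURL_ADDTOCERTCDP]
    ocsp = [e for e in entries if e.flags & CSURL_ADDTOCERTOCSP]
    findings += [f"non-HTTP AIA: {e.scheme} URL {e.url} is written into issued certificates"
                 for e in ca_cert + ocsp if e.scheme != "http"]
    if len(ca_cert) != 1:
        findings.append(f"expected exactly one CA certificate URL in AIA, found {len(ca_cert)}")
    if not ocsp:
        findings.append("no URL is flagged (32) as the OCSP access method in AIA")
    return findings


# The two REG_MULTI_SZ values copied from the certutil -getreg dump above.
CRL_PUBLICATION_URLS = r"""
0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 8:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
CSURL_ADDTOCRLCDP -- 8
2: 0:http://%1/CertEnroll/%3%8%9.crl
3: 6:file://%1/CertEnroll/%3%8%9.crl
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
"""

CA_CERT_PUBLICATION_URLS = r"""
0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
CSURL_SERVERPUBLISH -- 1
1: 0:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2: 0:http://%1/CertEnroll/%1_%3%4.crt
3: 2:file://%1/CertEnroll/%1_%3%4.crt
CSURL_ADDTOCERTCDP -- 2
"""

if __name__ == "__main__":
    for name, block, lint in (("CRLPublicationURLs", CRL_PUBLICATION_URLS, lint_crl_urls),
                              ("CACertPublicationURLs", CA_CERT_PUBLICATION_URLS, lint_ca_cert_urls)):
        print(name)
        for finding in lint(parse_publication_urls(block)):
            print("  -", finding)
```

On this dump the only URL that reaches issued certificates' CDP and AIA is the file:// one, while the http:// entries carry flag 0 and are never used, which matches the failed file:// fetches in the certutil output earlier in the thread.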
Failed to create Subordinate CA because of unable to check revocation
Hi all,
I am building a subordinate CA on my domain controller with Windows Server 2012 R2 installed.
I submitted the CSR to my root CA (running EJBCA), then I accept the CA request and generated a certificate file. I already configured my root CA to append OCSP and CRL in this generated certification.
However, I keep receiving "revocation server was offline" error, although I passed the OCSP check with OpenSSL.
Here's the detailed error from certutil.exe
Any help?
PS C:\Users\Administrator> certutil -urlfetch -verify -seconds \\tsclient\Downloads\winPDCCA.cer
Issuer:
C=CA
O=ROOT
CN=ROOT Server CA
Name Hash(sha1): xxx
Name Hash(md5): xxx
Subject:
CN=win-PDC-CA
Name Hash(sha1): xxx
Name Hash(md5): xxx
Cert Serial Number: 58b8a199528589b8
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: C=CA, O=ROOT, CN=ROOT Server CA
NotBefore: 3/5/2015 3:20 AM
NotAfter: 3/4/2040 8:18 AM
Subject: CN=win-PDC-CA
Serial: 58b8a199528589b8
Template: DomainController
12b9512bc6cc456929f73ea1ab0b597812164e46
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL (17)" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20Server%20CA,O=ROOT,C=CA
Verified "Delta CRL (17)" Time: 0
[0.0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20Server%20CA,O=ROOT,C=CA
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/status/ocsp
CRL (null):
Issuer: C=CA, O=ROOT, CN=ROOT Server CA
ThisUpdate: 3/5/2015 3:30 AM
NextUpdate: 3/5/2015 3:30 PM
xxxx
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: C=CA, O=ROOT, CN=ROOT CA
NotBefore: 3/4/2015 8:18 AM
NotAfter: 3/4/2040 8:18 AM
Subject: C=CA, O=ROOT, CN=ROOT Server CA
Serial: 198c1ca481078881
xxxx
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL (13)" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
Verified "Delta CRL (13)" Time: 0
[0.0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/status/ocsp
CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: C=CA, O=ROOT, CN=ROOT CA
NotBefore: 3/4/2015 8:18 AM
NotAfter: 3/4/2040 8:18 AM
Subject: C=CA, O=ROOT, CN=ROOT CA
Serial: 1def9f3b25d8ec1e
7487db4f9ea8055ca3d095b994fafdd7bbfd0283
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
Exclude leaf cert:
xxxx
Full chain:
xxxx
Issuer: C=CA, O=ROOT, CN=ROOT Server CA
NotBefore: 3/5/2015 3:20 AM
NotAfter: 3/4/2040 8:18 AM
Subject: CN=win-PDC-CA
Serial: 58b8a199528589b8
Template: DomainController
xxxx
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
Revocation check skipped -- server offline
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
PS C:\Users\Administrator>
The OCSP server is providing expired responses; there is something definitely wrong with the OCSP configuration. Because you are using the EJBCA OCSP server by PrimeKey, you are going to have to contact them regarding the issues with your configuration.
Brian
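To pin down which chain element and which CDP/AIA/OCSP fetch produced the revocation error, the `CertContext ... dwErrorStatus=` headers and the `Verified`/`Failed`/`Expired`/`No URLs` result lines of the certutil dumps in this and the previous thread can be parsed mechanically. The Python below is an added example, not code from the thread; the sample dump is constructed in the layout of those two runs with a placeholder hostname, and the CERT_TRUST_* names other than the two printed above are the documented CryptoAPI values for the same field.

```python
"""Parse the chain section of `certutil -urlfetch -verify` output and list
which chain element and which CDP/AIA/OCSP fetch broke revocation checking."""
from __future__ import annotations
import re
from dataclasses import dataclass

# CERT_TRUST_* bits of dwErrorStatus. The last two appear in the dumps above;
# the others are the documented CryptoAPI values for the same field.
ERROR_BITS = {
    0x1: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x4: "CERT_TRUST_IS_REVOKED",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

CTX_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]:.*dwErrorStatus=([0-9a-fA-F]+)")
SECTION_RE = re.compile(r"^-+\s*(.+?)\s*-+$")
RESULT_RE = re.compile(r'^(Verified|Failed|Expired|No URLs)\s+"[^"]*"\s+Time:\s*\d+$')
ERRMSG_RE = re.compile(r"^Error retrieving URL:\s*(.+)$")
# The [n.m] index prefix is optional: the failed AIA line above has none.
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?(\w+://\S+)$")


@dataclass
class Element:
    index: int          # position in the chain, 0 = leaf
    error_status: int   # dwErrorStatus parsed from hex
    subject: str = ""

    def error_names(self) -> list[str]:
        return [name for bit, name in ERROR_BITS.items() if self.error_status & bit]


@dataclass
class Fetch:
    element: int      # chain element the URL belongs to
    section: str      # "Certificate AIA", "Certificate CDP", "Certificate OCSP", ...
    status: str       # Verified / Failed / Expired / No URLs
    url: str = ""
    reason: str = ""  # text after "Error retrieving URL:" when the fetch failed


def parse_verify_output(text: str) -> tuple[list[Element], list[Fetch]]:
    elements: list[Element] = []
    fetches: list[Fetch] = []
    section, pending = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CTX_RE.match(line):
            elements.append(Element(int(m.group(1)), int(m.group(2), 16)))
            section, pending = "", None
        elif line.startswith("Subject:") and elements and not elements[-1].subject:
            elements[-1].subject = line.split(":", 1)[1].strip()
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := RESULT_RE.match(line):
            pending = Fetch(elements[-1].index if elements else -1, section, m.group(1))
            if pending.status == "No URLs":   # nothing to fetch, no URL line follows
                fetches.append(pending)
                pending = None
        elif pending and (m := ERRMSG_RE.match(line)):
            pending.reason = m.group(1)
        elif pending and (m := URL_RE.match(line)):
            pending.url = m.group(1)
            fetches.append(pending)
            pending = None
    return elements, fetches


def findings(elements: list[Element], fetches: list[Fetch]) -> list[str]:
    """Human-readable list: error bits per chain element, then every non-Verified fetch."""
    out = [f"chain element {e.index} ({e.subject}): {n}" for e in elements for n in e.error_names()]
    for f in fetches:
        if f.status in ("Failed", "Expired"):
            why = f" ({f.reason})" if f.reason else ""
            out.append(f"element {f.element} {f.section}: {f.status} fetch of {f.url}{why}")
    return out


# Constructed, abridged dump in the layout of the two certutil runs above
# (the EJBCA hostname is a placeholder).
SAMPLE = r"""
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=SubCA
  Subject: CN=EntSubCA, DC=DED, DC=ROOT
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
  Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=RootCA
  Subject: CN=SubCA
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (13)" Time: 0
    [0.0] http://ca.example.invalid:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
  ---------------- Certificate OCSP ----------------
  Expired "OCSP" Time: 0
    [0.0] http://ca.example.invalid:8080/ejbca/publicweb/status/ocsp
"""

if __name__ == "__main__":
    for line in findings(*parse_verify_output(SAMPLE)):
        print(line)
```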
Hi Brian,
I am very confused about the "expired" response... Does it mean the certificate is expired or the OCSP response is expired, or something else?
Anyway, I sniffed the traffic between this Windows subordinate CA and the OCSP server when I ran "certutil -url -v winPDCCA.cer" and chose to verify OCSP.
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Capturing on 'Ethernet 1'
-- omitted --
Online Certificate Status Protocol
responseStatus: successful (0)
responseBytes
ResponseType Id: 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic)
BasicOCSPResponse
tbsResponseData
responderID: byKey (2)
byKey: xx
producedAt: 2015-03-06 03:14:21 (UTC)
responses: 1 item
SingleResponse
certID
hashAlgorithm (SHA-1)
Algorithm Id: 1.3.14.3.2.26 (SHA-1)
issuerNameHash: xx
issuerKeyHash: xx
serialNumber: 1384483256
certStatus: good (0)
good
thisUpdate: 2015-03-06 03:14:21 (UTC)
signatureAlgorithm (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
signature: xx...
certs: 1 item
Certificate (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT Server CA)
signedCertificate
version: v3 (2)
serialNumber: -2130212735
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT CA)
RDNSequence item: 1 item (id-at-commonName=ROOT CA)
RelativeDistinguishedName item (id-at-commonName=ROOT CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: ROOT CA
RDNSequence item: 1 item (id-at-organizationName=ROOT)
RelativeDistinguishedName item (id-at-organizationName=ROOT)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: ROOT
RDNSequence item: 1 item (id-at-countryName=CA)
RelativeDistinguishedName item (id-at-countryName=CA)
Id: 2.5.4.6 (id-at-countryName)
CountryName: CA
validity
notBefore: utcTime (0)
utcTime: 15-03-04 11:48:18 (UTC)
notAfter: utcTime (0)
utcTime: 40-03-04 11:48:10 (UTC)
subject: rdnSequence (0)
rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT Server CA)
RDNSequence item: 1 item (id-at-commonName=ROOT Server CA)
RelativeDistinguishedName item (id-at-commonName=ROOT Server CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: ROOT Server CA
RDNSequence item: 1 item (id-at-organizationName=ROOT)
RelativeDistinguishedName item (id-at-organizationName=ROOT)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: ROOT
RDNSequence item: 1 item (id-at-countryName=CA)
RelativeDistinguishedName item (id-at-countryName=CA)
Id: 2.5.4.6 (id-at-countryName)
CountryName: CA
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: xx...
extensions: 7 items
Extension (id-pe-authorityInfoAccessSyntax)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
AuthorityInfoAccessSyntax: 1 item
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-pkix.48.1)
accessLocation: 6
uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/status/ocsp
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: xx
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax
cA: True
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: xx
Extension (id-ce-freshestCRL)
Extension Id: 2.5.29.46 (id-ce-freshestCRL)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Whitebear%20Home%20CA,O=Whitebear%20Home,C=CA
cRLIssuer: 1 item
GeneralName: directoryName (4)
directoryName: rdnSequence (0)
rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT CA)
RDNSequence item: 1 item (id-at-commonName=ROOT CA)
RelativeDistinguishedName item (id-at-commonName=ROOT CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: ROOT CA
RDNSequence item: 1 item (id-at-organizationName=ROOT)
RelativeDistinguishedName item (id-at-organizationName=ROOT)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: uTF8String (4)
uTF8String: ROOT
RDNSequence item: 1 item (id-at-countryName=CA)
RelativeDistinguishedName item (id-at-countryName=CA)
Id: 2.5.4.6 (id-at-countryName)
CountryName: CA
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 1
KeyUsage: 86 (digitalSignature, keyCertSign, cRLSign)
1... .... = digitalSignature: True
.0.. .... = contentCommitment: False
..0. .... = keyEncipherment: False
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .1.. = keyCertSign: True
.... ..1. = cRLSign: True
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: 3f209f1ce8bfc017b1b4c889370b0a49e284dd9895672f4b...
1 ^C
Based on the response, it seems that the OCSP server did return "good", "successful" in response. This is also verified with OpenSSL ocsp verification command:
openssl ocsp -url http://ca.xxx.com:8080/ejbca/publicweb/status/ocsp -issuer ROOTServerCA.pem -cert winPDCCA.cer -CAfile ROOTCA.pem
Response verify OK
winPDCCA.cer: good
This Update: Mar 6 03:21:44 2015 GMT
openssl ocsp -url http://ca.xxx.com:8080/ejbca/publicweb/status/ocsp -issuer ROOTCA.pem -cert ROOTServerCA.pem -CAfile ROOTCA.pem
Response verify OK
ROOTServerCA.pem: good
This Update: Mar 6 03:23:29 2015 GMT -
The Security Token Service is not available error on dedicated Distributed Cache server
I have an error on a dedicated Distributed Cache server stating that the Security Token Service is not available. I was under the impression that when Distributed Cache was running on a dedicated server that the only service that should be enabled
is Distributed Cache.
The token service is working as expected on all other servers but this one. Does this service need to be started or should I just ignore this error message?
Jennifer Knight (MCITP, MCPD)
As per my little experience with 2013, if STS is working fine on the Web server then I am sure that SharePoint will be fine... Distributed Cache stores the ST issued by STS. No need to worry about this error.
Login Token Cache (DistributedLogonTokenCache): This cache stores the security token issued by a Secure Token Service for use by any web server in the server farm. Any web server that receives a request for resources can access the security token from the cache, authenticate the user, and provide access to the resources requested.
I would say check the ULS logs and get more details about the error why it's not working on that server.
Please remember to mark your question as answered & vote helpful, if this solves/helps your problem. Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Wsit: Modify the URL of the security token service at runtime
I've managed to modify the url of my webservice endpoint at runtime used by a client application with the BindingProvider.ENDPOINT_ADDRESS_PROPERTY. Is it also possible to modify the url of the security token service?
Check this article
http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
and a similar thread
https://social.technet.microsoft.com/Forums/office/en-US/78cd4366-b11b-4300-93a4-4135d55f561f/error-8306-an-exception-occurred-when-trying-to-issue-security-token-please-help?forum=sharepointgeneralprevious
Though it is for SharePoint 2010, it will work similarly in SharePoint 2013 also. -
The Security Token Service is not available -- SP Server on Windows 7
I just installed SharePoint Server 2010 on a Windows 7 workstation with the aim of setting up a development environment.
Installed all the prerequisites, then SP, everything seemed to go smoothly.
However, the Health Analyzer is warning my that "the Security Token Service is not available". It says that the "Administrator should try to restart the Security Token Service"
I looked under Services for my computer and also looked in IIS, did not see any thing that referenced security tokens. Where would I find the security token service?
Thanks.
No.
In Central Admin > Application Management > Manage Service Applications I see the Security Token Service Application is running. But the Health Analyzer is still saying that "The Security Token Service is not available".
Any advice on resolving this would be greatly appreciated. -
The Security Token Service is not available.
hi,
1. service check failed--
http://localhost:port/SecurityTokenServiceApplication/securitytoken.svc
Getting error message
2. while provision it again..
Get-SPServiceApplication | ?{$_ -match "Security"}
$sts.Status (result got -online)
$sts.Provision()
----Successful...
3.Event at Event viewer,..
WebHost failed to process a request.
Sender Information: System.ServiceModel.Activation.HostedHttpRequestAsyncResult/31626309
Exception: System.Web.HttpException: The service '/SecurityTokenServiceApplication/securitytoken.svc' does not exist. ---> System.ServiceModel.EndpointNotFoundException: The service '/SecurityTokenServiceApplication/securitytoken.svc' does not exist.
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()
--- End of inner exception stack trace ---
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result)
Process Name: w3wp
Process ID: 5752
---------------------And-----------------------------
Event 8306
An exception occurred when trying to issue security token: The requested service, 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc'
could not be activated. See the server's diagnostic trace logs for more information..
Please help
Prasad kambar
Check this article
http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
and a similar thread
https://social.technet.microsoft.com/Forums/office/en-US/78cd4366-b11b-4300-93a4-4135d55f561f/error-8306-an-exception-occurred-when-trying-to-issue-security-token-please-help?forum=sharepointgeneralprevious
Though it is for SharePoint 2010, it will work similarly in SharePoint 2013 also. -
Security Token Service application not working
Trying to use the Secure Store Service to access userprofileservice.asmx methods within an InfoPath 2010 form (doesn't contain any managed code). Created the target application and am using a udcx file within the data connection library according to Microsoft tech articles.
I see errors related to accessing the securitytokenservice application. It keeps erroring out within the ULS logs, something like below:
http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc/actas.
TCP error code 10061: No connection could be made because the target machine actively refused it ::1:32843
Used below links but no luck.
Method 2 of http://support.microsoft.com/kb/981684
http://support.microsoft.com/kb/2493524
http://www.avanadeblog.com/sharepointasg/iis/
My http://localhost works but I don't see http://localhost:32843 working.
When I run netstat -a within the command prompt I see port 32843 is working, since its state is shown as "listening".
When I browse to http://localhost:32843/SecurityTokenServiceApplication I see an HTTP 404 error.
It is the same with other services under the SharePoint Web Services site within IIS.
I see the same HTTP 404 error. The Security Token Service application pool is running.
I'm trying to make this work within my development environment and I don't see the security token service application working in my Production or test environment either. I have a standalone installation on my personal laptop and I don't see these things working there as well. If I had the web.config file of a working Security Token Service application then I could have compared that with the web.config on my development box. This is the only thing I missed out on.
I'm kind of stuck with this since the last one week and any help is appreciated.
Thanks, DC SharePointer
thanks Henrik.
Farm servers already have the WCF hotfix (976462) and I also checked the STS authentication settings in IIS. Only Windows and Anonymous access is enabled. I did make the change (Authentication mode of spStsActAsBinding to IssuedToken; it was SspiNegotiatedOverTransport) that is suggested in the link you provided. But no luck. My STS web.config has the below membership and role providers:
<system.web>
  <membership>
    <providers>
      <add connectionStringName="DevSQLConn"
           applicationName="/"
           name="DevAspNetSqlMembershipProvider"
           requiresQuestionAndAnswer="false"
           type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
  <roleManager enabled="true">
    <providers>
      <add connectionStringName="DevSQLConn"
           applicationName="/"
           name="DevAspNetSqlRoleManager"
           type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.3600.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
</system.web>
Does this have anything to do with my issue? I think at some point they might have configured it to use forms-based authentication.
Thanks, DC SharePointer -
Could Not Connect to Security Token Service Application
Receiving the following:
Get-SPSite : Could not connect to http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc. TCP error code 10061: No connection could be made
I have validated the site and app pool exist and are running... however, browsing to the url returns a 404 page. This is happening on 2/4 servers in my farm.
I have removed SharePoint and Web Server/Application Server Role from each server and re-installed SP to no avail... next step is re-image but thought I would check the blog-o-sphere first...
- Rick
Any anti virus on the servers?
Are there any more details about the error after "No connection could be made"?
Also have a look: http://blogs.technet.com/b/sykhad-msft/archive/2012/02/25/sharepoint-2010-nailing-the-error-quot-the-security-token-service-is-unavailable-quot.aspx
Please remember to mark your question as answered & vote helpful, if this solves/helps your problem. Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Security Token Service Application Pool high CPU
The SecurityTokenServiceApplicationPool seems to be using really high CPU at times and it seems to slow down the server, causing a spike to almost 100% CPU. Recycling takes care of it temporarily; it will also go down on its own, but to a lesser extent.
I can't seem to see any cause of this in the logs.
The Security Token Service Application Pool isn't on a recycle schedule by default.
Does anyone recommend putting it on a recycle schedule?
What are some common causes of it?
thanks
themush
Hi,
As I understand, the SecurityTokenServiceApplicationPool caused high CPU usage in your environment.
Would recycling the application pool help?
To check if there is performance issue, please provide more information about your application server which host this service application.
http://technet.microsoft.com/en-us/library/cc262485(v=office.15).aspx#hwforwebserver
Here are some references for application pool high usage in SharePoint:
http://weblogs.asp.net/erobillard/thoughts-on-sharepoint-application-pools-recycling-and-quot-jit-lag-quot
http://blogs.technet.com/b/stefan_gossner/archive/2007/11/26/dealing-with-memory-pressure-problems-in-moss-wss.aspx
Regards,
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected] .
Rebecca Tu
TechNet Community Support