
Windows Server 2008 R2 ADCS Hotfixes & Known Issues


The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.


Change Log – Last Updated August 23, 2017

August 23, 2017 – Updated the 2008 R2 and 2012 R2 hotfix description for the OCSP bug (2950080) with long CA names. The Microsoft article incorrectly describes the issue as being caused by the host name; it is the CA name that is the issue.

November 7, 2016 – Moved OCSP Magic Number to Client Issues

July 8, 2015 – Added new Known Issue about sConfig allowing domain and computer name changes. Added Hotfix/Resolution 283789 regarding capolicy.inf processing.


HotFixes

  • http://support.microsoft.com/kb/942076 – Error message when you visit a Web site that is hosted on IIS 7.0: “HTTP Error 404.11 – URL_DOUBLE_ESCAPED”
    NOTE: Installing ADCS on the same machine as IIS resolves the issue. However, if Delta CRL files are hosted on a separate computer, this will be an issue.


  • http://support.microsoft.com/kb/2615174 – “0x80092013, CRYPT_E_REVOCATION_OFFLINE” error message when you try to verify a certificate that has multiple chains in Windows Server 2008 R2 or in Windows 7


  • http://support.microsoft.com/kb/978034 – Active Directory Certificate Services cannot be reinstalled by using the “Use existing private key” option on a computer that is running Windows Server 2008 R2


  • http://support.microsoft.com/kb/2578963 – Members of a security group cannot modify the security settings of a certificate template even if you delegate the full control permission to the group in Windows 7 or in Windows Server 2008 R2


  • http://support.microsoft.com/kb/2740017 – PIN dialog box for smart card authentication appears two times when you try to access CA certificates on a computer that is running Windows Server 2008 R2 or Windows Server 2012
    NOTE: Can also affect some card-based Hardware Security Modules, such as Thales nCipher ACS/OCS cardsets.


  • http://support.microsoft.com/kb/2950080 – “The CA certificate could not be retrieved, element not found” error occurs when the CA server host name is longer than 52 characters.
    *NOTE* The article is incorrect – the error occurs if the CA Name is longer than 52 characters; the host name is inconsequential. Confirmed by Microsoft.


  • http://support.microsoft.com/en-us/kb/283789 – The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. *Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for end-entity certificates issued from certificate templates where the subject information is built from AD. The Microsoft site appears to have deleted this article, so here is a Wayback Machine archive of the article.


Known Issues

  • You cannot enroll in an Online Certificate Status Protocol certificate (CERT_E_INVALID_POLICY)
    Windows Server 2008 through 2012 R2 may be unable to enroll for an OCSP certificate. This is most often caused by a CA in the hierarchy whose certificate specifies an explicit list of EKU OIDs that does not include the OCSP Signing OID (1.3.6.1.5.5.7.3.9). Refer to http://support.microsoft.com/kb/2962991 for more information.
    Fix: When restricting a CA’s EKUs to specific OIDs, the OCSP Signing OID (1.3.6.1.5.5.7.3.9) must be included. No steps are needed when using the default “All Application Policies” configuration.


  • Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
    When renewing a Root CA’s certificate, the validity period of the new certificate is the same as that of the certificate being renewed (since Server 2008). If a different validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in a capolicy.inf to specify a new value for the new certificate. However, ADCS will only honor this value if it is equal to or longer than the validity of the certificate being renewed; ADCS cannot be configured to renew a Root CA certificate with a lifetime shorter than that of the previous certificate.
    Fix: Use certutil -sign to re-sign the certificate with the desired lifetime, add the modified certificate to the CA computer’s Personal store and associate it with the private key, update the CA’s registry (CACertHash) and restart the CA.


  • Windows Server sConfig Command Line tool allows Domain Membership and Computer Name changes even with an ADCS Certification Authority installed.
    When the ADCS server role is installed, controls are placed on the server to prevent domain membership and hostname changes; to change either of these, ADCS must first be removed. This behavior is seen when making changes in the Control Panel\System applet. However, when using sConfig (Server Core 2008 R2, or any version of Windows Server 2012 and later), there are no controls to prevent these changes. Changing the domain membership or computer name can break Enterprise CAs and results in an unsupported configuration.
    Fix: Remove the ADCS role features before using sConfig to change domain membership or the computer host name. Alternatively, on the GUI version of Windows Server, make the change through the Control Panel\System applet.
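As an added example (not code from this page or from PKI Solutions), the following PowerShell checks every CA certificate in a chain for the OCSP Signing EKU condition described in the first Known Issue above; the input file name is a placeholder, and the issuing CA’s own certificate is assumed as input so that it and every CA above it are inspected.

```powershell
# Added example, not from the PKI Solutions page: flag any CA certificate whose EKU
# extension lists specific OIDs but omits OCSP Signing (1.3.6.1.5.5.7.3.9).
# A CA certificate with no EKU extension at all is "All Application Policies" and is fine.
# '.\IssuingCA.cer' is a placeholder path.

$OcspSigningOid = '1.3.6.1.5.5.7.3.9'

function Test-CaChainForOcspEku {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the chain shape matters here: skip revocation and tolerate an untrusted root.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $c  = $element.Certificate
        $bc = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not $bc -or -not $bc.CertificateAuthority) { continue }   # not a CA certificate

        $eku = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) {
            $status = 'OK (no EKU extension: All Application Policies)'
        } else {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -contains $OcspSigningOid) {
                $status = 'OK (OCSP Signing present)'
            } else {
                $status = "FAIL: EKU restricted to $($oids -join ', '); OCSP enrollment will fail with CERT_E_INVALID_POLICY"
            }
        }
        [pscustomobject]@{ Subject = $c.Subject; Status = $status }
    }
}

Test-CaChainForOcspEku -CertPath '.\IssuingCA.cer' | Format-Table -AutoSize
```

Any row reporting FAIL identifies the CA certificate that must be reissued (or renewed) with the OCSP Signing OID added to its EKU list before OCSP Responder enrollment will succeed.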
