
Windows Server 2012 R2 ADCS Hotfixes & Known Issues


The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.


Change Log – Last Updated August 23, 2017

August 23, 2017 – Updated 2008 R2 and 2012 R2 hotfix description for OCSP Bug (2950080) with long CA names. Microsoft article incorrectly describes the issue with the host name, it’s the CA name that is the issue.

November 7, 2016 – Moved OCSP Magic Number to Client Issues

June 6, 2016 – Add Bug 5298357 about invalid ASN.1 encoding of certificate issuance policies extensions


HotFixes

  • http://support.microsoft.com/kb/942076 – Error message when you visit a Web site that is hosted on IIS 7.0: “HTTP Error 404.11 – URL_DOUBLE_ESCAPED”
    NOTE: ADCS will resolve the issue if installed on the same machine as IIS. However, if hosting Delta CRL files on an alternate computer, this will be an issue


  • http://support.microsoft.com/kb/2950080 – “The CA certificate could not be retrieved, element not found” error occurs when the CA server host name is longer than 52 characters
    *NOTE* Article is incorrect – If the CA Name is longer than 52 characters this error will occur, the host name is inconsequential. Confirmed by Microsoft


  • http://support.microsoft.com/en-us/kb/283789 – The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. NOTE: Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for End Entity certs using certificate templates where the subject info is built from AD. The Microsoft site appears to have deleted this article, so a Wayback Machine archive of the article is linked here instead.


Known Issues

  • Interactive Services Session 0 Isolation and HSM CSP/KSP
    Beginning with Windows Server 2012, services running in a different session from the user logged into the desktop are unable to interact with that user. This is due to the Session 0 isolation built into the kernel. This will prevent many Hardware Security Module CSP/KSPs from being able to interact with users. This will be prevalent when card sets are required to be used to authenticate prior to accessing CA keys. This is a known issue with the Thales nCipher Security World – at least through S/W v12. More information on Session 0 isolation is here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683502(v=vs.85).aspx.
    Fix: Change the NoInteractiveServices value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows and reboot.
    UPDATE: Thales has released Security World version 12.1 which has changed the driver model and is no longer affected by this registry key.


  • Windows XP Clients unable to enroll by default with a Windows Server 2012 R2 CA
    When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described in MSDN article Authentication-Level Constants. On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 or Windows Server 2012 R2 CA, this enhanced security setting is enabled by default. More details available at http://technet.microsoft.com/en-US/library/dn473011#BKMK_Security.
    Fix: On the CA, run certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST and restart Certificate Services.


  • You cannot enroll in an Online Certificate Status Protocol certificate (CERT_E_INVALID_POLICY)
    Windows Server 2008 through 2012 R2 may be unable to enroll for an OCSP certificate. This is most often caused by a CA in the hierarchy that has specified specific OIDs in its EKU but does not include the OCSP-specific OID (1.3.6.1.5.5.7.3.9). Refer to http://support.microsoft.com/kb/2962991 for more information.
    Fix: When specifying specific OIDs for CA EKUs, the OCSP OID must be included (1.3.6.1.5.5.7.3.9). No steps are needed when using the default “All Application Policies” configuration.


  • Error when installing a Certificate Authority with PowerShell on a Computer or VM without a Network Adapter
    This issue occurs when installing an offline, standalone Certificate Authority in a VM environment without a network adapter. In this configuration, using the PowerShell Install-ADCSCertificationAuthority command will result in an error. If there is a network adapter present, unplugged or disabled, the error does not occur. The problem can occur on Windows 2008 or a newer OS; however, there are no native PowerShell commands to perform the install prior to Server 2012. Custom scripts or PowerShell cmdlets running on these older operating systems could experience the same error.
    Fix: There are three options to work around the error: 1) Configure the VM guest with a network adapter that is unconnected or disabled. Once the installation is completed, you can remove the network adapter from the VM guest. 2) Specify the location for the CA database, even if it is the default location, by appending the argument -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") to the PowerShell command. 3) Use the Server Manager GUI to perform the installation.


  • Error when installing ADCS on computers with host names longer than 15 characters in length
    An error condition can occur when computer names are 16 or more characters in length and the network adapter is not connected (such as on an offline CA). While the OS will warn that NetBIOS name resolution problems can occur, it does not prevent the use of a long name. When installing the ADCS role on Server 2012/R2 the installation will complete successfully, but the secondary step to configure the role will result in Server Manager crashing. At this point, ADCS cannot be uninstalled and consequently the computer name cannot be shortened to 15 or fewer characters.
    Fix: Use host names that are 15 or fewer characters. If you have already installed ADCS and have experienced this issue, temporarily connect the network adapter to enable ADCS to be uninstalled, then change the computer name.


  • Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
    When renewing a Root CA’s certificate, the validity period of the new certificate is equivalent to the validity period of the certificate being renewed (since Server 2008). If an alternate validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in a capolicy.inf to reflect a different value for the new certificate. However, ADCS will only use this value if it is equal to, or longer than, the value of the certificate being renewed. You cannot configure ADCS to renew a Root CA certificate for a lifetime shorter than the previous certificate.
    Fix: Use certutil -sign to sign and specify the desired lifetime of the certificate, add the modified cert to the CA’s computer personal store and associate it with the private key, modify the CA’s registry (CACertHash) and restart the CA.


  • Network Device Enrollment Service reports “You do not have sufficient permission to enroll with SCEP.” even for administrative accounts
    If NDES is installed and additional components of IIS are manually selected, such as ASP.NET 4.5, NDES can be installed and configured incorrectly. When accessing the NDES Admin page, you will receive an error that you have insufficient permissions even if you have administrative rights. More details are available in the original blog post documenting the error condition.
    Fix: Uninstall NDES and all IIS role features, then reinstall NDES using only the default components selected. An alternative fix is also available if the uninstall doesn’t work.


  • Windows Server sConfig Command Line tool allows Domain Membership and Computer Name changes even with an ADCS Certification Authority installed.
    When ADCS server roles are installed, controls are placed on the server to prevent domain membership changes and host name changes. To make changes to either of these, ADCS must first be uninstalled. This behavior is experienced when making changes in the Control Panel System applet. However, when using sConfig (Server Core 2008 R2, or any version of Windows Server 2012 or later), there are no controls to prevent these changes. Changing the domain membership or computer name can break the functionality of Enterprise CAs and can result in an unsupported configuration.
    Fix: Remove ADCS role features prior to using sConfig to make changes to domain membership or computer host name. Alternatively, when using the GUI version of Windows Server, use the Control Panel System applet.


  • Bug 5298357 – Bad ASN.1 encoding of certificate issuance policy extensions
    This is a known Microsoft bug and results in an extra \0 character at the end of URLs in certificate issuance policy extensions. This generally does not cause a problem, but in environments subject to certificate assessments, CABForum compliance or WebTrust audits, or that use tools like certlint, you may receive errors such as “ERROR: Control character found in String in CertificatePolicies”.
    Fix: The bug affects the parsing of the CAPolicy.inf section for issuance policies, for example:

    [GKPGEPolicy]
    OID=1.3.6.1.4.1.46531.1.1
    URL=http://pki.gkpge.pl/pki/cps.htm

    and

    [Extensions]
    2.5.29.32="{text}"      ; szOID_CERT_POLICIES
    _continue_ = "OID=1.3.6.1.4.1.46531.1.1&"
    _continue_ = "URL=http://pki.gkpge.pl/pki/cps.htm"

    The workaround is to specify the extension as hexadecimal. Remove the trailing 00 byte from an ASN.1 dump produced by certutil -v -v on the incorrectly encoded certificate, then reduce each enclosing length by one to compensate. In the block below, the comments still show the lengths from the original dump while the hex carries the corrected (one smaller) values:

    [Extensions]
    2.5.29.32="{hex}"       ; szOID_CERT_POLICIES
    _continue_ = " 30 3d"                                    ; SEQUENCE (3e Bytes)
    _continue_ = "    30 3b"                                 ; SEQUENCE (3c Bytes)
    _continue_ = "       06 0a"                              ; OBJECT_ID (a Bytes)
    _continue_ = "          2b 06 01 04 01 82 eb 43  01 01"
    ; 1.3.6.1.4.1.46531.1.1
    _continue_ = "       30 2d"                              ; SEQUENCE (2e Bytes)
    _continue_ = "          30 2b"                           ; SEQUENCE (2c Bytes)
    _continue_ = "             06 08"                        ; OBJECT_ID (8 Bytes)
    _continue_ = "                2b 06 01 05 05 07 02 01"
    ; 1.3.6.1.5.5.7.2.1 CPS
    _continue_ = "             16 1f"                        ; IA5_STRING (20 Bytes)
    _continue_ = "                68 74 74 70 3a 2f 2f 70  6b 69 2e 67 6b 70 67 65" ; pki.gkpge
    _continue_ = "                2e 70 6c 2f 70 6b 69 2f  63 70 73 2e 68 74 6d"    ; .pl/pki/cps.htm
    ; "http://pki.gkpge.pl/pki/cps.htm"
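As an added illustration (example code, not from the PKI Solutions page or any Microsoft tool), the Python below re-encodes the corrected extension above and automates the lint-and-repair step: it walks the DER, flags the trailing \0 in the IA5String CPS URL the way certlint does, and re-derives every enclosing length, which is the "reduce the lengths by one" adjustment done by hand above. The OID bytes and the corrected hex are taken from the dump above; the buggy encoding is constructed here to mirror what the bug produces.

```python
# Added example, not from the page: detect and repair the trailing \0 that bug
# 5298357 appends to the CPS URL in the certificatePolicies (2.5.29.32) extension.
POLICY_OID = bytes.fromhex("2b 06 01 04 01 82 eb 43 01 01")  # 1.3.6.1.4.1.46531.1.1
CPS_OID = bytes.fromhex("2b 06 01 05 05 07 02 01")           # 1.3.6.1.5.5.7.2.1 CPS
CPS_URL = "http://pki.gkpge.pl/pki/cps.htm"
PAGE_HEX = bytes.fromhex(  # the corrected {hex} extension shown on the page
    "30 3d 30 3b 06 0a 2b 06 01 04 01 82 eb 43 01 01 30 2d 30 2b 06 08 "
    "2b 06 01 05 05 07 02 01 16 1f 68 74 74 70 3a 2f 2f 70 6b 69 2e 67 "
    "6b 70 67 65 2e 70 6c 2f 70 6b 69 2f 63 70 73 2e 68 74 6d"
)
def der_len_decode(data, pos):
    """Return (length, header_size) for the DER length field at data[pos]."""
    first = data[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
def der_len_encode(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, value):
    return bytes([tag]) + der_len_encode(len(value)) + value
def cert_policies(cps_url, buggy=False):
    """Encode one PolicyInformation with a CPS qualifier; buggy=True appends
    the extra \\0 to the IA5String exactly as the ADCS bug does (constructed)."""
    uri = cps_url.encode("ascii") + (b"\x00" if buggy else b"")
    qualifier = tlv(0x30, tlv(0x06, CPS_OID) + tlv(0x16, uri))
    policy = tlv(0x30, tlv(0x06, POLICY_OID) + tlv(0x30, qualifier))
    return tlv(0x30, policy)
def repair(data):
    """Walk a DER blob, drop one trailing \\0 from any IA5String (tag 0x16) and
    re-derive every enclosing length. Returns (fixed_bytes, findings)."""
    out, findings, pos = bytearray(), [], 0
    while pos < len(data):
        tag = data[pos]
        length, hdr = der_len_decode(data, pos + 1)
        start = pos + 1 + hdr
        value = data[start:start + length]
        if tag & 0x20:                      # constructed: recurse into children
            value, sub = repair(value)
            findings += sub
        elif tag == 0x16 and value.endswith(b"\x00"):
            findings.append("Control character found in IA5String: %r" % value)
            value = value[:-1]              # the one byte the bug added
        out += tlv(tag, value)              # lengths are recomputed here
        pos = start + length
    return bytes(out), findings
```

Feeding repair() the buggy encoding returns the page's corrected bytes exactly, and running it on an already-clean extension reports no findings.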

  © Copyright 2013-2017 PKI Solutions Inc.