
ADCS Client Hotfixes & Known Issues


ADCS Clients

The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.

Change Log – Last Updated September 11, 2017

September 11, 2017 – Added KB 2494172 for Windows 7 Client issues with 802.1x failing when an invalid certificate is present.
January 19, 2017 – Added KB 938397 regarding Server 2003 being unable to validate SHA2 certificates
November 7, 2016 – Added RDS Certificate Generation/Renewal Errors



Certificate-related issues and updates for client/server operating systems. These updates are targeted to those issues that would affect an internal PKI at an organization. The list does not include certificate issues that are general product issues outside of the product's interaction with a Microsoft ADCS environment.



  • http://support.microsoft.com/kb/968730 – Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption


  • http://support.microsoft.com/kb/2520487 – AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2






  • http://support.microsoft.com/kb/983557 – Error message when you try to request a certificate in Windows Vista or in Windows Server 2008: “The filename or extension is too long. (0x800700CE)”


  • http://support.microsoft.com/kb/956544 – When you enroll a certificate on a computer that is running Windows Vista or that is running Windows Server 2008, you are prompted to insert a smart card even though a smart card is already inserted


  • http://support.microsoft.com/kb/955805 – Certain applications become very slow on a Windows Server 2008-based or Windows Vista SP1-based computer when a certificate with the SIA extension is installed



  • http://support.microsoft.com/kb/2797120 – Name constraint validation fails when a URN is specified in a subject alternative name in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012


  • http://support.microsoft.com/kb/2625430 – Private key permissions are reset to the default values if a machine certificate is renewed by the Certificate Autoenrollment feature in Windows 7 or in Windows Server 2008 R2


  • http://support.microsoft.com/kb/903930 – After you publish a certificate in Active Directory on a Windows XP-based computer, certificate renewal may leave the Active Directory certificate store empty




Known Issues

  • Computers configured to use a CA issued Certificate for Remote Desktop Services will generate a new certificate repeatedly
    When you define a Group Policy to use a specific template for certificate enrollment on your RDS servers (or computer-to-computer remote desktop services) rather than the self-signed certificate, the computer will generate a new certificate each time GPUpdate is run, a Group Policy processing cycle occurs, or the computer boots. This is due to a bug in the API for detecting the certificate template and certificate display name.
    Fix: Ensure the Template Name and Template Display Name in the template properties are identical.


  • Computers configured to use OCSP for revocation checking will stop using OCSP and default to CRLs
    The Microsoft Windows OCSP client will follow any published OCSP extension present in a certificate that is being verified, including Group Policy pushed locations. However, once Windows has made 50 OCSP requests about certificates from a specific CA keypair, the OCSP client will stop using OCSP queries and directly download the CRL. The client will continue to reference the CRL instead of OCSP until the CRL has expired. At that time the client will return to OCSP queries until it reaches this “magic” number and retrieves the CRL again. This value can be adjusted up, but can’t be disabled. The value is located at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config\CryptnetCachedOcspSwitchToCrlCount. More details are at http://tinyurl.com/nlamat7
    Fix: Adjust this “magic” number to an appropriate value to ensure your OCSP client continues to perform OCSP queries as appropriate in your environment.


  • Windows XP computers are unable to enroll for certificates from a Windows 2012+ Certification Authority
    When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described in the MSDN article Authentication-Level Constants. On a Windows Server 2012 or higher CA, this enhanced security setting is enabled by default. The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read.
    Fix: To enable these older clients to enroll, use the command “certutil -setreg ca\interfaceflags -IF_ENFORCEENCRYPTICERTREQUEST” and restart CertSrv to apply the value. This will disable the encryption requirements for ALL clients.
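
For the OCSP-to-CRL switch described above, one way to audit the threshold on a client and raise it. This is an added example, not code from PKI Solutions or Microsoft; the function names, the DWORD value type, and the sample value 500 are assumptions, while the key path, value name and default of 50 are the ones given in the text.

```powershell
# Added example. Function and parameter names are hypothetical; the key path,
# value name and default of 50 are the ones given in the text above.
$OcspPolicyKey = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$OcspValueName = 'CryptnetCachedOcspSwitchToCrlCount'
$DefaultCount  = 50

function Get-OcspSwitchToCrlCount {
    # Report the effective threshold and whether it meets the minimum you expect.
    param([int]$Minimum = $DefaultCount)

    $item = Get-ItemProperty -Path $OcspPolicyKey -Name $OcspValueName -ErrorAction SilentlyContinue
    $configured = $null -ne $item
    $count = if ($configured) { [int]$item.$OcspValueName } else { $DefaultCount }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = $configured      # $false: value absent, default applies
        Count        = $count
        MeetsMinimum = $count -ge $Minimum
    }
}

function Set-OcspSwitchToCrlCount {
    # Write the threshold as a DWORD (assumed type); supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1, 2147483647)]   # sanity bound chosen for this example
        [int]$Count
    )

    if ($PSCmdlet.ShouldProcess("$OcspPolicyKey\$OcspValueName", "Set to $Count")) {
        if (-not (Test-Path -Path $OcspPolicyKey)) {
            New-Item -Path $OcspPolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $OcspPolicyKey -Name $OcspValueName `
            -Value $Count -PropertyType DWord -Force | Out-Null
    }
    Get-OcspSwitchToCrlCount -Minimum $Count
}

# Audit first, then preview a change without writing anything (500 is a sample value):
Get-OcspSwitchToCrlCount -Minimum 500
Set-OcspSwitchToCrlCount -Count 500 -WhatIf
```

Because the value sits under the Policies hive, a Group Policy Object that sets it will overwrite a local change at the next policy refresh, so set it in the GPO when one manages this key.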
