Re: CRL failing to publish to AD



I created a virtual environment that matches my production environment and
went through the permissions on all the container and object permissions
using ADSIEdit under the
CN=Configuration,DC=buttecourt,DC=ca,DC=gov,CN=Services,CN=Public Key
Services container. I'm still getting the original error.

"Brian Komar (MVP)" wrote:

Wrong tool.
Use DSSITE.msc or ADSIEdit.msc
Brian

"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C4D9F95B-6B7B-4EB1-A384-D59EF49AF3C8@xxxxxxxxxxxxxxxx
Maybe this is a silly question, but for the life of me I am *not* seeing
permissions on containers when using pkiview.

"Brian Komar (MVP)" wrote:

ummm, deleting the containers was a really bad idea.
You should have updated the objects in those containers by fixing the
permissions.
I recommend building a replica in a virtual environment, checking out the
permissions, and then recreate containers per those permissions.
Brian

"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:05C91D4C-F771-4386-BB0D-48C689360DD4@xxxxxxxxxxxxxxxx
Ok, I used PKIView.msc to view the containers. Couldn't figure out how to
view container permissions, but here's what I did so far:

1. When PKIView.msc opens, both Enterprise PKI and my CA show with nice big,
red X's in them.
2. Right-clicked on Enterprise PKI and selected 'Manage AD containers...'
3. NTAuthCertificates tab lists the CA and the status is OK.
4. AIA Container tab lists the CA, status OK.
5. CDP Container tab listed both the Base CRL and Delta CRL, both listed as
Expired.
6. I removed both CRLs from the CDP Container tab. When asked if I wanted to
remove the container, I said yes (which, I likely shouldn't have, I was
hoping it would recreate it on the fly).
7. Now I open the CA console and try and publish the CRL and receive the
following error:

Directory object not found. 0x8007208d (WIN32: 8333)

How badly did I break it? Thanks again for all your help, it's appreciated.
BTW, manually installing the CRLs on each DC is still working, authentication
works just fine (I just don't want to have to keep doing it manually).

"Brian Komar (MVP)" wrote:

Use pkiview.msc to view the containers.
Brian

"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6277B409-1883-4207-BA2B-D61B9A1343F4@xxxxxxxxxxxxxxxx
Thank you for your response, Brian.

I went through and checked the permissions on the CDP\Computer and AIA
containers, and they were all set as you recommend they should be. However, I
noted one discrepancy: I can't seem to find the CA certificate object (but I
freely admit I may be looking in the wrong place).

I used ADSI Edit and was looking at everything in:

Configuration -> Services -> Public Key Services

Is that where I should be looking?

"Brian Komar (MVP)" wrote:

What are the permissions on the CDP\Computer and AIA containers?
Did you happen to ever delete the computer account and then rebuild?
It sounds like a permissions problem in the configuration naming context.
1. AIA container. Ensure Cert Publishers is assigned Read, Write, Create all
Child Objects and Delete All Child Objects.
2. CA Certificate object: CA computer account: Full Control, Read, and Write.
3. CDP\ComputerName. Cert Publishers group assigned Read, Write, Create all
Child Objects and Delete All Child Objects.
4. CRL Object(s) in the CDP\ComputerName container. CA Computer account:
Full Control, Read, Write.
5. CA object in Enrollment Services: Computer account assigned Read, Write.

Brian

"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C7E3AB2-27F9-405F-88A9-4C6B18F02B53@xxxxxxxxxxxxxxxx
Update on this:

I was able to restore authentication by browsing to the CertEnroll share and
manually installing the Base and Delta CRLs on each domain controller. This
tells me that the CA and certificate services are functioning properly, it's
just a matter of the CA being able to publish the CRL to AD, which currently,
it is unable to do.
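The permission list Brian gives for the Public Key Services containers is easy to check by hand in ADSIEdit but tedious to repeat across a rebuilt lab. The script below is an added example, not something posted in this thread: it reads the ACLs on the AIA, CDP\ComputerName and Enrollment Services objects through the ActiveDirectory module's AD: drive and reports which of the required rights are missing for Cert Publishers or the CA computer account. It also reports an object that no longer exists, which is the state behind the "Directory object not found. 0x8007208d" error once the CDP container has been deleted. The $CaComputerName and $CaName parameters are assumed operator inputs; the rest of the paths follow the Configuration -> Services -> Public Key Services layout described above.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the thread). Audits the ACLs on the Public Key
  Services containers against the rights listed in the thread and flags
  missing rights or missing objects. Read-only: nothing is modified.
  Assumptions: run from a domain-joined host that can read the configuration
  naming context; $CaComputerName / $CaName are supplied by the operator.
#>
param(
    [Parameter(Mandatory)][string]$CaComputerName,  # NetBIOS name of the CA host (assumed input)
    [Parameter(Mandatory)][string]$CaName           # CA common name as shown under Enrollment Services (assumed input)
)

Import-Module ActiveDirectory
$R       = [System.DirectoryServices.ActiveDirectoryRights]
$config  = (Get-ADRootDSE).configurationNamingContext
$pks     = "CN=Public Key Services,CN=Services,$config"
$domain  = (Get-ADDomain).NetBIOSName
$certPub = "$domain\Cert Publishers"
$caAcct  = "$domain\$CaComputerName`$"   # computer accounts end in '$'

# "Read, Write, Create all Child Objects, Delete All Child Objects" as ACE flags
$rwCreateDelete = [int]($R::GenericRead -bor $R::GenericWrite -bor $R::CreateChild -bor $R::DeleteChild)
$readWrite      = [int]($R::GenericRead -bor $R::GenericWrite)
$fullControl    = [int]$R::GenericAll     # GenericAll includes every bit in the flags above

function Get-AllowedRights {
    # Union of all Allow ACEs for one identity on one object.
    # Deny ACEs are only reported as warnings; they are not subtracted.
    param([string]$Dn, [string]$Identity)
    $acl    = Get-Acl -Path "AD:\$Dn"
    $rights = 0
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.AccessControlType -eq 'Deny') {
            Write-Warning "Deny ACE for $Identity on $Dn ($($ace.ActiveDirectoryRights))"
            continue
        }
        $rights = $rights -bor [int]$ace.ActiveDirectoryRights
    }
    return $rights
}

function Test-PkiAcl {
    # Compares the rights an identity actually holds with the rights required.
    param([string]$Dn, [string]$Identity, [int]$Required)
    if (-not (Test-Path -Path "AD:\$Dn")) {
        # This is the situation after the CDP container was removed from PKIView
        return [pscustomobject]@{ Object = $Dn; Identity = $Identity; Status = 'MISSING OBJECT'; Lacking = '' }
    }
    $have    = Get-AllowedRights -Dn $Dn -Identity $Identity
    $missing = $Required -band (-bnot $have)
    [pscustomobject]@{
        Object   = $Dn
        Identity = $Identity
        Status   = if ($missing -eq 0) { 'OK' } else { 'MISSING RIGHTS' }
        Lacking  = if ($missing -eq 0) { '' } else { ([System.DirectoryServices.ActiveDirectoryRights]$missing).ToString() }
    }
}

# The five checks from the thread, in the same order
$checks = @(
    @{ Dn = "CN=AIA,$pks";                            Identity = $certPub; Required = $rwCreateDelete }
    @{ Dn = "CN=$CaName,CN=AIA,$pks";                 Identity = $caAcct;  Required = $fullControl }
    @{ Dn = "CN=$CaComputerName,CN=CDP,$pks";         Identity = $certPub; Required = $rwCreateDelete }
    @{ Dn = "CN=$CaName,CN=Enrollment Services,$pks"; Identity = $caAcct;  Required = $readWrite }
)

# CRL objects live under CDP\<ComputerName>; enumerate whatever is there rather
# than assuming their names (there may be none if the container was recreated empty)
$cdpComputer = "CN=$CaComputerName,CN=CDP,$pks"
if (Test-Path -Path "AD:\$cdpComputer") {
    Get-ADObject -SearchBase $cdpComputer -SearchScope OneLevel -Filter 'objectClass -eq "cRLDistributionPoint"' |
        ForEach-Object { $checks += @{ Dn = $_.DistinguishedName; Identity = $caAcct; Required = $fullControl } }
}

$checks | ForEach-Object { Test-PkiAcl @_ } | Format-Table -AutoSize
```

Run it as `.\Audit-PkiAcl.ps1 -CaComputerName CA01 -CaName 'Corp Issuing CA'` (names are placeholders). A row marked MISSING OBJECT for the CDP\ComputerName path means the container itself is gone and no ACL change will help; a row marked MISSING RIGHTS names the exact flags to add to the existing object, which is the "fix the permissions instead of deleting" path Brian recommends.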