Score:-1

CertUtil: The directory service encountered an unknown failure. 0x800720ef (WIN32: 8431 ERROR_DS_UNKNOWN_ERROR)


I am trying to publish revoked certificates and I am getting an unknown failure when using the Certificate Authority console:


The Application Log in the Event Viewer:


It says: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com. Operation aborted 0x80004004 (-2147467260 E_ABORT).

I used JXplorer to search the LDAP for "CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com" and managed to find the CRL:


Here is the PKIView result:

Here is the output of fetching a leaf certificate that was issued:

certutil -verify -urlfetch C:\Users\Administrator.WIN-TJO4EL48O29\Desktop\Legacy-Crypto-Prov-aduser1-cert-1.cer
Issuer:
    CN=ad-WIN-TJO4EL48O29-CA
    DC=ad
    DC=testdomain
    DC=com
  Name Hash(sha1): 220e2a04c1eb8be0bfcf76501038643e5a116101
  Name Hash(md5): 94dcd520c11b2c4a2327043bda098d3c
Subject:
    CN=aduser1 ta1. test
    CN=Users
    DC=ad
    DC=testdomain
    DC=com
  Name Hash(sha1): b293b40fdd091f568d04b8bbef3b91c1344cee26
  Name Hash(md5): 528c81260b6dd49cb7867d03560e6ad1
Cert Serial Number: 750000000dea8d80286ceaef9300000000000d

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Minutes, 6 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Minutes, 6 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
  NotBefore: 10/5/2022 5:28 PM
  NotAfter: 10/4/2024 5:28 PM
  Subject: CN=aduser1 ta1. test, CN=Users, DC=ad, DC=testdomain, DC=com
  Serial: 750000000dea8d80286ceaef9300000000000d
  SubjectAltName: Other Name:Principal [email protected]
  Template: SC2
  Cert: a2aff7c45cc99de276b3774a31c1b186f749aaa9
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 6143121a80ec40fd187470ae48a894919a4109d5
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (02)" Time: 0 f9619fc274c3d3321d22169586c5f9bd753ce7c2
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
    [0.0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (16)" Time: 0 a547d441246d10f21f5e177f670d7b6539a68cf6
    [1.0] http://WIN-TJO4EL48O29.ad.testdomain.com/CertEnroll/ad-WIN-TJO4EL48O29-CA+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 16:
    Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
    ThisUpdate: 10/7/2022 1:45 PM
    NextUpdate: 10/15/2022 2:05 AM
    CRL: 2e21644c799a4059ef2ed1b0152f092d55b1390c
    Delta CRL 16:
    Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
    ThisUpdate: 10/7/2022 1:45 PM
    NextUpdate: 10/9/2022 2:05 AM
    CRL: a547d441246d10f21f5e177f670d7b6539a68cf6
  Application[0] = 1.3.6.1.4.1.44986.2.1.1 Smartcard Logon PIV Key 9A
  Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
  NotBefore: 8/20/2022 2:57 PM
  NotAfter: 8/20/2032 3:07 PM
  Subject: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
  Serial: 786d96c2eb685a82477cc3154193d4a8
  Cert: 6143121a80ec40fd187470ae48a894919a4109d5
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 3d88e70e09134d31c82a24115dea8f343c0c3021
Full chain:
  Chain: 07855df296396ba2d1a9a7c114f132f9176b6627
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.44986.2.1.1 Smartcard Logon PIV Key 9A
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

What is the cause of the error and how do I remedy it?
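The certutil output above already names the stale distribution points ("Expired" for both LDAP CDP entries, "OK" for the HTTP one), and the Application log event names the exact LDAP location the CA could not write to. The following is an added example, not code from the question or from Microsoft: it parses both artefacts (copied verbatim from this question) and ties each expired CDP entry to the publish-failure event when the decoded DNs match, which is the comparison a PKI operator makes by hand when deciding whether a stale CRL in AD is a publishing problem or a CDP-configuration problem. The function names, the "Base" default for an event that does not say "Delta", and the HRESULT capture are this example's own assumptions.

```python
"""Triage helper for AD CS CRL publication failures (added example, not Microsoft tooling).

Parses the Application-log event text and the CDP section of
'certutil -verify -urlfetch' quoted in the question, then matches the location
the CA failed to publish to against the distribution points whose CRL certutil
reports as Expired. Function names and the HRESULT capture are this example's own.
"""
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import unquote

# Event text copied from the question.
EVENT_TEXT = (
    "Active Directory Certificate Services could not publish a Delta CRL for key 0 "
    "to the following location: ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,"
    "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,"
    "DC=com. Operation aborted 0x80004004 (-2147467260 E_ABORT)."
)

# Excerpt of the certutil CDP/OCSP section copied from the question.
CERTUTIL_CDP = """\
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (02)" Time: 0 f9619fc274c3d3321d22169586c5f9bd753ce7c2
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
    [0.0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (16)" Time: 0 a547d441246d10f21f5e177f670d7b6539a68cf6
    [1.0] http://WIN-TJO4EL48O29.ad.testdomain.com/CertEnroll/ad-WIN-TJO4EL48O29-CA+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
"""


class CdpEntry(NamedTuple):
    status: str  # "OK", "Expired", "Verified" or "No URLs", as certutil prints it
    name: str    # e.g. "Delta CRL (02)"
    url: str     # fetch URL (empty when certutil printed "(null)")


STATUS_RE = re.compile(r'^\s*(OK|Expired|Verified|No URLs)\s+"([^"]+)"\s+Time:')
URL_RE = re.compile(r"^\s*\[[\d.]+\]\s+(\S+)")
# Assumed event layout: the word "Delta" is optional, the location is an ldap:/// URL
# terminated by ". Operation aborted", followed by the HRESULT.
EVENT_RE = re.compile(r"could not publish a (?:(Delta) )?CRL for key (\d+) to the following "
                      r"location: (ldap:///.+?)\.\s+Operation aborted (0x[0-9A-Fa-f]+)")


def parse_cdp(text: str) -> List[CdpEntry]:
    """One entry per URL line under each status line; 'No URLs' yields an empty url."""
    entries, current = [], None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            if current[0] == "No URLs":
                entries.append(CdpEntry(*current, ""))
                current = None
            continue
        m = URL_RE.match(line)
        if m and current is not None:
            entries.append(CdpEntry(*current, m.group(1)))
    return entries


def parse_publish_event(message: str) -> Optional[Dict[str, str]]:
    """Pull CRL kind, key index, failed location and HRESULT out of the AD CS event text."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return {"kind": m.group(1) or "Base", "key": m.group(2),
            "location": m.group(3), "hresult": m.group(4)}


def ldap_dn(url: str) -> str:
    """Decoded DN of an ldap:/// URL without its attribute/scope/filter suffix ('' otherwise)."""
    if not url.lower().startswith("ldap:///"):
        return ""
    return unquote(url[len("ldap:///"):].split("?", 1)[0])


def triage(event_message: str, certutil_text: str) -> List[str]:
    """Explain each Expired CDP entry, tying it to the publish failure where the DN matches."""
    event = parse_publish_event(event_message)
    failed_dn = ldap_dn(event["location"]) if event else ""
    findings = []
    for e in parse_cdp(certutil_text):
        if e.status != "Expired":
            continue
        if failed_dn and ldap_dn(e.url) == failed_dn:
            findings.append(f"{e.name}: stale in AD at the DN the CA failed to publish to "
                            f"({event['kind']} CRL, key {event['key']}, HRESULT {event['hresult']})")
        else:
            findings.append(f"{e.name}: stale at {e.url}, no matching publish-failure event")
    return findings


if __name__ == "__main__":
    for finding in triage(EVENT_TEXT, CERTUTIL_CDP):
        print(finding)
```

Run against the question's data, both LDAP entries are reported as stale at exactly the DN in the event, while the HTTP CDP is current; that pattern points at the CA's write to the directory rather than at the CDP extension itself, which is consistent with the directory-side cause the asker eventually found.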

What is the status of *the directory service*?
This means that either the CDP location that uses the LDAP protocol is invalid, or the CA cannot communicate with the DC that holds the global catalog. The Application log in Event Viewer contains more details about the issue and will specify the exact location that failed.
I am able to use LDAP to search for the location. I have updated my question.
Score:0

I found the answer. It was a corrupted Directory Services ntds database. A log entry in the Applications and Services logs \ Directory Service log file points to the ntds database being corrupted.

I followed this Microsoft article: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc794920(v=ws.10)?redirectedfrom=MSDN

It restored the NTDS database and I could properly publish the CRLs again.

PKIView shows working setup:


Thanks to those who have tried to point me in the correct direction although the ntds database corruption was the last thing I was expecting to encounter.
