CX509EnrollmentPolicyActiveDirectory::Initialize fails with 0x8007003a

Question

Hi.

    We are developing and deploying an application that uses IX509EnrollmentPolicyServer (CX509EnrollmentPolicyActiveDirectory) to fetch a list of CA templates (GetTemplates). We get the needed server address from ICertConfig and then pass this info into ::Initialize. This procedure works fine on 3 production and test environments, however it does not work in the client's environment. There the Initialize call fails with the following error:

    System.Runtime.InteropServices.COMException (0x8007003A): CertEnroll::CX509EnrollmentPolicyActiveDirectory::Initialize: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
       at CERTENROLLLib.CX509EnrollmentPolicyActiveDirectoryClass.Initialize(String bstrPolicyServerUrl, String bstrPolicyServerId, X509EnrollmentAuthFlags AuthFlags, Boolean fIsUnTrusted, X509CertificateEnrollmentContext Context)
    ...

certutil -config XXXX-CA -CATemplates works however, and the CA is operational.

What can I do to figure out what the problem is? I suspect some crazy security setting is messing things up.

    Thanks.

    Saturday, March 31, 2012 10:05 PM

Answers

For anyone facing similar problems.

    The root cause was in incorrect usage of CX509EnrollmentPolicyActiveDirectory (mostly due to poor documentation). IX509EnrollmentPolicyServer is mostly described in the context of CX509EnrollmentPolicyWebService. Then it is natural that a server hostname must be provided to the Initialize method. However, in case of the AD variant of the class, the policy module is actually always running on the AD DC, not on the AD CS (ergo, ICertConfig is not of much use here)!

    http://msdn.microsoft.com/en-us/library/ee392501(v=prot.10).aspx

    "With Windows Client Certificate Enrollment Protocol/Certificate Templates Structure, the policy server is always a domain controller..."

So one should put the DC address in there, or better yet, as some testing proved, just NULL and the class will pick up the default DC automatically and do LDAP queries on it.

Marked as answer by Damjan Cvetko Monday, April 2, 2012 9:13 AM
    Monday, April 2, 2012 9:13 AM
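The call sequence the answer describes, written out as an added C# example against the CERTENROLLLib interop assembly (this is not code from the thread): Initialize with a null policy server URL so CertEnroll locates the domain controller itself, load the policy, then enumerate templates. Kerberos authentication, the user context, and running as a domain user on a domain-joined machine are assumptions of the example.

```csharp
// Added example (not from the original thread): list the AD CS templates
// the current user can see, letting CertEnroll find the policy server (a DC)
// instead of handing it the CA host obtained from ICertConfig.
using System;
using CERTENROLLLib;

class AdTemplateLister
{
    static void Main()
    {
        var policy = new CX509EnrollmentPolicyActiveDirectory();

        // Null bstrPolicyServerUrl is the fix from the thread: the AD policy
        // module runs on the DC, so a CA hostname here is the wrong server
        // and produces 0x8007003a (WIN32 error 58).
        policy.Initialize(
            null,                                        // default DC, chosen by CertEnroll
            null,                                        // no policy server ID for the AD variant
            X509EnrollmentAuthFlags.X509AuthKerberos,    // assumption: Kerberos to the DC
            false,                                       // the DC is a trusted policy source
            X509CertificateEnrollmentContext.ContextUser);

        // Templates become available only after the policy is loaded from the
        // directory; LoadOptionReload bypasses the local policy cache.
        policy.LoadPolicy(X509EnrollmentPolicyLoadOption.LoadOptionReload);

        IX509CertificateTemplates templates = policy.GetTemplates();
        Console.WriteLine("Templates visible to the current user: {0}", templates.Count);

        foreach (IX509CertificateTemplate t in templates)
        {
            // Parameterized COM properties surface as get_Property in C#.
            string cn = (string)t.get_Property(EnrollmentTemplateProperty.TemplatePropertyCommonName);
            string friendly = (string)t.get_Property(EnrollmentTemplateProperty.TemplatePropertyFriendlyName);

            // CAs that publish this template; zero means the template exists in
            // AD but no enterprise CA is configured to issue it.
            ICertificationAuthorities cas = policy.GetCAsForTemplate(t);
            Console.WriteLine("{0,-30} {1,-30} issuing CAs: {2}", cn, friendly, cas.Count);
        }
    }
}
```

The same listing can be cross-checked against `certutil -config XXXX-CA -CATemplates` from the question, which queries the CA rather than the DC, so any template present in one list but not the other points at publication or enrollment permissions rather than at the policy server lookup.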