
The certificate store on my Win7 box is constantly hanging. Observe:


C:\>1.cmd

C:\>certutil -?   | findstr /i ping
  -ping             -- Ping Active Directory Certificate Services Request interface
  -pingadmin        -- Ping Active Directory Certificate Services Admin interface

C:\>set PROMPT=$P($t)$G

C:\(13:04:28.57)>certutil -ping
CertUtil: -ping command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:04:58.68)>certutil -pingadmin

CertUtil: -pingadmin command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:05:28.79)>set PROMPT=$P$G

C:\>

Explanations:

  • The first command shows you that there are -ping and -pingadmin parameters to certutil
  • Trying either ping parameter fails with a 30-second timeout (the current time is seen in the prompt)

This is a serious problem. It screws up all the secure communication in my app. If anyone knows how this can be fixed, please share.

Thanks.

P.S.

1.cmd is simply a batch of these commands:

certutil -? | findstr /i ping
set PROMPT=$P($t)$G
certutil -ping
certutil -pingadmin
set PROMPT=$P$G

EDIT1

I have succeeded in pinning down the single Windows API that causes the problem: DsGetDcName.

According to the windbg, the certutil -ping invokes it like so:

#include <windows.h>
#include <dsgetdc.h>   // DsGetDcName is exported by netapi32.dll (link with netapi32.lib); free pdci with NetApiBufferFree on success
PDOMAIN_CONTROLLER_INFO pdci;
DWORD ret = ::DsGetDcName(NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdci);

On my workstation it times out after 30 seconds and then returns error code 1355, which is ERROR_NO_SUCH_DOMAIN: "No domain controller is available for the specified domain or the domain does not exist."

On another machine, which incidentally is a Windows Server 2003, it returns almost immediately with the correct domain controller name inside the returned DOMAIN_CONTROLLER_INFO structure.

Now the question is what is missing on my workstation for that API to find the correct domain controller?
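An added diagnostic script (not part of the original question) that reproduces the domain-controller lookup certutil -ping performs and times it, so the 30-second hang can be measured outside certutil. It assumes nltest.exe is present (it ships with Windows 7) and that its /dsgetdc /dsp switches map to the same DS_DIRECTORY_SERVICE_PREFERRED locator call seen in the windbg trace.

```powershell
# Added diagnostic script; not from the original post.
# Reproduces and times the DC-locator lookup behind certutil -ping.
Add-Type -AssemblyName System.DirectoryServices

# 1. Is the workstation domain-joined at all? On a workgroup machine DsGetDcName
#    has no domain to search, which is one way a lookup ends in ERROR_NO_SUCH_DOMAIN (1355).
$cs = Get-WmiObject Win32_ComputerSystem
"{0}: PartOfDomain={1} Domain/Workgroup={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain
$domain = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { $cs.Domain }

# 2. Time the managed locator call, which uses the same DC-locator service as DsGetDcName.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
    $sw.Stop()
    "Managed lookup: found {0} in {1:N1} s" -f $dc.Name, $sw.Elapsed.TotalSeconds
} catch {
    $sw.Stop()
    "Managed lookup: FAILED after {0:N1} s: {1}" -f $sw.Elapsed.TotalSeconds, $_.Exception.Message
}

# 3. Time nltest, which calls DsGetDcName directly. /dsp asks for a DS-preferred DC
#    (assumed to correspond to DS_DIRECTORY_SERVICE_PREFERRED from the windbg trace).
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$out = & nltest "/dsgetdc:$domain" /dsp 2>&1
$sw.Stop()
"nltest /dsgetdc:{0}: exit code {1} after {2:N1} s" -f $domain, $LASTEXITCODE, $sw.Elapsed.TotalSeconds
$out | ForEach-Object { "    $_" }
```

A lookup that reports a failure only after roughly 30 s, rather than immediately, points at the locator waiting on DNS or NetBIOS name resolution for the domain rather than at certutil itself.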



Please check the following:

  1. Can you run certutil -ping -config "cadnsname\CA logical name" from the affected hosts?

  2. Who has the permissions to Request certificates at the CA (did someone change Authenticated Users to Domain Users)?

  3. Look at DCOM Permissions to ensure that Authenticated Users have the correct permissions at the CA. DCOM Permissions on the CA for the Certificate Service DCOM Access group:

     Access Permissions level -> Local Access - Allow, Remote Access - Allow
     Launch and Activation Permissions level -> Remote Launch - Allow, Remote Activation - Allow

For more details, you can refer to the URL below for troubleshooting.

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

  • I am sorry to expose my ignorance, but how can I know the CADNSName? It would be helpful if you indicated how to discover the relevant "cadnsname\CA logical name". Can you explain a bit more about the steps that you suggest? Thanks.
    – mark
    Jan 19, 2011 at 7:09
  • Unfortunately, I failed to follow the steps described in the article that you attached, because it is probably intended for Windows Server machines with access to the Active Directory. Mine is a Windows 7 workstation with no such access.
    – mark
    Jan 19, 2011 at 8:49
  • I have edited the question further.
    – mark
    Jan 19, 2011 at 9:59
  • certutil -adca
    – unNamed
    Mar 28, 2019 at 9:33
