The certificate store on my Win7 box is constantly hanging. Observe:
C:\>1.cmd

C:\>certutil -? | findstr /i ping
  -ping             -- Ping Active Directory Certificate Services Request interface
  -pingadmin        -- Ping Active Directory Certificate Services Admin interface

C:\>set PROMPT=$P($t)$G

C:\(13:04:28.57)>certutil -ping
CertUtil: -ping command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:04:58.68)>certutil -pingadmin
CertUtil: -pingadmin command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:05:28.79)>set PROMPT=$P$G

C:\>
Explanations:
- The first command shows you that there are -ping and -pingadmin parameters to certutil
- Trying either ping parameter fails with a 30-second timeout (the current time is seen in the prompt)
This is a serious problem. It screws up all the secure communication in my app. If anyone knows how this can be fixed, please share.
Thanks.
P.S.
1.cmd is simply a batch of these commands:
certutil -? | findstr /i ping
set PROMPT=$P($t)$G
certutil -ping
certutil -pingadmin
set PROMPT=$P$G
EDIT1
I have succeeded in pinning down the single Windows API that causes the problem: DsGetDcName
According to WinDbg, certutil -ping invokes it like so:
#include <windows.h>
#include <dsgetdc.h>   // DsGetDcName, DOMAIN_CONTROLLER_INFO; link with netapi32.lib
PDOMAIN_CONTROLLER_INFO pdci = NULL;   // NULL computer/domain/GUID: locate a DC for the machine's own domain
DWORD ret = ::DsGetDcName(NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdci);
On my workstation it times out after 30 seconds and then returns error code 1355, which is ERROR_NO_SUCH_DOMAIN:
No domain controller is available for the specified domain or the domain does not exist.
On another machine, which is accidentally a Windows Server 2003, it returns almost immediately with the correct domain controller name inside the returned DOMAIN_CONTROLLER_INFO structure.
Now the question is what is missing on my workstation for that API to find the correct domain controller?
Please check the following.
Can you run
certutil -ping -config "cadnsname\CA logical name"
from the affected hosts?
Who has the permissions to request certificates at the CA (did someone change Authenticated Users to Domain Users)?
Look at the DCOM permissions to ensure that Authenticated Users have the correct permissions at the CA. DCOM permissions on the CA for the Certificate Service DCOM Access group:
- Access Permissions level -> Local Access - Allow, Remote Access - Allow
- Launch and Activation Permissions level -> Remote Launch - Allow, Remote Activation - Allow
For more details, you can refer to the URL below for troubleshooting.
http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
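A diagnostic script, added here as an example and not part of the question or the answer above, that runs the checks both posts describe from PowerShell on the affected workstation: whether the machine is domain-joined at all, how long the DC locator (the path DsGetDcName takes) needs when driven from .NET and from nltest, and the certutil pings from the question, timed, including the -config form the answer suggests. The CA config string is a constructed placeholder and must be replaced with the real "cadnsname\CA logical name"; the nltest /dsgetdc: /force form and the .NET GetComputerDomain() call are standard Windows tooling, not something from either post.

```powershell
# Added diagnostic script, not from the original question or answer.
# Assumptions: run in an elevated PowerShell on the affected workstation;
# $CaConfig is a constructed placeholder, replace it with your CA's "cadnsname\CA logical name".
$CaConfig = 'ca01.example.internal\Example Issuing CA'
Add-Type -AssemblyName System.DirectoryServices

# Run one check, capture its output (or exception), and record how long it took,
# so a 30-second locator stall shows up as a number instead of a frozen prompt.
function Invoke-TimedCheck {
    param([string]$Label, [scriptblock]$Action)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $output = & $Action 2>&1; $status = 'completed' }
    catch { $output = $_.Exception.Message; $status = 'exception' }
    $sw.Stop()
    New-Object PSObject -Property @{
        Check   = $Label
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        Status  = $status
        Output  = ($output | Out-String).Trim()
    } | Select-Object Check, Seconds, Status, Output
}

$results = @(
    # 1. Domain membership. A workgroup machine gives DsGetDcName no domain to
    #    locate, which is exactly the ERROR_NO_SUCH_DOMAIN (1355) seen in the question.
    Invoke-TimedCheck 'Domain membership' {
        $cs = Get-WmiObject Win32_ComputerSystem
        "PartOfDomain=$($cs.PartOfDomain) Domain=$($cs.Domain)"
    }
    # 2. DC locator through .NET; on a healthy domain member this returns within seconds.
    Invoke-TimedCheck 'DC locator (.NET)' {
        [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    }
    # 3. DC locator from the command line, forcing a fresh lookup instead of a cached result.
    Invoke-TimedCheck 'DC locator (nltest)' { nltest /dsgetdc: /force }
    # 4. The two commands from the question, timed. Native failures are reported in
    #    the Output column (certutil prints "FAILED"), not as an exception.
    Invoke-TimedCheck 'certutil -ping'      { certutil -ping }
    Invoke-TimedCheck 'certutil -pingadmin' { certutil -pingadmin }
    # 5. The answer's suggestion: address the CA explicitly instead of relying on the locator.
    Invoke-TimedCheck 'certutil -ping -config' { certutil -ping -config $CaConfig }
)

$results | Format-Table -AutoSize -Wrap
```

Read the table by the Seconds column first. If the two "DC locator" rows take about 30 seconds and the "Domain membership" row reports PartOfDomain=False or an unexpected domain, the workstation's problem is in front of the CA (domain membership or DC location), not in the CA's permissions. If the -config row succeeds quickly while the plain -ping row stalls, the CA itself is reachable and answering, which again points at the locator path that DsGetDcName walks rather than at the DCOM or enrollment permissions the answer lists; if the -config row also fails, the permission checks from the answer are the next thing to look at.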