V
Varga Gábor
Hi,
I would like to install an Enterprise Root CA in a domain environment. My server is member of the domain and my account is member of both Enterprise and Domain Admins group. The domain has the required Public Key Services structure according to ADSI Edit.
When I want to do the installation using powershell, I always have the error message:
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A
value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
At line:1 char:1
+ Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument:
) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupEx
ception
+ FullyQualifiedErrorId : SetCAProperties,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertific
ationAuthority
The certocm.log file contains the following:
109.887.1838: <2018/11/19, 13:03:13>: Enterprise CA option availability status: ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS
437.625.0:<2018/11/19, 13:03:13>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ConfigurationDirectory
454.346.0:<2018/11/19, 13:03:19>: 0x80004005 (-2147467259 E_FAIL)
454.346.0:<2018/11/19, 13:03:19>: 0x80004005 (-2147467259 E_FAIL)
454.346.0:<2018/11/19, 13:03:20>: 0x80004005 (-2147467259 E_FAIL)
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
452.627.0:<2018/11/19, 13:03:25>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider
454.678.0:<2018/11/19, 13:03:25>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
3109.1367.0:<2018/11/19, 13:03:25>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): UD01-DEV-SM75029-CA
3109.1368.0:<2018/11/19, 13:03:25>: 0x0 (WIN32: 0)
3109.1369.0:<2018/11/19, 13:03:25>: 0x60 (WIN32: 96)
112.339.0:<2018/11/19, 13:03:25>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): Exception at ds\security\services\ca\fs\crypto\cngcryptofactory.cpp(441): NCryptOpenKey(hProv, &hKey, pwszKeyName, nLegacyKeySpec, acquireToOpenKeyFlags(fAcquire))
HRESULT = 0x80090016
114.883.949: <2018/11/19, 13:03:25>: End: CCertSrvSetup::InitializeDefaults
114.3137.948: <2018/11/19, 13:03:25>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2018/11/19, 13:03:25>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2018/11/19, 13:03:25>: Begin: CCertSrvSetup::SetCASetupProperty
114.938.0:<2018/11/19, 13:03:25>: 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
114.3164.0:<2018/11/19, 13:03:25>: 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
0.363.965: <2018/11/19, 13:03:25>: Message Box: Microsoft Active Directory Certificate Services: Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT): A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
114.3226.949: <2018/11/19, 13:03:25>: End: CCertSrvSetup::SetCASetupProperty: Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT): A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
Do you have any idea, what should I see?
Thanks!
Gabor
Continue reading...
I would like to install an Enterprise Root CA in a domain environment. My server is member of the domain and my account is member of both Enterprise and Domain Admins group. The domain has the required Public Key Services structure according to ADSI Edit.
When I want to do the installation using powershell, I always have the error message:
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A
value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
At line:1 char:1
+ Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument:
) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupException
+ FullyQualifiedErrorId : SetCAProperties,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertific
ationAuthority
The certocm.log file contains the following:
109.887.1838: <2018/11/19, 13:03:13>: Enterprise CA option availability status: ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS
437.625.0:<2018/11/19, 13:03:13>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ConfigurationDirectory
454.346.0:<2018/11/19, 13:03:19>: 0x80004005 (-2147467259 E_FAIL)
454.346.0:<2018/11/19, 13:03:19>: 0x80004005 (-2147467259 E_FAIL)
454.346.0:<2018/11/19, 13:03:20>: 0x80004005 (-2147467259 E_FAIL)
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
452.627.0:<2018/11/19, 13:03:25>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY): Microsoft Platform Crypto Provider
454.678.0:<2018/11/19, 13:03:25>: 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-GMAC
454.249.0:<2018/11/19, 13:03:25>: 0x80004005 (-2147467259 E_FAIL): AES-CMAC
3109.1367.0:<2018/11/19, 13:03:25>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): UD01-DEV-SM75029-CA
3109.1368.0:<2018/11/19, 13:03:25>: 0x0 (WIN32: 0)
3109.1369.0:<2018/11/19, 13:03:25>: 0x60 (WIN32: 96)
112.339.0:<2018/11/19, 13:03:25>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): Exception at ds\security\services\ca\fs\crypto\cngcryptofactory.cpp(441): NCryptOpenKey(hProv, &hKey, pwszKeyName, nLegacyKeySpec, acquireToOpenKeyFlags(fAcquire))
HRESULT = 0x80090016
114.883.949: <2018/11/19, 13:03:25>: End: CCertSrvSetup::InitializeDefaults
114.3137.948: <2018/11/19, 13:03:25>: Begin: CCertSrvSetup::SetCASetupProperty
114.3226.949: <2018/11/19, 13:03:25>: End: CCertSrvSetup::SetCASetupProperty
114.3137.948: <2018/11/19, 13:03:25>: Begin: CCertSrvSetup::SetCASetupProperty
114.938.0:<2018/11/19, 13:03:25>: 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
114.3164.0:<2018/11/19, 13:03:25>: 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
0.363.965: <2018/11/19, 13:03:25>: Message Box: Microsoft Active Directory Certificate Services: Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT): A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
114.3226.949: <2018/11/19, 13:03:25>: End: CCertSrvSetup::SetCASetupProperty: Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT): A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
Do you have any idea, what should I see?
Thanks!
Gabor
Continue reading...