XADM: Key Management Server Subordinate Certification Authority Cannot Be Reached When Attempting to Revoke a Certificate (251566)
The information in this article applies to:
- Microsoft Exchange 2000 Server
This article was previously published under Q251566
SYMPTOMS
If a Microsoft Exchange 2000 Server administrator attempts to revoke an Exchange 2000 user's certificate, the following error message may be displayed:
The listed Certificate Authorities could not be contacted for revocation. If they still exist within your organization, please make sure that they are on line, press Cancel, and retry the operation. If the certificate authorities no longer exist, pressing Ignore will mark the users as revoked within the Key Management Service.
If the administrator clicks Ignore, enrolls the user in security again, and then revokes the user's certificate, the error message is not displayed again, but the original certificates are not displayed as revoked.
CAUSE
This problem can occur if a subordinate certification authority (CA) is being used by the Key Management server (KM server).
For example, if two servers are set up as follows:
- Server 1 (domain controller)
  - Certificate Server (root CA)
  - Exchange 2000 Server and KM server
- Server 2 (member server, in the same Administrative Group (AG) and domain as Server 1)
  - Certificate Server (subordinate CA)
  - Exchange 2000 Server, no KM server
If a user on Server 2 is enrolled in KM server and then the certificate for Server 2 is revoked, the error message in the "Symptoms" section of this article is displayed.
The KM server (running as LocalSystem on Server 1) does not have the right to revoke certificates issued by the CA on Server 2.
WORKAROUND
To work around this problem:
- Open the Certificate Authority Microsoft Management Console (MMC) snap-in on the computer that is configured as the subordinate CA.
- Open the properties of the subordinate CA, and then click the Security tab.
- Add the Exchange KMServers group and grant it Manage rights.
STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.
| Modification Type: | Minor | Last Reviewed: | 4/25/2005 |
|---|---|---|---|
| Keywords: | kbbug kberrmsg kbnofix KB251566 | | |