Certification Authority Does Not Publish Certificate Revocation List to Active Directory (280815)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q280815

SYMPTOMS

An enterprise Certification Authority (CA) may not publish the certificate revocation list (CRL) to the Active Directory (AD). This may occur on a per-server basis. Note that the only direct indication of this problem is the following event entry that is made by the CA in the Application Event log:
Event Type:      Error
Event Source:    CertSvc
Event Category:  None
Event ID:        46
Date:            08/14/2000
Time:            05:13:00 AM
User:            N/A
Computer:        CHAD
Description:
The "Enterprise and Stand-alone Exit Module" Exit Module "Notify" method
returned an error. The operation could not be completed. A retry should be
performed. The returned status code is 0x800704d5 (1237).  The
Certification Authority was unable to publish the CRL to the Directory
Service.  Publishing will be retried at a later time. Access is denied.
(0x80070005)
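
Because this event is the only direct indication of the problem, it is worth matching on in exported Application logs. The following Python is an added example, not part of the original article or any Microsoft tool: it decodes the two status codes quoted in the event and flags the symptom. The function names and the plain-text export layout are assumptions, and the sample event is constructed from the text above.

```python
import re

# Win32 error names for the two codes this event carries (from winerror.h).
WIN32_NAMES = {1237: "ERROR_RETRY", 5: "ERROR_ACCESS_DENIED"}
FACILITY_WIN32 = 7

# Constructed sample: the event text from this article as a plain-text export.
SAMPLE_EVENT = """\
Event Type: Error
Event Source: CertSvc
Event ID: 46
Computer: CHAD
Description:
The "Enterprise and Stand-alone Exit Module" Exit Module "Notify" method
returned an error. The operation could not be completed. A retry should be
performed. The returned status code is 0x800704d5 (1237).  The
Certification Authority was unable to publish the CRL to the Directory
Service.  Publishing will be retried at a later time. Access is denied.
(0x80070005)
"""

def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code, win32_name_or_None)."""
    failed = bool(value & 0x80000000)      # severity bit
    facility = (value >> 16) & 0x7FF       # 11-bit facility field
    code = value & 0xFFFF                  # low 16 bits: the Win32 error
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return failed, facility, code, name

def parse_event(text):
    """Extract header fields and every HRESULT quoted in an exported event."""
    fields = dict(
        (k.strip(), v.strip())
        for k, v in re.findall(r"^(Event \w+|Computer):[ \t]*(.*)$", text, re.M)
    )
    hresults = [int(h, 16) for h in re.findall(r"0x[0-9a-fA-F]{8}", text)]
    return fields, hresults

def is_crl_publish_denied(text):
    """True when the event matches the symptom described in this article."""
    fields, hresults = parse_event(text)
    names = {decode_hresult(h)[3] for h in hresults}
    return (
        fields.get("Event Source") == "CertSvc"
        and fields.get("Event ID") == "46"
        and {"ERROR_RETRY", "ERROR_ACCESS_DENIED"} <= names
    )
```

A match means CRL publication to the directory is failing on that CA, so clients that rely on the LDAP distribution point may be working from a stale CRL until the workaround below is applied.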
					

CAUSE

This problem can occur if the CA caches a damaged LDAP handle to the domain controller (DC) that was the LDAP distribution-point URL target. Initially, the CA connects to the CRL distribution point and caches that LDAP handle. If the DC then unexpectedly becomes unavailable, the CA is left with a cached LDAP handle that is invalid when the DC becomes available again. As a result, CRL publication requests are denied.

RESOLUTION

To work around this problem:
  1. Force the CA to flush the bad handle to cause a new binding to be established. Note that you can usually work around this problem if you stop and then restart the Certificate services on the affected CA.
  2. Manually publish the CRL after you restart the service.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Modification Type: Major
Last Reviewed: 11/4/2003
Keywords: kbnetwork kbprb KB280815