Hi,
I have a problem with the setup of an AD CS cluster. I have followed the “007-008669-001_Microsoft ADCS_Integration Guide_RevN.pdf” but it still doesn’t work.
Environment:
Two-tier PKI infrastructure (one offline root and two issuing servers).
Two servers with Windows Server 2016 (1607, Build 14393.0).
HSM: LunaSA 6.3.0
Cluster node: node1 10.10.10.111
Cluster node: node2 10.10.10.112
Cluster name (Service Name): CACluster 10.10.10.113
Cluster administration name: AdminCluster 10.10.10.115
CA Name: InternalIssuingCA1
Total of 6 objects in HSM.
C:\Program Files\SafeNet\LunaClient>cmu list
Please enter password for token in slot 0 : *******************
handle=340 label=InternalIssuingCA1
handle=357 label=InternalIssuingCA1
handle=139 label=InternalIssuingCA1
handle=189 label=InternalIssuingCA1
handle=250 label=InternalIssuingCA1
handle=191 label=InternalIssuingCA1
Node1 sees:
C:\Program Files\SafeNet\LunaClient\KSP>ksputil.exe listKeys /s 0
This Servers Host Name is: node1.labb.test.org and the logged on user is: Admin@labb
Enter challenge for slot '0' :*******************
MachineKey: InternalIssuingCA1 Handle: 340
MachineKey: InternalIssuingCA1 Handle: 189
Node2 sees:
C:\Program Files\SafeNet\LunaClient\KSP>ksputil.exe listKeys /s 0
This Servers Host Name is: node2.labb.test.org and the logged on user is: Admin@labb
Enter challenge for slot '0' :*******************
MachineKey: InternalIssuingCA1 Handle: 357
MachineKey: InternalIssuingCA1 Handle: 139
The problem is that the Failover Cluster Manager cannot start the AD CS service on either of the 2 nodes. However, I can start the AD CS service on each node if I use “net start certsvc”, and after that the cluster is reachable if I use the command “certutil -config CACluster\InternalIssuingCA1 -ping”.
When using the “Failover Cluster manager” I receive the following error on node1:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 2018-09-20 15:23:58
Event ID: 100
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: node1.labb.test.org
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. InternalIssuingCA1 Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{XXXXXXXX-YYYY-ZZZZ-WWWWWWWWWWWW}" />
<EventID>100</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-09-20T13:23:58.116529300Z" />
<EventRecordID>54941</EventRecordID>
<Correlation />
<Execution ProcessID="6072" ThreadID="5480" />
<Channel>Application</Channel>
<Computer>node1.labb.test.org</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_CA_CERT_INVALID">
<Data Name="CACommonName">InternalIssuingCA1</Data>
<Data Name="ErrorCode">Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)</Data>
</EventData>
</Event>
And on node2:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 2018-09-20 14:22:58
Event ID: 100
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: node2.labb.test.org
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. InternalIssuingCA1 The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{XXXXXXXX-YYYY-ZZZZ-WWWWWWWWWWWW}" />
<EventID>100</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-09-20T12:22:58.605162700Z" />
<EventRecordID>54429</EventRecordID>
<Correlation />
<Execution ProcessID="4308" ThreadID="3856" />
<Channel>Application</Channel>
<Computer>node2.labb.test.org</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_CA_CERT_INVALID">
<Data Name="CACommonName">InternalIssuingCA1</Data>
<Data Name="ErrorCode">The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)</Data>
</EventData>
</Event>
Any ideas on what could be the problem?
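One way to make the symptom in this post measurable is to cross-check which HSM key objects each cluster node's KSP can actually open, before handing the CA role to the cluster. The script below is an added diagnostic example, not part of the original post and not a SafeNet or Microsoft tool; it assumes only the text formats of `cmu list` and `ksputil listKeys` exactly as they appear above (the sample inputs are constructed from the post's own listings) and reports, per object handle, which nodes can see it. For a failover cluster the CA's key must be visible under the same KSP key name from every node, so a handle that only one node (or no node) can see is exactly the situation that produces NTE_BAD_KEYSET on the other node.

```python
"""Cross-check HSM key visibility across AD CS cluster nodes.

Added example (not the post's or SafeNet's code). Parses the 'cmu list' and
'ksputil listKeys' output formats shown in the post and classifies every
HSM object handle as usable from every node, visible on a single node only,
or orphaned (listed by the HSM but registered with no node's KSP).
"""
import re
from collections import defaultdict

# Constructed sample inputs, copied from the listings in the post.
CMU_LIST = """\
Please enter password for token in slot 0 : *******************
handle=340 label=InternalIssuingCA1
handle=357 label=InternalIssuingCA1
handle=139 label=InternalIssuingCA1
handle=189 label=InternalIssuingCA1
handle=250 label=InternalIssuingCA1
handle=191 label=InternalIssuingCA1
"""

KSPUTIL_BY_NODE = {
    "node1": """\
This Servers Host Name is: node1.labb.test.org and the logged on user is: Admin@labb
Enter challenge for slot '0' :*******************
MachineKey: InternalIssuingCA1 Handle: 340
MachineKey: InternalIssuingCA1 Handle: 189
""",
    "node2": """\
This Servers Host Name is: node2.labb.test.org and the logged on user is: Admin@labb
Enter challenge for slot '0' :*******************
MachineKey: InternalIssuingCA1 Handle: 357
MachineKey: InternalIssuingCA1 Handle: 139
""",
}

# 'handle=340 label=InternalIssuingCA1'
CMU_RE = re.compile(r"^handle=(\d+)\s+label=(\S+)", re.M)
# 'MachineKey: InternalIssuingCA1 Handle: 340'  (scope, key name, handle)
KSP_RE = re.compile(r"^(\w+):\s+(\S+)\s+Handle:\s+(\d+)", re.M)


def parse_cmu(text):
    """Return {handle: label} for every object the HSM lists via 'cmu list'."""
    return {int(h): label for h, label in CMU_RE.findall(text)}


def parse_ksputil(text):
    """Return {handle: (scope, key_name)} for every key a node's KSP lists."""
    return {int(h): (scope, name) for scope, name, h in KSP_RE.findall(text)}


def key_visibility(cmu_text, ksp_texts):
    """Map each HSM handle to the sorted list of nodes whose KSP can see it."""
    handles = parse_cmu(cmu_text)
    seen = defaultdict(list)
    for node, text in ksp_texts.items():
        for h in parse_ksputil(text):
            if h in handles:  # ignore handles the HSM itself does not report
                seen[h].append(node)
    return {h: sorted(seen.get(h, [])) for h in handles}


def failover_report(cmu_text, ksp_texts):
    """Classify handles by how many cluster nodes can use them."""
    nodes = set(ksp_texts)
    vis = key_visibility(cmu_text, ksp_texts)
    return {
        # safe to bind the CA certificate to: every node can open the key
        "usable_everywhere": sorted(h for h, n in vis.items() if set(n) == nodes),
        # failover will break: the other node(s) will hit NTE_BAD_KEYSET
        "single_node_only": sorted(h for h, n in vis.items() if 0 < len(n) < len(nodes)),
        # present in the HSM but no node's KSP has it registered
        "orphaned": sorted(h for h, n in vis.items() if not n),
    }


if __name__ == "__main__":
    for handle, nodes in key_visibility(CMU_LIST, KSPUTIL_BY_NODE).items():
        print(f"handle {handle}: visible on {nodes or 'no node'}")
    print(failover_report(CMU_LIST, KSPUTIL_BY_NODE))
```

Run against the post's listings, the report has an empty `usable_everywhere` set: node1 sees handles 340 and 189, node2 sees 357 and 139, and 250 and 191 are registered with neither KSP. Whichever of the six key pairs the current CA certificate is bound to, at most one node can open it, which is consistent with the two Event ID 100 errors. The useful control is to require a non-empty `usable_everywhere` set (ideally exactly one key pair, with the stale ones removed) before the CA resource is brought online in the cluster.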