The certificate store on my Win7 box is constantly hanging. Observe:
    C:\>1.cmd

    C:\>certutil -? | findstr /i ping
      -ping             -- Ping Active Directory Certificate Services Request interface
      -pingadmin        -- Ping Active Directory Certificate Services Admin interface

    C:\>set PROMPT=$P($t)$G

    C:\(13:04:28.57)>certutil -ping
    CertUtil: -ping command FAILED: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.

    C:\(13:04:58.68)>certutil -pingadmin
    CertUtil: -pingadmin command FAILED: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.

    C:\(13:05:28.79)>set PROMPT=$P$G

    C:\>

-pingadmin parameters to certutil
This is a serious problem. It screws all the secure communication in my app. If anyone knows how this can be fixed - please share.
1.cmd is simply a batch of these commands:
    certutil -? | findstr /i ping
    set PROMPT=$P($t)$G
    certutil -ping
    certutil -pingadmin
    set PROMPT=$P$G
I have succeeded in pinning down the single Windows API that causes the problem: DsGetDcName.
According to windbg, certutil -ping invokes it like so:

    // NULL computer, domain, GUID and site: locate a DC for this machine's own domain
    PDOMAIN_CONTROLLER_INFO pdci;
    DWORD ret = ::DsGetDcName(NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdci);
On my workstation it times out for 30 seconds and then returns error code 1355, which is
ERROR_NO_SUCH_DOMAIN No domain controller is available for the specified domain or the domain does not exist.
On another machine, which incidentally is a Windows Server 2003, it returns almost immediately with the correct domain controller name inside the returned
Now the question is what is missing on my workstation for that API to find the correct domain controller?
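The following PowerShell script is an added diagnostic, not code from the original post. It reproduces the DsGetDcName call that windbg showed certutil -ping making (same NULL arguments, same DS_DIRECTORY_SERVICE_PREFERRED flag), times it, decodes the Win32 return code (for example 1355 = ERROR_NO_SUCH_DOMAIN), and frees the returned buffer. It also reports whether the host is domain-joined and whether the Netlogon service (which DsGetDcName relies on for DC location) is running. The function names Test-DcLocator and Get-DcLocatorContext are assumptions of this example; the struct layout and P/Invoke signature follow the documented DsGetDcNameW / DOMAIN_CONTROLLER_INFOW definitions.

```powershell
# Added diagnostic (not part of the original post). Assumes a Windows host
# with PowerShell 2.0 or later; no elevation is required for DsGetDcName.
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class DsLocator {
    // Mirrors DOMAIN_CONTROLLER_INFOW from dsgetdc.h (Unicode layout).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint   DomainControllerAddressType;
        public Guid   DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint   Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }
    public const uint DS_DIRECTORY_SERVICE_PREFERRED = 0x00000020;

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "DsGetDcNameW")]
    public static extern uint DsGetDcName(string computerName, string domainName,
        IntPtr domainGuid, string siteName, uint flags, out IntPtr dcInfo);

    [DllImport("netapi32.dll")]
    public static extern uint NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $signature

# Domain membership and Netlogon state: both must be right before DsGetDcName can succeed.
function Get-DcLocatorContext {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Object PSObject -Property @{
        ComputerName   = $cs.Name
        PartOfDomain   = $cs.PartOfDomain
        DomainOrGroup  = $cs.Domain
        NetlogonStatus = (Get-Service -Name Netlogon).Status
    }
}

# Same call certutil -ping makes; $Domain left empty means "this machine's own domain".
function Test-DcLocator {
    param([string]$Domain = $null)
    $ptr = [IntPtr]::Zero
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    $rc  = [DsLocator]::DsGetDcName($null, $Domain, [IntPtr]::Zero, $null,
               [DsLocator]::DS_DIRECTORY_SERVICE_PREFERRED, [ref]$ptr)
    $sw.Stop()
    $result = @{
        ReturnCode = $rc
        Seconds    = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    }
    if ($rc -eq 0) {
        $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
                    $ptr, [DsLocator+DOMAIN_CONTROLLER_INFO])
        $result.DomainController = $info.DomainControllerName
        $result.DomainName       = $info.DomainName
        $result.DcSite           = $info.DcSiteName
        $result.ClientSite       = $info.ClientSiteName
        # The buffer is allocated by netapi32 and must be released with NetApiBufferFree.
        [void][DsLocator]::NetApiBufferFree($ptr)
    } else {
        # Translate the Win32 code (e.g. 1355 -> "The specified domain either does not exist ...").
        $result.Message = (New-Object System.ComponentModel.Win32Exception([int]$rc)).Message
    }
    New-Object PSObject -Property $result
}

Get-DcLocatorContext | Format-List
Test-DcLocator        | Format-List
```

On a healthy domain member the second object shows ReturnCode 0, a sub-second time and the DC name; a 30-second wait followed by ReturnCode 1355, as in the question, points at the locator itself rather than at the CA or its DCOM permissions, and the first object tells you whether the host is even domain-joined and whether Netlogon is running.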
Please check the following.
Can you run certutil -ping -config "cadnsname\CA logical name" from the affected hosts?
Who has permission to request certificates at the CA (did someone change Authenticated Users to Domain Users)?
Look at the DCOM permissions to ensure that Authenticated Users have the correct permissions at the CA. DCOM permissions on the CA for the Certificate Service DCOM Access group:
    Access Permissions -> Local Access: Allow, Remote Access: Allow
    Launch and Activation Permissions -> Remote Launch: Allow, Remote Activation: Allow
For more details you can refer to the URL below for troubleshooting.
User contributions licensed under CC BY-SA 3.0