certutil -ping fails with a 30-second timeout - what to do?

10

The certificate store on my Win7 box is constantly hanging. Observe:


C:\>1.cmd

C:\>certutil -?   | findstr /i ping
  -ping             -- Ping Active Directory Certificate Services Request interface
  -pingadmin        -- Ping Active Directory Certificate Services Admin interface

C:\>set PROMPT=$P($t)$G

C:\(13:04:28.57)>certutil -ping
CertUtil: -ping command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:04:58.68)>certutil -pingadmin

CertUtil: -pingadmin command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\(13:05:28.79)>set PROMPT=$P$G

C:\>

Explanations:

  • The first command shows you that there are -ping and -pingadmin parameters to certutil
  • Trying any ping parameter fails after a 30-second timeout (the current time is seen in the prompt)

This is a serious problem. It screws up all the secure communication in my app. If anyone knows how this can be fixed, please share.

Thanks.

P.S.

1.cmd is simply a batch of these commands:

certutil -? | findstr /i ping
set PROMPT=$P($t)$G
certutil -ping
certutil -pingadmin
set PROMPT=$P$G

EDIT1

I have succeeded in pinning down the single Windows API that causes the problem: DsGetDcName.

According to WinDbg, certutil -ping invokes it like so:

#include <windows.h>
#include <dsgetdc.h>   // DsGetDcName, DOMAIN_CONTROLLER_INFO, DS_* flags; link against netapi32.lib
PDOMAIN_CONTROLLER_INFO pdci;
DWORD ret = ::DsGetDcName(NULL, NULL, NULL, NULL, DS_DIRECTORY_SERVICE_PREFERRED, &pdci);

On my workstation it times out after 30 seconds and then returns error code 1355, which is ERROR_NO_SUCH_DOMAIN ("No domain controller is available for the specified domain or the domain does not exist").

On another machine, which happens to be a Windows Server 2003 box, it returns almost immediately with the correct domain controller name inside the returned DOMAIN_CONTROLLER_INFO structure.

Now the question is what is missing on my workstation for that API to find the correct domain controller?

security
windows-7
ssl-certificate
certificate
ad-certificate-services
asked on Server Fault Dec 30, 2010 by mark • edited Dec 19, 2011 by maweeras
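As an added diagnostic (not part of the original question or answer), this PowerShell script reproduces the DsGetDcName call that WinDbg showed certutil -ping making, times it, and on error 1355 prints the domain-membership state and the DC SRV record lookup that the DC locator depends on. The flag value and struct layout are taken from the Windows SDK dsgetdc.h header; the wrapper class name DsLocator is my own, and the script must run on a Windows host.

```powershell
$src = @'
using System;
using System.Runtime.InteropServices;
public static class DsLocator {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint   DomainControllerAddressType;
        public Guid   DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint   Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int DsGetDcName(string computer, string domain, IntPtr guid,
                                         string site, uint flags, out IntPtr info);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $src   # P/Invoke shim for the same netapi32 call certutil makes

$DS_DIRECTORY_SERVICE_PREFERRED = 0x20   # flag value from dsgetdc.h, as seen in WinDbg
$info = [IntPtr]::Zero
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$ret = [DsLocator]::DsGetDcName($null, $null, [IntPtr]::Zero, $null,
                                $DS_DIRECTORY_SERVICE_PREFERRED, [ref]$info)
$sw.Stop()
"DsGetDcName returned $ret after $($sw.Elapsed.TotalSeconds.ToString('F1')) s"

switch ($ret) {
    0 {
        $dci = [System.Runtime.InteropServices.Marshal]::PtrToStructure($info, [DsLocator+DOMAIN_CONTROLLER_INFO])
        "Located DC $($dci.DomainControllerName) for domain $($dci.DomainName) (site $($dci.DcSiteName))"
        [void][DsLocator]::NetApiBufferFree($info)   # caller must free the returned buffer
    }
    1355 {   # ERROR_NO_SUCH_DOMAIN: the code certutil -ping reports after its 30 s wait
        "No DC located. The locator needs domain membership plus DNS SRV records for the DC:"
        $cs = Get-WmiObject Win32_ComputerSystem
        "  PartOfDomain=$($cs.PartOfDomain)  Domain=$($cs.Domain)"
        nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($cs.Domain)"
    }
    default { "Unexpected Win32 error $ret" }
}
```

A host that is not domain-joined, or whose DNS server cannot answer the _ldap._tcp.dc._msdcs SRV query, will show the same 30-second wait followed by 1355 that the question reports.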

1 Answer

0

Please check the following:

  1. Can you run certutil -ping -config "cadnsname\CA logical name" from the affected hosts?

  2. Who has the permissions to Request certificates at the CA (did someone change Authenticated Users to Domain Users)?

  3. Look at the DCOM permissions to ensure that Authenticated Users have the correct permissions at the CA. DCOM permissions on the CA for the Certificate Service DCOM Access group:

    Access Permissions -> Local Access: Allow, Remote Access: Allow
    Launch and Activation Permissions -> Remote Launch: Allow, Remote Activation: Allow

For more details, you can refer to the URL below for troubleshooting.

http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx

answered on Server Fault Jan 18, 2011 by Mit Naik • edited Jun 11, 2020 by Community

User contributions licensed under CC BY-SA 3.0