Microsoft KB Archive/251566

= XADM: Key Management Server Subordinate Certification Authority Cannot Be Reached When Attempting to Revoke a Certificate =

Article ID: 251566

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition




This article was previously published under Q251566





SYMPTOMS
If a Microsoft Exchange 2000 Server administrator attempts to revoke an Exchange 2000 user's certificate, the following error message may be displayed:

The listed Certificate Authorities could not be contacted for revocation. If they still exist within your organization, please make sure that they are on line, press Cancel, and retry the operation. If the certificate authorities no longer exist, pressing Ignore will mark the users as revoked within the Key Management Service.

If the administrator clicks Ignore, enrolls the user in security again, and then revokes the user's certificate, the error message is not displayed again, but the original certificates are not displayed as revoked.



CAUSE
This problem can occur if a subordinate certification authority (CA) is being used by the Key Management server (KM server).

For example, if two servers are set up as follows:

 * Server 1 (domain controller): Certificate Server (root CA); Exchange 2000 Server and KM server
 * Server 2 (member server, in the same Administrative Group (AG) and domain as Server 1): Certificate Server (subordinate CA); Exchange 2000 Server, no KM server

If a user on Server 2 is enrolled in KM server and then the certificate for Server 2 is revoked, the error message in the "Symptoms" section of this article is displayed.

The KM server (running as LocalSystem on Server 1) does not have the right to revoke certificates issued by the CA on Server 2.



WORKAROUND
To work around this problem:
 * 1) Open the Certificate Authority Microsoft Management Console (MMC) snap-in on the computer that is configured as the subordinate CA.
 * 2) Open the properties of the subordinate CA, and then click the Security tab.
 * 3) Add the Exchange KMServers group and grant it Manage rights.



STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.

Additional query words: KMS exch2kp2w

Keywords: kbbug kberrmsg kbnofix KB251566


© Microsoft Corporation. All rights reserved.