Microsoft KB Archive/931354

= Event ID 77 is logged in the Application log when the CertSvc service starts on a CA server that is running Windows Server 2003 with Service Pack 1 =

Article ID: 931354

Article Last Modified on 2/9/2007


APPLIES TO

 * Microsoft Windows Server 2003 Service Pack 1, when used with:
 ** Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Web Edition



SYMPTOMS
After you install Microsoft Windows Server 2003 Service Pack 1 (SP1) on a certification authority (CA) server, the following event may be logged many times in the Application log when the Certificate Services (CertSvc) service starts:

Event Type: Warning

Event Source: CertSvc

Event Category: None

Event ID: 77

Date:

Time:

User: N/A

Computer:

Description: The "Windows default" Policy Module logged the following warning: The User(v3.0): V1 Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).

Additionally, the CA server may no longer issue certificates. The policy module denies all certificate requests. The following event is logged in the CA server's Application log when each request is rejected:

Event Type: Warning

Event Source: CertSvc

Event Category: None

Event ID: 53

Date:

Time:

User: N/A

Computer:

Description: Certificate Services denied request 4 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for \. Additional information: Denied by Policy Module 0x80094800, the request was for a certificate template that is not supported by the Certificate Services policy: User.


WORKAROUND
To work around this problem, follow these steps:

1. Downgrade the CA server by removing the Windows Server 2003 SP1 service pack.
2. Update the schema in the Microsoft Windows 2000-based domain to Windows Server 2003. Additionally, update the templates by reregistering the %windir%\System32\Certcli.dll file on the CA server. To do this, follow these steps:
   a. Click Start, click Run, type cmd, and then click OK.
   b. At the command prompt, type the following command, and then press ENTER:

      regsvr32 /i:i /n /s %windir%\system32\certcli.dll

   c. Type the following commands. Press ENTER after each command.

      net stop certsvc

      net start certsvc

   d. Type exit, and then press ENTER to close the Command Prompt window.


MORE INFORMATION
An enterprise CA server that is running Windows Server 2003, Standard Edition can issue only certificates that are based on Windows 2000-style version 1 templates. Therefore, you do not have to update the schema to install a Windows Server 2003-based CA server in a Windows 2000-based domain.

Windows Server 2003 SP1 includes new code to enable template auditing. The new code specifically looks for Windows Server 2003 schema attributes when the code enumerates templates. If you do not update the schema, the schema attributes are not present. Therefore, the CA server cannot load any of the templates in the Active Directory directory service.

When the CertSvc service starts, the CA server looks for the msPKI-Template-Minor-Revision attribute as it enumerates the templates. This attribute is not present in the Windows 2000 schema, so it is not instantiated on the template objects, and event 77 is logged. Because the templates cannot be successfully enumerated, they are not loaded into the in-memory cache that the CertSvc service maintains. The Certification Authority snap-in still shows the templates in the Certificate Templates folder. If you add or remove these templates, the pKIEnrollmentServices object is updated in Active Directory. However, when the CertSvc service reads the pKIEnrollmentServices object to see which templates it is supposed to load, the CertSvc service fails.

You can verify that templates have not loaded by enabling debug logging for the CertSvc service and then restarting the service. To do this, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press ENTER:

   certutil -setreg ca\debug 0xffffffe3

3. Type the following commands. Press ENTER after each command.

   net stop certsvc

   net start certsvc

4. Type exit, and then press ENTER to close the Command Prompt window.

After you follow these steps, open the %windir%\Certsrv.log file. You see entries that resemble the following:

<pre class="fixed_text">Opened Log: <Date> <Time>
certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
certsrv.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
508.1334.0: 0x80070002 (WIN32: 2): AlternatePublishDomains
513.14724.0: 0x80070490 (WIN32: 1168): CAExchange
508.2045.0: 0x80070490 (WIN32: 1168)
CertSrv: Opening Database C:\WINDOWS\system32\CertLog\Enterprise Root CA.edb
CertSrv: Database open
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): ExchangeUser
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): EFSRecovery
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): EFS
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): DomainController
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): WebServer
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): Machine
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): User
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): SubCA
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): Administrator
CertSrv: Policy Module Enabled (Windows default)
CertSrv: Exit Module[1] Enabled: 7f (Windows default)
CertSrv: Certification Authority Service Ready (13s) DC=W2K-SRV-01.windows2000.com ...
CertSrv: Base + Delta CRL Publishing Enabled, TimeOut=84325s, 23 Hours, 25 Minutes, 25 Seconds
429.2137.0: 0xffffffff (ESE: -1)
809.78.0: 0x80072095 (WIN32: 8341)
CertSrv: Certification Authority Service Stopped
503.2452.0: 0x0 (WIN32: 0)
CertSrv: Exit Status = S_OK</pre>

If you have not updated the schema, the following two trace entries appear for each template that does not load:
 * 1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
 * 1004.4460.0: 0x80070490 (WIN32: 1168): ExchangeUser

The first trace entry indicates that loading the msPKI-Template-Minor-Revision attribute has failed. The second trace entry is a debug trace that is taken when the policy module logs the template load failure. The default policy module expects the msPKI-Template-Minor-Revision attribute to be available even for version 1 templates. Therefore, the templates do not load.

After you update the schema, update the templates, and restart the CA server, the Certsrv.log file contains entries that resemble the following:

<pre class="fixed_text">Opened Log: <Date> <Time>
certcli.dll: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
certsrv.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
439.99.0: 0x80070716 (WIN32: 1814)
508.1588.0: 0x80070716 (WIN32: 1814)
508.1334.0: 0x80070002 (WIN32: 2): AlternatePublishDomains
CertSrv: Opening Database C:\WINDOWS\system32\CertLog\Enterprise Root CA.edb
CertSrv: Database open
1004.4374.0: 0x80094800 (-2146875392): EnrollmentAgent
1004.4374.0: 0x80094800 (-2146875392): ExchangeUser
1004.4374.0: 0x80094800 (-2146875392): EFSRecovery
1004.4374.0: 0x80094800 (-2146875392): EFS
1004.4374.0: 0x80094800 (-2146875392): DomainController
1004.4374.0: 0x80094800 (-2146875392): WebServer
1004.4374.0: 0x80094800 (-2146875392): Machine
1004.4374.0: 0x80094800 (-2146875392): User
1004.4374.0: 0x80094800 (-2146875392): SubCA
1004.4374.0: 0x80094800 (-2146875392): Administrator
CertSrv: Policy Module Enabled (Windows default)
CertSrv: Exit Module[1] Enabled: 7f (Windows default)
CertSrv: Certification Authority Service Ready (17s) DC=W2K-SRV-01.windows2000.com ...
CertSrv: Base + Delta CRL Publishing Enabled, TimeOut=81098s, 22 Hours, 31 Minutes, 38 Seconds</pre>

Errors in the Certsrv.log file are expected because of the code changes in Windows Server 2003 SP1. The entries for the Windows Server 2003 SP1 debug trace are logged because of expected failures that occur when resource strings are loaded.

In Windows Server 2003 SP1, the Certsrv.exe program is missing 10 resource strings. Windows Server 2003 SP1 looks for the missing resource strings in the Ws03res.dll file. Therefore, these log entries are expected. These entries are not related to the template issues. The following trace entries are each logged 10 times in the Certsrv.log file:
 * 439.99.0: 0x80070716 (WIN32: 1814)
 * 508.1588.0: 0x80070716 (WIN32: 1814)

Some template auditing functionality was added to the CA for Windows Server 2003 SP1. The policy module code was modified to load more information from the templates. The code was also modified to keep the information in an in-memory data structure so that only changes to the templates can be audited. If you have updated the schema, an entry that resembles the following is logged when the CA starts:

1004.4374.0: 0x80094800 (-2146875392): EnrollmentAgent

When the CA server starts, the list in memory is empty. One such log entry appears for each template that the CA is configured to issue because the Windows Server 2003 SP1 code that loads templates cannot find the template in the list in memory. Therefore, each template causes one debug trace entry.

This behavior does not cause any problems.
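The log triage described above can be scripted. The following Python sketch is an added example, not part of the original article or of any Microsoft tool; the function name `triage_certsrv_log` and the two excerpts are constructed here from the sample log lines on this page. It matches on the error code and detail text rather than on the numeric trace IDs, on the assumption that those IDs can differ between builds.

```python
import re

# Trace shape from the page's samples: "<id>: <hresult> (<decoded>)[: <detail>]"
TRACE = re.compile(r"^(\d+\.\d+\.\d+): (0x[0-9a-fA-F]+) \([^)]*\)(?:: (.+))?$")
E_NOT_FOUND = 0x80070490    # WIN32 1168, "Element not found"
E_RESOURCE = 0x80070716     # WIN32 1814, missing resource string (expected per the article)
E_UNSUPPORTED = 0x80094800  # logged once per template at startup after the schema update
MINOR_REV = "msPKI-Template-Minor-Revision"

def triage_certsrv_log(text):
    """Sort Certsrv.log debug traces into the categories the article describes."""
    out = {"failed_templates": [], "first_load_templates": [],
           "resource_string_noise": 0, "other": []}
    attr_missing = False  # True right after a missing-attribute trace
    for raw in text.splitlines():
        m = TRACE.match(raw.strip())
        if not m:
            continue  # header and "CertSrv: ..." status lines
        trace_id, code, detail = m.group(1), int(m.group(2), 16), m.group(3)
        if code == E_NOT_FOUND and detail == MINOR_REV:
            attr_missing = True
            continue
        if code == E_NOT_FOUND and detail and attr_missing:
            out["failed_templates"].append(detail)      # schema not updated
        elif code == E_UNSUPPORTED and detail:
            out["first_load_templates"].append(detail)  # harmless startup trace
        elif code == E_RESOURCE:
            out["resource_string_noise"] += 1           # unrelated to templates
        else:
            out["other"].append((trace_id, hex(code), detail))
        attr_missing = False
    return out

# Constructed excerpts, shortened from the two sample logs on this page.
BEFORE = """\
439.99.0: 0x80070716 (WIN32: 1814)
513.14724.0: 0x80070490 (WIN32: 1168): CAExchange
CertSrv: Database open
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): User
1006.1328.0: 0x80070490 (WIN32: 1168): msPKI-Template-Minor-Revision
1004.4460.0: 0x80070490 (WIN32: 1168): WebServer
"""
AFTER = """\
508.1588.0: 0x80070716 (WIN32: 1814)
1004.4374.0: 0x80094800 (-2146875392): User
1004.4374.0: 0x80094800 (-2146875392): WebServer
"""
if __name__ == "__main__":
    print(triage_certsrv_log(BEFORE)["failed_templates"])
```

A non-empty `failed_templates` list corresponds to the event 77 condition; entries in `first_load_templates` and `resource_string_noise` are the ones the article says can be ignored.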
