Microsoft KB Archive/218802

= XADM: Can't Enroll Using X.509 V3 Certificates =

Article ID: 218802

Article Last Modified on 10/28/2006


APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition




This article was previously published under Q218802



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When Key Management (KM) Server administrators choose to issue X.509 v3 certificates (or issue both v1 and v3), they receive the following error message when they click OK on the dialog box that shows the certificate server to use:

The KMS database had an error - c1031d9f

The following event is logged in the event viewer application log:

Event ID: 5017

Source: MSExchangeKMS

Type: Error

Category: none

Description: KMS Admin \ failed to set the CertServer configuration.



CAUSE
The organization name contains a special character such as a comma, underscore (_), and so on.



RESOLUTION
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

Component: Setup Program

After you obtain the fix, follow these steps to apply it:

 1. Create a new folder on your hard disk, and then copy the contents of the Server\Setup\I386 folder from the Exchange Server 5.5 CD-ROM to this new folder.
 2. Rename the Setup.exe file in the folder on the hard disk to Setup.old, and then rename the Srvrmax.exe or Srvrmin.exe file to Setup.exe. Note that the Srvrmax.exe file should be used for the Enterprise edition of Exchange Server 5.5 and the Srvrmin.exe file should be used for the Standard edition of Exchange Server 5.5.
 3. Run Setup.exe from the folder on the hard disk.
 4. When the installation process is finished, apply the latest service pack for Exchange Server 5.5, even if it was already applied previously.

For additional information about how to obtain the latest service pack for Exchange Server 5.5, click the article number below to view the article in the Microsoft Knowledge Base:

191014 XGEN: How to Obtain the Latest Exchange Server 5.5 Service Pack





WORKAROUND
WARNING: If you are using X.509 V1 certificates, the steps listed below remove the key history for all users. If you have users who will still be using X.509 V1, do not run the steps below; instead, call Microsoft Product Support Services (PSS) and reference this article.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

 1. From a command prompt, run net stop certsvc to stop the Certificate Authority Service.
 2. Open the registry and change the value for the following key from "," to "!":

    HKEY_LOCAL_MACHINE\CurrentControlSet\Services\CertSrc\Configuration\ \Subject Name Separator

    NOTE: The value should be punctuation characters only such as the comma, period (.), semicolon, or exclamation mark (!). The default is a comma. It also needs to be a punctuation mark that is not present in the organization name.
 3. From a command prompt, run net stop msexchangekms to stop the KMS service.
 4. Make a backup of the Kmsdata folder.
 5. Delete all the files in the Kmsdata folder.
 6. From a command prompt, change directory to point to the C:\Exchsrvr\Bin folder, and run the following command:

    kmserver -I  -X "c=us, o=\"  \", ou=, cn=certificate authority"

    where  is your KMS password,   is your organization name, and   is your site name.
 7. Restart the services. You should now be able to use X.509 V3 certificates.


STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange Server version 5.5.

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe KB218802


© Microsoft Corporation. All rights reserved.