Microsoft KB Archive/251566


XADM: Key Management Server Subordinate Certification Authority Cannot Be Reached When Attempting to Revoke a Certificate

Article ID: 251566

Article Last Modified on 2/22/2007


  • Microsoft Exchange 2000 Server Standard Edition

This article was previously published under Q251566


If a Microsoft Exchange 2000 Server administrator attempts to revoke an Exchange 2000 user's certificate, the following error message may be displayed:

The listed Certificate Authorities could not be contacted for revocation. If they still exist within your organization, please make sure that they are on line, press Cancel, and retry the operation. If the certificate authorities no longer exist, pressing Ignore will mark the users as revoked within the Key Management Service.

If the administrator clicks Ignore, enrolls the user in security again, and then revokes the user's certificate, the error message is not displayed again, but the original certificates are not displayed as revoked.


This problem can occur if a subordinate certification authority (CA) is being used by the Key Management server (KM server).

For example, if two servers are set up as follows:

Server 1 (domain controller)
Certificate Server (root CA)
Exchange 2000 Server and KM server

Server 2 (member server, in the same Administrative Group (AG) and domain as Server 1)
Certificate Server (subordinate CA)
Exchange 2000 Server, no KM server

If a user on Server 2 is enrolled in KM server and then the certificate for Server 2 is revoked, the error message in the "Symptoms" section of this article is displayed.

The KM server (running as LocalSystem on Server 1) does not have the right to revoke certificates issued by the CA on Server 2.


To work around this problem:

  1. Open the Certificate Authority Microsoft Management Console (MMC) snap-in on the computer that is configured as the subordinate CA.
  2. Open the properties of the subordinate CA, and then click the Security tab.
  3. Add the Exchange KMServers group and grant it Manage rights.


Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.

Additional query words: KMS exch2kp2w

Keywords: kbbug kberrmsg kbnofix KB251566