Article ID: 251566
Article Last Modified on 2/22/2007
APPLIES TO
- Microsoft Exchange 2000 Server Standard Edition
This article was previously published under Q251566
SYMPTOMS
If a Microsoft Exchange 2000 Server administrator attempts to revoke an Exchange 2000 user's certificate, the following error message may be displayed:
If the administrator clicks Ignore, enrolls the user in security again, and then revokes the user's certificate, the error message is not displayed again, but the original certificates are not displayed as revoked.
CAUSE
This problem can occur if a subordinate certification authority (CA) is being used by the Key Management server (KM server).
For example, consider two servers that are set up as follows:
Server 1 (domain controller)
- Certificate Server (root CA)
- Exchange 2000 Server and KM server
Server 2 (member server, in the same Administrative Group (AG) and domain as Server 1)
- Certificate Server (subordinate CA)
- Exchange 2000 Server, no KM server
If a user on Server 2 is enrolled in KM server and then the certificate for Server 2 is revoked, the error message in the "Symptoms" section of this article is displayed.
The KM server (running as LocalSystem on Server 1) does not have the right to revoke certificates issued by the CA on Server 2.
WORKAROUND
To work around this problem:
- Open the Certification Authority Microsoft Management Console (MMC) snap-in on the computer that is configured as the subordinate CA.
- Open the properties of the subordinate CA, and then click the Security tab.
- Add the Exchange KMServers group and grant it Manage rights.
STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.