Microsoft KB Archive/251566
Article ID: 251566
Article Last Modified on 2/22/2007
- Microsoft Exchange 2000 Server Standard Edition
This article was previously published under Q251566
If a Microsoft Exchange 2000 Server administrator attempts to revoke an Exchange 2000 user's certificate, the following error message may be displayed:
If the administrator clicks Ignore, enrolls the user in security again, and then revokes the user's certificate, the error message is not displayed again, but the original certificates are not displayed as revoked.
This problem can occur if a subordinate certification authority (CA) is being used by the Key Management server (KM server).
For example, if two servers are set up as follows:
- Server 1 (domain controller)
  - Certificate Server (root CA)
  - Exchange 2000 Server and KM server
- Server 2 (member server, in the same Administrative Group (AG) and domain as Server 1)
  - Certificate Server (subordinate CA)
  - Exchange 2000 Server, no KM server
If a user on Server 2 is enrolled in KM server and then the certificate for Server 2 is revoked, the error message in the "Symptoms" section of this article is displayed.
The KM server (running as LocalSystem on Server 1) does not have the right to revoke certificates issued by the CA on Server 2.
To work around this problem:
- Open the Certificate Authority Microsoft Management Console (MMC) snap-in on the computer that is configured as the subordinate CA.
- Open the properties of the subordinate CA, and then click the Security tab.
- Add the Exchange KMServers group and grant it Manage rights.
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.