CertUtil: The directory service encountered an unknown failure. 0x800720ef (WIN32: 8431 ERROR_DS_UNKNOWN_ERROR)

I am trying to publish the revoked certificates, but I get an unknown failure when using the Certification Authority console.

Application log in Event Viewer:

It says: Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com. Operation aborted 0x80004004 (-2147467260 E_ABORT).

I searched LDAP with JXplorer for "CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com" and managed to find the CRL.

PKIView also shows the result.

Here is the issued leaf certificate:

certutil -verify -urlfetch C:\Users\Administrator.WIN-TJO4EL48O29\Desktop\Legacy-Crypto-Prov-aduser1-cert-1.cer
Issuer:
    CN=ad-WIN-TJO4EL48O29-CA
    DC=ad
    DC=testdomain
    DC=com
  Name Hash(sha1): 220e2a04c1eb8be0bfcf76501038643e5a116101
  Name Hash(md5): 94dcd520c11b2c4a2327043bda098d3c
Subject:
    CN=aduser1 ta1. test
    CN=Users
    DC=ad
    DC=testdomain
    DC=com
  Name Hash(sha1): b293b40fdd091f568d04b8bbef3b91c1344cee26
  Name Hash(md5): 528c81260b6dd49cb7867d03560e6ad1
Cert Serial Number: 750000000dea8d80286ceaef9300000000000d

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 17 Minutes, 6 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 17 Minutes, 6 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
  NotBefore: 10/5/2022 5:28 PM
  NotAfter: 10/4/2024 5:28 PM
  Subject: CN=aduser1 ta1. test, CN=Users, DC=ad, DC=testdomain, DC=com
  Serial: 750000000dea8d80286ceaef9300000000000d
  SubjectAltName: Other Name:Principal [email protected]
  Template: SC2
  Cert: a2aff7c45cc99de276b3774a31c1b186f749aaa9
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0 6143121a80ec40fd187470ae48a894919a4109d5
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?cACertificate?base?objectClass=certificationAuthority

  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (02)" Time: 0 f9619fc274c3d3321d22169586c5f9bd753ce7c2
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
    [0.0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  ----------------  Base CRL CDP  ----------------
  Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (16)" Time: 0 a547d441246d10f21f5e177f670d7b6539a68cf6
    [1.0] http://WIN-TJO4EL48O29.ad.testdomain.com/CertEnroll/ad-WIN-TJO4EL48O29-CA+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------
    CRL 16:
    Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
    ThisUpdate: 10/7/2022 1:45 PM
    NextUpdate: 10/15/2022 2:05 AM
    CRL: 2e21644c799a4059ef2ed1b0152f092d55b1390c
    Delta CRL 16:
    Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
    ThisUpdate: 10/7/2022 1:45 PM
    NextUpdate: 10/9/2022 2:05 AM
    CRL: a547d441246d10f21f5e177f670d7b6539a68cf6
  Application[0] = 1.3.6.1.4.1.44986.2.1.1 Smartcard Logon PIV Key 9A
  Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[2] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
  NotBefore: 8/20/2022 2:57 PM
  NotAfter: 8/20/2032 3:07 PM
  Subject: CN=ad-WIN-TJO4EL48O29-CA, DC=ad, DC=testdomain, DC=com
  Serial: 786d96c2eb685a82477cc3154193d4a8
  Cert: 6143121a80ec40fd187470ae48a894919a4109d5
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0 (null)
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0 (null)
  --------------------------------

Exclude leaf cert:
  Chain: 3d88e70e09134d31c82a24115dea8f343c0c3021
Full chain:
  Chain: 07855df296396ba2d1a9a7c114f132f9176b6627
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.44986.2.1.1 Smartcard Logon PIV Key 9A
    1.3.6.1.4.1.311.20.2.2 Smart Card Logon
    1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

What is the cause of the error, and how do I fix it?
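As an added check (not from the question or the answer), the following Python script parses the "Certificate CDP" section of the certutil -verify -urlfetch output above and reports which distribution points certutil did not mark OK and the newest CRL number reachable over each transport; the SAMPLE text is a constructed copy of that section.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the Certificate CDP section of the certutil -verify -urlfetch
# output quoted in the question (same status lines, thumbprints and URLs).
SAMPLE = """\
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (02)" Time: 0 f9619fc274c3d3321d22169586c5f9bd753ce7c2
    [0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Expired "Delta CRL (02)" Time: 0 1cdc3316dbdc3a2188d0a0c4a872ba85679e516e
    [0.0.0] ldap:///CN=ad-WIN-TJO4EL48O29-CA,CN=WIN-TJO4EL48O29,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=testdomain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (16)" Time: 0 a547d441246d10f21f5e177f670d7b6539a68cf6
    [1.0] http://WIN-TJO4EL48O29.ad.testdomain.com/CertEnroll/ad-WIN-TJO4EL48O29-CA+.crl
"""

# A fetch result line: <status> "<Base|Delta> CRL (<number>)" Time: <n> <sha1 thumbprint>
STATUS_RE = re.compile(r'^\s*(\w+)\s+"(Base|Delta) CRL \((\d+)\)"\s+Time:\s*\d+\s+([0-9a-f]{40})')
# The URL line that follows it: [x.y] <url>
URL_RE = re.compile(r'^\s*\[[\d.]+\]\s+(\S+)')

def parse_cdp_fetches(text):
    """Return one record per fetched CRL: status, kind, CRL number, thumbprint, URL scheme."""
    records, pending = [], None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status, kind, number, thumb = m.groups()
            pending = {"status": status, "kind": kind, "number": int(number), "thumbprint": thumb}
            continue
        m = URL_RE.match(line)
        if m and pending is not None:
            pending["scheme"] = urlparse(m.group(1)).scheme
            records.append(pending)
            pending = None
    return records

def newest_crl_per_transport(records):
    """Highest CRL number seen per URL scheme. A transport stuck at an old number
    (here LDAP at 02 while HTTP serves 16) shows where CA publishing stopped."""
    newest = defaultdict(int)
    for r in records:
        newest[r["scheme"]] = max(newest[r["scheme"]], r["number"])
    return dict(newest)

def stale_distribution_points(records):
    """Records certutil did not mark OK/Verified: these CDP locations need attention."""
    return [r for r in records if r["status"] not in ("OK", "Verified")]

if __name__ == "__main__":
    recs = parse_cdp_fetches(SAMPLE)
    for r in stale_distribution_points(recs):
        print(f'{r["status"]} {r["kind"]} CRL {r["number"]:02d} via {r["scheme"]}')
    print("newest CRL number per transport:", newest_crl_per_transport(recs))
```

Run against live output with `certutil -verify -urlfetch cert.cer > out.txt` and feed the file to parse_cdp_fetches; a transport that lags the others is the one the CA is failing to publish to.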

Answer 1

I found the answer. It was a corrupt Directory Service NTDS database. The log entries in the Applications and Services Logs \ Directory Service log file pointed to the NTDS database being corrupt.

I followed this Microsoft article: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc794920(v=ws.10)?redirectedfrom=MSDN

It restored the NTDS database, and I can publish CRLs correctly again.

PKIView shows a working setup.

Thanks to those who tried to point me in the right direction, even though a corrupt NTDS database was the last thing I expected to run into.
