Event ID 29 — AD CS Online Responder Service

Applies To: Windows Server 2008 R2

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 29
Source: Microsoft-Windows-OnlineResponder
Version: 6.1
Symbolic Name: MSG_E_CACONFIG_FAILTOLOAD
Message: OnlineResponder Service: For configuration %1, settings could not be loaded. Any OCSP request for this configuration will be rejected.(%2)

Resolve

Correct revocation configuration problems

When the Online Responder service encounters an error while attempting to load its configuration, this can indicate that the revocation configuration has been corrupted. To correct this:

  • Follow the procedure in the "Create a valid revocation configuration" section.
  • If this does not resolve the problem, follow the procedure in the "Delete a revocation configuration from the registry" section, and then follow the procedure in the "Create a valid revocation configuration" section again.
  • If the corrupted revocation configuration occurs on the member of an Array, delete the revocation configuration by using the procedure in the "Delete a revocation configuration from the registry" section, and then use the procedure in the** **"Synchronize members with an Array controller" section to re-create the revocation configuration.
  • If the corrupted configuration occurs on an Array controller, you need follow the procedure in the "Designate an Array controller" section to designate a different Online Responder as the Array controller. Then the restored revocation configuration can be synchronized with the new Array controller.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Create a valid revocation configuration

To create a valid revocation configuration:

  1. Click Start, point to Administrative Tools, and click Online Responder.
  2. In the details pane, right-click the revocation configuration identified in the event, and click Delete.
  3. In the console tree, click Revocation Configuration.
  4. In the Actions pane on the right, click Add Revocation Configuration to start the Add Revocation Configuration Wizard.
  5. Provide the information requested in the wizard, and then click Finish and Yes to complete the setup process.

If you cannot access the revocation configuration by using the Online Responder snap-in, you need to delete this information directly from the registry.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

Delete a revocation configuration from the registry

To delete a revocation configuration from the registry:

  1. On the Online Responder, click Start, type regedit, and then press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OCSPSvc\Responder.
  3. Delete the corrupted revocation configuration.

Synchronize members with an Array controller

To synchronize members with an Array controller:

  1. On the Online Responder, Start, point to Administrative Tools, and click Online Responder.
  2. In the console tree, click Array Configuration Members.
  3. In the Actions pane, click Synchronize Responder Configuration.

If the corrupted configuration occurs on an Array controller, you can temporarily make another computer the Array controller, synchronize the Array, and then reset the original computer to be the Array controller.

Designate an Array controller

To designate an Array controller:

  1. Click Start, point to Administrative Tools, and then click Online Responder.
  2. In the console tree, click Array ConfigurationMembers.
  3. Select the Online Responder that you want to designate as the Array controller.
  4. In the Actions pane, click Set as Array Controller.
  5. Synchronize the Array member with the corrupt configuration, and then reset the updated Array member as the Array controller.

If the problem persists, contact Microsoft Customer Service and Support.

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.

  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.

  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, clickStart, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.

  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer* *file.

  6. Open a command prompt window.

  7. Type **certutil -url<exportedcert.cer> **and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.

AD CS Online Responder Service

Active Directory Certificate Services