Windows 2008 CA fails install (ADCS): Object already exists. 0x8009000f
During the installation of Windows Server 2008 (2k8) certificate services (ADCS) the installation fails with the following error:
The installation debug logs under \windows\certocm.log will show something similar to the following:
202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)
0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.
Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)
0.299.965: Message Box: Microsoft Active Directory Certificate Services: 6
0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.
Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)
.299.965: Message Box: Microsoft Active Directory Certificate Services: 6
109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)
109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)
114.5848.949: End: CCertSrvSetup::Install: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.
Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)
The following assumptions are made:
1. You are using an nCipher HSM.
2. You are using Operator Card Set (OCS) key protection.
3. You are running Windows Server 2008.
In Windows 2003 you had an option to allow the CSP to interact with the desktop in the following UI for 2k3:
However, in Server 2008 ADCS, the option's wording has changed a little bit:
"Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)"
Hope it helps someone one day - I spent a bunch of time on this before a kindly dev pointed out the obvious here.
I had a whole post all about how to work around the fact that the CSP could not interact with the desktop...
Anyway.. here is what you will then see when the CA needs to interact:
You will see a little blinky box on your taskbar.. click on it.
You will see the interactive services desktop (light blue) and the nCipher dialog up, pending the OCS insertion\PINs.
spat
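A small triage helper for the certocm.log signature shown in the post, as an added example (not part of the original post or of any Microsoft or nCipher tooling). The function names and the software-CSP sample line are constructed for illustration, and the regex assumes the "Generate Keys" line layout seen in the log excerpt above.

```python
import re

NTE_EXISTS = 0x8009000F  # "Object already exists." as printed in the log above

# Matches the "Generate Keys" line layout seen in the certocm.log excerpt.
GENKEY_RE = re.compile(
    r"^\S+: Generate Keys: (?P<container>[^:]+): (?P<csp>[^:]+): "
    r"0x[0-9a-fA-F]+\((?P<bits>\d+)\): .*?"
    r"(?P<hex>0x[0-9a-fA-F]{8}) \((?P<dec>-?\d+)\)\s*$"
)

def to_signed32(value):
    """Convert an unsigned 32-bit HRESULT to the signed form the log prints."""
    return value - (1 << 32) if value & 0x80000000 else value

def triage(log_text):
    """Return one finding per key generation that failed with 0x8009000f."""
    findings = []
    for line in log_text.splitlines():
        m = GENKEY_RE.match(line.strip())
        if not m:
            continue
        hresult = int(m.group("hex"), 16)
        # Skip other errors, and lines whose hex and decimal codes disagree.
        if hresult != NTE_EXISTS or to_signed32(hresult) != int(m.group("dec")):
            continue
        csp = m.group("csp").strip()
        findings.append({
            "container": m.group("container").strip(),
            "csp": csp,
            "key_bits": int(m.group("bits")),
            # The post's scenario: an nCipher CSP that needs to interact
            # with the desktop to prompt for the OCS.
            "check_csp_interaction": "ncipher" in csp.lower(),
        })
    return findings

# Constructed sample: three lines from the excerpt above, plus one made-up
# line (LabCA) that uses a software CSP.
SAMPLE = """\
202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)
0.299.965: Message Box: Microsoft Active Directory Certificate Services: 6
109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)
17.100.0: Generate Keys: LabCA: Microsoft Strong Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Only findings with `check_csp_interaction` set to true match the HSM case described in the post; the same error code from a software CSP points elsewhere.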
Comments
Anonymous
July 16, 2008
Thanks a bunch. I had this problem before and I had solved it. I ran into it again and did not remember my last solution (which was the same :)) Thanks again. Manish
Anonymous
October 10, 2008
Hi, but what's the situation with AD RMS?
Anonymous
October 11, 2008
Rado - can you elaborate?
Anonymous
October 12, 2008
Hello, we tried to install AD RMS Services on Server 2008 by using an nCipher HSM and OCS. The operation fails with the error "time out" because the system waits for the OCS quorum. The problem is that when we install AD RMS there is no option like "Allow CSP to interact with desktop", and that is the reason that the nCipher OCS wizard did not appear. Is there any method to make the CSP interact with the desktop? Thank you very much in advance.
Anonymous
October 20, 2008
I don't believe you can use OCS protection - you need to use module protection. I am not 100% sure on that one, but like 97% :) spat
Anonymous
October 23, 2008
Thank you. Yes, the solution is to use module protection. That makes things look simple because we do not use smart cards every time the application uses the key.
Anonymous
April 02, 2009
Hi, I am getting the Error - "Object already exists. 0x8009000f" in Windows 2008 R2.
Anonymous
April 03, 2009
Can u paste the relevant portion of the debug logs under \windows\certocm.log