次の方法で共有


Windows 2008 CA fails install ( ADCS ) : Object already exists. 0x8009000f

During the installation of Windows Server 2008 (2k8) certificate services ( ADCS ) the installation fails with the following error:

 

 clip_image002

The installation debug logs under \windows\certocm.log will show something similar to the following:

 

202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

 Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: 6

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

.299.965: Message Box: Microsoft Active Directory Certificate Services: 6

109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)

109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)

114.5848.949: End: CCertSrvSetup::Install: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

The following is assumptions are made:

1. You are using an nCipher HSM

2. You are using Operator Card Set (OCS ) key protection.

3. You are running Windows Server 2008.

 

In Windows 2003 you had an option to allow the CSP to interact with the desktop in the following UI for 2k3:

 

image

 

image

However, in Server 2008 ADCS , the options wording has changed a little bit:

"Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA"

clip_image002[1] 

Hope it helps someone one day - I spent a bunch of time on this before a kindly dev pointed out the obvious here.

I had a whole post all about how to workaround the fact that the CSP could not interact with the desktop...

Anyway.. here is what you will then see when the CA needs to interact:

You will see a little blinky box on your taskbar.. click on it.

clip_image002[3]

You will see the interactive services desktop ( light blue ) and the nCIPhER dialog up pending the OCS insertion\PINs

clip_image004

clip_image006

spat

Comments

  • Anonymous
    July 16, 2008
    Thanks a bunch. I had this problem before and I had solved it. I ran into it again and did not remember my last solution (which was the same :)) Thanks again. Manish

  • Anonymous
    October 10, 2008
    Hi , But what's the situation with AD RMS

  • Anonymous
    October 11, 2008
    Rado - can you elaborate?

  • Anonymous
    October 12, 2008
    Hello , We tried to install AD RMS Services on server 2008 by using Ncipher HSM and OCS.Operation fall with error "time out" because the system waits for the OCS quorum.The problem is that when we install AD RMS there is no option like "Allow CSP to interact with desktop" and that is the reason that ncipher ocs wizard did not appear.Is there any metod to make CSP to intract with desktop? Thank you very much in advance.

  • Anonymous
    October 20, 2008
    I dont believe you can use OCS protection - you need to use module protection.  I am not 100% sure on that one, but like 97% :) spat

  • Anonymous
    October 23, 2008
    Thank you Yes ,the solution is to use module protection.That make thinks look simple because we do not use smart cards every time application uses the key  

  • Anonymous
    April 02, 2009
    Hi, I am getting the Error - "Object already exists. 0x8009000f" in Windows 2008 R2.

  • Anonymous
    April 03, 2009
    Can u paste the relevant portion of the debug logs under windowscertocm.log