Monday, November 30, 2015

Online Responder Service failed to create an enrollment request

Q: The customer implemented an internal CA structure with an OCSP server.  After a few weeks they began getting these two errors in their Application Event Logs every few hours.

The Online Responder Service could not locate a signing certificate for configuration ******.(Cannot find the original signer. 0x8009100e (-2146889714))

The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning for configuration *********.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))

A: After weeks of arguing with Microsoft support we reached a fourth tech who immediately identified the issue.  It was a simple registry key.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection 
ForceKeyProtection has a value of 1.
They suggested we delete the key, reboot, reconfigure the OCSP server and they haven't seen the error since.

NOTE: Check this setting first. If a GPO is used to enable it, you'll have to address that GPO to keep the change permanent; otherwise the registry key will come back on the next policy refresh.

Security Settings>Local Policies>Security Options>"System Cryptography: Force Strong Key Protection for User Keys stored on the computer"
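The following PowerShell script is an added example, not part of the original post or anything from Microsoft support: it reads the ForceKeyProtection value from the policy hive named above, explains what the value means for a non-interactive service like the Online Responder, and runs gpresult so you can find the GPO that sets it before removing the value. The output file name under $env:TEMP and the function name Get-ForceKeyProtection are assumptions chosen for this example.

```powershell
# Added example (not from the original post): audit the ForceKeyProtection
# policy value that the post identifies as the cause of the OCSP signing
# certificate enrollment error, and show where the value comes from.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$valueName  = 'ForceKeyProtection'

function Get-ForceKeyProtection {
    # Returns $null when the value is absent (no policy enforced).
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$value = Get-ForceKeyProtection

if ($null -eq $value) {
    Write-Host 'ForceKeyProtection is not set: strong key protection is not enforced by policy.'
}
elseif ($value -eq 0) {
    Write-Host 'ForceKeyProtection = 0: no user input is required when stored keys are used.'
}
elseif ($value -eq 1) {
    # Value 1 means the user is prompted the first time a key is used. A service
    # has no interactive desktop to show that prompt on, which is what the
    # "requires an interactive window station" (1459 / 0x800705b3) error reports.
    Write-Host 'ForceKeyProtection = 1: prompt on first key use. This blocks the Online Responder service from enrolling its signing certificate.'
}
elseif ($value -eq 2) {
    Write-Host 'ForceKeyProtection = 2: a password is required on every key use. Also incompatible with a non-interactive service.'
}

# Values under HKLM\SOFTWARE\Policies are written by Group Policy, so deleting
# the value by hand only lasts until the next policy refresh. Generate a
# resultant-set-of-policy report (elevated prompt required) and look for the
# security option "System Cryptography: Force strong key protection for user
# keys stored on the computer" to find the GPO that needs to be changed.
$report = Join-Path $env:TEMP 'gpresult-crypto.html'   # assumed file name
gpresult /h $report /f
Write-Host "Review $report for the 'Force strong key protection' setting and its source GPO."

# Once the GPO no longer enforces the setting, remove the local value.
# -WhatIf shows what would be removed; drop it to actually delete the value,
# then reboot and reconfigure the OCSP server as the post describes.
if ($null -ne $value) {
    Remove-ItemProperty -Path $policyPath -Name $valueName -WhatIf
}
```

Run this in an elevated PowerShell session on the OCSP server. If the policy report attributes the setting to a GPO, fix the GPO (or move the server out of its scope) before deleting the registry value; otherwise the value returns on the next Group Policy refresh and the enrollment errors resume.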