Monday, November 30, 2015
Online Responder Service failed to create an enrollment request
Q: The customer implemented an internal CA structure with an OCSP server. After a few weeks they began getting these two errors in their Application Event Logs every few hours.
The Online Responder Service could not locate a signing certificate for configuration ******.(Cannot find the original signer. 0x8009100e (-2146889714))
The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning for configuration *********.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))
A: After weeks of arguing with Microsoft support we reached a fourth tech who immediately identified the issue. It was a simple registry key.
ForceKeyProtection has a value of 1.
They suggested we delete the key, reboot, and reconfigure the OCSP server, and they haven't seen the error since.
NOTE: You might have to check this setting. If there is a GPO used to enable it, you'll have to address that to keep the change permanent. Otherwise that reg key will come back.
Security Settings>Local Policies>Security Options>"System Cryptography: Force Strong Key Protection for User Keys stored on the computer"
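The check and fix above, as an added PowerShell example (not from the original post or from Microsoft support). It assumes the value sits under HKLM\SOFTWARE\Policies\Microsoft\Cryptography, which the post does not state, and it treats a text match in the gpresult report as a heuristic for "delivered by GPO". With key protection forced, using the private key requires a user prompt, which a service cannot display; that matches the "interactive window station" error.

```powershell
# Added example, not from the original post. Run elevated on the OCSP host.
# Assumption: ForceKeyProtection is the policy value under this key.
$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$valueName = 'ForceKeyProtection'

# 1. Read the current value (the post found it set to 1).
$prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "$valueName is not present."
} else {
    Write-Output "$valueName = $($prop.$valueName)"
}

# 2. Check whether Group Policy delivers the setting. If it does, deleting the
#    registry value locally will not survive the next policy refresh.
#    Heuristic: search the computer-scope RSoP report for the value name.
$report = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope computer /x $report /f | Out-Null
$fromGpo = Select-String -Path $report -Pattern $valueName -SimpleMatch -Quiet
Remove-Item $report -ErrorAction SilentlyContinue
if ($fromGpo) {
    Write-Output 'Setting appears in the RSoP report: change it in the GPO.'
} else {
    Write-Output 'Setting not found in the RSoP report: likely a local value.'
}

# 3. Preview the removal described in the post. Drop -WhatIf to apply it,
#    then reboot and reconfigure the Online Responder.
if ($prop) { Remove-ItemProperty -Path $keyPath -Name $valueName -WhatIf }

# 4. Afterwards, confirm the errors stop. Matching on message text avoids
#    assuming a provider name or event ID that the post does not give.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2
                                 StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Online Responder Service*' } |
    Select-Object TimeCreated, Id, Message
```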