The Online Responder Service could not locate a signing certificate for configuration ******.(Cannot find the original signer. 0x8009100e (-2146889714))
The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning for configuration *********.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))
A: After weeks of arguing with Microsoft support we reached a fourth tech who immediately identified the issue. It was a simple registry key.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
ForceKeyProtection has a value of 1.
They suggested we delete the key, reboot, reconfigure the OCSP server and they haven't seen the error since.
NOTE: You might have to check this setting. If there is a GPO used to enable it, you'll have to address that to keep the change permanent. Otherwise that reg key will come back.
Security Settings>Local Policies>Security Options>"System Cryptography: Force Strong Key Protection for User Keys stored on the computer"
No comments:
Post a Comment