Spat's WebLog (Steve Patrick)

When things go wrong...

Windows 2008 CA fails install ( ADCS ) : Object already exists. 0x8009000f


During the installation of Windows Server 2008 (2k8) Certificate Services (ADCS), the installation fails with the following error:

 

[Screenshot: installation error dialog]

The installation debug logs under \windows\certocm.log will show something similar to the following:

 

202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

 Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: 6

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

.299.965: Message Box: Microsoft Active Directory Certificate Services: 6

109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)

109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)

114.5848.949: End: CCertSrvSetup::Install: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)
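As an added example (not part of the original post, and not Microsoft or nCipher tooling), this Python sketch triages a certocm.log excerpt like the one above: for each line ending in an HRESULT it extracts the failing step and, for the key-generation line, the key container, CSP and key length, and it checks that the hex and signed-decimal forms of the code agree. The function names and the line pattern are assumptions inferred from the excerpt shown here.

```python
import re

# Constructed sample: three lines copied from the certocm.log excerpt above.
SAMPLE_LOG = """\
202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)
109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)
109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)
"""

# <numeric prefix>: <step>: [details:] <message> 0x<8 hex digits> (<signed decimal>)
LINE_RE = re.compile(
    r"^\s*(?P<loc>[\d.]+): (?P<body>.*?) (?P<hex>0x[0-9a-fA-F]{8}) \((?P<dec>-?\d+)\)\s*$")
# Generate Keys: <container>: <CSP>: 0x<bits in hex>(<bits>): <message>
KEYGEN_RE = re.compile(
    r"^Generate Keys: (?P<container>[^:]+): (?P<csp>[^:]+): 0x[0-9a-fA-F]+\((?P<bits>\d+)\): ")

def to_signed32(value):
    """HRESULTs are 32-bit; the log prints them as hex and as signed decimal."""
    return value - (1 << 32) if value & 0x80000000 else value

def parse_failures(text):
    """Return one dict per log line that ends in an HRESULT."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # message-box text and continuation lines carry no prefix/code pair
        hr = int(m["hex"], 16)
        entry = {"step": m["body"].split(":", 1)[0], "hresult": hr,
                 "consistent": to_signed32(hr) == int(m["dec"])}
        k = KEYGEN_RE.match(m["body"])
        if k:
            entry.update(container=k["container"], csp=k["csp"], bits=int(k["bits"]))
        out.append(entry)
    return out

def first_keygen_failure(text, hresult=0x8009000F):  # 0x8009000F is NTE_EXISTS
    """The key-generation line names the container and CSP; later steps repeat the code."""
    for e in parse_failures(text):
        if e["hresult"] == hresult and "container" in e:
            return e
    return None

if __name__ == "__main__":
    print(first_keygen_failure(SAMPLE_LOG))
```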

The following assumptions are made:

1. You are using an nCipher HSM.

2. You are using Operator Card Set (OCS) key protection.

3. You are running Windows Server 2008.

 

In Windows 2003 you had an option to allow the CSP to interact with the desktop in the following UI for 2k3:

 

[Screenshots: Windows Server 2003 setup UI]

However, in Server 2008 ADCS, the option's wording has changed a little bit:

"Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)"

Hope it helps someone one day - I spent a bunch of time on this before a kindly dev pointed out the obvious here.

I had a whole post all about how to work around the fact that the CSP could not interact with the desktop...

Anyway.. here is what you will then see when the CA needs to interact:

You will see a little blinky box on your taskbar.. click on it.


You will see the interactive services desktop (light blue) and the nCipher dialog up pending the OCS insertion\PINs.

spat

 

  • Thanks a bunch. I had this problem before and I had solved it. I ran into it again and did not remember my last solution (which was the same :))

    Thanks again.

    Manish

  • Hi ,

    But what's the situation with AD RMS?

  • Rado - can you elaborate?

  • Hello ,

    We tried to install AD RMS Services on Server 2008 using an nCipher HSM and OCS. The operation fails with error "time out" because the system waits for the OCS quorum. The problem is that when we install AD RMS there is no option like "Allow CSP to interact with desktop", and that is the reason that the nCipher OCS wizard did not appear. Is there any method to make the CSP interact with the desktop?

    Thank you very much in advance.

  • I don't believe you can use OCS protection - you need to use module protection. I am not 100% sure on that one, but like 97% :)

    spat

  • Thank you

    Yes, the solution is to use module protection. That makes things look simple because we do not use smart cards every time the application uses the key.

  • Hi,

    I am getting the Error - "Object already exists. 0x8009000f" in Windows 2008 R2.

  • Can you paste the relevant portion of the debug logs under \windows\certocm.log?
