Exception calling "GetCA" with "2" argument(s): "There is no such object on the server. "

Jul 2, 2012 at 6:39 PM

After installing 1.8.1, I get the following error.

Exception calling "GetCA" with "2" argument(s): "There is no such object on the server."

At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSPKI\Get-CertificationAuthority.ps1:14 char:74
+         "__ComputerSet" {[PKI.CertificateAuthority.CertificateAuthority]::GetCA <<<< ("Server",$ComputerName)}
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

 

I get the same error on Server 2008 and Windows 7....

 

Thanks,

Scott Hahn

Coordinator
Jul 2, 2012 at 7:39 PM

The error indicates that your local domain controller has no information (or it is incorrect) about the CA under the Enrollment Services container. Can you please show me the entry name (or names) that you see in ADSIEdit.msc when connecting to the configuration naming context and then: CN=Services, CN=Public Key Services, CN=Enrollment Services? Only the record names are enough.

Jul 2, 2012 at 7:50 PM

Here are the names of the CAs...

Name                    
CN=BelronUSvmeuswpca011 
CN=BelronUSvmeuswpca012 
CN=US Intermediate CA 021
CN=US Intermediate CA 022
CN=US Intermediate CA 023

My workstation's domain is a subdomain of the CA's domain...

mycomputer.mydomain.maindomain.net

caname.maindomain.net

My userid is a member of the admin-ca group...

Thanks for any assistance....

 

Scott

Coordinator
Jul 2, 2012 at 8:17 PM

Can you please make another check: run the following commands in a PowerShell console:

$Domain = [system.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name.Replace(".", ",DC=");
$adsi = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=$Domain"
$adsi.psbase.children | %{$_.cn}

and show results? The results should be the same (without CN prefixes) as you already posted.

Jul 2, 2012 at 8:42 PM

Found the issue..

Our CAs are at the forest level. If I change the line as follows, it works...

$Domain = [system.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Forest.Name.Replace(".", ",DC=");

Adding .Forest worked for me with this command....

Scott

Coordinator
Jul 2, 2012 at 8:56 PM

This should not be an issue. CAs are registered in the configuration naming context, which is a forest-wide Active Directory partition. All information in the Configuration partition is replicated between all domain controllers in the forest (including subdomains and other trees in the forest). However, thanks for the information. I'll check it internally and will let you know.

Jul 3, 2012 at 3:12 PM
Camelot wrote:

This should not be an issue. CAs are registered in the configuration naming context, which is a forest-wide Active Directory partition. All information in the Configuration partition is replicated between all domain controllers in the forest (including subdomains and other trees in the forest). However, thanks for the information. I'll check it internally and will let you know.

That's correct, but it seems you are opening the DN in the current domain, which is not always the forest root, to which the "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration" is bound.

Bye, Claudio
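
The point made in the reply above, as an added example that is not part of the thread or of PSPKI: the Enrollment Services DN built from a child domain name does not exist, while the Configuration partition DN read from RootDSE is correct anywhere in the forest. Function and variable names are hypothetical; the DNS names are the placeholders used earlier in the thread.

```powershell
# Added example; function names are hypothetical, DNS names are the thread's placeholders.
$EnrollmentPath = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'

function ConvertTo-DomainDN {
    param([Parameter(Mandatory = $true)][string]$DnsName)
    # "mydomain.maindomain.net" -> "DC=mydomain,DC=maindomain,DC=net"
    ($DnsName.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Offline comparison of the two DNs discussed in the thread.
$fromCurrentDomain = "$EnrollmentPath,$(ConvertTo-DomainDN 'mydomain.maindomain.net')"
$fromForestRoot    = "$EnrollmentPath,$(ConvertTo-DomainDN 'maindomain.net')"
"Current domain : $fromCurrentDomain   (no such object when run from a child domain)"
"Forest root    : $fromForestRoot"

function Get-EnterpriseCA {
    # Ask the directory for the Configuration partition DN instead of deriving it
    # from a domain name; RootDSE reports the same value on every DC in the forest.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    if (-not $configNC) { throw 'RootDSE did not return configurationNamingContext.' }

    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $container.psbase.Children | Select-Object @{ Name = 'Name'; Expression = { [string]$_.cn } },
        @{ Name = 'DnsHostName'; Expression = { [string]$_.dNSHostName } }
}

# Live query; only succeeds on a domain-joined machine.
try { Get-EnterpriseCA } catch { Write-Warning "Directory lookup failed: $($_.Exception.Message)" }
```
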

Coordinator
Jul 3, 2012 at 3:46 PM
This discussion has been copied to a work item.