Is registry access required?

Mar 28, 2014 at 1:10 PM
When trying to simply connect to a CA prior to doing some reporting, I'm getting this error:
PS C:\Users\skp > connect-certificationauthority -ComputerName FQDN.ca.example.com

New-Object : Exception calling ".ctor" with "1" argument(s): "Requested registry access is not allowed."
At C:\Users\skp\Documents\WindowsPowerShell\Modules\PSPKI\Server\Connect-CertificationAuthority.ps1:13 char:4
+             New-Object PKI.CertificateServices.CertificateAuthority $CName
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
Is registry access required? What keys is the code trying to access?

When I use "Get-CertificationAuthority -ComputerName fqdn.ca.example.com", the result comes back null (not sure if this is related or not; I've never used this method before attempting to troubleshoot this issue).

I'm on PSv3 and using PSPKI v2.8, with no other modules.

Any thoughts on how to troubleshoot this further?
Coordinator
Mar 28, 2014 at 1:41 PM
Edited Mar 28, 2014 at 1:42 PM
Can you supply stack trace?
Once the error is thrown, call: $error[0].exception.innerexception.stacktrace

The behavior of this command is to retrieve configuration data by using the remote registry by default. If the remote registry fails, the code falls back to an ICertAdmin DCOM connection. From what I see, you don't have sufficient permissions to access the CA configuration.
Mar 28, 2014 at 2:39 PM
From Remote Workstation:
> $error[0].exception.innerexception.stacktrace
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at PKI.Utils.CryptoRegistry.GetRReg(String entry, String caName, String computerName, String node)
   at PKI.CertificateServices.CertificateAuthority.get_config(String computerName, String configString)
   at PKI.CertificateServices.CertificateAuthority.initializeFromServerName(String computerName)
   at PKI.CertificateServices.CertificateAuthority..ctor(String computerName)
I thought I'd try this locally on the CA (running PSv2), and I'm getting these errors (note: same response with the short name):
> connect-certificationauthority -ComputerName FQDN.ca.example.com 
New-Object : Exception calling ".ctor" with "1" argument(s): "There is no such object on the server.
"
At C:\Users\skp\Documents\WindowsPowerShell\Modules\pspki\Server\Connect-CertificationAuthority.ps1:13 char:14
+             New-Object <<<<  PKI.CertificateServices.CertificateAuthority $CName
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

> $error[0].exception.innerexception.stacktrace
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at PKI.CertificateServices.CertificateAuthority.get_ds()
   at PKI.CertificateServices.CertificateAuthority..ctor(String computerName)
> connect-certificationauthority -ComputerName localhost
New-Object : Exception calling ".ctor" with "1" argument(s): "Requested registry access is not allowed."
At C:\Users\skp\Documents\WindowsPowerShell\Modules\pspki\Server\Connect-CertificationAuthority.ps1:13 char:14
+             New-Object <<<<  PKI.CertificateServices.CertificateAuthority $CName
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodInvocationException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

> $error[0].exception.innerexception.stacktrace
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at PKI.Utils.CryptoRegistry.GetRReg(String entry, String caName, String computerName, String node)
   at PKI.CertificateServices.CertificateAuthority.get_config(String computerName, String configString)
   at PKI.CertificateServices.CertificateAuthority..ctor(String computerName)
I'm not a local admin on the CA server, but I do have Administrator privileges on the CA. Do you know what key is being accessed in the registry? I will try to dig into permissions on the CA and see what I can find.
Coordinator
Mar 28, 2014 at 3:46 PM
I will take a look and return to you soon.

P.S. Just to clarify: make sure that you are logged in via a domain account. And what type is your CA? Enterprise or Standalone?
Mar 28, 2014 at 4:04 PM
Correct, I am logged in using my domain account both remote and locally on the CA server. This CA is a Standalone.
Coordinator
Mar 28, 2014 at 4:27 PM
I looked at the code and I see that Remote Registry (when connecting remotely) is working; however, you do not have permissions to access the CA configuration key: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration. Can you show the permissions on this key?
Coordinator
Mar 28, 2014 at 4:52 PM
When I use "Get-CertificationAuthority -ComputerName fqdn.ca.example.com", the result comes back null (not sure if this is related or not; I've never used this method before attempting to troubleshoot this issue).
It is null because Get-CertificationAuthority returns only Enterprise CAs, so it is expected behavior.
Mar 28, 2014 at 6:55 PM
Camelot wrote:
I looked at the code and I see that Remote Registry (when connecting remotely) is working; however, you do not have permissions to access the CA configuration key: HKLM\System\CurrentControlSet\Services\CertSvc\Configuration. Can you show the permissions on this key?
Effective Permissions:
Query Value
Enumerate Subkeys
Notify
Read Control

I happened to click on HKLM\System\CurrentControlSet\Services\CertSvc\Security, and I do not have access to that key.
Coordinator
Mar 28, 2014 at 6:57 PM
Apparently, someone changed permissions in the registry. Make sure you remove all explicit permissions and replace them with inheritable ones (they should inherit from the Services key).
Mar 28, 2014 at 7:45 PM
I totally agree something changed on the system; I'm working up those channels to figure out what that is, but I'm being asked "what I need", not "what they broke", which is frustrating.

To clarify, the permissions on CertSvc\Configuration are inherited; the permissions listed are the effective permissions of my user ID on those keys.
Coordinator
Mar 28, 2014 at 8:59 PM
I already answered -- the key must have only inherited permissions from the Services key. Just open the Services key permissions and you will see there are several ACEs (I don't remember exactly). System and Administrators have Full Control, Domain Users -- Read, and there should be Creator Owner too.
Mar 29, 2014 at 8:58 PM
The permissions are set to inherit from the Services key.

Users: Query Value, Enumerate Subkeys, Notify, Read Control
Administrators: Full Control
Creator Owner: Full Control
SYSTEM: Full Control

I'm seeing the same issue on a test CA where I am local admin, and I'm getting exactly the same results, even though I have Full Control permissions on the registry.

Are there other services which could be limiting this access? Other ideas?
Coordinator
Mar 30, 2014 at 8:21 AM
Make sure that the subkeys under the CertSvc key have the same permissions. And what about the Remote Registry service?
Apr 4, 2014 at 7:43 PM
CertSvc and its subkeys have the same inherited perms, and Remote Registry is running.
Coordinator
Apr 15, 2014 at 5:23 AM
I tried various tests and was unable to repro the issue. Can you connect to the specified registry key via Regedit by connecting to the remote registry?
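The check the coordinator is asking for can be scripted: open the same keys over the Remote Registry service, the way CryptoRegistry.GetRReg does in the stack traces above, and list each key's ACEs with their inheritance flag so that explicit entries below the Services key stand out. This is an added diagnostic written for this thread, not PSPKI code; it assumes PowerShell 3 or later, a domain account, and that FQDN.ca.example.com is a placeholder for the CA host.

```powershell
# Added diagnostic, not part of PSPKI. Assumes PS 3+, a domain account, and that
# 'FQDN.ca.example.com' is a placeholder for the CA host name.
function Test-CertSvcRegistryAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    $services = 'SYSTEM\CurrentControlSet\Services'
    $paths = @($services, "$services\CertSvc", "$services\CertSvc\Configuration")

    # Same first route PSPKI takes: the Remote Registry service on the CA.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    } catch {
        Write-Warning "Remote Registry unreachable on ${ComputerName}: $($_.Exception.Message)"
        return
    }

    foreach ($path in $paths) {
        $status = 'opened'; $aces = @()
        try {
            # Read-only open, which is what CryptoRegistry.GetRReg does in the trace above.
            $key = $hklm.OpenSubKey($path, $false)
            if ($null -eq $key) {
                $status = 'missing'
            } else {
                # Reading the DACL needs only READ_CONTROL, which the poster's account has.
                $aces = $key.GetAccessControl().Access | ForEach-Object {
                    $kind = if ($_.IsInherited) { 'inherited' } else { 'EXPLICIT' }
                    "{0}: {1} {2} [{3}]" -f $_.IdentityReference, $_.AccessControlType,
                                             $_.RegistryRights, $kind
                }
                $key.Close()
            }
        } catch [System.Security.SecurityException] {
            $status = "denied: $($_.Exception.Message)"   # the error PSPKI surfaces
        } catch {
            $status = "error: $($_.Exception.Message)"
        }
        # EXPLICIT ACEs on CertSvc or Configuration break the inheritance from Services
        # that the coordinator expects; Users should show only inherited Read rights.
        [pscustomobject]@{ Key = "HKLM\$path"; Status = $status; Aces = $aces }
    }
    $hklm.Close()
}

Test-CertSvcRegistryAccess -ComputerName 'FQDN.ca.example.com' | Format-List
```

Run it from the remote workstation first and then locally on the CA with -ComputerName localhost, since the thread shows both paths failing; a 'denied' status on Configuration while Services opens fine points at the key-level DACL rather than at the Remote Registry service.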