Windows 2008 CA fails install (ADCS): Object already exists. 0x8009000f


During the installation of Windows Server 2008 (2k8) Certificate Services (ADCS), the installation fails with the following error:


 


 clip_image002


The installation debug logs under \windows\certocm.log will show something similar to the following:



 



202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container “TestHSMSPat”. You do not have write access permission to the key container. Please use a different CA name.


 Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)


0.299.965: Message Box: Microsoft Active Directory Certificate Services: 6


0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container “TestHSMSPat”. You do not have write access permission to the key container. Please use a different CA name.


Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)


.299.965: Message Box: Microsoft Active Directory Certificate Services: 6


109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)


109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)


114.5848.949: End: CCertSrvSetup::Install: An error occurred when creating the new key container “TestHSMSPat”. You do not have write access permission to the key container. Please use a different CA name.


Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)


The following assumptions are made:

1. You are using an nCipher HSM.

2. You are using Operator Card Set (OCS) key protection.

3. You are running Windows Server 2008.
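
An added example (not from the original post): a small Python parser that pulls the stage, key container, provider and HRESULT out of certocm.log lines like those above and checks whether the failure matches the scenario described here. The function names and the sample log are constructed for illustration, and the line layout is assumed from the excerpt shown in this post.

```python
import re

# Constructed sample, modelled on the certocm.log excerpt in this post.
SAMPLE_LOG = """\
202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)
109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)
109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)
"""

NTE_EXISTS = 0x8009000F  # "Object already exists."

# Assumed layout: <n>.<n>.<n>: <stage>: <detail>
LINE_RE = re.compile(r"^\s*(\d*\.\d+\.\d+): ([^:]+): (.*)$")
# HRESULT as printed by setup: hex, then the same value as signed 32-bit decimal
HRESULT_RE = re.compile(r"(0x[0-9a-fA-F]{8}) \((-?\d+)\)")
# Generate Keys detail: <container>: <provider>: 0x<bits hex>(<bits dec>): ...
KEYGEN_RE = re.compile(r"^([^:]+): ([^:]+): 0x[0-9a-fA-F]+\((\d+)\):")


def parse_certocm(text):
    """Return one dict per log line that carries an HRESULT."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        h = HRESULT_RE.search(line)
        if not (m and h):
            continue
        code = int(h.group(1), 16)
        # Convert to signed 32-bit and compare with the decimal the log printed.
        signed = code - (1 << 32) if code & 0x80000000 else code
        event = {"stage": m.group(2), "hresult": code,
                 "consistent": signed == int(h.group(2))}
        k = KEYGEN_RE.match(m.group(3))
        if k:
            event.update(container=k.group(1), provider=k.group(2),
                         key_bits=int(k.group(3)))
        events.append(event)
    return events


def matches_post_scenario(events):
    """True if key generation failed with NTE_EXISTS on an nCipher CSP."""
    return any(e["stage"] == "Generate Keys" and e["hresult"] == NTE_EXISTS
               and "ncipher" in e.get("provider", "").lower() for e in events)


if __name__ == "__main__":
    for e in parse_certocm(SAMPLE_LOG):
        print(e)
    print("matches post scenario:", matches_post_scenario(parse_certocm(SAMPLE_LOG)))
```
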


 


In Windows 2003 you had an option to allow the CSP to interact with the desktop in the following UI for 2k3:


 

image

 


image


However, in Server 2008 ADCS, the same option is still there, but its wording has changed a little bit:

“Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)”



clip_image002[1] 


Hope it helps someone one day – I spent a bunch of time on this before a kindly dev pointed out the obvious here.


I had a whole post all about how to work around the fact that the CSP could not interact with the desktop…


Anyway.. here is what you will then see when the CA needs to interact:


You will see a little blinky box on your taskbar.. click on it.


clip_image002[3]


You will see the interactive services desktop (light blue) and the nCipher dialog up, pending the OCS insertion\PINs.


clip_image004


clip_image006


spat


 


Comments (8)

  1. Manish Mehta says:

    Thanks a bunch. I had this problem before and I had solved it. I ran into it again and did not remember my last solution (which was the same :))

    Thanks again.

    Manish

  2. Rado says:

    Hi ,

    But what’s the situation with AD RMS?

  3. SpatDSG says:

    Rado – can you elaborate?

  4. Rado says:

    Hello ,

    We tried to install AD RMS Services on Server 2008 by using nCipher HSM and OCS. The operation failed with the error "time out" because the system waits for the OCS quorum. The problem is that when we install AD RMS there is no option like "Allow CSP to interact with desktop", and that is the reason that the nCipher OCS wizard did not appear. Is there any method to make the CSP interact with the desktop?

    Thank you very much in advance.

  5. SpatDSG says:

    I don't believe you can use OCS protection – you need to use module protection. I am not 100% sure on that one, but like 97% 🙂

    spat

  6. rado says:

    Thank you

    Yes, the solution is to use module protection. That makes things look simple because we do not use smart cards every time the application uses the key.

  7. Partha says:

    Hi,

    I am getting the Error – "Object already exists. 0x8009000f" in Windows 2008 R2.

  8. SpatDSG says:

    Can u paste the relevant portion of the debug logs under \windows\certocm.log?