Windows 2008 CA fails install (ADCS): Object already exists. 0x8009000f

During the installation of Windows Server 2008 (2k8) Certificate Services (ADCS), the installation fails with the following error:

[screenshot: the installation error dialog]

The installation debug log at \windows\certocm.log will show something similar to the following:


202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

0.299.965: Message Box: Microsoft Active Directory Certificate Services: 6

0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)

.299.965: Message Box: Microsoft Active Directory Certificate Services: 6

109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)

109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)

114.5848.949: End: CCertSrvSetup::Install: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.

Object already exists. 0x8009000f (-2146893809): Object already exists. 0x8009000f (-2146893809)
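To make a log like the one above quicker to triage, here is a small parser, added to this post and not part of the original or of any Microsoft tooling, that walks certocm.log entries, pulls out the stage, the HRESULT and the key container and CSP names, and cross-checks the hex HRESULT against the signed decimal that certocm.log prints beside it. The sample log embedded in the script is constructed from the lines quoted above so it runs offline; the name NTE_EXISTS for 0x8009000F comes from winerror.h.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: single-line versions of the certocm.log entries quoted in the post.
SAMPLE_CERTOCM_LOG = """\
202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809)
0.299.965: Message Box: Microsoft Active Directory Certificate Services: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.
109.1880.439: Create Certificate: Object already exists. 0x8009000f (-2146893809)
109.2552.443: Install Server: Object already exists. 0x8009000f (-2146893809)
114.5848.949: End: CCertSrvSetup::Install: An error occurred when creating the new key container "TestHSMSPat". You do not have write access permission to the key container. Please use a different CA name.
"""

# HRESULT seen in the log; the symbolic name is NTE_EXISTS in winerror.h ("Object already exists.").
NTE_EXISTS = 0x8009000F

# "<stamp>: <stage>: <rest>" is the entry layout certocm.log uses for the lines above.
LINE_RE = re.compile(r"^(?P<stamp>\d*\.\d+\.\d+): (?P<stage>[^:]+): (?P<rest>.*)$")
# certocm.log prints failures as "0x<8 hex digits> (<signed decimal>)".
HRESULT_RE = re.compile(r"0x(?P<hex>[0-9a-fA-F]{8}) \((?P<dec>-?\d+)\)")
CONTAINER_RE = re.compile(r'key container "(?P<name>[^"]+)"')


def hresult_to_signed(hr: int) -> int:
    """Convert a 32-bit unsigned HRESULT to the signed value certocm.log prints in parentheses."""
    hr &= 0xFFFFFFFF
    return hr - (1 << 32) if hr & 0x80000000 else hr


@dataclass
class LogEvent:
    stamp: str
    stage: str
    message: str
    hresult: Optional[int]      # None when the entry carries no HRESULT
    container: Optional[str]    # key container name, if the entry mentions one
    csp: Optional[str]          # CSP name, only known from "Generate Keys" entries


def parse_certocm(text: str) -> List[LogEvent]:
    """Parse certocm.log text into events; raises if a line's hex and decimal HRESULTs disagree."""
    events: List[LogEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation or blank line; not an entry header
        stage, rest = m.group("stage").strip(), m.group("rest")
        hresult = None
        h = HRESULT_RE.search(rest)
        if h:
            hresult = int(h.group("hex"), 16)
            if hresult_to_signed(hresult) != int(h.group("dec")):
                raise ValueError(f"hex/decimal HRESULT mismatch: {raw}")
        container = csp = None
        if stage == "Generate Keys":
            # Layout: "<container>: <CSP name>: <key spec>(<bits>): <result>"
            parts = rest.split(": ")
            if len(parts) >= 2:
                container, csp = parts[0], parts[1]
        else:
            c = CONTAINER_RE.search(rest)
            if c:
                container = c.group("name")
        events.append(LogEvent(m.group("stamp"), stage, rest, hresult, container, csp))
    return events


def failed_stages(events: List[LogEvent]) -> List[str]:
    """Stages whose entry carries an HRESULT with the severity (failure) bit set."""
    return [e.stage for e in events if e.hresult is not None and e.hresult & 0x80000000]


def first_failure(events: List[LogEvent]) -> Optional[LogEvent]:
    """The earliest failing entry: the stage to look at before the cascaded errors that follow it."""
    for e in events:
        if e.hresult is not None and e.hresult & 0x80000000:
            return e
    return None


if __name__ == "__main__":
    evs = parse_certocm(SAMPLE_CERTOCM_LOG)
    f = first_failure(evs)
    if f:
        print(f"first failure in stage '{f.stage}': container={f.container} csp={f.csp} "
              f"hresult=0x{f.hresult:08x} ({hresult_to_signed(f.hresult)})")
    print("failed stages:", failed_stages(evs))
```

Run against a real certocm.log by reading the file into `parse_certocm`; the point of `first_failure` is that the "Create Certificate" and "Install Server" errors are downstream of the key-generation failure, so the first failing stage is the one to investigate.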

The following assumptions are made:

1. You are using an nCipher HSM.

2. You are using Operator Card Set (OCS) key protection.

3. You are running Windows Server 2008.


In Windows Server 2003 you had an option to allow the CSP to interact with the desktop, shown in the following 2k3 UI:

[two screenshots: Windows Server 2003 CA setup UI showing the CSP desktop-interaction option]

However, in Server 2008 ADCS the option's wording has changed slightly:

"Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)"

[screenshot: Windows Server 2008 ADCS setup showing the strong private key protection option]

Hope it helps someone one day. I spent a bunch of time on this before a kindly dev pointed out the obvious here.

I had a whole post all about how to work around the fact that the CSP could not interact with the desktop...

Anyway, here is what you will then see when the CA needs to interact:

You will see a little blinky box on your taskbar. Click on it.

[screenshot: taskbar notification from Interactive Services Detection]

You will see the interactive services desktop (light blue) and the nCipher dialog waiting for the OCS insertion and PIN entry.

[two screenshots: the interactive services desktop with the nCipher OCS dialog]

spat