PKISolutions / ADCS-SID-Extension-Policy-Module

MIT License

Request goes into pending mode and Exception at source: [CertTemplateCache::ReloadCache] #7

Closed DaniDinCrypt closed 5 months ago

DaniDinCrypt commented 11 months ago

Hi Vadim

thanks for this great work!

I have 2 issues (not sure they are correlated):

Issue 1 - After installing the module I get this error every few seconds in the ADCSCertMod.SID.Policy.log:

[7/27/2023 12:07:33 PM] Exception at source: [CertTemplateCache::ReloadCache]
Error message: An item with the same key has already been added.
Stack Trace:
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at ADCS.SidExtension.PolicyModule.CertTemplateCache.rebuildCache() in D:\a\1\s\src\ADCS.SidExtension.PolicyModule\CertTemplateCache.cs:line 88

Issue 2 - I submit a user request that matches a Template/Requester value. The request has a UPN extension and no SID extension. Both the trusted and untrusted SID extension policies are set to "Pass Through". For some reason the request goes into pending. If I issue the request I get a certificate with the SID extension added to it.

Here is what the ADCSCertMod.SID.Policy.log shows:

[7/27/2023 12:37:25 PM] Requested template is offline. Starting request processing.
[7/27/2023 12:37:25 PM] [Policy::VerifyRequest] Requester name: LAB\Admin
[7/27/2023 12:37:25 PM] Found matching entry in Template/Requester table.
[7/27/2023 12:37:25 PM] Reading request extensions.
[7/27/2023 12:37:25 PM] Found 10 extensions.
[7/27/2023 12:37:25 PM] Found SAN extension at index 5.
[7/27/2023 12:37:25 PM] Executing principal search from UPN.
[7/27/2023 12:37:25 PM] Alt principal name: Dan@Lab.local
[7/27/2023 12:37:25 PM] Returned SID: S-1-5-21-3942857219-4075480183-1002062675-3104


Here is the request:

PKCS7/CMS Message:
CMSG_SIGNED(2)
CMSG_SIGNED_DATA_CMS_VERSION(3)
Content Type: 1.3.6.1.5.5.7.12.2 CMC Data

PKCS7 Message Content:
================ Begin Nesting Level 1 ================
CMS Certificate Request:
Tagged Attributes: 1

Body Part Id: 2
1.3.6.1.4.1.311.10.10.1 CMC Attributes
Value[0]:
Data Reference: 0
Cert Reference[0]: 1
1 attributes:

Attribute[0]: 1.3.6.1.4.1.311.21.20 (Client Information)
Value[0][0], Length = 2d
Client Id: = 5 ClientIdDefaultRequest -- 5
User: LAB\admin
Machine: labapp20.Lab.Local
Process: MMC.EXE

Tagged Requests: 1
CMC_TAGGED_CERT_REQUEST_CHOICE:
Body Part Id: 1
================ Begin Nesting Level 2 ================
Element 0:
PKCS10 Certificate Request:
Version: 1
Subject: CN=Dan
Name Hash(sha1): b8495919a523df77c13a2735cbcdcca44a43bbfb
Name Hash(md5): afd3afe6c76b289b69ba961f5a9bb5cd

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters: 05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000  30 82 01 0a 02 82 01 01 00 b0 a6 22 5c 03 80 8a
0010  75 e3 6d e4 66 d6 be 73 50 fb b5 42 9b c1 f8 d4
0020  b5 35 f7 1a 59 5d 4e 55 03 ed 03 14 c5 1f 6d 0b
0030  0a 70 ab 53 85 f1 4c 3c ae 7c 89 71 45 e3 71 b1
0040  fd a7 72 e3 57 3c 00 a7 4f 63 67 d4 cc fb 99 87
0050  bb 17 31 59 3a 24 cc 0d a6 22 c6 09 d2 cd 91 91
0060  21 03 f2 71 60 df 28 8a 82 d2 db 23 08 f4 56 80
0070  0e e1 30 21 20 3d 85 2c 91 b2 22 d1 e3 cf 9a 12
0080  6f f5 07 e6 78 d6 2d c9 6b 7d 6a 6f ef 23 0e 94
0090  05 5a a1 58 dc a9 5e 54 84 76 80 9e 87 f7 88 57
00a0  cd 56 c0 ef 72 ce da 39 79 ca 60 a4 88 8d 5e 5f
00b0  95 a3 73 0e 8b 10 be b2 80 af 2c 95 e4 b4 01 ee
00c0  9e fc c0 53 6f 23 5f 00 b8 12 f1 03 a2 2d 63 24
00d0  3f 95 44 99 7e f1 6c 6e 48 6f 40 2c 2e a3 c4 b6
00e0  f0 c2 f3 4b 88 9f d9 4e 55 24 2d 59 4f 10 14 f8
00f0  a1 71 de 29 73 60 4c aa 9f 90 26 b2 2d fb 60 33
0100  e8 c6 05 a9 c3 23 c6 fd 95 02 03 01 00 01
Request Attributes: 4
4 attributes:

Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
Value[0][0], Length = e
10.0.17763.2

Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
Value[1][0], Length = 2d
Client Id: = 5 ClientIdDefaultRequest -- 5
User: LAB\admin
Machine: labapp20.Lab.Local
Process: MMC.EXE

Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
Value[2][0], Length = 58
CSP Provider Info
KeySpec = 1
Provider = Microsoft Strong Cryptographic Provider
Signature: UnusedBits=0

Attribute[3]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[3][0], Length = fa
Certificate Extensions: 6
1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2d
Certificate Template Information
    Template=NDES User Template(1.3.6.1.4.1.311.21.8.771466.8897920.9653376.15417.3030684.212.4658951.737699)
    Major Version Number=100
    Minor Version Number=7

2.5.29.37: Flags = 0, Length = 22
Enhanced Key Usage
    Client Authentication (1.3.6.1.5.5.7.3.2)
    Secure Email (1.3.6.1.5.5.7.3.4)
    Encrypting File System (1.3.6.1.4.1.311.10.3.4)

2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
    Digital Signature, Key Encipherment (a0)

1.3.6.1.4.1.311.21.10: Flags = 0, Length = 28
Application Policies
    [1]Application Certificate Policy:
         Policy Identifier=Client Authentication
    [2]Application Certificate Policy:
         Policy Identifier=Secure Email
    [3]Application Certificate Policy:
         Policy Identifier=Encrypting File System

2.5.29.17: Flags = 0, Length = 21
Subject Alternative Name
    Other Name:
         Principal Name=Dan@Lab.local

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
    2c9427d066fc7f8052d5e4bc16a3ee2866c80e20

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters: 05 00
Signature: UnusedBits=0
0000  1e 64 1b 67 5d 69 1f 7d bd 90 0e d2 b3 83 c6 4f
0010  e3 79 5d 46 b9 9f bc 90 69 51 bf 60 13 87 24 67
0020  e0 09 63 55 4f 1e f7 12 6c 67 5c 69 11 70 b1 0f
0030  5a c1 50 6d 8a 10 aa 84 17 37 dd 27 fd e6 6b 6f
0040  15 ec 68 ae 48 79 81 22 ca d4 af e9 fa c7 bc d8
0050  28 41 c5 d9 37 93 fc be 56 85 96 75 ac 76 42 11
0060  b8 82 d2 1c 37 55 65 f9 52 e6 e8 d9 41 71 73 4a
0070  39 07 6b 8e f8 14 b8 83 d5 a1 8f 6a 12 b5 6b 17
0080  d2 dd 56 43 95 57 7d 7e 35 a0 ef 8a 18 bd 3b f7
0090  de a3 d3 99 0d 4e 49 b6 c8 e9 7c f7 36 95 f3 d6
00a0  26 b8 34 4f 9d 37 62 0a 9a 33 5f 67 3c 41 a0 4e
00b0  7b 92 1f c8 34 05 1f 7f a3 19 ea 17 8f a4 5a 14
00c0  80 23 2d 59 51 5b 8d 9d 8a 7f bf 69 46 ad 9b 5e
00d0  21 44 d4 c0 ad 80 41 fd b9 3d 61 d7 2f 87 93 56
00e0  37 aa 39 f4 72 df 67 eb 95 ca 51 7b b2 8e 0a d2
00f0  4b 3e 40 a9 51 9b 90 1b da 2d a9 55 43 29 91 0f
Signature matches Public Key
Key Id Hash(rfc-sha1): 2c9427d066fc7f8052d5e4bc16a3ee2866c80e20
Key Id Hash(sha1): 4e849655b4b260db61da91a3399f65040ae94e1b
Key Id Hash(bcrypt-sha1): 39bd1bfff47ba9a219037c72f1edcac2e24be66b
Key Id Hash(bcrypt-sha256): c9e507ad0114a51e38181b9bdccd4700bb79ce329d5e7c093854effe8abdb69f
---------------- End Nesting Level 2 ----------------

Tagged Content Info: 0
Tagged Other Messages: 0
---------------- End Nesting Level 1 ----------------

Signer Count: 1

Signer Info[0]:
Signature matches request Public Key
CMSG_SIGNER_INFO_CMS_VERSION(3)
CERT_ID_KEY_IDENTIFIER(2)
0000  2c 94 27 d0 66 fc 7f 80 52 d5 e4 bc 16 a3 ee 28
0010  66 c8 0e 20
Hash Algorithm:
Algorithm ObjectId: 1.3.14.3.2.26 sha1 (sha1NoSign)
Algorithm Parameters: NULL
Encrypted Hash Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters: NULL
Encrypted Hash:
0000  68 a3 02 f6 69 24 7f e0 f9 07 a1 e4 6a 4f 82 86
0010  b6 ec 22 99 cb ee 69 d6 2e 27 8d 91 71 b2 af b3
0020  d8 c7 4a fc ac dd d2 4a 67 d5 56 31 af 39 bf 4e
0030  fa 6d ff 54 9e 60 11 8f a0 50 f5 69 9c 05 06 71
0040  1b 0e 46 f8 29 04 41 11 96 18 53 a4 e4 6e dd c9
0050  2c 0b 80 18 4b 2b 9d e1 57 62 e7 a2 f6 96 b7 51
0060  86 42 43 40 8e c8 fc 38 b8 7f 53 f8 f7 65 7d f3
0070  93 08 f4 44 16 ea c4 a0 ae 03 7a 06 39 05 f7 c5
0080  bc 3e d0 0c 0f 58 4d 9b 8c fe a4 0d 7f 19 bd e5
0090  99 fb 5d db 9b 9f 1e 67 01 5d 6b fc 4e 91 69 69
00a0  5c a0 10 f5 d6 27 42 df 81 c9 cd 4a 6d 90 93 1a
00b0  30 e0 82 e4 e3 27 f7 3e 89 be 81 22 3d 5f b6 a7
00c0  9a b2 7b f8 5e d9 aa ea 17 c4 60 6f 18 ea b3 2a
00d0  4a 7e d8 62 e3 b9 7a 21 8d 7d b8 56 83 6d 40 ae
00e0  a7 bf f1 59 61 5f 41 2c 44 cf e7 cf 8c b6 41 aa
00f0  d5 7b 2d 73 46 08 7f a8 8e ce c9 9b df 61 64 66

Authenticated Attributes[0]: 2 attributes:

Attribute[0]: 1.2.840.113549.1.9.3 (Content Type)
Value[0][0], Length = a
1.3.6.1.5.5.7.12.2 CMC Data

Attribute[1]: 1.2.840.113549.1.9.4 (Message Digest)
Value[1][0], Length = 16
Message Digest: e07597a62bdf4f7c4307a72bf4d550fa4ce4e0b6

Unauthenticated Attributes[0]: 0 attributes:

Computed Hash: bbe01a110c20439c86d4e9ac3b0979f6b4853ae6
No Recipient
Computed Hash: bbe01a110c20439c86d4e9ac3b0979f6b4853ae6

No Certificates
No CRLs
CertUtil: -dump command completed successfully.

Crypt32 commented 11 months ago

Error message: An item with the same key has already been added.

Need to investigate this.

For some reason the request goes into pending. If I issue the request I get a certificate with the SID extension added to it.

Then the Windows Default policy module instructed to put the request into pending state. If the SID policy module is configured to pass through and all validations succeeded, then I'm using the native policy module action.

DaniDinCrypt commented 11 months ago

"Windows Default policy module instructed to put request into pending state."

Apparently, after installing the module, all requests that do not have a Template/Requestor mapping go into pending mode! This is an enterprise CA and the Windows default module is configured to "Follow the settings in the certificate template...".

I double-checked this by configuring the CA's policy module back to default and submitting the exact same request/template/user, and I was able to get a certificate immediately (but without the SID). I also tried submitting a request with an unresolved UPN (using the NTDS policy module where the Template/Requestor mapping is configured), and here again I got a certificate (with no SID).

How can I further check this?

Crypt32 commented 11 months ago

This is an enterprise CA and the Windows default module is configured to "Follow the settings in the certificate template...".

And what about the template setting? It is in the Issuance Requirements tab, the CA Manager approval setting.

DaniDinCrypt commented 11 months ago

Nothing is checked under Issuance Requirements. As I wrote, if I change the policy module back to Windows default, certificates are issued immediately.

DaniDinCrypt commented 11 months ago

OK, I reinstalled the policy module and it seems to work OK now. I have no idea why this happened...

Thanks again

Crypt32 commented 11 months ago

OK, I reinstalled the policy module and it seems to work OK now. I have no idea why this happened...

Thanks again

As a guess: you have to restart the CA service when you change policy module settings.

BTW, do you still see errors in the log file?

DaniDinCrypt commented 11 months ago

Yes, I get about 8 of them every minute.
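When a maintainer asks for "the log file with errors" and the reporter answers with a rate ("about 8 every minute"), what both sides want is the exception lines grouped by failing component and by minute. The following PowerShell function is an added example, not code from the ADCS-SID-Extension-Policy-Module project; it parses the `[timestamp] Exception at source: [Source] Error message: ...` line shape shown earlier in this thread, and the sample lines at the bottom are constructed (the log path in the final comment is a placeholder).

```powershell
# Added example, not part of the ADCS SID Extension Policy Module project.
# Summarises "Exception at source" entries from ADCSCertMod.SID.Policy.log by
# source and message, with first/last time seen and an approximate per-minute rate.
# Line shape (as in the thread):
#   [M/d/yyyy h:mm:ss tt] Exception at source: [Source] Error message: ... Stack Trace: ...

function Get-PolicyLogExceptionSummary {
    [CmdletBinding()]
    param(
        # Lines of the policy module log; pipe Get-Content into this function.
        [Parameter(ValueFromPipeline)] [string[]] $Line,
        # Culture used to parse the timestamp. The thread's log uses en-US
        # (a "31.1.2024 10.15.21" log would need a different culture).
        [cultureinfo] $Culture = [cultureinfo]'en-US'
    )
    begin {
        # Lazy (?<msg>) stops at " Stack Trace:" when present, otherwise runs to end of line.
        $pattern = '^\[(?<ts>[^\]]+)\]\s+Exception at source:\s+\[(?<src>[^\]]+)\]\s+Error message:\s+(?<msg>.*?)(?:\s+Stack Trace:.*)?$'
        $hits = New-Object System.Collections.Generic.List[object]
    }
    process {
        foreach ($l in $Line) {
            $m = [regex]::Match($l, $pattern)
            if (-not $m.Success) { continue }   # informational lines are ignored
            $hits.Add([pscustomobject]@{
                Time    = [datetime]::Parse($m.Groups['ts'].Value, $Culture)
                Source  = $m.Groups['src'].Value
                Message = $m.Groups['msg'].Value
            })
        }
    }
    end {
        $hits | Group-Object Source, Message | ForEach-Object {
            $times   = @($_.Group.Time | Sort-Object)
            # Number of distinct minutes in which this error appeared.
            $minutes = @($_.Group | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') }).Count
            [pscustomobject]@{
                Source    = $_.Group[0].Source
                Message   = $_.Group[0].Message
                Count     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
                PerMinute = [math]::Round($_.Count / [math]::Max(1, $minutes), 1)
            }
        }
    }
}

# Constructed sample: the thread's ReloadCache error repeated, plus one unrelated line.
$sample = @(
    '[7/27/2023 12:07:33 PM] Exception at source: [CertTemplateCache::ReloadCache] Error message: An item with the same key has already been added. Stack Trace: at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)',
    '[7/27/2023 12:07:41 PM] Exception at source: [CertTemplateCache::ReloadCache] Error message: An item with the same key has already been added. Stack Trace: at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)',
    '[7/27/2023 12:08:05 PM] Requested template is offline. Starting request processing.',
    '[7/27/2023 12:08:12 PM] Exception at source: [CertTemplateCache::ReloadCache] Error message: An item with the same key has already been added. Stack Trace: at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)'
)

$sample | Get-PolicyLogExceptionSummary | Format-List

# Real use (path is a placeholder; the thread only names the file, not its location):
# Get-Content 'C:\PLACEHOLDER\ADCSCertMod.SID.Policy.log' | Get-PolicyLogExceptionSummary
```

On the constructed sample the function reports one group, `CertTemplateCache::ReloadCache`, with Count 3 across two distinct minutes. Grouping on Source and Message (rather than the full stack trace) keeps distinct faults separate while collapsing repeats, which is the shape a maintainer needs when deciding whether the cache reload is one recurring problem or several.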

Crypt32 commented 9 months ago

@DaniDinCrypt I'm looking into this and need a few more details. Can you send me the log file with the errors?

NeLeSism commented 5 months ago

I have a somewhat similar issue.

Issues:

1) Online template certificate requests always go to pending state (User & Computer):

[31.1.2024 10.15.21] [Policy::validatePrerequisites] Requested template '1.3.6.1.4.1.311.21.8.2995253.7410713.4214411.4398384.4691399.110.8219917.7697441' is not offline. Skipping.
[31.1.2024 10.15.21] Requested template is not offline. Skip processing and return native policy module result.

2) Offline template requests that do not have a UPN go through without pending state and the client receives a certificate:

[31.1.2024 10.31.39] [Policy::VerifyRequest] Requester name: USERNAME OMITTED
[31.1.2024 10.31.39] Found matching entry in Template/Requester table.
[31.1.2024 10.31.39] Reading request extensions.
[31.1.2024 10.31.39] Found 9 extensions.
[31.1.2024 10.31.39] SAN extension not found. Skipping.
[31.1.2024 10.31.39] Enforcing SID extension policy. Requested action: PassThrough

3) If I add a UPN to the offline template request, it goes to pending state:

[31.1.2024 10.26.16] Requested template is offline. Starting request processing.
[31.1.2024 10.26.16] [Policy::VerifyRequest] Requester name: OMITTED
[31.1.2024 10.26.16] Found matching entry in Template/Requester table.
[31.1.2024 10.26.16] Reading request extensions.
[31.1.2024 10.26.16] Found 10 extensions.
[31.1.2024 10.26.16] Found SAN extension at index 5.
[31.1.2024 10.26.16] Executing principal search from UPN.
[31.1.2024 10.26.16] Alt principal name: OMITTED
[31.1.2024 10.26.16] Returned SID: S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

[Image: pending requests]

Crypt32 commented 5 months ago

@NeLeSism can you show the output of the following command:

certutil -getreg policy\RequestDisposition

NeLeSism commented 5 months ago

C:\Windows\system32>certutil -getreg policy\RequestDisposition
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Root CA\PolicyModules\PKISolutions_SID.Policy\RequestDisposition:
CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

NeLeSism commented 5 months ago

Seems to work now that I added the missing DWORD to the registry. Thanks for the help.

Crypt32 commented 5 months ago

That's the problem. It seems that the source policy module's settings weren't copied to the target policy module. I need to take a look at the install script. Try reinstalling the module for now.
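The failing `certutil -getreg policy\RequestDisposition` above shows the shape of the problem: `policy\` resolves to the active policy module's key, and that key had no `RequestDisposition` value because the installer had not copied it from the default module. The following PowerShell script is an added example, not part of the project's installer; it reads the same registry layout the certutil output shows (the `PKISolutions_SID.Policy` key name comes from this thread), compares the SID module's value with the default module's, and reports what is missing. The `Active` value under `PolicyModules` and the `REQDISP_*` decoding are taken from the Windows `certsrv.h` constants as the author of this example understands them and are assumptions, not something the thread states; the script only reads the registry and changes nothing.

```powershell
# Added example, not part of the ADCS SID Extension Policy Module project.
# Read-only check: does the SID policy module key carry RequestDisposition, and
# does it match the default module? Assumes the standard CertSvc registry layout.

$defaultModule = 'CertificateAuthority_MicrosoftDefault.Policy'
$sidModule     = 'PKISolutions_SID.Policy'   # key name as shown in this thread

function Get-CAPolicyModulesKey {
    # The CA's configuration lives in the single subkey under ...\CertSvc\Configuration
    # ("Root CA" in the thread's certutil output).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca = Get-ChildItem -Path $root -ErrorAction Stop | Select-Object -First 1
    if (-not $ca) { throw "No CA configuration found under $root" }
    Join-Path $ca.PSPath 'PolicyModules'
}

function ConvertFrom-RequestDisposition([int] $Value) {
    # Assumed from certsrv.h: low byte is the action, 0x100 is REQDISP_PENDINGFIRST.
    $action = switch ($Value -band 0xFF) {
        0 { 'Pending' }
        1 { 'Issue' }
        2 { 'Deny' }
        3 { 'UseDefaults' }
        default { "Unknown($_)" }
    }
    if ($Value -band 0x100) { "$action + PendingFirst" } else { $action }
}

function Get-RequestDisposition([string] $PolicyModulesKey, [string] $Module) {
    # Returns $null when the module key or the value does not exist,
    # which is exactly the ERROR_FILE_NOT_FOUND case certutil reported.
    $key = Join-Path $PolicyModulesKey $Module
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -Name RequestDisposition -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    [int] $props.RequestDisposition
}

function Test-SidModuleDisposition {
    $pm     = Get-CAPolicyModulesKey
    $active = (Get-ItemProperty -Path $pm -Name Active).Active
    $def    = Get-RequestDisposition $pm $defaultModule
    $sid    = Get-RequestDisposition $pm $sidModule

    $defText = if ($null -ne $def) { ConvertFrom-RequestDisposition $def } else { '(missing)' }
    $sidText = if ($null -ne $sid) { ConvertFrom-RequestDisposition $sid } else { '(missing)' }

    $finding = 'OK'
    if ($active -ne $sidModule) {
        $finding = "Active policy module is '$active', not '$sidModule'"
    } elseif ($null -eq $sid) {
        # The thread's reporter saw requests stuck in pending with this value absent
        # and fixed it by adding the DWORD; restart certsvc after any such change.
        $finding = "RequestDisposition missing under $sidModule; copy the default module's value and restart certsvc"
    } elseif ($sid -ne $def) {
        $finding = "RequestDisposition differs from the default module; confirm this is intended"
    }

    [pscustomobject]@{
        ActiveModule       = $active
        DefaultDisposition = $defText
        SidDisposition     = $sidText
        Finding            = $finding
    }
}

Test-SidModuleDisposition | Format-List
```

Run it in an elevated prompt on the CA after installing or reconfiguring the module. The script deliberately stops at reporting: the fix in this thread (adding the missing DWORD, then restarting the CA service as the maintainer suggested earlier) is a change an operator should make knowingly rather than have a script apply on their behalf.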

Crypt32 commented 5 months ago

I'm closing this issue, which is mainly related to the cert template cache update. A new issue has been created instead: #10