Event ID 22 — AD CS Online Responder Service

Updated: November 27, 2007

Applies To: Windows Server 2008

The status and functioning of the Microsoft Online Responder service has dependencies on numerous features and components, including the ability to access timely certificate revocation data, the validity of the certification authority (CA) certificate and chain, and overall system response and availability.

Event Details

Product: Windows Operating System
ID: 22
Source: Microsoft-Windows-OnlineResponder
Version: 6.0
Symbolic Name: MSG_E_POSSIBLE_DENIAL_OF_SERVICE_ATTACK
Message: The Online Responder Services did not process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize property for the service. Unless verbose logging is enabled, this error will not be logged again for 20 minutes.

Resolve
Manage the maximum size of requests the Online Responder will process

Incoming messages larger than the default value of 64 MB can indicate a denial-of-service attack. To resolve this error:

  • Try to locate the originator of the request, which might be an unauthorized user or application trying to compromise the Online Responder. The originator may be identified in the failed request or in the event log message.
  • If the request was rejected in error, you can increase the maximum size of incoming messages by editing the registry.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

To change the maximum size of incoming Online Responder messages:

  1. On the Online Responder, click Start, type regedit, and then press ENTER.
  2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\OcspSvc\Responder.
  3. Add a DWORD registry entry titled MaxIncomingMessageSize.
  4. Set this value to any number of bytes required (1 MB = 1,024 bytes).
  5. Click Start, point to Administrative Tools, and click Services.
  6. Right-click Online Responder Service, and click Restart.
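The two actions above (locating the originator of the oversized request, and raising the limit only when the rejection was a false positive) can be done from an elevated PowerShell session instead of Event Viewer and regedit. The following is an added example, not code from the Microsoft page; it assumes the Online Responder writes to the Application log, that the originator (%1 in the message template) is the event's first inserted property, and uses the registry path and service name (OcspSvc) given in the steps above. The 96 MB target is a constructed illustrative value.

```powershell
# Added example (not from the Microsoft page): list recent Event ID 22 entries
# from the Online Responder and, only if the rejection was a false positive,
# raise MaxIncomingMessageSize and restart the service.
# Assumptions: Online Responder events land in the Application log; the
# originator (%1) is the first event property; the session is elevated.

# 1. Find who sent the oversized requests before changing anything.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-OnlineResponder'
    Id           = 22
} -MaxEvents 50 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Originator = $_.Properties[0].Value   # %1 from the message template (assumed position)
    }
} | Format-Table -AutoSize

# 2. Only for a legitimate client: raise the limit. The value is in bytes.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\OcspSvc\Responder'
$name = 'MaxIncomingMessageSize'
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    "$name is not set; the service default of 64 MB (67,108,864 bytes) applies."
} else {
    "$name is currently $current bytes."
}

# PowerShell's 1MB literal is 1,048,576 bytes, so 96 * 1MB = 100,663,296 bytes.
# 96 MB is a constructed example value; pick the smallest size that admits the
# legitimate traffic rather than removing the limit.
$newSize = 96 * 1MB
New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $newSize -Force | Out-Null

# The service reads the value at start-up, so restart it (display name:
# "Online Responder Service", service name: OcspSvc).
Restart-Service -Name OcspSvc
Get-ItemProperty -Path $path -Name $name | Select-Object -ExpandProperty $name
```

Run the first half on its own first; if the originator is an address you do not recognise, the event is working as intended and the limit should stay where it is.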

Verify

An Online Responder serves as an intermediary between clients that need to check certificate validity and a certification authority (CA) that issues certificates and certificate revocation lists (CRLs). To verify that the Online Responder service is functioning properly, you need to isolate the Online Responder and client from the CA and any CRL distribution points to confirm that revocation checking continues to take place and that revocation data is originating only from the Online Responder. The best way to confirm this scenario is to complete the following steps that involve the CA, the client, CRL distribution points, and the Online Responder:

  • Issue new certificates.
  • Revoke a certificate.
  • Publish a CRL.
  • Remove CRL distribution point extensions from the issuing CA.
  • Confirm that client computers can still obtain revocation data.

To perform these procedures, you must be a member of local Administrators on the computer hosting the Online Responder and on the client computer, and you must have Manage CA permissions on the computer hosting the CA, or you must have been delegated the appropriate authority.

Issue new certificates

To issue new certificates:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Configure several certificate templates to autoenroll certificates for a computer running Windows Vista or Windows XP Professional.
  3. When information about the new certificates has been published to Active Directory domain controllers, open a command prompt window on the client computer and enter the following command to start certificate autoenrollment: certutil -pulse.

    Note: It can take up to eight hours for information about new certificates to be replicated to Active Directory domain controllers.

  4. On the client computer, use the Certificates snap-in to confirm that the certificates have been issued to the user and to the computer, as appropriate. If they have not been issued, repeat step 2. You can also stop and restart the client computer to initiate certificate autoenrollment.

Revoke a certificate

To revoke a certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Issued Certificates, and then select the certificate you want to revoke.
  3. On the Action menu, point to All Tasks, and then click Revoke Certificate.
  4. Select the reason for revoking the certificate, and click Yes.

Publish a CRL

To publish a CRL:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and then click Publish.

Remove all CRL distribution point extensions from the issuing CA

To remove all CRL distribution point extensions from the issuing CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.
  2. Select the CA.
  3. On the Action menu, click Properties.
  4. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
  5. Click any CRL distribution points that are listed, click Remove, and click OK.
  6. Stop and restart the CA.
  7. Configure a new certificate template, and complete autoenrollment again.

Confirm that client computers can obtain revocation data

To confirm that client computers can obtain revocation data:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Select the user or computer account to whom the certificate was issued, click Finish, and then click OK.
  5. Open the Personal Certificates store, right-click the most recently issued certificate, point to All Tasks, and then click Export to start the Certificate Export Wizard. Export the certificate to a .cer file.
  6. Open a command prompt window.
  7. Type certutil -url <exportedcert.cer> and press ENTER.

    Exportedcert.cer is the file name of the certificate that was exported in the previous step.

  8. In the Verify and Retrieve dialog box that appears, click From CDP and From OCSP, and confirm that the revocation data is retrieved from the Online Responder and not from a CRL distribution point.
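The same check can be scripted so it can be repeated after every change to the CA's extensions. The following is an added example, not code from the Microsoft page: it exports the most recently issued certificate from the current user's Personal store and runs certutil's chain and revocation check with URL fetching (certutil -verify -urlfetch, a command-line alternative to the -url dialog in step 7). It assumes certutil.exe is on the path and that an issued certificate exists in Cert:\CurrentUser\My; the output file name is a constructed value.

```powershell
# Added example (not from the Microsoft page): export the newest Personal
# certificate and check from which revocation source certutil obtains status.
# Assumes certutil.exe is available and Cert:\CurrentUser\My holds a certificate
# issued by the CA under test.

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate found in the Personal store.' }

# Constructed file name; the GUI steps above use exportedcert.cer as well.
$out = Join-Path $env:TEMP 'exportedcert.cer'
Export-Certificate -Cert $cert -FilePath $out -Type CERT | Out-Null

# -urlfetch makes certutil retrieve AIA, CDP and OCSP data from the URLs in the
# certificate and report each source it tried together with the outcome.
$report = & certutil.exe -verify -urlfetch $out

# Show only the revocation-related lines. With the CDP extensions removed from
# the issuing CA, the OCSP entries are the ones that should report success.
$report | Select-String -Pattern 'OCSP', 'CRL', 'Revocation' | ForEach-Object { $_.Line }

# Keep the full report for the change record.
$report | Set-Content -Path (Join-Path $env:TEMP 'certutil-urlfetch-report.txt')
```

If the filtered output still shows a CRL source succeeding after the CDP extensions were removed, the client is using a cached CRL or a certificate issued before the change; re-enrol (step 7 of the previous procedure) and run the check again.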

Related Management Information

AD CS Online Responder Service

Active Directory Certificate Services

Related:


The time provider NtpServer encountered an error while digitally signing the NTP response for peer %1. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: %2

Details
Product: Windows Operating System
Event ID: 22
Source: w32time
Version: 5.2
Symbolic Name: MSG_CLIENT_COMPUTE_SERVER_DIGEST_FAILED
Message: The time provider NtpServer encountered an error while digitally signing the NTP response for peer %1. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: %2
Explanation

The NTP server cannot provide an authenticated NTP package either because the client is not in the domain and the server cannot send the package or because the client is in the correct domain but a domain controller has not replicated the database yet.

User Action

Check to ensure that the client is a member of the domain.

Related:

A conflict has been detected between two drivers which claimed two overlapping Io port regions. Driver %2, with device , claimed an IO port range with starting address in data address 0x28 and 0x2c, and length in data address 0x30.

Details
Product: Windows Operating System
Event ID: 22
Source: Various
Version: 5.0
Component: System Event Log
Message: A conflict has been detected between two drivers which claimed two overlapping Io port regions. Driver %2, with device , claimed an IO port range with starting address in data address 0x28 and 0x2c, and length in data address 0x30.
Explanation

Two drivers are requesting exclusive use of the same input/output (I/O) ports. The second driver cannot be loaded, and functionality dependent on this driver will not be available.

User Action

Change the set of I/O ports for the specified driver. Or, if you know which driver is competing with the specified driver for these ports, change ports for the competing driver. For information on how to change I/O ports, see your hardware documentation.

Related:

An error occurred while processing an association. The association will be terminated and restarted if necessary. [%1%2%3%4%5%6%7] (14)

Details
Product: Exchange
Event ID: 22
Source: MSExchangeMTA
Version: 6.5.0000.0
Message: An error occurred while processing an association. The association will be terminated and restarted if necessary. [%1%2%3%4%5%6%7] (14)
Explanation

The association will be stopped and restarted if necessary. Associations are paths that are opened to other systems. Each association is contained within a connection and is used to transfer messages to a system. You may have multiple associations in each connection.

User Action

No user action is needed.

Related: