CAPI2 Event ID 11 errors on machines that don't have access to the Internet

See also http://blogs.technet.com/b/instan/archive/2011/09/27/capi2-event-id-11-retake.aspx for further details.

Before you start chasing this event - check that you actually have a problem related to it. In essence this event just means that a caller on the server failed to verify a CRL.

By itself it doesn't mean that the revocation checking failure caused a problem.
Whether it does cause a problem is entirely up to the caller.

Imagine you work in a bar and call a credit-checking company when someone comes in and presents their ID to you. There can ultimately be many different reasons why you can't check the validity of the ID:

  • If the phone line is dead, you obviously won't be able to complete the validity check of the ID.
  • If you suffer from acute amnesia and immediately forget whatever the person on the other end of the line says concerning the verification, you won't be able to do much with it either.
  • If the person on the other end of the phone spontaneously loses all vocal ability after you reach them, you won't be able to get back any validation even though your call has gone through.

I.e., you've tried to verify the ID but that attempt failed. What you do next is up to you - if the picture on the ID looks like a match with the person you're talking to and they look old enough to be allowed to buy a drink then you might end up accepting that as good enough.
...or you might say "I can't verify you're who you claim to be as I can't verify your ID hasn't been revoked - so I won't serve you".

In short, this event simply means something along the lines of: I tried to call the credit-checking company but I was unable to verify the ID.

Somewhere in the event you should, however, see a more detailed guess from the client as to why it was unable to do so (e.g. 80092013 - The revocation function was unable to check revocation because the revocation server was offline.)

CAPI2 Event ID 11 is a very generic event that can have many different causes behind it. For example, if the server doesn't have access to the Internet, it will assume that the revocation server is offline and report this error.

The event should include a reference to the CRL location it is failing to download from, for example http://crl.microsoft.com/pki/crl/products/CSPCA.crl or http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.

If the server doesn't have Internet access or can't be allowed to download CRLs, one possible alternative is to download the file manually and install it on the server with the certutil command.

This can also be logged because the cache contains an older root update CTL with an expired signer - to be able to download the updated CTL with the current signer the server needs connectivity to http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.

If you're seeing CAPI2 Event ID 4107 on a Windows Server 2008 R2 box and one of the signing certificates has changed, you might also need to purge any stale Certificate Trust Lists (CTLs) on the machine with the following command:
certutil -setreg chain\ChainCacheResyncFiletime @now

Note that the reference to the CA Service in the command output is generic - if you're not running this on a CA server you're obviously not going to restart the service as per the recommendations in the output.

Source: Microsoft-Windows-CAPI2
Date: 30.7.2010 12:32:22
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Exch01.contoso.com
Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="49154">11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-07-30T09:32:22.000Z" />
    <EventRecordID>125595</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Exch01.contoso.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab</Data>
    <Data>A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.</Data>
  </EventData>
</Event>
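
To see which URLs and failure reasons are actually behind the Event ID 11 entries on a server, the records can be grouped by the two Data values shown in the event above. This is an added example, not part of the original post: Get-Capi2Event11Summary is a hypothetical helper name, and the sample events are constructed from the URLs and error texts quoted on this page (timestamps are made up).

```powershell
# Added example, not from the original post. Get-Capi2Event11Summary is a hypothetical helper.
function Get-Capi2Event11Summary {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$EventXml)  # event XML strings
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        foreach ($text in $EventXml) {
            $doc = ([xml]$text).DocumentElement
            $sys = $doc['System']
            if ($sys['Provider'].GetAttribute('Name') -ne 'Microsoft-Windows-CAPI2') { continue }
            if ($sys['EventID'].InnerText -ne '11') { continue }
            $data = @($doc['EventData'].GetElementsByTagName('Data') | ForEach-Object { $_.InnerText.Trim() })
            $rows.Add([pscustomobject]@{
                Computer = $sys['Computer'].InnerText
                Time     = $sys['TimeCreated'].GetAttribute('SystemTime')
                Url      = $data[0]   # first <Data>: the URL that could not be used
                Error    = $data[1]   # second <Data>: the reason reported by the client
            })
        }
    }
    end {
        $rows | Group-Object Url, Error | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                Url       = $_.Group[0].Url
                Error     = $_.Group[0].Error
                Computers = ($_.Group.Computer | Sort-Object -Unique) -join ', '
                LastSeen  = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
            }
        }
    }
}
# Constructed sample events (reduced to the elements the function reads)
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-CAPI2" /><EventID Qualifiers="49154">11</EventID>
<TimeCreated SystemTime="{0}" /><Computer>Exch01.contoso.com</Computer></System>
<EventData><Data>{1}</Data><Data>{2}</Data></EventData></Event>
'@
$cab = 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
$crl = 'http://crl.microsoft.com/pki/crl/products/CSPCA.crl'
$expired = 'A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.'
$offline = 'The revocation function was unable to check revocation because the revocation server was offline.'
@(
    ($template -f '2010-07-30T09:32:22.000Z', $cab, $expired)
    ($template -f '2010-07-31T09:32:25.000Z', $cab, $expired)
    ($template -f '2010-07-31T10:05:11.000Z', $crl, $offline)
) | Get-Capi2Event11Summary | Format-List
# Live use: Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='Microsoft-Windows-CAPI2';Id=11} |
#     ForEach-Object { $_.ToXml() } | Get-Capi2Event11Summary
```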

Further details:

Event ID 11 — Automatic Root Certificates Update Configuration
http://technet.microsoft.com/en-us/library/cc734018(WS.10).aspx