Windows SSH ‘No Matching Key’

No Matching Key KB ID 0001900

Problem : No Matching Key

Typically I see this problem on my mac or within various Linux distributions. I’ve covered extensively how to fix this on a mac in the following article.

macOS – SSH Error ‘No Matching Exchange Method Found’

So when I saw the same question asked for a Windows client, I went and looked, and found some patchy information, so I thought I’d work it out and post it here for you. Essentially you will see an error when attempting to SSH to a device something like one of the following.

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching host key type found. Their offer: ssh-rsa

Solution : No Matching Key

With Windows the fix is similar. Less secure algorithms and ciphers have been deprecated by Windows; to re-enable them* you need to edit your ssh_config file. This file lives in a folder called ssh, which is in a hidden folder on the root of your C drive called ProgramData. On most Windows machines this file won’t exist, but check first to make sure (particularly if you’re on a server that may be running SSH services).

*Note: They are deprecated for a reason; this weakens your machine’s security. The following procedure will GLOBALLY allow these deprecated ciphers for all SSH sessions. If you want to operate a little more securely, go to the individual SSH config section.

Showing Hidden Files and Folders : No Matching Key

Assuming, like me, you don’t already have an ssh_config file, you need to create one and add the connection algorithms required. Open an administrative command window (if you don’t do this you will get access denied errors going forward!), then execute the following commands.

[box]

copy nul > C:\ProgramData\ssh\ssh_config

notepad C:\ProgramData\ssh\ssh_config

[/box]

Note: If after you execute the first command, you get “copy : Cannot find path ‘C:\Windows\system32\nul’ because it does not exist.” don’t worry, it will still create the file.

A Notepad window will open; remove any text within it and paste in the following.

[box]

MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa

[/box]

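Save the Notepad file then re-try your ssh command; this time it should succeed. If it errors, it will tell you which MAC, KexAlgorithms, or key algorithm is missing, and you can add that to the ssh_config file. Note that the PubkeyAcceptedAlgorithms and HostKeyAlgorithms lines above use a + prefix, which adds to the client’s default list; the MACs and KexAlgorithms lines have no prefix, so they replace the default list with exactly the algorithms shown.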

Individual Host SSH Settings

It’s considered better practice to have a config for each target you will SSH to. For me that’s impractical because I have hundreds of clients and thousands of switches, routers and firewalls (but you could add them as you go, I suppose). For this procedure you create a config file in your user profile, and in that config file you put the requirements in, on a host-by-host basis.

Firstly create the config file, open an administrative PowerShell window, and execute the following command.

[box]

New-Item -Path $HOME\.ssh\config -ItemType File

[/box]

Then to edit the config file.

[box]

C:\WINDOWS\System32\notepad.exe $HOME\.ssh\config

[/box]

A Notepad window will open with the blank config file, here’s an example of a config for two devices (my test Cisco ASA, and my test core switch).

Example.

[box]

# Config for my test firewall
Host cisco-asa
  HostName 192.168.254.254
  User petelong
  Port 22
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  KexAlgorithms diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa

[/box]

Now simply issue an ssh cisco-asa command.
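
As an added example (not part of the original article): the PowerShell function below reads the ‘Unable to negotiate’ text that ssh prints and builds a Host entry for $HOME\.ssh\config that appends (+) only the one algorithm the device needs, so the global ssh_config can stay untouched. The function name, the preference lists and the sample input are assumptions made for illustration; unlike the example above, the generated entry leaves host key checking at its defaults.

```powershell
# Added example, not from the original article.
function ConvertTo-SshHostStanza {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ErrorText,   # text printed by ssh
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]+$')] [string] $Alias
    )

    # ssh_config directive that answers each "no matching ... found" message.
    $directiveFor = @{
        'key exchange method' = 'KexAlgorithms'
        'host key type'       = 'HostKeyAlgorithms'
        'cipher'              = 'Ciphers'
        'MAC'                 = 'MACs'
    }

    # Assumed preference order (strongest first), used when a device offers
    # several legacy algorithms. Adjust to your own policy.
    $preference = @{
        KexAlgorithms     = @('diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group1-sha1')
        HostKeyAlgorithms = @('ssh-rsa', 'ssh-dss')
        Ciphers           = @('aes256-cbc', 'aes192-cbc', 'aes128-cbc', '3des-cbc')
        MACs              = @('hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96')
    }

    $pattern = 'Unable to negotiate with (?<host>\S+) port (?<port>\d+)\s*:\s*no matching ' +
               '(?<kind>key exchange method|host key type|cipher|MAC) found\. Their offer: (?<offer>\S+)'
    $found = [regex]::Matches($ErrorText, $pattern, 'IgnoreCase')
    if ($found.Count -eq 0) { throw 'No OpenSSH negotiation error found in the supplied text.' }

    $target = $found[0].Groups['host'].Value
    $port   = $found[0].Groups['port'].Value
    if ($target -notmatch '^[A-Za-z0-9.:_-]+$') { throw "Unexpected characters in host '$target'." }

    $chosen = [ordered]@{}
    foreach ($m in $found) {
        if ($m.Groups['host'].Value -ne $target) {
            throw 'The text covers more than one host; run once per host.'
        }
        $directive = $directiveFor[$m.Groups['kind'].Value]
        $offer     = $m.Groups['offer'].Value.Split(',')

        # Refuse anything that is not a plain algorithm name before it is
        # written into a config file.
        foreach ($name in $offer) {
            if ($name -notmatch '^[A-Za-z0-9@._+-]+$') { throw "Unexpected algorithm name '$name'." }
        }

        # Enable one algorithm only: the most preferred one the device offers.
        $pick = $preference[$directive] | Where-Object { $offer -contains $_ } | Select-Object -First 1
        if (-not $pick) { $pick = $offer[0] }   # not in the lists above: take the first offer
        $chosen[$directive] = $pick
    }

    # "+" appends to the client's defaults instead of replacing them.
    $lines = @("Host $Alias", "  HostName $target", "  Port $port")
    foreach ($d in $chosen.Keys) { $lines += "  $d +$($chosen[$d])" }
    $lines -join [Environment]::NewLine
}

# Constructed sample input: the two errors quoted in the article, with the
# article's example address 192.168.254.254 in place of {IP-Or-Hostname}.
$sample = @'
Unable to negotiate with 192.168.254.254 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Unable to negotiate with 192.168.254.254 port 22: no matching host key type found. Their offer: ssh-rsa
'@

ConvertTo-SshHostStanza -ErrorText $sample -Alias 'cisco-asa'
```

Review the returned text, then paste it into $HOME\.ssh\config; ssh reports one missing algorithm type per attempt, so a device may need a second run with the next error.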

 

Related Articles, References, Credits, or External Links

SSH: Host Identification Has Changed

Printers “Some Of These Settings are Managed By Your Organisation”

Managed By Your Organisation KB ID 0001899

Problem

When attempting to add a printer, or engage with the printer settings dialog, you may see:

Some Of These Settings are Managed By Your Organisation

Solution : Managed By Your Organisation

This is usually because a policy is being applied (or has been applied) that is making a change in your registry to the following key.

[box]

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > NoAddPrinter 

[/box]

Values are.

  • ENABLED  = 1 (Printers cannot be added).
  • DISABLED = 0 (Printers can be added).

Of course, if this IS being enforced by group policy, changing the registry key will only fix the problem until the policy is reapplied!

I’ve previously written about how to locate where a group policy is coming from. The policy you are looking for is:

[box]

User Configuration > Administrative Templates > Control Panel > Printers > Prevent addition of printers  

[/box]

In this case it was being enforced by Local User Policies.

Running gpedit.msc got me to the culprit.

If yours is being enforced from your domain, gpresult will point to the correct policy.

Related Articles, References, Credits, or External Links

Allow Users to Install Printers with Group Policy

Deploying Printers with Group Policy Preferences

What GPO are Applied?

What GPO KB ID 0001898

Problem

There are a number of reasons for you to test and demonstrate group policy application. Recently on Experts Exchange there was a question where a user could not add a printer because those settings were ‘Controlled by their organisation’, but was pretty sure no printer GPOs were applied.

Or you may simply be setting up a new GPO and it’s not applying, or not working as you would expect.

Solution : What GPO

I’ve been doing this a long time! Back in the day you could create a new MMC console (run mmc.exe), then add the “Resultant Set Of Policy” snap-in and run that to evaluate and model different GPO applications and results. You can still do that, but now you can simply run the RSOP command from an administrative command window.

In this case it will produce a list of applied group policies for the logged-in user and the machine it was run on (if you want results for different users or computers you can add the RSOP snap-in to mmc, or run the modelling from a machine that has the Group Policy Management Console installed).

RSOP will give you output like this; you can see what policies are being applied, and the name of the group policy that is applying that change.

But this will produce a complete list of all GPO settings and their status (even if they are not defined (see above)). An easier way to search is to use GPRESULT and send the output of that to an HTML file that you can open in a browser.

[box]

gpresult /h C:\{Path}\GPresult.htm

[/box]

This produces an easier to read report.

You can get the same report, and change the input parameters for users and computers etc., by running the Group Policy Results wizard that is included with the AD DS RSAT tools.

Related Articles, References, Credits, or External Links

Group Policy: Item-Level Targeting

Apply Group Policy To a Security Group

Add The ‘Group Policy Management Console’

Windows – Setting Domain Time

Domain Time KB ID 0000112

Problem

If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged: Event IDs 12, 22, 29, 36, 38, 47, and 50.

Time Problem Events – On the PDC Emulator

Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).

Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).

Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).

Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).

Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).

Domain Time Problem Events – On Domain Members

Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).

Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).

Solution : Domain Time Problems

Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.

Locate the PDC Emulator

1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.

2. Take note of the PDC name and go to that server.

NTP Firewall config (Domain Time)

1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.

To Test Use NTPTool

Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);

This is how it should look; every time you press query you should get a response. Now you know the correct port is open;

Configure the PDC Emulator to collect Reliable Domain Time

There are two ways to do this: 1. Use Group Policy, and 2. Use the command line.

Setting PDC Emulator Time With Group Policy

Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the Domain Controllers OU. But we don’t want all DCs getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.

Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.

Don’t panic if you see this error > OK > Save.

Create a new GPO linked to the Domain Controllers OU.

Change the policy so it uses your WMI filter;

Edit The Policy, and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you won’t sync, and you will see this error.

Enable Windows NTP Client

Enable the Policy (The server still needs to get its time from the external source!)

Enable Windows NTP Server

Enable the policy (The server also needs to provide time to the domain clients).

Save and exit the policy editor, then on the PDC emulator force a policy update and resync the time. Finally run rsop to make sure the settings have applied.

Setting PDC Emulator Time From Command Line

 

1. On the PDC emulator Windows Key+R > cmd {Enter}.

2. At command line execute the following four commands;

[box]

w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.

3. Look in the server’s Event log > System Log for Event ID 37.

 

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time 
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

4. You will also see Event ID 35.

---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source 
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------

Step 2 Check the domain clients

This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;

1. Windows Key+R > cmd {enter}.

2. Execute the following command;

[box] w32tm /monitor [/box]

3. You will see the time this client can see, on all the domain controllers.

[box]

C:\Documents and Settings\Administrator.yourdomain>w32tm /monitor
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]

[/box]

(In the case above the time on server-dc is way out; address that first. It was an old Windows 2000 server, and running “net time server-pdc” {enter} fixed it.)

4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.

5. Execute the following commands on a client machine;

[box]

net stop "windows time"

net start "windows time"

w32tm /resync 

[/box]

6. The machine’s event log should show the following successful events;

Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).

Event ID 35 (The time service is now synchronizing the system time with the time source..).
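
The check in step 3, as an added example that is not from the original article: this PowerShell function parses w32tm /monitor output and flags any domain controller whose offset from the PDC emulator exceeds a threshold, or that returned no NTP offset at all. The function name and the 5-second default (taken from the 5000 milliseconds in Event ID 50) are assumptions; the sample input is the output shown in step 3.

```powershell
# Added example, not from the original article.
function Get-W32tmMonitorOffset {
    [CmdletBinding()]
    param(
        # Lines of "w32tm /monitor" output (blank lines are allowed).
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $MonitorOutput,
        # Assumed default: the 5000 ms difference reported by Event ID 50.
        # Kerberos tolerates 5 minutes of clock skew by default, so a larger
        # offset than that also breaks domain authentication.
        [double] $MaxOffsetSeconds = 5
    )

    $invariant = [cultureinfo]::InvariantCulture   # offsets always use "." as decimal point
    $current   = $null

    foreach ($line in $MonitorOutput) {
        $text = $line.Trim()

        # Header line: "name [ip]:" or "name *** PDC *** [ip]:"
        if ($text -match '^(?<name>[^\s\[]+)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[(?<ip>[^\]]+)\]:$') {
            $current = @{ Server = $Matches['name']; Address = $Matches['ip']; IsPdc = [bool]$Matches['pdc'] }
        }
        # NTP line carrying a measured offset.
        elseif ($null -ne $current -and $text -match '^NTP:\s*(?<off>[+-]?\d+(?:\.\d+)?)s offset from (?<ref>\S+)') {
            $offset = [double]::Parse($Matches['off'], $invariant)
            [pscustomobject]@{
                Server        = $current.Server
                Address       = $current.Address
                IsPdc         = $current.IsPdc
                OffsetSeconds = $offset
                ComparedTo    = $Matches['ref']
                Status        = if ([math]::Abs($offset) -gt $MaxOffsetSeconds) { 'OutOfTolerance' } else { 'OK' }
            }
            $current = $null
        }
        # Any other NTP line means no offset was measured for this server.
        elseif ($null -ne $current -and $text -match '^NTP:\s*(?<detail>.+)$') {
            [pscustomobject]@{
                Server        = $current.Server
                Address       = $current.Address
                IsPdc         = $current.IsPdc
                OffsetSeconds = $null
                ComparedTo    = $null
                Status        = 'NoNtpOffset'
            }
            $current = $null
        }
    }
}

# Sample input: the w32tm /monitor output shown in step 3 of the article.
$sample = @'
server-dc.yourdomain.co.uk [192.168.1.1]:
ICMP: 0ms delay.
NTP: +363.2032725s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.69.6]
site2-dc.yourdomain.co.uk [192.168.2.1]:
ICMP: 70ms delay.
NTP: +0.0470237s offset from server-pdc.yourdomain.co.uk
RefID: dc.yourdomain.co.uk [192.168.69.4]
serverdc2.yourdomain.co.uk [192.168.1.4]:
ICMP: 0ms delay.
NTP: +0.0000553s offset from server-pdc.yourdomain.co.uk
RefID: server-pdc.yourdomain.co.uk [192.168.1.6]
server-pdc.yourdomain.co.uk *** PDC *** [192.168.1.6]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from server-pdc.yourdomain.co.uk
RefID: scarp.mc.man.ac.uk [130.88.203.64]
'@ -split '\r?\n'

# List only the domain controllers that need attention.
Get-W32tmMonitorOffset -MonitorOutput $sample | Where-Object { $_.Status -ne 'OK' }
```

On a live domain member, pass the real output instead of the sample: Get-W32tmMonitorOffset -MonitorOutput (w32tm /monitor).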

Setting Domain Clients Time via GPO

As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.

Create a GPO, and link it to the OU containing the computers you want to sync.

Edit the policy and navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers[/box]

Configure Windows NTP Client

Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9  > Set the Type to NT5DS.

Enable Windows NTP Client

Enable this policy.

Testing Client NTP Settings

Either run;

[box]w32tm /query /status[/box]

Or run RSOP.

 

Related Articles, References, Credits, or External Links

PDC Emulator: PDC Emulator: Cannot Sync Time From External NTP Server

Cisco ASA – Configuring for NTP 

 

Take Ownership and Grant ‘Full Control’ Recursively

Take Ownership KB ID 0001200 

Problem

I had a bunch of old user profile folders I needed to delete today. When set up properly, even the domain administrator can’t get in there and delete them;

You need permission to perform this action.

You don’t currently have permission to access this folder

If it’s just one folder then simply take ownership, grant yourself rights and delete it! But I had a lot of folders so I needed a more robust (read less work) solution.

Solution: Take Ownership

Take Ownership of all Folders/Sub-Folders, and Files

Open an administrative command window, and execute the following command;

[box]

takeown /a /r /d Y /f C:\"Path-To-Folder"

[/box]

Grant ‘Full Control’ Rights to all Folders/Sub-Folders, and Files

Just because you are the owner, that does not mean you have any rights to the folders and files. To grant full control to the administrators group:

[box]

icacls C:\"Path-To-Folder" /grant administrators:F /t

[/box]

You can then delete the folder and its contents recursively with the following PowerShell command.

[box]

Remove-Item -Path "Path-To-Folder" -Force -Recurse

[/box]

Related Articles, References, Credits, or External Links

Can’t Delete a File or Folder or Take Ownership

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If using CrowdStrike (18th Jul 2024) or you’re stuck at the recovery screen, the problem is being worked on. Ref:

TEMPORARY WORK AROUND

 

  1. Boot Windows into Safe Mode or WRE.
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach the system disk of the affected machine as an unmanaged disk to another VM for offline repair (Note: Disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair).
  2. Once the disk is attached, customers can attempt to delete the following file: “Windows/System32/Drivers/CrowdStrike/C-00000291*.sys”
  3. The disk can then be detached and re-attached to the original VM.

 

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.

Related Articles, References, Credits, or External Links

NA

Install RSAT (Remote Server Administration Tools)

 RSAT KB ID 0000099

Problem

Windows RSAT (Remote Server Administration Tools) is a suite of tools from Microsoft that allows IT administrators to remotely manage and administer Windows Servers and other Microsoft services from a Windows client machine. These tools are essential for system administrators to perform various tasks without needing to log directly into the server.

Here is a list of some of the primary tools included in RSAT:

  • Active Directory Administrative Center (ADAC): A graphical interface for managing Active Directory.
  • Active Directory Users and Computers (ADUC): A tool to manage users, groups, computers, and organizational units in Active Directory.
  • Active Directory Sites and Services: Used to manage the configuration of Active Directory sites, subnets, and services.
  • Active Directory Domains and Trusts: Manages domain trusts and functional levels.
  • Active Directory Module for Windows PowerShell: Provides a set of cmdlets for administering Active Directory.
  • DHCP Server Tools: Includes the DHCP Management Console, DHCP Server cmdlets for Windows PowerShell, and the Netsh command-line tool.
  • DNS Server Tools: Includes the DNS Manager snap-in and the DNS Server cmdlets for Windows PowerShell.
  • Group Policy Management Tools: Includes the Group Policy Management Console (GPMC) and the Group Policy Object Editor.
  • Hyper-V Tools: Provides the Hyper-V Manager snap-in and the Hyper-V Module for Windows PowerShell for managing Hyper-V servers.
  • File Services Tools: Includes the File Server Resource Manager (FSRM) snap-in and command-line tools, and the Distributed File System (DFS) Management snap-in.
  • Network Policy and Access Services Tools: Includes the Network Policy Server (NPS) console and the Routing and Remote Access Service (RRAS) console.
  • Remote Desktop Services Tools: Includes the Remote Desktop Licensing Diagnoser Tool, the Remote Desktop Services Manager, and the Remote Desktop Connection Manager.
  • Server Manager: A tool for managing roles and features on Windows servers.
  • Windows Server Update Services (WSUS) Tools: Includes the WSUS console and PowerShell cmdlets for managing Windows updates.
  • Failover Clustering Tools: Includes the Failover Cluster Manager snap-in and PowerShell cmdlets for managing failover clusters.
  • Storage Explorer Tools: For managing storage area networks (SANs).
  • IP Address Management (IPAM) Tools: Includes the IPAM client console and PowerShell cmdlets for IP address management.
  • Best Practices Analyzer (BPA): Tools that help administrators ensure their servers are configured according to best practices.

Solution : Install RSAT

Installing RSAT with PowerShell

To see what can be installed open an administrative PowerShell Window and execute the following command.

[box]

Get-WindowsCapability -Name RSAT* -Online | Format-List Displayname

[/box]

To install them ALL use the following command.

[box]

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

[/box]

Installing RSAT with DISM

To see what can be installed open an administrative Command Window and execute the following command.

[box]

DISM.exe /Online /Get-Capabilities | find "Rsat"

[/box]

Below I’m checking to see if the RSAT tool I want (the Group Policy Management Tool) is already installed. As it returned State: Not Present, I then installed it.

[box]

DISM.exe /Online /Get-CapabilityInfo /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

DISM /Online /Add-Capability /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

[/box]

Installing RSAT Graphically

You can of course install the RSAT tools without issuing a command! Settings > System > Optional Features.

View Features > Type RSAT in the search option > Select the tools required  > Next.

Add > Go and have a coffee it can take a while!

 

Related Articles, References, Credits, or External Links

Windows 8 – RSAT Tools Will Not Install?

Proxmox Windows Drive Missing

Proxmox Windows Drive Missing  KB ID 0001871

Problem

When attempting to deploy a Windows VM, in this case Server 2022, you do not see the local storage.

     

Solution

I’ve been in this situation a hundred times in the past (usually on physical servers). The problem is simply that Windows does not have the driver for the storage controller. There are two ways you can approach the problem.

Option 1: Proxmox Windows Drive Missing

The simplest ‘fix’ is simply to redeploy the VM with a bus device type of IDE.

Option 2 : Proxmox Windows Drive Missing

The second option is to have an ISO with the VirtIO driver on it, and Proxmox will present it for you if you use the following option. This will require you to have downloaded the drivers as an ISO file and have that file ready to present to the VM (in addition to the Windows setup ISO).

Then at the problem screen select ‘Load Drivers‘.

Browse.

Next > Follow the rest of the install procedure.

NOTE: Before I start getting emails! Yes you can also add the drivers to the Windows install media, this is a straight forward procedure using DISM and you can find instructions here.

Related Articles, References, Credits, or External Links

NA

C0090016 Error

C0090016 Error KB ID 0001848

Problem

The C0090016 error is usually seen after a motherboard has been changed, when attempting to open an Office 365 application, or something that requires Entra ID authentication.

Something went wrong.
Your computer’s Trusted Platform Module has malfunctioned. If this error persists, contact your system administrator with the error code C0090016.

Error Code: C0090016
Server Message: Unknown Error Code 0xC0090016

Solution: C0090016 Error

Settings > Privacy and Security > Device Security > Security Processor Details.

Security Processor Troubleshooting > Select  > “I am responding to this error 80090016.” > Follow the instructions.

Windows 10 Note: You can find these settings in Windows Defender Security App.

Related Articles, References, Credits, or External Links

NA

0x80094801 Certificate Issue Error

0x80094801 KB ID 0001843

Problem

Whilst attempting to get a certificate from a Windows server running certificate services, I got the following error:

The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by policy module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

Solution 0x80094801 Error

Well, that’s a descriptive error. As this is a certificate request I’ve created on a third-party piece of hardware, I’m not surprised there’s no template information. The only way to specify which template you want to use for the issued certificate is to resubmit the request via the command line.

[box]

certreq -submit -attrib "CertificateTemplate:TEMPLATE-NAME" "C:\Folder\Request-file.csr"

[/box]

You will be prompted to select a certificate services server, then you will be asked where you want to save the certificate.

You can now use the issued certificate.

Related Articles, References, Credits, or External Links

Microsoft PKI Planning and Deploying Certificate Services

Moving Certificate Services To Another Server

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)