No certificate template information

[newguy42]

I recently started testing TameMyCerts but started noticing occasional Event 10 with the text:
No certificate template information for request ######### could be retrieved from the local certificate template cache. The request will get denied.

I know from documentation that TameMyCerts refreshes its template cache every 5 minutes (assuming this depends on the flow of certificate requests), so these messages tend to go away after the 5 minute mark.

ADCS gave us no other indication of this kind of problem before installing TameMyCerts.

We ran procmon to see if any processes were messing up the template cache and we do see that, what appears to be during the cache update, that the cache is cleared but is repopulated within milliseconds.

Any help or suggestions would be appreciated.

[Sleepw4lker]

TMC needs information on template settings, which are stored in the Configuration partition of the Forest.
To avoid too much AD queries, each machine maintains a local copy of these settings in the registry under the HLKM hive (under SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache), which is what TMC uses for performance reasons – and it holds an in-memory cache of this information that is refreshed every 5 Minutes.

However, this Registry path will only be present if a certain Group Policy (“Update certificates that use certificates templates”) is applied to the machine hosting the Certification Authority. This Setting sets the 0x1 bit to the “AEPolicy” key under HKLM:\Software\Policies\Microsoft\Cryptography\AutoEnrollment.

Can you ensure that the required data is available under HKLM:\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache? Might it be that there was also a GPO change that might have disabled the “AEPolicy” Key?

Does this error occur on a regular basis?

[newguy42]

We would be very interested in tested this update.

[Sleepw4lker]

Contact me via email then, please.

[gnugnug]

I can confirm the observations of @newguy42, however we only see the error every few weeks or even months, not daily.
The problem appears at random times at day or night. All certificate requests are denied for five minutes, then normal operations are resumed. It could very well be a race condition, if the local template cache is refreshed exaxtly at the same time when TameMyCerts tries to read it and stores this negative result in its in-memory cache.

[Sleepw4lker]

Yes I can confirm the race condition. I've refactored the code in #96 to skip in such a case and re-use the cache. Happy to hear your feedback.

[newguy42]

We have been testing the new code in our sandbox but I've had to simulate the issue by literally deleting part of the template cache (from the registry). Based on the code if any templates are present while TameMyCerts is updating its own cache then the in-memory cache will update (but with missing templates).
We monitored the registry during the systems cache update and it appears that one of the first steps is the deletion of the TimeStamp value, which isn't repopulated until almost the end of the cache update. Can anyone confirm this?