XADM: Cannot Renew Signing Key After Applying SP2 for Exchange Server version 5.5

ID: Q231751

The information in this article applies to:

Microsoft Exchange Server, version 5.5 SP2

SYMPTOMS

After applying Service Pack 2 (SP2) for Microsoft Exchange Server 5.5, you cannot renew certificates from the Key Management Server. Clients receive e-mail saying the request failed, and error 5006 is received on the server.

CAUSE

A missed case caused the Key Management Server component to return an error code.

RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Microsoft Exchange Server version 5.5 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:

Component: KM Server

File name	Version
Kmserver.exe	5.5.2602.0

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:

Q154871 Determining If You Are Eligible for No-Charge Technical Support

STATUS

Microsoft has confirmed this to be a problem in Microsoft Exchange Server 5.5 Service Pack 2.

MORE INFORMATION

Even after the hotfix is applied, you will need to recover these accounts because accounts that fail to renew generate a new signing key and send that to the server. Then, when they fail to renew, they are never given back that signing key. So now the client still has the first signing key (1) and the server has the new signing key (2). After the hotfix is applied and the account tries to renew again, it signs its request with signing key 1, but the server is expecting signing key 2. The account must be recovered to get the same signing key to the client and the server. After the recovery, the client and server are in sync, and any renewal or recovery works fine.

Additional query words:


Keywords          : 
Version           : winnt:5.5 SP2
Platform          : winnt 
Issue type        : kbbug

Last Reviewed: July 2, 1999