What causes NTE_Provider_DLL failure?
In this blog, we are covering an error where the ADCS Service stopped working on Issuing CA. The issue was related to the HSM side as the SafeNet Key Storage provider failed to initialize properly.
Issue
ADCS Service failing to start.
Error Code
| Log Name | Application |
| Source | Microsoft-Windows-CertificationAuthority |
| Event ID | 100 |
| Level | Error |
Description
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Issuing CA Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).
This error comes in the case of Luna; if it’s Ncipher, you’ll see that the provider of the Ncipher will fail.
Steps done
- We did run certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
- If there is a provider failed to pass the test. You can check the configuration under the registry entries under
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration \CA NAME\CSP
Solution
This issue often occurs when CA uses the HSM and HSM is incorrectly configured.
- Verify that the connectivity of HSM is properly configured.
- HSM’s cryptographic service provider should be loaded/initialized properly (re-register and reconfiguring along with a reboot).
