What causes NTE_Provider_DLL failure?

Read Time: 3 minutes

In this blog, we are covering an error where the ADCS Service stopped working on Issuing CA. The issue was related to the HSM side as the SafeNet Key Storage provider failed to initialize properly.

Issue

ADCS Service failing to start.

Error Code

Description

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Issuing CA Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).

This error comes in the case of Luna; if it’s Ncipher, you’ll see that the provider of the Ncipher will fail.

Steps done

• We did run certutil -csplist to check whether the SafeNet Key Storage Provider was configured correctly.
• If there is a provider failed to pass the test. You can check the configuration under the registry entries under
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration \CA NAME\CSP

Solution

This issue often occurs when CA uses the HSM and HSM is incorrectly configured.

• Verify that the connectivity of HSM is properly configured.
• HSM’s cryptographic service provider should be loaded/initialized properly (re-register and reconfiguring along with a reboot).