We're getting an error on our subordinate certificate authority logged very frequently (probably for each provisioning attempt).
The "Windows default" Exit Module "Notify" method returned an error. The requested property value is empty. The returned status code is 0x80094004 (-2146877436). The Certification Authority was unable to send an email notification for EXITEVENT_CERTISSUED to ???.
I just found a thread over on the Microsoft Technet forums from October 2008 by some guy named Matt Royer. It sounds like he knows what he's talking about.
Matt, could you possibly expand on what your issue was back then? What exactly did you mean by an "expired CRL"?
The errors that you and I have experienced are slightly different, but it appears that there may be an issue related to our subordinate CA configuration somehow.
For this issue...
Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary.
... the CRL or Certificate Revocation List was expired on the Subordinate/Issuing CA.
I would take a look at the following TechNet Articles.
So, the issue was related to an expired CRL on the subordinate CA. There are two locations on the subordinate CA where the CRL is stored, and one of them was out of date. The CRL is stored in c:\inetpub\wwwroot\certsrv (I think), and also c:\windows\system32\certsrv\certenroll. The copy of the CRL in the former location was correct, but for some reason, the CRL was being pulled from the System32 location. This was validated by using the command: certutil -urlfetch -verify vProClientCert.cer.
I've attached two log files with the output from the certutil command, before and after fixing the problem. In the badlog.txt file, you'll see a lot more errors about failing the revocation check than in the goodlog.txt.
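
The check described in the post above, as an added example that is not part of the original thread: it lists every CRL copy in the two directories named there, reads each NextUpdate with certutil -dump, and warns when a copy is expired or when same-named copies differ. The directory paths are taken from the post (one of them was given as "I think"), and the locale-dependent date format of the certutil output is an assumption.

```powershell
# Added example. The two directories are the ones named in the post above
# (the wwwroot path was given there as "I think"); adjust to your CA.
$dirs = 'c:\inetpub\wwwroot\certsrv',
        'c:\windows\system32\certsrv\certenroll'

$now = Get-Date
$copies = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Filter *.crl -ErrorAction SilentlyContinue |
    ForEach-Object {
        # certutil -dump prints the CRL's ThisUpdate and NextUpdate fields.
        $line = certutil -dump $_.FullName |
                Select-String -Pattern '^\s*NextUpdate:\s*(.+?)\s*$' |
                Select-Object -First 1
        $next = $null
        if ($line) {
            # Assumption: certutil prints dates in the current locale's format.
            $parsed = [datetime]::MinValue
            if ([datetime]::TryParse($line.Matches[0].Groups[1].Value, [ref]$parsed)) {
                $next = $parsed
            }
        }
        [pscustomobject]@{
            Name       = $_.Name
            Directory  = $dir
            NextUpdate = $next
            Expired    = ($null -ne $next -and $next -lt $now)
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$copies | Sort-Object Name, Directory |
    Format-Table Name, Directory, NextUpdate, Expired -AutoSize

# Same file name in both directories but different content: one copy is stale.
$copies | Group-Object Name | ForEach-Object {
    $hashes = $_.Group | Select-Object -ExpandProperty SHA256 -Unique
    if (@($hashes).Count -gt 1) {
        Write-Warning "$($_.Name): copies differ between directories"
    }
    foreach ($c in $_.Group | Where-Object { $_.Expired -or -not $_.NextUpdate }) {
        Write-Warning "$($c.Directory)\$($c.Name): NextUpdate is past or unreadable"
    }
}
```

Run it in an elevated PowerShell session on the subordinate CA; it only reads the CRL files and changes nothing.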