When enrolling for a Symantec Managed PKI Service (MPKI) end-entity certificate, you may receive the following error message:
CRITICAL (472/2496) vsaaldap.cpp(3823):Received error (id=97): Referral hop limit exceeded, while attempting a subtree search of server <IP_ADDRESS> with: base <DN_INFO> and filter <FILTER_INFO>
This error occurs when connection to the active directory is timing out.
To resolve this issue, narrow down the verification base dn as much as possible. In the vskmsrv.cfg (MPKI 6.1.3 and below) or vsrasrv.cfg (MPKI 7.0 and above, modify to VER_LDAP_BASE_DN and restart the service. Once completed, try another test enrollment.