Configure logging level for the certification authority event log.

Some Windows events are only generated by the certification authority at or above a certain logging level.

The following describes how to determine and change the logging level of a certification authority.

Continue reading "Configure the logging level (log level) for the certification authority event log"

Certificate or revocation list issuance fails with error code CERTSRV_E_NO_DB_SESSIONS

Assume the following scenario:

  • The Certification Authority cannot issue certificates and/or
  • The Certification Authority cannot issue revocation lists.
  • At least one of the following error messages is logged:

Event ID: 53 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services denied request 12345 because An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions. 0x8009400f (-2146877425 CERTSRV_E_NO_DB_SESSIONS). The request was for CN=Rudi Ratlos. Additional information: Denied by Policy Module

Event ID: 130 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services could not create a certificate revocation list. An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions 0x8009400f (-2146877425). This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

Continue reading "Certificate or revocation list issuance fails with error code CERTSRV_E_NO_DB_SESSIONS"

Installation of a certificate authority fails with error code ERROR_INVALID_PARAMETER

Assume the following scenario:

  • A certification authority is installed
  • The role configuration fails with the following error message:
CCertSrvSetupProperty: The parameter is incorrect. 0x80070057 (WIN32: ERROR_INVALID_PARAMETER).

Continue reading "Installation of a certification authority fails with error code ERROR_INVALID_PARAMETER"

Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)"

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server
  • One has the necessary permissions to install the role (local administrator, enterprise administrator)
  • The role configuration fails with the following error message:
Failed to enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

Continue reading "Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)""

Analyze network problems with Wireshark without installing software on production systems

Often, the cause of problems with the public key infrastructure lies in the underlying network - for example, when a firewall rule is missing.

It is therefore helpful to be able to record network traffic in order to analyze it. Excellent tools exist for this purpose, such as Wireshark, but these require an installation on the system in question, which cannot and should not be done lightly on a production system.

Fortunately, the Windows Server operating system has a built-in mechanism to capture network packets. However, the resulting files are not compatible with Wireshark. The Microsoft proprietary tool, Message Analyzer, was discontinued on Nov 25, 2019 and the download links removed.

The following therefore describes how such a recording can be generated and subsequently converted into a Wireshark-compatible format in order to be able to analyze the recording away from the server in question.

Continue reading "Analyze network problems with Wireshark without having to install software on production systems"

The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.

Assume the following scenario:

  • For a certificate template, only the object identifier is shown, but not the display name and/or
  • Queries against the certificate authority database contain only the object identifier for the certificate template ("CertificateTemplate" field), but not the display name.

Continue reading "The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed."

Is there a dependency between the Network Device Enrollment Service (NDES) and the NTAuthCertificates object?

The Network Device Enrollment Service (NDES) has two Registration Authority certificates. Certificate requests are signed with the enrollment agent certificate, and one can configure the NDES device template accordingly so that certificates are only issued if the submitted certificate requests carry a corresponding signature.

If you plan to remove the certification authority connected to the NDES from the NTAuthCertificates object, the question may arise as to whether mutual dependencies need to be taken into account here - after all, Enroll on Behalf Of (EOBO) requires the presence of the certification authority certificate in NTAuthCertificates.

Continue reading "Is there a dependency between the Network Device Enrollment Service (NDES) and the NTAuthCertificates object?"

Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • An attempt is made to install a certificate authority
  • The role configuration fails with the following error message:
An error occurred when creating the new key container "ADCS Labor Issuing CA 3". Please make sure the CSP is installed correctly or select another CSP.
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).

Continue reading "Installation of a certification authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).""