Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services has existed in its basic form (albeit under a different name) since Windows NT 4.0. The Active Directory-based architecture in use today was introduced with Windows 2000 Server. AD CS is tightly integrated into the Windows ecosystem and remains very popular with enterprises and government agencies of all sizes worldwide.

The many possibilities offered by Active Directory Certificate Services are frequently pointed out. What cannot be done with them is rarely mentioned, however, and the product has meanwhile reached its limits in a number of places.

These limits are described in more detail below so that it is easier to decide whether AD CS is the right solution for a planned project.


Details of the event with ID 80 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 80 (0x825A0050)
Event log: Application
Event type: Warning
Event text (English): Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported
Event text (German): Certificate enrollment for %1 cannot enroll for a %2 certificate because the %3 certificate enrollment server is a ROBO server and only renewal is supported.

The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A role configuration for the Certificate Enrollment Web Service (CES) is performed.
  • The role configuration fails with the following error message:
CCertificateEnrollmenServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

  • A role configuration for the Certificate Enrollment Web Service (CES) is performed.
  • The role configuration fails with the following error message:
The Certificate Enrollment Web Service Setup failed because the CA "CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1" cannot be contacted. Check the name, and confirm that the CA is properly configured and available. The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role service belonging to Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certification Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Responder (OCSP, Online Certificate Status Protocol)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
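The three setup failures above (CES access denied, CES unable to reach the CA over RPC, WS-Management refusing remote shell requests) depend on a small set of preconditions that can be checked before the role configuration is started. The following pre-flight script is an added example and not code from the original posts; it reuses the CA configuration string quoted in the error message above and assumes it is run in an elevated Windows PowerShell 5.1 session on the host that is about to become the CES.

```powershell
# Added example: pre-flight checks before the CES role configuration.
# Assumes an elevated Windows PowerShell 5.1 session on the future CES host.
$CaConfig = 'CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1'   # from the error message above
$CaHost   = ($CaConfig -split '\\')[0]

# --- RPC_S_SERVER_UNAVAILABLE (1722): name resolution, CA service, RPC reachability ---
$dns = Resolve-DnsName -Name $CaHost -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "$CaHost does not resolve" }

# The endpoint mapper on TCP 135 is the first hop of every DCOM/RPC call to the CA;
# the dynamic RPC port range (or the fixed port configured on the CA) must be open as well.
$epm = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
if (-not $epm.TcpTestSucceeded) { Write-Warning "TCP 135 on $CaHost is not reachable (firewall or host down)" }

# The CA service itself (CertSvc) has to be running for its RPC interface to be registered.
$svc = Get-Service -Name CertSvc -ComputerName $CaHost -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { Write-Warning "CertSvc on $CaHost is not running (or not queryable)" }

# --- ERROR_ACCESS_DENIED (5) vs. RPC failure: certutil -ping uses the same DCOM interface as the setup ---
# Exit code 0 = the CA answered; any other value is the HRESULT (0x800706ba, 0x80070005, ...).
certutil -ping -config $CaConfig | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning ('certutil -ping against "{0}" failed with 0x{1:X8}' -f $CaConfig, $LASTEXITCODE)
}

# --- "The service is configured to not accept any remote shell requests." ---
# Server Manager drives role installation and configuration through WinRM, so WinRS must allow remote shells.
$allowShell = (Get-Item -Path 'WSMan:\localhost\Shell\AllowRemoteShellAccess').Value
if ($allowShell -ne 'true') {
    Write-Warning "WinRS AllowRemoteShellAccess is '$allowShell'; this is typically set by the GPO 'Windows Remote Shell > Allow Remote Shell Access'"
}
# The effective value and whether it comes from a GPO can also be read with:
winrm get winrm/config/winrs
```

A clean run prints no warnings. If certutil -ping fails with 0x80070005 although TCP 135 and CertSvc check out, the problem is authorization rather than connectivity, which separates the first failure above from the second before the role configuration is retried.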

Details of the event with ID 20 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 20 (0x14)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): A service end point with URI %1 has been configured for this service. The client authentication scheme is %2. Only policies that contain certificate templates that are enabled for key based renewal will be returned to the client. Use the Group Policy Management Console or the Certificates snap-in to configure clients with this Certificate Enrollment Policy Web Service information.
Event text (German): A service endpoint with URI "%1" has been configured for this service. The client authentication scheme is "%2". Only policies with certificate templates configured for key-based renewal are returned to the client. Use the Group Policy Management Console or the Certificates snap-in to configure clients with information from this certificate enrollment policy web service.

Details of the event with ID 21 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 21 (0x15)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): A service end point with URI %1 has been configured for this service. The client authentication scheme is %2. Only policies that contain certificate templates that are enabled for key based renewal will be returned to the client. Client certificates without subject information in the Active Directory database can be used to retrieve certificate templates. Use the Group Policy Management Console or the Certificates snap-in to configure clients with this Certificate Enrollment Policy Web Service information.
Event text (German): A service endpoint with URI "%1" has been configured for this service. The client authentication scheme is "%2". Only policies with certificate templates configured for key-based renewal are returned to the client. Certificate templates can be retrieved with client certificates that have no subject information in the Active Directory database. Use the Group Policy Management Console or the Certificates snap-in to configure clients with information from this Certificate Enrollment Policy Web Service.

Details of the event with ID 17 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 17 (0x11)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): A certification authority %1 has been loaded. For additional information, please refer to the EventData section of the Details pane.
Event text (German): The certification authority "%1" has been loaded. For more information, see the "Event data" section of the details pane.

Details of the event with ID 18 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 18 (0x12)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): For a list of the OIDs which are loaded please refer to the "Details" pane.
Event text (German): A list of loaded OIDs can be found in the details pane.

Details of the event with ID 19 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 19 (0x13)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The Certificate Enrollment Policy Web Service cannot operate because Windows authentication is not compatible with key based renewal. To resolve this issue, remove the Certificate Enrollment Policy Web Service. Reconfigure the Setup options to disable key based renewal, or select either user name and password authentication or client certificate authentication, and then run Setup again.
Event text (German): The Certificate Enrollment Policy web service cannot run because Windows authentication is not compatible with key-based renewal. Remove the certificate enrollment policy web service to resolve the issue. Reconfigure Setup options to disable key-based renewal, or select either username/password authentication or client certificate authentication, and then run Setup again.
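Events 19, 20 and 21 above describe which authentication scheme and key-based-renewal combinations the Certificate Enrollment Policy Web Service accepts, and CertEnroll event 80 further up describes what a client sees when it asks a renewal-only CES for a new certificate. The following PowerShell snippet is an added example, not code from the original posts; it places the rejected role configuration next to the working one. The SSL certificate thumbprint is a placeholder, the CA configuration string is the one quoted in the error message earlier on this page, and the snippet assumes elevated Windows PowerShell on a host on which the CEP and CES role services are already installed.

```powershell
# Added example: CEP/CES role configuration for key-based renewal.
# Placeholders: SSL certificate thumbprint and CA configuration string.
$Tp       = '0123456789ABCDEF0123456789ABCDEF01234567'
$CaConfig = 'CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1'

# Rejected combination (the one event 19 reports): Windows authentication cannot be paired with
# key-based renewal. Kept as a comment only; the remedy in the event text is to remove the CEP and
# re-run setup either without -KeyBasedRenewal or with -AuthenticationType Certificate / UserName.
# Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -KeyBasedRenewal -SSLCertThumbprint $Tp

# Working combination: client certificate authentication plus key-based renewal.
# CEP then logs event 20 or 21 with the endpoint URI and the authentication scheme.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -KeyBasedRenewal -SSLCertThumbprint $Tp -Force

# Matching CES for the same CA: renewal-only mode with key-based renewal allowed.
# A client that sends an initial enrollment to this endpoint gets CertEnroll event 80 ("... is ROBO").
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -AuthenticationType Certificate -SSLCertThumbprint $Tp -RenewalOnly -AllowKeyBasedRenewal -Force

# Show the resulting endpoints as IIS sees them (CEP and CES are IIS applications).
Import-Module WebAdministration
Get-WebApplication |
    Where-Object { $_.Path -match 'ADPolicyProvider|_CES_' } |
    Format-Table Path, ApplicationPool, PhysicalPath -AutoSize
```

Clients are then pointed at the CEP endpoint via Group Policy or the Certificates snap-in, as the texts of events 20 and 21 say; the URI they need is the one those events record.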

Details of the event with ID 8 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 8 (0x8)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The Active Directory certificate enrollment policy provider failed to initialize. Try to restart Internet Information Services (IIS) by using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, attempt to obtain policy information from any client, and then contact Microsoft Customer Service and Support with the trace file information. %1
Event text (German): Error initializing the Active Directory certificate enrollment policy provider. Restart Internet Information Services (IIS) by running iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, retrieve policy information from any client, and then contact Microsoft Customer Service and Support with the information in the tracing file. %1

Details of the event with ID 9 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 9 (0x9)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The Active Directory certificate enrollment policy provider failed to obtain policy information from Active Directory Domain Services (AD DS). The provider will attempt to read the information again in %1 milliseconds. If the problem persists, enable tracing in the web.config file, enable logging by using "certutil -setreg debug 0xffffffe3", restart IIS by using iisreset.exe, attempt to obtain policy information from any client, and then contact Microsoft Customer Service and Support with the information in the trace files and certenroll.log file. %2
Event text (German): The Active Directory certificate enrollment policy provider could not retrieve the policy information from Active Directory Domain Services. In "%1" milliseconds, it tries to read the information again. If the problem persists, enable tracing in the web.config file, enable logging by using certutil -setreg debug 0xffffffe3, restart IIS, retrieve policy information from any client, and then contact Microsoft Customer Service and Support with the information in the tracing files and the certenroll.log file. %2

Details of the event with ID 10 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 10 (0xA)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Warning
Event text (English): There is no enterprise certification authority (CA) configured with the Certificate Enrollment Web Service in the current forest. Confirm that at least one enterprise CA is available in the forest and that at least one server running the Certificate Enrollment Web Service is configured to work with this CA.
Event text (German): The current forest does not contain an enterprise certificate authority configured with the certificate enrollment web service. Ensure that at least one enterprise certificate authority is available in the forest and at least one server running the certificate enrollment web service is configured to work with the enterprise certificate authority.

Details of the event with ID 11 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 11 (0xB)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Warning
Event text (English): No certificate templates in the forest are configured to be sent as part of the policy response. Confirm that the server hosting the Certificate Enrollment Policy Web Service has Read permission to the required templates in this forest and that at least one server hosting the Certificate Enrollment Web Service is configured to work with the certification authorities (CAs) configured to issue the required templates.
Event text (German): No certificate templates have been configured in the forest to be sent as part of the policy response. Ensure that the server running the certificate enrollment policy web service has read permission for the required templates in the forest. Also, ensure that at least one server with the certificate enrollment web service is configured to work with the certificate authorities configured to issue the required templates.

Details of the event with ID 12 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 12 (0xC)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The certification authority (CA) "%1" cannot be sent as part of the policy response. Confirm that this CA is running and that at least one Certificate Enrollment Web Service is configured to use this CA. %2
Event text (German): The certificate authority "%1" cannot be sent as part of the policy response. Ensure that the certificate authority is running and at least one certificate enrollment web service is configured to use the certificate authority. %2
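The events documented on this page are spread over two logs: the Certificate Enrollment Policy Web Service writes to Microsoft-Windows-EnrollmentPolicyWebService/Admin on the CEP host, while the client-side event 80 lands in the Application log under the CertEnroll provider. The following triage functions are an added example and not part of the original posts; they pull the IDs listed above from both logs and annotate each with a one-line meaning condensed from the event texts. Host name and time window are parameters with assumed defaults.

```powershell
# Added example: triage query for the CEP/CES events listed on this page.
# Meanings are condensed from the event texts above (IDs 8-12 and 17-21).
$CepMeaning = @{
    8  = 'AD policy provider failed to initialize (iisreset, then enable tracing)'
    9  = 'AD policy provider could not read policy from AD DS, retrying'
    10 = 'no enterprise CA in the forest is configured with a CES'
    11 = 'no templates returned (template Read permission / CES-to-CA mapping)'
    12 = 'CA cannot be sent in the policy response (CA down or no CES for it)'
    17 = 'CA loaded'
    18 = 'OIDs loaded'
    19 = 'Windows authentication + key-based renewal: service will not operate'
    20 = 'endpoint configured, key-based renewal templates only'
    21 = 'endpoint configured, key-based renewal templates only, no AD subject info required'
}

function Get-CepEventSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumed default: local CEP host
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-EnrollmentPolicyWebService/Admin'
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent reports "No events were found" as an error.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Level   = $_.LevelDisplayName
                Meaning = $CepMeaning[[int]$_.Id]
                Message = ($_.Message -split "`r?`n")[0]   # first line only, keeps the table readable
            }
        }
}

# Client side: CertEnroll event 80 (renewal-only CES asked for a new certificate), Application log.
function Get-CertEnrollRoboEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        Id           = 80
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

# Errors and warnings first: 8, 9, 12 and 19 are the ones that stop policy delivery outright.
Get-CepEventSummary |
    Sort-Object @{ Expression = { $_.Level -eq 'Information' } }, Time -Descending |
    Format-Table -AutoSize

Get-CertEnrollRoboEvent | Format-List TimeCreated, MachineName, Message
```

Run on the CEP host, the first table shows at a glance whether the service came up cleanly (17, 18, then 20 or 21) or stalled on one of the error IDs; run on a client, the second list confirms that an initial enrollment was steered to a renewal-only CES rather than failing for a certificate-template reason.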