Details of the event with ID 75 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 75 (0x825A004B)
Event log: Application
Event type: Warning
Event text (English): Certificate enrollment for %1 failed in authentication to policy server %2 with ID %3 (%6). Authentication mechanism was %5 (Credential: %4).
Event text (German): Certificate enrollment error for %1 when authenticating for policy server %2 with ID %3 (%6). Authentication mechanism used %5 (credentials: %4).
Continue reading "Details of the event with ID 75 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

Details of the event with ID 86 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 86 (0xC25A0056)
Event log: Application
Event type: Error
Event text (English): SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German): Error during initialization of SCEP certificate registration for %1 via %2: %3 Method: %4 Phase: %5 %6
Continue reading "Details of the event with ID 86 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

Details of the event with ID 87 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 87 (0xC25A0057)
Event log: Application
Event type: Error
Event text (English): SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German): SCEP certificate registration error for %1 over %2: %3 Method: %4 Phase: %5 %6
Continue reading "Details of the event with ID 87 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN)
  • A certificate should be requested via autoenrollment, but this does not happen.
  • A connection test (certutil -ping) to the certification authority returns the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
Continue reading "No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)"

New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers apply for new certificates at regular intervals and long before the defined renewal period.
Continue reading "New certificates are regularly requested via Autoenrollment"

Automatic renewal of manually requested certificates without intervention of a certificate manager

Assume a use case is implemented for certificates in which users specify, in the certificate request, the identity that the certificate will contain, and issuing such requests requires manual intervention by the certificate managers. The question then arises of how to proceed when these certificates expire or the certificate template is moved to another certification authority, so as to minimize help desk tickets and the resulting work for the certificate managers.

Continue reading "Automatic renewal of manually requested certificates without intervention of a certificate manager"

Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 4 (0x425A0004)
Event log: Application
Event type: Information
Event text (English): Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed.
Event text (German): Certificate enrollment for %1 could not access local resources or retrieve certificate template information for %2 (%3). No registration is performed.
Continue reading "Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 13 (0xC25A000D)
Event log: Application
Event type: Error
Event text (English): Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5).
Event text (German): The certificate enrollment for %1 failed to enroll for a certificate %2 with request ID %4 of %3 (%5).
Continue reading "Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 57 (0x825A0039)
Event log: Application
Event type: Information, Warning and Error
Event text (English): The "%2" provider was not loaded because initialization failed.
Event text (German): The "%2" provider was not loaded due to an initialization error.
Continue reading "Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

Details of the event with ID 82 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 82 (0x825A0052)
Event log: Application
Event type: Warning
Event text (English): Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3
Event text (German): Certificate registration error for %1 when authenticating for all URLs for the registration server associated with the following policy ID: %2 (%4). Error registering for template: %3
Continue reading "Details of the event with ID 82 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll"

Planning of certificate validity and renewal period of end entity certificates with autoenrollment

If autoenrollment is used, participants request and renew certificates on their own, without administrator involvement.

Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:

  • Validity period: Describes the overall validity of the issued certificate.
  • Renewal period: Describes the time window, counted back from the certificate's expiration date, in which automatic renewal is first attempted (e.g. 6 weeks before expiration).
Continue reading "Planning of certificate validity and renewal period of end entity certificates with autoenrollment"

Have certificate holders automatically renew all certificates issued for a certificate template

When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.

Continue reading "Have certificate holders automatically renew all certificates issued for a certificate template"

Clients connected via Virtual Private Network (VPN) do not renew certificates automatically

Assume the following scenario:

  • Client computers automatically obtain certificates from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • Expiring certificates are renewed automatically while the clients are on the internal network.
  • However, expiring certificates are not renewed automatically while the clients are connected via Virtual Private Network (VPN).
  • As a result, clients may fail to renew their certificate before it expires and are then no longer able to connect to the VPN.
Continue reading "Clients connected via Virtual Private Network (VPN) do not renew certificates automatically"

Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Component Object Model (RPC/DCOM)

The following describes the process that runs in the background when certificates are requested manually or automatically, with the aim of achieving the highest possible level of automation.

Continue reading "Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Component Object Model (RPC/DCOM)"

Manually running the autoenrollment process

By default, all domain members automatically replicate the Public Key Services object of the Active Directory forest through the autoenrollment process. The triggers for this are:

  • When the user logs on (for computers, when the computer account logs on, i.e. at system startup).
  • By timer, every 8 hours.
  • When Group Policy is refreshed, provided there has been a change.

If you do not want to wait for autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.

Continue reading "Manually running the autoenrollment process"