There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.
Continue reading „Der Zertifikatregistrierungs-Richtliniendienst zeigt Zertifikatvorlagen, die auf Kompatibilität mit Windows Server 2016 oder Windows 10 konfiguriert sind, nicht an“Tag: Certificate Enrollment Policy Web Service (CEP)
Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)".
Assume the following scenario:
- An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services.
- The request fails with the following error message:
Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)Continue reading „Die Beantragung eines Zertifikats über die Zertifikatregistrierungs-Webdienste mittels Windows PowerShell schlägt fehlt mit Fehlermeldung „Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)““
Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services. The name of the certificate template is included with the -Template argument.
- The request fails with the following error message:
Get-Certificate : CertEnroll::CX509CertificateTemplates::get_ItemByName: Cannot find object or property. 0x80092004Continue reading „Die Beantragung eines Zertifikats über die Zertifikatregistrierungs-Webdienste mittels Windows PowerShell schlägt fehlt mit Fehlermeldung „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““
(-2146885628 CRYPT_E_NOT_FOUND)
Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)
Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on the CEP components.
Continue reading „Benötigte Windows-Sicherheitsberechtigungen für den Certificate Enrollment Policy Web Service (CEP)“Classification of ADCS components in the Administrative Tiering Model
If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.
Continue reading „Einordnung der ADCS-Komponenten in das administrative Schichtenmodell (Administrative Tiering Model)“Performing a functional test for the Certificate Enrollment Policy Web Service (CEP)
After installing a Certificate Enrollment Policy Web Service (CEP), or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components are working as desired.
Continue reading „Funktionstest durchführen für den Certificate Enrollment Policy Web Service (CEP)“Configure the Certificate Enrollment Web Service (CES) to work with a Group Managed Service Account (gMSA).
For security reasons, it may make sense to operate the CES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.
Continue reading „Den Certificate Enrollment Web Service (CES) für den Betrieb mit einem Group Managed Service Account (gMSA) konfigurieren“Required Firewall Rules for Certificate Enrollment Policy (CEP) Web Service
Implementing a Certificate Enrollment Policy (CEP) web service often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.
Continue reading „Benötigte Firewallregeln für den Zertifikatregistrierungsrichtlinien-Webdienst (CEP)“Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "The requested certificate template is not supported by this CA."
Assume the following scenario:
- You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
- The operation fails with the following error message:
The requested certificate template is not supported by this CA.Continue reading „Die Beantragung eines Zertifkats über den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit Fehlermeldung „The requested certificate template is not supported by this CA.““
Enable debug logging for Certificate Enrollment Policy Web Service (CEP)
When trying to track down an error in the Certificate Enrollment Policy Web Service (CEP), it is helpful to enable debug logging.
Continue reading „Debug Protokollierung für den Certificate Enrollment Policy Web Service (CEP) aktivieren“Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "ERROR_WINHTTP_CONNECTION_ERROR".
Assume the following scenario:
- You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
- The operation fails with the following error message:
Error: The server connection was terminated due to an error. 0x80072efe (WinHttp:12030) ERROR_WINHTTP_CONNECTION_ERRORContinue reading „Die Beantragung eines Zertifkats über den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit Fehlermeldung „ERROR_WINHTTP_CONNECTION_ERROR““
Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."
Assume the following scenario:
- You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
- To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
- However, the list of available certificate templates within the MMC is completely empty.
- In the list of available certificate templates within the MMC, all certificate templates are displayed. At all desired certificate templates it is written:
Cannot find Object or property. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit Fehlermeldung „A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.““
Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".
Assume the following scenario:
- A user requests a certificate.
- An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
- The connection to the CEP fails and the user receives the following error message:
Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIEDContinue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit Fehlermeldung „Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED““
The role configuration for the Certificate Enrollment Policy Web Service (CEP) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".
Assume the following scenario:
- A role configuration for the Certificate Enrollment Policy Web Service (CEP) is performed.
- The role configuration fails with the following error message:
CCertificateEnrollmentPolicyServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)Continue reading „Die Rollenkonfiguration für den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit Fehlermeldung „Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““
Role configuration for Certificate Enrollment Policy Web Service fails with error message "The argument is null or empty."
Assume the following scenario:
- A role configuration for the Certificate Enrollment Policy Web Service (CEP) is performed using PowersShell (Install-AdcsEnrollmentPolicyWebService).
- The role configuration fails with the following error message:
Cannot validate argument on parameter 'SSLCertThumbprint'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.Continue reading „Die Rollenkonfiguration für den Certificate Enrollment Policy Web Service schlägt fehl mit Fehlermeldung „The argument is null or empty.““
English 
Deutsch