Details of the event with ID 22 of the source Microsoft-Windows-CertificationAuthority

Event Source:	Microsoft-Windows-CertificationAuthority
Event ID:	22 (0x16)
Event log:	Application
Event type:	Error
Symbolic Name:	MSG_E_PROCESS_REQUEST_FAILED_WITH_INFO
Event text (English):	Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. Additional information: %4
Event text (German):	The request %1 could not be executed due to an error: %2. The request was for %3. More information: %4

Parameter

The parameters contained in the event text are filled with the following fields:

• %1: RequestId (win:UnicodeString)
• %2: ErrorCode (win:UnicodeString)
• %3: SubjectName (win:UnicodeString)
• %4: AdditionalInformation (win:UnicodeString)

Example events

Active Directory Certificate Services could not process request 16701 due to an error: The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT).  The request was for C=CLIENT2, C=DE, OU=ADCS Labor, OU=IT, S=Bavaria.  Additional information: Error Parsing Request

Active Directory Certificate Services could not process request 10 due to an error: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER). The request was for INTRA\CLIENT2$. Additional information: Error Cannot Process TPM Attestation

Active Directory Certificate Services could not process request 20 due to an error: Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA). The request was for INTRA\rudi. Additional information: Error Archiving Private Key

Active Directory Certificate Services could not process request 77 due to an error: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND). The request was for CN=WEB01.intra.adcslabor.de. Additional information: Error Parsing Request

Active Directory Certificate Services could not process request 193 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE). The request was for CN=SCEP test. Additional information: Error Verifying Request Signature or Signing Certificate.

Active Directory Certificate Services could not process request 767 due to an error: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA).  The request was for INTRA\Administrator.  Additional information: Error Verifying Request Signature or Signing Certificate

Active Directory Certificate Services could not process request 12345 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED). The request was for CN=Rudi Ratlos. Additional information: Error Verifying Request Signature or Signing Certificate

Active Directory Certificate Services could not process request 14 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED). The request was for CN=www.bla.de. Additional information: Error Parsing Request

Active Directory Certificate Services could not process request 110868 due to an error: ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG).  The request was for INTRA\rudi.  Additional information: Error Parsing Request

Active Directory Certificate Services could not process request 5 due to an error: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED). The request was for CN=Rudi Ratlos. Additional information: Error verifying access

Active Directory Certificate Services could not process request 12345 due to an error: A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING). The request was for CN=Rudi Ratlos. Additional information: Error Verifying Request Signature or Signing Certificate

Active Directory Certificate Services could not process request 12345 due to an error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT). The request was for CN=Rudi Ratlos. Additional information: Error Verifying Request Signature or Signing Certificate

Active Directory Certificate Services could not process request 12345 due to an error: The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK). The request was for CN=Rudi Ratlos. Additional information: Error Verifying Request Signature or Signing Certificate

Active Directory Certificate Services could not process request 111022 due to an error: ASN1 unexpected end of data. 0x80093102 (ASN: 258 CRYPT_E_ASN1_EOD).  The request was for INTRA\rudi.  Additional information: Error Parsing Request

Description

For this event, special attention should be paid to the error code entered in the event text (parameter %2, ErrorCode):

Error code CERTSRV_E_BAD_REQUESTSTATUS

This error occurs when a certificate request Key based Renewal is attempted but the EDITF_ENABLERENEWONBEHALFOF flag is not set on the certificate authority.

Error code CERTSRV_E_BAD_REQUESTSUBJECT

This error occurs when the certificate authority cannot verify the subject part of an incoming certificate request. See also the article "Certificate request fails with error message ".Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)"„.

• As can be seen in the example event, the applicant's identity was accidentally entered in Country (C) rather than in the Common Name (CN) RDN. The Country field but allows only two digits (optimally the one after ISO 3166 defined country codes), so that the certificate request could not be processed by the certification authority and was therefore rejected.
• There was a unauthorized Relative Distinguisghed Name (RDN) in the subject of the certificate request.
• The Applicant (Subject) field in the certificate request is identical to that of the certification authority.
• An RDN requested in the Applicant (Subject) field (e.g. Common Name) is longer than allowed. See also article Certificate request fails with error message "Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)"..

Error code ERROR_INVALID_PARAMETER

This error can occur when a Windows 10 client tries to obtain a certificate with Trusted Platform Module (TPM) key attestation from a Windows Server 2012 R2 certificate authority. The error was fixed with KB3154769, which is available in the June 2016 update rollup for Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2 is included.

Error code CERTSRV_E_NO_VALID_KRA

See article "Certificate request fails with error message "Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)".„.

Error code ERROR_FILE_NOT_FOUND

See article "Certificate request fails with error message "The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)".„.

Error code CERT_E_UNTRUSTEDCA

See article "Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"„.

Error code CRYPT_E_NO_REVOCATION_CHECK

Occurs when the revocation status of the certification authority certificate cannot be checked, e.g. because the revocation list is not available or has expired.

Occurs when the autoenrollment permission is set on a certificate template for OCSP password signing and thus certificate requests are signed with an OCSP password signing certificate. Revocation status checking is then not possible because these certificates do not contain revocation status information. See article "Certificate requests for the online responder (OCSP) fail sporadically with error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)"„.

Error code CRYPT_E_ASN1_BADTAG

Occurs when the submitted certificate request could not be processed, i.e. most likely invalid data was sent to the certification authority instead of a certificate request.

Error code CRYPT_E_ASN1_EOD

See error code CRYPT_E_ASN1_BADTAG.

Error code ERROR_ACCESS_DENIED

Occurs, for example, when a certificate is to be retrieved that was not requested by the requesting account. This can indicate an attack attempt and, if it occurs more frequently, should possibly be alerted.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".

Related links:

• Overview of Windows events generated by the certification authority
• Overview of audit events generated by the Certification Authority
• Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates

External sources

• Event ID 22 - AD CS Certificate Request (Enrollment) Processing (Microsoft)
• Securing Public Key Infrastructure (PKI) (Microsoft)
• ISO-3166-1-Kodierliste (Wikipedia)