The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.
Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)".
Assume the following scenario:
- A network device enrollment service (NDES) is implemented in the network.
- Requesting a certificate fails with the following error message:
"The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)"
Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".
Assume the following scenario:
- A network device enrollment service (NDES) is implemented in the network.
- Requesting a certificate fails with the following error message:
"The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)"
Requesting certificates via Network Device Enrollment Service (NDES) fails with HTTP error code 500
Assume the following scenario:
- A network device enrollment service (NDES) is implemented in the network.
- The NDES server uses a domain account for the identity of the SCEP IIS application pool.
- Requesting certificates via NDES fails with HTTP error code 500 (Internal Server Error).
- Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
- Even after an iisreset or a restart of the NDES server, calling the mscep or mscep_admin page produces no event indicating that the NDES service has started or that errors occurred.
The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"
Assume the following scenario:
- An NDES server is configured on the network.
- When accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin), HTTP error 500 (Internal Server Error) is reported with error code 0x80004005.
- Events No. 2 and No. 8 are stored in the application event log:
"The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"
Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES)
It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.
The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).
Certificate enrollment policy check via Certificate Enrollment Policy (CEP) web service fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED".
Assume the following scenario:
- Users (or computers) should request certificates via the Certificate Enrollment Policy (CEP) web service.
- For this purpose, a certificate enrollment policy is configured, which points to a Certificate Enrollment Policy Web Service (CEP).
- Authentication is done via Kerberos.
- When checking the address, the connection to the CEP fails and you get the following error message:
An error occurred while obtaining certificate enrollment policy.
Url: https://cews.adcslabor.de/ADCS%20Labor%20Issuing%20CA%201_CES_Kerberos/service.svc/CES
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Overview of audit events generated by the Certification Authority
The following is an overview of the audit events generated by the certification authority in the Windows Event Viewer.
In contrast to operational events, which are commonly grouped under the term "monitoring", auditing for the certification authority means configuring the logging of security-relevant events.
Login via smart card using Remote Desktop (RDP) fails with error message "The requested key container does not exist on the smart card."
Assume the following scenario:
- A user logs on to a remote desktop system using the smart card logon function.
- The user uses a Yubico YubiKey as a smart card. The required middleware is installed on both the local and the remote system.
- The login fails with the following error message:
"The system could not log you on. The requested key container does not exist on the smart card."
Overview of Windows events generated by the certification authority
The following is an overview of the events generated by the certification authority in the Windows Event Viewer.
Overview of Windows events generated by the Certificate Enrollment Policy (CEP) service
The following is an overview of the events generated by the Certificate Enrollment Policy (CEP) service in the Windows Event Viewer.
The events of the Certificate Enrollment Policy Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.
Overview of Windows events generated by the Certificate Enrollment Web Service (CES)
The following is an overview of the events generated by the Certificate Enrollment Web Service (CES) in the Windows Event Viewer.
The events of the Certificate Enrollment Web Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.
Overview of Windows events generated by the Network Device Enrollment Service (NDES)
The following is an overview of the events generated by the Network Device Enrollment Service (NDES) in the Windows Event Viewer.
The events of the Network Device Enrollment Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.
Overview of Windows events generated by the online responder (OCSP)
The following is an overview of the events generated by the online responder (OCSP) in the Windows Event Viewer.
The events of the online responder are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.
Combination of online responder (OCSP) with delta CRL and revocation list distribution point (CDP) without delta revocation list for increased resilience
OCSP responses from a Microsoft OCSP responder are valid for exactly as long as the underlying revocation list. In some scenarios, you may want to reduce OCSP validity times by using delta CRLs. At the same time, however, no delta CRL should be used for the revocation lists entered in the CDP paths, in order to enable a fallback to a CRL with a longer validity.