Nachfolgend eine Übersicht über die für die von Windows-Zertifikat-Clients erzeugten Ereignisse in der Windows-Ereignisanzeige, deren Aktivierung und deren Identifikation.
Connaissez-vous TameMyCerts? TameMyCerts est un add-on pour l'autorité de certification Microsoft (Active Directory Certificate Services). Il étend la fonction de l'autorité de certification et permet de Application de la réglementationIl s'agit d'un logiciel de gestion des certificats qui permet d'automatiser l'émission de certificats en toute sécurité. TameMyCerts est unique dans l'écosystème Microsoft, a déjà fait ses preuves dans d'innombrables entreprises du monde entier et est disponible sous une licence libre. Il peut téléchargé via GitHub et être utilisé gratuitement. Une maintenance professionnelle est également proposée.
Protokollierung konfigurieren
Damit Ereigniss, die über Fehler und Warnungen hinausgehen, protokolliert werden, muss im betreffenden Bereich (je nachdem, ob es sich um ein Benutzer- oder Computerzertifikat handelt) eine „LogLevel“ Direktive (analog zur Zertifizierungsstelle) mit entsprechendem Inhalt angelegt werden.
Die LogLevel Direktive ersetzt die zuvor verwendete AEEventLogLevel Direktive.
| Chemin d'accès | Description |
|---|---|
| HKCU\Logiciel\Microsoft\Cryptography\AutoEnrollment | Paramètres utilisateur, configurés localement |
| HKLM\Logiciel\Microsoft\Cryptography\AutoEnrollment | Paramètres de l'ordinateur, configurés localement |
Mit folgendem Kommandozeilenbefehl kann die erweiterte Protokollierung für den Benutzer- als auch den Systemkontext konfiguriert werden. Es werden alle Ereignisse der Typen „Error“, „Warning“ und „Information“ ausgegeben.
certutil –setreg Enroll\LogLevel 4
L'augmentation du niveau de journalisation peut générer un grand nombre d'événements. Il faut donc s'assurer que le journal des événements peut croître en conséquence. Dans le cas contraire, les événements antérieurs seront écrasés. Il est conseillé de n'augmenter le niveau de journalisation que temporairement.
Die Änderungen werden direkt ohne Neuanmeldung bzw. Neustart aktiv.
Das Setzen des Schlüssels im Benutzerkontext mit dem Parameter -user hat keine Auswirkungen.
Les valeurs numériques sont traduites dans les variables suivantes :
| Valeur | Signification | Notes |
|---|---|---|
| 0 | CERTLOG_MINIMAL | |
| 1 | CERTLOG_TERSE | |
| 2 | CERTLOG_ERROR | |
| 3 | CERTLOG_WARNING | Aktiviert zusätzlich Ereignisse des Levels „Warning“ (réglage par défaut) |
| 4 | CERTLOG_VERBOSE | Aktiviert zusätzlich Ereignisse des Levels „Information“ |
| 5 | CERTLOG_EXHAUSTIF |
Das Zurücksetzen der Protokollierung auf die Standardwerte wird durch löschen des zuvor angelegten Schlüssels erreicht.
certutil –delreg Enroll\LogLevel
Sources d'événements
- Microsoft-Windows-CertificateServicesClient-AutoEnrollment
- Microsoft-Windows-CertificateServicesClient
- Microsoft-Windows-CertificateServicesClient-CertEnroll
Événements
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Mit folgendem Windows PowerShell Befehl können die Ereignisse ausgelesen werden:
Get-WinEvent -FilterHashtable @{
Logname='Application'
ProviderName='Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
}
| ID | Type | Texte de l'événement |
|---|---|---|
| 1 | Information | Automatic certificate enrollment for %1 failed to download certificates for %2 store from %3 (%4). %5 |
| 2 | Information | Automatic certificate enrollment for %1 started. |
| 3 | Information | Automatic certificate enrollment for %1 completed. |
| 4 | Information | Automatic certificate enrollment for %1 invoked the enrollment API. |
| 5 | Information | Automatic certificate enrollment for %1 returned from the enrollment API. |
| 6 | Erreur | Automatic certificate enrollment for %1 failed (%2) %3. |
| 15 | Avertissement | Automatic certificate enrollment for %1 failed to contact the active directory (%2). %3 Enrollment will not be performed. |
| 64 | Avertissement | Certificate for %1 with Thumbprint %2 is about to expire or already expired. |
Microsoft-Windows-CertificateServicesClient
Mit folgendem Windows PowerShell Befehl können die Ereignisse ausgelesen werden:
Get-WinEvent -FilterHashtable @{
Logname='Application'
ProviderName='Microsoft-Windows-CertificateServicesClient'
}
| ID | Type | Texte de l'événement |
|---|---|---|
| 1 | Information | Certificate Services Client has been started successfully. |
| 2 | Information | Certificate Services Client has been stopped. |
| 3 | Information | Certificate Services Client has detected network connectivity. |
| 4 | Information | Certificate Services Client has detected network dis-connectivity. |
| 501 | Avertissement | Certificate Services Client is triggered with bad parameters: %1. |
| 502 | Avertissement | Certificate Services Client failed to register Group Policy notifications. Error code: %1. |
| 1001 | Erreur | Certificate Services Client failed to load Provider %1. Error code %2. |
| 1002 | Erreur | Certificate Services Client cannot find the required interface in Provider %1. Error code %2. |
| 1003 | Erreur | Certificate Services Client failed to invoke the Providers in response to event %1. Error code %2. |
| 1004 | Erreur | Certificate Services Client Provider %1 raised an exception. Exception code %2. |
Microsoft-Windows-CertificateServicesClient-CertEnroll
Mit folgendem Windows PowerShell Befehl können die Ereignisse ausgelesen werden:
Get-WinEvent -FilterHashtable @{
Logname='Application'
ProviderName='Microsoft-Windows-CertificateServicesClient-CertEnroll'
}
| ID | Type | Texte de l'événement |
|---|---|---|
| 4 | Information | L'inscription au certificat pour %1 n'a pas permis d'accéder aux ressources locales ou de récupérer les informations du modèle de certificat %2 (%3). L'enrôlement n'a pas été effectué. |
| 5 | Information | Certificate enrollment for %1 could not find any valid certificate templates. Enrollment was not performed. |
| 6 | Erreur | Certificate enrollment for %1 could not find a valid certificate template to match %2. Enrollment was not performed. |
| 9 | Erreur | Certificate enrollment for %1 was denied by %3 when retrieving the pending request for a %2 certificate with request ID %4. |
| 10 | Information | Inscription de certificats pour %1 archivés ou supprimés, à partir du magasin de certificats personnels, certificats expirés, révoqués ou remplacés. |
| 11 | Avertissement | Certificate enrollment for %1 could not find a certification authority in the enterprise. Enrollment was not performed. |
| 13 | Erreur | L'inscription au certificat pour %1 a échoué pour un certificat %2 avec l'ID de demande %4 de %3 (%5). |
| 14 | Success | Certificate enrollment for %1 received a %2 certificate with request ID %4 from %3 when retrieving pending requests. |
| 15 | Avertissement | Certificate enrollment for %1 failed to retrieve certificate template information from the Policy Server. Enrollment was not performed. |
| 16 | Erreur | Certificate enrollment for %1 failed to renew a %2 certificate with request ID %4 from %3 (%6). The certificate which failed to renew is %5 |
| 17 | Avertissement | Certificate enrollment for %1 failed to enroll for a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted. |
| 18 | Avertissement | Certificate enrollment for %1 failed to renew a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted. |
| 19 | Information | Certificate enrollment for %1 successfully received a %2 certificate with request ID %4 from certification authority %3. |
| 20 | Information | Certificate enrollment for %1 successfully renewed a %2 certificate with request ID %4 from certification authority %3. |
| 21 | Success | Certificate enrollment for %1 attempted to enroll for a %2 certificate with request ID %4 from certification authority %3. The request is pending. |
| 22 | Success | Certificate enrollment for %1 attempted to renew a %2 certificate with request ID %4 from certification authority %3. The request is pending. |
| 25 | Information | Certificate enrollment for %1 failed to update the %2 certificate in the Personal certificate store due to one of the following: Cannot find %2 certificate template from Active Directory. Enrollment access to this template is not allowed. |
| 27 | Information | Certificate enrollment for %1 was cancelled by the user. |
| 30 | Information | Certificate enrollment for %1 was cancelled by the user when requesting a %2 certificate. |
| 32 | Information | Certificate enrollment for %1 attempted to retrieve a %2 certificate from %3. The certificate request is still pending. |
| 33 | Information | Certificate enrollment for %1 deleted certificates that have expired, or have been revoked or superseded from the user object in Active Directory. |
| 35 | Erreur | Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. A new enrollment for a %2 certificate will be attempted in %3 hours. |
| 36 | Erreur | Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. No more enrollments for %2 certificates will be attempted until the current certificate is revoked or expires because the same error has occurred %3 times. |
| 38 | Avertissement | Certificate enrollment for %1 cannot enroll or renew %2 certificate because user interaction is required on the %2 template in Active Directory. |
| 41 | Information | To prevent simultaneous renewal or enrollment from another computer, certificate enrollment for %1 to renew or enroll for a %2 certificate has been skipped. |
| 42 | Avertissement | Certificate enrollment for %1 for the %2 template must be performed by using the machine context. |
| 43 | Avertissement | Certificate enrollment for %1 failed to find a smart card reader for the %2 template. Enrollment will not be performed. |
| 44 | Avertissement | Certificate enrollment for %1 failed to open the user interface (%2). |
| 45 | Erreur | Certificate enrollment for %1 failed to create an enrollment request for a %2 certificate (%3). |
| 46 | Avertissement | Certificate enrollment for %1 could not enroll for a %2 certificate. Read or enrollment access is not allowed for this template. |
| 47 | Avertissement | Certificate enrollment for %1 could not enroll for a %2 certificate. A valid certification authority cannot be found to issue this template. |
| 48 | Avertissement | Certificate enrollment for %1 could not enroll for a %2 certificate. Signature requirements for the certificate cannot be met. |
| 50 | Avertissement | Certificate enrollment for %1 failed to install the certificate response for a %2 certificate with request ID %3 (%4). |
| 51 | Avertissement | Certificate enrollment for %1 for the %2 certificate must be performed under the user context. |
| 52 | Avertissement | The CA certificate for %3 is not trusted. Certificate enrollment for %1 for a %2 certificate failed. |
| 53 | Avertissement | Certificate enrollment for %1 failed to retrieve a %2 certificate from certification authority %3 with request ID %4, and the error returned from the server is %5. Another certification authority will be contacted. |
| 54 | Avertissement | Certificate enrollment for %1 failed to retrieve a pending %2 certificate with request ID %4 from certification authority %3 (%5). The enrollment process will be attempted again later. |
| 55 | Avertissement | Certificate enrollment for %1 for the %2 template could not find specified CSPs on the local machine. Enrollment will not be performed. |
| 56 | Information | Certificate enrollment for %1 for the template %2 was not performed because this template has been superseded. |
| 57 | Avertissement | Le fournisseur „%2“ n'a pas été chargé car l'initialisation a échoué. |
| 58 | Avertissement | The „%3“ algorithm for the „%2“ provider was not loaded because initialization failed. |
| 59 | Avertissement | Could not determine the signature algorithm for %2 to sign an enrollment request. |
| 60 | Avertissement | Could not find a registered public key algorithm OID for %2 for an enrollment request. |
| 61 | Avertissement | Could not find a registered signature algorithm OID for %1 and %2 to sign an enrollment request. |
| 62 | Avertissement | Could not encode signature parameters for a %2 signature for an enrollment request. |
| 63 | Avertissement | Enrollment Policy Server %2 returned an error when retrieving templates for %1: %3 |
| 64 | Avertissement | Certificate enrollment for %1 successfully load policy from policy server %2 |
| 65 | Avertissement | Certificate enrollment for %1 is successfully authenticated by policy server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3 |
| 66 | Avertissement | Certificate enrollment for %1 is successfully authenticated by enrollment server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3 |
| 67 | Avertissement | Certificate enrollment for %1 failed to load policy from policy servers with ID %2 (%3) |
| 68 | Avertissement | Certificate enrollment for %1 failed in authentication to policy servers with ID %2 (%3) |
| 70 | Avertissement | Certificate enrollment for %1 failed because no valid policy can be obtained from policy servers with ID %2 |
| 71 | Avertissement | Certificate enrollment for %1 failed in adding credential to Vault for %2 (%3) |
| 72 | Avertissement | Certificate enrollment for %1 failed because the loaded policy from the policy server %2 is invalid (%3) |
| 73 | Avertissement | Certificate auto enrollment for %1 cannot be done because the policy server %2 turns it off. |
| 74 | Avertissement | Certificate enrollment for %1 failed to load policy from policy server %2 with ID %3 (%4) |
| 75 | Avertissement | Certificate enrollment for %1 failed in authentication to policy server %2 with ID %3 (%6). Authentication mechanism was %5 (Credential: %4) |
| 76 | Avertissement | Certificate enrollment for %1 failed in authentication to enrollment server %2 (%6). Policy Id: %3. Authentication mechanism was %5 (Credential: %4) |
| 77 | Avertissement | Certificate enrollment for %1 cannot enroll from user configured enrollment policy server since it is disabled by group policy |
| 78 | Avertissement | Certificate enrollment for %1 sent a request for template %2 to a ROBO certificate enrollment server %3 |
| 79 | Avertissement | Certificate enrollment for %1 sent a request for template %2 to a ANONYMOUS certificate enrollment server %3 |
| 80 | Avertissement | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported |
| 81 | Avertissement | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ANONYMOUS and only renewal is supported |
| 82 | Avertissement | L'inscription au certificat pour %1 a échoué dans l'authentification à toutes les url pour le serveur d'inscription associé à l'identifiant de politique : %2 (%4). Echec de l'inscription pour le modèle : %3 |
| 83 | Avertissement | Certificate enrollment for %1 cannot find a credential that meets the selection criteria for url %2 with id %3 (%4) |
| 84 | Avertissement | The credential for URL %2 has been updated from certificate (%4) to certificate (%3) in context %1 |
| 85 | Avertissement | Certificate enrollment for %1 for the %2 template could not perform attestation due to an error with the cryptographic hardware using the provider: %3. Request Id: %4.%5 |
| 86 | Erreur | SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
| 87 | Erreur | SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
| 88 | Information | SCEP Certificate enrollment for %1 via %2 succeeded: %3 Method: %4 Stage: %5 |
| 89 | Erreur | Could not find a Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 %5 |
| 90 | Erreur | Found multiple Logon Certificate Templates for %1 Templates: %2 State: %3 Process: %4 %5 |
| 91 | Information | Successfully found Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 |
| 92 | Erreur | Logon Certificate Request creation for %1 failed for the %2 template for key %3 %4 Process: %5 %6 |
| 93 | Information | Logon Certificate Request creation for %1 succeeded for the %2 template for key %3 Request thumbprint: %4 Process: %5 |
| 94 | Erreur | Failed to install Logon Certificate for %1 failed Request thumbprint: %2 Thumbprint: %3 %4 Process: %5 %6 |
| 95 | Information | Successfully installed Logon Certificate for %1 Request thumbprint: %2 Thumbprint: %3 Process: %4 |
| 96 | Erreur | Failed to remove Logon Certificate request for %1 Request thumbprint: %2 Process: %3 %4 |
| 97 | Avertissement | Successfully removed Logon Certificate request for %1 Request thumbprint: %2 Process: %3 |
| 98 | Erreur | Failed to import PFX Certificate for %1 Flags: %2 Provider: %3 Container: %4 Process: %5 %6 |
Liens complémentaires :
- Bases de la demande manuelle et automatique de certificats via Lightweight Directory Access Protocol (LDAP) et Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)
- Exécution manuelle du processus d'auto-enrollment
Sources externes
- Troubleshooting Autoenrollment (Microsoft)
- How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in (Microsoft)
- Active Directory Certificate Services (AD CS) Troubleshooting: Certificate Autoenrollment (Microsoft)
- Configure Certificate Autoenrollment (Microsoft)
- Troubleshooting Certificate Enrollment (Microsoft, lien archive)
Français 
Deutsch 
English
Les commentaires sont fermés.