The following is an overview of the events that the Network Device Enrollment Service (NDES) writes to the Windows Event Viewer.
The events of the Network Device Enrollment Service are not officially documented. The list below was generated with the Windows Event Log Messages (WELM) tool.
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an account in Active Directory (for example network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Fundamentals of the Network Device Enrollment Service (NDES)".
Event sources
The events of the Network Device Enrollment Service are written to the Application log. The following sources contain NDES events:
- NetworkDeviceEnrollmentService
Predefined view in the Windows Event Viewer
A suitably filtered view is already preconfigured in the "Active Directory Certificate Services" category on every system on which the Network Device Enrollment Service is installed.
Event source NetworkDeviceEnrollmentService
ID | Type | Event text |
---|---|---|
1 | Information | The Network Device Enrollment Service started successfully. |
2 | Error | The Network Device Enrollment Service cannot be started (%1). %2 |
3 | Information | The Network Device Enrollment Service has been stopped. |
4 | Error | The Network Device Enrollment Service cannot be stopped (%1). %2 |
6 | Error | The Network Device Enrollment Service cannot provide its password because the user does not have Enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template. |
7 | Error | The Network Device Enrollment Service failed to return the certification authority certificate(s) to the caller (%1). %2 |
8 | Error | The Network Device Enrollment Service cannot retrieve information about the certification authority (%1). %2 |
9 | Error | The Network Device Enrollment Service cannot retrieve the certification authority certificate (%1). %2 |
10 | Error | The Network Device Enrollment Service cannot retrieve one of its required certificates (%1). %2 |
11 | Error | The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag. |
12 | Error | The Network Device Enrollment Service received an http request without the "Message" tag (or request body for POSTPKIOperation). |
13 | Error | The Network Device Enrollment Service cannot encrypt the response to a client request (%1). %2 |
14 | Error | The Network Device Enrollment Service cannot sign the response to a client request (%1). %2 |
15 | Error | The Network Device Enrollment Service cannot convert encoded portions of the client’s http message (or request body for POSTPKIOperation), or the converted message (or request body for POSTPKIOperation) is larger than 64K (%1). %2 |
16 | Error | The Network Device Enrollment Service cannot decode the http message from the client (%1). %2 |
17 | Error | The Network Device Enrollment Service cannot retrieve required information, such as the transaction ID, message type, or signing certificate, from the client’s PKCS7 message (%1). %2 |
18 | Error | The Network Device Enrollment Service cannot decrypt the client’s PKCS7 message (%1). %2 |
19 | Error | The Network Device Enrollment Service failed trying to retrieve a certificate from the certification authority (CA). Verify that the CA service is running. Use the Certification Authority management console to verify that the Network Device Enrollment Service account has Read permissions on the CA service. Verify that the serial number specified in the GETCERT request is correct, and that the CA service has successfully created a certificate with the specified serial number. The error returned was (%1). %2 |
23 | Error | The Network Device Enrollment Service cannot complete the PKCS7 request (%1). %2 |
24 | Error | The Network Device Enrollment Service cannot find the issuer name or serial number in the client’s PKCS7 message (%1). %2 |
25 | Error | The Network Device Enrollment Service cannot locate a valid certificate request ID that matches the transaction ID in the client’s PKCS7 message (%1). %2 |
26 | Error | The Network Device Enrollment Service was not able to query the certification authority (CA) for a previously submitted device certificate request. Verify that the CA service is running and that the Network Device Enrollment Service account has Read permission on the CA service. Use the Certification Authority management console to verify the permissions on the CA service. The error returned was (%1). %2 |
28 | Error | The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name. |
29 | Error | The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request. |
30 | Error | The Network Device Enrollment Service cannot add an alternative subject name extension to the certificate request (%1). %2 |
31 | Error | The Network Device Enrollment Service cannot submit the certificate request (%1). %2 |
32 | Error | The Network Device Enrollment Service cannot retrieve the certificate identified by this request ID (%1). %2 |
33 | Error | The Network Device Enrollment Service failed to cache this certificate ID and transaction ID (%1). %2 |
34 | Error | At least one of the certificates for the Network Device Enrollment Service has expired. Verify that both the encryption and signing certificates are valid and restart the service. |
35 | Error | At least one of the certificates for the Network Device Enrollment Service will expire soon. Check the validity period for both the encryption and signing certificates. Renew any certificates that are nearing the end of their validity period and restart the service. |
36 | Error | The Network Device Enrollment Service failed while attempting to write the header portion of an http response (%1). %2 |
37 | Error | The Network Device Enrollment Service failed while attempting to write the data portion of an http response (%1). %2 |
38 | Error | The Network Device Enrollment Service detected an invalid message type in the client’s PKCS7 message. |
39 | Error | The Network Device Enrollment Service cannot find key usage information in the certificate request and will use both the Signature and Exchange key usages. |
41 | Error | The Network Device Enrollment Service cannot issue a password because the requester is not an administrator of this computer. |
42 | Error | The Network Device Enrollment Service cannot decode an X509 certificate request. |
43 | Error | This password has already been used to request a (%1) certificate. Only one signing certificate and one exchange certificate can be issued per password. Obtain a new password to use with this request, or create a new request with a different key usage and the same password, then try again. |
44 | Error | The Network Device Enrollment Service cannot obtain the certificate revocation list (CRL) for key %1 from the certification authority. Verify that the CA service is running, the Network Device Enrollment Service account has Read permission on the CA service, and the CA service has successfully created the latest CRL. Use the Certification Authority management console to verify the permissions on the CA service. Use the command: Certutil -config "%2" -cainfo crl %3 to verify that the CA service has created the latest CRL. The error returned was (%4). %5 |
45 | Error | The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request. |
46 | Error | The Network Device Enrollment Service failed to load the hash algorithm specified at location %1. Use the command "certutil -v -csplist" to verify that the computer on which the Network Device Enrollment Service is installed supports the hash algorithm specified. Near the end of the command output, look for the section labeled "Hash Algorithms". If the algorithm specified in the registry is not listed, configure a different hash algorithm in the registry. The error returned was (%2). %3 |
47 | Information | The Network Device Enrollment Service loaded the Registration Authority (RA) key exchange certificate with serial number %1 from the "%2" store. |
48 | Information | The Network Device Enrollment Service loaded the Registration Authority (RA) signature certificate with serial number %1 from the "%2" store. |
49 | Error | The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password’s length doesn’t match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry. |
50 | Information | The Network Device Enrollment Service is working in single password mode. The password can be used multiple times and will not expire. |
51 | Error | The Network Device Enrollment Service cannot create or modify the registry key "%1." Grant Read and Write permissions on the registry key "%2" to the account that the Network Device Enrollment Service is running as. |
52 | Information | The Network Device Enrollment Service policy module was started successfully. |
53 | Error | The Network Device Enrollment Service policy module could not be started (%1). %2 |
54 | Information | The Network Device Enrollment Service policy module was stopped successfully. |
55 | Error | The Network Device Enrollment Service policy module could not be stopped (%1). %2 |
Related links:
- Overview of the Windows events generated by the certification authority
- Overview of the Windows events generated by the Online Responder (OCSP)
- Overview of the Windows events generated by the Certificate Enrollment Policy Web Service (CEP)
- Overview of the Windows events generated by the Certificate Enrollment Web Service (CES)
External sources
- Windows Event Log Messages (WELM) (GitHub)