Below is an overview of the events that Windows certificate clients write to the Windows Event Viewer, how to enable them and how to identify them.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and makes it possible to apply policies in order to automate certificate issuance securely. TameMyCerts is unique in the Microsoft ecosystem, has proven itself in countless companies around the world and is available under a free license. It can be downloaded from GitHub and used free of charge. Professional maintenance is also offered.
Configuring logging
For events beyond errors and warnings to be logged, a "LogLevel" directive (analogous to the one on the certification authority) with the appropriate value must be created in the relevant registry location (depending on whether a user or a computer certificate is concerned).
The LogLevel directive replaces the previously used AEEventLogLevel directive.
Path | Description |
---|---|
HKCU\Software\Microsoft\Cryptography\AutoEnrollment | User settings, configured locally |
HKLM\Software\Microsoft\Cryptography\AutoEnrollment | Computer settings, configured locally |
The following command line configures extended logging for both the user and the system context. All events of the types "Error", "Warning" and "Information" are then written.
certutil -setreg Enroll\LogLevel 4
Raising the logging level can generate a very large number of events. Make sure the event log is allowed to grow accordingly; otherwise earlier events will be overwritten. It is advisable to raise the logging level only temporarily.
The change takes effect immediately, without logging off or rebooting.
Setting the key in the user context with the -user parameter has no effect.
The numeric values map to the following constants:
Value | Meaning | Notes |
---|---|---|
0 | CERTLOG_MINIMAL | |
1 | CERTLOG_TERSE | |
2 | CERTLOG_ERROR | |
3 | CERTLOG_WARNING | Additionally enables events of level "Warning" (default setting) |
4 | CERTLOG_VERBOSE | Additionally enables events of level "Information" |
5 | CERTLOG_EXHAUSTIVE | |
Logging is reset to the defaults by deleting the previously created key.
certutil -delreg Enroll\LogLevel
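The following PowerShell script is an added example, not part of the original article: it reads the current LogLevel from the two registry paths listed above, translates it into the CERTLOG_* names from the table, and wraps the certutil calls from the article so the level can be raised for a troubleshooting session and reset afterwards. The function names are assumptions of this example; writing the HKLM value requires an elevated session.

```powershell
# Added example (not from the original article). Paths and value names follow the tables above.
$LogLevelNames = @{
    0 = 'CERTLOG_MINIMAL'; 1 = 'CERTLOG_TERSE';   2 = 'CERTLOG_ERROR'
    3 = 'CERTLOG_WARNING'; 4 = 'CERTLOG_VERBOSE'; 5 = 'CERTLOG_EXHAUSTIVE'
}
$Paths = @{
    User     = 'HKCU:\Software\Microsoft\Cryptography\AutoEnrollment'
    Computer = 'HKLM:\Software\Microsoft\Cryptography\AutoEnrollment'
}

function Get-AutoEnrollmentLogLevel {
    # Hypothetical helper: report the effective level per scope (absent value = default 3)
    foreach ($Scope in $Paths.Keys) {
        $Item = Get-ItemProperty -Path $Paths[$Scope] -Name LogLevel -ErrorAction SilentlyContinue
        if ($null -eq $Item) {
            [PSCustomObject]@{ Scope = $Scope; LogLevel = 3; Name = $LogLevelNames[3]; Source = 'default (not set)' }
        } else {
            $Level = [int]$Item.LogLevel
            $Name  = if ($LogLevelNames.ContainsKey($Level)) { $LogLevelNames[$Level] } else { 'UNKNOWN' }
            [PSCustomObject]@{ Scope = $Scope; LogLevel = $Level; Name = $Name; Source = 'registry' }
        }
    }
}

function Set-AutoEnrollmentLogLevel {
    # Same command the article uses; the Enroll\ alias writes the machine-wide value,
    # which according to the article applies to both the user and the system context.
    param([ValidateRange(0, 5)][int]$Level)
    certutil -setreg Enroll\LogLevel $Level | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE (elevation required?)" }
}

function Reset-AutoEnrollmentLogLevel {
    # Deleting the value returns the client to the default (CERTLOG_WARNING)
    certutil -delreg Enroll\LogLevel | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -delreg failed with exit code $LASTEXITCODE" }
}

# Typical troubleshooting session: raise to VERBOSE, reproduce the problem, then reset.
Get-AutoEnrollmentLogLevel | Format-Table -AutoSize
Set-AutoEnrollmentLogLevel -Level 4
Get-AutoEnrollmentLogLevel | Format-Table -AutoSize
# ... reproduce the enrollment problem and collect the events here ...
Reset-AutoEnrollmentLogLevel
```

Because the change takes effect immediately, run the two halves of the session separately in practice rather than resetting in the same script run.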
Event sources
- Microsoft-Windows-CertificateServicesClient-AutoEnrollment
- Microsoft-Windows-CertificateServicesClient
- Microsoft-Windows-CertificateServicesClient-CertEnroll
Events
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
The events can be read with the following Windows PowerShell command:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient-AutoEnrollment' }
ID | Type | Event text |
---|---|---|
1 | Information | Automatic certificate enrollment for %1 failed to download certificates for %2 store from %3 (%4). %5 |
2 | Information | Automatic certificate enrollment for %1 started. |
3 | Information | Automatic certificate enrollment for %1 completed. |
4 | Information | Automatic certificate enrollment for %1 invoked the enrollment API. |
5 | Information | Automatic certificate enrollment for %1 returned from the enrollment API. |
6 | Error | Automatic certificate enrollment for %1 failed (%2) %3. |
15 | Warning | Automatic certificate enrollment for %1 failed to contact the active directory (%2). %3 Enrollment will not be performed. |
64 | Warning | Certificate for %1 with Thumbprint %2 is about to expire or already expired. |
Microsoft-Windows-CertificateServicesClient
The events can be read with the following Windows PowerShell command:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient' }
ID | Type | Event text |
---|---|---|
1 | Information | Certificate Services Client has been started successfully. |
2 | Information | Certificate Services Client has been stopped. |
3 | Information | Certificate Services Client has detected network connectivity. |
4 | Information | Certificate Services Client has detected network dis-connectivity. |
501 | Warning | Certificate Services Client is triggered with bad parameters: %1. |
502 | Warning | Certificate Services Client failed to register Group Policy notifications. Error code: %1. |
1001 | Error | Certificate Services Client failed to load Provider %1. Error code %2. |
1002 | Error | Certificate Services Client cannot find the required interface in Provider %1. Error code %2. |
1003 | Error | Certificate Services Client failed to invoke the Providers in response to event %1. Error code %2. |
1004 | Error | Certificate Services Client Provider %1 raised an exception. Exception code %2. |
Microsoft-Windows-CertificateServicesClient-CertEnroll
The events can be read with the following Windows PowerShell command:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient-CertEnroll' }
ID | Type | Event text |
---|---|---|
4 | Information | Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed. |
5 | Information | Certificate enrollment for %1 could not find any valid certificate templates. Enrollment was not performed. |
6 | Error | Certificate enrollment for %1 could not find a valid certificate template to match %2. Enrollment was not performed. |
9 | Error | Certificate enrollment for %1 was denied by %3 when retrieving the pending request for a %2 certificate with request ID %4. |
10 | Information | Certificate enrollment for %1 archived or deleted, from the Personal certificate store, certificates that have expired, or been revoked or superseded. |
11 | Warning | Certificate enrollment for %1 could not find a certification authority in the enterprise. Enrollment was not performed. |
13 | Error | Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5). |
14 | Success | Certificate enrollment for %1 received a %2 certificate with request ID %4 from %3 when retrieving pending requests. |
15 | Warning | Certificate enrollment for %1 failed to retrieve certificate template information from the Policy Server. Enrollment was not performed. |
16 | Error | Certificate enrollment for %1 failed to renew a %2 certificate with request ID %4 from %3 (%6). The certificate which failed to renew is %5 |
17 | Warning | Certificate enrollment for %1 failed to enroll for a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted. |
18 | Warning | Certificate enrollment for %1 failed to renew a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted. |
19 | Information | Certificate enrollment for %1 successfully received a %2 certificate with request ID %4 from certification authority %3. |
20 | Information | Certificate enrollment for %1 successfully renewed a %2 certificate with request ID %4 from certification authority %3. |
21 | Success | Certificate enrollment for %1 attempted to enroll for a %2 certificate with request ID %4 from certification authority %3. The request is pending. |
22 | Success | Certificate enrollment for %1 attempted to renew a %2 certificate with request ID %4 from certification authority %3. The request is pending. |
25 | Information | Certificate enrollment for %1 failed to update the %2 certificate in the Personal certificate store due to one of the following: Cannot find %2 certificate template from Active Directory. Enrollment access to this template is not allowed. |
27 | Information | Certificate enrollment for %1 was cancelled by the user. |
30 | Information | Certificate enrollment for %1 was cancelled by the user when requesting a %2 certificate. |
32 | Information | Certificate enrollment for %1 attempted to retrieve a %2 certificate from %3. The certificate request is still pending. |
33 | Information | Certificate enrollment for %1 deleted certificates that have expired, or have been revoked or superseded from the user object in Active Directory. |
35 | Error | Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. A new enrollment for a %2 certificate will be attempted in %3 hours. |
36 | Error | Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. No more enrollments for %2 certificates will be attempted until the current certificate is revoked or expires because the same error has occurred %3 times. |
38 | Warning | Certificate enrollment for %1 cannot enroll or renew %2 certificate because user interaction is required on the %2 template in Active Directory. |
41 | Information | To prevent simultaneous renewal or enrollment from another computer, certificate enrollment for %1 to renew or enroll for a %2 certificate has been skipped. |
42 | Warning | Certificate enrollment for %1 for the %2 template must be performed by using the machine context. |
43 | Warning | Certificate enrollment for %1 failed to find a smart card reader for the %2 template. Enrollment will not be performed. |
44 | Warning | Certificate enrollment for %1 failed to open the user interface (%2). |
45 | Error | Certificate enrollment for %1 failed to create an enrollment request for a %2 certificate (%3). |
46 | Warning | Certificate enrollment for %1 could not enroll for a %2 certificate. Read or enrollment access is not allowed for this template. |
47 | Warning | Certificate enrollment for %1 could not enroll for a %2 certificate. A valid certification authority cannot be found to issue this template. |
48 | Warning | Certificate enrollment for %1 could not enroll for a %2 certificate. Signature requirements for the certificate cannot be met. |
50 | Warning | Certificate enrollment for %1 failed to install the certificate response for a %2 certificate with request ID %3 (%4). |
51 | Warning | Certificate enrollment for %1 for the %2 certificate must be performed under the user context. |
52 | Warning | The CA certificate for %3 is not trusted. Certificate enrollment for %1 for a %2 certificate failed. |
53 | Warning | Certificate enrollment for %1 failed to retrieve a %2 certificate from certification authority %3 with request ID %4, and the error returned from the server is %5. Another certification authority will be contacted. |
54 | Warning | Certificate enrollment for %1 failed to retrieve a pending %2 certificate with request ID %4 from certification authority %3 (%5). The enrollment process will be attempted again later. |
55 | Warning | Certificate enrollment for %1 for the %2 template could not find specified CSPs on the local machine. Enrollment will not be performed. |
56 | Information | Certificate enrollment for %1 for the template %2 was not performed because this template has been superseded. |
57 | Warning | The "%2" provider was not loaded because initialization failed. |
58 | Warning | The "%3" algorithm for the "%2" provider was not loaded because initialization failed. |
59 | Warning | Could not determine the signature algorithm for %2 to sign an enrollment request. |
60 | Warning | Could not find a registered public key algorithm OID for %2 for an enrollment request. |
61 | Warning | Could not find a registered signature algorithm OID for %1 and %2 to sign an enrollment request. |
62 | Warning | Could not encode signature parameters for a %2 signature for an enrollment request. |
63 | Warning | Enrollment Policy Server %2 returned an error when retrieving templates for %1: %3 |
64 | Warning | Certificate enrollment for %1 successfully load policy from policy server %2 |
65 | Warning | Certificate enrollment for %1 is successfully authenticated by policy server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3 |
66 | Warning | Certificate enrollment for %1 is successfully authenticated by enrollment server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3 |
67 | Warning | Certificate enrollment for %1 failed to load policy from policy servers with ID %2 (%3) |
68 | Warning | Certificate enrollment for %1 failed in authentication to policy servers with ID %2 (%3) |
70 | Warning | Certificate enrollment for %1 failed because no valid policy can be obtained from policy servers with ID %2 |
71 | Warning | Certificate enrollment for %1 failed in adding credential to Vault for %2 (%3) |
72 | Warning | Certificate enrollment for %1 failed because the loaded policy from the policy server %2 is invalid (%3) |
73 | Warning | Certificate auto enrollment for %1 cannot be done because the policy server %2 turns it off. |
74 | Warning | Certificate enrollment for %1 failed to load policy from policy server %2 with ID %3 (%4) |
75 | Warning | Certificate enrollment for %1 failed in authentication to policy server %2 with ID %3 (%6). Authentication mechanism was %5 (Credential: %4) |
76 | Warning | Certificate enrollment for %1 failed in authentication to enrollment server %2 (%6). Policy Id: %3. Authentication mechanism was %5 (Credential: %4) |
77 | Warning | Certificate enrollment for %1 cannot enroll from user configured enrollment policy server since it is disabled by group policy |
78 | Warning | Certificate enrollment for %1 sent a request for template %2 to a ROBO certificate enrollment server %3 |
79 | Warning | Certificate enrollment for %1 sent a request for template %2 to a ANONYMOUS certificate enrollment server %3 |
80 | Warning | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported |
81 | Warning | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ANONYMOUS and only renewal is supported |
82 | Warning | Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3 |
83 | Warning | Certificate enrollment for %1 cannot find a credential that meets the selection criteria for url %2 with id %3 (%4) |
84 | Warning | The credential for URL %2 has been updated from certificate (%4) to certificate (%3) in context %1 |
85 | Warning | Certificate enrollment for %1 for the %2 template could not perform attestation due to an error with the cryptographic hardware using the provider: %3. Request Id: %4.%5 |
86 | Error | SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
87 | Error | SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
88 | Information | SCEP Certificate enrollment for %1 via %2 succeeded: %3 Method: %4 Stage: %5 |
89 | Error | Could not find a Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 %5 |
90 | Error | Found multiple Logon Certificate Templates for %1 Templates: %2 State: %3 Process: %4 %5 |
91 | Information | Successfully found Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 |
92 | Error | Logon Certificate Request creation for %1 failed for the %2 template for key %3 %4 Process: %5 %6 |
93 | Information | Logon Certificate Request creation for %1 succeeded for the %2 template for key %3 Request thumbprint: %4 Process: %5 |
94 | Error | Failed to install Logon Certificate for %1 failed Request thumbprint: %2 Thumbprint: %3 %4 Process: %5 %6 |
95 | Information | Successfully installed Logon Certificate for %1 Request thumbprint: %2 Thumbprint: %3 Process: %4 |
96 | Error | Failed to remove Logon Certificate request for %1 Request thumbprint: %2 Process: %3 %4 |
97 | Warning | Successfully removed Logon Certificate request for %1 Request thumbprint: %2 Process: %3 |
98 | Error | Failed to import PFX Certificate for %1 Flags: %2 Provider: %3 Container: %4 Process: %5 %6 |
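The three Get-WinEvent commands above each dump one provider in full. The following script is an added example (not from the original article) that queries all three providers at once, keeps only Error and Warning events from the last 24 hours, and summarises them by provider and event ID so that a noisy log at LogLevel 4 still yields a short overview of where enrollment is failing. The hint table and function name are assumptions of this example; the hints are taken from the event texts in the tables above.

```powershell
# Added example (not from the original article): triage summary across all three client providers.
$Providers = @(
    'Microsoft-Windows-CertificateServicesClient-AutoEnrollment',
    'Microsoft-Windows-CertificateServicesClient',
    'Microsoft-Windows-CertificateServicesClient-CertEnroll'
)
# Short hints for a few IDs worth attention, keyed "<provider suffix>:<id>", taken from the tables above
$Hints = @{
    'AutoEnrollment:6'  = 'autoenrollment failed, see error code in message'
    'AutoEnrollment:15' = 'Active Directory not reachable, enrollment skipped'
    'AutoEnrollment:64' = 'certificate about to expire or already expired'
    'CertEnroll:13'     = 'enrollment request rejected by the CA'
    'CertEnroll:16'     = 'renewal rejected by the CA'
    'CertEnroll:52'     = 'CA certificate not trusted on this machine'
    'CertEnroll:85'     = 'DNS name mismatch, retry scheduled'
    'CertEnroll:86'     = 'DNS name mismatch, retries stopped'
}

function Get-CertClientFailureSummary {
    param([int]$Hours = 24)
    # Level 2 = Error, 3 = Warning in the Windows event log; Information (4) is deliberately left out
    $Filter = @{
        LogName      = 'Application'
        ProviderName = $Providers
        Level        = 2, 3
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result
    $Events = @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)
    $Events | Group-Object ProviderName, Id | ForEach-Object {
        $Latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        $Suffix = ($Latest.ProviderName -split '-')[-1]      # AutoEnrollment, CertificateServicesClient or CertEnroll
        [PSCustomObject]@{
            Provider = $Suffix
            Id       = $Latest.Id
            Level    = $Latest.LevelDisplayName
            Count    = $_.Count
            LastSeen = $Latest.TimeCreated
            Hint     = $Hints["${Suffix}:$($Latest.Id)"]
            # First line of the rendered message is enough to match it against the tables above
            Message  = ($Latest.Message -split "`r?`n")[0]
        }
    } | Sort-Object Count -Descending
}

Get-CertClientFailureSummary -Hours 24 | Format-Table -AutoSize -Wrap
```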
Further links:
- Basics of manual and automatic certificate enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)
- Running the autoenrollment process manually
External sources
- Troubleshooting Autoenrollment (Microsoft)
- How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in (Microsoft)
- Active Directory Certificate Services (AD CS) Troubleshooting: Certificate Autoenrollment (Microsoft)
- Configure Certificate Autoenrollment (Microsoft)
- Troubleshooting Certificate Enrollment (Microsoft, archive link)
4 thoughts on "Enable logging for automatic certificate enrollment (autoenrollment)"