April 2020 - Page 5 - Uwe Gradenegger

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_INVALID_CA".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

The certificate authority is invalid or corrupt. 0x80072f0d (WinHttp: 12045 ERROR_WINHTTP_SECURE_INVALID_CA)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "WS_E_OPERATION_TIMED_OUT".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: The operation did not complete within the time allotted. 0x803d0006 (-2143485946 WS_E_OPERATION_TIMED_OUT)

Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

The requested certificate template is not supported by this CA.

Enable debug logging for Certificate Enrollment Policy Web Service (CEP)

When trying to track down an error in the Certificate Enrollment Policy Web Service (CEP), it is helpful to enable debug logging.

Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "ERROR_WINHTTP_CONNECTION_ERROR".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Error: The server connection was terminated due to an error. 0x80072efe (WinHttp:12030) ERROR_WINHTTP_CONNECTION_ERROR

Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
However, the list of available certificate templates within the MMC is completely empty.
In the list of available certificate templates within the MMC, all certificate templates are displayed. At all desired certificate templates it is written:

Cannot find Object or property.
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.

Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".

Assume the following scenario:

A user requests a certificate.
An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
The connection to the CEP fails and the user receives the following error message:

Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED

The role configuration for the Certificate Enrollment Policy Web Service (CEP) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

A role configuration for the Certificate Enrollment Policy Web Service (CEP) is performed.
The role configuration fails with the following error message:

CCertificateEnrollmentPolicyServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Role configuration for Certificate Enrollment Policy Web Service fails with error message "The argument is null or empty."

Assume the following scenario:

A role configuration for the Certificate Enrollment Policy Web Service (CEP) is performed using PowersShell (Install-AdcsEnrollmentPolicyWebService).
The role configuration fails with the following error message:

Cannot validate argument on parameter 'SSLCertThumbprint'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Installing a Certificate Enrollment Policy Web Service (CEP)

The following describes how to install the Certificate Enrollment Policy Web Service (CEP).

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account.

The following describes how to set up a Certificate Enrollment Policy Web Service (CEP) that the service runs under a domain account.

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CEP with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.

Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.

Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.

Signing in via smart card fails with error message "Signing in with a security device isn't supported for your account."

Assume the following scenario:

A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
The login fails. The following error message is returned to the user's computer:

Signing in with a security device isn't supported for your account. For more info, contact your administrator.

View and clear the certificate enrollment policy cache for the Certificate Enrollment Policy Web Service (CEP).

After a certificate enrollment policy is configured and used by a subscriber, the results are cached locally (Enrollment Policy Cache).

If changes are now made to the infrastructure, for example by publishing or removing a new certificate template on a certification authority accessible via Certificate Enrollment Web Service (CES), these changes are not immediately visible to subscribers due to the cache.

For this reason, it may be helpful to view or clear the cache.