Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is it mentioned what is not possible with them. Meanwhile, the product has also reached its limits in many places.

What these limits are is explained in more detail below, to help decide whether AD CS can be the right solution for a planned project.


Details of the event with ID 80 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 80 (0x825A0050)
Event log: Application
Event type: Warning
Event text (English): Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported
Event text (German): The certificate registration for %1 cannot register for a %2 certificate because the %3 certificate registration server is a ROBO server and only renewal is supported.

The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A role configuration for the Certificate Enrollment Web Service (CES) is performed.
  • The role configuration fails with the following error message:
    CCertificateEnrollmenServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

  • A role configuration for the Certificate Enrollment Web Service (CES) is performed.
  • The role configuration fails with the following error message:
    The Certificate Enrollment Web Service Setup failed because the CA "CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1" cannot be contacted. Check the name, and confirm that the CA is properly configured and available. The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
    The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.

Details of the event with ID 17 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 17 (0x11)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): A certification authority %1 has been loaded. For additional information, please refer to the EventData section of the Details pane.
Event text (German): The certification authority "%1" has been loaded. For more information, see the "Event data" section of the details pane.

Details of the event with ID 18 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 18 (0x12)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): For a list of the OIDs which are loaded please refer to the "Details" pane.
Event text (German): A list of loaded OIDs can be found in the details pane.

Details of the event with ID 19 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 19 (0x13)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The Certificate Enrollment Policy Web Service cannot operate because Windows authentication is not compatible with key based renewal. To resolve this issue, remove the Certificate Enrollment Policy Web Service. Reconfigure the Setup options to disable key based renewal, or select either user name and password authentication or client certificate authentication, and then run Setup again.
Event text (German): The Certificate Enrollment Policy Web Service cannot run because Windows authentication is not compatible with key-based renewal. Remove the Certificate Enrollment Policy Web Service to resolve the issue. Reconfigure the setup options to disable key-based renewal, or select either username/password authentication or client certificate authentication, and then run Setup again.

Details of the event with ID 20 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 20 (0x14)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): A service end point with URI %1 has been configured for this service. The client authentication scheme is %2. Only policies that contain certificate templates that are enabled for key based renewal will be returned to the client. Use the Group Policy Management Console or the Certificates snap-in to configure clients with this Certificate Enrollment Policy Web Service information.
Event text (German): A service endpoint with URI "%1" has been configured for this service. The client authentication scheme is "%2". Only policies with certificate templates configured for key-based renewal are returned to the client. Use the Group Policy Management Console or the Certificates snap-in to configure clients with information from this Certificate Enrollment Policy Web Service.

Details of the event with ID 21 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 21 (0x15)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Information
Event text (English): A service end point with URI %1 has been configured for this service. The client authentication scheme is %2. Only policies that contain certificate templates that are enabled for key based renewal will be returned to the client. Client certificates without subject information in the Active Directory database can be used to retrieve certificate templates. Use the Group Policy Management Console or the Certificates snap-in to configure clients with this Certificate Enrollment Policy Web Service information.
Event text (German): A service endpoint with URI "%1" has been configured for this service. The client authentication scheme is "%2". Only policies with certificate templates configured for key-based renewal are returned to the client. Certificate templates can be retrieved with client certificates without requestor information in the Active Directory database. Use the Group Policy Management Console or the Certificates snap-in to configure clients with information from this Certificate Enrollment Policy Web Service.

Details of the event with ID 11 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 11 (0xB)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Warning
Event text (English): No certificate templates in the forest are configured to be sent as part of the policy response. Confirm that the server hosting the Certificate Enrollment Policy Web Service has Read permission to the required templates in this forest and that at least one server hosting the Certificate Enrollment Web Service is configured to work with the certification authorities (CAs) configured to issue the required templates.
Event text (German): No certificate templates have been configured in the forest to be sent as part of the policy response. Ensure that the server with the Certificate Enrollment Policy Web Service has read permission for the required templates in the forest. Also ensure that at least one server with the Certificate Enrollment Web Service is configured to work with the CAs configured to issue the required templates.

Details of the event with ID 12 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 12 (0xC)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The certification authority (CA) "%1" cannot be sent as part of the policy response. Confirm that this CA is running and that at least one Certificate Enrollment Web Service is configured to use this CA. %2
Event text (German): The certificate authority "%1" cannot be sent as part of the policy response. Ensure that the certificate authority is running and at least one certificate enrollment web service has been configured to use the certificate authority. %2

Details of the event with ID 13 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 13 (0xD)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The certificate template "%1" cannot be sent as part of the policy response. Use the Certificate Templates snap-in to confirm that this is a valid certificate template. Also confirm that at least one running certification authority (CA) has this template enabled and that at least one Certificate Enrollment Web Service is configured to use this CA. %2
Event text (German): The certificate template "%1" cannot be sent as part of the policy response. Use the certificate template snap-in to confirm that it is a valid certificate template. Ensure that the template is enabled on at least one running certificate authority and that at least one certificate enrollment web service has been configured to use this certificate authority. %2

Details of the event with ID 14 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 14 (0xE)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The certification authority (CA) "%1" associated with the template "%2" cannot be sent as part of the policy response. Confirm that the CA is running and that at least one Certificate Enrollment Web Service is configured to use this CA. %3
Event text (German): The certificate authority "%1" associated with the template "%2" cannot be sent as part of the policy response. Ensure that the certificate authority is running and at least one certificate enrollment web service has been configured to use this certificate authority. %3

Details of the event with ID 15 of the source Microsoft-Windows-EnrollmentPolicyWebService

Event Source: Microsoft-Windows-EnrollmentPolicyWebService
Event ID: 15 (0xF)
Event log: Microsoft-Windows-EnrollmentPolicyWebService/Admin
Event type: Error
Event text (English): The URI %2 used by the Certificate Enrollment Web Service for certification authority (CA) "%1" is invalid. Use Server Manager to configure the Certificate Enrollment Web Service to use a valid CA. %3
Event text (German): The URI "%2" used by the certificate enrollment web service for the certification authority "%1" is invalid. Use Server Manager to configure the certificate enrollment web service to use a valid certificate authority. %3