Details of the event with ID 3 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 3 (0x3)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Error
Event text (English): The Certificate Enrollment Web Service failed to start. The certification authority (CA) "%1" is not an enterprise CA.
Event text (German message, translated): Error starting the certificate enrollment web service. The certification authority "%1" is not an enterprise certification authority.

Details of the event with ID 4 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 4 (0x4)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Error
Event text (English): The Certificate Enrollment Web Service failed to start. A valid certification authority (CA) configuration is not specified in the web.config file. Please specify a CA configuration in the web.config file.
Event text (German message, translated): Error when starting the certificate enrollment web service. No valid certification authority configuration was specified in the "web.config" file. Specify a certification authority configuration in the "web.config" file.

Details of the event with ID 5 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 5 (0x5)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Information
Event text (English): The Certificate Enrollment Web Service has been stopped.
Event text (German message, translated): The certificate enrollment web service has been stopped.

Details of the event with ID 6 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 6 (0x6)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Warning
Event text (English): The Certificate Enrollment Web Service is in renewal-only mode. New enrollment requests cannot be processed when the Certificate Enrollment Web Service is in renewal-only mode. If you want to enable new enrollment requests, configure both the CA and the Certificate Enrollment Web Service for new enrollment requests.
Event text (German message, translated): The certificate enrollment web service is in renewal-only mode. New enrollment requests cannot be processed while the certificate enrollment web service is in renewal-only mode. If you want to enable new enrollment requests, configure both the certification authority and the certificate enrollment web service for new enrollment requests.

Details of the event with ID 7 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 7 (0x7)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Error
Event text (English): The Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the Certificate Enrollment Web Service to use a CA that is installed on a computer that is running at least Windows Server 2008 R2. Then, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected.
Event text (German message, translated): The certificate enrollment web service is attempting to use renewal-only mode, but this mode is not supported by the certification authority "%1". If you want to use renewal-only mode, configure the Certificate Enrollment Web Service to use a CA that is installed on a computer running Windows Server 2008 R2 or later, and then configure the CA itself by running the command "certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF". Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected.
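Events 6 and 7 describe the two halves of renewal-only mode: the CES side (the service is configured for renewals only) and the CA side (the CA must accept renewals submitted on behalf of the original requester). The following script is an added example, not code from the original page, that checks both sides before IIS is restarted. It assumes that the CES web.config stores the mode in an <appSettings> key named "RenewalOnly" and that certutil -getreg prints the symbolic EditFlags names (e.g. "EDITF_ENABLERENEWONBEHALFOF"); verify both on your installation. The file path and CA configuration string in the usage lines are placeholders.

```powershell
# Added example (not from the original article): reconcile the CES renewal-only
# setting (event 6) with the CA's EDITF_ENABLERENEWONBEHALFOF flag (event 7).
# Assumed: web.config key "RenewalOnly" and symbolic names in certutil -getreg output.

function Test-CaRenewOnBehalfOf {
    param([Parameter(Mandatory)][string]$CaConfig)   # "host\CA name"
    # Reads EditFlags of the default policy module from the CA's registry,
    # remotely via -config. Non-zero exit code means the CA did not answer.
    $out = & certutil.exe -config $CaConfig -getreg 'policy\editflags' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed for '$CaConfig': $out" }
    # -match on the output array returns the matching lines; empty array -> $false.
    [bool]($out -match 'EDITF_ENABLERENEWONBEHALFOF')
}

function Get-CesRenewalOnly {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'RenewalOnly' }
    if (-not $node) { return $false }   # key absent: treated as "not renewal-only" (assumption)
    [System.Convert]::ToBoolean($node.value)
}

function Test-CesRenewalMode {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [Parameter(Mandatory)][string]$CaConfig
    )
    $renewalOnly = Get-CesRenewalOnly -WebConfigPath $WebConfigPath
    $caSupports  = Test-CaRenewOnBehalfOf -CaConfig $CaConfig
    if ($renewalOnly -and -not $caSupports) {
        # Exactly the event 7 situation: every request will be rejected until the
        # flag is set on the CA (and CertSvc restarted) or CES leaves renewal-only mode.
        Write-Warning "CES is renewal-only but CA '$CaConfig' lacks EDITF_ENABLERENEWONBEHALFOF."
        Write-Warning "On the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF ; net stop certsvc ; net start certsvc"
    }
    [pscustomobject]@{
        WebConfig       = $WebConfigPath
        CesRenewalOnly  = $renewalOnly
        CaRenewOnBehalf = $caSupports
        Consistent      = (-not $renewalOnly) -or $caSupports
    }
}

# Usage (placeholders): the CES application directory and CA name are examples only.
# Test-CesRenewalMode -WebConfigPath 'C:\Windows\SystemData\CES\ADCSLaborIssuingCA1_CES_Kerberos\web.config' `
#                     -CaConfig 'ca01.adcslabor.de\ADCSLaborIssuingCA1'
```

A caveat before setting the flag: with EDITF_ENABLERENEWONBEHALFOF the CA accepts renewal requests that the CES submits on behalf of other principals, so the CES service account becomes a sensitive identity in the same way an enrollment agent is. Set the flag only on CAs that actually serve a renewal-only CES, and keep an eye on that account's membership and logon rights.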

Details of the event with ID 2 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 2 (0x2)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Error
Event text (English): The Certificate Enrollment Web Service failed to start. Confirm that the Certificate Enrollment Web Service is properly installed, and restart Internet Information Services (IIS) by using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, attempt to enroll for a certificate again from any client, and then contact Microsoft Customer Service and Support with the trace file information. %1
Event text (German message, translated): Error starting the certificate enrollment web service. Ensure that the Certificate Enrollment Web Service is installed correctly and restart Internet Information Services (IIS) by using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, retrieve policy information again from any client, and then contact Microsoft Customer Service and Support with the information in the trace file. %1

Details of the event with ID 1 of the source Microsoft-Windows-EnrollmentWebService

Event Source: Microsoft Windows EnrollmentWebService
Event ID: 1 (0x1)
Event log: Microsoft-Windows-EnrollmentWebService/Admin
Event type: Information
Event text (English): The Certificate Enrollment Web Service has started.
Event text (German message, translated): The certificate enrollment web service has been started.

Customize the Certificate Enrollment Web Service (CES) after migrating a certificate authority to a new server

If a Certificate Enrollment Web Service (CES) is operated in the network, migrating an Active Directory integrated certification authority (enterprise CA) to another server (see "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server") requires that the CES configuration be adapted to the new situation.

The CES configuration stores a configuration string (config string) that contains the server name of the connected certification authority. When the CA moves to a new server, this string must be adjusted accordingly, otherwise the service will not start (see events 2 to 4 above).
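One way to carry out that adjustment, written here as an added example and not as code from the original article: the script resolves every CES application registered in IIS, checks that the CA answers under its new name, and then rewrites the configuration string in the web.config. It assumes that the string lives in an <appSettings> key named "CAConfig" with the value "<host>\<CA name>" and that the IIS application path follows the "<CA name>_CES_<authentication>" pattern seen in the URLs on this page; check both before running it. The new CA configuration string in the usage line is a placeholder.

```powershell
# Added example (not from the original article): repoint CES instances on this
# host to a migrated CA by rewriting the CA configuration string in web.config.
# Assumed: appSettings key "CAConfig", IIS application path "<CA>_CES_<auth>".
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Get-CesWebConfigPath {
    # Every CES application in IIS, resolved to the web.config in its physical path.
    Get-WebApplication |
        Where-Object { $_.Path -like '*_CES_*' } |
        ForEach-Object { Join-Path $_.PhysicalPath 'web.config' }
}

function Update-CesCaConfig {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [Parameter(Mandatory)][string]$NewCaConfig   # e.g. "ca02.adcslabor.de\ADCSLaborIssuingCA1"
    )
    # The CA must be reachable under its new host name before CES is repointed,
    # otherwise the service fails to start (events 2/3/4). certutil -ping uses DCOM/RPC.
    & certutil.exe -config $NewCaConfig -ping | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CA '$NewCaConfig' does not answer to certutil -ping" }

    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'CAConfig' }
    if (-not $node) { throw "No appSettings key 'CAConfig' in $WebConfigPath (assumed key name)" }

    $old = $node.value
    if ($old -eq $NewCaConfig) { Write-Host "Already set to $NewCaConfig"; return }

    # Timestamped backup: web.config also carries the authentication settings.
    $backup = "$WebConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $WebConfigPath -Destination $backup
    $node.value = $NewCaConfig
    $cfg.Save($WebConfigPath)
    Write-Host "CAConfig changed from '$old' to '$NewCaConfig' (backup: $backup)"
}

# Usage: repoint every CES instance, recycle IIS, then expect event 1 (started)
# rather than 2/3/4 in the Microsoft-Windows-EnrollmentWebService/Admin log.
# Get-CesWebConfigPath | ForEach-Object {
#     Update-CesCaConfig -WebConfigPath $_ -NewCaConfig 'ca02.adcslabor.de\ADCSLaborIssuingCA1'
# }
# iisreset
# Get-WinEvent -LogName 'Microsoft-Windows-EnrollmentWebService/Admin' -MaxEvents 5
```

The configuration string is not the only place where the old host name survives: with Kerberos authentication the CES application pool account is configured for constrained delegation to the CA host (the HOST and rpcss services of that computer), and with the other authentication types the account needs request permission on the CA itself. Both refer to the old server after a migration and have to be recreated for the new one.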

Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10

There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.


Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)"

Assume the following scenario:

  • An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services.
  • The request fails with the following error message:

Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services. The name of the certificate template is passed with the -Template argument.
  • The request fails with the following error message:

Get-Certificate : CertEnroll::CX509CertificateTemplates::get_ItemByName: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

Windows Defender detects certutil as malware (Win32/Ceprolad.A)

Assume the following scenario:

  • The connection to a Certificate Enrollment Policy Web Service (CEP) is tested with the following certutil command:

certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP

  • The certutil command is incorrectly detected by Windows Defender or Windows Defender Advanced Threat Protection as Win32/Ceprolad.A.

Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)

If Microsoft's Active Directory administrative tiering model, or similar hardening measures, is applied to the servers, this has an impact on the CEP components, because the service account and the web application need specific Windows security permissions to operate.

Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES)

It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.

The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).


Certificate enrollment policy check via Certificate Enrollment Policy (CEP) web service fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED"

Assume the following scenario:

  • Users (or computers) should request certificates via the Certificate Enrollment Policy (CEP) web service.
  • For this purpose, a certificate enrollment policy is configured that points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • When validating the address, the connection to the CEP fails with the following error message:

An error occurred while obtaining certificate enrollment policy.
Url: https://cews.adcslabor.de/ADCSLaborIssuingCA1_CES_Kerberos/service.svc/CES
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
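The three PowerShell failures above (WS_E_ENDPOINT_ACCESS_DENIED, CRYPT_E_NOT_FOUND and WS_E_ENDPOINT_FAULT_RECEIVED) all surface as the same kind of Get-Certificate exception with an HRESULT in the message text. The following script is an added example, not code from the original article, that probes the CEP with the certutil command shown on this page, runs the enrollment through Get-Certificate from the PKIClient module, and maps the HRESULT to a first troubleshooting step. The CEP URL, template name and certificate store are placeholders, and the hint texts are this example's own starting points, not the article's diagnosis.

```powershell
# Added example (not from the original article): enrollment through the
# Certificate Enrollment Web Services with Get-Certificate, with the HRESULTs
# quoted on this page turned into a first diagnosis. Hint texts are my own.

$KnownHresults = @{
    '0x803d0005' = 'WS_E_ENDPOINT_ACCESS_DENIED in LoadPolicy: the CEP rejected the caller. Check that the authentication type of the enrollment policy server (Kerberos, username/password, certificate) matches the account used and that this account is allowed to read the policy.'
    '0x80092004' = 'CRYPT_E_NOT_FOUND in get_ItemByName: -Template must be the template name (not the display name) and the template must be part of the policy the CEP returned. Templates configured for Windows Server 2016/Windows 10 compatibility may be missing from the CEP response (known bug).'
    '0x803d0013' = 'WS_E_ENDPOINT_FAULT_RECEIVED: the web service answered with a SOAP fault. Read its Admin event log on the server, e.g. Microsoft-Windows-EnrollmentWebService/Admin for the CES.'
}

function Test-EnrollmentPolicyEndpoint {
    # The probe shown on this page; -kerberos selects Kerberos authentication.
    # Note the Win32/Ceprolad.A false positive Defender may raise for it.
    param([Parameter(Mandatory)][string]$PolicyUrl)
    $out = & certutil.exe -ping -kerberos -config $PolicyUrl CEP 2>&1
    [pscustomobject]@{ Reachable = ($LASTEXITCODE -eq 0); Output = ($out -join "`n") }
}

function Invoke-WebServiceEnrollment {
    param(
        [Parameter(Mandatory)][string]$PolicyUrl,   # https://<host>/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
        [Parameter(Mandatory)][string]$Template,    # template *name*, e.g. 'WebServer'
        [string]$CertStoreLocation = 'Cert:\CurrentUser\My'
    )
    try {
        $result = Get-Certificate -Url $PolicyUrl -Template $Template `
                                  -CertStoreLocation $CertStoreLocation -ErrorAction Stop
        return [pscustomobject]@{
            Status     = $result.Status               # Issued, Pending, ...
            Thumbprint = $result.Certificate.Thumbprint
            Hresult    = $null
            Message    = $null
            Hint       = $null
        }
    }
    catch {
        $msg = $_.Exception.Message
        # The error text carries "... 0x803d0005 (-2143485947 WS_E_...)"; pick the hex code.
        $code = if ($msg -match '0x[0-9a-fA-F]{8}') { $Matches[0].ToLower() } else { $null }
        $hint = if ($code -and $KnownHresults.ContainsKey($code)) { $KnownHresults[$code] }
                else { 'HRESULT not in the table; see the message text.' }
        return [pscustomobject]@{
            Status     = 'Failed'
            Thumbprint = $null
            Hresult    = $code
            Message    = $msg
            Hint       = $hint
        }
    }
}

# Usage (placeholders): probe the CEP first, then enroll.
# $cep = 'https://cews.adcslabor.de/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'
# Test-EnrollmentPolicyEndpoint -PolicyUrl $cep
# Invoke-WebServiceEnrollment -PolicyUrl $cep -Template 'ADCSLaborUser' | Format-List
```

On the server side, the quickest cross-check for a fault (0x803d0013) is Get-WinEvent -LogName 'Microsoft-Windows-EnrollmentWebService/Admin' -MaxEvents 20 on the CES host: events 2 to 4 and 7 listed at the top of this page explain most start-up and renewal-only failures directly. Note also that the URL in the scenario above ends in service.svc/CES, the CES endpoint, whereas an enrollment policy must point at the CEP endpoint (service.svc/CEP); a policy server entry pointing at the wrong service is worth ruling out before looking further.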