Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 9 (0x9) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected. |
Event text (German): | The certificate enrollment web service tries to use the renewals-only mode. However, this mode is not supported by the "%1" certificate authority. If you want to use renewals-only mode, configure the certification authority. To do this, run the following command for the certification authority: "certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF". Otherwise, disable the renewals-only mode. If no action is taken, future requests are denied. |
Category: Certificate Enrollment Web Services
Details of the event with ID 10 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 10 (0xA) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service cannot operate because an incompatible configuration was selected. To resolve this issue, remove the Certificate Enrollment Web Service. If you want to use key based renewal, enable both client certificate authentication and renewal-only mode. If you want to use user name and password authentication or Windows authentication, disable key based renewal, and then run Setup again. |
Event text (German): | The certificate enrollment policy web service cannot be executed because an incompatible configuration has been selected. Remove the Certificate Enrollment Policy Web Service to resolve the issue. If you want to use key-based renewal, enable both client certificate authentication and renewal-only mode. If you want to use username and password authentication or Windows authentication, disable key-based renewal and run Setup again. |
Details of the event with ID 3 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 3 (0x3) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service failed to start. The certification authority (CA) "%1" is not an enterprise CA. |
Event text (German): | Error starting the certificate enrollment web service. The certificate authority "%1" is not an enterprise certificate authority. |
Details of the event with ID 4 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 4 (0x4) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service failed to start. A valid certification authority (CA) configuration is not specified in the web.config file. Please specify a CA configuration in the web.config file. |
Event text (German): | Error when starting the certificate enrollment web service. No valid certification authority configuration was specified in the "web.config" file. Specify a certification authority configuration in the "web.config" file. |
Details of the event with ID 5 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 5 (0x5) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Information |
Event text (English): | The Certificate Enrollment Web Service has been stopped. |
Event text (German): | The certificate enrollment web service has been terminated. |
Details of the event with ID 2 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 2 (0x2) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service failed to start. Confirm that the Certificate Enrollment Web Service is properly installed, and restart Internet Information Services (IIS) by using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, attempt to enroll for a certificate again from any client, and then contact Microsoft Customer Service and Support with the trace file information. %1 |
Event text (German): | Error starting the certificate registration web service. Ensure that the Certificate Enrollment Web Service is installed correctly and restart Internet Information Services (IIS) by using the iisreset.exe file. If the problem persists, enable tracing in the web.config file, restart IIS, retrieve policy information again from any client, and then contact Microsoft Customer Service and Support with the information in the tracing file. %1 |
Details of the event with ID 1 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft Windows EnrollmentWebService |
Event ID: | 1 (0x1) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Information |
Event text (English): | The Certificate Enrollment Web Service has started. |
Event text (German): | The certificate enrollment web service has been started. |
Customize the Certificate Enrollment Web Service (CES) after migrating a certificate authority to a new server
If a Certificate Enrollment Web Service (CES) is operated in the network, migrating an Active Directory integrated certification authority (enterprise CA) to another server requires that the configuration of the CES be adapted to the new situation.
A configuration string (Config String) is stored in the configuration of the CES, which contains the server name of the connected certification authority. If this changes, the configuration must be adjusted accordingly.
Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10
There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.
Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)"
Assume the following scenario:
- An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services.
- The request fails with the following error message:
Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services. The name of the certificate template is included with the -Template argument.
- The request fails with the following error message:
Get-Certificate : CertEnroll::CX509CertificateTemplates::get_ItemByName: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Windows Defender detects certutil as malware (Win32/Ceprolad.A)
Assume the following scenario:
- A functional test of the Certificate Enrollment Policy Web Service (CEP) is performed.
- For this purpose, a certutil command that uses Kerberos authentication is used, for example:
certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP
The certutil command is incorrectly detected by Windows Defender or Windows Defender Advanced Threat Protection as Win32/Ceprolad.A.
Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)
Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on the CEP components.
Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES)
It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.
The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).
Certificate enrollment policy check via Certificate Enrollment Policy (CEP) web service fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED"
Assume the following scenario:
- Users (or computers) should request certificates via the Certificate Enrollment Policy (CEP) web service.
- For this purpose, a certificate enrollment policy is configured, which points to a Certificate Enrollment Policy Web Service (CEP).
- Authentication is done via Kerberos.
- When checking the address, the connection to the CEP fails and you get the following error message:
An error occurred while obtaining certificate enrollment policy.
Url: https://cews.adcslabor.de/ADCSLaborIssuingCA1_CES_Kerberos/service.svc/CES
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)