Analyze network problems with Wireshark without installing software on production systems

Often, the cause of problems with the public key infrastructure lies in the underlying network, for example when a firewall rule is missing.

Thus, it is helpful if one is able to record network traffic in order to analyze it. Excellent tools exist for this purpose, such as Wireshark, but these require an installation on the system in question, which cannot and should not be done lightly on a production system.

Fortunately, the Windows Server operating system has a built-in mechanism to capture network packets. However, the resulting files are not compatible with Wireshark. The Microsoft proprietary tool, Message Analyzer, was discontinued on Nov 25, 2019 and the download links removed.

The following therefore describes how such a recording can be generated and subsequently converted into a Wireshark-compatible format in order to be able to analyze the recording away from the server in question.

Continue reading „Analyze network problems with Wireshark without installing software on production systems“

The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.

Assume the following scenario:

  • For a certificate template, only the object identifier is shown, but not the display name and/or
  • Queries against the certificate authority database contain only the object identifier for the certificate template ("CertificateTemplate" field), but not the display name.
Continue reading „The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.“

Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • An attempt is made to install a certificate authority
  • The role configuration fails with the following error message:
An error occurred when creating the new key container "ADCS Labor Issuing CA 3". Please make sure the CSP is installed correctly or select another CSP.
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Continue reading „Installation of a certificate authority fails with error code „Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).““

Revocation check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)

Assume the following scenario:

Continue reading „Revocation check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)“

Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message "A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)".

Assume the following scenario:

  • A certification authority (Enterprise CA) integrated into Active Directory is installed using Windows PowerShell (Install-AdcsCertificationAuthority).
  • The role configuration fails with the following error message:
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)
Continue reading „Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message „A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)““

The certification authority service does not start and throws the error message "The device that is required by this cryptographic provider is not ready for use. 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The device that is required by this cryptographic provider is not ready for use. 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)
Continue reading „The certification authority service does not start and throws the error message „The device that is required by this cryptographic provider is not ready for use. 0x80090030 (-2146893776 NTE_DEVICE_NOT_READY)““

The certification authority service does not start and throws the error message "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The parameter is incorrect. 0x57 (WIN32: 87 ERROR_INVALID_PARAMETER)
Continue reading „The certification authority service does not start and throws the error message „The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)““

Disabling the generation of cross-certification authority certificates on a root certification authority

Root certification authorities (root CA) generate so-called cross-certification authority certificates (cross signing) when the certification authority certificate is renewed.

Problems may sometimes occur in this process, as described for example in the article „Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)"“.

In such a case, one may want to stop the creation of the cross-certification authority certificates.

Continue reading „Disabling the generation of cross-certification authority certificates on a root certification authority“

Requesting certificates through the Network Device Enrollment Service (NDES) fails with HTTP error code 503 and there are no entries in the Event Viewer

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account or a Group Managed Service Account (gMSA) for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 503 (Server Unavailable).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or a restart of the NDES server, no event appears after calling the mscep or mscep_admin page indicating that the NDES service has started or that errors occurred.
Continue reading „Requesting certificates through the Network Device Enrollment Service (NDES) fails with HTTP error code 503 and there are no entries in the Event Viewer“

Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10

There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.

Continue reading „Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10“

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)".

Assume the following scenario:

  • An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services.
  • The request fails with the following error message:
Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Continue reading „Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message „Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)““

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services. The name of the certificate template is included with the -Template argument.
  • The request fails with the following error message:
Get-Certificate : CertEnroll::CX509CertificateTemplates::get_ItemByName: Cannot find object or property. 0x80092004
(-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Windows Defender detects certutil as malware (Win32/Ceprolad.A)

Assume the following scenario:

certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP 

The certutil command is incorrectly detected by Windows Defender or Windows Defender Advanced Threat Protection as Win32/Ceprolad.A.

Continue reading „Windows Defender detects certutil as malware (Win32/Ceprolad.A)“

Certificate request fails with error message "Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)".

Assume the following scenario:

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:
Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)
Continue reading „Certificate request fails with error message „Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)““

Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)".

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • Requesting a certificate fails with the following error message:
"The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)"
Continue reading „Requesting certificates via Network Device Enrollment Service (NDES) fails with error message „The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)““