Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • Requesting a certificate fails with the following error message:
The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Continue reading "Requesting certificates via Network Device Enrollment Service (NDES) fails with error message 'The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)'"

Requesting certificates via Network Device Enrollment Service (NDES) fails with HTTP error code 500

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 500 (Internal Server Error).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or a restart of the NDES server, calling the mscep or mscep_admin page produces no event indicating that the NDES service has started or that errors occurred.
Continue reading "Requesting certificates via Network Device Enrollment Service (NDES) fails with HTTP error code 500"

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error"

Assume the following scenario:

  • An NDES server is configured on the network.
  • When accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin), HTTP error 500 (Internal Server Error) is reported with error code 0x80004005.
  • Events No. 2 and No. 8 are stored in the application event log:
The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error
Continue reading "The Network Device Enrollment Service (NDES) logs the error message 'The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error'"

Certificate enrollment policy check via Certificate Enrollment Policy (CEP) web service fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED".

Assume the following scenario:

  • Users (or computers) should request certificates via the Certificate Enrollment Policy (CEP) web service.
  • For this purpose, a certificate enrollment policy is configured, which points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • When checking the address, the connection to the CEP fails and you get the following error message:
An error occurred while obtaining certificate enrollment policy.
Url: https://cews.adcslabor.de/ADCSLaborIssuingCA1_CES_Kerberos/service.svc/CES
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading "Certificate enrollment policy check via Certificate Enrollment Policy Web Service (CEP) fails with error code 'WS_E_ENDPOINT_FAULT_RECEIVED'"

Login via smart card using Remote Desktop (RDP) fails with error message "The requested key container does not exist on the smart card."

Assume the following scenario:

  • A user logs on to a remote desktop system using the smart card logon function.
  • The user uses a Yubico Yubikey as a smartcard. The required middleware is installed on both the local and the remote system.
  • The login fails with the following error message:
The system could not log you on. The requested key container does not exist on the smart card.
Continue reading "Login via smart card using Remote Desktop (RDP) fails with error message 'The requested key container does not exist on the smart card.'"

Effects of the failure of the online responder (OCSP) on the verification of the revocation status of a certificate

The following section examines how the revocation status check behaves if the online responder should fail. Depending on the configuration of the certificates issued, the behavior can vary considerably.

Continue reading "Effects of the failure of the online responder (OCSP) on the verification of the revocation status of a certificate"

Creation of a manual certificate request fails with error message "Expected INF file section name 0xe0000000".

Assume the following scenario:

  • An information file for a manual certificate request is created.
  • Creating the certificate request using the file fails with the following error message:
Expected INF file section name 0xe0000000 (INF: -536870912)
Continue reading "Creation of a manual certificate request fails with error message 'Expected INF file section name 0xe0000000'"

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED".

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading "Requesting a certificate via the Certificate Enrollment Web Service (CES) fails with error code 'WS_E_ENDPOINT_FAULT_RECEIVED'"

The SMTP Exit module does not work on Windows Server Core

Assume the following scenario:

  • A certificate authority is installed on Windows Server Core.
  • The SMTP Exit Module supplied with the certification authority is configured.
  • However, the certification authority does not send e-mails.
  • Event no. 46 is logged in the event log with the following error message:
The "Windows default" Exit Module "Initialize" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164). The Certification Authority was unable to initialize email messaging objects.
Continue reading "The SMTP Exit Module does not work on Windows Server Core"

Certificate request fails with error message "The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:
Error Parsing Request The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Continue reading "Requesting a certificate fails with error message 'The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)'"

Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Denied by Policy Module.
Continue reading "Requesting a certificate fails with error message 'Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).'"

Performing a functional test for the Certificate Enrollment Policy Web Service (CEP)

After installing a Certificate Enrollment Policy Web Service (CEP), or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components are working as desired.

Continue reading "Performing a functional test for the Certificate Enrollment Policy Web Service (CEP)"

The certification authority service does not start and throws the error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)
Continue reading "The certification authority service does not start and throws the error message 'Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)'"

Checking the connection to the private key of a certificate (e.g. when using a hardware security module)

For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.

Continue reading "Checking the connection to the private key of a certificate (e.g. when using a hardware security module)"

Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)

Assume the following scenario:

  • Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
  • The certificate template used for this purpose was created by the user
  • The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain
Continue reading "Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)"