Certificate request fails with error message "Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate template is set up for archiving private keys.
  • The certificate request fails with the following error message:
Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)

After installing or migrating a certificate authority to a new server, you can no longer publish your own certificate templates

Assume the following scenario:


Clients connected via Virtual Private Network (VPN) do not renew certificates automatically

Assume the following scenario:

  • Client computers automatically obtain certificates from an Active Directory integrated certificate authority (Enterprise Certification Authority).
  • Expiring certificates are renewed automatically when the clients are on the internal network.
  • However, expiring certificates are not automatically renewed when clients are connected via Virtual Private Network (VPN).
  • This can result in clients not renewing their certificate in time before it expires and no longer being able to connect to the VPN.

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The user's login to CAWE fails with HTTP code 401 "Unauthorized: Access is denied due to invalid credentials.":
You do not have permission to view this directory or page using the credentials that you supplied.

Requesting certificates via the Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 403 "Forbidden: Access is denied."

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The user's login to CAWE fails with HTTP code 403 "Forbidden: Access is denied.":
You do not have permission to view this directory or page using the credentials that you supplied.

Requesting certificates via the Certificate Authority Web Enrollment (CAWE) fails with error message "No certificate templates could be found.", or the desired certificate template is not displayed

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to submit an existing certificate request to the certification authority via the certification authority web enrollment.
  • The desired certificate template is missing from the list of selectable certificate templates, or the list is completely empty.
  • If the list is empty, the following error message is also issued:
No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

Perform a functional test for Certificate Authority Web Enrollment (CAWE)

After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.


Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 500 "Internal Server error".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request takes a very long time and finally fails with HTTP code 500 "Internal server error":
There is a problem with the resource you are looking for, and it cannot be displayed.

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "ERROR_ACCESS_DENIED".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Requesting certificates via the Certification Authority Web Enrollment (CAWE) takes a very long time

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The process is successful, but the request takes a long time (up to several minutes).

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)

Requesting a certificate fails with the error message "You cannot request a certificate at this time because no certificate types are available."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, you use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • You don't get any certificate templates to choose from, even though they are correctly published on the certificate authorities.
  • There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
  • The following error message is displayed:
Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.

Publishing a certificate template on a CA fails with error message "The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • An administrator publishes a certificate template on a certificate authority.
  • The operation fails with the following error message:
The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_INTERNET_NAME_NOT_RESOLVED".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
The name or address could not be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_INTERNET_TIMEOUT".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
The operation timed out 0x80072ee2 (INet: 12002 ERROR_INTERNET_TIMEOUT)