Troubleshooting - Page 9 - Uwe Gradenegger

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "WS_E_ENDPOINT_FAILURE".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

The remote endpoint could not process the request. 0x803d000f (-2143485937 WS_E_ENDPOINT_FAILURE)

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_INVALID_ENDPOINT_URL".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: The endpoint address URL is invalid. 0x803d0020 (-2143485920 WS_E_INVALID_ENDPOINT_URL)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "WS_E_ENDPOINT_UNREACHABLE".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

The remote endpoint was not reachable. 0x803d0010 (-2143485936 WS_E_ENDPOINT_UNREACHABLE)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_CANNOT_CONNECT".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: A connection with the server could not be established 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_TIMEOUT".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_NAME_NOT_RESOLVED".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_INVALID_CA".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

The certificate authority is invalid or corrupt. 0x80072f0d (WinHttp: 12045 ERROR_WINHTTP_SECURE_INVALID_CA)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "WS_E_OPERATION_TIMED_OUT".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Certificate Request Processor: The operation did not complete within the time allotted. 0x803d0006 (-2143485946 WS_E_OPERATION_TIMED_OUT)

Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

The requested certificate template is not supported by this CA.

Enable debug logging for Certificate Enrollment Policy Web Service (CEP)

When trying to track down an error in the Certificate Enrollment Policy Web Service (CEP), it is helpful to enable debug logging.

Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "ERROR_WINHTTP_CONNECTION_ERROR".

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
The operation fails with the following error message:

Error: The server connection was terminated due to an error. 0x80072efe (WinHttp:12030) ERROR_WINHTTP_CONNECTION_ERROR

Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
However, the list of available certificate templates within the MMC is completely empty.
In the list of available certificate templates within the MMC, all certificate templates are displayed. At all desired certificate templates it is written:

Cannot find Object or property.
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.

Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message "Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED".

Assume the following scenario:

A user requests a certificate.
An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
The connection to the CEP fails and the user receives the following error message:

Error: Access was denied by the remote endpoint. 0x803d0005 -2143485947 WS_E_ENDPOINT_ACCESS_DENIED

The role configuration for the Certificate Enrollment Policy Web Service (CEP) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

A role configuration for the Certificate Enrollment Policy Web Service (CEP) is performed.
The role configuration fails with the following error message:

CCertificateEnrollmentPolicyServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Role configuration for Certificate Enrollment Policy Web Service fails with error message "The argument is null or empty."

Assume the following scenario:

A role configuration for the Certificate Enrollment Policy Web Service (CEP) is performed using PowersShell (Install-AdcsEnrollmentPolicyWebService).
The role configuration fails with the following error message:

Cannot validate argument on parameter 'SSLCertThumbprint'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.