Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 75 (0x825A004B) |
Event log: | Application |
Event type: | Warning |
Event text (English): | Certificate enrollment for %1 failed in authentication to policy server %2 with ID %3 (%6). Authentication mechanism was %5 (Credential: %4). |
Event text (German): | Certificate enrollment error for %1 when authenticating for policy server %2 with ID %3 (%6). Authentication mechanism used %5 (credentials: %4). |
Tag: Autoenrollment
Details of the event with ID 86 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 86 (0xC25A0056) |
Event log: | Application |
Event type: | Error |
Event text (English): | SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
Event text (German): | Error during initialization of SCEP certificate registration for %1 via %2: %3 Method: %4 Phase: %5 %6 |
Details of the event with ID 87 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 87 (0xC25A0057) |
Event log: | Application |
Event type: | Error |
Event text (English): | SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
Event text (German): | SCEP certificate registration error for %1 over %2: %3 Method: %4 Phase: %5 %6 |
No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)
Assume the following scenario:
- A user works remotely via Virtual Private Network (VPN)
- A certificate should be requested via autoenrollment, but the request never happens.
- A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (31ms)
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
New certificates are regularly requested via Autoenrollment
Assume the following scenario:
- A certificate template is configured for automatic request and issuance (AutoEnrollment).
- Users or computers apply for new certificates at regular intervals and long before the defined renewal period.
Automatic renewal of manually requested certificates without intervention of a certificate manager
Assume a use case in which users specify the identity contained in the certificate themselves in the certificate request, so that every request requires manual approval by a certificate manager. The question then arises how to proceed when these certificates expire, or when the certificate template is moved to another certification authority, so that help desk tickets and the resulting work for the certificate managers are kept to a minimum.
Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 4 (0x425A0004) |
Event log: | Application |
Event type: | Information |
Event text (English): | Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed. |
Event text (German): | Certificate enrollment for %1 could not access local resources or retrieve certificate template information for %2 (%3). No registration is performed. |
Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 13 (0xC25A000D) |
Event log: | Application |
Event type: | Error |
Event text (English): | Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5). |
Event text (German): | The certificate enrollment for %1 failed to enroll for a certificate %2 with request ID %4 of %3 (%5). |
Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 57 (0x825A0039) |
Event log: | Application |
Event type: | Information, Warning and Error |
Event text (English): | The "%2" provider was not loaded because initialization failed. |
Event text (German): | The "%2" provider was not loaded due to an initialization error. |
Details of the event with ID 82 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 82 (0x825A0052) |
Event log: | Application |
Event type: | Warning |
Event text (English): | Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3 |
Event text (German): | Certificate registration error for %1 when authenticating for all URLs for the registration server associated with the following policy ID: %2 (%4). Error registering for template: %3 |
Planning of certificate validity and renewal period of end entity certificates with autoenrollment
If autoenrollment is used, the enrollees (users and computers) request and renew their certificates on their own.
Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:
- Validity period: Describes the overall validity of the issued certificate.
- Renewal period: Describes the time window, counted backwards from the certificate's expiration date, in which automatic renewal is attempted for the first time (e.g. 6 weeks before expiration).
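The following PowerShell script is an added example and not code from the original page. It reads the two values described above directly from the certificate template objects in Active Directory (attributes pKIExpirationPeriod and pKIOverlapPeriod), decodes them into time spans, and computes for an issued certificate when the renewal window opens. The template name "CorpComputer" is a hypothetical placeholder; the script assumes a domain-joined machine that can read the Configuration partition.

```powershell
# Added example (not from the original page): decode validity and renewal
# period of certificate templates from Active Directory and compute, for an
# issued certificate, when autoenrollment will first try to renew it.
# Assumptions: domain-joined machine with read access to the Configuration
# partition; the template name "CorpComputer" used below is hypothetical.

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod and pKIOverlapPeriod are stored as a negative 64-bit
    # little-endian count of 100-nanosecond intervals (a negated FILETIME-style
    # duration), so negating the value yields .NET ticks.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $intervals = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$intervals)
}

function Get-TemplatePeriods {
    # Returns validity and renewal period for every template, or for the one
    # template selected by its cn (the internal name, not the display name).
    param([string]$TemplateName)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = if ($TemplateName) {
        "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
    } else {
        '(objectClass=pKICertificateTemplate)'
    }
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'displayName', 'pKIExpirationPeriod', 'pKIOverlapPeriod'))

    foreach ($result in $searcher.FindAll()) {
        $validity = ConvertFrom-PkiPeriod ([byte[]]$result.Properties['pkiexpirationperiod'][0])
        $renewal  = ConvertFrom-PkiPeriod ([byte[]]$result.Properties['pkioverlapperiod'][0])
        [pscustomobject]@{
            Template      = $result.Properties['displayname'][0]
            Name          = $result.Properties['cn'][0]
            ValidityDays  = [math]::Round($validity.TotalDays, 1)
            RenewalDays   = [math]::Round($renewal.TotalDays, 1)
            RenewalPeriod = $renewal
        }
    }
}

function Get-RenewalWindow {
    # Autoenrollment measures the renewal period against the NotAfter of the
    # certificate actually issued, which can be shorter than the template
    # validity when the CA caps it (see "certutil -getreg ca\ValidityPeriod").
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][TimeSpan]$RenewalPeriod
    )
    $renewalStart = $Certificate.NotAfter - $RenewalPeriod
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        RenewalStarts = $renewalStart
        RenewalDue    = (Get-Date) -ge $renewalStart
        Expired       = (Get-Date) -ge $Certificate.NotAfter
    }
}

# Usage: list all templates, then check every computer certificate against
# the renewal period of the hypothetical template "CorpComputer".
Get-TemplatePeriods | Sort-Object Template | Format-Table Template, Name, ValidityDays, RenewalDays -AutoSize

$template = Get-TemplatePeriods -TemplateName 'CorpComputer'
if (-not $template) { throw 'Template CorpComputer not found in Active Directory.' }

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-RenewalWindow -Certificate $_ -RenewalPeriod $template.RenewalPeriod } |
    Format-Table Subject, NotAfter, RenewalStarts, RenewalDue, Expired -AutoSize
```

The decoding uses the DirectorySearcher class from .NET rather than the ActiveDirectory module, so it runs on any domain member without RSAT. Note that a certificate whose renewal window has opened will only be renewed once one of the autoenrollment triggers fires and the client can actually reach the issuing CA, which is exactly the failure mode in the VPN scenarios on this page.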
Have certificate holders automatically renew all certificates issued for a certificate template
When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.
Clients connected via Virtual Private Network (VPN) do not renew certificates automatically
Assume the following scenario:
- Client computers automatically obtain certificates from an Active Directory integrated certificate authority (Enterprise Certification Authority).
- Expiring certificates are renewed automatically when the clients are on the internal network.
- However, expiring certificates are not automatically renewed when clients are connected via Virtual Private Network (VPN).
- This can result in clients not renewing their certificate in time before it expires and no longer being able to connect to the VPN.
Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol
The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.
Manually running the autoenrollment process
By default, all domain members replicate the objects published in the Public Key Services container of the Active Directory forest (such as the certificates of the certification authorities) into their local certificate stores through the autoenrollment process. The triggers for this are:
- When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
- By timer every 8 hours.
- When updating group policies, assuming there has been a change.
If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.
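The following PowerShell script is an added example and not code from the original page. It starts the autoenrollment process on demand through the built-in scheduled tasks instead of waiting for one of the three triggers above, waits for the tasks to finish, and then reads back the events of the Microsoft-Windows-CertificateServicesClient-CertEnroll source that are documented on this page as enrollment failures (IDs 4, 13, 57, 75, 82, 86 and 87). It assumes that the tasks SystemTask and UserTask exist under \Microsoft\Windows\CertificateServicesClient\, which is the case on current Windows versions, and that the machine context is run from an elevated shell.

```powershell
# Added example (not from the original page): trigger autoenrollment on demand
# and collect the CertEnroll events it produced. Assumptions: the built-in
# scheduled tasks SystemTask and UserTask exist under the path below, and the
# machine context is started from an elevated shell. The certutil equivalent
# is "certutil -pulse" (machine) and "certutil -user -pulse" (user).

$taskPath   = '\Microsoft\Windows\CertificateServicesClient\'
$provider   = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
# Event IDs documented on this page that indicate enrollment did not succeed.
$failureIds = 4, 13, 57, 75, 82, 86, 87

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Autoenrollment {
    param([ValidateSet('Machine', 'User', 'Both')][string]$Context = 'Both')

    $tasks = @()
    if ($Context -in 'Machine', 'Both') {
        if (-not (Test-IsElevated)) { throw 'Machine autoenrollment needs an elevated shell.' }
        $tasks += 'SystemTask'
    }
    if ($Context -in 'User', 'Both') { $tasks += 'UserTask' }

    foreach ($name in $tasks) {
        Start-ScheduledTask -TaskPath $taskPath -TaskName $name
        # Poll the task state instead of guessing a fixed delay.
        do {
            Start-Sleep -Seconds 2
            $state = (Get-ScheduledTask -TaskPath $taskPath -TaskName $name).State
        } while ($state -eq 'Running')
        "$name finished with state '$state'"
    }
}

function Get-CertEnrollFailures {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Application'; ProviderName = $provider; Id = $failureIds; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; treat that as "no failures".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            Message = ($e.Message -split "`r?`n")[0]   # first line carries the template/CA details
        }
    }
}

# Usage: pulse both contexts, then show only failures logged since the pulse.
$started = Get-Date
Invoke-Autoenrollment -Context 'Both'
$failures = Get-CertEnrollFailures -Since $started
if ($failures) {
    $failures | Format-Table Time, Id, Level, Message -AutoSize
} else {
    'No CertEnroll failures logged since the pulse.'
}
```

Filtering by the start time of the pulse keeps the output to the events of this run; without a VPN or RPC path to the CA, event 13 (enrollment failed for the template) and, for policy-server based enrollment, events 75 and 82 are the ones to expect.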