Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 53 (0x35) |
Event log: | Application |
Event type: | Warning |
Symbolic Name: | MSG_DN_CERT_DENIED_WITH_INFO |
Event text (English): | Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4 |
Event text (German): | The request %1 was rejected because %2. The request was for %3. More information: %4 |
Tag: Certificate Template
Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10
There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.
Continue reading „Der Zertifikatregistrierungs-Richtliniendienst zeigt Zertifikatvorlagen, die auf Kompatibilität mit Windows Server 2016 oder Windows 10 konfiguriert sind, nicht an“How are the compatibility settings for certificate templates technically mapped?
Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.
In the following, this function is described in more detail, as well as possible effects in practice.
Continue reading „Wie sind die Kompatibilitätseinstellungen für Zertifikatvorlagen technisch abgebildet?“Overview of the availability of options when changing the compatibility settings of a certificate template
Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.
The following is an overview of which options become available in each case when the compatibility settings for the certificate authority and/or the certificate recipients are changed.
Continue reading „Übersicht über die Verfügbarkeit von Optionen bei Veränderung der Kompatibilitätseinstellungen einer Zertifikatvorlage“Requesting certificates via Network Device Enrollment Service (NDES) fails with error message "The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)".
Assume the following scenario:
- A network device enrollment service (NDES) is implemented in the network.
- Requesting a certificate fails with the following error message:
"The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)"Continue reading „Die Beantragung von Zertifikaten über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)““
Manually requesting a Remote Desktop (RDP) certificate
There are cases in which you cannot or do not want to obtain Remote Desktop certificates from a certificate authority in your own Active Directory forest, for example, if the system in question is not a domain member.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Continue reading „Manuelle Beantragung eines Remotedesktop (RDP) Zertifikats“Perform functional test for a Certification Authority
After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.
Continue reading „Funktionstest durchführen für eine Zertifizierungsstelle“Planning of certificate validity and renewal period of end entity certificates with autoenrollment
If autoenrollment is used, participants apply for and renew certificates independently.
Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:
- Validity period: Describes the overall validity of the issued certificate.
- Renewal period: Describes from which time window, viewed backwards from the expiration date of the certificate, automatic renewal is attempted for the first time (e.g. 6 weeks before expiration).
Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)
Assume the following scenario:
- Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
- The certificate template used for this purpose was created by the user
- The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain
Configuring a Certificate Template for Remote Desktop (RDP) Certificates
To use Remote Desktop certificates, it is necessary to configure an appropriate certificate template.
Continue reading „Konfigurieren einer Zertifikatvorlage für Remotedesktop (RDP) Zertifikate“Identify the active Remote Desktop (RDP) certificate
If one has a Remote Desktop Certificate Template and a appropriate group guidelines configured, or manually assigned a remote desktop certificateYou may want to verify that the certificates on the participating computers are being used correctly by the Remote Desktop session host.
Continue reading „Identifizieren des aktiven Remotedesktop (RDP) Zertifikats“Have certificate holders automatically renew all certificates issued for a certificate template
When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.
Continue reading „Alle für eine Zertifikatvorlage ausgestellten Zertifikate automatisch von den Zertifikatinhabern erneuern lassen“Description of certificate template generations
Below is a description of the different generations of certificate templates (schema versions) and the innovations introduced with them.
Continue reading „Beschreibung der Generationen von Zertifikatvorlagen“Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.
Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.
Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.
Continue reading „Verwenden von Authentication Mechanism Assurance (AMA) für die Absicherung der Anmeldung administrativer Konten“Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol
The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.
Continue reading „Grundlagen manuelle und automatische Zertifikatbeantragung über Lightweight Directory Access Protocol (LDAP) und Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) mit dem MS-WCCE Protokoll“