Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
Event ID: | 80 (0x825A0050) |
Event log: | Application |
Event type: | Warning |
Event text (English): | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported |
Event text (German): | The certificate registration for %1 cannot register for a %2 certificate because the %3 certificate registration server is a ROBO server and only renewal is supported. |
Tag: MS-WSTEP
The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".
Assume the following scenario:
- A role configuration for the Certificate Enrollment Web Service (CES) is performed.
- The role configuration fails with the following error message:
CCertificateEnrollmenServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".
Assume the following scenario:
- A role configuration for the Certificate Enrollment Web Service (CES) is performed.
- The role configuration fails with the following error message:
The Certificate Enrollment Web Service Setup failed because the CA "CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1" cannot be contacted. Check the name, and confirm that the CA is properly configured and available. The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Details of the event with ID 11 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 11 (0xB) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Information |
Event text (English): | The Certificate Enrollment Web Service is enabled for key based renewal. Client certificates without subject information in the Active Directory database can be used to renew certificates. |
Event text (German): | The Certificate Enrollment Policy Web service is enabled for key-based renewal. Certificates can be renewed with client certificates without requester information in the Active Directory database. |
Details of the event with ID 3 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 3 (0x3) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service failed to start. The certification authority (CA) "%1" is not an enterprise CA. |
Event text (German): | Error starting the certificate enrollment web service. The certificate authority "%1" is not an enterprise certificate authority. |
Details of the event with ID 4 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 4 (0x4) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service failed to start. A valid certification authority (CA) configuration is not specified in the web.config file. Please specify a CA configuration in the web.config file. |
Event text (German): | Error when starting the certificate enrollment web service. No valid certification authority configuration was specified in the "web.config" file. Specify a certification authority configuration in the "web.config" file. |
Details of the event with ID 5 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 5 (0x5) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Information |
Event text (English): | The Certificate Enrollment Web Service has been stopped. |
Event text (German): | The certificate enrollment web service has been terminated. |
Details of the event with ID 6 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 6 (0x6) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Warning |
Event text (English): | The Certificate Enrollment Web Service is in renewal-only mode. New enrollment requests cannot be processed when the Certificate Enrollment Web Service is in renewal-only mode. If you want to enable new enrollment requests, configure both the CA and the Certificate Enrollment Web Service for new enrollment requests. |
Event text (German): | The certificate enrollment web service is in renewal-only mode. New enrollment requests cannot be processed if the certificate enrollment web service is in renewal-only mode. If you want to enable new enrolment requests, configure the certification authority and the certificate enrolment web service for new enrolment requests. |
Details of the event with ID 7 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 7 (0x7) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the Certificate Enrollment Web Service to use a CA that is installed on a computer that is running at least Windows Server 2008 R2. Then, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected. |
Event text (German): | The certificate enrollment web service attempts to use renewal-only mode. However, this mode is not supported by the certification authority "%1". If you want to use renewal-only mode, configure the Certificate Enrollment Web Service to use a CA that is installed on a computer running Windows Server 2008 R2 or later, and then configure the CA itself by running the command "certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF". Otherwise, deactivate the renewal-only mode. If no action is performed, future requests will be rejected. |
Details of the event with ID 8 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 8 (0x8) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service cannot read the version or the configuration flags from certification authority (CA) "%1." On the Security tab of the CA property sheet, grant Read permission to the account used by the Certificate Enrollment Web Service application pool. If no action is taken, subsequent requests will be rejected. |
Event text (German): | The version or configuration identifiers of the certification authority "%1" cannot be read by the Certificate Registration Web Service. On the Security tab of the Certification Authority Properties page, grant read permissions to the account used by the Certificate Enrollment Web Service application pool. If no action is taken, future requests are denied. |
Details of the event with ID 9 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 9 (0x9) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected. |
Event text (German): | The certificate enrollment web service tries to use the renewals-only mode. However, this mode is not supported by the "%1" certificate authority. If you want to use renewals-only mode, configure the certification authority. To do this, run the following command for the certification authority: "certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF". Otherwise, disable the renewals-only mode. If no action is taken, future requests are denied. |
Details of the event with ID 10 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 10 (0xA) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service cannot operate because an incompatible configuration was selected. To resolve this issue, remove the Certificate Enrollment Web Service. If you want to use key based renewal, enable both client certificate authentication and renewal-only mode. If you want to use user name and password authentication or Windows authentication, disable key based renewal, and then run Setup again. |
Event text (German): | The certificate enrollment policy web service cannot be executed because an incompatible configuration has been selected. Remove the Certificate Enrollment Policy Web Service to resolve the issue. If you want to use key-based renewal, enable both client certificate authentication and renewal-only mode. If you want to use username and password authentication or Windows authentication, disable key-based renewal and run Setup again. |
Details of the event with ID 2 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 2 (0x2) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Error |
Event text (English): | The Certificate Enrollment Web Service failed to start. Confirm that the Certificate Enrollment Web Service is properly installed, and restart Internet Information Services (IIS) by using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, attempt to enroll for a certificate again from any client, and then contact Microsoft Customer Service and Support with the trace file information. %1 |
Event text (German): | Error starting the certificate registration web service. Ensure that the Certificate Enrollment Web Service is installed correctly and restart Internet Information Services (IIS) by using the iisreset.exe file. If the problem persists, enable tracing in the web.config file, restart IIS, retrieve policy information again from any client, and then contact Microsoft Customer Service and Support with the information in the tracing file. %1 |
Details of the event with ID 1 of the source Microsoft-Windows-EnrollmentWebService
Event Source: | Microsoft-Windows-EnrollmentWebService |
Event ID: | 1 (0x1) |
Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
Event type: | Information |
Event text (English): | The Certificate Enrollment Web Service has started. |
Event text (German): | The certificate enrollment web service has been started. |
Customize the Certificate Enrollment Web Service (CES) after migrating a certificate authority to a new server
If a Certificate Enrollment Web Service (CES) is operated in the network, the "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server" requires that the configuration of the CES be adapted to the new situation.
A configuration string (Config String) is stored in the configuration of the CES, which contains the server name of the connected certification authority. If this changes, the configuration must be adjusted accordingly.