Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Status Protocol (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.

Details of the event with ID 131 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 131 (0x83)
Event log: Application
Event type: Warning
Event text (English): An invalid OID has been detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To resolve, run: "certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL" to identify the invalid OID and correct it. The default OIDs ("1.3.6.1.5.5.7.3.3" and "1.3.6.1.4.1.311.61.1.1") will be used.
Event text (German, translated): An invalid OID was detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To fix it, run the "certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL" command to detect and correct the invalid OID. The default OIDs ("1.3.6.1.5.7.3.3" and "1.3.6.1.4.1.311.61.1.1") are used.

Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.


Querying the configured RPC endpoints of a certification authority

In the default configuration, the certification authority's certificate request interface is configured to negotiate dynamic ports for incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services").

However, it is also possible to configure the certification authority to use a static port (see the article "Configuring the certificate authority to a static port (RPC endpoint)").

The following describes how to check the current configuration of the certification authority.


Removing old certification authority certificates from the configuration of a certification authority

During the lifetime of a certification authority, certification authority certificates are renewed according to the planning for their life cycle. A new key pair can optionally be used here. The previous certification authority certificates expire or are revoked.

Expired certificate authority certificates can become a problem under certain circumstances if, for example, the associated private keys are stored on old hardware security modules (HSM) and these can only be migrated to new hardware with great difficulty.

In such a case, it may be useful to remove old certification authority certificates from the certification authority configuration.


The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • Event ID 2 is stored in the application event log:
The Network Device Enrollment Service cannot be started (0x80070002). The system cannot find the file specified.

Configuring the Network Device Enrollment Service (NDES) to operate without a password

There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords. Some solutions cannot handle a password at all.

In this case, you can configure NDES not to generate or require a password.


Configuring the Network Device Enrollment Service (NDES) to work with a static password

There are situations in which you cannot operate NDES with changing passwords. This is usually the case when there is either no management solution for the devices to be managed, or when it cannot handle changing passwords.

In this case, you can configure NDES to generate a static password that will not change afterwards.


The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot create or modify the registry key Software\Microsoft\Cryptography\MSCEP\EncryptedPassword."

Assume the following scenario:

  • An NDES server is configured on the network.
  • The NDES server is configured to work with a static password.
  • When accessing the NDES administration web page (certsrv/mscep_admin), users are repeatedly prompted for authentication despite having correct credentials.
  • The following event is stored in the application event log:
The Network Device Enrollment Service cannot create or modify the registry key "Software\Microsoft\Cryptography\MSCEP\EncryptedPassword". Grant Read and Write permissions on the registry key "Software\Microsoft\Cryptography\MSCEP" to the account that the Network Device Enrollment Service is running as.

The Network Device Enrollment Service (NDES) Administration web page (certsrv/mscep_admin) reports "The password cache is full."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears:
The password cache is full.

Publishing a certificate revocation list (CRL) fails with error message "The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)".

Assume the following scenario:

  • A new revocation list is created on the certification authority.
  • Publishing fails with the following error message:
The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)

Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

  • You try to request a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, you use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
  • The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • In the list of available certificate templates within the MMC, all certificate templates are displayed. Next to the desired certificate template, the following is shown:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.