The following is an overview of the Windows Event Viewer events generated by the Windows certificate client, how to enable them, and how to identify them.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Configure logging
In order to log events beyond errors and warnings, a "LogLevel" value with the appropriate content must be created in the relevant registry key (which key depends on whether the user or the computer context is meant), analogous to the LogLevel of the certification authority.
The LogLevel directive replaces the previously used AEEventLogLevel directive.
Path | Description |
---|---|
HKCU\Software\Microsoft\Cryptography\AutoEnrollment | User settings, locally configured |
HKLM\Software\Microsoft\Cryptography\AutoEnrollment | Computer settings, locally configured |
The following command configures extended logging for the user context as well as the system context. All events of the types "Error", "Warning" and "Information" are then logged.
certutil -setreg Enroll\LogLevel 4
Increasing the logging level can generate a large number of events, so the event log must be allowed to grow accordingly; otherwise earlier events will be overwritten. It is advisable to raise the logging level only temporarily.
The changes become active directly without a new login or restart.
Setting the key in the user context with the -user parameter has no effect.
The numerical values correspond to the following constants:
Value | Meaning | Notes |
---|---|---|
0 | CERTLOG_MINIMAL | |
1 | CERTLOG_TERSE | |
2 | CERTLOG_ERROR | |
3 | CERTLOG_WARNING | Additionally activates events of the "Warning" level (default setting) |
4 | CERTLOG_VERBOSE | Additionally activates events of the "Information" level |
5 | CERTLOG_EXHAUSTIVE | |
Resetting the logging to the default values is achieved by deleting the previously created key.
certutil -delreg Enroll\LogLevel
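The complete procedure above (check the log size, raise the level, trigger an autoenrollment pass, read what it logged, restore the default) as one script. This is an added example and not code from the original article; it assumes an elevated Windows PowerShell session, the registry path listed in the table above, and the certutil syntax shown above. The `wevtutil` call, the 64 MB threshold and the ten-second wait are choices made for this example.

```powershell
# Added example, not code from the original article: switch the autoenrollment
# client to CERTLOG_VERBOSE, trigger one autoenrollment pass, show what it logged
# and restore the previous setting. Run in an elevated Windows PowerShell session.
# Assumption: the registry path and certutil syntax are those documented above.

$regPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoEnrollLogLevel {
    # $null means the value is absent and the default (CERTLOG_WARNING = 3) applies
    (Get-ItemProperty -Path $regPath -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
}

# 1. Check that the Application log has room for the additional events;
#    wevtutil takes the maximum size in bytes (64 MB here, an arbitrary choice).
$appLog = Get-WinEvent -ListLog Application
'Application log: {0} MB maximum, {1} records' -f [int]($appLog.MaximumSizeInBytes / 1MB), $appLog.RecordCount
if ($appLog.MaximumSizeInBytes -lt 64MB) {
    wevtutil.exe sl Application /ms:67108864
}

# 2. Remember the current setting, raise it to CERTLOG_VERBOSE (4) and verify it
$previous = Get-AutoEnrollLogLevel
certutil.exe -setreg Enroll\LogLevel 4 | Out-Null
if ((Get-AutoEnrollLogLevel) -ne 4) { throw 'LogLevel was not written; is the session elevated?' }

# 3. Run an autoenrollment pass for the machine context and show what it logged
$start = Get-Date
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 10   # the pass runs in the background; give it a moment

Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = @(
        'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    )
    StartTime    = $start
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# 4. Restore: remove the value (back to the default) or put the old value back
if ($null -eq $previous) {
    certutil.exe -delreg Enroll\LogLevel | Out-Null
} else {
    certutil.exe -setreg Enroll\LogLevel $previous | Out-Null
}
```

Because the script restores the previous value at the end, the verbose level stays active only for the duration of the pass, which is the temporary use the text recommends. Use `certutil -user -pulse` for a user-context pass.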
Event Sources
- Microsoft-Windows-CertificateServicesClient-AutoEnrollment
- Microsoft-Windows-CertificateServicesClient
- Microsoft-Windows-CertificateServicesClient-CertEnroll
Events
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
The following Windows PowerShell command can be used to read out the events:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient-AutoEnrollment' }
ID | Type | Event text |
---|---|---|
1 | Information | Automatic certificate enrollment for %1 failed to download certificates for %2 store from %3 (%4). %5 |
2 | Information | Automatic certificate enrollment for %1 started. |
3 | Information | Automatic certificate enrollment for %1 completed. |
4 | Information | Automatic certificate enrollment for %1 invoked the enrollment API. |
5 | Information | Automatic certificate enrollment for %1 returned from the enrollment API. |
6 | Error | Automatic certificate enrollment for %1 failed (%2) %3. |
15 | Warning | Automatic certificate enrollment for %1 failed to contact the active directory (%2). %3 enrollment will not be performed. |
64 | Warning | Certificate for %1 with Thumbprint %2 is about to expire or already expired. |
Microsoft-Windows-CertificateServicesClient
The following Windows PowerShell command can be used to read out the events:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient' }
ID | Type | Event text |
---|---|---|
1 | Information | Certificate Services Client has been started successfully. |
2 | Information | Certificate Services Client has been stopped. |
3 | Information | Certificate Services Client has detected network connectivity. |
4 | Information | Certificate Services Client has detected network dis-connectivity. |
501 | Warning | Certificate Services Client is triggered with bad parameters: %1. |
502 | Warning | Certificate Services Client failed to register Group Policy notifications. Error code: %1. |
1001 | Error | Certificate Services Client failed to load Provider %1. Error code %2. |
1002 | Error | Certificate Services Client cannot find the required interface in Provider %1. Error code %2. |
1003 | Error | Certificate Services Client failed to invoke the Providers in response to event %1. Error code %2. |
1004 | Error | Certificate Services Client Provider %1 raised an exception. Exception code %2. |
Microsoft-Windows-CertificateServicesClient-CertEnroll
The following Windows PowerShell command can be used to read out the events:
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CertificateServicesClient-CertEnroll' }
ID | Type | Event text |
---|---|---|
4 | Information | Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed. |
5 | Information | Certificate enrollment for %1 could not find any valid certificate templates. Enrollment was not performed. |
6 | Error | Certificate enrollment for %1 could not find a valid certificate template to match %2. Enrollment was not performed. |
9 | Error | Certificate enrollment for %1 was denied by %3 when retrieving the pending request for a %2 certificate with request ID %4. |
10 | Information | Certificate enrollment for %1 archived or deleted, from the Personal certificate store, certificates that have expired, or been revoked or superseded. |
11 | Warning | Certificate enrollment for %1 could not find a certification authority in the enterprise. Enrollment was not performed. |
13 | Error | Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5). |
14 | Success | Certificate enrollment for %1 received a %2 certificate with request ID %4 from %3 when retrieving pending requests. |
15 | Warning | Certificate enrollment for %1 failed to retrieve certificate template information from the Policy Server. Enrollment was not performed. |
16 | Error | Certificate enrollment for %1 failed to renew a %2 certificate with request ID %4 from %3 (%6). The certificate which failed to renew is %5 |
17 | Warning | Certificate enrollment for %1 failed to enroll for a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted. |
18 | Warning | Certificate enrollment for %1 failed to renew a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted. |
19 | Information | Certificate enrollment for %1 successfully received a %2 certificate with request ID %4 from certification authority %3. |
20 | Information | Certificate enrollment for %1 successfully renewed a %2 certificate with request ID %4 from certification authority %3. |
21 | Success | Certificate enrollment for %1 attempted to enroll for a %2 certificate with request ID %4 from certification authority %3. The request is pending. |
22 | Success | Certificate enrollment for %1 attempted to renew a %2 certificate with request ID %4 from certification authority %3. The request is pending. |
25 | Information | Certificate enrollment for %1 failed to update the %2 certificate in the Personal certificate store due to one of the following: Cannot find %2 certificate template from Active Directory. Enrollment access to this template is not allowed. |
27 | Information | Certificate enrollment for %1 was canceled by the user. |
30 | Information | Certificate enrollment for %1 was cancelled by the user when requesting a %2 certificate. |
32 | Information | Certificate enrollment for %1 attempted to retrieve a %2 certificate from %3. The certificate request is still pending. |
33 | Information | Certificate enrollment for %1 deleted certificates that have expired, or have been revoked or superseded from the user object in Active Directory. |
35 | Error | Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. A new enrollment for a %2 certificate will be attempted in %3 hours. |
36 | Error | Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. No more enrollments for %2 certificates will be attempted until the current certificate is revoked or expires because the same error has occurred %3 times. |
38 | Warning | Certificate enrollment for %1 cannot enroll or renew %2 certificate because user interaction is required on the %2 template in Active Directory. |
41 | Information | To prevent simultaneous renewal or enrollment from another computer, certificate enrollment for %1 to renew or enroll for a %2 certificate has been skipped. |
42 | Warning | Certificate enrollment for %1 for the %2 template must be performed by using the machine context. |
43 | Warning | Certificate enrollment for %1 failed to find a smart card reader for the %2 template. Enrollment will not be performed. |
44 | Warning | Certificate enrollment for %1 failed to open the user interface (%2). |
45 | Error | Certificate enrollment for %1 failed to create an enrollment request for a %2 certificate (%3). |
46 | Warning | Certificate enrollment for %1 could not enroll for a %2 certificate. Read or enrollment access is not allowed for this template. |
47 | Warning | Certificate enrollment for %1 could not enroll for a %2 certificate. A valid certification authority cannot be found to issue this template. |
48 | Warning | Certificate enrollment for %1 could not enroll for a %2 certificate. Signature requirements for the certificate cannot be met. |
50 | Warning | Certificate enrollment for %1 failed to install the certificate response for a %2 certificate with request ID %3 (%4). |
51 | Warning | Certificate enrollment for %1 for the %2 certificate must be performed under the user context. |
52 | Warning | The CA certificate for %3 is not trusted. Certificate enrollment for %1 for a %2 certificate failed. |
53 | Warning | Certificate enrollment for %1 failed to retrieve a %2 certificate from certification authority %3 with request ID %4, and the error returned from the server is %5. Another certification authority will be contacted. |
54 | Warning | Certificate enrollment for %1 failed to retrieve a pending %2 certificate with request ID %4 from certification authority %3 (%5). The enrollment process will be attempted again later. |
55 | Warning | Certificate enrollment for %1 for the %2 template could not find specified CSPs on the local machine. Enrollment will not be performed. |
56 | Information | Certificate enrollment for %1 for the template %2 was not performed because this template has been superseded. |
57 | Warning | The "%2" provider was not loaded because initialization failed. |
58 | Warning | The "%3" algorithm for the "%2" provider was not loaded because initialization failed. |
59 | Warning | Could not determine the signature algorithm for %2 to sign an enrollment request. |
60 | Warning | Could not find a registered public key algorithm OID for %2 for an enrollment request. |
61 | Warning | Could not find a registered signature algorithm OID for %1 and %2 to sign an enrollment request. |
62 | Warning | Could not encode signature parameters for a %2 signature for an enrollment request. |
63 | Warning | Enrollment Policy Server %2 returned an error when retrieving templates for %1: %3 |
64 | Warning | Certificate enrollment for %1 successfully load policy from policy server %2 |
65 | Warning | Certificate enrollment for %1 is successfully authenticated by policy server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3 |
66 | Warning | Certificate enrollment for %1 is successfully authenticated by enrollment server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3 |
67 | Warning | Certificate enrollment for %1 failed to load policy from policy servers with ID %2 (%3) |
68 | Warning | Certificate enrollment for %1 failed in authentication to policy servers with ID %2 (%3) |
70 | Warning | Certificate enrollment for %1 failed because no valid policy can be obtained from policy servers with ID %2 |
71 | Warning | Certificate enrollment for %1 failed in adding credential to Vault for %2 (%3) |
72 | Warning | Certificate enrollment for %1 failed because the loaded policy from the policy server %2 is invalid (%3) |
73 | Warning | Certificate auto enrollment for %1 cannot be done because the policy server %2 turns it off. |
74 | Warning | Certificate enrollment for %1 failed to load policy from policy server %2 with ID %3 (%4) |
75 | Warning | Certificate enrollment for %1 failed in authentication to policy server %2 with ID %3 (%6). Authentication mechanism was %5 (Credential: %4). |
76 | Warning | Certificate enrollment for %1 failed in authentication to enrollment server %2 (%6). Policy Id: %3. Authentication mechanism was %5 (Credential: %4). |
77 | Warning | Certificate enrollment for %1 cannot enroll from user configured enrollment policy server since it is disabled by group policy |
78 | Warning | Certificate enrollment for %1 sent a request for template %2 to a ROBO certificate enrollment server %3 |
79 | Warning | Certificate enrollment for %1 sent a request for template %2 to an ANONYMOUS certificate enrollment server %3 |
80 | Warning | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported |
81 | Warning | Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ANONYMOUS and only renewal is supported |
82 | Warning | Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3 |
83 | Warning | Certificate enrollment for %1 cannot find a credential that meets the selection criteria for url %2 with id %3 (%4) |
84 | Warning | The credential for URL %2 has been updated from certificate (%4) to certificate (%3) in context %1 |
85 | Warning | Certificate enrollment for %1 for the %2 template could not perform attestation due to an error with the cryptographic hardware using the provider: %3. Request Id: %4.%5 |
86 | Error | SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
87 | Error | SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6 |
88 | Information | SCEP Certificate enrollment for %1 via %2 succeeded: %3 Method: %4 Stage: %5 |
89 | Error | Could not find a Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 %5 |
90 | Error | Found multiple Logon Certificate Templates for %1 Templates: %2 State: %3 Process: %4 %5 |
91 | Information | Successfully found Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 |
92 | Error | Logon Certificate Request creation for %1 failed for the %2 template for key %3 %4 Process: %5 %6 |
93 | Information | Logon Certificate Request creation for %1 succeeded for the %2 template for key %3 Request thumbprint: %4 Process: %5 |
94 | Error | Failed to install Logon Certificate for %1 failed Request thumbprint: %2 Thumbprint: %3 %4 Process: %5 %6 |
95 | Information | Successfully installed Logon Certificate for %1 Request thumbprint: %2 Thumbprint: %3 Process: %4 |
96 | Error | Failed to remove Logon Certificate request for %1 Request thumbprint: %2 Process: %3 %4 |
97 | Warning | Successfully removed Logon Certificate request for %1 Request thumbprint: %2 Process: %3 |
98 | Error | Failed to import PFX Certificate for %1 Flags: %2 Provider: %3 Container: %4 Process: %5 %6 |
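Reading all three providers listed above with a single query, summarising which IDs occur, and extracting the placeholders from the failure events, as an added example that is not part of the original article. It assumes the default Application log and the general Windows event convention that placeholder %N in an event text corresponds to element N-1 of the event's `Properties` array; the index positions used for IDs 13 and 16 follow the event texts in the table above, and the seven-day window is a choice made for this example.

```powershell
# Added example, not code from the original article: query all three providers
# in one call, summarise which IDs occur, and pull the insertion strings out of
# the CertEnroll failure events. Assumes the default Application log and the
# convention that placeholder %N of an event text is Properties[N-1].

$providers = @(
    'Microsoft-Windows-CertificateServicesClient'
    'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    'Microsoft-Windows-CertificateServicesClient-CertEnroll'
)

# Level: 2 = Error, 3 = Warning, 4 = Information; omit the key to get every level
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $providers
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Overview: which event IDs fired how often, per provider and level
$events |
    Group-Object ProviderName, Id, LevelDisplayName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Failed enrollment (13) and renewal (16): %1 context, %2 template, %3 CA,
# %4 request ID; the error code is %5 for ID 13 but %6 for ID 16
$failed = $events |
    Where-Object { $_.ProviderName -like '*-CertEnroll' -and $_.Id -in @(13, 16) } |
    ForEach-Object {
        $p = $_.Properties
        $errIdx = if ($_.Id -eq 16) { 5 } else { 4 }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Context   = $p[0].Value
            Template  = $p[1].Value
            CA        = $p[2].Value
            RequestId = $p[3].Value
            Error     = $p[$errIdx].Value
        }
    }
$failed | Format-Table -AutoSize

# Warnings that deserve a second look: 52 (CA certificate not trusted),
# 78/79 (request sent to a ROBO or ANONYMOUS enrollment server) and
# 84 (credential for an enrollment URL replaced)
$events |
    Where-Object { $_.ProviderName -like '*-CertEnroll' -and $_.Id -in @(52, 78, 79, 84) } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Filtering with `-FilterHashtable` is done by the event log service, which is considerably faster than piping everything through `Where-Object`; add an `Id` key or a `Level` key to the hashtable to narrow the query further before it reaches PowerShell.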
Related links:
- Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Component Object Model (RPC/DCOM)
- Manually running the autoenrollment process
External sources
- Troubleshooting Autoenrollment (Microsoft)
- How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in (Microsoft)
- Active Directory Certificate Services (AD CS) Troubleshooting: Certificate Autoenrollment (Microsoft)
- Configure Certificate Autoenrollment (Microsoft)
- Troubleshooting Certificate Enrollment (Microsoft, archive link)