Event Source: | Microsoft-Windows-EnrollmentPolicyWebService |
Event ID: | 10 (0xA) |
Event log: | Microsoft-Windows-EnrollmentPolicyWebService/Admin |
Event type: | Warning |
Event text (English): | There is no enterprise certification authority (CA) configured with the Certificate Enrollment Web Service in the current forest. Confirm that at least one enterprise CA is available in the forest and that at least one server running the Certificate Enrollment Web Service is configured to work with this CA. |
Event text (German): | The current forest does not contain an enterprise CA that has been configured with the Certificate Enrollment Web Service. Ensure that at least one enterprise CA is available in the forest and that at least one server running the Certificate Enrollment Web Service has been configured to work with the enterprise CA. |
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)".
Example events
There is no enterprise certification authority (CA) configured with the Certificate Enrollment Web Service in the current forest. Confirm that at least one enterprise CA is available in the forest and that at least one server running the Certificate Enrollment Web Service is configured to work with this CA.
Description
In order for certificates to be requested via the Certificate Enrollment Web Services, the pKIEnrollmentService objects of the certification authorities must have an appropriately configured msPKI-Enrollment-Servers attribute. The message appears if there is not a single certification authority in the network to which this applies.
In this case, it is also not possible to request certificates via the Certificate Enrollment Web Services. See also the article "Requesting certificates via the Certificate Enrollment Policy Web Service (CEP) fails with error message 'A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.'".
Possible causes can be:
- The Certificate Enrollment Web Service (CES) is not yet installed.
- The certificate authority in question has been removed from the network (uninstalled).
- The certification authority in question was migrated to a new server and the certification authority role was uninstalled. The new pKIEnrollmentService object then no longer contains the necessary settings. See also the article "Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server".
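To narrow down which of these causes applies, the following added example (not part of the original article) lists every pKIEnrollmentService object in the forest, reports whether its msPKI-Enrollment-Servers attribute is populated, and then shows recent occurrences of event 10. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and that the event query is run on the CEP server itself.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is installed and the
# caller can read the forest's Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# One pKIEnrollmentService object exists per enterprise CA in the forest.
$cas = Get-ADObject -SearchBase $base -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties cn, dNSHostName, 'msPKI-Enrollment-Servers'

$report = foreach ($ca in $cas) {
    # Filter out $null so an unset attribute counts as zero entries.
    $values = @($ca.'msPKI-Enrollment-Servers' | Where-Object { $_ })
    [pscustomobject]@{
        CA         = $ca.cn
        CAHost     = $ca.dNSHostName
        CesEntries = $values.Count
        # Values are shown as stored; any embedded line breaks are flattened.
        Values     = ($values | ForEach-Object {
                         ($_ -split "\r?\n") -join ' | ' }) -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap

if (-not $cas) {
    Write-Warning 'No pKIEnrollmentService object found: no enterprise CA is published in this forest.'
}
elseif (-not ($report | Where-Object { $_.CesEntries -gt 0 })) {
    Write-Warning 'No enterprise CA has msPKI-Enrollment-Servers populated; the CEP will log event ID 10.'
}

# On the CEP server: the most recent occurrences of the warning, if any.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-EnrollmentPolicyWebService/Admin'
    Id      = 10
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, MachineName
```

A CA that appears with zero entries after a migration matches the third cause above: the new pKIEnrollmentService object exists but no longer carries the CES settings.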
Security assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
If this event occurs, there is usually no breach of confidentiality, but availability is affected as no certificates can be requested via the interface.