| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 21 (0x15) |
| Event log: | Application |
| Event type: | Error |
| Symbolic Name: | MSG_E_PROCESS_REQUEST_FAILED |
| Event text (English): | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. |
| Event text (German): | The request %1 could not be executed due to an error: %2. The request was for %3. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: RequestId (win:UnicodeString)
- %2: ErrorCode (win:UnicodeString)
- %3: SubjectName (win:UnicodeString)
Example events
Active Directory Certificate Services could not process request 769 due to an error: The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester. 0x80094009 (-2146877431 CERTSRV_E_RESTRICTEDOFFICER). The request was for INTRA\Administrator.
Active Directory Certificate Services could not process request 12345 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437 CERTSRV_E_BAD_REQUESTSTATUS). The request was for CN=Rudi Ratlos.
Active Directory Certificate Services could not process request 547858 due to an error: The requested property value is empty. 0x80094004 (-2146877436 CERTSRV_E_PROPERTY_EMPTY). The request was for CN=Rudi Ratlos.
Active Directory Certificate Services could not process request 7398 due to an error: Disk IO error 0x0 (WIN32: 0). The request was for INTRA\CLIENT1$.
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester. 0x80094009 (-2146877431 CERTSRV_E_RESTRICTEDOFFICER).
Occurs when the request for a certificate was made through the Enroll on Behalf of (EOBO) mechanism by a certificate enrollment agent, who has no authorization for the user in question.
The request's current status does not allow this operation. 0x80094003 (-2146877437 CERTSRV_E_BAD_REQUESTSTATUS)
Probably occurs when too many simultaneous certificate requests are made to the certification authority. The underlying problem seems to lie here in the DCOM interface.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
In the case of an unauthorized application, a closer investigation should definitely be made, as this may be an attempted attack.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- Event ID 21 - AD CS Certificate Request (Enrollment) Processing (Microsoft)
- Securing Public Key Infrastructure (PKI) (Microsoft)
- Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions". (Microsoft, archive link)
English 
Deutsch
One thought on “Details zum Ereignis mit ID 21 der Quelle Microsoft-Windows-CertificationAuthority”
Comments are closed.