Details of the event with ID 31 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 31 (0x1F)
Event log: Application
Event type: Error
Symbolic Name: EVENT_MSCEP_FAIL_SUBMIT
Event text (English): The Network Device Enrollment Service cannot submit the certificate request (%1). %2
Event text (German): The certificate request cannot be submitted by the network device registration service (%1). %2

Parameters

The parameters contained in the event text are filled with the following fields:

  • %1: ErrorCode (win:UnicodeString)
  • %2: ErrorMessage (win:UnicodeString)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Example events

The Network Device Enrollment Service cannot submit the certificate request (The public key does not meet the minimum size required by the specified certificate template.).  0x80004005
The Network Device Enrollment Service cannot submit the certificate request (0x800706ba). The RPC server is unavailable.
The Network Device Enrollment Service cannot submit the certificate request (The revocation function was unable to check revocation because the revocation server was offline.). 0x80004005
The Network Device Enrollment Service cannot submit the certificate request (The request subject name is invalid or too long.). 0x80004005
The Network Device Enrollment Service cannot submit the certificate request (The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.)  0x80004005
The Network Device Enrollment Service cannot submit the certificate request (A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.).  0x80004005
The Network Device Enrollment Service cannot submit the certificate request (0x80010108). The object invoked has disconnected from its clients.
The Network Device Enrollment Service cannot submit the certificate request (The requested certificate template is not supported by this CA.). 0x80004005

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the application of regulations to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

The public key does not meet the minimum size required by the specified certificate template.

See the article "Requesting certificates via Network Device Enrollment Service (NDES) fails with error message 'The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH)'".

The RPC server is unavailable.

See the article "Requesting certificates via Network Device Enrollment Service (NDES) fails with error message 'The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)'".

The object invoked has disconnected from its clients.

See the article "Requesting certificates via Network Device Enrollment Service (NDES) fails with error message 'The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)'".

The request subject name is invalid or too long.

See the article "Certificate request fails with error message 'Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)'".

The revocation function was unable to check revocation because the revocation server was offline.

A revocation list within the certificate chain either cannot be retrieved by the NDES server or has expired (the same return code is returned by CAPI in both cases).

The requested certificate template is not supported by this CA.

Occurs when the certificate template name configured on the NDES is incorrect: the certificate authority cannot process the certificate request because no corresponding template is known.

For configuration, see the article "Configure Device Template for Network Device Enrollment Service (NDES)".

See also the article "Certificate request fails with error message 'The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).'".

The name is not included in the permitted list or is explicitly excluded.

Occurs when the certificate request is rejected because it violates the certification authority's name restrictions. Also occurs for the same reason when the TameMyCerts Policy Module has been configured accordingly.

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

May occur when one of the certificates in the NDES server's certificate chain has expired. If one of the NDES server's Registration Authority certificates has expired, it occurs together with event no. 34.
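
For triage, the example events above can be normalized in code. The following is an added example, not part of the original article: it parses the event 31 text, finds the HRESULT in whichever parameter position it appears, and assigns a label for each cause described above. The function names and label names are this example's own.

```python
import re
from collections import Counter
P = "The Network Device Enrollment Service cannot submit the certificate request "

# Event 31 text is "<P>(%1). %2"; in the page's examples the HRESULT appears
# sometimes as %1 and sometimes as %2, so both positions are checked.
EVENT_31 = re.compile(re.escape(P) + r"\((?P<p1>.*)\)\.?\s+(?P<p2>\S.*)$")
HRESULT = re.compile(r"0x[0-9a-fA-F]{8}$")

# Message fragment -> triage label (labels are this example's own naming).
CAUSES = [
    ("public key does not meet the minimum size", "key_length"),
    ("rpc server is unavailable", "connectivity"),
    ("object invoked has disconnected", "connectivity"),
    ("revocation server was offline", "revocation"),
    ("subject name is invalid or too long", "subject_name"),
    ("not included in the permitted list", "name_restriction"),
    ("not within its validity period", "validity"),
    ("template is not supported by this ca", "template"),
]

def parse_event_31(text):
    """Return (hresult, message, label), or None if the text is not event 31."""
    m = EVENT_31.match(text.strip())
    if not m:
        return None
    p1, p2 = m.group("p1").strip(), m.group("p2").strip()
    if HRESULT.match(p2):  # message was in %1, code in %2: put the code first
        p1, p2 = p2, p1
    code = p1.lower() if HRESULT.match(p1) else None
    message = p2 if code else f"{p1} {p2}"
    label = next((l for frag, l in CAUSES if frag in message.lower()), "unknown")
    return code, message, label

def summarize(lines):
    """Count triage labels over event texts, ignoring lines that do not match."""
    return Counter(r[2] for r in map(parse_event_31, lines) if r)

# Example events copied from this page.
SAMPLES = [
    P + "(The public key does not meet the minimum size required by the specified certificate template.).  0x80004005",
    P + "(0x800706ba). The RPC server is unavailable.",
    P + "(The revocation function was unable to check revocation because the revocation server was offline.). 0x80004005",
    P + "(The request subject name is invalid or too long.). 0x80004005",
    P + "(The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.)  0x80004005",
    P + "(A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.).  0x80004005",
    P + "(0x80010108). The object invoked has disconnected from its clients.",
    P + "(The requested certificate template is not supported by this CA.). 0x80004005",
]
```

Six of the eight example events carry the same code, 0x80004005, so the message text rather than the code is what distinguishes the causes.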

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.
