Details of the event with ID 44 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 44 (0x2C)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_POLICY_ERROR
Event text (English): The "%1" Policy Module "%2" method returned an error. %5 The returned status code is %3. %4
Event text (German): Policy module "%1", method "%2", has caused an error. %5 Returned status code: %3. %4

Parameters

The parameters contained in the event text are filled with the following fields:

  • %1: PolicyModuleDescription (win:UnicodeString)
  • %2: MethodName (win:UnicodeString)
  • %3: ErrorCode (win:UnicodeString)
  • %4: param4 (win:UnicodeString)
  • %5: ErrorString (win:UnicodeString)

Example events

The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355).  The Active Directory containing the Certification Authority could not be contacted.
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168).  Active Directory Certificate Services could not find required Active Directory information.
The "Windows default" Policy Module "Initialize" method returned an error. Cannot find object or property. The returned status code is 0x80092004 (-2146885628). The Active Directory Certificate Services Policy contains no valid Certificate Templates.
The "Windows default" Policy Module "Initialize" method returned an error. There is a time and/or date difference between the client and server. The returned status code is 0x80070576 (1398).  Active Directory Certificate Services could not find required Active Directory information.
The "My First Policy Module" Policy Module "Initialize" method returned an error. Error 0x80131604 (-2146232828) The returned status code is 0x80131604 (-2146232828).  
The "My First Policy Module" Policy Module "Initialize" method returned an error. Invalid pointer The returned status code is 0x80004003 (-2147467261).  

Description

Error message "The Active Directory Certificate Services Policy contains no valid Certificate Templates."

This message occurs when no certificate templates have been published on a certification authority, for example, when the certification authority has just been reinstalled. The certification authority's policy module has no certificate templates to serve and therefore cannot be loaded by the certification authority. The error can be ignored accordingly.

Error message "The specified domain either does not exist or could not be contacted."

In this case, the connection to Active Directory is disrupted. This event should definitely be investigated. See also events no. 91, 94 and 9.

Error message "Active Directory Certificate Services could not find required Active Directory information."

This may occur if the Enrollment Services object for the certification authority is not present in Active Directory, for example, because the certification authority role was uninstalled (e.g., as part of a migration to another server) and an older snapshot of the server was booted.

Error message "There is a time and/or date difference between the client and server."

This occurs when the certification authority server's date/time differs significantly from that of the connected domain controller. It may also occur if a virtualization server is used which propagates its (possibly misconfigured) system time to the guest system.

It also prevents certificate templates from being published to the certification authority, which fails with the following error message:

The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. There is a time and/or date difference between the client and server. 0x80070576 (WIN32: 1398 ERROR_TIME_SKEW)

Error message "Error 0x80131604 (-2146232828)"

Translated, this error code means: "Exception has been thrown by the target of an invocation." In this case, the target is the configured policy module, which means that it cannot be loaded. Occurs in conjunction with event no. 9.

Error message "Invalid pointer"

I came across this error during the development of my policy module. I tried to configure the Windows Default Policy Module with "Activator.CreateInstance" and then load the MethodBase.Invoke method to initialize it.

Unfortunately, this procedure is not possible in this case, because the Windows Default Policy Module does not expose metadata. Therefore, Type.InvokeMember had to be used.

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

Depending on the event content, availability may be impaired, so alerting on this event can be useful.
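
The triage described on this page, as an added example that is not part of the original page: it parses the rendered English event text using the template listed at the top and alerts on every status code except the one described as ignorable. The function name `triage`, the cause strings and the choice to alert on all remaining or unparsed messages are assumptions.

```python
import re

# Layout taken from the English event text template on this page:
# The "%1" Policy Module "%2" method returned an error. %5 The returned status code is %3. %4
EVENT_44 = re.compile(
    r'^The "(?P<module>.+?)" Policy Module "(?P<method>.+?)" method returned an error\.\s*'
    r'(?P<error_string>.*?)\s*The returned status code is '
    r'(?P<status>0x[0-9A-Fa-f]{8}) \((?P<decimal>-?\d+)\)\.\s*(?P<detail>.*)$',
    re.DOTALL,
)

# Status codes and causes as described on this page (wording shortened).
KNOWN_CAUSES = {
    0x80092004: "no certificate templates published on the CA",
    0x8007054B: "Active Directory could not be contacted",
    0x80070490: "Enrollment Services object missing in Active Directory",
    0x80070576: "time skew between CA server and domain controller",
    0x80131604: "configured policy module threw an exception and cannot be loaded",
    0x80004003: "invalid pointer while initializing the policy module",
}
# Only this code is described as ignorable; alerting on the rest is an assumption.
IGNORABLE = {0x80092004}


def triage(message: str) -> dict:
    """Parse a rendered event 44 message and decide whether to alert."""
    m = EVENT_44.match(message.strip())
    if m is None:
        # Unknown layout (for example a localized message): fail towards alerting.
        return {"parsed": False, "alert": True, "cause": "unparsed message"}
    code = int(m["status"], 16)
    return {
        "parsed": True,
        "module": m["module"],
        "method": m["method"],
        "status": f"0x{code:08x}",
        "cause": KNOWN_CAUSES.get(code, "status code not covered here"),
        "alert": code not in IGNORABLE,
    }


# Two of the example events listed on this page, used as input.
SAMPLES = [
    'The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355).  The Active Directory containing the Certification Authority could not be contacted.',
    'The "Windows default" Policy Module "Initialize" method returned an error. Cannot find object or property. The returned status code is 0x80092004 (-2146885628). The Active Directory Certificate Services Policy contains no valid Certificate Templates.',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```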

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
