Details of the event with ID 86 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:86 (0xC25A0056)
Event log:Application
Event type:Error
Event text (English):SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German):Error during initialization of SCEP certificate registration for %1 via %2: %3 Method: %4 Phase: %5 %6

The Network Device Enrollment Service (NDES) provides a way for devices that have no identity of their own in Active Directory (for example network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Since Windows 8.1, a client for the Simple Certificate Enrollment Protocol (SCEP) has been built into the Windows operating system. For a usage example, see the article "Certificate Enrollment for Windows Systems via the Network Device Enrollment Service (NDES) with Windows PowerShell".

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: Context (win:UnicodeString)
  • %2: Url (win:UnicodeString)
  • %3: MessageText (win:UnicodeString)
  • %4: Method (win:UnicodeString)
  • %5: Stage (win:UnicodeString)
  • %6: ErrorCode (win:UnicodeString)

Example events

SCEP Certificate enrollment initialization for INTRA\rudi via https://ndes01.intra.adcslabor.de/certsrv/mscep/mscep.dll/pkiclient.exe failed: GetCACaps Method: GET(47ms) Stage: GetCACaps A security error occurred 0x80072f8f (WinHttp: 12175 ERROR_WINHTTP_SECURE_FAILURE)
Error initializing SCEP certificate registration for WORKGROUP\CLIENT1$ via https://IFX-KeyId-18b1af70b93f991972f362556a9a3fbf4bb24e0d.microsoftaik.azure.net/templates/Aik/scep:
 GetCACaps
 Method: GET(15ms)
 Phase: GetCACaps
 The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and makes it possible to apply policies in order to automate certificate issuance securely. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world, and is available under a free license. It can be downloaded from GitHub and used free of charge. Professional maintenance is also offered.

Logged when the very first operation of a certificate request via the Simple Certificate Enrollment Protocol (SCEP), GetCACaps (the query for the capabilities of the SCEP server), fails. Because this happens before any enrollment message has been exchanged, the ErrorCode field typically carries a WinHTTP transport error for the endpoint named in the Url field, as in the two example events above (see also the article "Network Device Enrollment Service (NDES) Basics").
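To pull these events off a client and break them into the six manifest fields listed under Parameter, the following PowerShell is added here as an example; it is not code from the original article. It assumes only the built-in Get-WinEvent cmdlet, and the field names Context, Url, MessageText, Method, Stage and ErrorCode are the EventData names from the provider manifest shown above.

```powershell
# Added example, not from the original article: read Event ID 86 of
# Microsoft-Windows-CertificateServicesClient-CertEnroll from the Application
# log and expose the six EventData fields (Context, Url, MessageText, Method,
# Stage, ErrorCode) as object properties instead of one rendered message string.
function Get-ScepInitFailure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 100
    )

    $params = @{
        ComputerName    = $ComputerName
        MaxEvents       = $MaxEvents
        # Get-WinEvent reports "No events were found" as a non-terminating
        # error; suppress it so an empty log simply yields no objects.
        ErrorAction     = 'SilentlyContinue'
        FilterHashtable = @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
            Id           = 86
        }
    }

    Get-WinEvent @params | ForEach-Object {
        # The rendered message is lossy; the EventData XML keeps the fields apart.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ErrorCode is free text such as
        # "A security error occurred 0x80072f8f (WinHttp: 12175 ERROR_WINHTTP_SECURE_FAILURE)";
        # pull out the HRESULT and the WinHTTP symbol separately so they can be grouped on.
        $hresult = if ($data['ErrorCode'] -match '0x[0-9A-Fa-f]{8}')    { $Matches[0] } else { $null }
        $winHttp = if ($data['ErrorCode'] -match 'ERROR_WINHTTP_[A-Z_]+') { $Matches[0] } else { $null }

        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            Computer     = $_.MachineName
            Context      = $data['Context']      # account the enrollment ran as
            Url          = $data['Url']          # SCEP endpoint that was contacted
            Stage        = $data['Stage']        # GetCACaps for this event
            Method       = $data['Method']       # e.g. GET(47ms)
            MessageText  = $data['MessageText']
            HResult      = $hresult
            WinHttpError = $winHttp
            ErrorCode    = $data['ErrorCode']
        }
    }
}

# Usage: which SCEP endpoints fail on this machine, and with which WinHTTP error?
Get-ScepInitFailure |
    Group-Object WinHttpError, Url |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Pass -ComputerName to run the same query against a remote client. Grouping on the extracted WinHTTP symbol rather than the full ErrorCode string is what makes the output useful, since the descriptive prefix varies with the system language.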

Error code ERROR_WINHTTP_SECURE_FAILURE

Occurs when the certificate request is made over HTTPS and the TLS certificate presented by the SCEP server could not be verified by the client: it does not chain to a root the machine trusts, its name does not match the host in the URL, it is expired or not yet valid, or its revocation status could not be determined. WinHTTP reports all of these conditions as 0x80072f8f.

The use of TLS (HTTPS) is possible for the SCEP protocol but usually not necessary, since the SCEP messages themselves are signed and encrypted PKCS#7 structures. See also the article "Should HTTPS be used for the Network Device Enrollment Service (NDES)?".
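For the ERROR_WINHTTP_SECURE_FAILURE case, what a practitioner wants to know is which of the TLS checks actually failed. The following PowerShell is added here as an example and is not code from the original article: it opens a TLS connection to the host from the event's Url field, captures the server certificate, rebuilds its chain with revocation checking and reports name match, validity period and chain status. It relies only on .NET SslStream and X509Chain; the URL in the usage line is the one from the first example event above.

```powershell
# Added example, not from the original article: reproduce the TLS checks that
# WinHTTP performs before talking to a SCEP server, so that an
# ERROR_WINHTTP_SECURE_FAILURE (0x80072f8f) can be attributed to a concrete
# cause: untrusted or incomplete chain, name mismatch, expired certificate,
# or a failed revocation check.
function Test-ScepTlsEndpoint {
    [CmdletBinding()]
    param([Parameter(Mandatory)][uri]$Url)

    if ($Url.Scheme -ne 'https') { throw "Not an HTTPS URL: $Url" }

    $tcp = [System.Net.Sockets.TcpClient]::new($Url.Host, $Url.Port)
    # Accept every server certificate at handshake time; the verdict is computed
    # below from the captured certificate, so a bad chain does not abort the test.
    $ssl = [System.Net.Security.SslStream]::new(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($Url.Host)
        $cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # Rebuild the chain against this machine's trust stores with online revocation
    # checking, which is what the SCEP client does before trusting the endpoint.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chainOk = $chain.Build($cert)

    # DnsNameList is PowerShell's adapted view of the SAN dNSName entries (plus CN).
    # Wildcard names are not expanded here; compare them manually if present.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $now   = Get-Date

    [pscustomobject]@{
        Host        = $Url.Host
        Protocol    = $protocol
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        TimeValid   = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        NameMatches = $names -contains $Url.Host
        ChainValid  = $chainOk
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        DnsNames    = ($names -join ', ')
    }
}

# Usage: the endpoint from the first example event above.
Test-ScepTlsEndpoint -Url 'https://ndes01.intra.adcslabor.de/certsrv/mscep/mscep.dll/pkiclient.exe' |
    Format-List
```

ChainStatus lists the X509ChainStatusFlags that made the chain fail (for example UntrustedRoot, PartialChain or RevocationStatusUnknown), which maps directly onto the causes listed above. Note that the built-in SCEP client usually runs as SYSTEM; X509Chain consults the machine stores as well as the user's, so a root that is only in the current user's store can pass here and still fail for the client.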

Attestation Identity Key (AIK) Certificate

Windows 10 requests an Attestation Identity Key (AIK) certificate from a Microsoft cloud service via the SCEP protocol if the computer has a compatible Trusted Platform Module (TPM).

This is triggered by the scheduled task named "AikCertEnrollTask" under "\Microsoft\Windows\CertificateServicesClient".

The certificate enrollment is only performed if the TPM installed in the computer has an Endorsement Key certificate (EKCert).

Part of the DNS name that is called is derived from attributes of the EKCert (the TPM manufacturer from the Subject Alternative Name, and the Subject Key Identifier (SKI)); in the second example event above this is the "IFX-KeyId-…" host label.

If the certificate request was successful and no application accesses the AIK certificate, the task is not run again.

If the certificate request was not successful, it is retried a few times at irregular intervals. The error is logged, for example, when the computer has no Internet connection at first startup and the cloud service therefore cannot be reached (error code ERROR_WINHTTP_NAME_NOT_RESOLVED, as in the second example above).

If the AIK certificate is used by an application, the task runs again to replace it.

The "AikCertEnrollTask" can be disabled for operation in an isolated (air-gapped) environment.
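To check the state of the task and the TPM prerequisites it depends on, and to disable it on machines that will never reach the Microsoft service, the following PowerShell is added here as an example; it is not code from the original article. It uses the ScheduledTasks and TrustedPlatformModule cmdlets that ship with Windows 8 and later, which require an elevated session, and the task path and name are the ones given in the text above.

```powershell
# Added example, not from the original article: inspect the AikCertEnrollTask
# and the TPM facts it depends on, and disable the task on machines that can
# never reach the Microsoft AIK service (isolated networks), so the repeated
# Event ID 86 with ERROR_WINHTTP_NAME_NOT_RESOLVED stops.
$AikTaskPath = '\Microsoft\Windows\CertificateServicesClient\'
$AikTaskName = 'AikCertEnrollTask'

function Get-AikEnrollStatus {
    [CmdletBinding()]
    param()

    $task = Get-ScheduledTask -TaskPath $AikTaskPath -TaskName $AikTaskName
    $info = $task | Get-ScheduledTaskInfo

    # Get-Tpm / Get-TpmEndorsementKeyInfo need an elevated session.
    $tpm = Get-Tpm
    $ek  = Get-TpmEndorsementKeyInfo

    # The EK certificate (EKCert) is the prerequisite named in the article; its
    # issuer identifies the TPM manufacturer the service host name is derived from.
    $ekCert = $ek.ManufacturerCertificates | Select-Object -First 1

    [pscustomobject]@{
        TaskState      = $task.State
        LastRunTime    = $info.LastRunTime
        LastTaskResult = ('0x{0:X8}' -f [uint32]$info.LastTaskResult)
        NextRunTime    = $info.NextRunTime
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        EkPresent      = $ek.IsPresent
        EkCertIssuer   = $ekCert.Issuer
        EkCertSubject  = $ekCert.Subject
    }
}

function Test-AikServiceDns {
    # Takes the Url field of an Event ID 86 record; $false corresponds to the
    # ERROR_WINHTTP_NAME_NOT_RESOLVED outcome seen on isolated machines.
    param([Parameter(Mandatory)][uri]$Url)
    try   { [bool](Resolve-DnsName -Name $Url.Host -Type A -ErrorAction Stop) }
    catch { $false }
}

function Disable-AikEnrollTask {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess("$AikTaskPath$AikTaskName", 'Disable scheduled task')) {
        Disable-ScheduledTask -TaskPath $AikTaskPath -TaskName $AikTaskName | Out-Null
    }
}

# Usage: show the state, check whether the host from the second example event
# resolves at all, then disable with a dry run first (drop -WhatIf to apply).
Get-AikEnrollStatus | Format-List
Test-AikServiceDns -Url 'https://IFX-KeyId-18b1af70b93f991972f362556a9a3fbf4bb24e0d.microsoftaik.azure.net/templates/Aik/scep'
Disable-AikEnrollTask -WhatIf
```

Disabling the task is a deliberate trade-off: a machine without an AIK certificate cannot take part in TPM-based device attestation scenarios, so only do this where the network design rules the cloud service out anyway.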

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.
