| Event Source: | Microsoft Windows EnrollmentWebService |
| Event ID: | 9 (0x9) |
| Event log: | Microsoft-Windows-EnrollmentWebService/Admin |
| Event type: | Error |
| Event text (English): | The Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected. |
| Event text (German): | The certificate enrollment web service tries to use the renewals-only mode. However, this mode is not supported by the "%1" certificate authority. If you want to use renewals-only mode, configure the certification authority. To do this, run the following command for the certification authority: "certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF". Otherwise, disable the renewals-only mode. If no action is taken, future requests are denied. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: CAConfig (win:UnicodeString)
The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.
Example events
The Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1" does not support this mode. To use renewal-only mode, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected.
Description
The event is logged only once, further failed attempts of the same type are not logged again.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
The event occurs when Key Based Renewal is used and the certificate authority does not support it.
On the certification authority, the EDITF_ENABLERENEWONBEHALFOF flag must be enabled with the following command line command:
certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF
The certificate authority service must be restarted after setting the flag for it to be applied.
Clients will see the error code WS_E_ENDPOINT_FAULT_RECEIVED when they attempt a Key based Renewal.
After correcting the settings on the certificate authority, the IIS application pool or the entire web server service should be restarted.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
No description has been written for this yet.
English 
Deutsch
One thought on “Details zum Ereignis mit ID 9 der Quelle Microsoft-Windows-EnrollmentWebService”
Comments are closed.