Overview of Windows events generated by the Certificate Enrollment Web Service (CES).

The following is an overview of the events generated by the Certificate Enrollment Web Service (CES) in the Windows Event Viewer.

The events of the Certificate Enrollment Web Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.

Event Sources

Certificate Enrollment Web Service events are written to the application log. The following sources contain CES events:

  • Microsoft-Windows-EnrollmentWebService/Admin

Predefined view in the Windows Event Viewer

An appropriately filtered view is preconfigured in the Active Directory Certificate Services category on each system where the Certificate Enrollment Web Service is installed.

Event source Microsoft-Windows-EnrollmentWebService

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

IDTypeEvent text
1InformationThe Certificate Enrollment Web Service has started.
2ErrorThe Certificate Enrollment Web Service failed to start. Confirm that the Certificate Enrollment Web Service is properly installed, and restart Internet Information Services (IIS) by using iisreset.exe. If the problem persists, enable tracing in the web.config file, restart IIS, attempt to enroll for a certificate again from any client, and then contact Microsoft Customer Service and Support with the trace file information. %1
3ErrorThe Certificate Enrollment Web Service failed to start. The certification authority (CA) "%1" is not an enterprise CA.
4ErrorThe Certificate Enrollment Web Service failed to start. A valid certification authority (CA) configuration is not specified in the web.config file. Please specify a CA configuration in the web.config file.
5InformationThe Certificate Enrollment Web Service has been stopped.
6WarningThe Certificate Enrollment Web Service is in renewal-only mode. New enrollment requests cannot be processed when the Certificate Enrollment Web Service is in renewal-only mode. If you want to enable new enrollment requests, configure both the CA and the Certificate Enrollment Web Service for new enrollment requests.
7ErrorThe Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the Certificate Enrollment Web Service to use a CA that is installed on a computer that is running at least Windows Server 2008 R2. Then, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected.
8ErrorThe Certificate Enrollment Web Service cannot read the version or the configuration flags from certification authority (CA) "%1." On the Security tab of the CA property sheet, grant Read permission to the account used by the Certificate Enrollment Web Service application pool. If no action is taken, subsequent requests will be rejected.
9ErrorThe Certificate Enrollment Web Service is attempting to use renewal-only mode, but certification authority (CA) "%1" does not support this mode. To use renewal-only mode, configure the CA by running the following command on the CA: certutil -setreg policy\editflags +EDITF_ENABLERENEWONBEHALFOF. Otherwise, disable renewal-only mode. If no action is taken, subsequent requests will be rejected.
10ErrorThe Certificate Enrollment Web Service cannot operate because an incompatible configuration was selected. To resolve this issue, remove the Certificate Enrollment Web Service. If you want to use key based renewal, enable both client certificate authentication and renewal-only mode. If you want to use user name and password authentication or Windows authentication, disable key based renewal, and then run Setup again.
11InformationThe Certificate Enrollment Web Service is enabled for key based renewal. Client certificates without subject information in the Active Directory database can be used to renew certificates.

Related links:

External sources

2 thoughts on “Übersicht über die vom Zertifikatregistrierungs-Webdienst (CES) generierten Windows-Ereignisse”

Comments are closed.

en_USEnglish