Windows Server Certification Authority (Events)

Version 1

    This template assesses the status and overall performance of Windows Server Certification Authority Services by checking the Windows event log for specific events.


    Prerequisites: WMI access to the target server.

    Credentials: Windows Administrator on the target server.

    Note: All monitors in this template look for specific event IDs in the Application log with the source names Microsoft-Windows-CertificationAuthority and CertificationAuthority. If any monitor returns non-zero statistics, check the Windows event log for the full event description, which carries the additional error information (request ID, path, container or provider) that the summaries below omit.
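    The query every monitor in this template performs, written out as an added PowerShell example (this is not code from the template or from Microsoft). It filters the Application log on the two provider names above, restricts to error and warning levels, and reports a count plus the first line of the latest description per event ID, so a non-zero count can be followed straight to the event text. The 24-hour default window and the use of -ComputerName (which needs the administrator credentials the template requires and remote event log access) are assumptions.

```powershell
# Added example: reproduce what the template's monitors do against the Application log.
function Get-CAEventSummary {
    param(
        [int[]]$EventId,                     # optional: restrict to one monitor's ID set
        [int]$LookbackHours = 24,            # assumed polling window
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = @('Microsoft-Windows-CertificationAuthority', 'CertificationAuthority')
        Level        = @(2, 3)               # 2 = Error, 3 = Warning
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    if ($EventId) { $filter['Id'] = $EventId }

    # Get-WinEvent reports "No events were found" as an error when nothing matches;
    # for a monitor that is the healthy case, so it is suppressed here.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId     = [int]$_.Name
            Count       = $_.Count
            LastSeen    = $latest.TimeCreated
            Provider    = $latest.ProviderName
            LastMessage = ($latest.Message -split "`r?`n")[0]   # first line of the description
        }
    } | Sort-Object Count -Descending
}

# Usage: the Startup Problems monitor's ID set over the last 7 days.
Get-CAEventSummary -EventId 9,15,16,17,19,20,24,27,28,30,31,33,34,35,39,40,59,63,89,100 -LookbackHours 168 |
    Format-Table -AutoSize
```

    Run without -EventId to see every CA error and warning in the window; pass the ID list of the monitor that alerted to narrow it down.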


    Monitored Components

    Startup Problems

    This monitor returns error and warning events when Active Directory Certificate Services could not start, for the reasons listed below. It monitors the following event IDs:

    9 - Unable to load a policy module.

    15 - Version does not match certif.dll.

    16 - Unable to initialize OLE.

    17 - Unable to initialize the database connection.

    19 - The Subject Name Template string in the registry is invalid.

    20 - The Certificate Date Validity Period string in the registry is invalid.

    24 - Unable to get information about the cryptographic service provider (CSP) from the registry.

    27 - Hierarchical setup is incomplete.

    28 - The Certificate Revocation List Period string is invalid in the registry.

    30 - Not enough memory or other system resources.

    31 - The chain of Certification Authority certificates is not properly configured.

    33 - Could not create the Certificate Services service thread.

    34 - Could not initialize RPC.

    35 - Could not initialize OLE.

    39 - The Certification Authority DCOM class could not be registered.

    40 - Could not initialize DCOM class factories.

    59 - Could not connect to the Active Directory.

    63 - Active Directory Certificate Services did not start.

    89 - Active Directory Certificate Services detected an exception during startup.

    100 - Could not load or verify the current CA certificate.

    To correct the issue:

    9 - Make sure the policy module configured under the CA's PolicyModules registry key (certutil -getreg policy) is registered on the server so that AD CS can load it.

    15 - Resolve a version mismatch on core AD CS files.

    16 - Fix problems with OLE components.

    17 - Enable the connection between the CA and the certificates database.

    19 - Fix the SubjectTemplate registry value (a multi-string listing the relative distinguished name order for issued certificates).

    20 - Fix the ValidityPeriod registry value (the unit string) together with ValidityPeriodUnits (the count).

    24 - Confirm that the CSP subkey under the CA's registry configuration (certutil -getreg CA\CSP) names a cryptographic provider that is installed on the server, and that the CA's key is available through that provider. After correcting the provider configuration, restart the CA.

    27 - Complete installation by importing a newly issued CA certificate.

    28 - Fix the CRLPeriod registry value (the unit string) together with CRLPeriodUnits (the count).

    30 - Fix resource problems.

    31 - You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place.

    33 - Fix problems with AD CS service threads.

    34 - Fix problems with remote procedure call (RPC).

    35 - Fix problems with OLE components.

    39 - Check the status of Active Directory Certificate Services. Use the Services snap-in to check the logon account of the certification authority service; it should run as the Local System account.

    40 - Fix problems with class factories.

    59 - Confirm network connectivity to Active Directory Domain Services (AD DS). Confirm that the certification authority (CA) has necessary permissions to essential AD DS containers and objects. After confirming connectivity and permissions, restart the CA.

    63, 89 - Correct general problems that prevent Active Directory Certificate Services from starting.

    100 - Load and confirm a valid CA certificate and chain.
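    Several of the startup fixes above come down to a handful of registry values and the service logon account. The following is an added PowerShell check for events 19, 20, 24, 28 and 39 (my own example, not part of the template); it reads the CA's configuration key directly rather than restarting the service and reading the event log again. The registry paths are the standard CertSvc ones; the list of accepted period units is my assumption, and the provider check relies on the "Provider Name:" lines certutil -csplist prints.

```powershell
# Added example: sanity-check the registry values the startup events point at.
$configKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -Path $configKey -Name Active).Active   # name of the active CA
$caKey      = Join-Path $configKey $caName
$ca         = Get-ItemProperty -Path $caKey
$validUnits = 'Hours', 'Days', 'Weeks', 'Months', 'Years'               # assumption: accepted period units
$findings   = @()

# Event 19: SubjectTemplate is a REG_MULTI_SZ giving the RDN order for issued certificates.
if (-not $ca.SubjectTemplate -or ($ca.SubjectTemplate | Where-Object { -not $_.Trim() })) {
    $findings += 'SubjectTemplate is missing or contains an empty entry (event 19)'
}

# Event 20: ValidityPeriod (unit string) and ValidityPeriodUnits (count) set the default lifetime.
if ($ca.ValidityPeriod -notin $validUnits -or [int]$ca.ValidityPeriodUnits -le 0) {
    $findings += "ValidityPeriod '$($ca.ValidityPeriod)' / ValidityPeriodUnits $($ca.ValidityPeriodUnits) look invalid (event 20)"
}

# Event 28: CRLPeriod and CRLPeriodUnits have the same shape.
if ($ca.CRLPeriod -notin $validUnits -or [int]$ca.CRLPeriodUnits -le 0) {
    $findings += "CRLPeriod '$($ca.CRLPeriod)' / CRLPeriodUnits $($ca.CRLPeriodUnits) look invalid (event 28)"
}

# Event 24: the CSP subkey names the provider that holds the CA key; it must be installed here.
$csp = Get-ItemProperty -Path (Join-Path $caKey 'CSP')
$installedProviders = certutil -csplist | Select-String '^Provider Name:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
if ($csp.Provider -notin $installedProviders) {
    $findings += "CSP\Provider '$($csp.Provider)' is not among the providers certutil -csplist reports (event 24)"
}

# Event 39: the service must run as Local System for the DCOM class registration to succeed.
$svc = Get-CimInstance Win32_Service -Filter "Name='CertSvc'"
if ($svc.StartName -ne 'LocalSystem') {
    $findings += "CertSvc runs as '$($svc.StartName)', expected LocalSystem (event 39)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'CA startup configuration looks consistent' }
```

    Correct any flagged value with certutil -setreg (for example certutil -setreg CA\ValidityPeriodUnits 2) and then restart the CA service, as the fix list above says.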

     

    Upgrade Failure

    This monitor returns error and warning events when Active Directory Certificate Services upgrade failed due to different reasons. It monitors the following event IDs:

    92 - Active Directory Certificate Services could not update security permissions.

    111 - Upgrade path could not be determined.

    112 - Information required for the upgrade was unavailable.

    113 - The CertEnroll folder and/or shared folder could not be created with proper permissions.

    114 - Virtual roots could not be created.

    115 - Server registry entries could not be updated.

    116 - A web configuration file could not be created.

    117 - A revocation page could not be created.

    118 - Key containers could not be upgraded.

    119 - The CertSrv request could not be created.

    120 - CertSrv admin could not be registered.

    121 - New templates could not be installed.

    122 - The service description could not be updated.

    123 - Security settings could not be updated.

    125 - Active Directory Certificate Services settings have not been upgraded.

    To correct the issue:

    92 - Confirm that the user who attempted to update security permissions has been authorized to set permissions on Active Directory Certificate Services (AD CS) objects.

    111 - Follow upgrade path requirements for Active Directory Certificate Services.

    113 - Allow the CertEnroll folder to be created.

    112, 114-123 - Resolve the issue that caused that portion of the certification authority upgrade to fail. The event log message identifies which step (upgrade information, virtual roots, registry entries, web configuration file, revocation page, key containers, CertSrv request, CertSrv admin registration, templates, service description or security settings) did not complete; correct that step and rerun the upgrade.

    125 - Resolve issues preventing a certification authority upgrade.

     

    Process Request Problems

    This monitor returns error and warning events when Active Directory Certificate Services could not process a certificate request. It monitors the following event IDs:

    21-23 - Active Directory Certificate Services could not process request due to an error.

    To correct the issue:

    21, 22 - Confirm the certificate chain for the certification authority (CA). Generate and publish new certificate revocation lists (CRLs). Confirm the configured CRL distribution points. If these steps do not resolve the problem, check the failed requests queue on the CA for information about why the request failed.

    23 - Submit a new certificate request in which the field named in the event log description is shorter than 127 bytes.

     

    Publish CRL and Certificate Problems

    This monitor returns error and warning events when Active Directory Certificate Services could not publish certificate revocation list (CRL) or certificate for requests. It monitors the following event IDs:

    65, 74 - Active Directory Certificate Services could not publish a base certificate revocation list (CRL) for a specific key.

    66, 75 - Active Directory Certificate Services could not publish a delta certificate revocation list (CRL) for a specific key.

    67 - Active Directory Certificate Services made several attempts to publish a certificate revocation list (CRL) and will not attempt to publish a CRL until the next CRL is generated.

    79, 80 - Active Directory Certificate Services could not publish a certificate for a request.

    130 - Active Directory Certificate Services could not create a certificate revocation list (CRL).

    To correct the issue:

    65,66,74,75 - If the event log message specifies an Active Directory location that has been formatted as a Lightweight Directory Access Protocol (LDAP) address, confirm that the certification authority (CA) has Write permissions to this location. Check the access control list on any file locations referenced in the event log message to confirm that the CA computer has Write permissions to those locations. Check network connectivity between the CA and domain controller. Publish a new CRL. If you still cannot publish a new CRL, confirm that the CRL distribution point is valid.

    67 - Correct any problems with your certificate revocation list (CRL) distribution point information, including permissions problems. Check network connectivity to Active Directory Domain Services (AD DS) and computers hosting CRL distribution points.

    79, 80 - Confirm that you have network connectivity between the client and the certification authority (CA). Confirm that the CA has Read and Write permissions on the userCertificate attribute of the user or computer object of the entity requesting the certificate. If you have more than one domain or a two-level (parent/child) domain hierarchy, you need to grant the Cert Publishers group from one domain (domain A) Read and Write permissions on the userCertificate attribute in the other domain (domain B); the "Correct cross-domain permission errors" procedure in the Microsoft source listed at the end of this document covers this. Then publish the certificate.

    130 - Recreate the CRL manually.
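    An added PowerShell example for events 65, 66, 67, 74, 75 and 130 (my own, not the template's code): it reads the CA's CRLPublicationURLs value, keeps only the locations the CA actually publishes to (flag bit 1; bit 64 marks delta CRL publishing), checks the folder ACL of each file location for the identity the CA writes with, and then forces a new CRL with certutil -CRL so the failure code shows up now rather than at the next scheduled attempt. LDAP and HTTP locations are listed but their directory and web ACLs are left to the manual checks described above; the CertSvc service runs as Local System, so it appears as NT AUTHORITY\SYSTEM on local paths and as the machine account on UNC paths, which is the assumption the ACL check is built on.

```powershell
# Added example: which CDP locations the CA publishes to, can it write there, and publish now.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName
$urls      = (Get-ItemProperty $caKey -Name CRLPublicationURLs).CRLPublicationURLs
$caAccount = "$env:USERDOMAIN\$env:COMPUTERNAME$"   # identity the CA uses on the network

foreach ($entry in $urls) {
    # Each entry is "<flags>:<url>"; flag bit 1 = publish CRLs here, bit 64 = publish delta CRLs here.
    $flags, $url = $entry -split ':', 2
    $flags = [int]$flags
    if (-not ($flags -band 1)) { continue }             # CDP-extension-only entry, nothing is written

    if ($url -match '^(ldap|http)://') {
        '{0,-5} {1}  delta={2}  (check directory/web ACL manually)' -f $url.Split(':')[0], $url, [bool]($flags -band 64)
        continue
    }

    # File or UNC location: expand the CA-name token (%3) and look at the folder ACL.
    $path     = $url -replace '^file://', '' -replace '%3', $caName
    $dir      = Split-Path $path
    $identity = if ($path -like '\\*') { $caAccount } else { 'NT AUTHORITY\SYSTEM' }
    if (-not (Test-Path $dir)) { Write-Warning "$dir does not exist"; continue }

    $writeAce = (Get-Acl $dir).Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    }
    # Absence of a direct ACE is a hint, not proof: the right may come through a group.
    if ($writeAce) { "OK    $dir  writable by $identity  delta=$([bool]($flags -band 64))" }
    else           { Write-Warning "$dir has no direct Allow/Write ACE for $identity (events 65/66/74/75)" }
}

# Events 67 and 130: publish a fresh CRL immediately and surface the result code.
certutil -CRL | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning ("certutil -CRL failed with 0x{0:X}; re-check the event log" -f $LASTEXITCODE) }
else                     { 'CRL published' }
```

    Run this on the CA itself as an administrator; the -CRL step writes to every publishing location at once, so a single failing UNC or LDAP target is enough to produce another 65/66 event.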

     

    Denied Requests

    This monitor returns error and warning events when Active Directory Certificate Services denied requests. It monitors the following event IDs:

    7,53,56,57 - Active Directory Certificate Services denied request.

    To correct the issue:

    Confirm user account information in Active Directory Domain Services (AD DS). Confirm certificate template information. Confirm the certificate chain for the CA. Check the most recent certificate revocation lists (CRLs). Publish a new CRL.

     

    Enrollment Errors

    This monitor returns error and warning events related to certificate enrollment in Active Directory Certificate Services. It monitors the following event IDs:

    108, 109 - Active Directory Certificate Services could not delete a certificate for a request.

    128 - An Authority Key Identifier was passed as part of the certificate request. This feature has not been enabled.

    132 - The certification authority (CA) was unable to perform a decryption operation. This error can occur when an advanced encryption algorithm such as Advanced Encryption Standard (AES) is used and the CA has not been configured to use a CryptoAPI Next Generation (CNG) key storage provider.

    To correct the issue:

    108, 109 - Confirm that you have network access to the location where the certificate is stored, then try again to delete the certificate mentioned in the event log message. If you have network connectivity and still cannot delete the certificate, confirm permissions on the Domain Users and Domain Computers containers in Active Directory Domain Services (AD DS) before attempting to delete the certificate again.

    128 - To fix this problem, enable Online Responder revocation checking for all time-valid certificates issued by the certification authority (CA).

    132 - If this error occurred during certificate enrollment, check the certificate template to confirm that advanced encryption for key archival is not enabled.

     

    Domain Services Connection

    This monitor returns error and warning events related to connections to a domain controller. It monitors the following event IDs:

    64 - Active Directory Certificate Services cannot publish enrollment access changes to Active Directory.

    91 - A connection to Active Directory Domain Services could not be established. Active Directory Certificate Services will try to connect again when it needs Active Directory access.

    93 - The certificate does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. Directory replication may not have completed.

    94 - Active Directory Certificate Services cannot open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container.

    106 - Active Directory Certificate Services cannot add certificate.

    107 - Active Directory Certificate Services cannot delete an invalid CA certificate.

    To correct the issue:

    64 - Confirm the CA's connection to a domain controller. Confirm that the certification authority (CA) has necessary permissions to essential AD DS containers and objects, which will allow enrollment configuration changes to be published.

    91 - Confirm that the CA can connect to AD DS. Confirm that the CA has necessary permissions to essential AD DS containers and objects.

    93 - Confirm permissions on the NTAuth store. Check the NTAuth store and, if necessary, publish the certification authority (CA) certificate manually.

    94 - Confirm that the certification authority (CA) has necessary permissions to essential Active Directory Domain Services (AD DS) containers and objects. If the CA certificate is missing from the NTAuth store, publish it manually.

    106 - Confirm that the CA has permissions to essential AD DS containers and objects. Determine if the CA certificate exists in the AIA container. If it does not exist, publish the CA certificate to the AIA container manually.

    107 - Confirm that the CA has necessary permissions to essential AD DS containers and objects. Confirm that the CA certificate exists in the AIA container. Confirm the status of the CA certificate. After these conditions have been addressed, delete the certificate manually.
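    The checks for events 93, 94, 106 and 107 all ask the same question: is the CA's current certificate present where the forest expects it? The following added PowerShell example (mine, not the template's) exports the CA certificate with certutil -ca.cert, reads the cACertificate attribute of the NTAuthCertificates object and of the CA's object under the AIA container over LDAP, compares thumbprints, and prints the certutil -dspublish command that publishes a missing entry. The export path is an assumption, as is the use of the certificate's subject CN as the name of the AIA child object (the object is named after the CA's sanitized name, which normally matches).

```powershell
# Added example: is the CA certificate in the NTAuth store and the AIA container?
$exportPath = Join-Path $env:TEMP 'ca-current.cer'          # assumption: scratch location
certutil -ca.cert $exportPath | Out-Null                      # exports the CA's current certificate
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-PublishedThumbprints([string]$DistinguishedName) {
    # cACertificate is multi-valued; each value is one DER-encoded certificate.
    $obj = [ADSI]"LDAP://$DistinguishedName"
    foreach ($der in @($obj.cACertificate)) {
        if ($der) {
            (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$der)).Thumbprint
        }
    }
}

# Events 93/94: NTAuth lists every CA whose certificates Windows accepts for logon and enrollment.
$ntAuthDn = "CN=NTAuthCertificates,$pkiBase"
$inNtAuth = (Get-PublishedThumbprints $ntAuthDn) -contains $caCert.Thumbprint

# Events 106/107: the AIA container holds one object per CA, carrying its certificate(s).
$caObjectName = (($caCert.Subject -replace '^CN=', '') -split ',')[0]   # assumption: subject CN == CA name
$aiaDn = "CN=$caObjectName,CN=AIA,$pkiBase"
$inAia = try { (Get-PublishedThumbprints $aiaDn) -contains $caCert.Thumbprint } catch { $false }

[pscustomobject]@{
    CA             = $caCert.Subject
    Thumbprint     = $caCert.Thumbprint
    NotAfter       = $caCert.NotAfter
    InNTAuthStore  = $inNtAuth
    InAIAContainer = $inAia
}

# The manual publish steps the fixes above describe; run as an Enterprise Admin, and only
# after giving replication time to complete, since event 93 can simply be replication lag.
if (-not $inNtAuth) { "Run: certutil -dspublish -f `"$exportPath`" NTAuthCA" }
if (-not $inAia)    { "Run: certutil -dspublish -f `"$exportPath`" SubCA    (use RootCA for a root CA)" }
```

    A false result for InNTAuthStore on a freshly installed or renewed CA is expected until replication has converged; a false result that persists is the permissions problem events 93 and 94 describe.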

     

    CA Certificate and Chain Validation

    This monitor returns error and warning events related to certification authority (CA) certificate and chain validation. It monitors the following event IDs:

    42 - A certificate chain could not be built for CA certificate.

    48 - Revocation status for a certificate in the chain for specific CA certificate could not be verified because a server is currently unavailable.

    49 - A certificate in the chain for specific CA certificate could not be verified because no information is available describing how to check the revocation status.

    51 - A certificate in the chain for specific CA certificate has been revoked.

    58 - A certificate in the chain for specific CA certificate has expired.

    64 - Certificate is about to expire or has already expired.

    103 - Active Directory Certificate Services temporarily added the root certificate of certificate chain to the downloaded Enterprise Root store.

    To correct the issue:

    42 - You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place.

    48 - You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place.

    49 - You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place.

    51 - Confirm that the CA certificate has been revoked. Ask a CA administrator whether the revocation was deliberate or unintended. If the certificate was revoked intentionally, no further action is needed. If it was revoked unintentionally, the CA certificate and every certificate in the branch must be reissued through enrollment or auto-enrollment. If the problem persists, enable CryptoAPI 2.0 Diagnostics to identify and resolve additional errors that might be causing the problem.

    58 - Check whether the certificate has expired. Confirm the certificate chain. If the problem persists, enable CryptoAPI 2.0 Diagnostics, resolve any errors found, and then reissue and reinstall the expired certificates.

    64 - Renew a CA certificate.

    103 - Publish the root CA certificate to Active Directory Domain Services.

     

    Key Archival and Recovery

    This monitor returns error and warning events related to key archival and recovery. It monitors the following event IDs:

    83 - Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted.

    84 - Active Directory Certificate Services will not use key recovery certificate because it could not be verified for use as a Key Recovery Agent.

    85 - Active Directory Certificate Services ignored key recovery certificate because it could not be loaded.

    86 - Active Directory Certificate Services could not use the provider specified in the registry for encryption keys.

    87 - Active Directory Certificate Services could not use the default provider for encryption keys.

    88 - Active Directory Certificate Services switched to the default provider for encryption keys.

    96 - Active Directory Certificate Services could not create an encryption certificate.

    98 - Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted.

    127 - A key recovery certificate is about to expire and will not be used after it expires.

    To correct the issue:

    83, 98 - Configure the correct number of key recovery agent certificates.

    84, 85 - Identify and use a valid key recovery agent certificate.

    86-88, 96 - Use a cryptographic service provider that supports key archival and recovery.

    127 - Renew the key recovery agent certificate that is about to expire.

     

    Cross-Certification Problems

    This monitor returns error and warning events related to cross-certification problems. It monitors the following event IDs:

    99,102 - Active Directory Certificate Services could not create cross certificate to certify its own root certificates.

    To correct the issue, create a missing cross-CA certificate.

     

    Certificate Request (Enrollment) Processing

    This monitor returns error and warning events related to certificate request processing. It monitors the following event IDs:

    3 - The certificate request failed.

    10 - Active Directory Certificate Services was unable to build a new certificate or certificate chain.

    60 - Active Directory Certificate Services refused to process an extremely long request.

    To correct the issue:

    3 - Confirm the certificate chain for the certification authority (CA). Generate and publish new certificate revocation lists (CRLs). Confirm the configured CRL distribution points. If these steps do not resolve the problem, check the failed requests queue on the CA for information about why the request failed.

    10 - Confirm the certificates in the chain for the certification authority (CA). Identify and correct resource problems that could be preventing revocation checking. Enable CryptoAPI 2.0 Diagnostics to identify and resolve more advanced issues that can prevent revocation checking.

    60 - This may indicate a denial-of-service attack. The source should be identified in the event log message. Review failed certificate requests to determine whether or not the failed request is from a known or trusted source. If the request was rejected in error, modify the MaxIncomingMessageSize setting in the registry to allow larger certificate requests. If the request was not rejected in error, identify the source of the request and prevent requests from being submitted from that source.
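    The remediation for event 60 (and the "check the failed requests queue" step for events 3 and 21-23) is a review before a configuration change. The following added PowerShell example (mine, not the template's) lists recent failed requests from the CA database with certutil -view LogFail, puts the most recent event 60 descriptions next to them so the source can be matched against a known requester, reads the current MaxIncomingMessageSize from the CA's configuration key, and wraps the raise in a function so it is an explicit decision rather than a reflex. The 7-day window and the M/d/yyyy date format in the restriction are assumptions; the column headers in the output are the display names certutil emits, not the internal column names passed to -out.

```powershell
# Added example: review failed and oversized requests before touching MaxIncomingMessageSize.
$since  = (Get-Date).AddDays(-7).ToString('M/d/yyyy')         # assumption: en-US date format
$failed = certutil -restrict "Request.SubmittedWhen>=$since" `
                   -out 'RequestID,RequesterName,Request.SubmittedWhen,Request.DispositionMessage' `
                   -view LogFail csv |
          Where-Object { $_ -notmatch '^CertUtil:' } |         # drop certutil's trailing status line
          ConvertFrom-Csv

# Event 60 descriptions identify the source of the over-long request.
$oversized = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        Id           = 60
        ProviderName = @('Microsoft-Windows-CertificationAuthority', 'CertificationAuthority')
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Description'; e = { ($_.Message -split "`r?`n")[0] } }

'--- failed requests, last 7 days (newest last) ---'
$failed | Select-Object -Last 20 | Format-Table -AutoSize
'--- event 60: request refused as too long ---'
$oversized | Format-Table -AutoSize

# Current limit from the CA's configuration key (certutil -setreg CA\MaxIncomingMessageSize writes here).
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey     = Join-Path $configKey (Get-ItemProperty $configKey -Name Active).Active
$current   = (Get-ItemProperty $caKey -Name MaxIncomingMessageSize -ErrorAction SilentlyContinue).MaxIncomingMessageSize
if ($current) { "MaxIncomingMessageSize is $current bytes" }
else          { 'MaxIncomingMessageSize is not set; the CA applies its built-in default' }

function Set-CAMaxIncomingMessageSize {
    # Raise the limit only after the requester behind event 60 has been reviewed and found
    # legitimate: a larger limit widens the denial-of-service surface the event warns about.
    param([Parameter(Mandatory)][int]$Bytes)
    certutil -setreg CA\MaxIncomingMessageSize $Bytes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service CertSvc                                   # the CA reads the value at start-up
}
# Set-CAMaxIncomingMessageSize -Bytes 131072    # example only: 128 KB, after review
```

    If the source named in the event is not a known requester, the right move is the other branch of the fix above: block requests from that source (at the firewall, the web enrollment site, or the RPC endpoint) rather than raising the limit.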

     

    Performance Counters Availability

    This monitor returns an event when Active Directory Certificate Services could not initialize performance counters (Event ID: 110).

    To correct the issue, restart the certification authority (CA) and register the performance counters for a CA.

     

    Program Resource Availability

    This monitor returns error and warning events related to program resource availability. It monitors the following event IDs:

    38 - Active Directory Certificate Services was stopped.

    90 - Active Directory Certificate Services detected an exception.

    To correct the issue:

    38, 90 - Restart the certification authority.

     

    Registry Settings

    This monitor returns error and warning events related to registry settings. It monitors the following event IDs:

    5 - Active Directory Certificate Services could not find required registry information. The certification authority may need to be reinstalled.

    95 - Security permissions are corrupted or missing. Active Directory Certificate Services needs to be reinstalled.

    To correct the issue:

    5 - Correct CA-related registry values.

    95 - Fix certification authority security permissions.

     

    Portions of this document are based on the following sources: http://technet.microsoft.com/en-us/library/cc/774508(v=ws.10).aspx

    Last updated: 8/19/2014