Troubleshooting Certificate Enrollment

AutoEnrollment & MMC Enrollment

Enrollment Dependencies:

  • The Certificate Template has been published to the Certification Authority.
  • If Service Pack 1 has been installed on the CA and the CA is on a DC:
    • Verify that the CERTSVC_DCOM_ACCESS group contains Domain Users, Domain Computers, and Domain Controllers.
  • If Service Pack 1 has been installed on the CA and the CA is a member server in a Windows 2000 domain:
    • Verify that the Windows Server 2003 Schema Extensions have been installed.

AutoEnrollment Dependencies:

  • Client machine must be Windows XP or higher.
  • Certification Authority has been installed on a Windows Server 2003 Enterprise Edition server.
  • User/Computer has Read, Enroll, and AutoEnroll permissions on the certificate template.
  • The Group Policy for the Domain/OU containing the User/Computer has been configured for Autoenrollment.

Debug Logging Options

Client Settings:

  • By default, errors/failures and successful enrollments are logged in the Application event log on the client machine.
  • To enable enhanced logging of the Autoenrollment processes, set the following values:
    • User AutoEnrollment
      HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.
    • Machine AutoEnrollment
      HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.

For information on available event log messages, see the following:
Troubleshooting (Certificate Autoenrollment in Windows Server 2003)
https://technet2.microsoft.com/WindowsServer/en/Library/8b1e8736-1574-44a0-802f-974f7aeedd9c1033.mspx?mfr=true

Certification Authority Settings

  • Enable Certificate Services Debug Logging by running the following commands on the CA:
    certutil.exe -f -setreg ca\debug 0xffffffff
    Net Stop Certsvc && Net Start Certsvc
  • The following log files will be created:
    %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
    %SystemRoot%\certutil.log (Certutil.exe)
    %SystemRoot%\certreq.log (Certreq.exe)
    %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
    %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Simultaneous Netmon Trace from both the client and the CA.

  • Filter the trace on LDAP and RPC traffic.
  • The client queries Active Directory for a list of available CAs and the certificate templates on which it has been granted Read and Enroll permissions.
  • The client then makes an RPC bind to the ICertRequest DCOM Interface on the CA using Kerberos authentication.

Common Problems - Scenario #1: Clients are Not Autoenrolling and No Errors are being Reported in the Application Event Log

  • Verify that the client can get a certificate using Manual Enrollment via the MMC Certificate Wizard. You may get the following error at the beginning of the wizard:
  • This error typically means:
    • We could not contact the Active Directory
      • Use normal Active Directory troubleshooting methods, i.e. verify network connectivity and name resolution.
    • We do not trust the Enrollment Certification Authority
      • The Enrollment Certification Authority is located at:
        CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
      • The Enrollment CA’s certificate must be installed in the Trusted Root Certification Authority store on the client if it’s a Root CA.
      • If the Enrollment CA is a subordinate CA, then the Root CA certificate must be installed in the Trusted Root Certification Authority store and the Enrollment CA certificate should be installed in the Intermediate CA store on the client.
      • All certificates are downloaded during Group Policy processing so make sure that Group Policy is applying to the client.
    • We do not have permissions to the Certification Authority.
      • Open the Certification Authority snap-in and right click on the CA name and select Properties.
      • Go to the Security tab and make sure that Authenticated Users, or the appropriate group, have "Read" and "Request Certificates" permissions.
    • We do not have permissions to any Certificate Templates.
      • To verify the templates that the machine has access to, run the following command:
        Certutil -Template
      • To verify the templates that the user has access to, run the following command:
        Certutil -user -Template
      • Verify that the CA can issue the template in question:
        Certutil -templateCAs <Template Name>

Common Problems - Scenario #2: Errors are being reported in the Client Application Event Log

Source: AutoEnrollment
Event IDs: 7,13,15

  • Description

    • Automatic certificate enrollment for Haybuv\User1 failed to contact Active Directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
  • Resolution

    • Verify network connectivity and name resolution.
  • Description

    • Automatic certificate enrollment for local system failed to contact a directory server (0x80072751). A socket operation was attempted to an unreachable host. Enrollment will not be performed.
  • Resolution

    • This error most often occurs when a user is logged on to a machine with cached credentials and is offline. If the machine is not offline, verify network connectivity and name resolution.
  • Description

    • Automatic certificate enrollment for local system failed to enroll for one HAYBUV IPSEC certificate (0x800706ba). The RPC server is unavailable.
  • Resolution

    • This error occurs when attempting to bind to the Certification Authority to generate the Certificate request. Troubleshooting includes:
      • Verify that the client can get a certificate using the Manual Enrollment via the MMC Certificate Wizard.
      • Check network connectivity to all of the available Certification Authorities listed in the Enrollment Services object in AD:
        CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com
      • Verify that the Certificate Services service is running on the Certification Authority.
      • Verify that you can ping the Certificate Request Interface by running the following command:
        Certutil -Ping -Config CAMachineName\CAName
        Note that you can run the following command to get the Config string of the available Certification Authorities:
        Certutil -Dump
    • The Certutil -Ping command runs in the context of the user. If the command works for the user but AutoEnrollment fails for the computer account, open a command prompt under the machine account and re-run the ping command.
    • If the ping command fails for either the user or the computer:
  • Description

    • Automatic certificate enrollment for local system failed to renew one HAYBUV IPSEC certificate (0x8009400f). An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
  • Resolution

    • By default, the Windows Server 2003 certification authority allows only 20 concurrent sessions to the CA database. To increase the maximum number of sessions to 30, which is the highest limit tested with the Windows Server 2003 certification authority, run:
      Certutil -setreg DBSessionCount 30
      Net Stop Certsvc && Net Start Certsvc
    • This behavior typically occurs when a CA has been introduced to the environment and clients are in the initial Autoenrollment phase.
  • Description

    • Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
  • Resolution

    • This error occurs when attempting to bind to the Certification Authority to generate the Certificate request. Troubleshooting includes:
      • If SP1 is installed on the Certification Authority, verify that DCOM permissions are set correctly per the following article:
        Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1
        https://support.microsoft.com/kb/903220/
  • Description

    • The certificate request failed. The revocation function was unable to check revocation because the revocation server was offline.
  • Resolution

    • The client does not have a valid Certificate Revocation List (CRL) from the issuing CA. Therefore, verify that all Certification Authorities in the chain have valid certificates. To test, run the following command against the issuing Certification Authority certificate:
      Certutil -Verify -Urlfetch <Issuing CA Certificate>
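
The following Python script triages exported AutoEnrollment event descriptions against the error codes and resolutions listed in Scenario #2, and flags the one case where the page says the CA ping must be repeated under the machine account. It is an added example, not part of the original page or any Microsoft tool; the function names and the sample events are constructed for illustration.

```python
import re
from collections import Counter
# Codes and resolution summaries taken from Scenario #2 on this page.
RESOLUTIONS = {
    0x8007054B: "Verify network connectivity and name resolution.",
    0x80072751: "Likely cached credentials while offline; else check network and DNS.",
    0x800706BA: "RPC bind to CA failed: check certsvc is running, certutil -ping each CA.",
    0x8009400F: "CA database sessions exhausted: raise DBSessionCount, restart certsvc.",
    0x80070005: "Access denied at the CA: check DCOM permissions (KB 903220).",
}
REVOCATION_HINT = "revocation server was offline"
EVENT_RE = re.compile(
    r"Automatic certificate enrollment for (?P<principal>.+?) failed to "
    r"(?P<action>contact|enroll|renew)\b[^()]*\((?P<code>0x[0-9a-fA-F]{8})\)"
)

def triage(description):
    """Return a finding for one AutoEnrollment event description, or None."""
    if REVOCATION_HINT in description:  # this event carries no hex code
        return {"code": None, "principal": None, "action": "request",
                "resolution": "Run certutil -verify -urlfetch on the issuing CA certificate.",
                "rerun_as_machine": False}
    m = EVENT_RE.search(description)
    if m is None:
        return None  # not a failure text this page covers
    code = int(m.group("code"), 16)
    principal = m.group("principal")
    # certutil -ping runs as the logged-on user, so an RPC failure reported for
    # "local system" must be re-tested from a prompt under the machine account.
    rerun = code == 0x800706BA and principal.lower() == "local system"
    return {"code": "0x%08x" % code, "principal": principal,
            "action": m.group("action"),
            "resolution": RESOLUTIONS.get(code, "Code not covered on this page."),
            "rerun_as_machine": rerun}

def summarize(descriptions):
    """Count findings per code to show which failure dominates a log export."""
    return Counter(f["code"] for f in map(triage, descriptions) if f)

# Constructed sample, using the event wording quoted on this page.
SAMPLE = [
    r"Automatic certificate enrollment for Haybuv\User1 failed to contact Active Directory (0x8007054b). The specified domain either does not exist or could not be contacted.",
    "Automatic certificate enrollment for local system failed to enroll for one HAYBUV IPSEC certificate (0x800706ba). The RPC server is unavailable.",
    "Automatic certificate enrollment for local system failed to renew one HAYBUV IPSEC certificate (0x8009400f). An attempt was made to open a Certification Authority database session, but there are already too many active sessions.",
    "The certificate request failed. The revocation function was unable to check revocation because the revocation server was offline.",
]

if __name__ == "__main__":
    for text in SAMPLE:
        print(triage(text))
```

A large count for 0x8009400f in `summarize()` output across many clients matches the initial Autoenrollment phase described above for a newly introduced CA.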

How Certificate Services Works
https://technet2.microsoft.com/WindowsServer/en/library/d7cd44f4-b39a-4d35-bb56-a239f72b7e4c1033.mspx?mfr=true