Event ID 108 — AD CS Certificate Request (Enrollment) Processing

Applies To: Windows Server 2008

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Event Details

Product: Windows Operating System
ID: 108
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CERT_DELETION
Message: Active Directory Certificate Services could not delete a certificate for request %1 from the following location: %2. %3.%5%6

Resolve

Manually delete the certificate

A connectivity or permissions problem can prevent you from deleting a certificate. To resolve this problem:

  • Confirm that you have network access to the location where the certificate is stored.
  • Try to delete the certificate mentioned in the event log message by using one of the following procedures.
  • If you confirm that you have network connectivity and still cannot delete the certificate, then confirm permissions on the Domain Users and Domain Computers containers in Active Directory Domain Services (AD DS) before attempting to delete the certificate again.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Delete a certificate

To delete a certificate by using the Certificates snap-in:

  1. Confirm that the certificate that you want to delete exists in the location identified in the event log message.
  2. If you are unable to access this location because of a connection issue, correct this issue and try again.
  3. Click Start, type mmc, and then press ENTER.
  4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  5. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  6. Select the user, service, or computer account, and click Next.
  7. If you want to delete a certificate for a computer or service, identify the computer or service. Click Finish, and then click OK.
  8. Select the certificate store where the certificate you intend to delete exists.
  9. Right-click the certificate you want to delete, and click Delete.
  10. When asked whether you want to delete this certificate, click Yes.

You can also remove an invalid certificate by using the Certutil command-line tool.

To delete a certificate by using Certutil:

  1. Open a command prompt window.
  2. Type certutil -viewdelstore <network location specified in the event log message> and press ENTER.
  3. Select the certificate you want to delete, and click OK.
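Both deletion procedures above start from the request and location named in the event log message. The following PowerShell script is an added example, not part of the original article: it collects the Event ID 108 entries from a CA and lists the request ID and location each one reports. It assumes PowerShell 2.0 or later (for Get-WinEvent), that the CA writes these events to the Application log, and that the %1, %2 and %3 insertion strings of the message map to the first three event properties; the parameter names and the 30-day window are illustrative.

```powershell
# Added example, not from the original article.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # CA host to query
    [int]$Days = 30                             # look-back window (illustrative)
)

$filter = @{
    LogName      = 'Application'   # assumption: AD CS events are in the Application log
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 108
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when no event matches; treat that as an empty result.
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "No Event ID 108 entries on $ComputerName in the last $Days days."
    return
}

# Assumption: insertion strings %1, %2, %3 map to Properties[0], [1], [2].
$rows = foreach ($e in $events) {
    $p = @($e.Properties | ForEach-Object { $_.Value })
    New-Object PSObject -Property @{
        TimeCreated = $e.TimeCreated
        RequestId   = $p[0]   # %1: request whose certificate could not be deleted
        Location    = $p[1]   # %2: location to pass to certutil -viewdelstore
        Error       = $p[2]   # %3: error text reported by the CA
    }
}

# One line per failed deletion, oldest first.
$rows | Sort-Object TimeCreated |
    Format-Table TimeCreated, RequestId, Location, Error -AutoSize -Wrap

# Failures per location: many requests failing against one location points to a
# connectivity or permissions problem there rather than to a single certificate.
$rows | Group-Object Location | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```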

If you are still unable to delete the certificate, follow the procedure in the "Confirm permissions on the Domain Computers and Domain Users containers in Active Directory Domain Services" section to confirm that the computer hosting the certification authority (CA) has Read and Write permissions to the location specified in the error message.

Confirm permissions on the Domain Computers and Domain Users containers in Active Directory Domain Services

To confirm that the CA has necessary permissions on the Domain Computers and Domain Users containers:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. On the View menu, click Show Services Node.
  3. Double-click Services, double-click Public Key Services, right-click Domain Computers, and click Properties.
  4. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
  5. Right-click Domain Users, and click Properties.
  6. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.

Verify

To perform this procedure, you must have permission to request a certificate.

To confirm that certificate request processing is working properly:

  1. Click Start, type certmgr.msc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the console tree, double-click Personal, and then click Certificates.
  4. On the Action menu, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard. 
  5. Use the wizard to create and submit a certificate request for any type of certificate that is available.
  6. Under Certificate Installation Results, confirm that the enrollment completes successfully and no errors are reported. You can also click Details to view additional information about the certificate.
