Troubleshooting (Certificate Autoenrollment in Windows Server 2003)

Applies To: Windows Server 2003 with SP1

This section outlines key scenarios that need to be considered when troubleshooting autoenrollment. It also covers how to prepare for autoenrollment failures and lists event logging messages.

Key Issues

The following key issues need to be considered when troubleshooting autoenrollment.

Infrastructure Requirements

Windows XP clients and Windows Server 2003 CAs will always request LDAP-signed communications with domain controllers as a security function. Before deploying autoenrollment or a Windows Server 2003 CA, all domain controllers running Windows 2000 should be upgraded to Service Pack 3 or greater.

Root and Cross-Certificate Download from Active Directory

Autoenrollment automatically downloads root certificates and cross-certificates from Active Directory whenever a change is detected in the directory or when a different domain controller is contacted. If a third-party root certificate or cross-certificate is deleted from the local machine store, autoenrollment will not download the certificates again until a change occurs in Active Directory or a new domain controller is contacted.

To manually force a new download, delete the following registry key and all subordinate keys on all affected machines:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

EFS and Autoenrollment

EFS always attempts to enroll for the Basic EFS template by default. The EFS component driver generates an autoenrollment request that autoenrollment tries to fulfill. For customers who want to ensure that a specific template is used for EFS (such as to include key archival), the new template should supersede the Basic EFS template. The Basic EFS template should also be removed from any Enterprise CA. This will ensure that autoenrollment will not attempt enrollment for the Basic EFS template any more. For customers who wish to replace the Basic EFS template with a certificate and key that is archived through the Windows Server 2003, Enterprise Edition CA, the proper procedure is to supersede the Basic EFS template with a new version 2 certificate template.

Smartcard Renewal

The Smartcard Logon and Smartcard User version 1 templates may not be renewed through autoenrollment. To renew a version 1 Smartcard Logon or Smartcard User template, the proper procedure is to supersede these templates with a new version 2 template.

Autoenrollment always attempts to generate a new key when performing certificate renewal. For smart cards with limited space that do not support additional key generation, autoenrollment will attempt to reuse the key; however, additional space will still be required to install the new certificate. If no space is available on the card for these operations, the renewal through autoenrollment may fail.

Autoenrollment and Strong Private Key Protection

The version 2 certificate template properties on the Request Handling tab support the ability to require a user password when the private key is used by applications. This is set by selecting the Prompt the user during enrollment option and requires user input whenever the private key is used. Never use this option for smart card certificates, because smart card CSPs do not support this capability. If this option is chosen, autoenrollment may fail.

Removal of Certificates on Domain Join/Change Domain

When a machine is removed from a domain or added to a new domain, all the downloaded certificates from Active Directory will be removed and refreshed if applicable. Certificates that were issued or autoenrolled from a previous forest will not be removed unless the machine is a domain controller. All client machines will automatically update certificates when the domain or machine information changes. When machines or users have certificates that are required for secure network communications, wireless communications, and so on, it may be necessary to delete the old certificates after joining a new domain or forest.

Autoenrollment Failures

Autoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template.

To enable the warning feature for an autoenrollment failure

  1. Open the specified template in the Certificate Templates MMC snap-in.

  2. Click the Request Handling tab.

  3. Click Prompt the user during enrollment on the Request Handling tab of the certificate template properties.

Re-Initialized Smart Cards

If enrollment for a certificate is based on the existence of a smart card certificate and if the smart card has been re-initialized, the smart card Insertion dialog box will ask the user to insert a smart card matching the key container identified by the old certificate. Since the key container has been deleted, the Insertion dialog box will continue to display despite the fact that the user has removed and inserted the card. The only choice is to click Cancel and fail the enrollment.

Enhanced Event Logging

By default, autoenrollment logs errors/failures and successful enrollments in the Application event log on the client machine.

To enable enhanced logging of autoenrollment processes to include warning and informational messages, the following registry values must be created.

User Autoenrollment

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel" and set its value to 0.

Machine Autoenrollment

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel" and set its value to 0.

Note

All failures and errors are automatically logged. It is not necessary to enable the registry key to turn on failure logging.
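The two registry changes described in this section, enabling enhanced logging for both user and machine autoenrollment and (from the earlier section) forcing a fresh root and cross-certificate download by deleting AEDirectoryCache, as an added PowerShell example that is not part of the Microsoft page. The function names are this example's own; the key paths and values are the ones the page gives.

```powershell
# Added example, not from the page. Run in an elevated PowerShell session; the HKCU
# change only affects the user running the script. On a Windows XP / Server 2003 host
# without PowerShell the same DWORD can be created with reg.exe, e.g.:
#   reg add HKLM\Software\Microsoft\Cryptography\Autoenrollment /v AEEventLogLevel /t REG_DWORD /d 0 /f

function Enable-AutoEnrollmentLogging {
    # AEEventLogLevel = 0 under both hives turns on warning and informational events;
    # errors and failures are logged regardless of this value.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Join-Path $hive 'Software\Microsoft\Cryptography\Autoenrollment'
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'AEEventLogLevel' -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host "AEEventLogLevel = 0 set under $key"
    }
}

function Reset-AutoEnrollmentDirectoryCache {
    # Deleting this key (and its subkeys) makes autoenrollment re-download root and
    # cross-certificates from Active Directory on its next pass.
    $cache = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'
    if (Test-Path $cache) {
        Remove-Item -Path $cache -Recurse -Force
        Write-Host "Deleted $cache; root and cross-certificates will be re-downloaded"
    } else {
        Write-Host "$cache is not present; nothing to delete"
    }
}

Enable-AutoEnrollmentLogging
# Reset-AutoEnrollmentDirectoryCache   # uncomment only when a forced re-download is wanted
```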

Event Log Messages

The following event log messages only appear when additional event logging is enabled.

Success Event Log Messages

The following are samples of successful event log messages.

Event Type: Information
Event Source: AutoEnrollment
Event Category: None
Event ID: 2
Date: 2/26/2001
Time: 12:52:02 PM
User: N/A
Computer: COMPUTER1
Description: Automatic certificate enrollment for local system started.

Event Type: Information
Event Source: AutoEnrollment
Event Category: None
Event ID: 3
Date: 2/26/2001
Time: 12:52:10 PM
User: N/A
Computer: COMPUTER1
Description: Automatic certificate enrollment for local system completed.

Event Type: Information
Event Source: AutoEnrollment
Event Category: None
Event ID: 27
Date: 2/26/2001
Time: 3:26:03 PM
User: CONTOSO\USER1
Computer: COMPUTER1
Description: Automatic certificate enrollment for logged on user is cancelled.

Event Type: None
Event Source: AutoEnrollment
Event Category: None
Event ID: 28
Date: 6/25/2001
Time: 7:36:16 AM
User: CONTOSO\USER1
Computer: COMPUTER1
Description: Automatic certificate enrollment for CONTOSO\User1 successfully installed one AutoEnrollSmart cardEmail certificate when retrieving pending requests. User interaction was required.

Event Type: None
Event Source: AutoEnrollment
Event Category: None
Event ID: 29
Date: 7/9/2001
Time: 6:39:29 AM
User: CONTOSO\USER1
Computer: COMPUTER1
Description: Automatic certificate enrollment for CONTOSO\USER1 reused the private key when requesting one AutoEnrollSmart cardUser certificate.

Event Type: None
Event Source: AutoEnrollment
Event Category: None
Event ID: 20
Date: 7/9/2001
Time: 6:39:29 AM
User: CONTOSO\USER1
Computer: COMPUTER1
Description: Automatic certificate enrollment for CONTOSO\USER1 successfully renewed one AutoEnrollSmart cardUser certificate from certification authority TestCA on Server1.contoso.com.

Event Type: None
Event Source: AutoEnrollment
Event Category: None
Event ID: 29
Date: 7/17/2001
Time: 9:37:29 AM
User: CONTOSO\user1
Computer: TESTCA
Description: Automatic certificate enrollment for CONTOSO\user1 reused the private key when requesting one Autoenroll Smart card User certificate.

Note

This event signifies the fact that the private key was reused during a certificate renewal.

Failed Event Log Messages

The following are samples of failed event log messages.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 7/8/2001
Time: 3:09:41 PM
User: N/A
Computer: TEST1
Description: Automatic certificate enrollment for CONTOSO\User1 failed to contact Active Directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.

Note

This error most often occurs when a user is logged on to a machine with cached credentials and is offline. Therefore, autoenrollment cannot continue and will be attempted later.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 2/24/2001
Time: 10:36:08 AM
User: N/A
Computer: TEST1
Description: Automatic certificate enrollment for local system failed to contact a directory server (0x80072751). A socket operation was attempted to an unreachable host. Enrollment will not be performed.

Note

This error most often occurs when a domain controller is not available or cannot be reached by the client. Common causes include network errors and loss of network connectivity.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 7/5/2001
Time: 9:37:44 AM
User: N/A
Computer: TEST1
Description: Automatic certificate enrollment for local system failed to enroll for one CONTOSO IPSEC certificate (0x800706ba). The RPC server is unavailable.

Note

This error typically occurs when the certification authority is not available on the network or the service is stopped.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 7/5/2001
Time: 7:41:27 AM
User: N/A
Computer: TEST1
Description: Automatic certificate enrollment for local system failed to enroll for one CONTOSO IPSEC certificate (0x8009400f). An attempt was made to open a certification authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.

Note

This is a rare event when the certification authority is under heavy load and cannot respond to the request in a timely manner. Autoenrollment will automatically try again at a later time.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 16
Date: 7/5/2001
Time: 2:53:34 AM
User: N/A
Computer: TEST1
Description: Automatic certificate enrollment for local system failed to renew one CONTOSO IPSEC certificate (0x8009400f). An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.

Note

This is the same error as the previous one, but it involves a renewal.

Event Type: Warning
Event Source: AutoEnrollment
Event Category: None
Event ID: 7
Date: 7/24/2001
Time: 7:48:27 PM
User: CONTOSO\USER1
Computer: TEST1
Description: Automatic certificate enrollment for CONTOSO\USER1 could not enroll for Key Recovery Agent certificate template due to one of the following situations.

  • Enrollment access is not allowed to this template.

  • Template subject name, signature, or hardware requirements cannot be met.

  • No valid certification authority can be found to issue this template.

Note

This autoenrollment error occurs when a user has a certificate and private key installed for a given template and that certificate is now expiring. Autoenrollment attempts to renew the certificate automatically; however, the user does not have the required permissions on the template, so the renewal fails. Autoenrollment decisions are driven both by the certificates already in the store and by the certificate template settings.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 7/17/2001
Time: 9:22:10 AM
User: CONTOSO\user1
Computer: TESTCA
Description: Automatic certificate enrollment for CONTOSO\user1 failed to enroll for one Autoenroll smart card user certificate (0x80094812). The e-mail name is unavailable and cannot be added to the Subject or Subject Alternate name.

Note

This error occurs when the user account in Active Directory does not have a valid e-mail address on the user property page in the Active Directory Users and Computers MMC snap-in. Enrollment for certificate templates that include the e-mail name in the subject requires an e-mail address to exist on the account before enrollment.

Event Log Tools

A new tool (script) is included with Windows XP Professional and Windows Server 2003 to query a local or remote system for events. This script can be used to identify autoenrollment errors on the client and to take appropriate action. The command-line help for the tool follows:

Z:\>eventquery /?
Microsoft (R) Windows Script Host Version 5.6
Copyright © Microsoft Corporation 1996-2001. All rights reserved.
----------------------------------------------------------------------
EVENTQUERY.vbs [/S system [/U user name [/P password]]] [/FI filter]
        [/FO format] [/R range] [/NH] [/V] [/L logname | *]

Description:
  The EVENTQUERY.vbs script enables an administrator to list
  the events and event properties from one or more event logs.

Parameter List:
  /S   system          Specifies the remote system to connect to.
  /U   [domain\]user   Specifies the user context under which the
                       command should execute.
  /P   password        Specifies the password for the given
                       user context.
  /V                   Specifies that the detailed information
                       should be displayed in the output.
  /FI  filter          Specifies the types of events to
                       filter in or out of the query.
  /FO  format          Specifies the format in which the output
                       is to be displayed.
                       Valid formats are "TABLE", "LIST", "CSV".
  /R   range           Specifies the range of events to list.
                       Valid Values are:
                         'N'     - Lists 'N' most recent events.
                         '-N'    - Lists 'N' oldest events.
                         'N1-N2' - Lists the events N1 to N2.
  /NH                  Specifies that the "Column Header" should
                       not be displayed in the output.
                       Valid only for "TABLE" and "CSV" formats.
  /L   logname         Specifies the log(s) to query.
  /?                   Displays this help/usage.

  Valid Filters  Operators allowed   Valid Values
  -------------  ------------------  ------------
  DATETIME       eq,ne,ge,le,gt,lt   mm/dd/yy(yyyy),hh:mm:ssAM(/PM)
  TYPE           eq,ne               ERROR, INFORMATION, WARNING,
                                     SUCCESSAUDIT, FAILUREAUDIT
  ID             eq,ne,ge,le,gt,lt   non-negative integer
  USER           eq,ne               string
  COMPUTER       eq,ne               string
  SOURCE         eq,ne               string
  CATEGORY       eq,ne               string

  NOTE: Filter "DATETIME" can be specified as "FromDate-ToDate"
        Only "eq" operator can be used for this format.

Examples:
  EVENTQUERY.vbs
  EVENTQUERY.vbs /L system
  EVENTQUERY.vbs /S system /U user /P password /V /L *
  EVENTQUERY.vbs /R 10 /L Application /NH
  EVENTQUERY.vbs /R -10 /FO LIST /L Security
  EVENTQUERY.vbs /R 5-10 /L "DNS Server service"
  EVENTQUERY.vbs /FI "Type eq Error" /L Application
  EVENTQUERY.vbs /L Application /FI "Datetime eq 06/25/00,03:15:00AM-06/25/00,03:15:00PM"
  EVENTQUERY.vbs /FI "Datetime gt 08/03/00,06:20:00PM" /FI "Id gt 700" /FI "Type eq warning" /L System
  EVENTQUERY.vbs /FI "Type eq error OR Id gt 1000"
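Putting the failed event log messages and the event log tool together, as an added PowerShell example that is not part of the Microsoft page: it pulls AutoEnrollment errors and warnings from the Application log and annotates each one with the cause the notes above give for its HRESULT. The function name and the cause table are this example's own; the HRESULT values, event IDs and the "AutoEnrollment" source name are the ones shown on this page, and the script assumes a host that can read the target's Application log.

```powershell
# Added example, not from the page. Maps the HRESULTs in the sample failure events to the
# causes the accompanying notes give, so a triage pass can be run over a whole log.
$AutoEnrollCauses = @{
    '0x8007054b' = 'Domain not contactable: user is probably offline with cached credentials; retried later'
    '0x80072751' = 'Directory server unreachable: domain controller down or network connectivity problem'
    '0x800706ba' = 'RPC server unavailable: CA not reachable or Certificate Services stopped'
    '0x8009400f' = 'CA database session limit reached: CA under heavy load; autoenrollment retries later'
    '0x80094812' = 'E-mail name unavailable: user account has no e-mail address but the template needs one'
}

function Get-AutoEnrollmentIssues {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Newest = 200,
        [string]$Source = 'AutoEnrollment'   # source name used on XP / Server 2003 (this page)
    )
    Get-EventLog -LogName Application -Source $Source -ComputerName $ComputerName `
                 -EntryType Error, Warning -Newest $Newest |
        ForEach-Object {
            # Descriptions carry the HRESULT in parentheses, e.g. "(0x8009400f)".
            $code = $null
            if ($_.Message -match '\((0x[0-9a-fA-F]{8})\)') { $code = $Matches[1].ToLower() }

            if ($code -and $AutoEnrollCauses.ContainsKey($code)) {
                $cause = $AutoEnrollCauses[$code]
            } elseif ($_.EventID -eq 7) {
                # Event 7 carries no HRESULT; the page attributes it to template access,
                # subject/signature/hardware requirements, or no CA able to issue it.
                $cause = 'Template enrollment requirements not met (permissions, subject, or no issuing CA)'
            } else {
                $cause = 'Not in the cause table; read the description'
            }

            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventId = $_.EventID
                Type    = $_.EntryType
                User    = $_.UserName
                HResult = $code
                Cause   = $cause
                Message = $_.Message
            }
        }
}

# Review the most recent failures on this machine.
Get-AutoEnrollmentIssues | Format-Table Time, EventId, HResult, Cause -AutoSize

# Equivalent raw listing with the page's own script, for hosts without PowerShell:
#   cscript //nologo EVENTQUERY.vbs /L Application /FI "Source eq AutoEnrollment" /FI "Type eq Error" /FO CSV
```

On Windows Vista and later the autoenrollment client logs under a different source name, so pass it with -Source; the HRESULT-to-cause mapping itself still applies.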