Event ID 77 — AD CS Policy Module Processing

Applies To: Windows Server 2008

The policy module contains the set of rules governing issuance, renewal, and revocation of certificates. This policy is created from hard-coded values, registry settings, and, if you are using an enterprise certification authority (CA), certificate templates. The policy module determines whether a certificate request is approved, denied, or marked as pending for an administrator to approve or deny. Problems detected with a policy module can cause a CA to fail to start or to cease functioning.

Event Details

Product: Windows Operating System
ID: 77
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_POLICY_LOG_WARNING
Message: The "%1" policy module logged the following warning: %2

Resolve

Address policy module processing warnings

To determine how to fix this error condition, examine the error code reported in the event log message.

The event log message can include the following codes:

  • MSG_SIGNATURE_COUNT
  • MSG_DS_RECONNECTED
  • MSG_LOAD_TEMPLATE

Depending on the specific error message, use the following procedures to resolve problems with these policy module warnings:

MSG_SIGNATURE_COUNT

The certificate template named in the event description has been configured to require one or more authorized signatures on the certificate request. This issuance policy requirement was not met. Use the procedure "Resolve signature count issues" to correct this problem.

MSG_DS_RECONNECTED

Certificate Services has re-connected to Active Directory at the network location specified in the event description. No action is needed.

MSG_LOAD_TEMPLATE

The certificate template named in the event description could not be loaded. This error can occur if a certificate template was removed from Active Directory Domain Services (AD DS) but one or more certification authorities (CAs) are still configured to issue certificates by using that template. Use the procedure "Resolve certificate template loading issues" to resolve this error.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Resolve signature count issues

To resolve signature count issues, you can either:

  • Make sure the enrollment request is signed with a sufficient number of authorized signatures before resubmitting the request. You may need to issue additional enrollment agent certificates or locate users who have been issued enrollment agent responsibilities and ask them to complete this task.
  • Alternatively, you can modify the certificate template so that it requires fewer authorized signatures.

To modify certificate template signature requirements:

  1. On the computer hosting the CA, click Start, type certtmpl.msc, and then press ENTER.
  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.
  3. Click the Issuance Requirements tab. Modify the number next to This number of authorized signatures, or clear the check box next to this setting if you want to disable the signature requirement completely. Click OK.

Resolve certificate template loading issues 

To resolve certificate template loading issues:

  1. On the CA that logged the event, click Start, point to Administrative Tools, and click Certification Authority.
  2. Right-click the template within the Certificate Templates container, and click Delete.
  3. If the problem involves a misconfigured certificate template, open the Certificate Templates snap-in, right-click the certificate template identified in the error message, check all configuration settings, and fix the settings that have been configured incorrectly.

If there is a problem with a policy module and these warnings cannot be resolved by addressing related symptoms:

  • For a non-Microsoft policy module, contact the policy module provider for assistance.
  • For a Microsoft policy module, contact Microsoft Customer Service and Support. For more information, see https://go.microsoft.com/fwlink/?LinkId=89446.

Verify

To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.

To confirm that the policy module is operational:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
  2. Right-click the Active Directory Certificate Services (AD CS) service, and click Restart.
  3. Open the event log, and confirm that it does not contain any errors relating to the policy module.

Errors relating to the policy module are:

  • Event 9: Source: Microsoft-Windows-CertificationAuthority. "Active Directory Certificate Services did not start: Unable to load a policy module."
  • Event 43: Microsoft-Windows-CertificationAuthority. "The "%1" policy module "%2" method caused an exception at address %4. The exception code is %3."
  • Event 44: Microsoft-Windows-CertificationAuthority. "The "%1" policy module "%2" method returned an error. %5 The returned status code is %3. %4"
  • Event 77: Microsoft-Windows-CertificationAuthority. "The "%1" policy module logged the following warning: %2"
  • Event 78: Microsoft-Windows-CertificationAuthority. "The "%1" policy module logged the following error: %2"
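
The Verify procedure above, scripted in PowerShell as an added example (not part of the original article). It assumes the AD CS service name is CertSvc, that the CA writes these events to the Application log, and a 30-second settling time chosen here for illustration.

```powershell
# Added example: restart AD CS and report policy module events logged afterwards.
# Assumptions: service name CertSvc, events in the Application log, 30 s wait.
$since          = Get-Date
$policyEventIds = 9, 43, 44, 77, 78   # the policy module events listed in this article

try {
    Restart-Service -Name CertSvc -ErrorAction Stop
}
catch {
    # A failed start is itself a finding (Event 9), so keep going and read the log.
    Write-Warning "CertSvc did not restart cleanly: $($_.Exception.Message)"
}

# Give the CA time to load the policy module and its certificate templates.
Start-Sleep -Seconds 30

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = $policyEventIds
    StartTime    = $since
}

# Get-WinEvent reports an error when nothing matches; suppress it and wrap the
# result in @() so that zero, one, or many events all behave as an array.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$status = (Get-Service -Name CertSvc).Status
Write-Output "CertSvc status: $status"

if ($events.Count -eq 0) {
    Write-Output "No policy module events (IDs $($policyEventIds -join ', ')) since $since."
}
else {
    # Oldest first, so the sequence after the restart reads top to bottom.
    $events |
        Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message
}

# Non-zero exit code lets a scheduled task or monitoring agent flag the result.
if ($status -ne 'Running' -or $events.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from an elevated session on the computer hosting the CA.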
