Share via


Event ID 79 — AD CS Certificate Request (Enrollment) Processing

Applies To: Windows Server 2008

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Event Details

Product: Windows Operating System
ID: 79
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CERT_PUBLICATION
Message: Active Directory Certificate Services could not publish a certificate for request %1 to the following location: %2. %3.%5%6

Resolve

Enable publication of an end-entity certificate

In order to publish a certificate you need network connectivity and network permissions. To resolve this issue:

  • Confirm that you have network connectivity between the client and certification authority (CA).
  • Confirm that the CA has Read and Write permissions on the userCertificate attribute of the user or computer object of the entity requesting the certificate.
  • If you have more than one domain or a two-level (parent/child) domain hierarchy, you need to allow the Cert Publishers group from one domain (domain A) Read and Write permissions on the userCertificate attribute in another domain (domain B). To do this, follow the procedure in the "Correct cross-domain permission errors" section.
  • Publish the certificate.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm network connectivity between a client and a CA

To confirm a client connection to a CA:

  1. On the client, click Start, type cmd and press ENTER.

  2. Type ping <server_FQDN>, where <server_FQDN> is the fully qualified domain name (FQDN) of the CA (for example, server1.contoso.com), and then press ENTER.

  3. If the ping was successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=20ms TTL=59

    Reply from IP_address: bytes=32 time=3ms TTL=59

    Reply from IP_address: bytes=32 time=6ms TTL=59 3

  4. At the command prompt, type ping <IP_address>, where <IP_address> is the IP address of the CA, and then press ENTER.

  5. If you can successfully connect to the CA by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution. If you cannot successfully connect to the CA by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security (IPsec) configuration.

Confirm permissions on the Domain Computers and Domain Users containers in Active Directory

To confirm that the CA has necessary permissions on the Domain Computers and Domain Users containers:

  1. Click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. On the View menu, click Show Services Node.
  3. Double-click Services, double-click Public Key Services, right-click Domain Computers, and click Properties.
  4. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
  5. Right-click Domain Users, and click Properties.
  6. On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.

Correct cross-domain permissions errors

To set these permissions by using use the Dsacls tool:

  • Click Start, type cmd and press ENTER, then run the following commands:

    dsacls "dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":RP;userCertificate,user

    dsacls "dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":WP;userCertificate,user

    dsacls "cn=<adminsdholder>,cn=system,dc=<contoso>,dc=<com>" /I:S /G  \Cert Publishers":RP;userCertificate,user

    dsacls "cn=<adminsdholder>,cn=system,dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":WP;userCertificate,user

    Substitute the correct names from your organization for the <domainname> and <com> placeholders in the example.

For more information, see article 281271 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=95695).

Publish a certificate

To publish a certificate:

  1. On the computer hosting the CA, click Start, type cmd and press ENTER.
  2. Type ping <ipaddress> where <ipaddress> is the IP address of a domain controller and press ENTER to confirm that you have a network connection.If you do not have a network connection, fix the problem and try again.
  3. At a command prompt, type certutil -dspublish <cert.cer> ldap:///<network location included in the event log message> and press ENTER. <Cert.cer> is a certificate file exported by using the Certificate Export Wizard.
  4. If you have connectivity but still cannot publish the certificate, use Active Directory Users and Computers to confirm that the computer hosting the CA has Read and Write permissions to the userCertificate attribute of the user or computer object. (This is generally by membership in the Cert Publishers group).

Verify

To perform this procedure, you must have permission to request a certificate.

To confirm that certificate request processing is working properly:

  1. Click Start, type certmgr.msc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the console tree, double-click Personal, and then click Certificates.
  4. On the Action menu, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard. 
  5. Use the wizard to create and submit a certificate request for any type of certificate that is available.
  6. Under Certificate Installation Results, confirm that the enrollment completes successfully and no errors are reported. You can also click Details to view additional information about the certificate.

AD CS Certificate Request (Enrollment) Processing

Active Directory Certificate Services