Event ID 92 — AD CS Access Control

Applies To: Windows Server 2008

Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.

Event Details

Product: Windows Operating System
ID: 92
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CANNOT_SET_PERMISSIONS
Message: Active Directory Certificate Services could not update security permissions. %1

Resolve

Update security permissions with an authorized user account

Confirm that the user who attempted to update security permissions has been authorized to set permissions on Active Directory Certificate Services (AD CS) objects.

If you did not intend for the user to be blocked from modifying permissions on AD CS objects, you need to:

  • Enable auditing on the certification authority (CA).
  • Grant the user the needed CA administrator and certificate manager permissions on the CA.
  • Complete the operation as an authorized user.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Enable auditing on a CA

To enable auditing on a CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. Right-click the name of the CA, and click Properties.
  3. Click the Auditing tab, and click Change CA security settings.
  4. Restart the CA.
  5. Audit administrative actions on the CA for several weeks or until you are satisfied that no other attacks are likely before disabling CA auditing.

Note: To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.

Grant administrator and certificate manager permissions on the CA

To set CA administrator and certificate manager security permissions for a CA:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. In the console tree, click the name of the CA.
  3. On the Action menu, click Properties.
  4. Click the Security tab, and specify the security permissions.
  5. Complete the CA management operation as an authorized user.

For more information about the roles and security permissions available for a CA, see "Implement Role-Based Administration" in the Certification Authority Help (https://go.microsoft.com/fwlink/?LinkId=104188).

Verify

To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.

To confirm that the CA logon context is correct:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
  2. Confirm that the word Started appears in the Status column for the Active Directory Certificate Services service.
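
The following read-only PowerShell check covers the Verify step and the auditing prerequisite in one pass on the CA host. It is an added example, not part of the original Microsoft article. The function name Get-CaEvent92Triage is hypothetical, and the script assumes an elevated session, the Application log as the event location, and 0x10 as the AuditFilter bit for "Change CA security settings".

```powershell
# Added example: read-only triage for AD CS Event ID 92 on the computer hosting the CA.
# Nothing here changes CA configuration or permissions.

function Get-CaEvent92Triage {
    param([int]$MaxEvents = 20)

    # Verify step: the Active Directory Certificate Services service (CertSvc).
    $svc = Get-Service -Name CertSvc

    # Recent Event ID 92 entries from the source named in Event Details.
    # Assumption: AD CS writes these events to the Application log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Id           = 92
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # CA auditing: AuditFilter is a bitmask under the active CA's configuration key.
    # Assumption: bit 0x10 corresponds to "Change CA security settings".
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $filter = [int](Get-ItemProperty -Path (Join-Path $cfg $caName)).AuditFilter

    # Object access auditing must also be enabled for CA audit events to be recorded.
    $policy = auditpol /get /subcategory:"Certification Services"

    New-Object PSObject -Property @{
        ServiceStatus         = $svc.Status
        ActiveCA              = $caName
        AuditFilter           = ('0x{0:X}' -f $filter)
        SecurityChangeAudited = [bool]($filter -band 0x10)
        ObjectAccessPolicy    = ($policy -join "`n")
        Event92Count          = @($events).Count
        Event92               = $events | Select-Object TimeCreated, Message
    }
}

$result = Get-CaEvent92Triage
$result | Format-List ServiceStatus, ActiveCA, AuditFilter, SecurityChangeAudited, Event92Count
$result.Event92 | Format-List
$result.ObjectAccessPolicy
```

If SecurityChangeAudited is False, permission changes on the CA are not being audited and the auditing procedure above has not taken effect.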
