Share via


Event ID 78 — AD CS Policy Module Processing

Applies To: Windows Server 2008

The policy module contains the set of rules governing issuance, renewal, and revocation of certificates. This policy is created from hard-coded values, registry settings, and, if you are using an enterprise certification authority (CA), certificate templates. The policy module determines whether a certificate request is approved, denied, or marked as pending for an administrator to approve or deny. Problems detected with a policy module can cause a CA to fail to start or to cease functioning.

Event Details

Product: Windows Operating System
ID: 78
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_POLICY_LOG_ERROR
Message: The "%1" policy module logged the following error: %2

Resolve

Address policy module processing errors

To determine how to fix this error condition, examine the error code reported in the event log message.

The event log message can include the following codes:

  • MSG_NO_CA_OBJECT, MSG_NO_DOMAIN
  • MSG_NO_CERT_TYPES
  • MSG_DOMAIN_INIT

If these error messages contain no specific information, check for and resolve any additional related errors either before or after this error.

If the warnings cannot be resolved by addressing related symptoms and there is a problem with a policy module:

  • For a non-Microsoft policy module, contact the policy module provider for assistance.
  • For a Microsoft policy module, contact Microsoft Customer Service and Support. For more information, see https://go.microsoft.com/fwlink/?LinkId=89446.

MSG_NO_CA_OBJECT, MSG_NO_DOMAIN

This error code indicates that teh certification authority (CA) could not connect to Active Directory Domain Services, or it could not find the required Active Directory information. Failure to connect to a domain controller is normally due to a network connectivity problem or a permissions problem. 

To check and correct potential connectivity problems:

  • Check that AD DS is running by confirming that Active Directory services are running on each domain controller. For more information about Active Directory monitoring, see the Active Directory Management Pack for MOM (https://go.microsoft.com/fwlink/?LinkID=95697).  
  • Use network diagnostic tools, such as the Ping and Nltest command-line tools, to check the status of the network connection from the certification authority (CA) to AD DS.
  • Use the procedure Confirm permissions on essential AD DS containers and objects below to confirm that the CA has the correct permissions to objects and containers in AD DS.

MSG_NO_CERT_TYPES

This error code indicates that the CA looked for a list of certificate templates in the CertificateTemplates container in AD DS, but either could not find the list, or the list was empty.

To check and correct potential certificate template problems:

  • Use the procedure Confirm certificate template configuration and availability to check the permissions and other settings on the certificate template and that it has been added to the CA.

MSG_DOMAIN_INIT

This error code indicates that the CA could not connect to AD DS. This failure may be the result of a network connectivity problem or, more likely, a permissions problem.

To check and correct DOMAIN_INIT problems:

  • Use network diagnostic tools, such as the Ping and Nltest command-line tools, to check the status of the network connection from the CA to AD DS.
  • Use the procedure Confirm permissions on essential AD DS containers and objects below to confirm that the CA has the correct permissions to objects and containers in AD DS.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm certificate template configuration and availability

To confirm certificate template configuration and availability:

  1. Click Start, type certtmpl.msc, and then press ENTER.
  2. Select the certificate template associated with the error.
  3. Correct any security permissions or other configuration issues that might prevent a CA from issuing certificates based on the certificate template, and click OK.
  4. Open the Certification Authority snap-in, and double-click the name of the CA.
  5. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  6. Select the certificate template, and click OK.

Confirm permissions on essential AD DS containers and objects

To confirm that the CA has needed permissions on AD DS containers and objects within these containers:

  1. On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. Click Active Directory Sites and Services [domainname].
  3. On the View menu, click Show Services Node.
  4. Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties
  5. On the Security tab, confirm the required permissions.

The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.

  • Enrollment Services container. The CA computer has Read and Write access to its own object.
  • AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.
  • CDP container. The Cert Publishers group has Full Control access on every CA's container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.
  • Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.
  • Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.
  • KRA container. The CA computer has Full Control access on its own object. 
  • OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.
  • NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.
  • Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.

Verify

To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.

To confirm that the policy module is operational:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
  2. Right-click the Active Directory Certificate Services (AD CS) service, and click Restart.
  3. Open the event log, and confirm that it does not contain any errors relating to the policy module.

Errors relating to the policy module are:

  • Event 9: Source: Microsoft-Windows-CertificationAuthority. "Active Directory Certificate Services did not start: Unable to load a policy module."
  • Event 43: Microsoft-Windows-CertificationAuthority. "The "%1" policy module "%2" method caused an exception at address %4. The exception code is %3."
  • Event 44: Microsoft-Windows-CertificationAuthority. "The "%1" policy module "%2" method returned an error. %5 The returned status code is %3. %4"
  • Event 77: Microsoft-Windows-CertificationAuthority. "The "%1" policy module logged the following warning: %2"
  • Event 78: Microsoft-Windows-CertificationAuthority. "The "%1" policy module logged the following error: %2"

AD CS Policy Module Processing

Active Directory Certificate Services