Event ID 13 - Autoenrollment Error

Question
-
We are getting the following error on the application log of the CA server:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 1/15/2010
Time: 9:56:59 AM
User: N/A
Computer: SU01DC
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070057). The parameter is incorrect.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
On the other DCs we receive these error on the application log:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 1/15/2010
Time: 12:37:32 PM
User: N/A
Computer: SP01DC22K3
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I went to the CA Server and Restart the Certificate Service and also got this error on its App Log:
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 44
Date: 1/15/2010
Time: 12:47:37 PM
User: N/A
Computer: SU01DC
Description:
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168). Certificate Services could not find required Active Directory information.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Any ideas?
Friday, January 15, 2010 4:55 PM
Answers
-
Hi Ivan,
Yes, you understand correctly. Please also try the following steps to resolve the issue:
1. Define read and execute permissions for Authenticated Users on the C:\windows\system32\certsrv folder.
283218 A Certification Authority Cannot Use a Certificate Template
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283218
2. Check the group membership of the Certsvc Service DCOM Access group. Make sure "Domain Users", "Domain Computers" and "Domain Controllers" are present.
3. Restart the CA.
If the issue continues, you may consider uninstalling the CA service, reinstalling the service and restoring the CA from backup.
You can refer to:
How to move a certification authority to another server:
http://support.microsoft.com/kb/298138/en-us
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by Wilson Jia Monday, January 25, 2010 1:30 AM
Friday, January 22, 2010 7:02 AM
All replies
-
Hi Ivan,
Thank you for posting here.
According to your description, I understand that you got a CA autoenrollment error in your environment.
To troubleshoot Event ID 13 "autoenrollment", please follow the links below:
For the particular Event 44 Certsrv "Element not found" error, please check the following:
1. Verify that "Authenticated Users" have Read permissions to the following location:
"cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"
283218 A Certification Authority Cannot Use a Certificate Template
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283218
2. Check whether there is a pKIEnrollmentService object at the following location:
"cn=<CA Name>,cn=Enrollment Services,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"
If you are missing this AD Object then follow the below steps:
a) Right clicked on "CN=Enrollment Services" then selected "New" then "Object"
b) We selected the object class of: "pKIEnrollmentService"
c) For Attribute "cn" we gave it the name of the Certification Authority then clicked "Next"
d) Then clicked on "Finish"
e) We then right-clicked on the new "pKIEnrollmentService" object and selected "Properties"
i. cACertificateDN = This comes from the "Subject" field of the CA's certificate.
ii. cACertificate = We got the information for this attribute by looking at another object that had the field defined within Active Directory. You can look at the following location for the CA Certificate object:
"cn=<CA Name>,cn=Certification Authorities,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"
iii. displayName = "<CA Name>" - We named this the same as the CA’s name.
iv. dNSHostName = The server's DNS name.
v. flags = See NOTE below
NOTE: The flags attribute needs to be configured for the type and OS version of the CA. Here are basically the different valid flags settings:
Enterprise CA running on Standard Edition of the Operating System: "2"
Enterprise CA running on Enterprise Edition of the Operating System: "10"
Standalone CA running on Standard Edition of the Operating System: "5"
Standalone CA running on Enterprise Edition of the Operating System: "9"
f) Make sure that the CA's computer object has Full Control to this object via the Security Tab.
g) We then clicked OK.
In addition, you can refer to:
Event ID 44 — AD CS Policy Module Processing
http://technet.microsoft.com/en-us/library/cc774512(WS.10).aspx
Hope this helps.
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
Monday, January 18, 2010 7:34 AM
-
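The checks Wilson lists above (pKIEnrollmentService object and its attributes, Authenticated Users read access on the Certificate Templates container) and in the marked answer (CERTSVC_DCOM_ACCESS membership, read and execute on the certsrv folder) can be verified in one pass. This is an added diagnostic script, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined host, a CA hosted on a domain controller (so the DCOM group is a domain group named CERTSVC_DCOM_ACCESS), and `$CaName` is a placeholder for the CA's common name.

```powershell
# Added diagnostic script, not from the thread. Assumes the RSAT ActiveDirectory
# module on a domain-joined host; $CaName is a placeholder for the CA's common name.
Import-Module ActiveDirectory

$CaName   = 'YOUR-CA-NAME'                                     # placeholder
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"
$Problems = @()

# 1. Event 44 "Element not found": the CA's pKIEnrollmentService object and its attributes.
$EnrollDN = "CN=$CaName,CN=Enrollment Services,$PkiBase"
$Enroll = Get-ADObject -Identity $EnrollDN -Properties cACertificateDN,cACertificate,displayName,dNSHostName,flags -ErrorAction SilentlyContinue
if (-not $Enroll) { $Problems += "Missing object: $EnrollDN" }
else {
    foreach ($Attr in 'cACertificateDN','cACertificate','displayName','dNSHostName') {
        if (-not $Enroll.$Attr) { $Problems += "$EnrollDN has no $Attr value" }
    }
}

# 2. KB 283218: Authenticated Users need Read on the Certificate Templates container.
$TemplatesDN = "CN=Certificate Templates,$PkiBase"
$AdAcl   = Get-Acl -Path "AD:\$TemplatesDN"
$HasRead = $AdAcl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}
if (-not $HasRead) { $Problems += "Authenticated Users lack Read on $TemplatesDN" }

# 3. Event 13 0x80070005 on the DCs: membership of the CA's DCOM access group.
$Members = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
foreach ($Group in 'Domain Users','Domain Computers','Domain Controllers') {
    if ($Members -notcontains $Group) { $Problems += "$Group is not in CERTSVC_DCOM_ACCESS" }
}

# 4. Read & execute for Authenticated Users on %SystemRoot%\System32\certsrv.
$FsAcl = Get-Acl -Path "$env:SystemRoot\System32\certsrv"
$HasRX = $FsAcl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadAndExecute) -eq
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}
if (-not $HasRX) { $Problems += 'Authenticated Users lack Read & Execute on System32\certsrv' }

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

Run it on the CA itself so that check 4 inspects the right folder; inherited ACEs are included by Get-Acl, so a read grant on a parent container satisfies check 2.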
For the Event 44 Certsrv "Element not found" error, I checked all the procedure you sent, BUT still have the same problem.
Any other comments are welcome.
Thanks,
Ivan
Monday, January 18, 2010 4:21 PM
-
Hi Ivan,
Can you use the LDP.exe tool to query Certificate Template information under "cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"?
You can get the LDP tool from the following link:
http://support.microsoft.com/kb/892777
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
Tuesday, January 19, 2010 8:23 AM
-
Just to be 100% sure: when you said "to query" you mean that on LDP.exe after connecting to the server and completing the Binding on the connection, I go to "Menu options = Browse\Search" and search for "cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>" where "domain component" are my domain information?
If that is the correct procedure: then the answer is YES, we can query Certificate Template under that path.
Any comments are welcome.
Ivan
Tuesday, January 19, 2010 3:13 PM
-
Wilson,
Sorry for the delay in my response.
I've just checked the procedure you suggested and here are the findings:
1. We have read and execute permissions for Authenticated Users on C:\Windows\System32\certsrv folder.
2. "Domain Users", "Domain Computers" and "Domain Controllers" are members of the Certsvc Service DCOM Access group.
We've just restored the CA from a backup and have the same problem.
Any other thoughts?
Thanks,
Ivan
Monday, February 1, 2010 8:27 PM
-
Hi Ivan, actually to resolve this I just added the "Domain Controllers" group to the "CERTSVC_DCOM_ACCESS" group.
The autoenrollment works in my new domain controller after reboot.
Maybe this can help you,
Rodrigo
Monday, July 11, 2011 7:57 PM
-
Hi Wilson,
This worked for me.
However, in step 2c, when you are creating the new object, select "More attributes" and specify dNSHostName there. Also, I did not have to change the value for "flags"; I left it as 0.
Thanks heaps.
Bhargav
MCTS: Microsoft Exchange Server 2007 and 2010 MCITP: Enterprise Administrator on Windows Server® 2008
Friday, October 12, 2012 3:53 AM
-
For what it's worth, here's my complete implementation using PEAP, 802.1x, IAS and a Cisco AP 1231, and a thread link on the subject, in case anyone else is searching on this and finds this thread.
802.1x Wireless Implementation
http://blogs.msmvps.com/acefekay/2012/09/28/802-1x-wireless-implementation/
Thread: "Windows XP Wireless GPO rollout" 9/9/2012
Good outline on wireless 802.1x in a post by Lawrence Lv
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/63e204e1-5683-44ff-bf38-6b7fd5e18428
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
- Edited by Ace Fekay [MCT] Friday, October 12, 2012 3:49 PM adjusted links posted
Friday, October 12, 2012 3:48 PM