Audit Certificate services No Event logs generated

  • Question

  • Hi Guys, 

    I hope someone can help me with this. 

    I have created a new AD certificate server, both a standalone root CA and an Enterprise SubCA, both on Windows 2016 servers. 

    In terms of creating and allocating certificates, everything looks to be working correctly. 

    The issue is that I am not getting any event logs generated for the request, acceptance, or denial of certificates. 

    I have enabled audit logs: Certification Services = Success and Failure

    and also confirmed that "Force audit policy subcategory settings to override audit policy category settings" is enabled. 

    Yet I don't get any logs. I also tried to enable basic Audit object access, yet something seems to disable this as soon as it's enabled. 

    I keep looking through the event logs and cannot see any event ID between 4860 and 4899, which should cover all the certificate event logs. 

    I have confirmed that the configuration shows up using auditpol and also gpresult. 

    Has anyone got any ideas how to get these audit events? What might I be doing wrong? 

    Thanks for your time in advance. 

    Craig 


    Craig G

    Wednesday, February 26, 2020 10:46 PM

Answers

  • Hi,

    Thanks for your email. Sorry for the slow response. 

    I have just reviewed this. 

    A1: Yesterday I spent a morning testing it. At the beginning I also created a new custom GPO and enabled the policy, but the policy did not take effect at all. Through the test in my lab, we must enable it in the Default Domain Policy object, if we enable the settings in other custom GPO object, it does not work.

    I can confirm that it does not seem to work in a sub policy. I have not tested in the default policy yet, but will hope to do that soon. 

    If it does work in the default domain policy, I then have the question: does this not create excessive audit events on all machines?

    Thanks for your time again.

    Craig 


    Craig G

    • Marked as answer by Craig Garland Wednesday, March 4, 2020 4:49 AM
    Monday, March 2, 2020 2:40 AM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    According to my research, we can understand the meaning of 4860 and 4899 as below:

    4899: A Certificate Services template was updated.

    4860: we can see the description about 4860 based on the following link, it seems the event ID is not related to AD CS.

    http://kb.eventtracker.com/evtpass/evtpages/EventId_4860_Microsoft-Windows-Complus_66875.asp


    Meanwhile, I think you are looking for all the event IDs here.

    Audit Certification Services
    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services

    So we can try the following steps, and it works in my lab.

    1. On the CA server, open CA Properties and check all the options or some options according to our needs.


    2. On the DC, open Default Domain Policy object and enable the following two settings.

    Tip: we must enable it in the Default Domain Policy object; if we enable the settings in another custom GPO object, it does not work.

    Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit Object Access => Success and Failure

    Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policy → Object Access → Audit Certificate service => Success and Failure

    3. Run gpupdate /force on the CA server and other clients to refresh GPO settings.

    4. Then we can try to request a certificate and check these event IDs under the Security log on the CA server.

    And here are some event IDs in my lab.

    Hope the information is helpful to you. If anything is unclear, please feel free to let us know.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 27, 2020 6:47 AM
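    The following PowerShell script is an added diagnostic example, not part of the thread and not Microsoft's own code. It checks, on the CA server, the three things the steps above depend on: the effective audit subcategory as the system sees it (rather than what the GPO says), the CA's own audit filter behind the check boxes on the Auditing tab of CA Properties, and whether any events in the 4860-4899 range the question asks about have actually been written to the Security log. It assumes it is run in an elevated prompt on the CA; the registry value name SCENoApplyLegacyAuditPolicy and the AuditFilter value 127 (all seven boxes checked) are standard Windows/AD CS values, not something from this thread.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the CA server.

# 1. Effective advanced audit policy for the Certification Services subcategory.
#    "/r" makes auditpol emit CSV, so it can be parsed rather than read by eye.
$auditPol = auditpol /get /subcategory:"Certification Services" /r | ConvertFrom-Csv
$auditPol | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# When this value is 1, subcategory settings override the legacy category settings,
# which is what "Force audit policy subcategory settings ... to override" configures.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 2. The CA's audit filter: a bit mask set by the Auditing tab of CA Properties.
#    127 means all seven event groups are selected; 0 means nothing is audited
#    even if the Group Policy side is correct. CertSvc must be restarted after a change.
certutil -getreg CA\AuditFilter

# 3. Look for AD CS audit events in the Security log over the last 24 hours.
#    An XPath range query is used instead of a long list of IDs.
$xpath = "*[System[(EventID >= 4860 and EventID <= 4899) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

if (-not $events) {
    "No AD CS audit events in the last 24 hours. Check the audit policy, the LSA override value and AuditFilter above."
} else {
    # Count per event ID, e.g. 4886 (request received), 4887 (approved/issued), 4888 (denied).
    $events | Group-Object Id | Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize
}
```

    If the first check reports "No Auditing" while gpresult shows the policy applied, the GPO is not taking effect on this host, which is the symptom the thread describes; if auditpol looks right but AuditFilter is 0, the gap is on the CA side rather than in Group Policy.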
  • Hi

    The issue I have with this is that you're pushing Audit Object Access to all machines in the domain. Is this not a bit excessive for just trying to create audit for one machine? 

    So the option then is to create a group policy for this and limit it to just the one machine, which seems like a poor design for one machine. I also thought that if I had audit certificate service enabled then I would not need audit object access, as the certificate service overrides the audit object. Is this not the case?

    Thanks for your time.

    Craig 


    Craig G

    Thursday, February 27, 2020 9:15 PM
  • Hi,
    Q1: The issue I have with this is that you're pushing Audit Object Access to all machines in the domain. Is this not a bit excessive for just trying to create audit for one machine? 

    A1: Yesterday I spent a morning testing it. At the beginning I also created a new custom GPO and enabled the policy, but the policy did not take effect at all. Through the test in my lab, we must enable it in the Default Domain Policy object, if we enable the settings in other custom GPO object, it does not work.

    You can do a test in your lab to check it.


    Q2: I also thought that if I had audit certificate service enable then I would not need audit object access, as the certificate service overrides the audit object. Is this

    A2: We can see the answer on the Auditing tab of CA Properties.

    To start logging events to the security log, you must enable the "Audit object access" setting in Group Policy.
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 28, 2020 2:48 AM
  • Hi,

    Q: If it does work in the default domain policy, I then have the question: does this not create excessive audit events on all machines?
    A: If it does work in the default domain policy, in my lab, I can see it will create excessive audit events only on the CA server.

    I suggest you can test in your lab.

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 2, 2020 5:58 AM
  • Hi,
    Is there any update on this question, or is the issue solved? Also, is there any other assistance we could provide for this question?
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 4, 2020 3:08 AM
  • Hi,

    Sorry I have not had time to test. I am going to mark your answer as correct as it looks like it will fix the issue.

    I will try and confirm later.

    Thanks.


    Craig G

    Wednesday, March 4, 2020 4:49 AM