Event ID 13 - Autoenrollment Error

    Question

  • We are getting the following error on the application log of the CA server:

    Event Type: Error
    Event Source: AutoEnrollment
    Event Category: None
    Event ID: 13
    Date:  1/15/2010
    Time:  9:56:59 AM
    User:  N/A
    Computer: SU01DC
    Description:
    Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070057).  The parameter is incorrect.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    On the other DCs we receive these errors on the application log:

    Event Type: Error
    Event Source: AutoEnrollment
    Event Category: None
    Event ID: 13
    Date:  1/15/2010
    Time:  12:37:32 PM
    User:  N/A
    Computer: SP01DC22K3
    Description:
    Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005).  Access is denied.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    I went to the CA Server and restarted the Certificate Service, and also got this error on its App Log:

    Event Type: Error
    Event Source: CertSvc
    Event Category: None
    Event ID: 44
    Date:  1/15/2010
    Time:  12:47:37 PM
    User:  N/A
    Computer: SU01DC
    Description:
    The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168).  Certificate Services could not find required Active Directory information.


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Any ideas?

    Friday, January 15, 2010 4:55 PM

Answers

  • Hi Ivan,

    Yes, you understand correctly.
    Please also try the following steps to resolve the issue:

    1. Define read and execute permissions for Authenticated Users on the C:\windows\system32\certsrv folder.

       283218 A Certification Authority Cannot Use a Certificate Template
       http://support.microsoft.com/default.aspx?scid=kb;EN-US;283218

    2. Check the group membership of Certsvc Service Dcom Access. Make sure "domain users", "domain computers" and "domain controllers" are present.

    3. Restart the CA.

    If the issue continues, you may consider uninstalling the CA service, reinstalling the service and restoring the CA from backup.

    You can refer to:

    How to move a certification authority to another server:
    http://support.microsoft.com/kb/298138/en-us

     

    Regards,

    Wilson Jia



    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Wilson Jia Monday, January 25, 2010 1:30 AM
    Friday, January 22, 2010 7:02 AM

All replies

  • Hi Ivan,

     

    Thank you for posting here.

    According to your description, I understand that you got a CA autoenrollment error in your environment.

    To troubleshoot Event ID 13 "autoenrollment", please follow the link below:

    http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=13&EvtSrc=autoenrollment&LCID=1033/

    For the particular Event 44 Certsrv "Element not found" error, please check the following:

    1. Verify that "Authenticated Users" have Read permissions to the following location:

    "cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"

    283218 A Certification Authority Cannot Use a Certificate Template
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;283218

    2. Check whether there is a pKIEnrollmentService object at the following location:

    "cn=<CA Name>,cn=Enrollment Services,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"

    If you are missing this AD object, then follow the steps below:

    a) We right-clicked on "CN=Enrollment Services", then selected "New", then "Object".
    b) We selected the object class "pKIEnrollmentService".
    c) For the attribute "cn" we gave it the name of the Certification Authority, then clicked "Next".
    d) We then clicked "Finish".
    e) We then right-clicked on the new "pKIEnrollmentService" object and selected "Properties":
        i. cACertificateDN = taken from the "Subject" field of the CA's certificate.
        ii. cACertificate = we got the information for this attribute by looking at another object that had the field defined within Active Directory.

    You can look at the following location for the CA Certificate object:

    "cn=<CA Name>,cn=Certification Authorities,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"

        iii. displayName = "<CA Name>" - we named this the same as the CA's name.
        iv. dNSHostName = the server's DNS name.
        v. flags = see NOTE below.

    NOTE: The flags attribute needs to be configured for the type and OS version of the CA. Here are basically the different valid flags settings:

    Enterprise CA running on Standard Edition of the Operating System: "2"
    Enterprise CA running on Enterprise Edition of the Operating System: "10"
    Standalone CA running on Standard Edition of the Operating System: "5"
    Standalone CA running on Enterprise Edition of the Operating System: "9"

    f) Make sure that the CA's computer object has Full Control on this object via the Security tab.
    g) We then clicked OK.

    In addition, you can refer to:

    Event ID 44 — AD CS Policy Module Processing
    http://technet.microsoft.com/en-us/library/cc774512(WS.10).aspx

    Hope this helps.

    Regards,

    Wilson Jia

     


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, January 18, 2010 7:34 AM
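As an added example (my own script, not from the thread or from Microsoft), the following PowerShell performs, read-only, the checks that the Event 44 reply above and steps 1 and 2 of the accepted answer walk through: the pKIEnrollmentService object and its attributes, Authenticated Users' Read permission on the Certificate Templates container, CERTSVC_DCOM_ACCESS membership, and the certsrv folder ACL. It assumes the ActiveDirectory PowerShell module on a domain-joined host and, as in this thread, a CA installed on a DC (so CERTSVC_DCOM_ACCESS is a domain group); <CA Name> is a placeholder for the CA's common name.

```powershell
# Added example, not from the thread: read-only checks for the objects and permissions
# discussed above. Assumes the ActiveDirectory module and a CA that lives on a DC.
Import-Module ActiveDirectory
$CaName = '<CA Name>'   # placeholder: the CA's common name (shown as <CA Name> in the thread)

$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"
$authUsers = 'NT AUTHORITY\Authenticated Users'

# Event 44 "Element not found": the CA needs a pKIEnrollmentService object under Enrollment Services
$enroll = Get-ADObject -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaName))" `
    -SearchBase "CN=Enrollment Services,$pks" -Properties cACertificateDN,dNSHostName,displayName,flags
if (-not $enroll) {
    Write-Warning "No pKIEnrollmentService object named '$CaName' under CN=Enrollment Services,$pks"
} else {
    $enroll | Select-Object cACertificateDN,dNSHostName,displayName,flags | Format-List
    # The reply copies cACertificate from the CA's own object under Certification Authorities
    $caObj = Get-ADObject -Identity "CN=$CaName,CN=Certification Authorities,$pks" `
        -Properties cACertificate -ErrorAction SilentlyContinue
    if (-not $caObj.cACertificate) { Write-Warning "cACertificate is empty on the Certification Authorities object" }
}

# Event 13 0x80070005 "Access is denied": Authenticated Users need Read on the Certificate Templates container
$tplDn = "CN=Certificate Templates,$pks"
$gr = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$tplRead = (Get-Acl -Path "AD:\$tplDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $authUsers -and $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $gr) -ne 0)
}
if (-not $tplRead) { Write-Warning "Authenticated Users have no Read ACE on $tplDn" }

# Step 2 of the accepted answer: CERTSVC_DCOM_ACCESS must contain these three groups
$members = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' | Select-Object -ExpandProperty Name
foreach ($g in 'Domain Users','Domain Computers','Domain Controllers') {
    if ($members -notcontains $g) { Write-Warning "CERTSVC_DCOM_ACCESS is missing '$g'" }
}

# Step 1 of the accepted answer: Authenticated Users need Read & Execute on %windir%\System32\certsrv
# (run this part on the CA itself; an ACE granting only generic rights is not recognised here)
$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$dir = Join-Path $env:windir 'System32\certsrv'
$fsRead = (Get-Acl -Path $dir).Access | Where-Object {
    $_.IdentityReference.Value -eq $authUsers -and $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}
if (-not $fsRead) { Write-Warning "Authenticated Users lack Read & Execute on $dir" }
```

On a member-server CA, CERTSVC_DCOM_ACCESS is a local group instead, so that check would use Get-LocalGroupMember rather than Get-ADGroupMember.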
  • For the Event 44 Certsrv "Element not found" error, I checked all the procedure you sent, BUT still have the same problem.

    Any other comments are welcome.

    Thanks,
    Ivan

    Monday, January 18, 2010 4:21 PM
  • Hi Ivan,

    Can you use LDP.exe tool to query Certificate Template information under "cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>"?

     

    You can get the LDP tool from the following link:

    http://support.microsoft.com/kb/892777

     

    Regards,
    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, January 19, 2010 8:23 AM
  • Just to be 100% sure:  when you said "to query" you mean that on LDP.exe after connecting to the server and completing the Binding on the connection, I go to "Menu options = Browse\Search" and search for "cn=Certificate Templates,cn=Public Key Services,cn=Services,cn=Configuration,dc=<Domain Component>,dc=<Domain Component>" where "domain component" are my domain information?

    If that is the correct procedure: then the answer is YES, we can query Certificate Template under that path.

    Any comments are welcome.
    Ivan

    Tuesday, January 19, 2010 3:13 PM
  • Wilson,

    Sorry for the delay in my response.

    I've just checked the procedure you suggested and here are the findings:

    1. We have read and execute permissions for Authenticated Users on C:\Windows\System32\certsrv folder.
    2. "Domain Users", "Domain Computers" and "Domain Controllers" are members of the Certsvc Service Dcom Access group.

    We've just restored the CA from a backup and have the same problem.

    Any other thoughts?

    Thanks,
    Ivan
    Monday, February 1, 2010 8:27 PM
  • Hi Ivan, actually to resolve this I just added the "Domain Controllers" group to the "CERTSVC_DCOM_ACCESS" group.
    The autoenrollment works on my new domain controller after reboot.


    Maybe this can help you,
    Rodrigo

    Monday, July 11, 2011 7:57 PM
  • Hi Wilson,

    This worked for me.

    However, in step 2c, when you are creating the new object, select "More attributes" and specify dNSHostName there. Also, I did not have to change the value for "flags"; I left it as 0.

    Thanks heaps.

    Bhargav


    MCTS: Microsoft Exchange Server 2007 and 2010 MCITP: Enterprise Administrator on Windows Server® 2008

    Friday, October 12, 2012 3:53 AM
  • For what it's worth, here's my complete implementation using PEAP, 802.1x, IAS and a Cisco AP 1231, and a thread link on the subject, in case anyone else is searching on this and finds this thread.

    802.1x Wireless Implementation
    http://blogs.msmvps.com/acefekay/2012/09/28/802-1x-wireless-implementation/

    Thread: "Windows XP Wireless GPO rollout" 9/9/2012
    Good outline on wireless 802.1x in a post by Lawrence Lv
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/63e204e1-5683-44ff-bf38-6b7fd5e18428


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT] Friday, October 12, 2012 3:49 PM adjusted links posted
    Friday, October 12, 2012 3:48 PM