ADCS - How can I diagnose the exact reason a certificate request was denied by a policy module?


This link describes how to extract more logging from the certificate service. A restart may be required.

To enable debug logging for the native Windows CertEnroll client, execute the following command:

    certutil -setreg enroll\debug 0xffffffe3

The log file is in the following location: %windir%\CertEnroll.log

    certutil -setreg ca\debug 0xffffffe3

The log file is in the following location: %windir%\certsrv.log
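The following PowerShell script is an added worked example, not part of the original answer. It ties the three places a denial is recorded on the CA together for one request: the CA database row (whose StatusCode column carries the HRESULT), the Application-log event from the Microsoft-Windows-CertificationAuthority provider, and, once the registry value above is set, the %windir%\certsrv.log debug file. It then decodes every HRESULT it finds with certutil -error, which is how 0x80094005 resolves to CERTSRV_E_INVALID_CA_CERTIFICATE without a web search. Assumptions: it runs elevated on the CA host; the request ID (4) and HRESULT (0x80094005) defaults are taken from the event text quoted in the question; the event ID 53 mentioned in the comments is what I have observed for "denied request" events, so the filter matches on message text rather than relying on it.

```powershell
# Added example (not the original answer's code): gather what the CA knows
# about one denied request and decode its HRESULT. Run elevated on the CA.
# Assumed defaults come from the event text quoted in the question.
param(
    [int]$RequestId = 4,
    [switch]$EnableDebugLog   # set CA\Debug as in the answer; restarts CertSvc
)

# 1. Optional: turn on the CA debug log described in the answer.
#    This requires a service restart, so do it in a maintenance window.
if ($EnableDebugLog) {
    certutil -setreg CA\Debug 0xffffffe3 | Out-Null
    Restart-Service CertSvc
    Write-Host "CA debug logging enabled; log is $env:windir\certsrv.log"
}
Write-Host "Current CA\Debug value:"
certutil -getreg CA\Debug

# 2. The CA database row for the request. Disposition 31 = Denied, 30 = Failed;
#    StatusCode is the HRESULT, DispositionMessage the text from the event.
Write-Host "`n== CA database row for request $RequestId =="
certutil -view -restrict "RequestID=$RequestId" `
    -out "RequestID,Disposition,StatusCode,DispositionMessage,RequesterName,SubmittedWhen"

# 3. The matching denial event in the Application log. The provider name is
#    fixed; the event text is "...denied request <id> because <reason>".
#    (Event ID is 53 on the CAs I have checked; the text match avoids relying on it.)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "denied request $RequestId\b" }

Write-Host "`n== Event log entries for request $RequestId =="
$events | Format-List TimeCreated, Id, Message

# 4. Decode every HRESULT those events mention. certutil -error accepts the
#    hex form (0x80094005) and the signed decimal form (-2146877435).
$hresults = @($events.Message |
    Select-String -Pattern '0x[0-9A-Fa-f]{8}' -AllMatches |
    ForEach-Object { $_.Matches.Value } |
    Sort-Object -Unique)
if ($hresults.Count -eq 0) { $hresults = @('0x80094005') }   # fallback from the question
foreach ($h in $hresults) {
    Write-Host "`n== certutil -error $h =="
    certutil -error $h
}

# 5. With debug logging on, show the certsrv.log lines around the failure.
#    The policy module's own trace appears here, so this is where a denial
#    that the event text describes only generically gets its detail.
$log = Join-Path $env:windir 'certsrv.log'
if (Test-Path $log) {
    Write-Host "`n== $log (last matches) =="
    Select-String -Path $log -Pattern "\b$RequestId\b|0x80094005" -Context 2,2 |
        Select-Object -Last 20
} else {
    Write-Host "`nNo $log yet; rerun with -EnableDebugLog and resubmit the request."
}
```

Run it as `.\Diagnose-Denial.ps1 -RequestId 4 -EnableDebugLog`, resubmit the failing request, and run it again without the switch. The debug value is verbose and the log is unbounded, so reset it afterwards with `certutil -setreg CA\Debug 0` followed by `Restart-Service CertSvc`. Step 2 is the quickest way to list all denials at once: replace the restriction with `-restrict "Disposition=31"`.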



Author by Juanjo Daza

Updated on September 18, 2022

Comments

  • Juanjo Daza, almost 2 years

    I need to develop operational procedures to audit and understand why a specific request was rejected by an Active Directory Certificate Services (ADCS) Policy Module.

    I've attempted turning on all logging (checkboxes) in the GUI, and checked the Event Log. I only see one event log entry per failed request; however, I don't have a clear way of determining what caused it to fail. An example of a failure is below:

    Active Directory Certificate Services denied request 4 because The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Issue01a, CN=Bits.com, OU=For email security, O=Bits LLC, C=US. Additional information: Denied by Policy Module

    The above example is a sub-CA that intentionally had a validity period that would extend beyond the validity of the parent CA.

    I'm hoping to derive that reason from the error code above, or some other location.

    What I've done: Searching for the error "2146877435" in Google results in this very post being pulled up. None of the results on the first few pages are a list of error codes and reasons.

  • mr.spuratic, over 7 years
    FWIW, another possible cause of that error code is the policy being incompatible with the attempted action: specifically trying to sign a new CA with a CA whose pathlen is 0 (so there's nothing "invalid" about the CA data, it's merely an inappropriate action). The debug flag works, sadly it simply prints that error out more times instead of explaining the problem...