Collection Rule for event with source CertificationAuthority and ID 108 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.108
  • Description:  Active Directory Certificate Services could not delete a Certificate for request from specified location.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Causes

This rule does not contain any causes.

Resolutions

Manually delete the certificate

  • Confirm that you have network access to the location where the certificate is stored.

  • Try to delete the certificate mentioned in the event log message by using one of the following procedures.

  • If you confirm that you have network connectivity and still cannot delete the certificate, then confirm permissions on the Domain Users and Domain Computers containers in Active Directory Domain Services (AD DS) before attempting to delete the certificate again.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Delete a certificate

To delete a certificate by using the Certificates snap-in:

  • Confirm that the certificate that you want to delete exists in the location identified in the event log message.

  • If you are unable to access this location because of a connection issue, correct this issue and try again.

  • Click Start, type mmc, and then press ENTER.

  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  • On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  • Select the user, service, or computer account, and click Next.

  • If you want to delete a certificate for a computer or service, identify the computer or service. Click Finish, and then click OK.

  • Select the certificate store where the certificate you intend to delete exists.

  • Right-click the certificate you want to delete, and click Delete.

  • When asked whether you want to delete this certificate, click Yes.

You can also remove an invalid certificate by using the Certutil command-line tool.

To delete a certificate by using Certutil:

  • Open a command prompt window.

  • Type certutil -viewdelstore <network location specified in the event log message> and press ENTER.

  • Select the certificate you want to delete, and click OK.

If you are still unable to delete the certificate, follow the procedure in the "Confirm permissions on the Domain Computers and Domain Users containers in Active Directory Domain Services" section to confirm that the computer hosting the certification authority (CA) has Read and Write permissions to the location specified in the error message.

Confirm permissions on the Domain Computers and Domain Users containers in Active Directory Domain Services

To confirm that the CA has necessary permissions on the Domain Computers and Domain Users containers:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Active Directory Sites and Services.

  • On the View menu, click Show Services Node.

  • Double-click Services, double-click Public Key Services, right-click Domain Computers, and click Properties.

  • On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.

  • Right-click Domain Users, and click Properties.

  • On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
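The permission check above can also be scripted. The following is an added PowerShell example, not part of the management pack or the original article: it evaluates a list of access rules for the Cert Publishers group. The function name `Test-CertPublishersAccess`, the constructed sample ACEs, the `<distinguished name of the container>` placeholder, and the mapping of Read and Write to `ReadProperty` and `WriteProperty` are assumptions of this example.

```powershell
# Added example, not from the management pack. Function name and sample data are hypothetical.
Add-Type -AssemblyName System.DirectoryServices

function Test-CertPublishersAccess {
    param(
        [Parameter(Mandatory)] [object[]] $AccessRules,   # e.g. (Get-Acl 'AD:\<DN>').Access
        [string] $Group = 'Cert Publishers'
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # Keep only ACEs whose trustee is the group (DOMAIN\Cert Publishers).
    $aces = @($AccessRules | Where-Object { "$($_.IdentityReference)" -like "*\$Group" })

    $allowed = 0
    $denied  = 0
    foreach ($ace in $aces) {
        # Accepts either the enum value from Get-Acl or its string form.
        $mask = [int]($ace.ActiveDirectoryRights -as $rights)
        if ("$($ace.AccessControlType)" -eq 'Deny') { $denied = $denied -bor $mask }
        else { $allowed = $allowed -bor $mask }
    }

    # Conservative: any Deny is treated as overriding Allow, regardless of inheritance order.
    $effective = $allowed -band (-bnot $denied)

    # Assumption: Read/Write on the Security tab are approximated by ReadProperty/WriteProperty.
    [pscustomobject]@{
        Group    = $Group
        AceCount = $aces.Count
        CanRead  = [bool]($effective -band [int]$rights::ReadProperty)
        CanWrite = [bool]($effective -band [int]$rights::WriteProperty)
        HasDeny  = ($denied -ne 0)
    }
}

# Constructed sample ACEs (CONTOSO is a made-up domain) so the function runs without AD.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Cert Publishers'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty, ListChildren' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins';   AccessControlType = 'Allow'; ActiveDirectoryRights = 'GenericAll' }
)
Test-CertPublishersAccess -AccessRules $sample

# Against the directory (requires the ActiveDirectory module for the AD: drive):
#   Import-Module ActiveDirectory
#   Test-CertPublishersAccess -AccessRules (Get-Acl 'AD:\<distinguished name of the container>').Access
```

A result with `CanWrite` false or `HasDeny` true for the container named in the event points to the permission problem this procedure is meant to find.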

External References

This rule does not contain any external references.
