Collection Rule for event with source CertificationAuthority and ID 79 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.79
  • Description:  Certificate Services failed to publish an end-entity certificate.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Causes

This rule does not contain any causes.

Resolutions

Enable publication of an end-entity certificate

In order to publish a certificate you need network connectivity and network permissions. To resolve this issue:

  • Confirm that you have network connectivity between the client and certification authority (CA).

  • Confirm that the CA has Read and Write permissions on the userCertificate attribute of the user or computer object of the entity requesting the certificate.

  • If you have more than one domain or a two-level (parent/child) domain hierarchy, you need to allow the Cert Publishers group from one domain (domain A) Read and Write permissions on the userCertificate attribute in another domain (domain B). To do this, follow the procedure in the "Correct cross-domain permission errors" section.

  • Publish the certificate.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm network connectivity between a client and a CA

To confirm a client connection to a CA:

  • On the client, click Start, type cmd and press ENTER.

  • Type ping <server_FQDN>, where <server_FQDN> is the fully qualified domain name (FQDN) of the CA (for example, server1.contoso.com), and then press ENTER.

  • If the ping was successful, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=20ms TTL=59
    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=6ms TTL=59

  • At the command prompt, type ping <IP_address>, where <IP_address> is the IP address of the CA, and then press ENTER.

  • If you can successfully connect to the CA by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution. If you cannot successfully connect to the CA by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security (IPsec) configuration.

Confirm permissions on the Domain Computers and Domain Users containers in Active Directory

To confirm that the CA has necessary permissions on the Domain Computers and Domain Users containers:

  • Click Start, point to Administrative Tools, and click Active Directory Sites and Services.

  • On the View menu, click Show Services Node.

  • Double-click Services, double-click Public Key Services, right-click Domain Computers, and click Properties.

  • On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.

  • Right-click Domain Users, and click Properties.

  • On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.

Correct cross-domain permissions errors

To set these permissions by using the Dsacls tool:

  • Click Start, type cmd and press ENTER, then run the following commands:

  • dsacls "dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":RP;userCertificate;user

  • dsacls "dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":WP;userCertificate;user

  • dsacls "cn=<adminsdholder>,cn=system,dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":RP;userCertificate;user

  • dsacls "cn=<adminsdholder>,cn=system,dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":WP;userCertificate;user

  • Substitute the correct names from your organization for the <domainA>, <domainB>, <contoso>, and <com> placeholders in the example. <domainA> is the domain of the CA that publishes the certificates; <domainB> is the domain that holds the user or computer objects being published to.

  • For more information, see article 281271 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=95695).
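The following PowerShell check is an added example, not part of the management pack or of Microsoft's documentation. It reads the ACLs that the Dsacls commands above modify and reports whether the Cert Publishers group of the publishing CA's domain holds Read and Write on the userCertificate attribute of user objects, on both the domain naming context and the AdminSDHolder container (the two places the "Confirm permissions" and "Correct cross-domain permissions errors" procedures cover). It assumes the ActiveDirectory module is installed and that the placeholder "DOMAINA\Cert Publishers" is replaced with the real group.

```powershell
Import-Module ActiveDirectory

# Look up schemaIDGUIDs from the schema partition rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Returns ReadProperty/WriteProperty booleans for $Publisher on userCertificate of user objects under $TargetDN.
function Test-CertPublisherAccess {
    param(
        [Parameter(Mandatory)][string]$TargetDN,   # e.g. "DC=domainB,DC=contoso,DC=com"
        [Parameter(Mandatory)][string]$Publisher   # e.g. "DOMAINA\Cert Publishers" (placeholder)
    )
    $attrGuid  = Get-SchemaGuid 'userCertificate'
    $classGuid = Get-SchemaGuid 'user'
    $acl       = Get-Acl -Path ("AD:\" + $TargetDN)
    $result    = [ordered]@{ ReadProperty = $false; WriteProperty = $false }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Publisher) { continue }
        # An empty ObjectType means "all properties", which also satisfies the check.
        $attrMatch  = ($ace.ObjectType -eq $attrGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        # An empty InheritedObjectType means the ACE applies to every child object class.
        $classMatch = ($ace.InheritedObjectType -eq $classGuid) -or ($ace.InheritedObjectType -eq [guid]::Empty)
        if (-not ($attrMatch -and $classMatch)) { continue }
        # GenericRead/GenericAll include the ReadProperty/WriteProperty bits, so -band covers them too.
        if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)  { $result.ReadProperty  = $true }
        if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) { $result.WriteProperty = $true }
    }
    return [pscustomobject]$result
}

# Check the domain naming context and AdminSDHolder, the two objects the Dsacls commands target.
$domainDN  = (Get-ADDomain).DistinguishedName
$publisher = "DOMAINA\Cert Publishers"   # placeholder: Cert Publishers group of the CA's domain
foreach ($dn in @($domainDN, "CN=AdminSDHolder,CN=System,$domainDN")) {
    $r = Test-CertPublisherAccess -TargetDN $dn -Publisher $publisher
    "{0}: Read={1} Write={2}" -f $dn, $r.ReadProperty, $r.WriteProperty
}
```

Run it in the domain that holds the user or computer objects (domain B); a False in either column for either object points at the ACE that the corresponding Dsacls command above adds.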

Publish a certificate

To publish a certificate:

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type ping <ipaddress>, where <ipaddress> is the IP address of a domain controller, and press ENTER to confirm that you have a network connection. If you do not have a network connection, fix the problem and try again.

  • At a command prompt, type certutil -dspublish <cert.cer> ldap:///<network location included in the event log message> and press ENTER. <cert.cer> is a certificate file exported by using the Certificate Export Wizard.

  • If you have connectivity but still cannot publish the certificate, use Active Directory Users and Computers to confirm that the computer hosting the CA has Read and Write permissions on the userCertificate attribute of the user or computer object. (These permissions are generally granted through membership in the Cert Publishers group.)

External References

This rule does not contain any external references.
