Collection Rule for event with source CertificationAuthority and ID 93 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.93
  • Description:  Certificate Services cannot find the CA certificate in the NTAuth store.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Run As Profiles

  • Name:  Default

Rule Knowledgebase

Summary

Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.

Causes
This rule does not contain any causes.

Resolutions

Ensure that AD CS can publish the CA certificate to the NTAuth store

To resolve this problem:

  • Confirm permissions on the NTAuth store.

  • Check the NTAuth store and, if necessary, publish the certification authority (CA) certificate manually.

If you have trouble locating the CA certificate in order to publish it to the NTAuth store, use the procedure in the "Locate the CA certificate file on a computer" section before publishing it to the NTAuth store.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm NTAuth store permissions

To check the permissions of the CA on the NTAuth container:

  • On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.

  • Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.

  • On the View menu, click Show Services Node.

  • Double-click Services, double-click Public Key Services, right-click NTAuthCertificates, and click Properties.

  • Click the Security tab, and then confirm that the computer hosting the CA has Read permissions.

Confirm contents of the NTAuth store

To check the contents of the NTAuth store in Active Directory Domain Services (AD DS):

  • At a command prompt, type certutil -viewstore ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com> and press ENTER. Replace <contoso> and <com> with the namespace of your Active Directory root domain.

  • If the CA certificate is not listed in the output, add it manually by typing the following command: certutil -dspublish <cert.cer> ntauthca and pressing ENTER. Replace <cert.cer> with the CA certificate file.

Locate the CA certificate file on a computer

To locate the CA certificate file on the local file system:

  • Open a command prompt window.

  • Type certutil -getreg CA\CACertPublicationURLs and press ENTER.

By default, this file is stored in %systemroot%\system32\certsrv\certenroll.
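The three procedures above (confirm NTAuth permissions, confirm NTAuth contents, locate the CA certificate file) can be scripted so the check runs the same way every time. The script below is an added example, not part of the management pack knowledge article or of certutil; it binds to the NTAuthCertificates object through ADSI, compares the thumbprints stored in its cACertificate attribute with the CA certificate file, lists which principals hold read rights on the object, and, only if asked, publishes the certificate with the same certutil -dspublish command the article gives. The CA computer account name, the CONTOSO domain and the assumption that the CA certificate is the newest .crt file in the default certenroll folder are placeholders to adjust for your environment.

```powershell
<#
  Added example (not from the knowledge article): automates the NTAuth store checks
  described above. Run on a domain-joined machine with Manage CA / AD read rights.
  Assumptions: the CA host's computer account name, and that the CA certificate
  is a .crt file in %systemroot%\system32\certsrv\certenroll.
#>
param(
    [string]$CaCertFile,                               # path to the CA certificate; found automatically if omitted
    [string]$CaComputerAccount = 'CONTOSO\CA01$',      # assumed: computer account of the server hosting the CA
    [switch]$Publish                                   # publish the certificate if it is missing from NTAuth
)

$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# "Locate the CA certificate file": default location is %systemroot%\system32\certsrv\certenroll.
# Take the newest .crt there if no path was given (assumption; the article's
# certutil -getreg CA\CACertPublicationURLs shows the configured locations).
if (-not $CaCertFile) {
    $enrollDir  = Join-Path $env:SystemRoot 'system32\certsrv\certenroll'
    $CaCertFile = Get-ChildItem -Path $enrollDir -Filter '*.crt' |
                  Sort-Object LastWriteTime -Descending |
                  Select-Object -First 1 -ExpandProperty FullName
    if (-not $CaCertFile) {
        throw "No .crt file found in $enrollDir; run 'certutil -getreg CA\CACertPublicationURLs' to locate it."
    }
}
$caCert = New-Object $x509 -ArgumentList $CaCertFile

# Bind to CN=NTAuthCertificates under the forest's configuration partition
# (same object the article's certutil -viewstore ldap:/// command reads).
$configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$ntAuth   = [ADSI]"LDAP://$ntAuthDn"

# "Confirm contents of the NTAuth store": decode every cACertificate value and compare thumbprints.
$published = foreach ($blob in $ntAuth.psbase.Properties['cACertificate']) {
    New-Object $x509 -ArgumentList (,[byte[]]$blob)   # wrap so the byte[] is passed as one argument
}
$isPublished = [bool]($published | Where-Object { $_.Thumbprint -eq $caCert.Thumbprint })

# "Confirm NTAuth store permissions": list Allow ACEs granting read rights on the object and
# note whether the CA's computer account is named directly. The CA may instead receive read
# through a group ACE (for example Authenticated Users), which ReadGrantedTo will show.
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$readAces  = $ntAuth.psbase.ObjectSecurity.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $readRight)
}
$caHasDirectRead = [bool]($readAces | Where-Object { $_.IdentityReference.Value -eq $CaComputerAccount })

[pscustomobject]@{
    CaCertificate       = $caCert.Subject
    Thumbprint          = $caCert.Thumbprint
    PublishedInNTAuth   = $isPublished
    NTAuthCertCount     = @($published).Count
    CaAccountDirectRead = $caHasDirectRead
    ReadGrantedTo       = (@($readAces.IdentityReference.Value) | Sort-Object -Unique) -join ', '
}

# Remediation from the article: publish the CA certificate to the NTAuth store if it is missing.
if (-not $isPublished -and $Publish) {
    & certutil.exe -dspublish $CaCertFile NTAuthCA
}
```

Run it without -Publish first to see the report; PublishedInNTAuth $false together with the event in this rule is the condition the article's manual certutil -dspublish step resolves, and ReadGrantedTo lets you verify the Security tab result without opening Active Directory Sites and Services.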

External References
This rule does not contain any external references.
