Collection Rule for event with source CertificationAuthority and ID 94 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.94
  • Description:  Certificate Services cannot open the NTAuth store.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name   Default Value   Description   Override
Priority         2
Severity         2

Run As Profiles

Name
Default

Alert Details

Message                                             Priority   Severity
AD CS Active Directory Domain Services Connection   High       Critical

Rule Knowledgebase

Summary

Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.

Causes

This rule does not contain any causes.

Resolutions

Enable the CA to open AD DS containers

To resolve this problem:

  • Confirm that the certification authority (CA) has necessary permissions to essential Active Directory Domain Services (AD DS) containers and objects.

  • If the CA certificate is missing from the NTAuth store, publish it manually.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

Confirm permissions on essential AD DS containers and objects

To confirm that the CA has necessary permissions on AD DS containers and objects within these containers:

  • On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.

  • Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.

  • On the View menu, click Show Services Node.

  • Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties. 

  • On the Security tab, confirm the required permissions.

The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.

  • Enrollment Services container. The CA computer has Read and Write access to its own object.

  • AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.

  • CDP container. The Cert Publishers group has Full Control access on every CA's container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.

  • Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.

  • Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.

  • KRA container. The CA computer has Full Control access on its own object. 

  • OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.

  • NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.

  • Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.
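The GUI walk above checks one container at a time. The following PowerShell script is an added example, not part of the management pack knowledge article: it walks the Public Key Services containers listed above and reports the Allow ACEs held by Cert Publishers, Enterprise Admins, Domain Admins and the CA computer account, so the required permissions can be reviewed in one pass. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the Configuration naming context, and that the CA computer account is named CA01$ (a placeholder; replace it with your CA's sAMAccountName). It covers only the Configuration-partition containers; the userCertificate rights on domain user and computer objects are not checked.

```powershell
# Added example, not part of the management pack knowledge article.
# Assumptions: ActiveDirectory RSAT module present; read access to the
# Configuration NC; CA computer account named CA01$ (placeholder).
Import-Module ActiveDirectory

$caComputer = 'CA01$'   # assumed CA computer account; computer ACEs keep the trailing $
$configNC   = (Get-ADRootDSE).configurationNamingContext
$pksDN      = "CN=Public Key Services,CN=Services,$configNC"

# Containers and objects named in the knowledge article (Configuration NC only)
$containers = 'Enrollment Services', 'AIA', 'CDP', 'Certification Authorities',
              'Certificate Templates', 'KRA', 'OID', 'NTAuthCertificates' |
              ForEach-Object { "CN=$_,$pksDN" }

# Identities whose rights the article describes
$identities = 'Cert Publishers', 'Enterprise Admins', 'Domain Admins', $caComputer

function Get-PkiAce {
    param([string]$DistinguishedName)
    try {
        $acl = Get-Acl -Path "AD:\$DistinguishedName" -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of $DistinguishedName : $($_.Exception.Message)"
        return
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # IdentityReference is DOMAIN\name; compare on the name part only
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($identities -notcontains $name) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights   # GenericAll = Full Control in the GUI
            Inherited = $ace.IsInherited
        }
    }
}

$report = foreach ($dn in $containers) {
    Get-PkiAce -DistinguishedName $dn
    # Certificate Templates and OID hold hundreds of objects and the article's
    # requirement there is on the container itself, so only descend into the
    # others (each CA's own object; for CDP the per-CA container and its CRLs).
    if ($dn -match '^CN=(Certificate Templates|OID),') { continue }
    Get-ADObject -SearchBase $dn -SearchScope Subtree -Filter * -ErrorAction SilentlyContinue |
        Where-Object { $_.DistinguishedName -ne $dn } |
        ForEach-Object { Get-PkiAce -DistinguishedName $_.DistinguishedName }
}

$report | Sort-Object Object, Identity | Format-Table -AutoSize
```

Read the output against the list above: for example, the CA computer account should show GenericAll (Full Control) on its own object under AIA, CDP and KRA, and Cert Publishers should show GenericAll on the AIA container and on each CA's container under CDP. A missing row for an identity means no Allow ACE names it directly; rights inherited through group membership other than the groups listed are not resolved by this script.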

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Publish a CA certificate

To manually publish the CA certificate:

  • On the CA, open a command prompt window.

  • Type certutil -viewstore ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domainname>,DC=<com> and press ENTER to check whether the CA certificate is in the NTAuth store.

  • If it is not, type the following command: certutil -f -dspublish <cert.cer> NTAuthCA and press ENTER.

Note:  The placeholders <domainname> and <com> are the namespace names of the domain in which the CA is installed. <Cert.cer> is the name of the CA certificate file. The "-f" option re-creates the object even if it has been deleted.

If you do not know where your CA certificate is located, you can identify it by completing the following procedure on the computer hosting your CA. By default, this file is stored in %systemroot%\system32\certsrv\certenroll.

Locate the CA certificate file on a computer

To locate the CA certificate file on the local file system:

  • On the CA, open a command prompt window.

  • Type certutil -getreg CA\CACertPublicationURLs and press ENTER.
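The `certutil -viewstore` step above opens an interactive dialog. The following PowerShell script is an added example, not part of the knowledge article: it locates the CA certificate file in the default CertEnroll folder, reads the certificates already held in the NTAuthCertificates object, and compares by thumbprint; if the CA certificate is missing it prints the `certutil -f -dspublish` command from the article rather than running it, so nothing is written to AD DS. It assumes it runs on the CA host with the ActiveDirectory RSAT module installed and that the CA certificate is in the default location; if `certutil -getreg CA\CACertPublicationURLs` shows a different publication path, adjust `$certEnroll`.

```powershell
# Added example, not part of the management pack knowledge article.
# Assumptions: runs on the CA host; ActiveDirectory RSAT module present;
# CA certificate in the default CertEnroll folder.
Import-Module ActiveDirectory

# 1. Locate the CA certificate file (default: %systemroot%\system32\certsrv\certenroll).
$certEnroll = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
$caCertFile = Get-ChildItem -Path $certEnroll -File -ErrorAction SilentlyContinue |
              Where-Object { $_.Extension -in '.crt', '.cer' } |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $caCertFile) {
    Write-Warning "No CA certificate file in $certEnroll; run: certutil -getreg CA\CACertPublicationURLs"
    return
}
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caCertFile.FullName)

# 2. Read the cACertificate attribute of NTAuthCertificates. It is multi-valued,
#    each value a DER-encoded certificate; values that do not parse (such as a
#    placeholder in a never-populated store) are skipped.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuth   = Get-ADObject -Identity $ntAuthDN -Properties cACertificate

$published = foreach ($der in $ntAuth.cACertificate) {
    try {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter }
    } catch { }
}

"NTAuth currently contains $(@($published).Count) certificate(s):"
$published | Format-Table -AutoSize | Out-String

# 3. Compare by thumbprint: subject names repeat across CA certificate renewals,
#    so a subject match alone does not prove the current certificate is published.
if ($published.Thumbprint -contains $caCert.Thumbprint) {
    "CA certificate $($caCert.Subject) [$($caCert.Thumbprint)] is already published to NTAuth."
} else {
    "CA certificate $($caCert.Subject) [$($caCert.Thumbprint)] is NOT in NTAuth. To publish it, run:"
    "  certutil -f -dspublish `"$($caCertFile.FullName)`" NTAuthCA"
}
```

Run it in an elevated PowerShell session on the CA. Publishing with the printed command still requires the Domain Admins membership or delegated authority noted above; the listing of what NTAuth already contains is also useful after a CA renewal, when the old and new certificates share a subject but differ in thumbprint.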

External References
This rule does not contain any external references.

admin
Posted : Wednesday, March 13, 2019 11:22:34 AM(UTC)

Comments: 169,073

Hello rcooley77,

We want to draw your attention to the fact that documentation can differ between different versions of Microsoft services and packs.

Please have a look at the information below:

A complete list of ADCS containers is

• AIA
• CDP
• Certificate Templates
• Certification Authorities
• Enrollment Services
• KRA
• OID

You can read more about it here https://www.tech-coffee.net/public-key-infrastructure-part-5-registry-key-certutil-active-directory/
or here https://sysadmins.lv/blog-en/understanding-active-directory-certificate-services-containers-in-active-directory.aspx

Best regards,
IT Support of VIAcode