Autoenrollment Event 13 Error
Arnar Stangeland, December 7, 2009
https://blogs.technet.microsoft.com/instan/2009/12/07/troubleshooting-autoenrollment/

From my colleague Maria in the Domains team – a collection of useful bits for troubleshooting autoenrollment issues:

On a Windows Server 2003-based or Windows XP-based computer, you cannot obtain certificates from a Windows Server 2008-based certification authority (CA). This issue can occur if the CA is configured to use SHA2 256 encryption or higher encryption (SHA2 384 or SHA2 512) and the enrolling clients are legacy clients. See KB 968730 (Hotfix).

Event id 80; Source Microsoft-Windows-CertificationAuthority on a Windows 2008 certificate server:

Active Directory Certificate Services could not publish a Certificate for request ##### to the following location on server DC.DOMAIN.COM: CN=user,OU=OU, DC=domain,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344). ldap: 0x32: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS)

Check that the Cert Publishers group has permission to read and write to the userCertificate attribute on the user object in AD that is specified in the event.

Enhanced Event Logging

By default, autoenrollment logs errors/failures and successful enrollments in the Application event log on the client machine. To enable enhanced logging of the autoenrollment process to include warning and informational messages, the following registry values must be created.

- SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEEventLogLevel (Create a new DWORD value named "AEEventLogLevel", set value to 0.)

NOTE: This value can be created under either HKLM or HKCU, depending on which context you need to troubleshoot. In this case I’d like us to set it on both.

If you enable logging and don't see any events, check to see if Autoenrollment has been disabled:

SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy

If it’s set to 0x00008000 hex (32768 dec) then it’s disabled (0x00008000==AUTO_ENROLLMENT_DISABLE_ALL). Again, this should be checked under HKLM or HKCU depending on whether computer or user Autoenrollment is of interest.

Permissions

On the CA server:
- Verify membership of the CERTSVC_DCOM_ACCESS group. If you have more issuing CAs on member servers, this will need to be checked on all of them for the local groups. Verify that the following groups are members: Domain Users and Domain Computers. If there are users or computers in other domains in the forest that also need to enroll agains
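The two registry checks from the Enhanced Event Logging section above (AEEventLogLevel and AEPolicy, in both HKLM and HKCU), as an added PowerShell example that is not part of the original post. The function name Get-AutoEnrollmentState and its -EnableLogging switch are hypothetical, and testing AEPolicy as a bit flag rather than by exact value is an assumption.

```powershell
# Added example: audit the autoenrollment registry values named in the post.
# Key paths, value names and 0x00008000 come from the post; the function name
# and the -EnableLogging switch are hypothetical.
$AE_DISABLE_ALL = 0x00008000   # AUTO_ENROLLMENT_DISABLE_ALL

function Get-AutoEnrollmentState {
    param([switch]$EnableLogging)   # create AEEventLogLevel = 0 where it is missing

    foreach ($hive in 'HKLM', 'HKCU') {
        $logKey    = "${hive}:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment"
        $policyKey = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"

        # A missing key or value yields $null instead of an error.
        $level  = (Get-ItemProperty -Path $logKey -Name AEEventLogLevel `
                       -ErrorAction SilentlyContinue).AEEventLogLevel
        $policy = (Get-ItemProperty -Path $policyKey -Name AEPolicy `
                       -ErrorAction SilentlyContinue).AEPolicy

        if ($EnableLogging -and $level -ne 0) {
            # Writing under HKLM needs an elevated session.
            if (-not (Test-Path $logKey)) { New-Item -Path $logKey -Force | Out-Null }
            New-ItemProperty -Path $logKey -Name AEEventLogLevel `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $level = 0
        }

        # Assumption: AEPolicy is a flag word, so test the bit, not equality.
        $disabled = ($null -ne $policy) -and (($policy -band $AE_DISABLE_ALL) -ne 0)

        [pscustomobject]@{
            Hive            = $hive   # HKLM = computer context, HKCU = current user
            EnhancedLogging = ($level -eq 0)
            AEPolicy        = if ($null -ne $policy) { '0x{0:X8}' -f $policy } else { '(not set)' }
            Disabled        = $disabled
        }
    }
}

# Read-only audit of both contexts.
Get-AutoEnrollmentState | Format-Table -AutoSize
```

Run it as the affected user to see that user's HKCU values; a row with Disabled = True explains why enhanced logging produces no events for that context.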
Windows Events: Event 13 (Error), Source: AutoEnrollment
https://community.spiceworks.com/windows_event/show/311-autoenrollment-13

Description

The event 13 from Autoenrollment message may be related to the new DCOM security enhancement of Windows Server 2003 SP1. Windows Server 2003 Certificate Services provides enrollment and administration services by using the DCOM protocol. Certificate Services provides several DCOM interfaces to make these services available. For correct access and usage of these services, Certificate Services assumes that its DCOM interfaces are set to allow remote activation and access permissions.

However, Windows Server 2003 SP1 introduces enhanced default security settings for the DCOM protocol. Specifically, SP1 introduces more precise rights that give an administrator independent control over local and remote permissions for launching, activating, and accessing COM servers. Therefore, because of the enhanced default security settings for DCOM that are introduced by SP1, you may have to update these security settings to make sure of the continued availability of these services after you install SP1.
TechRepublic | Forums | Networks
http://www.techrepublic.com/forums/discussions/event-id-13-autoenrollment-failed/

Event ID 13 Autoenrollment failed
By otaku_lord · 6 years ago

Here are the full errors:

Automatic certificate enrollment for local system failed to enroll for one Domain Controller Authentication certificate (0x800706ba). The RPC server is unavailable.

Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x800706ba). The RPC server is unavailable.

I have inherited these errors so I can only tell you what I have done so far.

1. The Domain Controllers/Admins/Computers have been added to CERTSVC_DCOM_ACCESS security group. Then ran following commands:
"certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG"
"net stop certsvc && net start certsvc"
2. CA (Certificate Authority) has been installed on the primary DC. At one point it was installed on a previous DC but that DC was rebuilt and no longer exists. I have removed all mention of that DC in AD (that I know of).
3. Domain Controllers/Admins/Computers have been added to Security group under PROPERTIES in the CA.

So far, nothing has worked. I am still getting the event on my primary DC. I am also receiving KDC warnings on several computers with a message stating basically that the certificates are no longer valid and when attempting to retrieve new ones the server couldn't be found or didn't respond. I am open to any a