Windows – Certificate Enrollment Fails
KB ID 0000921 Problem I first saw this problem a few years ago trying to get some Windows clients to auto enrol with server 2008, then this week my colleagues could not get new 2019 Domain Controller to enrol for a Kerberos certificate, and the this was caused by the same problem. Symtoms (RPC Error) 1. Test to make sure the client can see the CA, and is able to communicate with it, issue the following command; certutil -pulse As...
ADFS: Changing the Certificate
KB ID 0001634 Problem I needed to change the certificate used by an ADFS server today. I’d used a temporary self signed wildcard cert to get me up and running now I needed to replace it with a new publicly signed one. I found a number of ways of doing this INCORRECTLY, so hopefully I will save you making the same mistakes! Solution Firstly you need to import your certificate, here from a PFX file, (if you want a PFX file import...
Windows Server – Locate CA / Certificate Services
KB ID 0001163 Problem A colleague was having some certificate problems onsite the other week. Someone suggested just using Certificate Services to simplify matters. I said I’d spin it up and configure it for him, (I’ve done a lot of Microsoft CA work, search the site!) My fist question was, “Do they already have certificate services?’, unsurprisingly the answer was “I don’t know”. So if...
Certificate Services – Disable CRL Checking
KB ID 0001144 Problem Sometimes the services on your CA server will stop and complain about not being able to see your CRL, and some times the service will just refuse to start with the following error; The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE). Solution OK the way to fix this permanently is to fix your CRL and make sure...
Event ID 13
KB ID 0000520 Problem Seen every few hours in the application log: Source: AutoEnrollment Description: Automatic certificate enrollment for the local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied. Solution 1. Go to your domain controller > Open Active Directory users and computers > Locate the CERTSVC_DCOM_ACCESS group. 2. Add in the “Domain Controllers” group. 3. On...