Troubleshooting for Microsoft Enterprise CA Issues

This section helps you troubleshoot common problems that you might encounter when using functionality such as adding CA settings, certificate enrollment, renewal, revocation, suspension, reinstatement, discovery, and other actions associated with Microsoft Enterprise CA.

Issues in Configuring Microsoft Enterprise CA and Fetching CAs

Table 1. Error messages and resolutions
Error Message Possible Cause Possible Solution
Error message: Unable to save CA settings
Possible cause: CA Settings name already exists. A CA setting with the same name for Microsoft Enterprise already exists in inventory.
Possible solution: Check the CA Setting name; it should be unique.

Error message:
  • This field should not be null or empty
  • Mandatory Field(s) - <Field name> is/are empty
  • CA Settings - [ <Fields>] mandatory fields cannot be empty.
Possible cause: Some of the mandatory fields might be missing or invalid.
Possible solution: Add all the valid information in the mandatory section.

Error message: Unable to establish connection with CA
Possible cause:
  • The configured CA details may be incorrect.
  • Proxy details may not be configured.
  • AppViewX may not be able to reach the CA.
Possible solution:
  • Check the CA details configured on the CA settings page.
  • Check whether proxy details are configured in proxy settings.
  • Check whether network access is available.
Error message: 767cf2b6-bfc3-45a0-9490-a95cf841e693: Connecting to remote server <SERVER> failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The computer <SERVER> is unknown to Kerberos. Verify that the computer exists on the network, that the name provided is spelled correctly, and that the Kerberos configuration for accessing the computer is correct. The most common Kerberos configuration issue is that an SPN with the format HTTP/<SERVER> is not configured for the target. If Kerberos is not required, specify the Negotiate authentication mechanism and resubmit the operation. For more information, see the about_Remote_Troubleshooting Help topic
Possible cause: Kerberos is not configured for the target machine. The most common Kerberos configuration issue is that an SPN with the format HTTP/<SERVER> is not configured for the target. The issue occurs with PowerShell Remoting because it uses Kerberos authentication.
Possible solution:
  • On the agent machine, start a command prompt as Administrator and execute the following command:
    setspn -s http/machinename domain\username
  • Note that this works only in environments where Kerberos authentication is set up and there is an AD domain.
  • If no Kerberos authentication is set up, communication has to go through WMI instead.
  • Verify that the computer exists on the network, that the name provided is spelled correctly, and that the Kerberos configuration for accessing the computer is correct.
  • If Kerberos is not required, specify the Negotiate authentication mechanism and resubmit the operation. For more information, see the about_Remote_Troubleshooting Help topic.
Error message: PowerShell ScriptExecution Error: Access is denied. 0x80070005 (WIN32: 5)
  OR
  Error Code 0x80070005 - Access is denied
Possible cause: Access is denied.
Possible solution:
  • The username should be configured as "Username@Domain".
  • The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  • Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.

Error message: The WinRM client received an HTTP status code of 502 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic
Possible cause: PowerShell remoting is not configured.
Possible solution:
  1. Check whether the WinRM service is running.
  2. Open PowerShell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".
  4. Execute "netsh winhttp show proxy"; if a proxy is configured, reset it with "netsh winhttp reset proxy".
  5. For more information, see the about_Remote_Troubleshooting Help topic.
Error message: 41783361-015b-453f-b321-e31709b1850c: Connecting to remote server <SERVER> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
Possible cause: Access is denied.
Possible solution:
  • The username should be configured as "Username@Domain".
  • The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  • Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.
  • Check whether the WinRM service is running.
  • Open PowerShell on the target machine and run "WinRM QuickConfig".
  • Execute "Enable-PSRemoting -force".
  • For more information, see the about_Remote_Troubleshooting Help topic.

Error message: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig"
Possible cause: PowerShell remoting is not configured.
Possible solution:
  1. Check whether the WinRM service is running.
  2. Open PowerShell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".
  4. Verify that the service on the destination is running and is accepting requests.
  5. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM.
  6. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".

Error message: d4f98a6a-41ef-4864-9848-03a07e113d75: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Possible cause: The Remote Procedure Call service is not responding.
Possible solution: Navigate to the target machine and start the RPC service if it has stopped.
Error message: 727838ed-151e-46bf-883c-07ccb3a3989f: Connecting to remote server ptpld005 failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
Possible cause: The username or password is incorrect.
Possible solution:
  • The username should be configured as "Username@Domain".
  • The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  • Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.
  • Check whether the WinRM service is running.
  • Open PowerShell on the target machine and run "WinRM QuickConfig".
  • Execute "Enable-PSRemoting -force".
  • For more information, see the about_Remote_Troubleshooting Help topic.

Error message: fd3812f9-030a-421c-81e7-0e0510ce49e0: Access to the path <PATH> is denied.
Possible cause: The username or password is incorrect.
Possible solution:
  • The username should be configured as "Username@Domain".
  • The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  • Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.

Error message: This site can’t be reached
Possible cause: This site can’t be reached.
  • Windows Gateway is not reachable from AppViewX.
  • Windows Gateway service is down.

Error message: Html response : Access is denied
Possible cause: Access is denied.
Possible solution:
  • In the target machine's Local Computer certificate store, Trusted Root Certification Authorities should contain root CA certificates only and Intermediate Certification Authorities should contain intermediate certificates only.
  • Check that the client certificate used in AppViewX is imported into the target machine's Local Computer store.
Error message: More than 5 connections are not allowed
Possible cause: PowerShell configuration has restricted access for concurrent script executions.
Possible solution: Run PowerShell as Administrator on the remote machine where the issue occurs.
  1. Check the existing configuration: winrm get winrm/config
  2. Change the settings to increase MaxShellsPerUser to 100:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'

Error message: Connecting to the remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 4 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user.
Possible cause: PowerShell configuration has restricted access for concurrent script executions.
Possible solution: Run PowerShell as Administrator on the remote machine where the issue occurs.
  1. Check the existing configuration: winrm get winrm/config
  2. Change the settings to increase MaxShellsPerUser to 100:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'

Error message: Client Certificate gives Permission Denied 403 error. This can happen in certain environments and is intermittent.
Possible cause: CA store mismatch or invalid client certificate used.
Possible solution: Check whether the client certificate is installed correctly by checking its chain in the Personal store.
  • The root of the client certificate should be present in the Trusted Root Certification Authorities store of the server.
  • The intermediate of the client certificate can be present in the Intermediate Certification Authorities store of the server.
  • If all of the above looks good, go to the agent server and do the following steps:
    1. Open MMC.
    2. Choose "Add/Remove Snap-in".
    3. Select Certificates.
    4. Select "Local Machine".
    5. Navigate to the Personal store and click on the client certificate.
    6. Navigate to the certification path (chain).
    7. Export the root certificate and save it as Root.cer in a location.
    8. Import "Root.cer" into Trusted Root again.
    9. If the issue still remains unsolved, check whether Trusted Root contains any non-root certificates.
    10. Click on the "Trusted Root" store and check whether there are certificates whose Issued To and Issued By differ.
    11. Take a backup of such certificates and move them to their respective stores.
    12. If the issue remains unsolved, add the root certificate to "Client Certificate Issuers".
Error message: The permissions on the certificate template do not allow the current user to enroll for this type of certificate
Possible cause: User does not have access to the certificate template used for enrollment.
Possible solution:
  1. Navigate to the CA server.
  2. Open Certification Authority.
  3. Select the CA server.
  4. Right-click and select Properties.
  5. Click the Security tab.
  6. Check whether the user used by the agent has the necessary permissions: Read, Issue and Manage Certificates, and Request Certificates.
  7. If the user is part of a group, ensure that the group has the permissions.
  8. Click Certificate Templates and right-click to manage templates.
  9. Right-click the template that has the issue and go to Security.
  10. Add the permission for the user or group.

Error message: "An attempt was made to open a Certification Authority database session, but there are already too many active sessions" on a request using CERTADMINLib.IEnumCERTVIEWROW.Next()
Possible cause: The Certification Authority database has too many active sessions.
Possible solution: On the CA server, open the registry (regedit) and set the following:
  1. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSessionCount to 64 hex (100 dec).
  2. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBMaxReadSessionCount also to 64 hex (100 dec).

Error message: 803f4314-3a11-486a-87e5-367b8c5c6f9f: The user name or password is incorrect.
Possible cause: The user name or password is incorrect.
Possible solution:
  • The username should be configured as "Username@Domain".
  • The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  • Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.

Error message: 42abe1ef-2bff-40e8-82e2-c97c5707a0c1: Connecting to remote server avxstca failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
Possible cause: The user name or password is incorrect.
Possible solution: Check whether the credentials are valid.
Error message: Connecting to remote server ptpld334 failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
Possible cause: PowerShell remoting is not configured.
Possible solution: Run "WinRM quickconfig" on the target machine and accept the changes; a typical session looks like this:
    C:\Windows\system32>WinRM quickconfig
    WinRM service is already running on this machine.
    WinRM is not set up to allow remote access to this machine for management.
    The following changes must be made:
    Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
    Make these changes [y/n]? y
    WinRM has been updated for remote management.
    Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Error message:
  • There is not enough space on the disk
  • The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
  • Execute process failed Machinename mspwvadsnybcc01.csc.nycnet, ProcessName Powershell -NoProfile -ExecutionPolicy Bypass -Command C:\\Windows\\Temp\\1jmtip3g.sjl\1jmtip3g.sjl.ps1, Error is, Stack trace Management Connect to remote machine mspwvadsnybcc01.csc.nycnet as user failed with the following error Value does not fall within the expected range.
Possible cause: There is not enough space on the disk.
Possible solution: Ensure that your hard disk has enough free space.

Error message: Management Connect to remote machine VMEUSWPCA021.us.int.safelite.net as user failed with the following error User credentials cannot be used for local connections
Possible cause: User credentials cannot be used for local connections.
Possible solution:
  • The username should be configured as "Username@Domain".
  • The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  • Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.
  • Alternatively, configure the credentials in the Log On option of the AppViewX.CertPlus.Service service.
Error message: Device Communication failed while using Native option to connect to CA remotely
Possible cause: The Local System account doesn't have access to the CA. Change the logon credentials of the service.
Possible solution:
  1. Navigate to the agent machine.
  2. Open services.msc using Start >> Run on the Windows machine.
  3. Find the service "AppViewXCertPlus".
  4. Right-click and view Properties.
  5. Click the "Log On" tab.
  6. Change the option to "This account" and enter the user account and password.
  7. Click "Apply"; a message pops up to add the account as "Log on as a service". Click "OK" and save the changes.
  8. Restart the service.
  9. Remove the username and password from AppViewX.
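
The WinRM, Kerberos SPN, winhttp proxy and shell-quota checks from the rows above, collected into one preflight script. This is an added example, not AppViewX tooling; $TargetServer is a placeholder host name, the quota targets are the values the table recommends, and it is meant to run in an elevated PowerShell on the host that exposes the WinRM endpoint.

```powershell
# Added example (not AppViewX code): preflight for the WinRM/Kerberos rows.
param(
    [string]$TargetServer = 'ca01.example.local',   # placeholder, not a real host
    [int]$WantedShellsPerUser    = 100,             # values the table recommends
    [int]$WantedConcurrentUsers  = 20,
    [int]$WantedMemoryPerShellMB = 512
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. The WinRM service must be running before any remoting works at all.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $findings.Add('WinRM service is not running: run "winrm quickconfig" or "Enable-PSRemoting -Force".')
}

# 2. A listener must exist; "winrm quickconfig" creates HTTP://* when none is present.
$listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    $findings.Add('No WinRM listener is registered: "winrm quickconfig" has not been run.')
}

# 3. Kerberos remoting needs an HTTP/<server> SPN. "setspn -Q" searches the
#    forest and prints "Existing SPN found!" or "No such SPN found.".
$spnOut = (& setspn.exe -Q "HTTP/$TargetServer" 2>&1) -join "`n"
if ($spnOut -notmatch 'Existing SPN found') {
    $findings.Add("No HTTP/$TargetServer SPN is registered: Kerberos will report the computer as unknown; register the SPN or use Negotiate.")
}

# 4. A winhttp proxy on the calling side is what the HTTP 502 row tells you to reset.
$proxyOut = (& netsh.exe winhttp show proxy) -join "`n"
if ($proxyOut -notmatch 'Direct access') {
    $findings.Add('A winhttp proxy is configured: run "netsh winhttp reset proxy" if remoting returns HTTP 502.')
}

# 5. Shell quotas. winrm/config/winrs is exposed as the WSMan:\localhost\Shell
#    drive; "maximum number of 4 concurrent shells" is MaxShellsPerUser.
$wanted = @{
    MaxShellsPerUser    = $WantedShellsPerUser
    MaxConcurrentUsers  = $WantedConcurrentUsers
    MaxMemoryPerShellMB = $WantedMemoryPerShellMB
}
foreach ($name in $wanted.Keys) {
    $item = Get-Item -Path "WSMan:\localhost\Shell\$name" -ErrorAction SilentlyContinue
    if (-not $item) { continue }   # WSMan: drive is unavailable while WinRM is stopped
    $current = [int]$item.Value
    if ($current -lt $wanted[$name]) {
        $findings.Add("$name is $current, table recommends $($wanted[$name]): winrm set winrm/config/winrs '@{$name=`"$($wanted[$name])`"}'")
    }
}

# 6. Try the connection the way the error text suggests: Kerberos first, then
#    Negotiate, stopping at the first mechanism that works.
$connected = $false
foreach ($auth in 'Kerberos', 'Negotiate') {
    try {
        $null = Test-WSMan -ComputerName $TargetServer -Authentication $auth -ErrorAction Stop
        $findings.Add("Test-WSMan to $TargetServer succeeded with $auth authentication.")
        $connected = $true
        break
    } catch {
        $findings.Add("Test-WSMan to $TargetServer with $auth failed: $($_.Exception.Message)")
    }
}

if ($findings.Count -eq 0) { Write-Output 'No WinRM/Kerberos findings.' }
else { $findings | ForEach-Object { Write-Output "- $_" } }
exit ([int](-not $connected))   # non-zero when neither mechanism connected
```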

Issues in Enrolling, Renewing, and Regenerating a Microsoft Enterprise CA Certificate

Table 2. Error messages and resolutions
Error Message Possible Cause Possible Solution
Error message: Unable to establish connection with CA
Possible cause:
  1. The configured CA details may be incorrect.
  2. Proxy details may not be configured.
  3. AppViewX may not be able to reach the CA.
Possible solution:
  1. Check the CA details configured on the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.

Error message: Empty response received from windows gateway.
Possible cause:
  1. CA certificate stores may have mixed types of certificates.
  2. The client certificate may be wrong.
Possible solution:
  1. Enable custom client authentication, or check that the Local Machine's Root certificate store holds root certificates only and the Intermediate certificate store holds intermediate certificates only.
  2. Check whether the client certificate is valid.

Error message: The account configured in Application pool identity don't have access to the requested Template
Possible cause: The user doesn't have access to the template.
Possible solution: Give the user access to the template.

Error message: DATA is invalid (log message)
Possible cause: Invalid header in the CSR.
Possible solution: Replace "-----BEGIN NEW CERTIFICATE REQUEST-----" with "-----BEGIN CERTIFICATE REQUEST-----" and replace "-----END NEW CERTIFICATE REQUEST-----" with "-----END CERTIFICATE REQUEST-----".

Error message: Error Code 0x80070005 - Access is denied
Possible cause: Access not available.
Possible solution:
  1. The agent and the CA should be in the same domain.
  2. The ApplicationPoolIdentity of the IIS agent site should be a custom account with admin credentials.
  3. To verify the template name, go to the CA portal, right-click Certificate Templates, select Manage, right-click the template and select Properties. On the General tab you can find the Template name, which is the name to use in AppViewX.
  4. To check template permissions, go to the CA portal, right-click Certificate Templates, select Manage, right-click the template and select Properties. On the Security tab, check all permissions given for the user.

Error message: Retrieving the COM class factory for remote component with CLSID
Possible cause: Unable to connect to the certificate authority. The component used for accessing the CA (certadm.dll) is not installed or has permission issues.
Possible solution: Check whether the DLL is available in the C:\Windows\System32 folder; otherwise install Microsoft Remote Server Administration Tools (RSAT) for the respective OS. Example for Windows 10: https://www.microsoft.com/en-in/download/details.aspx?id=45520

Error message: PowerShell ScriptExecution Error: Access is denied. 0x80070005 (WIN32: 5)
  OR
  Error Code 0x80070005 - Access is denied
Possible cause: Access is denied.
Possible solution:
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the remote machine (target machine) or should be part of the local Administrators group.
  3. Navigate to Local Users and Groups and open "Administrators". Check whether the configured username is part of the Administrators group.

Error message: The permissions on the certificate template do not allow the current user to enroll for this type of certificate
Possible cause: User does not have access to the certificate template used for enrollment.
Possible solution:
  1. Navigate to the CA server.
  2. Open Certification Authority.
  3. Select the CA server.
  4. Right-click and select Properties.
  5. Click the Security tab.
  6. Check whether the user used by the agent has the necessary permissions: Read, Issue and Manage Certificates, and Request Certificates.
  7. If the user is part of a group, ensure that the group has the permissions.
  8. Click Certificate Templates and right-click to manage templates.
  9. Right-click the template that has the issue and go to Security.
  10. Add the permission for the user or group.

Error message: "An attempt was made to open a Certification Authority database session, but there are already too many active sessions" on a request using CERTADMINLib.IEnumCERTVIEWROW.Next()
Possible cause: The Certification Authority database has too many active sessions.
Possible solution: On the CA server, open the registry (regedit) and set the following:
  1. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSessionCount to 64 hex (100 dec).
  2. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBMaxReadSessionCount also to 64 hex (100 dec).

Error message: The WinRM client received an HTTP status code of 502 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic
Possible cause: PowerShell remoting is not configured.
Possible solution:
  1. Check whether the WinRM service is running.
  2. Open PowerShell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".
  4. Execute "netsh winhttp show proxy"; if a proxy is configured, reset it with "netsh winhttp reset proxy".
Error message: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig"
Possible cause: PowerShell remoting is not configured.
Possible solution:
  1. Check whether the WinRM service is running.
  2. Open PowerShell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".

Error message: More than 5 connections are not allowed
Possible cause: PowerShell configuration has restricted access for concurrent script executions.
Possible solution: Run PowerShell as Administrator on the remote machine where the issue occurs.
  1. Check the existing configuration: winrm get winrm/config
  2. Change the settings to increase MaxShellsPerUser to 100:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'

Error message: Connecting to the remote server failed with the following error message : The WS-Management service cannot process the request. This user is allowed a maximum number of 4 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user.
Possible cause: PowerShell configuration has restricted access for concurrent script executions.
Possible solution: Run PowerShell as Administrator on the remote machine where the issue occurs.
  1. Check the existing configuration: winrm get winrm/config
  2. Change the settings to increase MaxShellsPerUser to 100:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'
Error message: Client Certificate gives Permission Denied 403 error. This can happen in certain environments and is intermittent.
Possible cause:
  1. Certificate store mismatch.
  2. Invalid client certificate specified.
Possible solution:
  1. Check whether the client certificate is installed correctly by checking its chain in the Personal store.
  2. The root of the client certificate should be present in the Trusted Root Certification Authorities store of the server.
  3. The intermediate of the client certificate can be present in the Intermediate Certification Authorities store of the server.
  4. If all of the above looks good, go to the agent server and do the following steps:
    1. Open MMC.
    2. Choose "Add/Remove Snap-in".
    3. Select Certificates.
    4. Select "Local Machine".
    5. Navigate to the Personal store and click on the client certificate.
    6. Navigate to the certification path (chain).
    7. Export the root certificate and save it as Root.cer in a location.
    8. Import "Root.cer" into Trusted Root again.
    9. If this does not solve the issue, check whether Trusted Root contains any non-root certificates.
    10. Click on the "Trusted Root" store and check whether there are certificates whose Issued To and Issued By differ.
    11. Take a backup of such certificates and move them to their respective stores.
    12. If the issue still remains, add the root certificate to "Client Certificate Issuers".

Possible cause: The certificate request (CSR) is submitted to the CA using a different account from the one configured in AppViewX.
Possible solution:
  1. Navigate to the agent machine.
  2. Open services.msc using Start >> Run on the Windows machine.
  3. Find the service "AppViewXCertPlus".
  4. Right-click and view Properties.
  5. Click the "Log On" tab.
  6. Change the option to "This account" and enter the user account and password.
  7. Click "Apply"; a popup message asks you to add the account as "Log on as a service". Click "OK" and save the changes.
  8. Restart the service.
  9. Remove the username and password from AppViewX.

Error message: CSR Parameters invalid error
Possible cause: The CSR parameters supplied do not match the selected template or the CA's policy.
Possible solution: Supply valid CSR values accepted by the template or CA policy.

Error message: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: WebServer1.
Possible cause: Incorrect certificate template used.
Possible solution: Use the template name instead of the template display name.
Error message: Connecting to remote server ptpld334 failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
Possible cause: PowerShell remoting is not configured.
Possible solution: Run "WinRM quickconfig" on the target machine and accept the changes; a typical session looks like this:
    C:\Windows\system32>WinRM quickconfig
    WinRM service is already running on this machine.
    WinRM is not set up to allow remote access to this machine for management.
    The following changes must be made:
    Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
    Make these changes [y/n]? y
    WinRM has been updated for remote management.
    Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
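
An added audit script (not AppViewX's code) for the certificate-store rows in Tables 1 and 2 ("Html response : Access is denied", "Client Certificate gives Permission Denied 403", "Empty response received from windows gateway"): it flags non-root certificates in Trusted Root and self-signed ones in Intermediate CAs, then checks the client certificate's chain and exports Root.cer as steps 7 and 8 describe. $ClientCertThumbprint is a placeholder; run it in an elevated PowerShell on the target (gateway/IIS) host whose Local Computer stores are in question.

```powershell
# Added example (not AppViewX code): audit the Local Computer certificate
# stores that the 403 / "Access is denied" rows depend on.
param(
    [string]$ClientCertThumbprint = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'  # placeholder
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# A root CA certificate is self-issued (Issued To equals Issued By). Anything
# else in Trusted Root is the "different IssuedTo and IssuedBy" case from the
# 403 row and belongs in the Intermediate Certification Authorities store.
$nonRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer }
foreach ($c in $nonRoots) {
    $findings.Add("Trusted Root holds a non-root certificate $($c.Thumbprint) ('$($c.Subject)' issued by '$($c.Issuer)'): back it up and move it to Intermediate CAs.")
}

# The reverse mistake: a self-signed root filed under Intermediate CAs
# (Cert:\LocalMachine\CA) instead of Trusted Root.
$strayRoots = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -eq $_.Issuer }
foreach ($c in $strayRoots) {
    $findings.Add("Intermediate CAs holds a self-signed certificate $($c.Thumbprint) ('$($c.Subject)'): move it to Trusted Root.")
}

# The client certificate itself must sit in Personal (My) with its private
# key, carry the Client Authentication EKU, and chain to a root in Trusted Root.
$client = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ClientCertThumbprint } | Select-Object -First 1
if (-not $client) {
    $findings.Add("Client certificate $ClientCertThumbprint is not in the Local Computer Personal store: import it there.")
} else {
    if (-not $client.HasPrivateKey) {
        $findings.Add('Client certificate has no private key: import the PFX, not only the .cer.')
    }
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $eku = $client.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
        $findings.Add('Client certificate lacks the Client Authentication EKU: IIS will reject it for client auth.')
    }

    # Build the chain the way Schannel will; revocation is out of scope here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($client)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not $built) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("Chain for the client certificate does not build: $status")
    }

    # Steps 7-8 of the 403 row: export the chain's root as Root.cer so it can be
    # imported into Trusted Root when it is missing there.
    $rootInStore = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    if ($top.Subject -eq $top.Issuer -and -not $rootInStore) {
        $out = Join-Path -Path $env:TEMP -ChildPath 'Root.cer'
        [System.IO.File]::WriteAllBytes($out, $top.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        $findings.Add("Chain root '$($top.Subject)' is not in Trusted Root; exported to $out. Import with: Import-Certificate -FilePath $out -CertStoreLocation Cert:\LocalMachine\Root")
    }

    # Step 12 of the 403 row: when the Client Certificate Issuers store
    # (ClientAuthIssuer) is populated, Schannel uses it instead of Trusted Root
    # to decide which client-certificate issuers are acceptable.
    if (Test-Path -Path Cert:\LocalMachine\ClientAuthIssuer) {
        $issuerOk = Get-ChildItem -Path Cert:\LocalMachine\ClientAuthIssuer |
            Where-Object { $_.Thumbprint -eq $top.Thumbprint }
        if (-not $issuerOk) {
            $findings.Add("Client Certificate Issuers store exists but lacks root '$($top.Subject)': add it there.")
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'Certificate stores look consistent.' }
else { $findings | ForEach-Object { Write-Output "- $_" } }
```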

Issues in Revoking Microsoft Enterprise certificate

Table 3. Error messages and resolutions
Error Message Possible Cause Possible Solution
Error message: Invalid reason specified.
Possible cause: Invalid reason specified for revocation.
Possible solution: Use a revocation reason supported by the CA.

Error message: Unable to establish connection with CA
Possible cause:
  1. The configured CA details may be incorrect.
  2. Proxy details may not be configured.
  3. AppViewX may not be able to reach the CA.
Possible solution:
  1. Check the CA details configured on the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.

Error message: Empty response received from windows gateway.
Possible cause:
  1. CA certificate stores may have mixed types of certificates.
  2. The client certificate may be wrong.
Possible solution:
  1. Enable custom client authentication, or check that the Local Machine's Root certificate store holds root certificates only and the Intermediate certificate store holds intermediate certificates only.
  2. Check whether the client certificate is valid.

Issues in Suspending Microsoft Enterprise certificate

Table 4. Error messages and resolutions
Error Message Possible Cause Possible Solution
Error message: Invalid reason specified.
Possible cause: Invalid reason specified for suspension.
Possible solution: Use a suspension reason supported by the CA.

Error message: Unable to establish connection with CA
Possible cause:
  1. The configured CA details may be incorrect.
  2. Proxy details may not be configured.
  3. AppViewX may not be able to reach the CA.
Possible solution:
  1. Check the CA details configured on the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.

Error message: Empty response received from windows gateway.
Possible cause:
  1. CA certificate stores may have mixed types of certificates.
  2. The client certificate may be wrong.
Possible solution:
  1. Enable custom client authentication, or check that the Local Machine's Root certificate store holds root certificates only and the Intermediate certificate store holds intermediate certificates only.
  2. Check whether the client certificate is valid.

Issues in Reinstating Microsoft Enterprise certificate

Table 5. Error messages and resolutions
Error Message Possible Cause Possible Solution
Error message: Invalid reason specified.
Possible cause: Invalid reason specified for reinstatement.
Possible solution: Use a reinstatement reason supported by the CA.

Error message: Unable to establish connection with CA
Possible cause:
  1. The configured CA details may be incorrect.
  2. Proxy details may not be configured.
  3. AppViewX may not be able to reach the CA.
Possible solution:
  1. Check the CA details configured on the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.

Error message: Empty response received from windows gateway.
Possible cause:
  1. CA certificate stores may have mixed types of certificates.
  2. The client certificate may be wrong.
Possible solution:
  1. Enable custom client authentication, or check that the Local Machine's Root certificate store holds root certificates only and the Intermediate certificate store holds intermediate certificates only.
  2. Check whether the client certificate is valid.

Issues in Discovering Microsoft Enterprise certificates

Table 6. Error messages and resolutions
Error Message Possible Cause Possible Solution
Error message: Unable to establish connection with CA
Possible cause:
  1. The configured CA details may be incorrect.
  2. Proxy details may not be configured.
  3. AppViewX may not be able to reach the CA.
Possible solution:
  1. Check the CA details configured on the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.

Error message: Empty response received from windows gateway.
Possible cause:
  1. CA certificate stores may have mixed types of certificates.
  2. The client certificate may be wrong.
Possible solution:
  1. Enable custom client authentication, or check that the Local Machine's Root certificate store holds root certificates only and the Intermediate certificate store holds intermediate certificates only.
  2. Check whether the client certificate is valid.