Troubleshooting for Microsoft Standalone CA Issues

This section helps you troubleshoot the common problems that you might encounter when using functionalities like setting addition, certificate enrollment, renewal, revocation, suspension, reinstation, discovery, and other actions associated with Microsoft Standalone.

Supported Web Browsers

Browser Version Notes
Firefox Till latest (Version 84.0.4147.135) NA
Chrome Till latest (Version 80.0) NA
IE Limited support in 9, Full support from 10+ No support for IE9 post AppViewX Version 11.0
Safari

Till latest (Windows - Version 5.1.7,

macOS - Version 13.1.2)

 From AppViewX Version 11.1
Opera Till latest (Version 70) From AppViewX Version 11.1

Supported Devices

Device OS Resolution
Desktop Windows 1024 X 768 onwards, 1366x768, 1920x1080, Higher
Desktop Linux 1024 X 768 onwards, 1366x768, 1920x1080, Higher
Desktop Mac 1024 X 768 onwards, 1366x768, 1920x1080, Higher
iPad iOS 1024 X 768

Issues in Microsoft Standalone CA Setting Addition and Fetch CAs

Table 1. Error messages and resolutions
Error Message Possible Cause Possible Solution
Unable to save CA settings CA Settings name already exists. A CA setting with the same name for Microsoft Enterprise already exists in inventory. Check the CA Setting name, it should be unique.

1) This field should not be null or empty

2) Mandatory Field(s) - <Field name> is/are empty

3) CA Settings - [ <Fields>] mandatory fields cannot be empty.

 Some of the mandatory fields might be missing or might be invalid. Add all the valid information in the mandatory section.
Unable to establish connection with CA

  1. The configured CA details may be incorrect.

  2. Proxy details may not be configured.

  3. AppViewX may not be able to reach CA.
  1. Check the CA details configured in the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.
767cf2b6-bfc3-45a0-9490-a95cf841e693: Connecting to remote server <SERVER> failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The computer <SERVER> is unknown to Kerberos. Verify that the computer exists on the network, that the name provided is spelled correctly, and that the Kerberos configuration for accessing the computer is correct. The most common Kerberos configuration issue is that an SPN with the format HTTP/<SERVER> is not configured for the target. If Kerberos is not required, specify the Negotiate authentication mechanism and resubmit the operation. For more information, see the about_Remote_Troubleshooting Help topic Kerberos configuration is not configured for target machine

The issue occurs with “Powershell Remoting” since it uses Kerberos Authentication

  1. In Agent Machine start command prompt as Administrator and execute the following command.
  2. setspn –s http/machinename domain\username.
  3. Please note this will work in environments where Kerberos Authentication is setup and there is an AD Domain Setup.
  4. If no kerberos authentication is set up then we need to communicate via WMI.

PowerShell ScriptExecution Error: Access is denied. 0x80070005 (WIN32: 5)

OR

Error Code 0x80070005 - Access is denied

 Access is denied
  1. The username should be configured as "Username@Domain"
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of Local Administrator group
  3. Navigate to local Users and Groups and access "Administrators". Check if the configured username is part of administrator group
The WinRM client received an HTTP status code of 502 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic Powershell remoting not configured
  1. Check if WinRM service is running.
  2. Navigate to Powershell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force". Execute "netsh winhttp show proxy" and if a proxy is configured then we need to reset it via "netsh winhttp reset proxy".
41783361-015b-453f-b321-e31709b1850c: Connecting to remote server <SERVER> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic. Access is denied
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of the Local Administrator group.
  3. Navigate to local Users and Groups and access "Administrators". Check if the configured username is part of the administrator group.
  4. Check if WinRM service is running.
  5. Navigate to Powershell on the target machine and run "WinRM QuickConfig".
  6. Execute "Enable-PSRemoting -force".

The client cannot connect to the destination specified in the request. Verify that the service on the dest

ination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running o

n the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the

destination to analyze and configure the WinRM service: "winrm quickconfig"

 Powershell remoting is not configured
  1. Check if WinRM service is running.
  2. Navigate to Powershell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".
d4f98a6a-41ef-4864-9848-03a07e113d75: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) Remote Procedure Call Service is not responding Navigate to the target machine and start RPC service if it has stopped.
727838ed-151e-46bf-883c-07ccb3a3989f: Connecting to remote server ptpld005 failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic. The username or password is incorrect.
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of the Local Administrator group.
  3. Navigate to local Users and Groups and access "Administrators". Check if the configured username is part of the administrator group.
  4. Check if WinRM service is running.
  5. Navigate to Powershell on the target machine and run "WinRM QuickConfig".
  6. Execute "Enable-PSRemoting -force".
fd3812f9-030a-421c-81e7-0e0510ce49e0: Access to the path <PATH> is denied. The username or password is incorrect
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of the Local Administrator group.
  3. Navigate to local Users and Groups and access "Administrators".
  4. Check if the configured username is part of the administrator group.
This site can’t be reached This site can’t be reached
  1. Windows Gateway is not reachable from AppViewX.
  2. Windows Gateway service is down.
Html response : Access is denied Access is denied
  1. In Target machine's Local Computer certificate store, Trusted Root Certification Authorities should have Root CA certificates and Intermediate Certification Authorities should have intermediate certificates only.
  2. Client certificates used in AppViewX are not imported in Target machine's Local computer store.
More than 5 connections are not allowed Powershell configuration has restricted access for concurrent script executions Run Powershell as Administrator.
  1. Check existing config.
  2. winrm get winrm/config.
  3. Change the settings to increase the maxshellsperUser to 100 on the Remote machine wherein this issue is occurring.
    • winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'.
    • winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'.
    • winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'.

Connecting to the remote server failed with the following error message : The WS-Management service cannot process the request.

This user is allowed a maximum number of 4 concurrent shells, which has been exceeded.

Close existing shells or raise the quota for this user.

 Powershell configuration has restricted access for concurrent script executions

Run Powershell as Administrator

  1. Check existing config.
  2. winrm get winrm/config.
  3. Change the settings to increase the maxshellsperUser to 100 on the Remote machine wherein this issue is occurring.
    • winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'.
    • winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'.
    • winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'.

Client Certificate gives Permission Denied 403 error.

This can happen in certain environment and its intermittent

 CA Store mismatch or invalid client certificate used
  1. Check if the Client certificate is installed correctly by checking the chain in the Personal Store.
  2. Root of the client certificate should be available in the Trusted Root Certification Store of the Server.
  3. Intermediate of the client certificate can be available in the Intermediate Certification authorities of the Server.
  4. If all the above looks good then go to agent server and do following steps
    1. MMC.
    2. Add “Add/Remove SnapIn.
    3. select certificates.
    4. select “LocalMachine”
    5. Navigate to the Personal Store and click on the client certificate.
    6. Navigate to Chain.
    7. Export the Root certificate and save as Root.cer in a location.
    8. Import the “Root.cer” into trusted Root back again.
    9. If this also doesn’t solve the issue then check if the Trusted root contains and non-root certificates.
    10. Click on “Trusted Root” store and check if there are any certificates which have different IssuedTo and IssuedBy.
    11. Take backup of such certificates and move it to respective stores.
    12. Even after this if it doesn't solve then add the root certificate to "Client Certificate Issuers".
An attempt was made to open a Certification Authority database session, but there are already too many active sessions" on a request using CERTADMINLib.IenumCERTVIEWROW.Next(). Certification Authority database has too many active sessions

In CA server navigate to registry via regedit command and set the following

  1. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSessionCount to 64 hex (100 Dec)
  2. HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBMaxReadSessionCount is also set to 64 hex (100 Dec)
803f4314-3a11-486a-87e5-367b8c5c6f9f: The user name or password is incorrect.\r\n The username or password is incorrect
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of the Local Administrator group.
  3. Navigate to local Users and Groups and access "Administrators". Check if the configured username is part of the administrator group.
42abe1ef-2bff-40e8-82e2-c97c5707a0c1: Connecting to remote server avxstca failed with the following error message : The user name or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic. The username or password is incorrect The username or password is incorrect.
Connecting to remote server ptpld334 failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic. Powershell remoting is not configured

C:\Windows\system32>WinRM quickconfig

WinRM service is already running on this machine.

WinRM is not set up to allow remote access to this machine for management.

The following changes must be made:

  • Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
  • Make these changes [y/n]? y
  • WinRM has been updated for remote management.
  • Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

1. There is not enough space on the disk

2. The WSMan service could not launch a host process to process the given request. Make sure the WSMan provider host server and proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.

3. Execute process failed Machinename mspwvadsnybcc01.csc.nycnet, ProcessName Powershell -NoProfile - ExecutionPolicy Bypass -Command C:\\Windows\\Temp\\1jmtip3g.sjl\1jmtip3g.sjl.ps1, Error is, Stack trace Management Cannect to remote machine mspwvadsnybcc01.csc.nycnet as user failed with the following error Value does not fail within the expected range.

 There is not enough space on the disk Ensure that your hard disk has enough free space.
Management Connect to remote machine VMEUSWPCA021.us.int.safelite.net as user failed with the following error User credentials cannot be used for local connections User credentials cannot be used for local connections
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of the Local Administrator group.
  3. Navigate to local Users and Groups and access "Administrators". Check if the configured username is part of the administrator group.or configure the credentials in AppViewX.CertPlus.Service Logon option.
Device Communication failed while using Native option to connect to CA remotely Local System Account doesn’t have access to CA. Please change the logon credentials in service.
  1. Navigate to the agent machine.
  2. Open services.msc using Start>>Run command on the windows machine.
  3. Find the service "AppViewXCertPlus".
  4. Right click and view properties.
  5. Click on "log on" tab.
  6. Change the option to this account and enter the user account and password information.
  7. Click on "Apply" and a message will popup to add an account as "Log on as service". Click "OK" and save the changes.
  8. Click on restart the service.
  9. Remove the username and password from AppViewX.

Issues in Enrolling, Fetching, Renewing, and Regenerating Microsoft Standalone Certificates

Table 2. Error messages and resolutions
Error Message Possible Cause Possible Solution
Unable to establish connection with CA

  1. The configured CA details may be incorrect.

  2. Proxy details may not be configured.

  3. AppViewX may not be able to reach CA
  1. Check the CA details configured in the CA settings page.
  2. Check whether proxy details are configured in proxy settings.
  3. Check whether network access is available.
Empty response received from windows gateway.

  1. CA certificate stores may have mixed type certificates.

  2. Client certificate may be wrong.
  1. Enable custom client authentication or Check Local Machine's Root certificate store should have Root certificates only and Intermediate certificate store should have Intermediate certificates only.
  2. Check whether the client certificate is valid.
DATA is invalid log message Invalid header for CSR Replace (----BEGIN NEW CERTIFICATE REQUEST----) with (----BEGIN CERTIFICATE REQUEST----) and Replace (----END NEW CERTIFICATE REQUEST----) with (----END CERTIFICATE REQUEST----)
Error Code 0x80070005 - Access is denied Access not available
  1. Agent and CA Should be under the same domain.
  2. ApplicationPoolIdentity of IIS Agent site should be a Custom account with admin credentials.
Retrieving the COM class factory for remote component with CLSID Unable to connect to certificate authority
  1. The Component used for accessing CA (certadm.dll) is not installed or has permission issues.
  2. Check if DLL is available in C:\Windows\System32 folder else install Microsoft Remote Server Administration Tools (RSAT) for respective OS. EX: for Windows 10 https://www.microsoft.com/en-in/download/details.aspx?id=45520.

PowerShell ScriptExecution Error: Access is denied. 0x80070005 (WIN32: 5)

OR

Error Code 0x80070005 - Access is denied

 Access is denied
  1. The username should be configured as "Username@Domain".
  2. The user should have admin access to the Remote machine (Target Machine) or should be part of the Local Administrator group.
  3. Navigate to local Users and Groups and access "Administrators". Check if the configured username is part of the administrator group.
An attempt was made to open a Certification Authority database session, but there are already too many active sessions" on a request using CERTADMINLib.IenumCERTVIEWROW.Next(). Certification Authority database has too many active sessions

In CA server navigate to registry via regedit command and set the following

1) HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBSessionCount to 64 hex (100 Dec)

2) HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\DBMaxReadSessionCount is also set to 64 hex (100 Dec)
The WinRM client received an HTTP status code of 502 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic Powershell remoting not configured
  1. Check if WinRM service is running.
  2. Navigate to Powershell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".
  4. Execute "netsh winhttp show proxy" and if a proxy is configured then we need to reset it via "netsh winhttp reset proxy".

The client cannot connect to the destination specified in the request. Verify that the service on the dest

ination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running o

n the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the

destination to analyze and configure the WinRM service: "winrm quickconfig"

 Powershell remoting is not configured.
  1. Check if WinRM service is running.
  2. Navigate to Powershell on the target machine and run "WinRM QuickConfig".
  3. Execute "Enable-PSRemoting -force".
More than 5 connections are not allowed Powershell configuration has restricted access for concurrent script executions.

Run Powershell as Administrator

  1. Check existing config
  2. winrm get winrm/config.
  3. Change the settings to increase the maxshellsperUser to 100 on the Remote machine wherein this issue is occurring.
    • winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    • winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    • winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'

Connecting to the remote server failed with the following error message : The WS-Management service cannot process the request.

This user is allowed a maximum number of 4 concurrent shells, which has been exceeded.

Close existing shells or raise the quota for this user.

 Powershell configuration has restricted access for concurrent script executions.

Run Powershell as Administrator

  1. Check existing config
  2. winrm get winrm/config.
  3. Change the settings to increase the maxshellsperUser to 100 on the Remote machine wherein this issue is occurring.
    • winrm set winrm/config/winrs '@{MaxConcurrentUsers="20"}'
    • winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
    • winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="512"}'

Client Certificate gives Permission Denied 403 error.

This can happen in certain environment and its intermittent

  1. Certificate store mismatch.

  2. Invalid client certificate specified.
  1. Check if the Client certificate is installed correctly by checking the chain in the Personal Store.
  2. Root of the client certificate should be available in the Trusted Root Certification Store of the Server.
  3. Intermediate of the client certificate can be available in the Intermediate Certification authorities of the Server.
  4. If all the above looks good then go to agent server and do following steps:
    1. MMC .
    2. Add “Add/Remove SnapIn
    3. select certificates.
    4. select “LocalMachine”.
    5. Navigate to the Personal Store and click on the client certificate.
    6. Navigate to Chain.
    7. Export the Root certificate and save as Root.cer in a location.
    8. Import the “Root.cer” into trusted Root back again.
    9. If this also doesn’t solve the issue then check if the Trusted root contains and non-root certificates.
    10. Click on “Trusted Root” store and check if there are any certificates which have different IssuedTo and IssuedBy.
    11. Take backup of such certificates and move it to respective stores.
    12. Even after this if it doesn't solve then add the root certificate to "Client Certificate Issuers"
Certificate Request (CSR) is using different account to request certificate from CA as compared to account configured in AppViewX
  1. Navigate to the agent machine.
  2. Open services.msc using Start>>Run command on the windows machine.
  3. Find the service "AppViewXCertPlus".
  4. Right click and view properties.
  5. Click on the "log on" tab.
  6. Change the option to this account and enter the user account and password information.
  7. Click on "Apply" and a message will popup to add an account as "Log on as service". Click "OK" and save the changes.
  8. Click on restart the service.
  9. Remove the username and password from AppViewX.
Connecting to remote server ptpld334 failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic. Powershell remoting is not configured
  1. C:\Windows\system32>WinRM quickconfig.
  2. WinRM service is already running on this machine.
  3. WinRM is not set up to allow remote access to this machine for management.
  4. The following changes must be made:
    • Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
    • Make these changes [y/n]? y
    • WinRM has been updated for remote management.
    • Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Issues in Revoking a Microsoft Standalone Certificate

Error Message Possible Cause Possible Solution
Invalid reason specified. Invalid reason specified for revocation Please use the correct reason which is supported by the CA
Unable to establish connection with CA

  1. The configured CA details may be incorrect.

  2. Proxy details may not be configured.

  3. AppViewX may not be able to reach CA.

  1. Check the CA details configured in the CA settings page.

  2. Check whether proxy details are configured in proxy settings.

  3. Check whether network access is available
Empty response received from windows gateway.

  1. CA certificate stores may have mixed type certificates.

  2. Client certificate may be wrong.

  1. Enable custom client authentication or Check Local Machine's Root certificate store should have Root certificates only and Intermediate certificate store should have Intermediate certificates only.

  2. Check whether the client certificate is valid.

Issues in Suspending a Microsoft Standalone Certificate

Error Message Possible Cause Possible Solution
Invalid reason specified. Invalid reason specified for suspension Please use the correct reason which is supported by the CA
Unable to establish connection with CA

  1. The configured CA details may be incorrect.

  2. Proxy details may not be configured.

  3. AppViewX may not be able to reach CA.

  1. Check the CA details configured in the CA settings page.

  2. Check whether proxy details are configured in proxy settings.

  3. Check whether network access is available.
Empty response received from windows gateway.

  1. CA certificate stores may have mixed type certificates.

  2. Client certificate may be wrong.

  1. Enable custom client authentication or Check Local Machine's Root certificate store should have Root certificates only and Intermediate certificate store should have Intermediate certificates only.

  2. Check whether the client certificate is valid.

Issues in Reinstating Microsoft Standalone certificate

Error Message Possible Cause Possible Solution
Invalid reason specified. Invalid reason specified for reinstatement Please use the correct reason which is supported by the CA
Unable to establish connection with CA

  1. The configured CA details may be incorrect.

  2. Proxy details may not be configured.

  3. AppViewX may not be able to reach CA.

  1. Check the CA details configured in the CA settings page.

  2. Check whether proxy details are configured in proxy settings.

  3. Check whether network access is available
Empty response received from windows gateway.

  1. CA certificate stores may have mixed type certificates.

  2. Client certificate may be wrong.

  1. Enable custom client authentication or Check Local Machine's Root certificate store should have Root certificates only and Intermediate certificate store should have Intermediate certificates only.

  2. Check whether the client certificate is valid.

Issues in Discovering Microsoft Standalone certificates

Error Message Possible Cause Possible Solution
Unable to establish connection with CA

  1. The configured CA details may be incorrect.

  2. Proxy details may not be configured.

  3. AppViewX may not be able to reach CA.

  1. Check the CA details configured on the CA settings page.

  2. Check whether proxy details are configured in proxy settings.

  3. Check whether network access is available.
Empty response received from windows gateway.

  1. CA certificate stores may have mixed type certificates.

  2. Client certificate may be wrong.

  1. Enable custom client authentication or Check Local Machine's Root certificate store should have Root certificates only and Intermediate certificate store should have Intermediate certificates only.

  2. Check whether client certificate is valid