Troubleshooting
To assist with troubleshooting, Autoenrollment writes an activity log. During troubleshooting, it is sometimes helpful to raise the log level: the higher the log level, the more detail is captured about an action or error.
Use the Autoenrollment Configuration Utility log properties to change the log level.
Additionally, the Autoenrollment Server Configuration utility logs configuration events in a file called AEConfig.log, which is located here:
C:\Users\AE Administrator
Configuration errors include failing to establish a connection during the Connection Test, or failing to import the autoenrollment configuration file.
Other common Autoenrollment issues include:
Certificate pending in the client or Autoenrollment configuration utility
Certificates cannot be published
Import Autoenrollment configuration across subdomains
Handle multi-valued Active Directory Attributes
Error when restarting Autoenrollment Server
Certificate is pending in the client or the Autoenrollment Configuration utility
If Autoenrollment Server cannot complete a request with the DigiCert ONE CA (for example, because of connection problems or heavy server traffic), it sends a pending response to the client. The request is then stored as a queue entry in the RequestBufferFile.dat file in the installation directory. Autoenrollment Server periodically retries the queued requests in that file until it receives a response from DigiCert ONE. You can also check the number of pending requests in the Autoenrollment Configuration utility.
Once Autoenrollment Server can re-establish connection to the DigiCert ONE CA, the request is processed normally.
Certificates cannot be published (permission denied)
If your end-user certificates are not published to Active Directory and you see the following error message in your log files, Autoenrollment Server does not have sufficient privileges in Active Directory.
ERROR in Publish Certificate: Cannot commit data to Active Directory: permission denied 0x80070005
Add the domain computer that runs Autoenrollment Server to the Active Directory group Cert Publishers. You may want to force Active Directory replication and perform a group policy update so that the change takes effect immediately.
Import the autoenrollment configuration file across subdomains
While importing the autoenrollment configuration file, you may encounter an error stating that previously created objects cannot be accessed to set the Discretionary Access Control List (DACL) on the new object. This can happen when Autoenrollment Server is installed on a machine in a subdomain of your network. If this is the case, you need to force AD replication across your forest.
The following sample command forces Active Directory replication for an Active Directory forest using the repadmin.exe utility. Use the appropriate command or mechanism for your implementation.
Repadmin /syncall
This command forces Active Directory replication between the root domain controller and any subdomain domain controllers.
Once replication is complete, click OK in the Autoenrollment Configuration utility to retry setting the DACL on the object.
Handle multi-valued Active Directory attributes in the Autoenrollment Server
If you have mapped a multi-valued attribute to a certificate Subject Alternative Name or Subject Distinguished Name in the certificate profile, Active Directory may return multiple values for that attribute. In this situation, Autoenrollment Server does not pick any value from the list, and autoenrollment fails if the attribute is mandatory. The Autoenrollment Server log displays a warning message similar to the following:
WARN Wed Oct 05 15:57:07 2011 [828] Attribute <CertificateProfile Configured AD attribute> has unexpected type: 8204
To avoid this issue, make sure that the multi-value attribute contains only one value.
Catastrophic error when restarting Autoenrollment Server
If the Autoenrollment Server configuration file is not available when you restart Autoenrollment Server, the service does not start. Windows Services reports a catastrophic error for the AutoEnrollmentDCOMSrv service.
Additionally, the following error is written to the log file:
AutoEnrollmentDCOMSrv: cannot run: AEException: Could not access CA interface (plugin): Could not initialize connection to CA. Check connection parameters and network connectivity!
To avoid this issue, make sure that the location from which you imported the configuration file when you configured Autoenrollment Server is accessible to the server when you restart it.
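The following PowerShell script is an added example, not DigiCert's code: it scans Autoenrollment Server log lines for the three error signatures quoted in the publishing, multi-valued attribute and restart sections above and reports the remediation each section documents. The sample log lines, the attribute name otherMailbox and the log path are constructed placeholders.

```powershell
# Added example (not part of the Autoenrollment product): map documented log
# signatures to the remediation described in this troubleshooting page.
$Signatures = @(
    @{ Name    = 'Publish permission denied'
       Pattern = 'Cannot commit data to Active Directory: permission denied 0x80070005'
       Fix     = 'Add the computer running Autoenrollment Server to the Cert Publishers group, then force AD replication and run a group policy update.' }
    @{ Name    = 'Multi-valued AD attribute'
       Pattern = 'Attribute (?<attr>\S+) has unexpected type: 8204'
       Fix     = 'Make sure the mapped attribute contains only one value for the affected account.' }
    @{ Name    = 'CA interface unavailable at start-up'
       Pattern = 'Could not access CA interface \(plugin\): Could not initialize connection to CA'
       Fix     = 'Check that the imported configuration file location is accessible and that the CA connection parameters are correct.' }
)

function Get-AELogIssue {
    # Returns one object per matched line: the issue name, the attribute
    # captured from an 8204 warning (if any), the documented fix and the line.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($sig in $Signatures) {
            if ($line -match $sig.Pattern) {
                # $Matches is reset on every successful -match, so 'attr' is
                # only present for the multi-valued attribute warning.
                $attr = if ($Matches.ContainsKey('attr')) { $Matches['attr'] } else { $null }
                [pscustomobject]@{
                    Issue     = $sig.Name
                    Attribute = $attr
                    Fix       = $sig.Fix
                    Line      = $line
                }
            }
        }
    }
}

# Constructed sample lines modelled on the messages quoted in this page.
$sample = @(
    'INFO  Wed Oct 05 15:57:01 2011 [828] Request received for CN=sample-user',
    'ERROR in Publish Certificate: Cannot commit data to Active Directory: permission denied 0x80070005',
    'WARN Wed Oct 05 15:57:07 2011 [828] Attribute otherMailbox has unexpected type: 8204',
    'AutoEnrollmentDCOMSrv: cannot run: AEException: Could not access CA interface (plugin): Could not initialize connection to CA. Check connection parameters and network connectivity!'
)

Get-AELogIssue -Lines $sample | Format-Table Issue, Attribute, Fix -Wrap

# Against a real log (placeholder path):
# Get-AELogIssue -Lines (Get-Content 'C:\path\to\AutoenrollmentServer.log')
```

The INFO line produces no output, which is the expected result for lines that carry none of the documented signatures.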