Event ID - 10

Event Id: 10
Source: HRA
Description: The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). The Certificate Server %4 denied the request with the following error: %6 (%7). This failure was possibly due to a network related issue. The request will be discarded if no other certificate servers are available. This server will not be tried again for %5 minutes. See the Certificate Server administrator for more information.
Event Information: According to Microsoft :
Diagnose :
This error might be caused by one of the following conditions:
  • HRA has a CA server configuration that is not valid.
  • Active Directory Certificate Services (AD CS) is not responding to HRA.
  • CA servers are not configured to issue health certificates with HRA.
Cause :
CA server(s) are not correctly configured to issue health certificates with HRA
Resolution :
Configure AD CS
This error condition indicates that HRA contacted a CA server, but that the CA server is not configured to issue NAP health certificates.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
To configure CA servers to issue health certificates, HRA must be granted permission to request and issue health certificates on behalf of NAP clients. If the CA server is an enterprise CA, you must also publish a certificate template with application policy extensions for client authentication and system health authentication. The CA must also be able to issue certificates automatically, without administrator approval.
If your HRA and NAP CA are running on the same computer, Network Service must be granted permissions to issue, manage, and request certificates. If your HRA and NAP CA are running on different computers, these permissions must be granted to the computer name for your HRA server. HRA should be granted permission to manage the CA server so that it can remove expired records from the CA database.
  • Configure CA settings
  • Configuring a NAP certificate template
HRA must be granted permission to enroll or autoenroll a NAP health certificate. If only enroll permissions are set, then you must manually enroll HRA with a system health authentication certificate. Depending on the group membership of the user account you are using to configure HRA, you might already have the permissions required to enroll.
Next, the new certificate template must be made available for enrollment requests.
Cause :
Active Directory Certificate Services (AD CS) is not responding to HRA
Resolution :
Install or enable AD CS
This error condition indicates that HRA was unable to contact the CA server, possibly due to a network issue. Check the names and availability of CA servers configured in HRA and confirm that Active Directory Certificate Services (AD CS) is running on each CA server.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
  • Check network connectivity
  • Check AD CS service availability
Start AD CS
To start AD CS:
  1. On the CA server used in the preceding procedure, in the command window, type net start certsvc, and then press ENTER.
  2. Confirm that AD CS starts successfully.
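The connectivity and service checks above can be scripted from the HRA server. This is an added example, not part of the original article: the CA entry `ca01.example.test\Example-NAP-CA` is a constructed placeholder, and the script assumes Windows PowerShell 5.1 (for `Get-Service -ComputerName`) run with administrative rights on the CA.

```powershell
# Constructed placeholder: replace with the CA entries listed in hcscfg.msc,
# written as <CA host>\<CA name>.
$caConfigs = @('ca01.example.test\Example-NAP-CA')

function Test-HraCertificateServer {
    param([Parameter(Mandatory)][string]$Config)

    $caHost = $Config.Split('\')[0]

    # 1. Network: name resolution plus TCP 135 (RPC endpoint mapper), the first
    #    port an RPC/DCOM certificate request to AD CS has to reach.
    $net = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue

    # 2. Service: certsvc is the AD CS service started by "net start certsvc".
    $svc = Get-Service -ComputerName $caHost -Name certsvc -ErrorAction SilentlyContinue

    # 3. CA interface: certutil -ping contacts the CA's request interface.
    & certutil.exe -config $Config -ping | Out-Null
    $pingOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        CA           = $Config
        Port135Open  = $net.TcpTestSucceeded
        CertSvc      = if ($svc) { $svc.Status } else { 'Unknown' }
        CertutilPing = $pingOk
    }
}

# One row per configured CA; any False/Unknown/Stopped column points at the
# layer (network, service, CA interface) to investigate first.
$caConfigs | ForEach-Object { Test-HraCertificateServer -Config $_ } | Format-Table -AutoSize
```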
Cause :
Health Registration Authority (HRA) does not have a valid Certification Authority (CA) server configuration
Resolution :
Configure CA servers in HRA
This error condition indicates that HRA has a CA server configuration that is not valid. Check the names of CA servers configured in HRA, and make sure that HRA is configured with the correct CA server properties and certificate settings.
To perform this procedure, you must be a member of the Administrators group, or you must have been delegated the appropriate authority.
Add or remove a CA
To add a CA to HRA:
  1. On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
  2. In the console tree, right-click Certification Authority, and then click Add Certification Authority. The Add Certification Authority dialog box opens.
  3. Click Browse. The Select Certification Authority dialog box opens.
  4. Under CA, click the name of the CA that will be used to issue NAP health certificates, and then click OK twice.
To remove a CA from HRA:
  1. On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
  2. In the console tree, click Certification Authority.
  3. In the details pane, under Certification Authority Name, right-click the name of the CA you want to remove, and then click Delete.

Configure CA settings in HRA
To configure certification authority wait time, certificate validity period, operational mode, policyOID settings, and template settings:
  1. On the computer where HRA is installed, click Start, click Run, type hcscfg.msc, and then press ENTER.
  2. In the console tree, right-click Certification Authority, and then click Properties.
  3. To configure the number of minutes to wait between requests before identifying a CA as unavailable, enter a value next to Number of minutes between requests when a server is identified as unavailable.
  4. After choosing a unit of time from the drop-down list, enter the number of units, and then click OK.
  5. If you are using an enterprise CA, perform the following steps to override the validity period that is configured in your certificate templates:
    a. On the computer where an enterprise CA is installed, click Start, right-click Command Prompt, and then click Run as administrator.
    b. In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
    c. Confirm that the command completed successfully.
    d. In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
    e. Confirm that Active Directory Certificate Services (AD CS) stops and starts successfully.
  6. If you are using a standalone CA, choose Use standalone certification authority.
  7. Do not select the check box next to Enable PolicyOIDs unless you are using client extended state information for Network Access Control.
  8. If you are using an Active Directory-integrated enterprise CA, or if you have configured HRA to use both enterprise and standalone CAs, choose Use enterprise certification authority, and then use the drop-down list to select Authenticated compliant certificate template and Anonymous compliant certificate template. These templates must be configured and published on your enterprise CA before you configure HRA to use an enterprise CA.
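To confirm steps 5b through 5e took effect on an enterprise CA, the policy module's EditFlags value can be read back and the EDITF_ATTRIBUTEENDDATE bit tested. This is an added example, not part of the original article; it assumes an elevated PowerShell prompt on the CA and that `certutil -getreg` prints the value as a hexadecimal `REG_DWORD` line (the sample in the comment is illustrative).

```powershell
# Bit value of EDITF_ATTRIBUTEENDDATE as defined in the Windows SDK (certsrv.h).
$EDITF_ATTRIBUTEENDDATE = 0x20

function Get-CaEditFlags {
    # Assumed output shape (illustrative): "EditFlags REG_DWORD = 11014e (1114446)"
    $out = & certutil.exe -getreg policy\EditFlags
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed with exit code $LASTEXITCODE" }

    $line = $out |
        Select-String -Pattern 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)' |
        Select-Object -First 1
    if (-not $line) { throw 'EditFlags value not found in certutil output' }

    # certutil prints the DWORD in hex first, then decimal in parentheses.
    [Convert]::ToUInt32($line.Matches[0].Groups[1].Value, 16)
}

$flags = Get-CaEditFlags
$svc   = Get-Service -Name certsvc

[pscustomobject]@{
    EditFlags           = '0x{0:X8}' -f $flags
    # True once step 5b has been applied to this CA's policy module.
    AttributeEndDateSet = [bool]($flags -band $EDITF_ATTRIBUTEENDDATE)
    # Should read Running after the restart in step 5d.
    CertSvc             = $svc.Status
}
```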
Reference Links: Event ID 10 from HRA
