Event ID - 24

Event Id24
SourceMicrosoft-Windows-CertificationAuthority
DescriptionActive Directory Certificate Services did not start: Unable to get information about the cryptographic service provider (CSP) from the registry for %1.
Event InformationAccording to Microsoft :
Cause
This event is logged when Active Directory Certificate Services did not start: Unable to get information about the cryptographic service provider (CSP) from the registry.
Resolution
Enable AD CS to obtain needed startup information from Active Directory Domain Services
To correct this problem:
1.Confirm network connectivity to Active Directory Domain Services (AD DS).
2.Confirm that the certification authority (CA) has necessary permissions to essential AD DS containers and objects.
3.After confirming connectivity and permissions, restart the CA.
Note:
To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
Confirm an AD CS connection to AD DS
To confirm an Active Directory Certificate Services (AD CS) connection to AD DS:
1.On the CA, open a command prompt window.
2.Type ping , where server_FQDN is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com), and then press ENTER.
3.If the ping was successful, you will receive a reply similar to the following:
Reply from IP_address: bytes=32 time=3ms TTL=59,
Reply from IP_address: bytes=32 time=20ms TTL=59 ,
Reply from IP_address: bytes=32 time=3ms TTL=59,
Reply from IP_address: bytes=32 time=6ms TTL=59 3
4.At the command prompt, type ping , where IP_address is the IP address of the domain controller, and then press ENTER.
5.If you can successfully connect to the domain controller by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution. If you cannot successfully connect to the domain controller by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security (IPsec) configuration.
Confirm permissions on essential AD DS containers and objects.
Confirm permissions on AD DS containers and objects
To confirm that the CA has necessary permissions on AD DS containers and objects within these containers:
1.On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
2.Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.
3.On the View menu, click Show Services Node.
4.Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties.
5.On the Security tab, confirm the required permissions.
The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.
1.Enrollment Services container.The CA computer has Read and Write access to its own object.
2.AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.3.
CDP container. The Cert Publishers group has Full Control access on every CAs container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.
4.
Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.
5.Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.
6.KRA container. The CA computer has Full Control access on its own object.
7.OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.
8.NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.<9.Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.
Restart a CA
To restart a CA:
1.On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2.Select the CA name, and click Restart.
Verify
To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.
To check the connection between a CA and Active Directory Domain Services (AD DS):
1.Open a command prompt window on the computer hosting the CA.
2.Type nltest /sc_verify: [domainname] and press ENTER.
3.Use the following procedure to confirm permisssions on essential AD DS containers and objects.
Replace [domainname] with the name of the namespace in which the CA is installed.
Confirm permissions on essential AD DS containers and objects
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To confirm that the CA has necessary permissions on AD DS containers and objects within these containers:
1.On a domain controller, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
2.Click Active Directory Sites and Services [domainname] where [domainname] is the name of your domain.
3.On the View menu, click Show Services Node.
4.Double-click Services, double-click Public Key Services, and right-click each container listed below, or the objects listed within the container, and click Properties
5.On the Security tab, confirm the required permissions.
The following are all Active Directory permissions required by a computer hosting a CA. Some of these permissions are achieved via membership in the Cert Publishers group.
1.Enrollment Services container. The CA computer has Read and Write access to its own object.
2.AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.
3.CDP container. The Cert Publishers group has Full Control access on every CAs container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.
4.Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.
5.Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.
6.KRA container. The CA computer has Full Control access on its own object.
7.OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.
8.NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.
9.Domain Computers and Domain Users containers.
Reference LinksEvent ID 24 from SourceMicrosoft-Windows-CertificationAuthority

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh