Collection Rule for event with source CertificationAuthority and ID 93

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.93 (Rule)

Certificate Services cannot find the CA certificate in the NTAuth store.

Knowledge Base article:

Summary

Active Directory Certificate Services (AD CS) requires at least Read access, and in some instances Write access, to certain objects in Active Directory Domain Services (AD DS). Failure to access these Active Directory objects can prevent AD CS from starting.

Resolutions

Ensure that AD CS can publish the CA certificate to the NTAuth store

To resolve this problem:

If you have trouble locating the CA certificate in order to publish it to the NTAuth store, use the procedure in the "Locate the CA certificate file on a computer" section before publishing it to the NTAuth store.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm NTAuth store permissions

To check the permissions of the CA on the NTAuth container:

Confirm contents of the NTAuth store

To check the contents of the NTAuth store in Active Directory Domain Services (AD DS):

Locate the CA certificate file on a computer

To locate the CA certificate file on the local file system:

By default, this file is stored in %systemroot%\system32\certsrv\certenroll.

Element properties:

TargetMicrosoft.Windows.CertificateServices.CARole.2016
CategoryEventCollection
EnabledTrue
Event_ID93
Event SourceMicrosoft-Windows-CertificationAuthority
Alert GenerateFalse
RemotableTrue
Event LogApplication

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
WriteToCertSvcEvents WriteAction Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher Default
WriteToDB WriteAction Microsoft.SystemCenter.CollectEvent Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.93" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">93</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
</WriteActions>
</Rule>