
Troubleshooting the Auto-Enrollment Connector

This topic explains how to troubleshoot the Auto-Enrollment Connector using common tools and commands. It also presents common error scenarios and resolutions. If you encounter an error not described here, contact CyberArk Support.

Tools and commands

Use the following tools and commands to troubleshoot and maintain AEC.

AEC Maintenance page

In AEC, on the Maintenance page, you can:

  • Restart Services: Restart AEC, which runs as a Windows service. You'll need to restart AEC after making changes to CAs, templates, log settings, or the certificate issuance configuration.

  • Purge Records: Purge the AEC database. This database maps the MS-WCCE request identifier that Windows generates to the certificate request AEC sent to Zero Touch PKI, so that the issued certificate can be retrieved later. You can purge records older than 7, 14, or 21 days; choose a window longer than any request is likely to remain pending, because the mapping is what allows a pending response to be retrieved.

    Purging the AEC database

    To minimize disk use and improve performance, CyberArk recommends purging the database every six months.

Certutil

Use Certutil for these certificate-related operations:

Operation                      Command                      Description
List the CA configuration      certutil -dump               Displays the CA configuration details
Ping a CA                      certutil -ping               Tests connectivity to the CA
Pull a CA certificate chain    certutil -cainfo certchain   Retrieves the CA certificate chain
Examine certificate templates  certutil -cainfo templates   Lists the certificate templates associated with a CA

To target a specific CA rather than the default one, add -config Host\CAName to the -ping and -cainfo commands.
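The following script runs the four certutil checks from the table against one CA and reports each as pass or fail, ending with the template list so it can be compared with the templates configured in AEC. It is an added example, not code from the CyberArk documentation or from AEC; the CA config string aec01.corp.example\ZTPKI-AEC is a hypothetical value, so replace it with your own Host\CAName (certutil -dump prints the exact string).

```powershell
# Added example (not from the CyberArk/Venafi documentation): run the certutil
# checks from the table above against one CA config and report pass/fail.
# The config string below is hypothetical; replace it with your "Host\CAName".
param(
    [string]$Config = 'aec01.corp.example\ZTPKI-AEC'
)

function Invoke-CertutilCheck {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Arguments
    )
    # certutil writes its diagnostics to stdout, so capture both streams and
    # use the exit code (0 = success) as the verdict.
    $output = & certutil.exe @Arguments 2>&1
    [pscustomobject]@{
        Check    = $Name
        Command  = "certutil $($Arguments -join ' ')"
        Passed   = ($LASTEXITCODE -eq 0)
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String).Trim()
    }
}

# -dump lists the CA configuration entries the host knows about; the other
# three are pointed at the chosen CA with -config.
$results = @(
    Invoke-CertutilCheck -Name 'Dump CA config' -Arguments @('-dump')
    Invoke-CertutilCheck -Name 'Ping CA'        -Arguments @('-config', $Config, '-ping')
    Invoke-CertutilCheck -Name 'CA cert chain'  -Arguments @('-config', $Config, '-cainfo', 'certchain')
    Invoke-CertutilCheck -Name 'Templates'      -Arguments @('-config', $Config, '-cainfo', 'templates')
)

$results | Format-Table Check, Passed, ExitCode, Command -AutoSize

# The template listing is the check that matters for auto-enrollment: print
# what the CA advertises so it can be compared with the templates in AEC.
$templates = $results | Where-Object Check -eq 'Templates'
if ($templates.Passed) {
    Write-Host "`nTemplates advertised by $Config`:"
    $templates.Output
}
else {
    Write-Warning "Template listing failed (exit $($templates.ExitCode)):`n$($templates.Output)"
}
```

Run it from an elevated Windows PowerShell prompt on a domain-joined host that can reach the CA. A failed Ping CA check with the others passing usually points at the AEC service not running or a firewall between the client and the AEC host, which is worth checking before looking at templates.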

certreq

Use the certreq command to do the following:

  • Create a new request from an .inf file.
  • Request a certificate from a CA.
  • Retrieve a response to a previous request from a CA.
  • Accept and install a response to a certificate request.
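The script below walks through all four certreq operations in the list above as one procedure: it writes an .inf file, creates the request, submits it, polls for a pending response, and installs the issued certificate. It is an added example, not code from the CyberArk documentation or from AEC. The CA config string, the template name ZTPKI-WebServer, the subject and the working directory are hypothetical values; replace them with the CA that AEC presents and a template configured there.

```powershell
# Added example (not from the CyberArk/Venafi documentation): the full certreq
# cycle (new -> submit -> retrieve -> accept). All values in param() are
# hypothetical; replace them with your CA config string, template and subject.
param(
    [string]$Config   = 'aec01.corp.example\ZTPKI-AEC',
    [string]$Template = 'ZTPKI-WebServer',
    [string]$Subject  = 'CN=app01.corp.example',
    [string]$WorkDir  = (Join-Path $env:TEMP 'certreq-demo')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'

# 1. Describe the request in an .inf file. The key is created in the machine
#    store and marked non-exportable so it never leaves this host.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $infPath -Encoding ASCII

# 2. Create the PKCS#10 request (this also generates the key pair).
& certreq.exe -new $infPath $reqPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit it. Requests that AEC forwards to Zero Touch PKI may not be issued
#    immediately, so keep the RequestId and handle the pending case.
$submit = & certreq.exe -submit -config $Config $reqPath $cerPath 2>&1 | Out-String
if ($submit -match 'RequestId:\s*(\d+)') { $requestId = [int]$Matches[1] }
else { throw "No RequestId in certreq output:`n$submit" }

if ($submit -match 'pending') {
    Write-Host "Request $requestId is pending; polling the CA for the response..."
    # 4. Retrieve the response by RequestId until the CA has issued it. A still
    #    pending request produces no .cer file, so the file is the signal.
    $deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 30
        $out = & certreq.exe -retrieve -config $Config $requestId $cerPath 2>&1 | Out-String
        $retrieved = ($out -match 'Issued') -and (Test-Path $cerPath)
    } until ($retrieved -or (Get-Date) -gt $deadline)
    if (-not $retrieved) { throw "Request $requestId still not issued after 10 minutes" }
}

# 5. Install the certificate and bind it to the private key created in step 2.
& certreq.exe -accept $cerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

Write-Host "Request $requestId issued and installed:"
Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "*$Subject*" |
    Format-List Subject, Thumbprint, NotAfter
```

Run it elevated, because MachineKeySet = TRUE creates the key in the machine store. The RequestId that certreq prints at step 3 is the MS-WCCE identifier that the AEC database maps to the Zero Touch PKI request, which is why a request that stays pending past the purge window can no longer be retrieved at step 4.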

Common error messages

This section describes common error messages you may encounter when using the Auto-Enrollment Connector and explains their likely causes.

Catastrophic failure: Unexpected method call sequence 0x8000FFFF

Indicates that the CA URL parameter is incorrect. This error appears in the Microsoft Management Console and the Auto-Enrollment Connector logs as:

Catastrophic failure Unexpected method call sequence. 0x8000FFFF (-2147418113 E_UNEXPECTED)

Resolution: Verify that the URL matches your Zero Touch PKI environment

  • Americas: https://ztpki.venafi.com
  • Europe: https://ztpki.eu.venafi.com
  • Australia: https://ztpki.au.venafi.com

Resolution: Verify that the URL does not include a trailing slash

Confirm that the URL ends with the host name and nothing else: https://ztpki.venafi.com is correct, https://ztpki.venafi.com/ is not.
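A small validator for the CA URL, covering both resolutions above (wrong endpoint and trailing slash) plus the related mistakes of a non-HTTPS scheme or a path after the host. It is an added example, not code from the CyberArk documentation or from AEC, and it does not read the AEC configuration; pass it the URL you entered. The sample inputs at the end are constructed.

```powershell
# Added example (not from the CyberArk/Venafi documentation): check a Zero
# Touch PKI CA URL against the regional endpoints listed in this section.
function Test-ZtpkiCaUrl {
    param([Parameter(Mandatory)][string]$Url)

    # Hosts of the three Zero Touch PKI environments named in the resolution.
    $expectedHosts = @('ztpki.venafi.com', 'ztpki.eu.venafi.com', 'ztpki.au.venafi.com')
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($Url.EndsWith('/')) {
        $problems.Add('URL has a trailing slash')
    }
    $trimmed = $Url.TrimEnd('/')

    $uri = $null
    $normalized = $null
    if (-not [Uri]::TryCreate($trimmed, [UriKind]::Absolute, [ref]$uri)) {
        $problems.Add('URL is not an absolute URI')
    }
    else {
        if ($uri.Scheme -ne 'https') {
            $problems.Add("scheme is $($uri.Scheme), expected https")
        }
        # A bare "https://host" parses with AbsolutePath "/"; anything else is a path.
        if ($uri.AbsolutePath -ne '/') {
            $problems.Add("URL carries a path ($($uri.AbsolutePath)); only the host is expected")
        }
        if ($expectedHosts -notcontains $uri.Host) {
            $problems.Add("host $($uri.Host) is not a Zero Touch PKI endpoint")
        }
        $normalized = "https://$($uri.Host)"
    }

    [pscustomobject]@{
        Url        = $Url
        Normalized = $normalized
        IsValid    = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Constructed inputs: the first is correct, the rest reproduce common mistakes.
@(
    'https://ztpki.venafi.com',
    'https://ztpki.venafi.com/',
    'http://ztpki.eu.venafi.com',
    'https://ztpki.venafi.com/api',
    'https://ztpki.example.com'
) | ForEach-Object { Test-ZtpkiCaUrl $_ } | Format-Table Url, IsValid, Normalized, Problems -AutoSize
```

The Normalized value is what should be entered in AEC; the function only reports problems and never silently repairs the configured value, so a trailing slash is still surfaced even though the normalized form drops it.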

Unspecified Error 0x80004005

Indicates that the LiteDB database embedded in AEC cannot initialize on a Windows host that has been configured to use only FIPS-compliant algorithms. As the stack trace below shows, the LiteDB engine constructor creates a SHA1Managed instance, which is not a FIPS-validated implementation, so the .NET Framework refuses to create it while the Windows FIPS policy is enforced. The issue was reported in 2020 and was reportedly fixed in a later release.

This error appears in the Microsoft Management Console as:

Unspecified Error 0x80004005 (-2147467259 E_FAIL)

Here is an example from the AEC logs:

2022-08-01 15:43:13,007 [6] ERROR EnrollmentProxy.Util.DataStore - This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.SHA1Managed..ctor()
at LiteDB.StringExtensions.Sha1(String value)
at LiteDB.SharedEngine..ctor(EngineSettings settings)
at LiteDB.ConnectionString.CreateEngine()
at LiteDB.LiteDatabase..ctor(ConnectionString connectionString, BsonMapper mapper)
at EnrollmentProxy.Util.DataStore.EnsureIndexes()
2022-08-01 15:43:13,007 [6] ERROR EnrollmentProxy.Util.DataStore - This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Resolution: Modify the proxy settings

  1. In EnrollmentProxy.exe.config, add the following inside the <runtime> element (create the element under <configuration> if it does not exist):

    <runtime>
      <enforceFIPSPolicy enabled="false"/>
    </runtime>
    
  2. In AEC, click Maintenance > Restart Services.

This setting only stops the .NET Framework from enforcing the Windows FIPS policy inside the EnrollmentProxy.exe process. It does not change the host's FIPS setting or the algorithms any other software uses. If the host is subject to a FIPS compliance requirement, record this exception.
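The script below diagnoses this error on the AEC host and, with -Apply, performs step 1 of the resolution: it reads the Windows FIPS policy from the registry, reproduces the SHA1Managed failure in-process, counts the matching log lines, and sets enforceFIPSPolicy to false under <runtime>, creating the element if it is missing. It is an added example, not code from the CyberArk documentation or from AEC. The config and log paths are hypothetical values; use the directory AEC is installed in. Run it elevated in Windows PowerShell 5.1, then restart AEC from Maintenance > Restart Services.

```powershell
# Added example (not from the CyberArk/Venafi documentation): diagnose the
# FIPS error and apply the enforceFIPSPolicy workaround. Both paths below are
# hypothetical; point them at your AEC install directory.
param(
    [string]$ConfigPath = 'C:\Program Files\CyberArk\AEC\EnrollmentProxy.exe.config',
    [string]$LogPath    = 'C:\Program Files\CyberArk\AEC\logs\EnrollmentProxy.log',
    [switch]$Apply
)

# 1. Is the Windows FIPS policy on? This is the registry value .NET Framework
#    consults when deciding whether to block non-validated algorithms.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                         -Name Enabled -ErrorAction SilentlyContinue
Write-Host "Windows FIPS policy enabled: $($fips.Enabled -eq 1)"

# 2. Reproduce the failure: SHA1Managed is the class the LiteDB constructor
#    calls in the stack trace. Windows PowerShell 5.1 runs on .NET Framework,
#    which honours the policy; PowerShell 7 does not enforce it, so this test
#    only reproduces the error under 5.1.
try {
    [System.Security.Cryptography.SHA1Managed]::new().Dispose()
    Write-Host 'SHA1Managed constructed: this process is not blocked by FIPS policy'
}
catch {
    Write-Warning "SHA1Managed blocked: $($_.Exception.GetBaseException().Message)"
}

# 3. Count the signature line in the AEC log.
if (Test-Path $LogPath) {
    $hits = Select-String -Path $LogPath -SimpleMatch `
        -Pattern 'not part of the Windows Platform FIPS validated cryptographic algorithms'
    Write-Host "Log lines matching the FIPS error: $(@($hits).Count)"
}

# 4. Inspect the config and, with -Apply, set enforceFIPSPolicy under <runtime>.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$runtime = $cfg.configuration.SelectSingleNode('runtime')
if (-not $runtime) {
    $runtime = $cfg.configuration.AppendChild($cfg.CreateElement('runtime'))
}
$policy  = $runtime.SelectSingleNode('enforceFIPSPolicy')
$current = if ($policy) { $policy.GetAttribute('enabled') } else { '(absent: .NET defaults to true)' }
Write-Host "enforceFIPSPolicy currently: $current"

if ($Apply) {
    # Keep a backup; the .exe.config is the only place this setting lives.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    if (-not $policy) {
        $policy = $runtime.AppendChild($cfg.CreateElement('enforceFIPSPolicy'))
    }
    $policy.SetAttribute('enabled', 'false')
    $cfg.Save($ConfigPath)
    Write-Host "Set enforceFIPSPolicy enabled=false in $ConfigPath (backup: $ConfigPath.bak). Restart AEC to apply."
}
```

Without -Apply the script changes nothing and only reports, which is the safer default on a host where a FIPS requirement applies. The in-process SHA1Managed test is the quickest confirmation that the error is the policy and not a corrupt database: if the constructor succeeds in an elevated Windows PowerShell 5.1 session on the same host, the cause lies elsewhere.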