Auto Enrollment Troubleshooting

The following provides some troubleshooting tips to help you get back on track. 

General Troubleshooting

  • Confirm that Tomcat is running and listening on port 8443.
  • Confirm that the JKS files can be read with the supplied password via the keytool utility.
  • Check the directory syntax in the server.xml and *.properties files.

Confirm Loading of URLs

Load the following URLs via a Firefox browser to see if they resolve. Be sure to load the URLs from a client machine that will be requesting a certificate.

MSEnrollmentServlet

Load the following URL in a Firefox browser: https://tomcatserver.yourcompany.com:8443/autoenroll/MSEnrollmentServlet

  • If working properly, you should see a login prompt.
  • If not, this can indicate a DNS issue, an SSL certificate issue (JKS password, misconfigured certificate), or a Tomcat server configuration issue.

EJBCA Web Service WSDL

Load the following URL in a Firefox browser: https://ejbcaserver.yourcompany.com/ejbca/ejbcaws/ejbcaws?wsdl

  • If working properly, there will be an SSL server exception. The expected result is that the page errors out because your browser does not have a client authentication certificate for the EJBCA CA UI.
  • If there is no SSL server exception, check DNS and whether the client machine can reach the EJBCA Admin Web SSL port (for example with telnet).
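The checks in General Troubleshooting and Confirm Loading of URLs can be scripted from the client machine. The following PowerShell is an added example, not part of the original page or of the EJBCA autoenrollment project; the host names, the keystore path and the assumption that the servlet answers with an HTTP 401 challenge (what the browser renders as a login prompt) are placeholders to adjust.

```powershell
# Added example (not from the original page): scripted versions of the checks in
# "General Troubleshooting" and "Confirm Loading of URLs". Host names, the keystore
# path and the 401 assumption are placeholders; replace them with your own values.
$tomcatHost   = 'tomcatserver.yourcompany.com'
$ejbcaHost    = 'ejbcaserver.yourcompany.com'
$keystorePath = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\tomcat.jks'  # assumed path
$keystorePass = (Get-Credential -UserName 'jks' -Message 'JKS keystore password').GetNetworkCredential().Password

# 1. Is Tomcat listening on 8443?
$tcp = Test-NetConnection -ComputerName $tomcatHost -Port 8443 -WarningAction SilentlyContinue
"Tomcat 8443 reachable: $($tcp.TcpTestSucceeded)"

# 2. Can the JKS be opened with the supplied password? keytool exits non-zero if not.
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
& $keytool -list -keystore $keystorePath -storepass $keystorePass | Out-Null
"JKS readable with supplied password: $($LASTEXITCODE -eq 0)"

# 3. Do the two URLs behave as the troubleshooting text describes?
function Test-Url {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        "$Url -> HTTP $($r.StatusCode)"
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            # An HTTP error came back. A 401 challenge is what the browser shows as
            # a login prompt (assumed: the servlet uses HTTP authentication).
            "$Url -> HTTP $([int]$resp.StatusCode)"
        } else {
            # No HTTP response at all: DNS, TCP or TLS failure. The WSDL URL is
            # expected to land here because EJBCA requires a client certificate.
            "$Url -> no HTTP response: $($_.Exception.Message)"
        }
    }
}
Test-Url "https://${tomcatHost}:8443/autoenroll/MSEnrollmentServlet"
Test-Url "https://${ejbcaHost}/ejbca/ejbcaws/ejbcaws?wsdl"
```

Read the output in the order of the page's checklist: a failed TCP test points at Tomcat or the network, a failed keytool listing at the JKS password or file, and a "no HTTP response" for the MSEnrollmentServlet URL at DNS or the SSL configuration, while the same result for the WSDL URL is the expected client-certificate rejection.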

Check Logs

The following lists relevant logs and their locations.

Tomcat Log

Location of the Tomcat logs:

C:\Program Files\Apache Software Foundation\Tomcat 9.0\logs

Check for servlet exceptions in the localhost.<date>.log.

Windows Application Log

Check the Windows Application Log if the Windows client is failing to get a certificate.

EJBCA Server Log

Location of the EJBCA server log:

/opt/wildfly/standalone/log/server.log 

To see which group policy is being applied to the client, run the following to write a report to an HTML file:

gpresult -h c:\temp\gpresult.html

Enable Client Logging

If Auto Enrollment is failing, you can get more detailed logging on the client by forcing Auto Enrollment and then looking in the Application log to see what happens when Auto Enrollment takes place.

  1. Create a new registry value to enable more detailed Auto Enrollment auditing:
  2. In HKCU\Software\Microsoft\Cryptography\Autoenrollment and HKLM\Software\Microsoft\Cryptography\Autoenrollment, create a new DWORD value named AEEventLogLevel and set its value to 0.
  3. Open the Application Log in the Event Viewer (eventvwr.exe).
  4. Run the following to force Auto enrollment: gpupdate /force.
  5. In the Application event log, refresh the log to see what happens during Auto Enrollment.
  6. Two computer Auto Enrollment messages (start, stop) should occur initially, followed by two user Auto Enrollment messages (start, stop) within 30 seconds to 2 minutes. Any issued certificates should appear in the log as Event ID 18 or 19. Start and stop messages are Event IDs 2 and 3.
  7. If there are any valid Auto Enrollment certificates to be issued, they will issue here.
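The seven steps above can be run as one PowerShell script that sets the registry value, forces the policy refresh and then pulls the Auto Enrollment events (IDs 2, 3, 18 and 19) from the Application log. This is an added example, not part of the original page or of the EJBCA project; the 120-second wait and the provider-name pattern used to filter events are assumptions.

```powershell
# Added example (not from the original page): scripted version of the
# "Enable Client Logging" steps. Run from an elevated PowerShell; the 120-second
# wait and the '*AutoEnrollment*' provider-name pattern are assumptions.
$keys = 'HKCU:\Software\Microsoft\Cryptography\Autoenrollment',
        'HKLM:\Software\Microsoft\Cryptography\Autoenrollment'

# Steps 1-2: create AEEventLogLevel (DWORD = 0) under both hives.
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'AEEventLogLevel' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Step 4: force Auto Enrollment. Record the time first so only new events are read.
$since = Get-Date
gpupdate /force | Out-Null

# Steps 5-6: the user start/stop pair can trail the computer pair by up to two minutes.
Start-Sleep -Seconds 120

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 2, 3, 18, 19      # 2/3 = start/stop, 18/19 = certificate issued
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*AutoEnrollment*' } |   # assumed pattern
    Sort-Object TimeCreated

if (-not $events) {
    'No Auto Enrollment events since gpupdate; check the applied policy with gpresult and the Tomcat/EJBCA logs.'
} else {
    $events | Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
}

# Step 7: count the certificates reported as issued during this run.
$issued = @($events | Where-Object { $_.Id -in 18, 19 }).Count
"Certificates issued during this run: $issued"
```

Because the script runs elevated, the HKCU value lands in the elevated account's hive; if the user whose enrollment is failing is a different account, set the HKCU value in that user's own session as well. Seeing the two start/stop pairs but no Event ID 18 or 19 means the client ran Auto Enrollment but received no certificate, which points back at the Tomcat and EJBCA server logs.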

Web Service Invalid Format Error

A WS_E_INVALID_FORMAT error in the EJBCA log is most likely caused either by the Tomcat server not running Java 8, or by the AutoEnroll.war file having been compiled with an unsupported Java version. For more information, see Autoenrollment Requirements.