What Is Enterprise PKI?
Enterprise PKI:
• Indicates the validity and accessibility of authority information access (AIA) locations and certificate revocation list (CRL) distribution points (CDPs)
• Reports various status levels, such as:
• OK. The CA certificate or CRL at the referenced URL is valid.
• Expiring. The CA certificate or CRL at the referenced URL is close to its expiration date.
• Expired. The CA certificate or CRL at the referenced URL is expired.
• Unable to download. The CA certificate or CRL cannot be downloaded from the referenced URL.
Common AD CS Issues
Common AD CS troubleshooting issues are:
• Client autoenrollment problems
• Certificate validation errors
• Web enrollment errors
Troubleshooting Client Autoenrollment
Problem:
Clients do not enroll for certificates automatically after autoenrollment is configured.
Solution:
Wait for Group Policy to complete replication. Alternatively, use the Gpupdate command to force the policy to be applied immediately.
Ensure that the user is a member of a group that has Enroll permissions on the certificate template being used.
Troubleshooting Certificate Validation Errors
Problem:
Validation errors occur when users access resources by using certificates.
Solution:
Use Enterprise PKI to verify that the AIA and CDP locations and certificates are valid.
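The following script is an added example (not from the original material) that reproduces the Enterprise PKI status levels listed above for every HTTP AIA and CDP URL found in a CA certificate, which is the check the solution above relies on. It assumes the CA certificate has been exported to the path in $CaCertPath, that certutil.exe is on the PATH, and that "Expiring" means within $ExpiringDays of the NotAfter or NextUpdate date; ldap:/// locations are skipped.

```powershell
# Added example: classify each HTTP AIA/CDP location of a CA certificate the way
# Enterprise PKI does (OK / Expiring / Expired / Unable to download).
param(
    [string]$CaCertPath = 'C:\Temp\IssuingCA.cer',   # assumed path to the exported CA cert
    [int]$ExpiringDays  = 7                          # assumed "Expiring" threshold in days
)

function Get-PkiStatus {
    param([datetime]$Expires, [int]$Days = 7)
    $now = Get-Date
    if ($Expires -lt $now)               { return 'Expired'  }
    if ($Expires -lt $now.AddDays($Days)) { return 'Expiring' }
    return 'OK'
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
# 1.3.6.1.5.5.7.1.1 = Authority Information Access, 2.5.29.31 = CRL Distribution Points
$oids = @{ '1.3.6.1.5.5.7.1.1' = 'AIA'; '2.5.29.31' = 'CDP' }

foreach ($ext in ($cert.Extensions | Where-Object { $oids.ContainsKey($_.Oid.Value) })) {
    $kind = $oids[$ext.Oid.Value]
    # Format() renders the extension as text; pull the http(s) URLs out of that text
    $urls = [regex]::Matches($ext.Format($true), 'URL=(https?://\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $tmp = Join-Path $env:TEMP ('pkicheck_' + [guid]::NewGuid().ToString())
        try {
            Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $tmp -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Type = $kind; Url = $url; Status = 'Unable to download'; Expires = $null }
            continue
        }
        if ($kind -eq 'AIA') {
            # AIA points at the issuing CA certificate: its NotAfter is the expiry
            $expires = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tmp).NotAfter
        } else {
            # .NET has no CRL parser, so let certutil dump the CRL and read its NextUpdate line
            $line = (& certutil.exe -dump $tmp) | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1
            $expires = if ($line -match 'NextUpdate:\s*(.+)$') { [datetime]::Parse($Matches[1]) } else { Get-Date }
        }
        Remove-Item $tmp -ErrorAction SilentlyContinue
        [pscustomobject]@{ Type = $kind; Url = $url; Status = (Get-PkiStatus $expires -Days $ExpiringDays); Expires = $expires }
    }
}
```

Run it as `.\Check-PkiLocations.ps1 -CaCertPath .\IssuingCA.cer`; any row whose Status is not OK is the same condition the Enterprise PKI snap-in would flag for that URL.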
Installation Issues of AD LDS Instances
Problem:
The installation or removal of an AD LDS instance fails to complete successfully.
Solution:
If no screen message appears and setup fails to complete successfully, view the setup log at:
%windir%\Debug\adamsetup.log
If no screen message appears and instance removal fails to complete successfully, view the uninstall log at:
%windir%\Debug\adamuninstall.log
Application Connection Issues of AD LDS
Problem:
A directory-enabled application cannot find the AD LDS instance.
Solution:
Specify the correct communication port number when connecting to the AD LDS instance. The communication port number is 389 (LDAP) or 636 (LDAP over SSL).
Problem:
A user is not able to connect to an AD LDS instance.
Solution:
Install certificates on the computer running the AD LDS instance and on all client computers to enable SSL connections.
Initiating Issues of Instances
Problem:
An AD LDS instance will not start.
Solution:
Ensure that the service is running. If the service account that is specified for the ADAM (AD LDS) instance is a workstation or domain user account, make sure that the account possesses the Run as a service right.