A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

AL1723
2023-07-20T08:45:02.95+00:00

Dear Community,

I have the following CES error message when using a CEP CES instance (installed on Windows Server 2019) coming from a foreign domain connected via a forest trust:

A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

The CEP and also the CES work within the forest they are installed in.

CEP/CES (Certificate Enrollment Policy Web Service / Certificate Enrollment Web Service) are not set up on the same machine as the Microsoft SubCA. Delegation has been configured for the CES CEP service account.

For Cross Forest use, the setting "Enable LDAP referrals" was made on the CA. (certutil -setreg Policy\EditFlags +EDITF_ENABLELDAPREFERRALS).

In the foreign domain, the CA chain was made known via "certutil -dspublish".

The following two commands also do not bring errors when run in the foreign domain:

certutil -ping -kerberos -config "https://cepces.muc.idp/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP

certutil -ping -kerberos -config "https://cepces.muc.idp/IDp%20Infra%20CA_CES_Kerberos/service.svc/CES" CES

The CEP URL can be included without problems and the certificate templates for which the foreign domain machine or user is authorized are displayed.

The error only occurs when I try to enroll the certificates and is only related to the CES.

Through debugging in IIS I get a warning in conjunction with an HTTP error 500 message. The authentication does not work.

However, when I look at the Kerberos tickets (cmd command: klist -li 3e7) in the foreign domain, I see valid tickets for the CEP CES server.

In the event log on the machine in the foreign domain I see errors with ID 13 for the CertificateServicesClient-CertEnroll source.

Error description:

Certificate enrollment for Local system failed to enroll for a certificate <Template Name> with request ID N/A from https://cepces.muc.idp/IDp%20Infra%20CA_CES_Kerberos/service.svc/CES. A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

This error constellation seems to be very special. I can't find a solution on the Internet.

Maybe someone has a hint why the authentication fails at the CES?

Thanks for any help, AL
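As an added, constructed diagnostic (not part of the question above or of any answer to it): a PowerShell script that gathers the checks the question walks through (certutil -ping against the CEP and CES endpoints, the cached Kerberos tickets for the CES host, the Event ID 13 enrollment failures, and the CA's Policy\EditFlags) so they can be compared in one run from the foreign domain. Assumptions: the URLs are the ones quoted in the question, the CA config string is a placeholder the question does not give, and the Event ID 13 entries are written to the Application log under the full ETW provider name behind the source the question names.

```powershell
param(
    [string]$CepUrl = 'https://cepces.muc.idp/ADPolicyProvider_CEP_Kerberos/service.svc/CEP',
    [string]$CesUrl = 'https://cepces.muc.idp/IDp%20Infra%20CA_CES_Kerberos/service.svc/CES',
    [string]$CaConfig = 'CAHOST\CA-NAME'  # placeholder: "<CA server>\<CA common name>", not given in the question
)

function Test-CepCesEndpoint {
    # Same reachability checks as in the question; a pass here with enrollment still
    # failing narrows the fault to CES-side authentication/delegation.
    foreach ($pair in @(@($CepUrl, 'CEP'), @($CesUrl, 'CES'))) {
        $out = & certutil.exe -ping -kerberos -config $pair[0] $pair[1] 2>&1
        [pscustomobject]@{ Endpoint = $pair[1]; ExitCode = $LASTEXITCODE; Output = ($out -join ' ') }
    }
}

function Get-CepCesTickets {
    # Cached Kerberos tickets for the CEP/CES host in the current logon session
    # (run as SYSTEM, or use 'klist -li 0x3e7' interactively, for the machine context).
    $cesHost = ([uri]$CesUrl).Host
    & klist.exe 2>&1 | Select-String -SimpleMatch -Pattern $cesHost
}

function Get-CertEnrollFailures {
    # Event ID 13 entries from the CertEnroll client (the failures quoted in the question).
    # Assumed: the events live in the Application log under the full ETW provider name.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        Id           = 13
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Test-CaLdapReferrals {
    # Reads Policy\EditFlags from the issuing CA (needs CA admin rights and RPC access) and
    # confirms EDITF_ENABLELDAPREFERRALS, the cross-forest setting the question enabled.
    $out = (& certutil.exe -config $CaConfig -getreg Policy\EditFlags 2>&1) -join ' '
    [pscustomobject]@{ LdapReferrals = [bool]($out -match 'EDITF_ENABLELDAPREFERRALS'); Raw = $out }
}

Test-CepCesEndpoint    | Format-Table -AutoSize
Get-CepCesTickets
Get-CertEnrollFailures | Format-List
Test-CaLdapReferrals   | Format-List
```

Run it in the foreign domain as the identity that fails to enroll (SYSTEM for machine templates); endpoints that ping but show no ticket for the CES host, or a CA without the referral flag, are the first things to rule out.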
