ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Certificate Authority management console displaying certificate templates and security event logs
Event ID 4868WarningSecurityWindows

Windows Event ID 4868 – Security: Certificate Services Denied Request

Event ID 4868 fires when Active Directory Certificate Services denies a certificate request due to policy violations, insufficient permissions, or template restrictions.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4868Security 5 methods 12 min
Event Reference

What This Event Means

Event ID 4868 represents a critical security audit event generated by Windows Certificate Services when denying certificate requests. This event occurs within the certificate enrollment process when AD CS evaluates incoming requests against configured security policies, certificate templates, and user permissions. The Certificate Authority performs multiple validation checks including template permissions, subject name restrictions, key usage policies, and enrollment agent authorization before issuing certificates.

When any validation step fails, Certificate Services immediately logs Event ID 4868 with detailed information about the denial. The event captures the requesting user's identity, the certificate template being requested, the specific denial reason, and contextual information about the CA processing the request. This granular logging enables administrators to distinguish between configuration errors and potential security threats.

The event plays a crucial role in PKI security monitoring by providing visibility into failed certificate requests. Security teams use these events to detect unauthorized certificate requests, identify template misconfigurations, and investigate potential certificate-based attacks. The event data supports compliance requirements for certificate lifecycle management and provides forensic evidence for security incident investigations.

Modern PKI environments generate significant volumes of Event ID 4868 entries, particularly in large Active Directory deployments with complex certificate template configurations. Proper filtering and analysis of these events is essential for maintaining PKI security while avoiding alert fatigue from legitimate configuration issues.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025
Analysis

Possible Causes

  • Certificate template permissions deny access to the requesting user or computer account
  • Subject name restrictions in the template conflict with the requested certificate subject
  • Key usage or enhanced key usage policies in the template don't match the request parameters
  • Certificate template enrollment agent requirements not met by the requesting entity
  • CA security policies block the certificate request based on configured restrictions
  • Invalid or expired enrollment agent certificates used in the request process
  • Certificate template validity period or renewal settings prevent issuance
  • Cryptographic provider or key length requirements not satisfied by the request
  • Certificate Services database corruption or connectivity issues during request processing
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the complete Event ID 4868 details to understand the specific denial reason and context.

  1. Open Event Viewer on the Certificate Authority server
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4868 using the filter option
  4. Double-click the most recent 4868 event to view full details
  5. Record the following key information from the event:
    • Subject name requested
    • Certificate template name
    • Requesting user account
    • Denial reason code
    • CA name and server
  6. Use PowerShell to extract multiple events for pattern analysis:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4868} -MaxEvents 50 | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Template';Expression={$_.Properties[4].Value}}, @{Name='Reason';Expression={$_.Properties[6].Value}} | Format-Table -AutoSize

This method provides immediate visibility into certificate denial patterns and helps identify whether issues are isolated incidents or systematic problems.

02

Verify Certificate Template Permissions

Check certificate template security settings to ensure proper permissions are configured for the requesting users or computers.

  1. Open Certificate Authority management console on the CA server
  2. Expand the CA name and click Certificate Templates
  3. Right-click the template mentioned in Event ID 4868 and select Properties
  4. Click the Security tab to review permissions
  5. Verify the requesting user or computer account has appropriate permissions:
    • Read - Required for all certificate requests
    • Enroll - Required for standard certificate enrollment
    • Autoenroll - Required for automatic enrollment scenarios
  6. Use PowerShell to audit template permissions across multiple templates:
Import-Module ActiveDirectory
$Templates = Get-ADObject -Filter {objectClass -eq 'pKICertificateTemplate'} -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADDomain).DistinguishedName)"
foreach ($Template in $Templates) {
    $ACL = Get-ACL "AD:$($Template.DistinguishedName)"
    Write-Host "Template: $($Template.Name)"
    $ACL.Access | Where-Object {$_.IdentityReference -like "*Domain Users*" -or $_.IdentityReference -like "*Authenticated Users*"} | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType
}

Add the requesting user or appropriate security group to the template permissions if access is legitimately required.

03

Examine Certificate Template Configuration

Review the certificate template settings to identify configuration issues that might cause request denials.

  1. In the Certificate Authority console, right-click the problematic template and select Properties
  2. Review the General tab for validity period and renewal settings
  3. Check the Request Handling tab for:
    • Purpose settings (Encryption, Signature, etc.)
    • Key usage requirements
    • Minimum key size settings
    • Cryptographic provider requirements
  4. Examine the Subject Name tab for subject name restrictions
  5. Review the Extensions tab for enhanced key usage and application policy settings
  6. Use PowerShell to export template configuration for analysis:
$TemplateName = "WebServer"  # Replace with your template name
$Template = Get-ADObject -Filter {Name -eq $TemplateName -and objectClass -eq 'pKICertificateTemplate'} -Properties *
$Template | Select-Object Name, DisplayName, @{Name='ValidityPeriod';Expression={$_.pKIDefaultKeySpec}}, @{Name='KeyUsage';Expression={$_.pKIKeyUsage}}, @{Name='EKU';Expression={$_.pKIExtendedKeyUsage}} | Format-List
  • Compare template requirements with the denied request parameters from Event ID 4868
  • Modify template settings if the denial is due to overly restrictive configuration

    • Warning: Template modifications affect all future certificate requests. Test changes in a non-production environment first.

    04

    Investigate CA Policy and Database Issues

    Examine Certificate Authority policies and database health to identify system-level issues causing certificate denials.

    1. Check CA policy settings using the Certificate Authority console:
      • Right-click the CA name and select Properties
      • Review the Policy Module tab settings
      • Check the Exit Module configuration
    2. Verify CA database connectivity and health:
    # Check CA service status
Get-Service -Name CertSvc | Format-List Name, Status, StartType

# Verify CA database integrity
certutil -v -db

# Check CA configuration
certutil -cainfo

# Review recent CA database transactions
certutil -view -restrict "RequestId>=$((Get-Date).AddDays(-1).ToString('yyyy-MM-dd'))" csv > CARequests.csv
  • Examine CA event logs for related errors:
    • Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Microsoft-Windows-CertificationAuthority'} -MaxEvents 100 | Where-Object {$_.LevelDisplayName -eq 'Error' -or $_.LevelDisplayName -eq 'Warning'} | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  • Check CA registry settings for policy restrictions:
    • # Review CA policy settings
Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\*" | Select-Object PSChildName, ValidityPeriod, ValidityPeriodUnits
  • If database corruption is suspected, perform CA database repair using certutil -repairstore

    • Pro tip: Enable CA auditing for detailed certificate request logging by configuring audit policies in Group Policy or local security policy.

    05

    Advanced PKI Troubleshooting and Monitoring

    Implement comprehensive PKI monitoring and use advanced troubleshooting techniques for complex certificate denial scenarios.

    1. Enable detailed CA logging for enhanced troubleshooting:
    # Enable CA debug logging
certutil -setreg ca\Debug 0xffffffe3
Restart-Service CertSvc

# Configure CA to log all certificate operations
certutil -setreg ca\AuditFilter 127
  • Set up automated monitoring for Event ID 4868 patterns:
    • # Create scheduled task to monitor certificate denials
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4868; StartTime=(Get-Date).AddHours(-1)} | Export-Csv C:\Logs\CertDenials.csv -Append"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName "Monitor-CertificateDenials" -Action $Action -Trigger $Trigger
  • Analyze certificate request patterns using PowerShell:
    • # Analyze denial patterns by template and user
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4868; StartTime=(Get-Date).AddDays(-7)}
$Analysis = $Events | ForEach-Object {
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $_.Properties[1].Value
        Template = $_.Properties[4].Value
        Reason = $_.Properties[6].Value
        CA = $_.Properties[7].Value
    }
}
$Analysis | Group-Object Template | Sort-Object Count -Descending | Format-Table Name, Count
  • Implement certificate request validation testing:
    • # Test certificate request using certreq
$TestINF = @"
[NewRequest]
Subject = "CN=TestCert,OU=IT,O=Company,C=US"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@
$TestINF | Out-File -FilePath C:\temp\test.inf
certreq -new C:\temp\test.inf C:\temp\test.req
certreq -submit -config "CA-Server\CA-Name" C:\temp\test.req C:\temp\test.cer
  • Review and optimize certificate template deployment using Group Policy or SCCM for consistent configuration across the environment

    • Pro tip: Use Windows Performance Toolkit (WPT) to capture detailed certificate enrollment traces for complex troubleshooting scenarios involving multiple CAs or cross-forest certificate requests.

    Overview

    Event ID 4868 appears in the Security log when Active Directory Certificate Services (AD CS) denies a certificate request. This event fires on Certificate Authority servers when incoming certificate requests fail validation against configured certificate templates, security policies, or user permissions. The event captures critical details including the requesting user, certificate template name, denial reason, and the CA that processed the request.

    This event is essential for PKI security monitoring as it reveals potential security violations, misconfigurations, or unauthorized certificate requests. Certificate Services generates this event immediately when a request fails any validation step, whether due to template restrictions, insufficient user rights, or policy violations. The event provides forensic data for investigating certificate-related security incidents and helps administrators identify configuration issues in their PKI infrastructure.

    Unlike informational certificate events, Event ID 4868 indicates a security-relevant denial that requires investigation. The event details help distinguish between legitimate configuration issues and potential security threats targeting your certificate infrastructure.

    Frequently Asked Questions

    What does Event ID 4868 mean and when does it occur?+
    Event ID 4868 indicates that Active Directory Certificate Services denied a certificate request. This event occurs when a Certificate Authority evaluates an incoming certificate request and determines it violates configured security policies, template restrictions, or user permissions. The event fires immediately when any validation step fails, including template access rights, subject name restrictions, key usage policies, or enrollment agent requirements. It's a security audit event that helps administrators monitor PKI security and identify both configuration issues and potential security threats targeting certificate infrastructure.
    How can I identify the specific reason why a certificate request was denied?+
    The specific denial reason is contained within the Event ID 4868 details in the Security log. Open Event Viewer, navigate to Windows Logs → Security, and filter for Event ID 4868. Double-click the event to view full details including the denial reason code, requested certificate template, subject name, and requesting user account. You can also use PowerShell to extract denial reasons: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4868} -MaxEvents 10 | Select-Object @{Name='Reason';Expression={$_.Properties[6].Value}}. Common reasons include insufficient template permissions, subject name policy violations, or key usage restrictions.
    What are the most common causes of certificate request denials that trigger Event ID 4868?+
    The most frequent causes include: 1) Certificate template permissions that don't grant Read and Enroll rights to the requesting user or computer account, 2) Subject name restrictions in templates that conflict with the requested certificate subject, 3) Key usage or enhanced key usage policies that don't match request parameters, 4) Missing or invalid enrollment agent certificates for templates requiring enrollment agents, 5) CA security policies blocking requests based on configured restrictions, and 6) Template validity period or cryptographic requirements not met by the request. Template permission issues account for approximately 60% of certificate denials in typical enterprise environments.
    How do I fix certificate template permission issues causing Event ID 4868?+
    To resolve template permission issues: 1) Open the Certificate Authority management console, 2) Navigate to Certificate Templates and right-click the problematic template, 3) Select Properties and click the Security tab, 4) Verify the requesting user or appropriate security group has Read and Enroll permissions (Autoenroll if needed for automatic enrollment), 5) Add missing permissions by clicking Add and selecting the appropriate users or groups, 6) Apply changes and test certificate enrollment. For computer certificates, ensure the computer account or Domain Computers group has appropriate permissions. Always follow the principle of least privilege and avoid granting overly broad permissions to certificate templates.
    Can Event ID 4868 indicate a security threat, and how should I investigate potential attacks?+
    Yes, Event ID 4868 can indicate security threats including unauthorized certificate requests, privilege escalation attempts, or reconnaissance activities targeting PKI infrastructure. Investigate potential threats by: 1) Analyzing request patterns for unusual subject names, templates, or requesting accounts, 2) Correlating with other security events like failed logons or privilege escalation attempts, 3) Reviewing requests for high-value certificate templates like Domain Controller or Code Signing certificates, 4) Checking for requests from unexpected network locations or outside business hours, 5) Monitoring for repeated denial attempts from the same account. Implement automated alerting for denials involving sensitive templates and maintain baseline metrics for normal certificate request volumes to detect anomalies.
    Documentation

    References (2)

    1
    Microsoft Learn - Certificate Services Security EventsOfficial documentation covering Certificate Services security event logging including Event ID 4868 and related PKI audit events.https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-services-security-events
    2
    Microsoft Docs - Active Directory Certificate ServicesComprehensive guide to AD CS deployment, configuration, and management including certificate template security and troubleshooting.https://docs.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview
    Emanuel DE ALMEIDA
    Written by

    Emanuel DE ALMEIDA

    Senior IT Journalist & Cloud Architect

    Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

    Tags
    #event-id-4868#certificate-services#pki-security

    Related Windows Events

    Windows security monitoring dashboard displaying audit events and privilege tracking logs
    Event 6276
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

    Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

    March 189 min
    Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
    Event 6274
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

    Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

    March 189 min
    Network Policy Server monitoring dashboard showing authentication events and security logs
    Event 6273
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

    Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

    March 189 min
    Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
    Event 6272
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

    Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

    March 1812 min

    Discussion

    Share your thoughts and insights

    You must be logged in to comment.

    Log in
    Loading comments...