
Windows Event ID 4871 – Microsoft-Windows-Security-Auditing: Certificate Services Denied Request

AD CS writes a security audit event on the Certificate Authority whenever it denies a certificate request because of a policy violation, insufficient enrollment permissions, or a template restriction. One caveat before you build a filter on the number in the title: in Microsoft's Security Auditing reference, 4871 is "Certificate Services received a request to publish the certificate revocation list (CRL)", and the denied-request event is 4888, "Certificate Services denied a certificate request". The analysis and fixes below apply to denied requests.

Emanuel DE ALMEIDA, 18 March 2026
Event Reference

What This Event Means

The denied-request audit event is written by the Windows Security Auditing subsystem (source Microsoft-Windows-Security-Auditing, subcategory Audit Certification Services) to the Security log of the server holding the Certificate Authority role, never on the requesting client. In Microsoft's audit event reference the ID for this event is 4888, "Certificate Services denied a certificate request"; 4871, the number this page is filed under, is documented as "Certificate Services received a request to publish the certificate revocation list (CRL)". The event means an incoming request reached the CA and the policy module rejected it: the requester failed the template's enrollment ACL, the request violated the template's constraints, or the request itself did not validate. Neither event is written unless auditing is enabled at both layers: the Certification Services subcategory in the audit policy, and the matching bit in the CA's AuditFilter registry value (0x4, Issue and manage certificate requests, for denials; 0x8, Revoke certificates and publish CRLs, for CRL publication).

The denied-request event carries the Request ID (the row in the CA database), the Requester (the authenticated account that submitted the request, as DOMAIN\name), the request Attributes (name=value pairs the client attached, such as CertificateTemplate:WebServer when the template was passed as an attribute), the Disposition text the policy module returned, the subject key identifier and the requested Subject. The template is not a dedicated field; when the request carried it as an extension rather than an attribute, look it up in the CA database row for that Request ID. Common denial reasons include insufficient Enroll permission on the template, violation of template settings such as key size or signature requirements, a subject name that does not match the template's Subject Name rules, and requested extensions or key usages the template does not allow.

From a security perspective these denials are a key PKI monitoring signal. A burst of denials from one requester, denials against templates that allow the enrollee to supply the subject name, or requests whose Subject does not correspond to the Requester can indicate reconnaissance, an attempt to obtain a certificate for another identity, or a misconfiguration that is also blocking legitimate enrollment. Because the event lives in the Security log it is collected the same way as other audit events, through Windows Event Forwarding or a SIEM agent, which is where pattern detection across all CAs should happen.

Applies to

Windows Server 2019, Windows Server 2022, Windows Server 2025
Analysis

Possible Causes

  • Requesting account (or its groups) lacks Enroll permission on the certificate template
  • Template security settings exclude the requesting user or computer, or grant access only to a group the account is not in
  • Subject name in the request violates the template's Subject Name rules or organizational policy
  • Request contains extensions or key usages the template does not allow
  • Certificate template is not published on the CA (not listed under its Certificate Templates folder)
  • Request contains an invalid or malformed certificate signing request (CSR)
  • CA policy module rejects the request because of its own configuration (RequestDisposition, EditFlags, extension lists) or a custom policy module
  • Template schema version is newer than the CA's operating system supports, so the CA cannot issue it
  • Request key length is below the template minimum, or the request uses an algorithm the CA does not accept
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the denial events themselves to get the requester, the request ID and the policy module's stated reason.

  1. Open Event Viewer on the Certificate Authority server (the client that submitted the request does not log this event)
  2. Navigate to Windows Logs > Security
  3. Filter on Event ID 4888 (Certificate Services denied a certificate request). A filter on 4871 returns CRL publication requests, which is why a rule copied from the title of this page will look empty or noisy
  4. Double-click the most recent event to view details
  5. Review the General tab for the fields the event carries:
    • Request ID: the row in the CA database for this request; use it with certutil -view to get the full disposition text
    • Requester: the account that submitted the request (DOMAIN\name)
    • Attributes: name=value pairs sent with the request; may name the template (CertificateTemplate:...) and should never contain a san: attribute unless you deliberately allow it
    • Disposition: the reason the policy module gave for the denial
    • Subject: the subject name that was requested; compare it with the Requester
  6. Check the Details tab (XML view) to see the same values as named EventData fields, which is what a SIEM parser should use rather than the message text
  7. Use PowerShell to list several events at once:
# Pull the named fields out of each denial event's message text
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4888} -MaxEvents 50 | ForEach-Object {
    $fields = @{}
    foreach ($line in ($_.Message -split "`r?`n")) {
        if ($line -match '^([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    [pscustomobject]@{ Time = $_.TimeCreated; RequestID = $fields['Request ID']; Requester = $fields['Requester']; Disposition = $fields['Disposition']; Subject = $fields['Subject']; Attributes = $fields['Attributes'] }
}
Pro tip: Look for patterns in denial reasons and requesters across many events to separate a systematic misconfiguration (every request for one template denied) from an isolated or suspicious request.
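The pattern hunting the pro tip describes, as an added example that is not part of the original article: the first function parses a denial event message into an object (known field labels start a field, other lines are continuations, which is how a second request attribute appears), the second pulls live events from the Security log, and the third runs three checks over a set of denials: a burst per requester, a san: request attribute, and a Subject that names an account other than the Requester. The sample events are constructed, and the function names and thresholds are my assumptions, not a Microsoft API.

```powershell
# Added example, not from the original article: parse denied-request audit events into objects
# and run three pattern checks over them. The events below are constructed to follow the
# Request ID / Requester / Attributes / Disposition / Subject layout of the audit message;
# function names and thresholds are my assumptions, not a Microsoft API.

function ConvertFrom-CaDenialEvent {
    # Only the known field labels start a new field; any other non-empty line is a continuation
    # of the previous one (request attributes are listed one per line under "Attributes:")
    param([Parameter(Mandatory)][datetime]$Time, [Parameter(Mandatory)][string]$Message)
    $known = 'Request ID', 'Requester', 'Attributes', 'Disposition', 'SKI', 'Subject'
    $f = @{}; $current = $null
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$' -and $known -contains $Matches[1].Trim()) {
            $current = $Matches[1].Trim(); $f[$current] = $Matches[2].Trim()
        } elseif ($current -and $line.Trim()) {
            $f[$current] += "`n" + $line.Trim()
        }
    }
    [pscustomobject]@{
        Time = $Time; RequestID = $f['Request ID']; Requester = $f['Requester']
        Attributes = $f['Attributes']; Disposition = $f['Disposition']; Subject = $f['Subject']
    }
}

function Get-LiveCaDenials {
    # Live collection on the CA: 4888 = Certificate Services denied a certificate request
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4888} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-CaDenialEvent -Time $_.TimeCreated -Message $_.Message }
}

function Find-CaDenialPatterns {
    # One finding per suspicious pattern; thresholds are assumptions, tune them per environment
    param([Parameter(Mandatory)][object[]]$Denials, [int]$BurstCount = 5, [int]$BurstMinutes = 10)
    $findings = @()

    # 1. Burst: the same requester denied $BurstCount times inside a sliding window of $BurstMinutes
    foreach ($group in ($Denials | Group-Object Requester)) {
        $times = @($group.Group | ForEach-Object Time | Sort-Object)
        for ($i = 0; $i + $BurstCount -le $times.Count; $i++) {
            if (($times[$i + $BurstCount - 1] - $times[$i]).TotalMinutes -le $BurstMinutes) {
                $findings += [pscustomobject]@{ Pattern = 'Burst'; Requester = $group.Name; Detail = "$BurstCount denials within $BurstMinutes min (total $($group.Count))" }
                break
            }
        }
    }
    foreach ($d in $Denials) {
        # 2. A san: request attribute: only honoured when the CA allows it, but always worth a look
        if ($d.Attributes -match '(^|\s)san:') {
            $findings += [pscustomobject]@{ Pattern = 'SanAttribute'; Requester = $d.Requester; Detail = "Request $($d.RequestID): $($d.Attributes -replace '\s+', ' ')" }
        }
        # 3. Subject that does not mention the requester's account name (trailing $ of computer accounts dropped)
        $account = ($d.Requester -replace '^.*\\', '') -replace '\$$', ''
        if ($d.Subject -and $account -and $d.Subject -notmatch [regex]::Escape($account)) {
            $findings += [pscustomobject]@{ Pattern = 'SubjectMismatch'; Requester = $d.Requester; Detail = "Request $($d.RequestID): subject '$($d.Subject)'" }
        }
    }
    $findings
}

# Constructed sample events (not captured from a real CA)
$sample = @(
    @{ Time = '2026-03-18T09:00:00'; Message = "Certificate Services denied a certificate request.`n`nRequest ID:`t1401`nRequester:`tCONTOSO\jsmith`nAttributes:`tCertificateTemplate:User`nDisposition:`tDenied by Policy Module`nSubject:`tCN=jsmith,CN=Users,DC=contoso,DC=com" },
    @{ Time = '2026-03-18T09:01:00'; Message = "Certificate Services denied a certificate request.`n`nRequest ID:`t1402`nRequester:`tCONTOSO\jsmith`nAttributes:`tCertificateTemplate:User`n`tsan:upn=administrator@contoso.com`nDisposition:`tDenied by Policy Module`nSubject:`tCN=administrator,CN=Users,DC=contoso,DC=com" }
) | ForEach-Object { ConvertFrom-CaDenialEvent -Time $_.Time -Message $_.Message }
# Six denials a minute apart from one service account, to exercise the burst check
$sample += 1..6 | ForEach-Object {
    ConvertFrom-CaDenialEvent -Time ([datetime]'2026-03-18T10:00:00').AddMinutes($_) -Message "Certificate Services denied a certificate request.`n`nRequest ID:`t$(1410 + $_)`nRequester:`tCONTOSO\svc-scanner`nAttributes:`tCertificateTemplate:Machine`nDisposition:`tDenied by Policy Module`nSubject:`tCN=svc-scanner"
}

Find-CaDenialPatterns -Denials $sample | Format-Table -AutoSize
# On a CA, replace the sample with live data: Find-CaDenialPatterns -Denials (Get-LiveCaDenials)
```

On the sample this reports a SanAttribute and a SubjectMismatch finding for request 1402 and a Burst finding for CONTOSO\svc-scanner. The subject check is deliberately loose (a substring match on the account name) so it works for both user DNs and machine FQDNs; tighten it to a UPN comparison once you know which templates your CA issues.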
02

Verify Certificate Template Permissions

Check that the requesting account, or a group it belongs to, holds Enroll on the template. Template permissions are an ACL on the template object in Active Directory and are edited in the Certificate Templates console, not in the CA console.

  1. Open the Certificate Templates console (certtmpl.msc) on the CA or on any host with the AD CS management tools
  2. Right-click the template named in the denial event and select Properties
  3. Click the Security tab to review permissions
  4. Verify the requesting user, computer, or one of its groups has:
    • Read (minimum required; without it the client cannot even see the template)
    • Enroll for manual or scripted enrollment
    • Autoenroll in addition to Enroll if the certificate is expected to arrive through autoenrollment
  5. Remember that the CA evaluates the requester's token at request time: a group added today is not in a Kerberos ticket issued earlier, so have the user log off and on (or run klist purge) before retesting
  6. Use PowerShell to confirm the template is published on the CA; Get-CATemplate takes no -Name parameter and does not expose the ACL, so the permission check itself is done against the AD object or on the Security tab:
# Templates the CA is able to issue (Name and Oid only)
$TemplateName = "WebServer"  # Replace with actual template name
Get-CATemplate | Where-Object { $_.Name -eq $TemplateName } | Format-Table Name, Oid -AutoSize
  7. If permissions are missing, add the appropriate user or group on the Security tab:
    • Click Add to add users or groups
    • Select the user/group and tick Enroll (and Autoenroll if required)
    • Click Apply and OK to save changes
Warning: Grant Enroll to the narrowest group that needs it. A template that lets the enrollee supply the subject name and is enrollable by a broad group such as Domain Users lets any member request a certificate for any identity, which is a domain-wide privilege escalation path, not just a policy violation.
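The permission check above, done against the template object itself, as an added example that is not part of the original article: it binds to the template under CN=Certificate Templates in the Configuration partition, walks the ACL, and reports per ACE whether it grants Enroll, Autoenroll, or the right to rewrite the template, flagging grants to broad well-known groups. It assumes a domain-joined host (any authenticated user can read these objects); the function names and the list of "broad" groups are mine, the extended-right GUIDs are the schema's.

```powershell
# Added example, not from the original article: read a template's ACL straight from the
# Configuration partition and report who can Enroll, Autoenroll, or rewrite the template.
# Assumptions: domain-joined host; template name passed as a parameter; function names are mine.

# Extended-right GUIDs for certificate templates (from the AD schema)
$CertificateEnrollment     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$CertificateAutoEnrollment = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$AllExtendedRights         = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to every extended right

# Well-known groups that turn an Enroll grant into "anyone in the forest"; extend per environment
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Get-TemplateEnrollmentAcl {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    try { $template.RefreshCache() } catch { throw "Template '$TemplateName' not found in $configNc" }

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    # Explicit and inherited ACEs, identities resolved to DOMAIN\name
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $rights   = $ace.ActiveDirectoryRights
        $extended = $rights.HasFlag($R::ExtendedRight)
        $all      = $rights.HasFlag($R::GenericAll)
        $edit     = $rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner) -or $rights.HasFlag($R::WriteProperty)
        $name     = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity        = $name
            Type            = $ace.AccessControlType
            Enroll          = $all -or ($extended -and ($ace.ObjectType -eq $CertificateEnrollment -or $ace.ObjectType -eq $AllExtendedRights))
            Autoenroll      = $all -or ($extended -and ($ace.ObjectType -eq $CertificateAutoEnrollment -or $ace.ObjectType -eq $AllExtendedRights))
            CanEditTemplate = $all -or $edit        # can change subject rules, EKUs or the ACL itself
            Broad           = $BroadPrincipals -contains ($name -replace '^.*\\', '')
        }
    }
}

function Test-TemplateEnrollmentAcl {
    # The summary a reviewer wants: who enrolls, and is anything broad or editable by non-admins
    param([Parameter(Mandatory)][string]$TemplateName)
    $allow = Get-TemplateEnrollmentAcl -TemplateName $TemplateName | Where-Object { $_.Type -eq 'Allow' }
    [pscustomobject]@{
        Template     = $TemplateName
        Enroll       = @($allow | Where-Object Enroll     | ForEach-Object Identity) -join ', '
        Autoenroll   = @($allow | Where-Object Autoenroll | ForEach-Object Identity) -join ', '
        BroadEnroll  = [bool]($allow | Where-Object { $_.Enroll -and $_.Broad })
        BroadEditors = @($allow | Where-Object { $_.CanEditTemplate -and $_.Broad } | ForEach-Object Identity) -join ', '
    }
}

Get-TemplateEnrollmentAcl -TemplateName 'WebServer' | Format-Table -AutoSize
Test-TemplateEnrollmentAcl -TemplateName 'WebServer'
```

Compare the Enroll column with the Requester from the denial event and that account's groups (whoami /groups on the client): if nothing matches, the denial is the ACL doing its job. This lists ACEs, not effective access, so nested groups and Deny entries still need a manual look; BroadEnroll set to True on a template whose Subject Name tab says "Supply in the request" is the combination to fix before anything else.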
03

Examine Certificate Template Configuration

Review the template settings that the policy module enforces; a request that does not satisfy them is denied even when the ACL allows Enroll.

  1. Open the Certificate Templates console (certtmpl.msc) on a domain controller or CA server
  2. Locate the template referenced in the denial event
  3. Right-click the template and select Properties
  4. Review the configuration areas that commonly cause denials:
    • General tab: the template must also be published on the CA (Certificate Templates folder in certsrv.msc); an unpublished template is rejected with "The requested certificate template is not supported by this CA"
    • Request Handling tab: purpose and minimum key size; a CSR with a smaller key, or a signature algorithm the CA does not accept, is denied
    • Subject Name tab: "Build from this Active Directory information" requires the attributes it names (DNS name, e-mail, UPN) to exist on the requester's AD object; "Supply in the request" shifts the check to what the client sent
    • Issuance Requirements tab: CA certificate manager approval puts requests into Pending rather than denying them; a required number of authorized signatures causes denials when the request is not co-signed by an enrollment agent
    • Extensions tab: application policies (EKUs) and key usage the CSR must be consistent with
  5. Use certutil to dump the template definition from Active Directory (Get-CATemplate only returns the name and OID of each template the CA can issue, nothing about its settings):
# Dump the template's AD attributes: schema version, minimum key size, name and enrollment flags, EKUs
$TemplateName = "WebServer"
certutil -v -dstemplate $TemplateName
  6. Check whether the template is published on this CA:
# Verify the template is in the CA's issue list
Get-CATemplate | Where-Object { $_.Name -eq $TemplateName } | Select-Object Name, Oid
  7. Compare the template requirements with the Subject and Disposition recorded in the denial event
  8. If the settings are wrong, correct them on the template; built-in templates cannot be edited, so duplicate them first and publish the copy
Pro tip: Each template has a schema version (1 for the built-in Windows 2000 templates, 2 for Windows Server 2003, 3 for 2008, 4 for 2012 and later). A CA can only issue templates whose schema version it understands, so a template created from a newer console may be ignored by an older CA; check msPKI-Template-Schema-Version in the certutil output against the CA's operating system.
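The configuration review above, read programmatically from the template's AD object, as an added example that is not part of the original article: it fetches the attributes the policy module checks, decodes the name-flag and enrollment-flag bit words (a subset of the CT_FLAG_* values; AD stores them as signed 32-bit integers, hence the masking), lists the EKUs, and raises findings for the combinations that matter most, in particular an enrollee-supplied subject on an authentication-capable template with no approval or co-signature. It assumes a domain-joined host; the function names, the flag subset and the findings text are mine.

```powershell
# Added example, not from the original article: read the attributes the policy module checks
# from the template's AD object and decode the flag words. Assumptions: domain-joined host;
# only the bits listed here are decoded (a subset of the CT_FLAG_* values); names are mine.

# msPKI-Certificate-Name-Flag bits (subset)
$NameFlags = @{
    0x00000001 = 'ENROLLEE_SUPPLIES_SUBJECT'
    0x00010000 = 'ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME'
    0x02000000 = 'SUBJECT_ALT_REQUIRE_UPN'
    0x08000000 = 'SUBJECT_ALT_REQUIRE_DNS'
    0x40000000 = 'SUBJECT_REQUIRE_COMMON_NAME'
    0x80000000 = 'SUBJECT_REQUIRE_DIRECTORY_PATH'
}
# msPKI-Enrollment-Flag bits (subset)
$EnrollFlags = @{
    0x00000002 = 'PEND_ALL_REQUESTS'           # CA certificate manager approval
    0x00000020 = 'AUTO_ENROLLMENT'
    0x00000800 = 'ALLOW_ENROLL_ON_BEHALF_OF'
    0x00080000 = 'NO_SECURITY_EXTENSION'       # certificate will not carry the SID extension
}
# EKUs that make a certificate usable for authentication
$AuthEkus = @{
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.4'        = 'PKINIT Client Authentication'
    '2.5.29.37.0'            = 'Any Purpose'
}

function ConvertTo-FlagNames {
    param([Parameter(Mandatory)][int64]$Value, [Parameter(Mandatory)][hashtable]$Table)
    $Table.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $Table[$_] }
}

function Get-TemplateIssuanceProfile {
    param([Parameter(Mandatory)][string]$TemplateName)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $t = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    try { $t.RefreshCache() } catch { throw "Template '$TemplateName' not found in $configNc" }

    # AD stores these as signed 32-bit integers; mask to recover the unsigned flag word
    $nameFlag   = [int64][int]$t.Properties['msPKI-Certificate-Name-Flag'].Value -band 0xFFFFFFFF
    $enrollFlag = [int64][int]$t.Properties['msPKI-Enrollment-Flag'].Value -band 0xFFFFFFFF
    $ekus       = @($t.Properties['pKIExtendedKeyUsage'] | ForEach-Object { "$_" })
    $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value

    $profile = [pscustomobject]@{
        Template        = $TemplateName
        SchemaVersion   = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
        MinimumKeySize  = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
        NameFlags       = @(ConvertTo-FlagNames -Value $nameFlag -Table $NameFlags)
        EnrollmentFlags = @(ConvertTo-FlagNames -Value $enrollFlag -Table $EnrollFlags)
        RASignatures    = $raSigs
        EKUs            = $ekus
        Findings        = @()
    }

    # The combination that turns "enroll" into "log on as anyone": the enrollee picks the subject,
    # the certificate is good for authentication, and no approval or co-signature stands in between.
    # An empty EKU list means no EKU extension, i.e. usable for any purpose.
    $enrolleeSubject = ($profile.NameFlags -contains 'ENROLLEE_SUPPLIES_SUBJECT') -or ($profile.NameFlags -contains 'ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME')
    $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus.ContainsKey($_) })
    $noGate  = ($raSigs -eq 0) -and ($profile.Enroll
mentFlags -notcontains 'PEND_ALL_REQUESTS')
    if ($enrolleeSubject -and $authEku -and $noGate) {
        $profile.Findings += 'Enrollee-supplied subject on an authentication template with no approval or co-signature: review the Enroll ACL closely'
    }
    if ($profile.MinimumKeySize -lt 2048) { $profile.Findings += "Minimum key size $($profile.MinimumKeySize) is below 2048" }
    if ($profile.EnrollmentFlags -contains 'NO_SECURITY_EXTENSION') { $profile.Findings += 'Certificates omit the SID security extension, so KDC strong certificate mapping cannot bind them to the account' }
    $profile
}

Get-TemplateIssuanceProfile -TemplateName 'WebServer' | Format-List
```

Read the output next to the denied request: a Subject in the event that lacks the DNS name or UPN that SUBJECT_ALT_REQUIRE_* demands, or a key below MinimumKeySize, explains the denial directly; a template with findings explains why a request that was denied this time should worry you anyway.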
04

Investigate CA Policy Module Settings

The policy module decides the disposition of every request and is configured per CA, so a restrictive setting here denies requests that the template alone would allow; a permissive one (notably EditFlags with EDITF_ATTRIBUTESUBJECTALTNAME2) makes the CA honour a san: request attribute regardless of template, which is a well-known abuse path.

  1. Open the Certificate Authority management console (certsrv.msc)
  2. Right-click the CA name and select Properties
  3. Navigate to the Policy Module tab
  4. Click Properties to view the policy module settings; the Microsoft default module exposes only one choice in the UI (issue automatically, or set every request to pending), everything else lives in the registry
  5. Settings that affect whether a request is issued, pended or denied:
    • RequestDisposition: issue, deny, or pend every request
    • EditFlags: bit flags for subject name handling, extension handling and whether the requester's group membership is checked
    • EnableRequestExtensionList / DisableExtensionList: extensions the CA will accept from, or strip from, incoming requests
    • Validity period (ValidityPeriod and ValidityPeriodUnits on the CA) caps what a template can ask for
  6. Read the policy module values from the registry (the Active value under Configuration names the CA, so you do not have to type it):
# Policy module settings for the active CA
$CAName = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration").Active
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy" | Format-List EditFlags, RequestDisposition, EnableRequestExtensionList, DisableExtensionList
  7. Confirm the CA is auditing request handling at all; otherwise no denial events are written regardless of what the policy module does:
# AuditFilter is a bit mask; 0x4 (Issue and manage certificate requests) must be set for denied-request events, 127 enables every category
certutil -getreg CA\AuditFilter
  8. If a policy module setting is the cause, change it to the value your organisation's policy calls for (certutil -setreg policy\<Name> <Value>)
  9. Restart Certificate Services after making policy or audit changes, since the module reads its configuration at start:
Restart-Service -Name CertSvc -Force
Warning: Policy module changes affect every request on that CA. Test in a non-production CA first, and treat enabling EDITF_ATTRIBUTESUBJECTALTNAME2 as a change that needs a security review, not as a troubleshooting step.
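The registry review above in decoded form, as an added example that is not part of the original article: a pure function takes the three integers (EditFlags, RequestDisposition, AuditFilter), names the bits it knows (a subset of the EDITF_* flags, the REQDISP_* low byte plus the pend-first bit, and the seven AuditFilter categories) and returns the findings a reviewer would raise; a second function feeds it from the live registry of the CA it runs on. The sample values are constructed and the function names are mine.

```powershell
# Added example, not from the original article: read and decode the CA's policy module and
# audit settings. Assumptions: the live read runs on the CA with rights to read its registry;
# the decode function takes plain integers so it can be exercised offline on values copied
# from certutil -getreg. Only the bits listed are decoded; function names are mine.

$EditFlagBits = @{
    0x00000001 = 'EDITF_ENABLEREQUESTEXTENSIONS'     # honour extensions supplied in the request
    0x00000002 = 'EDITF_REQUESTEXTENSIONLIST'
    0x00000004 = 'EDITF_DISABLEEXTENSIONLIST'
    0x00000020 = 'EDITF_ATTRIBUTEENDDATE'            # request may set its own expiry
    0x00000200 = 'EDITF_ATTRIBUTECA'                 # request may ask for a CA certificate
    0x00000400 = 'EDITF_IGNOREREQUESTERGROUP'
    0x00040000 = 'EDITF_ATTRIBUTESUBJECTALTNAME2'    # honour a san: request attribute on any template
}
$AuditFilterBits = @{
    0x01 = 'Start and stop AD CS'
    0x02 = 'Backup and restore the CA database'
    0x04 = 'Issue and manage certificate requests'
    0x08 = 'Revoke certificates and publish CRLs'
    0x10 = 'Change CA security settings'
    0x20 = 'Store and retrieve archived keys'
    0x40 = 'Change CA configuration'
}

function ConvertTo-BitNames {
    param([int64]$Value, [hashtable]$Table)
    $Table.Keys | Sort-Object | Where-Object { ($Value -band $_) -ne 0 } | ForEach-Object { $Table[$_] }
}

function Test-CaPolicySettings {
    # Pure function: decode the three values and return the findings a reviewer would raise
    param([int64]$EditFlags, [int64]$RequestDisposition, [int64]$AuditFilter)
    $disp = switch ($RequestDisposition -band 0xFF) { 0 { 'Pending' } 1 { 'Issue' } 2 { 'Deny' } default { "Unknown($_)" } }
    if (($RequestDisposition -band 0x100) -ne 0) { $disp += ' (pend first)' }

    $findings = @()
    if (($EditFlags -band 0x40000) -ne 0)       { $findings += 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: any enroller can request a certificate with an arbitrary SAN' }
    if (($EditFlags -band 0x1) -ne 0)           { $findings += 'Request-supplied extensions are honoured; review EnableRequestExtensionList' }
    if (($RequestDisposition -band 0xFF) -eq 2) { $findings += 'RequestDisposition is Deny: every request is denied regardless of template' }
    if (($AuditFilter -band 0x4) -eq 0)         { $findings += 'AuditFilter lacks 0x4: denied-request audit events are not being written' }

    [pscustomobject]@{
        EditFlags          = '0x{0:X8}' -f $EditFlags
        EditFlagNames      = @(ConvertTo-BitNames -Value $EditFlags -Table $EditFlagBits)
        RequestDisposition = $disp
        AuditCategories    = @(ConvertTo-BitNames -Value $AuditFilter -Table $AuditFilterBits)
        Findings           = $findings
    }
}

function Get-CaPolicySettings {
    # Live read from the registry of the CA this runs on; the Active value names the CA
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca     = (Get-ItemProperty -Path $base).Active
    $policy = Get-ItemProperty -Path "$base\$ca\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $caCfg  = Get-ItemProperty -Path "$base\$ca"
    Test-CaPolicySettings -EditFlags $policy.EditFlags -RequestDisposition $policy.RequestDisposition -AuditFilter $caCfg.AuditFilter
}

# Constructed sample values (not exported from a real CA): SAN attribute flag on, request auditing off
Test-CaPolicySettings -EditFlags 0x15014E -RequestDisposition 0x101 -AuditFilter 0x7B | Format-List
# On the CA itself: Get-CaPolicySettings | Format-List
```

The two findings the sample produces are the two that matter most for this page: with 0x4 missing from AuditFilter there is no denied-request event to troubleshoot at all, and with EDITF_ATTRIBUTESUBJECTALTNAME2 set a denial for a bad subject name is the least of your problems. Both require auditpol's Certification Services subcategory to be enabled as well, which certutil cannot show; check it with auditpol /get /subcategory:"Certification Services".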
05

Advanced Troubleshooting with CA Logs and Network Traces

When the event and the template do not explain the denial, go to the CA database row for the request, the CA's own verbose log, and, for web-based enrollment, the IIS logs.

  1. Raise the CA's log level for the duration of the investigation:
# Most verbose CA logging (3 is the default)
certutil -setreg CA\LogLevel 5
Restart-Service -Name CertSvc
  2. Query the CA database for failed and denied requests. Disposition 30 is a request that failed processing (for example a malformed CSR) and 31 is a request the policy module denied; Request.DispositionMessage holds the full reason text that the audit event abbreviates:
# Failed (30) and denied (31) requests with the policy module's reason text
certutil -view -restrict "Disposition>=30" -out "RequestID,RequesterName,Request.SubmittedWhen,Request.Disposition,Request.DispositionMessage,CertificateTemplate" csv > denied_requests.csv
  3. Look at the enrollment client's own events, on the machine that submitted the request rather than on the CA: Event Viewer > Applications and Services Logs > Microsoft > Windows > CertificateServicesClient-CertEnroll, the Application log (source CertificateServicesClient-CertEnroll), and for autoenrollment the CertificateServicesClient-Lifecycle-System and -User operational logs
  4. Review the client-side events around the time of the denial; the client logs the error code (for example CERTSRV_E_TEMPLATE_DENIED) that corresponds to the CA's disposition
  5. Use PowerShell to pull the client-side errors for the window in question:
# Enrollment client errors and warnings in the last two hours (Level 2 = Error, 3 = Warning)
$StartTime = (Get-Date).AddHours(-2)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-CertificateServicesClient-CertEnroll/Operational'; StartTime=$StartTime} -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -in 1, 2, 3 }
  6. Only if the request travels over HTTPS (Certificate Enrollment Web Service or the /certsrv web pages) is a network capture on port 443 useful; native DCOM enrollment from domain members uses RPC on TCP 135 plus a dynamic high port, with an encrypted payload, so capture there only to confirm reachability
  7. Filter the capture for the CES or certsrv URLs and compare the HTTP status of each request with the denial timestamps
  8. Review the IIS logs on CA or CES servers. The W3C log ends each line with sc-status, sc-substatus, sc-win32-status and time-taken, so anchor the status match there rather than on any 4xx/5xx-looking number elsewhere in the line:
# HTTP 4xx/5xx responses for the enrollment endpoints (/certsrv web enrollment, *_CES_* for the enrollment web service)
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" | Where-Object { $_ -match '/certsrv|_CES_' -and $_ -match '\s[45]\d\d\s\d+\s\d+\s\d+$' }
  9. After analysis, set the log level back to the default to stop the log from growing:
certutil -setreg CA\LogLevel 3
Restart-Service -Name CertSvc
Pro tip: The Request ID in the denial event and the RequestID column from certutil -view refer to the same database row, which makes it the key for joining events, database rows and the CA's verbose log, with the IIS logs aligned by timestamp.
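The Request ID join the pro tip describes, as an added example that is not part of the original article: the first function parses the CSV that certutil -view writes (header names are normalised so both the display form "Request Disposition Message" and the column form Request.DispositionMessage map the same way, and certutil's trailing status line is dropped), the second runs the live query on a CA, and the third joins event objects with Time, RequestID, Requester and Subject properties (the shape Step 01 produces) to their database rows. The CSV text and the event objects are constructed; the function names are mine.

```powershell
# Added example, not from the original article: parse certutil -view CSV output and join
# denied-request audit events to their CA database rows by Request ID, so the terse Disposition
# in the event is replaced by the full DispositionMessage and the template name. The CSV and
# event objects below are constructed, not captured from a real CA; function names are mine.

function ConvertFrom-CertutilViewCsv {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | Where-Object { $_.Trim() -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv | ForEach-Object {
        $row = @{}
        foreach ($p in $_.PSObject.Properties) { $row[($p.Name -replace '[^A-Za-z0-9]', '')] = $p.Value }
        # "Request Disposition" may be rendered as a bare number or as "31 -- Denied"; keep the number
        $code = if ($row['RequestDisposition'] -match '\d+') { [int]$Matches[0] } else { $null }
        $kind = switch ($code) { 30 { 'Failed' } 31 { 'Denied' } default { 'Other' } }
        [pscustomobject]@{
            RequestID          = [int]$row['RequestID']
            Requester          = $row['RequesterName']
            Submitted          = if ($row['RequestSubmissionDate']) { $row['RequestSubmissionDate'] } else { $row['RequestSubmittedWhen'] }
            Disposition        = $code
            DispositionKind    = $kind
            DispositionMessage = $row['RequestDispositionMessage']
            Template           = $row['CertificateTemplate']
        }
    }
}

function Get-CaFailedRequestRows {
    # Live read on the CA (needs certutil and read access to the CA database)
    $columns = 'RequestID,RequesterName,Request.SubmittedWhen,Request.Disposition,Request.DispositionMessage,CertificateTemplate'
    ConvertFrom-CertutilViewCsv -Lines (certutil -view -restrict 'Disposition>=30' -out $columns csv)
}

function Join-DenialToDatabase {
    # $Events: objects with Time, RequestID, Requester, Subject (as parsed from the audit events)
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][object[]]$Rows)
    $byId = @{}
    foreach ($r in $Rows) { $byId[[int]$r.RequestID] = $r }
    foreach ($e in $Events) {
        $row = $byId[[int]$e.RequestID]
        $msg = if ($row) { $row.DispositionMessage } else { 'no database row (deleted, or a different CA)' }
        [pscustomobject]@{
            Time               = $e.Time
            RequestID          = $e.RequestID
            Requester          = $e.Requester
            Subject            = $e.Subject
            Template           = if ($row) { $row.Template } else { $null }
            DispositionKind    = if ($row) { $row.DispositionKind } else { $null }
            DispositionMessage = $msg
        }
    }
}

# Constructed CSV in the layout certutil -view ... csv writes (header row of display names, quoted values)
$csv = @'
"Request ID","Requester Name","Request Submission Date","Request Disposition","Request Disposition Message","Certificate Template"
"1401","CONTOSO\jsmith","3/18/2026 9:00 AM","31","Denied by Policy Module  0x80094012, The permissions on the certificate template do not allow the current user to enroll for this type of certificate.","User"
"1402","CONTOSO\jsmith","3/18/2026 9:01 AM","31","Denied by Policy Module  0x80094012, The permissions on the certificate template do not allow the current user to enroll for this type of certificate.","User"
"1415","CONTOSO\WEB01$","3/18/2026 9:05 AM","30","Error Parsing Request  The request subject name is invalid or too long. 0x80094001","WebServer"
'@
$rows = ConvertFrom-CertutilViewCsv -Lines ($csv -split "`r?`n")

# Constructed event objects, in the shape the Step 01 parsing produces
$events = @(
    [pscustomobject]@{ Time = [datetime]'2026-03-18T09:00:00'; RequestID = 1401; Requester = 'CONTOSO\jsmith'; Subject = 'CN=jsmith,CN=Users,DC=contoso,DC=com' },
    [pscustomobject]@{ Time = [datetime]'2026-03-18T09:05:00'; RequestID = 1415; Requester = 'CONTOSO\WEB01$'; Subject = '' },
    [pscustomobject]@{ Time = [datetime]'2026-03-18T09:06:00'; RequestID = 1499; Requester = 'CONTOSO\jsmith'; Subject = 'CN=jsmith' }
)

Join-DenialToDatabase -Events $events -Rows $rows | Format-Table -AutoSize
# On the CA: Join-DenialToDatabase -Events <parsed 4888 events> -Rows (Get-CaFailedRequestRows)
```

Request 1401 comes back with the template name and the CERTSRV_E_TEMPLATE_DENIED text (an ACL problem, Step 02), 1415 as a Failed rather than Denied row with a subject name error (Step 03), and 1499 without a row, which usually means the database was cleaned up or the event came from a different CA than the one you queried.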

Overview

Active Directory Certificate Services (AD CS) audits request handling into the Security log of the CA server. A denied request is recorded as Event ID 4888, "Certificate Services denied a certificate request"; Event ID 4871, the number this page is filed under, records that the CA received a request to publish a CRL. Both appear only when the Certification Services audit subcategory is enabled and the matching AuditFilter bit is set on the CA. The denied-request event carries the request ID, the requester, the request attributes, the policy module's disposition text and the requested subject.

It is written at the moment the policy module rejects the request, which makes it usable for near-real-time alerting as well as for compliance review; the CA database row with the same Request ID holds the full disposition message when the event's text is generic.

Reviewing these events over time separates template misconfiguration and permission problems from attempts to obtain certificates the requester is not entitled to, which is why they belong in the same monitoring pipeline as the rest of the Security log.

Frequently Asked Questions

What does Event ID 4871 mean and when does it occur?
In Microsoft's Security Auditing reference, 4871 is "Certificate Services received a request to publish the certificate revocation list (CRL)". The event written when a CA rejects an enrollment request is 4888, "Certificate Services denied a certificate request". It is raised at the moment the policy module denies the request, for reasons such as missing Enroll permission on the template, a subject name that violates the template's rules, a key size or extension the template does not allow, or a malformed CSR. It appears only in the Security log of the CA server, and only when the Certification Services audit subcategory and the CA's AuditFilter both cover request handling.
How can I determine why a specific certificate request was denied?
Open the denial event and read the Disposition, Requester, Subject and Request ID fields. The Disposition text is often generic ("Denied by Policy Module"), so take the Request ID to the CA database, where the full reason is stored: certutil -view -restrict "RequestID=<id>" -out "RequesterName,Request.DispositionMessage,CertificateTemplate". For bulk work, Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4888} returns the events, and the message lines can be split on the first colon into named fields.
What permissions are required for successful certificate enrollment?
The requesting user or computer, directly or through group membership, needs Read and Enroll on the certificate template; autoenrollment additionally needs Autoenroll. These are ACEs on the template object in Active Directory, edited on the Security tab of the template in the Certificate Templates console (certtmpl.msc); the CA console only shows which templates are published. Computer certificates are typically granted to Domain Computers or a narrower computer group, user certificates to the user groups your policy names. Because the CA evaluates the requester's token, a new group membership takes effect only after the account obtains a fresh ticket.
Can these events indicate a security attack or malicious activity?
Yes. Many denials from one account across different templates look like enumeration of what the account is allowed to enroll. A request whose Subject or san: attribute names a different account than the Requester is an attempt to obtain someone else's identity and should be treated as an incident even though it was denied, because the same request against a misconfigured template would have succeeded. Alert on bursts of denials per requester, on any denial (or issuance) against templates that let the enrollee supply the subject, and on request attributes containing san:.
How do I troubleshoot certificate template configuration issues causing these denials?
First confirm the template is published on the CA with Get-CATemplate (or certutil -CATemplates), which lists the names and OIDs the CA can issue. Then check the Security tab in certtmpl.msc for Enroll, and review the Subject Name, Request Handling, Issuance Requirements and Extensions tabs against the denied request; certutil -v -dstemplate <name> dumps the same settings from Active Directory, including msPKI-Template-Schema-Version, which must be one the CA's operating system supports. Built-in templates cannot be edited, so duplicate them, adjust the copy, publish it and, if needed, supersede the original. Changing a custom template in place is fine and does not affect certificates already issued from it.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
