Troubleshoot Connector for AD error codes - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshoot Connector for AD error codes

Connector for AD sends error messages for several reasons. For information on each error and recommendations about resolving them, see the following table. You can receive these errors by subscribing to Amazon EventBridge Scheduler events (event source: aws.pca-connector-ad) or by using manual enrollment in Windows.

Each entry below lists the error code, its root cause, and the recommended remediation.

Error code: 0x8FFFA000
Root cause: Kerberos authentication failed.
Remediation: Make sure that your directory is reachable and that the client is either a user or a computer. If you're using auto-enrollment, fix your Amazon resource service principal. If you're using the Active Directory UI to get a certificate, run gpupdate /force.

Error code: 0x8FFFA001
Root cause: The SOAP message must contain an action header.
Remediation: Add an action header.

Error code: 0x8FFFA002
Root cause: The connector does not have access to the private CA it is connected to.
Remediation: Share your private CA with the connector by creating an Amazon Resource Access Manager (RAM) resource share between your private CA and the Connector for AD service.

Error code: 0x8FFFA003
Root cause: The private CA for this connector is not active.
Remediation: Move the private CA to the Active state. If your private CA is in the pending-certificate state, install the CA certificate.

Error code: 0x8FFFA004
Root cause: The private CA for this connector does not exist.
Remediation: Move your certificate authority to the Active state if it is in the Deleted state. If your private CA is permanently deleted, create a new connector with a different CA.

Error code: 0x8FFFA005
Root cause: The template specified the directoryGuid attribute for the certificate subject or the subject alternative name, but the attribute was not found in the AD object for the requester.
Remediation: Active Directory did not generate a directoryGuid for your directory. Troubleshoot in Active Directory.

Error code: 0x8FFFA006
Root cause: The template specified the dnsHostName attribute for the certificate subject or the subject alternative name, but the attribute was not found in the AD object for the requester.
Remediation: Add the dnsHostName attribute to your AD object.

Error code: 0x8FFFA007
Root cause: The template specified the email attribute to be included in the certificate subject or the subject alternative name, but the attribute was not found in the AD object for the requester.
Remediation: Add the email attribute to your AD object.

Error code: 0x8FFFA008
Root cause: The SOAP message must have an action header of either http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies or http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep.
Remediation: Update the action header to use one of the specified values.

Error code: 0x8FFFA009
Root cause: The BinarySecurityToken must be encoded as http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary.
Remediation: Update the binary security token encoding type.

Error code: 0x8FFFA00A
Root cause: The BinarySecurityToken is invalid.
Remediation: Check that the CSR is generated correctly.

Error code: 0x8FFFA00B
Root cause: The BinarySecurityToken must have a value type of either http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7 or http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10.
Remediation: Update the binary security token value type to one of the valid values.

Error code: 0x8FFFA00C
Root cause: The BinarySecurityToken contained invalid CMS.
Remediation: The Base64 is valid, but the Cryptographic Message Syntax (CMS) is invalid. Review the CMS syntax.

Error code: 0x8FFFA00D
Root cause: The BinarySecurityToken contained an invalid CSR.
Remediation: Check that the CSR was generated correctly.

Error code: 0x8FFFA00E
Root cause: The private CA was unable to issue a certificate using the specified template.
Remediation: Review the validation exception from Amazon Private CA. You can view the validation exception in Amazon EventBridge or Amazon CloudTrail.

Error code: 0x8FFFA00F
Root cause: The SOAP message must have a request type of http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue.
Remediation: Set the request type to http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue.

Error code: 0x8FFFA010
Root cause: The SOAP message must have a "to" header whose value is either the connector's CertificateEnrollmentPolicyServerEndpoint field or the URI field in the XCEP response.
Remediation: Set the "to" header of the request security token to either the CertificateEnrollmentPolicyServerEndpoint field or the URI field in the XCEP response.

Error code: 0x8FFFA011
Root cause: The SOAP message must have only one action header.
Remediation: Review the SOAP message header of the request security token and set the header correctly.

Error code: 0x8FFFA012
Root cause: The SOAP message must have only one messageId header.
Remediation: Review the SOAP message header of the request security token and set the header correctly.

Error code: 0x8FFFA013
Root cause: The SOAP message must have only one "to" header.
Remediation: Review the SOAP message header of the request security token and set the header correctly.

Error code: 0x8FFFA014
Root cause: The requester does not have access to the requested template.
Remediation: Allow the requester's group to enroll using the requested template by creating an Access Control Entry.

Error code: 0x8FFFA015
Root cause: Either the CertificateTemplateInformation or the CertificateTemplateName extension must be present in the BinarySecurityToken.
Remediation: Add one of these extensions to your CSR.

Error code: 0x8FFFA016
Root cause: The requested template was not found for the given connector.
Remediation: Templates are child resources of each connector. Create the template for the connector using createTemplate.

Error code: 0x8FFFA017
Root cause: The request was denied due to request throttling.
Remediation: Slow down the rate of requests.

Error code: 0x8FFFA018
Root cause: The SOAP message must contain a "to" header.
Remediation: Review the header of the SOAP message.

Error code: 0x8FFFA019
Root cause: Could not process the SOAP message due to an unrecognized header.
Remediation: Review the header of the SOAP message.

Error code: 0x8FFFA01A
Root cause: The template specified the UPN attribute to be included in the certificate subject or the subject alternative name, but the attribute was not found in the AD object for the requester.
Remediation: Add a UPN to the Active Directory object.
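Many of the codes above describe structural rules on the WSTEP enrollment request (exactly one action, messageId and "to" header; an allowed action value; the Issue request type; a Base64-encoded BinarySecurityToken with an allowed value type). The checker below, an added example that is not part of the Amazon Private CA documentation or the Connector for AD service, applies those rules to an envelope and returns the codes from the table that would apply, which is useful when reproducing a client failure offline before looking at the EventBridge event. The SOAP 1.2, WS-Addressing, WS-Security and WS-Trust namespaces are assumed from the public standards; the endpoint URL, message IDs and sample messages are constructed, and the decisions to treat only WS-Addressing and WS-Security headers as recognised and a missing token as invalid are assumptions of this example.

```python
"""Check a WSTEP certificate-request envelope against the SOAP header and
BinarySecurityToken rules in the table above and return the error codes a
message would trigger. Added example, not Amazon Private CA or Connector for AD
code: the codes and rules come from the table; the XML namespaces are assumed
from the public standards; endpoint, message IDs and samples are constructed."""
import base64
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

GETPOLICIES_ACTION = "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies"
WSTEP_ACTION = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep"
ALLOWED_ACTIONS = {GETPOLICIES_ACTION, WSTEP_ACTION}
REQUIRED_ENCODING = WSSE + "#base64binary"
PKCS7_TYPE = WSSE + "#PKCS7"
PKCS10_TYPE = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
ALLOWED_VALUE_TYPES = {PKCS7_TYPE, PKCS10_TYPE}
REQUIRED_REQUEST_TYPE = WST + "/Issue"

# Constructed stand-in for a connector's CertificateEnrollmentPolicyServerEndpoint.
ENDPOINT = "https://connector.example.invalid/ADPolicyProvider_CEP_Kerberos/service.svc/CEP"


def text_of(elem):
    """Stripped text of an element, or '' when the element is absent."""
    return (elem.text or "").strip() if elem is not None else ""


def check_soap_request(xml_text, allowed_to=frozenset({ENDPOINT})):
    """Return the error codes from the table that apply to one envelope ([] = passes)."""
    codes = []
    root = ET.fromstring(xml_text)
    header = root.find(f"{{{SOAP}}}Header")
    children = list(header) if header is not None else []
    actions = [e for e in children if e.tag == f"{{{WSA}}}Action"]
    message_ids = [e for e in children if e.tag == f"{{{WSA}}}MessageID"]
    tos = [e for e in children if e.tag == f"{{{WSA}}}To"]

    if not actions:
        codes.append("0x8FFFA001")          # no action header
    elif len(actions) > 1:
        codes.append("0x8FFFA011")          # more than one action header
    elif text_of(actions[0]) not in ALLOWED_ACTIONS:
        codes.append("0x8FFFA008")          # neither GetPolicies nor wstep
    if len(message_ids) > 1:
        codes.append("0x8FFFA012")          # more than one messageId header
    if not tos:
        codes.append("0x8FFFA018")          # no "to" header
    elif len(tos) > 1:
        codes.append("0x8FFFA013")          # more than one "to" header
    elif text_of(tos[0]) not in allowed_to:
        codes.append("0x8FFFA010")          # "to" is not the endpoint / XCEP URI
    # Assumption: only WS-Addressing and WS-Security headers count as recognised.
    if any(not e.tag.startswith((f"{{{WSA}}}", f"{{{WSSE}}}")) for e in children):
        codes.append("0x8FFFA019")

    # Token rules apply to the enrollment (wstep) request, not to GetPolicies.
    if len(actions) == 1 and text_of(actions[0]) == WSTEP_ACTION:
        body = root.find(f"{{{SOAP}}}Body")
        rst = None if body is None else body.find(f"{{{WST}}}RequestSecurityToken")
        req_type = None if rst is None else rst.find(f"{{{WST}}}RequestType")
        if text_of(req_type) != REQUIRED_REQUEST_TYPE:
            codes.append("0x8FFFA00F")
        bst = None if rst is None else rst.find(f"{{{WSSE}}}BinarySecurityToken")
        if bst is None:
            codes.append("0x8FFFA00A")      # assumption: a missing token is invalid
        else:
            if bst.get("EncodingType") != REQUIRED_ENCODING:
                codes.append("0x8FFFA009")
            if bst.get("ValueType") not in ALLOWED_VALUE_TYPES:
                codes.append("0x8FFFA00B")
            try:                            # line-wrapped tokens are joined first
                base64.b64decode("".join((bst.text or "").split()), validate=True)
            except ValueError:
                codes.append("0x8FFFA00A")  # the Base64 itself is malformed
    return codes


def build_request(action_values, to_values, message_ids=("urn:uuid:constructed-0001",),
                  request_type=REQUIRED_REQUEST_TYPE, encoding=REQUIRED_ENCODING,
                  value_type=PKCS10_TYPE, token=None, extra_header=""):
    """Assemble a constructed envelope; sequences let callers drop or duplicate headers."""
    if token is None:
        token = base64.b64encode(b"constructed stand-in for a DER-encoded CSR").decode()
    hdr = "".join(f"<wsa:Action>{a}</wsa:Action>" for a in action_values)
    hdr += "".join(f"<wsa:MessageID>{m}</wsa:MessageID>" for m in message_ids)
    hdr += "".join(f"<wsa:To>{t}</wsa:To>" for t in to_values) + extra_header
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}" xmlns:wsse="{WSSE}" xmlns:wst="{WST}">'
            f"<s:Header>{hdr}</s:Header><s:Body><wst:RequestSecurityToken>"
            f"<wst:RequestType>{request_type}</wst:RequestType>"
            f'<wsse:BinarySecurityToken ValueType="{value_type}" EncodingType="{encoding}">'
            f"{token}</wsse:BinarySecurityToken></wst:RequestSecurityToken></s:Body></s:Envelope>")


if __name__ == "__main__":
    samples = {
        "well-formed enrollment request": build_request([WSTEP_ACTION], [ENDPOINT]),
        "no action header": build_request([], [ENDPOINT]),
        "duplicate action headers": build_request([WSTEP_ACTION] * 2, [ENDPOINT]),
        "wrong 'to' header": build_request([WSTEP_ACTION], ["https://other.example.invalid/"]),
        "token is not Base64": build_request([WSTEP_ACTION], [ENDPOINT], token="not base64!"),
    }
    for name, msg in samples.items():
        print(f"{name}: {check_soap_request(msg) or 'OK'}")
```

The checker only covers the rules the table states literally; it does not parse the PKCS#10 or CMS content, so 0x8FFFA00C, 0x8FFFA00D and 0x8FFFA015 (template extension present in the CSR) still require inspecting the decoded token with a CSR parser.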