Microsoft small business knowledge base

Article ID: 2642485 - Last Review: April 2, 2014 - Revision: 12.0

Summary

The "Public Key Infrastructure (PKI) Diagnostic" support diagnostic package was designed to collect information interactively to help troubleshoot Active Directory Certificate Services (ADCS) and PKI-related issues.

If you are working together with Microsoft Product Support Services, you should receive instructions about which selections to make during the manifest execution.

The manifest offers two execution modes: Basic and Advanced.
[Image: PKIDiag Data Collection]



In Basic mode, the manifest collects logs and tool output that already exist on the computer. When you select this mode, the manifest runs and offers to upload or save the resulting file.

In Advanced mode, you can gather data about a problem reproduction attempt, and the manifest prompts you for the kinds of logs and traces to collect.

[Image: Advanced Data Collection Options]


The items have the following meaning:

  • Network capture, …: Gathers interface trace data on the named components during a replication attempt. The trace contains data that is exchanged with other computers in the environment.
  • Schannel Logging: Logs the activity of the SSL/TLS component on the computer during a problem reproduction.
  • CAPI2 Logging: Logs the activity of the certificate client component during a problem reproduction.
  • SmartCard Logging: Logs the activity of the Smartcard Service.
  • ADCS information: If checked, the manifest gathers information about the Certificate Authority configuration of the machine.
  • NDES Information: “Network Device Enrollment Services” is a standard where a “desktop client” enrolls certificates on behalf of network devices like routers or switches. If you want to collect information for such a scenario, please check this box.
  • OCSP Information: The “Online Certificate Status Protocol” helps ensure that certificates are valid while avoiding delays or large amounts of network traffic. If you suspect problems verifying certificates, check this box.
  • CertUtil General Information: Runs various CertUtil commands to gather information about the configuration regarding PKI.

After you click Next, the manifest asks you to prepare for the problem reproduction phase of the manifest execution.

[Image: Begin Logging Dialogue]


After you click Next, begin the problem reproduction. The manifest waits until you click the radio button at the top of the dialog box and then click Next to stop the data gathering.

[Image: Logging Underway/Stop Logging Selection]


When the problem reproduction data collection is finished, the diagnostic will automatically begin. The manifest execution collects the static data of the system.

The logs should also contain events that were logged during the reproduction attempt. After this data is collected, you can start the upload.

More information

This article describes the information that may be collected from a machine when you run the Directory Services PKI Interactive – Windows troubleshooter.

Information Collected

Event Logs (System and Application)
Description: Event Logs (System and Application)
File names:
  • {Computername}_evt_Application.csv
  • {Computername}_evt_Application.evtx
  • {Computername}_evt_Application.txt
  • {Computername}_evt_System.csv
  • {Computername}_evt_System.evtx
  • {Computername}_evt_System.txt

Event Logs (CAPI2)
Description: Event Logs (CAPI2)
File names:
  • {Computername}_evt_CAPI2-Operational_evt_.csv
  • {Computername}_evt_CAPI2-Operational_evt_.evtx
  • {Computername}_evt_CAPI2-Operational_evt_.txt

WinHTTP
Description | File Name
WinHTTP registry output | {Computername}_WinHTTP_reg_output.txt
WinHTTP proxy settings | {Computername}_WinHTTP_netsh_proxy-settings.txt

ADCS
Description: CertUtil commands and Registry output for ADCS
File names:
  • {Computername}_ADCS_CertUtil_CA.txt
  • {Computername}_ADCS_CertUtil_CAExitRegistry.txt
  • {Computername}_ADCS_CertUtil_CAPolicyRegistry.txt
  • {Computername}_ADCS_CertUtil_CATemplates.txt
  • {Computername}_ADCS_CertUtil_DBLocations.txt
  • {Computername}_ADCS_CertUtil_DCInfo.txt
  • {Computername}_ADCS_CertUtil_DSCerts.txt
  • {Computername}_ADCS_CertUtil_DSCRLs.txt
  • {Computername}_ADCS_CertUtil_DSTemplates.txt
  • {Computername}_ADCS_CertUtil_PublishedCAs.txt
  • {Computername}_ADCS_CertUtil_TCAInfo.txt
  • {Computername}_ADCS_CertUtil_verifyntauth.txt
  • {Computername}_ADCS_CertUtil_verifyroot.txt
  • {Computername}_ADCS_reg_.txt
  • {Computername}_ADCS_DCOM_reg_.txt

Certificates
Description: General Certificate information
File names:
  • {Computername}_Certificates-machinestore.txt
  • {Computername}_Certificates-userstore.txt
  • {Computername}_Certificates_reg_.txt
Description: Information about recently expired or soon-to-expire certificates.
File names:
  • ResultReport.xml

CertUtil General Information
Description: CertUtil General Information
File names:
  • {Computername}_CertUtil_CSPList.txt
  • {Computername}_CertUtil_dynamicfilelist.txt
  • {Computername}_CertUtil_KeyContainerList.txt
  • {Computername}_CertUtil_URLCache.txt
  • {Computername}_CertUtil_UserKeyContainerList.txt
  • {Computername}_CertUtil_verifykeys.txt
  • {Computername}_CertUtil_view.txt
  • {Computername}_CertUtil_viewAttrib.txt
  • {Computername}_CertUtil_viewCRL.txt
  • {Computername}_CertUtil_viewExt.txt
  • {Computername}_CertUtil_viewLog.txt
  • {Computername}_CertUtil_viewLogFail.txt
  • {Computername}_CertUtil_viewQ.txt
  • {Computername}_CertUtil_viewRev.txt

Cryptography
Description | File Name
Cryptography registry key output | {Computername}_Cryptography_reg_.txt

Resultant Set of Policy (RSoP)
Description: Resultant Set of Policy (RSoP)
File names:
  • {Computername}_GPResult.htm
  • {Computername}_GPResult.txt

Active Directory Information

Description | File Name
User Logon Information (user identity, user status, logon authentication method, domain controller and global catalog used, and logon computer details) | {Computername}_UserLogonInfo.txt and in ResultReport.xml


DHCP Client Information 
Description | File Name
DHCP Client Registry Key | {Computername}_ DhcpClient_reg_.TXT

IPSec Information
 
Description | File Name
IPsec Powershell Cmdlets | {Computername}_ IPsec_info_pscmdlets.TXT
IPsec Registry keys | {Computername}_IPsec_reg_.TXT
IPsec netsh dynamic show all | {Computername}_IPsec_netsh_dynamic.TXT
IPsec netsh static show all | {Computername}_IPsec_netsh_static.TXT
IPsec Local Policy Export (.ipsec) | {Computername}_netsh_LocalPolicyExport.ipsec

DNS Client Information 
Description | File Name
DnsClient Registry Keys | {Computername}_ DnsClient_reg_.TXT
Ipconfig /displaydns | {Computername}_ DnsClient_ipconfig-displaydns.TXT
DNS Client - HOSTS file | {Computername}_ DnsClient_HostsFile.TXT
DNS Client Powershell Cmdlets | {Computername}_ DnsClient_info_pscmdlets.TXT
DNS Client netsh show state (for DirectAccess) | {Computername}_ DnsClient_netsh_dnsclient-show-state.TXT

Firewall Information 
Description | File Name
Firewall PowerShell Cmdlets | {Computername}_Firewall_info_pscmdlets.txt
Firewall Registry Keys | {Computername}_Firewall_reg.txt
NETSH Advanced Firewall | {Computername}_netsh_advFirewall.txt
NETSH Advanced Firewall Export | {Computername}_netsh_advFirewall-export.wfw
NETSH Advanced Firewall Rules ConSec | {Computername}_netsh_advFirewall-consec-rules.txt
NETSH Advanced Firewall Rules ConSec Active | {Computername}_netsh_advFirewall-consec-rules-active.txt
NETSH Advanced Firewall Rules | {Computername}_netsh_advFirewall-firewall-rules.txt
NETSH Advanced Firewall Rules Active | {Computername}_netsh_advFirewall-firewall-rules-active.txt
NETSH WFP Show Events | {Computername}_netsh_wfp_show_netevents.xml
NETSH WFP Show BootTimePolicy | {Computername}_netsh_wfp_show.boottimepolicy.xml
NETSH WFP Show Filters | {Computername}_netsh_wfp-show-filters.xml
NETSH WFP Show Options OptionsForNetEvents | {Computername}_netsh_wfp-show-options-optionsfornetevents.txt
NETSH WFP Show Options OptionsForKeyWords | {Computername}_netsh_wfp-show-options-optionsforkeywords.txt
NETSH WFP Show Security Net Events | {Computername}_netsh_wfp-show-security-netevents.txt
NETSH WFP Show State | {Computername}_netsh_wfp-show-state.xml
NETSH WFP Show Sysports | {Computername}_netsh_wfp-show-sysports.xml
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | {Computername}_evt_WindowsFirewallWithAdvancedSecurity-Firewall_evt_.*

TCP Information 
Description | File Name
TCPIP Info | {Computername}_ TCPIP_info.TXT
TCPIP registry output | {Computername}_ TCPIP_reg_output.TXT
TCP OFFLOAD | {Computername}_TCPIP_OFFLOAD.TXT
TCPIP Services File | {Computername}_TCPIP_ServicesFile.TXT
TCPIP Net Powershell Cmdlets | {Computername}_TCPIP_info_pscmdlets_net.TXT
TCPIP IPv6 Transition Technology Info | {Computername}_TCPIP_info_pscmdlets_IPv6Transition.TXT
TCPIP netsh output | {Computername}_TCPIP_netsh_info.TXT
Microsoft-Windows-Iphlpsvc/Operational | {Computername}_evt_Iphlpsvc-Operational_evt_.*

RPC Information 
Description | File Name
RPC netsh output | {Computername}_ RPC_netsh_output.TXT
RPC registry output | {Computername}_ RPC_reg_output.TXT

SMB Information 
Description | File Name
SMB Client registry output | {Computername}_SmbClient_reg_output.TXT
SMB Client Information from Net.exe | {Computername}_SmbClient_info.TXT
SMB Server registry output | {Computername}_SmbServer_reg_output.TXT
SMB Server Information from tools like net.exe | {Computername}_SmbServer_info.txt

Internet Explorer
Description | File Name
Internet Explorer registry information | {Computername}_InternetExplorer_reg_output.txt

NDES
Description: NDES output (Appcmd and Certutil)
File names:
  • {Computername}_NDES_appcmd-list-config.txt
  • {Computername}_NDES_CertUtil_computerTemplateCache.txt
  • {Computername}_NDES_CertUtil_userAllowedTemplates.txt
  • {Computername}_NDES_CertUtil_userTemplateCache.txt

OCSP
Description: OCSP Certutil output
File names:
  • {Computername}_OCSP_CertUtil_computerMyStore.txt
  • {Computername}_OCSP_CertUtil_dump.txt
  • {Computername}_OCSP_CertUtil_userMyStore.txt

SmartCard
Description: SmartCard (Certutil)
File names:
  • {Computername}_SmartCard_CertUtil_CSPTest.txt
  • {Computername}_SmartCard_CertUtil_SCinfo.txt

Software Publishing
Description | File Name
Software Publishing | {Computername}_SoftwarePublishing_reg_.txt

Information Collected for the Advanced Version (all sections above plus the following)

ETL Tracing (Network Capture, WinHTTP and WebIO)
Description | File Name
Netsh Trace: ETL (Network Capture, WinHTTP and WebIO ETL logging) | netshtrace-winhttp-webio.etl
Netsh Trace: CAB | netshtrace-winhttp-webio.cab

ETL Logging (SChannel)
Description | File Name
SChannel ETL Logging | {Computername}_SChannel_schannel.etl


ETL Logging (SmartCard)
Description: SmartCard ETL logging
File names:
  • {Computername}_SmartCard_basecsp.etl
  • {Computername}_SmartCard_certprop.etl
  • {Computername}_SmartCard_winsc.etl
  • {Computername}_SmartCard_scardsvr.etl
  • {Computername}_SmartCard_credprov.etl
  • {Computername}_SmartCard_msclmd.etl

In addition to the files collected and listed previously, this diagnostic can detect one or more of the following situations:
  • Problem detection for certificates that will expire soon or that have expired within the past seven days.
  • Problem detection for identifying certificates that have weak keys (RSA keys less than 1024 bits).
  • Problem detection: Cryptographic Cipher Configuration Detection to detect whether cipher uses have been configured explicitly on the computer or through group policy.
  • Problem detection for identifying problems with certificates that are signed with unsupported encryption types for use with TLS 1.2.
  • Problem detection for certificates that fail chaining validation. All certificates in the User and Computer personal (also known as the "My" store) are checked. Certificates that fail are reported in ResultReport.xml. All certificate results (success or failure) are reported in a text file.
  • Problem detection for domain user token sizing problems that can affect all domain-based authorization scenarios.
  • Problem detection to see whether the local domain secure channel has problems (domain members only).
  • Problem detection to see whether the secure channels to trusted domains are having problems.
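
The expiry, weak-key, and chain-validation checks in the list above can be approximated by hand when the diagnostic is not available. The following PowerShell is an added example and is not the diagnostic's own code; the 30-day look-ahead for "expire soon" and the finding labels are assumptions, because the article does not define them.

```powershell
# Added example (not the diagnostic's own code): approximates three of the
# checks listed above for the user and computer "My" stores.
$SoonDays    = 30    # assumption: the article does not define "soon"
$ExpiredDays = 7     # from the article: expired within the past seven days
$MinRsaBits  = 1024  # from the article: RSA keys less than 1024 bits
$now = Get-Date

$findings = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $issues = @()

        # Expiry window: recently expired, or expiring inside the look-ahead.
        if ($cert.NotAfter -lt $now -and $cert.NotAfter -ge $now.AddDays(-$ExpiredDays)) {
            $issues += 'ExpiredRecently'
        } elseif ($cert.NotAfter -ge $now -and $cert.NotAfter -le $now.AddDays($SoonDays)) {
            $issues += 'ExpiresSoon'
        }

        # Weak key: GetRSAPublicKey returns $null for non-RSA certificates.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
            $issues += "WeakRsaKey($($rsa.KeySize) bits)"
        }

        # Chain validation with the default policy (includes online revocation
        # checking, so this step can generate network traffic).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $issues += "ChainFailed($flags)"
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Issues     = $issues -join '; '
            }
        }
    }
}

$findings | Format-List
```

A certificate that has already expired also fails chain building with a NotTimeValid status, so it can appear with two findings.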

References

For more information about the Support Diagnostic Tool, click the following article number to view the article in the Microsoft Knowledge Base:
973559  (http://support.microsoft.com/kb/973559/ ) Frequently asked questions about the Microsoft Support Diagnostic Tool (MSDT) when it is used with Windows 7 or Windows Server 2008 R2

Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Standard
  • Windows 8 Pro
  • Windows 8
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Standard