PowerShell PKI Module Documentation

Documentation Home
This command requires installed Remote Server Administration Tools (RSAT)
This command is obsolete and may be removed in future versions. Consider the use of ‘Get-AdcsDatabaseRow -Table Failed’ command.

Get-FailedRequest

Synopsis

Retrieves failed certificate requests from Certification Authority (CA) database.

Syntax

Get-FailedRequest [-CertificationAuthority] <CertificateAuthority[]> [[-RequestID] <Int32[]>] [[-Page] <Int32>] [[-PageSize] <Int32>] [[-Property] <String[]>] [[-Filter] <String[]>] [<CommonParameters>]

Description

Retrieves failed certificate requests from Certification Authority (CA) database. Failed requests are requests that were either manually denied by CA Administrator or CA Manager, or denied by policy module due to some error in submitted request.

Since CA server may contain many failed certificate requests, you may specify various filters by using 'RequestID' or 'Filter' parameters.

Note: certain output object properties may have dots, for example: $object.Request.RawRequest. In order to access property value, it must be enclosed in double quotes: $object."Request.RawRequest".

Parameters

-CertificationAuthority <CertificateAuthority[]>

Specifies the Certification Authority to process. This object can be retrieved by running Get-CertificationAuthority command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-RequestID <Int32[]>

Use this parameter if you know desired request ID or IDs. You may specify more than one ID and command will return only failed requests with matching IDs.

If this parameter is used, 'Filter' parameter is ignored.

Required? False
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Property <String[]>

By default, the command returns only common certificate request properties (database columns). Use this parameter to show additional properties if necessary. List of possible properties depends on CA server operating system version. To retrieve valid property list run Get-CertificationAuthorityDbSchema command.

In order to display all properties for output objects set this parameter to asterisk '*'. However, all property retrieval may affect Certification Authority's performance.

Required? False
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Filter <String[]>

Specifies the query filter to restrict output objects to ones that matches query filter rule. Query filter rule consist of three components: <RequestProperty>, <comparison operator> and <value>. Query filter is composed in the following format: "<RequestProperty> <comparison operator> <value>" where:
<RequestProperty> – is a certificate request property name. To retrieve valid property list run Get-CertificationAuthorityDbSchema command.
<comparison operator> – specifies the logical operator of the data-query qualifier for the column.
<value> – specifies the data query qualifier applied to the certificate request property.

Possible operators are:
-eq (equal to) – the value in the <value> field equals to a value stored in the certificate request property.
-le (less or equal to) – the value in the <value> field is less or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers.
-lt (less than) – the value in the <value> field is less then a value stored in the certificate request property. See below about operator behavior with string qualifiers.
-ge (greater or equal to) – the value in the <value> field is greater or equal to a value stored in the certificate request property. See below about operator behavior with string qualifiers.
-gt (greater than) – the value in the <value> field is greater than a value stored in the certificate request property. See below about operator behavior with string qualifiers.

There are special rules when processing the following operators: '-ge', '-gt', '-le' and '-lt' with string qualifiers. In this case, CA server performs binary comparison between strings (column value and qualifier value). For example, "A" is less than "B" ("A" is placed before "B", therefore "B" is greater than "A"), "AC" is greater than "AB", "ABC" is less than "BRC".
If column value length is larger than qualifier string, a wild card is virtually added to the query qualifier value. For example, column value is "a large string" and qualifier value is "a large", then column value is greater than qualifier value. In other words, "AA" > "A" and "A" < "AA".

An example of the filter: Request.RequesterName -eq domain\username
this filter returnes requests that were requested by 'domain\username' user account. See examples section for more filter examples.

You can specify multiple filters. All filters are applied to requests with logical AND operator. This means that output requests must match all filters.

Note: wildcard characters are not supported.

Note: if 'RequestID' parameter is specified, all filters are ignored.

Required? False
Position? 5
Default value
Accept pipeline input? false
Accept wildcard characters? False

-Page <Int32>

Specifies the page number to read from CA database. This parameter is part of CA database paging functionality and works in conjunction with 'PageSize' parameter.

Required? False
Position? 2
Default value 1
Accept pipeline input? false
Accept wildcard characters? False

-PageSize <Int32>

Specifies the page size to load from CA database. This parameter can limit the number of database rows returned by this command at once. When not specified, no limits are set and CA will return all rows associated with the query.

Required? False
Position? 3
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.CertificateAuthority

Outputs

SysadminsLV.PKI.Management.CertificateServices.Database.AdcsDbRow

You can pipe this object to Remove-AdcsDatabaseRow to delete specified objects from CA database.

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name "company-CA" | Get-FailedRequest

Retrieves all failed certificate requests from "company-CA" certification authority.

Example 2

PS C:\> Get-CertificationAuthority -Name "company-CA" | Get-FailedRequest -RequestID 5,80,105 -Property "Request.RawRequest"

Retrieves failed requests with RequestID equals to 5, 80 and 105. Also this command will add "Request.RawRequest" property for further request contents examination.

Example 3

PS C:\> Get-CertificationAuthority | Get-FailedRequest -Filter "CertificateTemplate -eq WebServer", "Request.SubmittedWhen -gt $((Get-Date).AddHours(-1)" -Property "*"

In this example, the command will return all failed requests from all enterprise certification authorities that were submitted within last hour and based on a "WebServer" certificate template. This example is useful, when user reports about unsuccessful attempts to enroll for a certificate. Returned objects can be used to determine exact reason why reqest was failed.

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-CertificationAuthorityDbSchema
Get-IssuedRequest
Get-PendingRequest
Get-RevokedRequest
Remove-AdcsDatabaseRow

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions