RE: subordinate ent CAs don't publish certs to AD after Win 2k3 SP1
From: Daya (authenticdaya_at_yahoo.com.dontspam)
Date: 08/01/05
- Next message: Daya: "RE: 0x424 (WIN32: 1060) in Enterprise Root CA"
- Previous message: Daya: "Certificate Services Performance ---"
- Next in thread: enriz: "RE: subordinate ent CAs don't publish certs to AD after Win 2k3 SP"
- Reply: enriz: "RE: subordinate ent CAs don't publish certs to AD after Win 2k3 SP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 1 Aug 2005 07:41:14 -0700
Enriz,
I do not have the details in front of me, but this has to do with a GPO
setting for the domain. You will need to use the policy editor to ensure that
the GPO is set correctly and then gpforce... Sorry I don't have more
details...
Daya
-- Daya Puls, CISSP IT Security, Sigma Systems, Marlborough, MA

"enriz" wrote:
> Hi,
>
> My system consists of a single Windows 2003 domain.
> I've got an enterprise root CA installed on a domain controller and a
> subordinate enterprise CA on another server, which issues only secure email
> purpose certificates.
> These two servers both run Win 2003 Enterprise Ed.
> Before SP1 was installed on both servers, everything went well: the
> subordinate CA issued certificates and published them to AD through the
> autoenrollment process.
> After SP1 was installed on both servers, users cannot autoenroll
> certificates and, if enrollment is done manually, i.e. by web server, the
> subordinate CA issues the certificates but DOES NOT publish them to AD.
> In Event Viewer I always see the warning (source: certsvc; event id: 80)
>
> Certificate Services could not publish a Certificate for request 9 to the
> following location on server testup.prova.upg:
> CN=user_test,CN=Users,DC=prova,DC=upg. Insufficient access rights to perform
> the operation. 0x80072098 (WIN32: 8344).
> ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
> (INSUFF_ACCESS_RIGHTS), data 0
>
> Note that if the same kind of certificate is requested from the domain
> controller's CA (the root CA), it will be published to AD!
> Any ideas?
> I've already checked that:
> 1) Both the server with the root CA and the server with the subordinate CA
> are members of the Cert Publishers group, and this group has permissions to
> read and write the userCertificate attribute on users.
> 2) The brand new security group added by the SP1 installation to the AD
> structure, CERTSVC_DCOM_ACCESS, contains both the Domain Users and Domain
> Computers groups. I've also added the Domain Controllers group, but nothing
> changed.
>
> PLEASE help me, I'm really in a mess!!!
> Thanks in advance!!!
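The two checks enriz describes (Cert Publishers membership for the CA computer, and write access on the user's userCertificate attribute), scripted as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory module and its AD: drive; the user DN and group names are the ones quoted in the post, and the subordinate CA host name is a placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$UserDN    = "CN=user_test,CN=Users,DC=prova,DC=upg"  # DN quoted in the event 80 text
$SubCaHost = "SUBCA01"                                # placeholder: subordinate CA computer name

# 1) Is the subordinate CA's computer account in Cert Publishers?
#    The CA publishes under its machine account, so the group SID must be in its token.
$members  = Get-ADGroupMember "Cert Publishers" -Recursive |
            Select-Object -ExpandProperty SamAccountName
$isMember = $members -contains "$SubCaHost`$"
"Cert Publishers contains ${SubCaHost}`$ : $isMember"

# 2) Resolve the schemaIDGUID of userCertificate so attribute-scoped ACEs match exactly.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$attr         = Get-ADObject -SearchBase $schemaNC `
                  -LDAPFilter "(lDAPDisplayName=userCertificate)" -Properties schemaIDGUID
$userCertGuid = [guid]$attr.schemaIDGUID

# 3) Does the user object's DACL (own or inherited ACEs) allow Cert Publishers to
#    WriteProperty on userCertificate, or on all properties (empty ObjectType GUID)?
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl       = Get-Acl -Path "AD:\$UserDN"
$writeAces = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\Cert Publishers" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($writeProp) -and
    ($_.ObjectType -eq $userCertGuid -or $_.ObjectType -eq [guid]::Empty)
}
if ($writeAces) {
    "Cert Publishers may write userCertificate on $UserDN"
} else {
    "No Allow WriteProperty ACE for Cert Publishers on userCertificate; expect event 80 / 0x80072098"
}

# 4) SP1 introduced CERTSVC_DCOM_ACCESS; list its members for review.
Get-ADGroupMember "CERTSVC_DCOM_ACCESS" | Select-Object Name, objectClass
```

Run it on a domain-joined admin workstation; a group membership change for the CA's computer account only appears in the CA's token after that server is rebooted, so re-run the first check afterwards.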