Auto Enrolment failure after migration to server 2008



An old 2003 DC with Root CA was decommissioned and replaced with a new 2008
server.

The CA was backed up on the old server, and restored onto the new 2008 DC
with the same name. The certificate database appears intact.

We can request new user certificates via the web interface, but
auto-enrolment fails. Nothing is shown in the Failed Requests list.

User certificates can be requested via the MMC, but computer certificates
fail with
"The certificate request failed because of one of the following conditions:
-The certificate request was submitted to a Certification Authority (CA)
that is not started.
-You do not have the permissions to request certificates from the available
CAs."

I have followed the troubleshooting guide
http://blogs.technet.com/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
(as I haven't found a 2008 version) and everything seems OK except for the
guide's reference to the group CERTSVC_DCOM_ACCESS, which does not exist in
our AD. The certutil -setreg fix does not create the group, and our
correctly-working lab network does not contain the group either.

The Application log on the client shows:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied.

The System log on the client shows:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10006
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
DCOM got error "General access denied error " from the computer
FF1.domain.local when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}

I have checked the DCOM permissions for "CertSrv Request" against our
working lab server, and they are identical.

Any idea what I'm missing?

Paul
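As an added example (not from the post, and not Microsoft's tooling), a small Python correlation of the two client-side events quoted above: it parses exported Application and System log entries, pairs each AutoEnrollment Event ID 13 failure carrying 0x80070005 with a DCOM 10006 logged on the same client within a few seconds, and pulls out the CA host and the CLSID whose activation was denied, which is the pairing an admin wants to confirm before looking at CA DCOM permissions. The event text is constructed to match the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, modelled on the two entries quoted in the post.
APP_LOG = """Event Type: Error
Event Source: AutoEnrollment
Event ID: 13
Date: 24/08/2009
Time: 14:04:42
Computer: FF8
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied."""

SYS_LOG = """Event Type: Error
Event Source: DCOM
Event ID: 10006
Date: 24/08/2009
Time: 14:04:42
Computer: FF8
Description:
DCOM got error "General access denied error " from the computer
FF1.domain.local when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}"""

def parse_event(text):
    """Split one exported event into a dict; the multi-line description is joined."""
    head, _, desc = text.partition("Description:")
    ev = dict(re.findall(r"^(\w[\w ]*?): (.*)$", head, re.M))
    ev["Description"] = " ".join(desc.split())
    ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%d/%m/%Y %H:%M:%S")
    return ev

def correlate(app_events, sys_events, window=timedelta(seconds=5)):
    """Pair AutoEnrollment 13 access-denied failures with DCOM 10006 on the same client."""
    findings = []
    for a in app_events:
        if a.get("Event Source") != "AutoEnrollment" or a.get("Event ID") != "13":
            continue
        if "0x80070005" not in a["Description"]:   # only the access-denied variant
            continue
        for s in sys_events:
            if (s.get("Event Source") == "DCOM" and s.get("Event ID") == "10006"
                    and s["Computer"] == a["Computer"]
                    and abs(s["when"] - a["when"]) <= window):
                m = re.search(r"from the computer (\S+) .*?(\{[0-9A-F-]+\})", s["Description"])
                findings.append({"client": a["Computer"],
                                 "ca_host": m.group(1) if m else None,
                                 "clsid": m.group(2) if m else None})
    return findings
```

A non-empty result means the enrollment failure is a DCOM activation refusal on the named CA host rather than a template or CA-not-started problem, so the DCOM launch/activation permissions on that CA are the place to look next.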
