Re: Publishing Windows Server 2003 Certificates in Win2k Active Directory

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 05/09/03


Date: Fri, 9 May 2003 06:52:09 -0700


The administrator account is special in that the CA cannot write to the
userCertificate attribute by default. You have to add this permission
explicitly - I think there is a KB article on this topic.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Amihai Bareket" <amihai73@hotmail.com> wrote in message
news:uUKuaFWFDHA.2312@TK2MSFTNGP09.phx.gbl...
> I've installed an Enterprise CA on a Windows Server 2003 (RTM, Enterprise
> Edition).
> The server is a member of a Windows 2000 Domain (Domain controllers run SP3,
> Domain is in native mode).
> The CA computer account is a member of the "Cert Publishers" group.
> I'm unable to publish new certificates to the active directory, although
> they are being generated properly.
> I'm receiving an error message on the application log -
> Source - CertSvc
> Type - Warning
> Event ID - 80
> Description -
> Certificate Services could not publish a Certificate for request 10 to the
> following location on server dc.pki.com:
> CN=administrator,CN=Users,DC=pki,DC=com. Insufficient access rights to
> perform the operation. 0x80072098 (WIN32: 8344).
> ldap: 0x32: 00002098: SecErr: DSID-03150620, problem 4003
> (INSUFF_ACCESS_RIGHTS), data 0
>
> Any ideas?
>
>
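
An added example, not part of the original thread and not Microsoft's own tooling: a read-only PowerShell check that lists the ACEs allowing or denying a principal write access to userCertificate on the object named in the Event ID 80 message. The function name, the default principal and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (hypothetical helper): list ACEs that let a principal write
# userCertificate on one object. Read-only; needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-UserCertificateWriteAce {
    param(
        # DN from the Event ID 80 text in the quoted post
        [string]$TargetDN = 'CN=administrator,CN=Users,DC=pki,DC=com',
        # Assumption: the CA writes through its "Cert Publishers" membership
        [string]$Principal = 'Cert Publishers'
    )

    # Look the attribute's GUIDs up in the schema rather than hard-coding them
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=userCertificate)' `
        -Properties schemaIDGUID, attributeSecurityGUID

    # An ACE covers the attribute if its ObjectType is empty (all properties),
    # the attribute itself, or the property set the attribute belongs to
    $guids = @([guid]::Empty, [guid]$attr.schemaIDGUID)
    if ($attr.attributeSecurityGUID) { $guids += [guid]$attr.attributeSecurityGUID }

    $write       = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    (Get-Acl -Path "AD:\$TargetDN").Access | Where-Object {
        $_.IdentityReference.Value -like "*$Principal" -and
        ($_.ActiveDirectoryRights -band $write) -eq $write -and
        $guids -contains $_.ObjectType -and
        # Skip ACEs that only propagate to child objects
        ($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited
}

# No 'Allow' row is consistent with the INSUFF_ACCESS_RIGHTS failure; review any 'Deny' rows too.
Get-UserCertificateWriteAce | Format-Table -AutoSize
```

The Administrator account is protected by AdminSDHolder, whose ACL is periodically stamped onto protected accounts, so the same check is worth running with `-TargetDN 'CN=AdminSDHolder,CN=System,DC=pki,DC=com'`. Nested group membership is not resolved; `-Principal` is matched against ACE identity names only.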

