Re: Publishing Windows Server 2003 Certificates in Win2k Active Directory

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 05/09/03


Date: Fri, 9 May 2003 06:52:09 -0700


The administrator account is special in that the CA cannot write to the
userCertificate attribute by default. You have to add this permission
explicitly - I think there is a KB article on this topic.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Amihai Bareket" <amihai73@hotmail.com> wrote in message
news:uUKuaFWFDHA.2312@TK2MSFTNGP09.phx.gbl...
> I've installed an Enterprise CA on a Windows Server 2003 (RTM, Enterprise
> Edition).
> The server is a member of a Windows 2000 Domain (Domain controllers run SP3,
> Domain is in native mode).
> The CA computer account is a member of the "Cert Publishers" group.
> I'm unable to publish new certificates to the active directory, although
> they are being generated properly.
> I'm receiving an error message on the application log -
> Source - CertSvc
> Type - Warning
> Event ID - 80
> Description -
> Certificate Services could not publish a Certificate for request 10 to the
> following location on server dc.pki.com:
> CN=administrator,CN=Users,DC=pki,DC=com. Insufficient access rights to
> perform the operation. 0x80072098 (WIN32: 8344).
> ldap: 0x32: 00002098: SecErr: DSID-03150620, problem 4003
> (INSUFF_ACCESS_RIGHTS), data 0
>
> Any ideas?
>
>

