Re: Can't publish Windows Server 2003 Certificates in Win2k Active Directory properly
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: Sat, 15 May 2004 07:57:22 -0700
Make sure the machine account of your CA is a member of the "Cert
Publishers" global group in each domain - that should work...
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Dean" <email@example.com> wrote in message news:firstname.lastname@example.org...
> I have set up an Enterprise CA on Windows 2003 Server, Enterprise
> Edition. After I issued a user certificate, I can get the certificate
> down to the local store, but the user account does not have the user
> certificate published in "Published Certificates" tab. In other words,
> the user certificate was not published into Active Directory properly.
> The event log shows:
>
> Source: CertSvc
> Event ID: 80
>
> Certificate Services could not publish a Certificate for request 7 to
> the following location on server dc.pki.com:
> CN=pkiuser,CN=Users,DC=pki,DC=com. Insufficient access rights to
> perform the operation. 0x80072098 (WIN32: 8344).
> ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003
> (INSUFF_ACCESS_RIGHTS), data 0
>
> My Active Directory was Windows 2000 but it has run ForestPrep and
> DomainPrep and has been upgraded to Windows 2003 AD schema. All DC are
> now Windows 2003 but Active Directory level still stays at "Windows
> 2000 native".
>
> There was a discussion that I have to add the permission to
> userCertification attribution and there is an article that addresses
> this issue. Does anyone know this issue and see this article?
>
> My lab is fresh Windows 2003 Active Directory with "Windows 2003"
> level. I don't have this problem in my lab. So, would it work if I
> raise the Active Directory level to "Windows 2003"?
>
> If someone can help me with this, I really appreciate it.
>
> Thanks in advance,
>
> Dean
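
An added example, not part of either post: it parses the CertSvc event 80 text quoted in this thread, checks that the HRESULT wraps the same Win32 code the event reports, and derives from the target DN the domain whose "Cert Publishers" group the reply says to check. The function name `triage` and the result field names are assumptions made for the illustration.

```python
import re

# CertSvc event ID 80 text as quoted in the post, joined into one string.
EVENT_TEXT = (
    "Certificate Services could not publish a Certificate for request 7 to "
    "the following location on server dc.pki.com: "
    "CN=pkiuser,CN=Users,DC=pki,DC=com. Insufficient access rights to "
    "perform the operation. 0x80072098 (WIN32: 8344). "
    "ldap: 0x32: 00002098: SecErr: DSID-031509EE, problem 4003 "
    "(INSUFF_ACCESS_RIGHTS), data 0"
)

LDAP_INSUFFICIENT_ACCESS = 0x32  # LDAP result code 50, insufficientAccessRights
FACILITY_WIN32 = 7               # HRESULT facility that wraps Win32 error codes

EVENT_RE = re.compile(
    r"request (?P<request>\d+) to the following location on server "
    r"(?P<server>[^\s:]+): (?P<dn>.+?DC=[^,.\s]+)\.\s"
    r".*?(?P<hresult>0x[0-9A-Fa-f]{8}) \(WIN32: (?P<win32>\d+)\)"
    r".*?ldap: (?P<ldap>0x[0-9A-Fa-f]+):"
)

def triage(text):
    """Parse the event and report which domain's directory refused the write."""
    m = EVENT_RE.search(" ".join(text.split()))  # undo line wrapping first
    if m is None:
        raise ValueError("not a CertSvc publish-failure message")
    hresult = int(m["hresult"], 16)
    facility, code = (hresult >> 16) & 0x7FF, hresult & 0xFFFF
    # The DC= components of the target DN spell the DNS name of its domain.
    domain = ".".join(re.findall(r"DC=([^,]+)", m["dn"], re.I))
    return {
        "request": int(m["request"]),
        "server": m["server"],
        "target_dn": m["dn"],
        "domain": domain,
        "win32_in_hresult": code if facility == FACILITY_WIN32 else None,
        "codes_agree": facility == FACILITY_WIN32 and code == int(m["win32"]),
        "access_denied": int(m["ldap"], 16) == LDAP_INSUFFICIENT_ACCESS,
    }

if __name__ == "__main__":
    r = triage(EVENT_TEXT)
    if r["access_denied"] and r["codes_agree"]:
        print(f"request {r['request']}: write to {r['target_dn']} refused by {r['server']}")
        print(f"check 'Cert Publishers' membership of the CA machine account in {r['domain']}")
```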