Re: Problems requesting computer certificates on an issuing CA



In article <uFpiwfOTGHA.4452@xxxxxxxxxxxxxxxxxxxx>, in the
microsoft.public.windows.server.security news group, Anette Andresen
<anette_andresen@xxxxxxxxxxx> says...

I have a windows server 2003 domain with an enterprise issuing CA. The CA is
set up to allow autoenrollment of computer certificates to a number of
computers in our domain. The computers are given the read, enroll and
autoenroll rights on the computer certificate template. The computer
certificate template is enabled on the issuing CA, and the security on the
CA allows the computers to request certificates. All the other computers
except the CA itself have been able to automatically (or manually) request
certificates, and the CA has signed the requests. However, the CA computer
itself tries to request a computer certificate using autoenrollment every
eight hours, but the CA denies the request with the following Request Status
Code message: "The permissions on this certification authority do not allow
the current user to enroll for certificates" and the following Request
Disposition Message: "Denied by Policy Module". When trying to manually
enroll for a computer certificate using certificate manager mmc, I am able
to open the certificate request wizard and complete the steps there, but
after finishing the wizard I receive the message: "The certification
authority denied the request. The permissions on this certification
authority do not allow the current user to enroll for certificates."

Does anyone know how to solve this problem? Is there some setting I have
forgotten? Or isn't it possible to issue a computer certificate to an
enterprise CA?

Since you've enabled the Autoenroll permission on the template, you're
obviously not using the default Computer certificate template, as that is
a V1 template and only V2 templates support autoenrollment.
What _exactly_ are the permissions on the V2 template?

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
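The reply above asks for the exact permissions on the V2 template, and the distinction between V1 and V2 templates is what decides whether autoenrollment can work at all. The following PowerShell script is an added example, not code from either poster, that reads a template's schema version and its Enroll/Autoenroll ACEs straight from the Configuration partition, then lists the templates published on the CA. It assumes a domain-joined session with the RSAT ActiveDirectory module; the template name is a placeholder, since the thread never names the custom template.

```powershell
# Added example (not from the thread): show a certificate template's schema
# version and the principals holding Enroll / Autoenroll on it.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is
# domain-joined. $TemplateName is a placeholder for the custom V2 template.
param(
    [string]$TemplateName = 'CustomComputerV2'   # placeholder, not a name from the thread
)
Import-Module ActiveDirectory

# Extended-right GUIDs of the controlAccessRight objects in the AD schema
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-b5e3-00c04f79dc55'   # Certificate-AutoEnrollment

# Templates live under Public Key Services in the Configuration naming context
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# msPKI-Template-Schema-Version is 1 for a V1 template (no autoenrollment),
# 2 or higher for V2+ templates, which is what the reply is asking about.
$tpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Template-Schema-Version'
"Template {0}: schema version {1} (1 = V1, no autoenrollment; 2+ = V2)" -f `
    $tpl.Name, $tpl.'msPKI-Template-Schema-Version'

# Walk the template's DACL and keep only Allow ACEs that carry an extended right;
# an empty ObjectType GUID means "all extended rights", which covers both.
$acl = Get-Acl -Path "AD:\$templateDN"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } |
    ForEach-Object {
        $right = switch ($_.ObjectType) {
            $EnrollRight     { 'Enroll' }
            $AutoEnrollRight { 'Autoenroll' }
            ([guid]::Empty)  { 'All extended rights' }
            default          { $null }
        }
        if ($right) {
            [pscustomobject]@{ Principal = $_.IdentityReference; Right = $right }
        }
    } |
    Sort-Object Principal, Right |
    Format-Table -AutoSize

# A template must also be published on the CA before anyone can enroll for it
certutil -CATemplates
```

Read the ACE list for the computer accounts (or a group containing them) that should be enrolling: they need Read plus Enroll for manual requests and Autoenroll as well for automatic ones. Note that the template ACL is only half of the picture; the "permissions on this certification authority" message in the original post refers to the CA's own Request Certificates permission, which is set on the CA object in the Certification Authority console rather than on the template.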