Re: Problems requesting computer certificates on an issuing CA
- From: "Anette Andresen" <anette_andresen@xxxxxxxxxxx>
- Date: Tue, 21 Mar 2006 14:42:24 +0100
The exact permissions on my template are:
"Authenticated Users" - read
"CA Admins" - read and write
"Domain Admins" - read and write
"Enterprise Admins" - read and write
"Service computers (the computer group)" - read, enroll and autoenroll
By the way, I tried to manually enroll for a computer certificate based on
the default template, but I get the same error as I did with the customized
computer certificate template.
Regards,
Anette
"Paul Adare" <padare@xxxxxxxxxxx> wrote in message
news:MPG.1e89c5b0a397a48d98a07e@xxxxxxxxxxxxxxxxxxxxxxx
In article <uFpiwfOTGHA.4452@xxxxxxxxxxxxxxxxxxxx>, in the
microsoft.public.windows.server.security news group, Anette Andresen
<anette_andresen@xxxxxxxxxxx> says...
I have a Windows Server 2003 domain with an enterprise issuing CA. The CA is
set up to allow autoenrollment of computer certificates to a number of
computers in our domain. The computers are given the read, enroll and
autoenroll rights on the computer certificate template. The computer
certificate template is enabled on the issuing CA, and the security on the
CA allows the computers to request certificates. All the other computers
except the CA itself have been able to automatically (or manually) request
certificates, and the CA has signed the requests. However, the CA computer
itself tries to request a computer certificate using autoenrollment every
eight hours, but the CA denies the request with the following Request Status
Code message: "The permissions on this certification authority do not allow
the current user to enroll for certificates" and the following Request
Disposition Message: "Denied by Policy Module". When trying to manually
enroll for a computer certificate using certificate manager mmc, I am able
to open the certificate request wizard and complete the steps there, but
after finishing the wizard I receive the message: "The certification
authority denied the request. The permissions on this certification
authority do not allow the current user to enroll for certificates."
Does anyone know how to solve this problem? Is there some setting I have
forgotten? Or isn't it possible to issue a computer certificate to an
enterprise CA?
Since you've enabled the Autoenroll permission on the template you're
obviously not using the default Computer certificate template as that is
a V1 template and only V2 templates support autoenrollment.
What _exactly_ are the permissions on the V2 template?
--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain