Re: Windows 2003 - Child domain cannot request certificate from root domain



The main thing is that you have to modify the permissions on the certificate templates you wish to issue.
By default, permissions assume a single domain forest.
You must change the permissions to allow users and computers from a child domain to request certificates from the CA.
- The certificate templates are edited using the Certificate Templates console (certtmpl.msc).
- By default, only Enterprise Admins and forest root Domain Admins have the permissions to edit the certificate templates.
- The certificate templates are stored in the Configuration naming context and replicated to all DCs in the forest (requiring the use of either global groups or universal groups for the permission assignments).

You can use one of two permission strategies.
1) Create a custom global group in each domain to represent the target users or target computers for the certificate template. Add both groups (based on the fact that you state you have a root domain and a child domain), and assign each group Read and Enroll permissions.
2) Create a custom global group in each domain to represent the target users or target computers for the certificate template. Add each global group to a custom universal group and assign the universal group Read and Enroll permission for the certificate template.

Brian

"JulioHM" <juliohm@xxxxxxxxx> wrote in message news:c608d1e5-9e29-45ef-b721-d981f9b89963@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

We have a forest setup (all servers are win2003) where we have one
root domain controller (actresses.net) and one child domain
(hot.actresses.net) controller.

Root domain has an Enterprise CA installed, and we are trying to allow
computers in the child domain to request certificates from the root
domain. We keep getting the same error message, no matter what we try.

After following the Certificate Request Wizard in the MMC Certificate
snap-in, the following error message appears.


---------------------------
Certificate Request Wizard
---------------------------
The certificate request failed because of one of the following
conditions:
- The certificate request was submitted to a Certification
Authority (CA) that is not started.
- You do not have the permissions to request certificates from the
available CAs.
---------------------------
OK
---------------------------


Apparently, as we have googled around, this message seems to have
several possible reasons to show up. We've tried changing all kinds of
permissions everywhere (templates, active directory) but without any
luck.

Would anyone have any clue of how to work around this?

Any help is appreciated.

Thanks
Julio
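
Strategy 2 from the reply above, written out with the Windows Server 2003 directory command-line tools (dsadd, dsacls) as an added example; it is not part of the original thread. The group names, the CN=Users containers, the NetBIOS domain name ACTRESSES and the template name placeholder are assumptions.

```batch
@echo off
rem Added example: global groups -> universal group -> template ACL (strategy 2).
rem Run as an account allowed to edit templates (Enterprise Admins or forest
rem root Domain Admins, per the reply above).
rem Assumed/hypothetical names: CertEnroll-Root, CertEnroll-Child,
rem CertEnroll-Forest, the CN=Users containers, NetBIOS name ACTRESSES.
setlocal
set "ROOT_DN=DC=actresses,DC=net"
set "CHILD_DN=DC=hot,DC=actresses,DC=net"
rem Placeholder: replace with the CN of the template you want to issue.
set "TEMPLATE_CN=TEMPLATE-NAME-PLACEHOLDER"
set "TPL_DN=CN=%TEMPLATE_CN%,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,%ROOT_DN%"

rem 1. One global security group per domain for the target computers or users.
dsadd group "CN=CertEnroll-Root,CN=Users,%ROOT_DN%" -secgrp yes -scope g
dsadd group "CN=CertEnroll-Child,CN=Users,%CHILD_DN%" -secgrp yes -scope g -d hot.actresses.net

rem 2. One universal security group in the root domain holding both global groups.
rem    Universal security groups need a domain functional level above
rem    Windows 2000 mixed.
dsadd group "CN=CertEnroll-Forest,CN=Users,%ROOT_DN%" -secgrp yes -scope u ^
  -members "CN=CertEnroll-Root,CN=Users,%ROOT_DN%" "CN=CertEnroll-Child,CN=Users,%CHILD_DN%"

rem 3. Grant generic read (GR) and the Enroll extended right (CA;Enroll)
rem    on the template object in the Configuration naming context.
dsacls "%TPL_DN%" /G "ACTRESSES\CertEnroll-Forest:GR" "ACTRESSES\CertEnroll-Forest:CA;Enroll"

rem 4. Print the resulting ACL and confirm that only the intended group was
rem    added; a broader grant such as Authenticated Users lets every account
rem    in the forest enroll.
dsacls "%TPL_DN%"
endlocal
```

Computers added to the global groups pick up the new membership only after a restart, and the template change has to replicate to the child domain's DCs before enrollment is retried.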
