Error reading certificate private key when permissions applied through Domain Local Groups

I'm pretty sure this might not be a certificate problem per se, so I'm
posting to this newsgroup too.

We are attempting to use Domain Local Groups to restrict permissions to a
certificate private key.

We have a service account provisioned into a Domain Global Group, and then
have the Domain Global Group added to a Domain Local Group, and then apply
the Domain Local Group to the private key properties granting read, and read
& execute.

We then have an account that runs an ASP application that tries to read the
private key - if the account is given access through the DLG - it fails with
a file permission access denied, if it is given access directly, or if the
Everyone group is applied - it succeeds.

Is this a known bug, and is there a way around it?


Jediah L.