When you use the Certificates console on a client computer to request a certificate from a computer running Windows Server 2003 SP1, you receive:
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.
The servers Application log contains events like:
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer: <ServerName>
Description: Certificate Services denied request 5 because the requested certificate template is not supported by this CA.
0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported
by the Certificate Services policy: SubCA.
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 21
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer: <ServerName>
Description: Certificate Services could not process request 5 due to an error: The request's current status does not allow this operation.
0x80094003 (-2146877437).
The client Application log will post Event ID: 13, Event Source: AutoEnrollment if you enable automatic enrollment of certificates in the domain. The client will be unable to obtain certificates automatically.
SP1 introduced rights that give an administrator independent control over local and remote permissions for:
- Starting Component Object Model (COM) servers.
- Activating COM server settings.
- Accessing COM servers.
A new CERTSVC_DCOM_ACCESS security group in the CN=Users container, which should have appropriate permissions, was created when SP1 was installed, and should have the Domain Users and Domain Computers global groups as members. If the Certificate Services service is running on a domain controller, the CERTSVC_DCOM_ACCESS is configured as a Domain Local group with the Enterprise Domain Controllers group as an additional member.
The problem behavior occurs if the membership of the CERTSVC_DCOM_ACCESS group, or DCOM permissions, is incorrect.
To fix the problem:
| 1. | Verify that the CERTSVC_DCOM_ACCESS group exists in the
domain that hosts the certification authority:
|
||||||||||||||||||||
| 2. | Verify that the CERTSVC_DCOM_ACCESS group
includes the following member groups: Domain Users
Domain Computers
Enterprise Domain Controllers if the Certificate Services service is running on a domain controller.
NOTE:
If users or computers in other domains need to enroll against the certification authority, you must add them to the
CERTSVC_DCOM_ACCESS group.
|
||||||||||||||||||||
| 3. | Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM
Access permissions and DCOM Launch and Activation permissions on the computer
that hosts the certification authority:
|
||||||||||||||||||||
| 4. | If any of the above are incorrect:
|
||||||||||||||||||||
| 5. | Repeat steps 1 through 3 to verify that all the settings are correct. |
NOTE: If you changed membership of the CERTSVC_DCOM_ACCESS group, you must restart the server for the changes to take effect.
NOTE: See tip 9834 » Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1.
