Posted by Brian Komar [MVP] on October 2, 2006, 4:28 pm
What is the current group type? You did not have to change it when it was a domain local group. Is there a Certificate Publishers domain local group in the child domain? All that you needed to do was add the CA's computer account to the domain local group and the permission assignments would be complete.

The bottom line is that the CA must belong to the Cert Publishers group, and the Cert Publishers group must be assigned permissions on the userCertificate attribute. As stated in the article, you must assign the group the Read and Write permissions on the userCertificate attribute.

If the certificates are not publishing correctly, then it was one of a few possible issues:

1) Did you enable the option in the certificate template to publish to the directory (use certtmpl.msc to view the certificate template property pages)?

2) Verify that you correctly did the *three* procedures described in step 5 of the article. These are three separate procedures that *all* must be done.

3) If you did the three steps, did you wait for the change of the group type to universal to replicate? If you performed the permissions in the child domain while the group is still domain local, then the permission assignments will fail in the child domain.

Brian
> My Enterprise Root CA can't publish certificates to AD which are issued
> for users in the child domain. I receive the following warning in the
> event log:
>
> Event Type: Warning
> Event Source: CertSvc
> Event Category: None
> Event ID: 80
> Date: 02.10.2006
> Time: 13:18:16
> User: N/A
> Computer: RootDomainDC
> Description:
> Certificate Services could not publish a Certificate for request 66 to
> the following location on server ChildDomainDC: ChildDomainUser.
> Insufficient access rights to perform the operation. 0x80072098 (WIN32:
> 8344). ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
> (INSUFF_ACCESS_RIGHTS), data 0
>
> The Enterprise Root CA is located on the DC in the root domain. I found
> the following KB Article:
> "Certification Authority configuration to publish certificates in Active
> Directory of trusted domain" [Q281271]
>
> In step number five - Delegate Control - on the child domain controller,
> they describe how to add the "Cert Publishers" group from the parent
> domain. But I can't add (find) this group, because the scope is set to
> "domain local"!? I changed the scope to "universal" by using "dsmod" and
> completed step numbers five and six as described. However, the warning
> still appears!
>
> I'm also confused about step number 3. I have only the Windows default exit
> module with the property "allow certificates to be published to the
> *file system*" and nothing like "...published in the *Active Directory*"
> as described in the KB article.
>
> Thanks in advance
> Patrik
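A read-only check of the conditions Brian lists (CA computer account in Cert Publishers, group scope, and Read/Write on userCertificate for the failing user), as an added example that is not part of the thread or the KB article. It assumes the RSAT ActiveDirectory module is available, that the session runs in the root domain where the CA lives, and that the CA host, child domain and user names below are placeholders to replace.

```powershell
Import-Module ActiveDirectory

function Test-CertPublishing {
    param(
        [string]$CaComputer,   # sAMAccountName of the CA's computer account, without the trailing $
        [string]$ChildDomain,  # DNS name of the child domain
        [string]$UserSam       # a child-domain user whose certificate failed to publish (Event ID 80)
    )
    $dc      = (Get-ADDomainController -DomainName $ChildDomain -Discover).HostName[0]
    $caDn    = (Get-ADComputer -Identity $CaComputer).DistinguishedName   # resolved in the current (root) domain
    $rootDse = Get-ADRootDSE -Server $dc

    # Condition 1: the CA's computer account must be a member of the child domain's Cert Publishers.
    # Within one forest the member attribute stores the member's real DN, so compare DNs directly.
    # The scope is printed because a parent-domain group must be universal before it can be used here.
    $group = Get-ADGroup -Identity 'Cert Publishers' -Server $dc -Properties member
    Write-Host ("Cert Publishers in {0}: scope={1}, CA is member={2}" -f
        $ChildDomain, $group.GroupScope, ($group.member -contains $caDn))

    # Condition 2: Cert Publishers needs Read and Write on userCertificate. Resolve the attribute's
    # schemaIDGUID from the schema instead of hard-coding it, then inspect the user's effective ACL.
    $attr = Get-ADObject -Server $dc -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
    $userCertGuid = [guid]$attr.schemaIDGUID
    $needed = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $user = Get-ADUser -Identity $UserSam -Server $dc -Properties nTSecurityDescriptor
    $aces = $user.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -like '*\Cert Publishers' -and
        # an ACE with an empty ObjectType grants the right on all properties, so it also qualifies
        ($_.ObjectType -eq $userCertGuid -or $_.ObjectType -eq [guid]::Empty) -and
        (($_.ActiveDirectoryRights -band $needed) -eq $needed)
    }
    if ($aces) {
        $aces | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize
    } else {
        Write-Host "No ACE grants Cert Publishers Read+Write on userCertificate for $UserSam"
    }
}

# Placeholder values: replace with the CA computer, child domain and user from your own event.
Test-CertPublishing -CaComputer 'ROOTCA01' -ChildDomain 'child.example.com' -UserSam 'ChildDomainUser'
```

If the membership line reports the CA as a member but no ACE is listed, the Delegate Control step (or its replication to the child domain) is the part still missing.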