Posted by Anette Andresen on March 21, 2006, 8:42 am
The exact permissions on my template are:
"Authenticated Users" - read
"CA Admins" - read and write
"Domain Admins" - read and write
"Enterprise Admins" - read and write
"Service computers (the computer group)" - read, enroll and autoenroll
By the way, I tried to manually enroll for a computer certificate based on
the default template, but I get the same error as I did with the customized
computer certificate template.
Regards,
Anette
> microsoft.public.windows.server.security news group, Anette Andresen
>
>> I have a Windows Server 2003 domain with an enterprise issuing CA. The CA
>> is set up to allow autoenrollment of computer certificates to a number of
>> computers in our domain. The computers are given the read, enroll and
>> autoenroll rights on the computer certificate template. The computer
>> certificate template is enabled on the issuing CA, and the security on the
>> CA allows the computers to request certificates. All the other computers
>> except the CA itself have been able to automatically (or manually) request
>> certificates, and the CA has signed the requests. However, the CA computer
>> itself tries to request a computer certificate using autoenrollment every
>> eight hours, but the CA denies the request with the following Request
>> Status Code message: "The permissions on this certification authority do
>> not allow the current user to enroll for certificates" and the following
>> Request Disposition Message: "Denied by Policy Module". When trying to
>> manually enroll for a computer certificate using the certificate manager
>> MMC, I am able to open the certificate request wizard and complete the
>> steps there, but after finishing the wizard I receive the message: "The
>> certification authority denied the request. The permissions on this
>> certification authority do not allow the current user to enroll for
>> certificates."
>>
>> Does anyone know how to solve this problem? Is there some setting I have
>> forgotten? Or isn't it possible to issue a computer certificate to an
>> enterprise CA?
>
> Since you've enabled the Autoenroll permission on the template you're
> obviously not using the default Computer certificate template as that is
> a V1 template and only V2 templates support autoenrollment.
> What _exactly_ are the permissions on the V2 template?
>
> --
> Paul Adare - MVP Virtual Machines
> "It all began with Adam. He was the first man to tell a joke--or a lie.
> How lucky Adam was. He knew when he said a good thing, nobody had said
> it before. Adam was not alone in the Garden of Eden, however, and does
> not deserve all the credit; much is due to Eve, the first woman, and
> Satan, the first consultant." - Mark Twain
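The two things the reply asks about, the exact ACEs on the V2 template and whether the CA computer really carries the group membership that the template grants rights to, can be checked from the CA itself with the PowerShell below. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) is installed, and the template CN and group name are placeholders.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory module
# (RSAT) is available. Template CN and group name are placeholders.
Import-Module ActiveDirectory

$templateCn = 'ServiceComputerCert'     # placeholder: CN of the custom V2 template
$groupName  = 'Service computers'       # placeholder: the computer group on the template

# Well-known GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment
# extended rights, as stored in the template's AD security descriptor.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-8b93-00c04fd8c5ce'

# Templates live in the Configuration partition, not in the domain partition.
$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

Write-Host "ACEs on template $templateCn :"
$acl = Get-Acl -Path "AD:\$templateDn"
foreach ($ace in $acl.Access) {
    $rights = @()
    if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)  { $rights += 'Read' }
    if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) { $rights += 'Write' }
    if ($ace.ObjectType -eq $enrollGuid)     { $rights += 'Enroll' }
    if ($ace.ObjectType -eq $autoEnrollGuid) { $rights += 'AutoEnroll' }
    '{0,-6} {1,-40} {2}' -f $ace.AccessControlType, $ace.IdentityReference, ($rights -join ', ')
}

# A computer only picks up a new group membership when its Kerberos ticket is
# rebuilt (reboot or ticket purge), so compare what AD says with the live token.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties memberOf
$inAd = $computer.memberOf | Where-Object { $_ -like "CN=$groupName,*" }
Write-Host ("AD lists {0} as {1}a member of '{2}'" -f $env:COMPUTERNAME, $(if ($inAd) { '' } else { 'NOT ' }), $groupName)
# To see the groups in the machine account's own token, run "whoami /groups"
# as SYSTEM (for example from a scheduled task); an elevated admin shell shows
# the administrator's token, not the computer's.

# Finally, list the requests this CA has denied, which is where the
# autoenrollment attempts every eight hours end up (Disposition 31 = denied).
certutil -view -restrict "Disposition=31" -out "RequestID,RequesterName,DispositionMessage"
```

If the ACE list shows Enroll and AutoEnroll only for the group and the machine token does not contain that group, the denial is expected until the CA computer's ticket is refreshed.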