Posted by Philippe Bonatti on August 24, 2005, 10:27 am
Hi Brian,
Yes, I gave the permission on the template,
Domain Controllers are in the CERTSVC_DCOM_ACCESS group.
I know about v2 certificates, but we don't need them now;
We're planning to install a second IssuerCA on Windows 2003 Enterprise
Edition later.
I did some tests, found on a French forum:
On the child DC, run an MMC with the SYSTEM account (with at ...)
We tried to connect to Computer Management of the parent DC and got an error,
access denied.
We shared a folder on the parent DC with Share and NTFS permissions for the child
DC, and when we try to connect to it, we get access denied too.
We're searching for a Kerberos or RPC/COM trouble.
Thanks for the help, if you have more ideas ...
Best regards
Philippe
Brian Komar wrote:
> Some answers inline:
>
> philippe@teo.home____unix.net says...
>> Hi,
>>
>> I have a big problem with our PKI
>>
>> Trouble:
>> -------
>> When a computer requests (by autoenrollment), the IssuerCA accepts the
>> certificate (I can see it in the Issued Certificates folder) but a few
>> minutes later, the following error appears in the CA MMC, in the Failed Requests
>> folder:
>> The permissions on the certificate template do not allow the
>> current user to enroll for this type of certificate.
>> 0x80094012 (-2146877422)
>>
>> Denied by the policy module.
>>
>
> Did you modify the permissions of the certificate template to allow
> computers/users in the child domains to Read/Enroll certificates? This
> is done in the Certificate Templates console (certtmpl.msc).
>
>> When a child domain controller asks for a domain controller certificate,
>> I get this message on the child DC:
>> The certificate request failed because of one of the following
>> conditions:
>> - The certification authority did not start.
>> - You do not have permission to request certificates from
>> the available certification authorities.
>>
>
> Same case here. In addition, because you are running on a DC, make sure
> that you add each domain's DOMAIN\Domain Controllers group to the
> CERTSVC_DCOM_ACCESS in the domain where the CA exists.
>
>> I checked, the CA has started and I think I have the right to enroll
>> certificates.
>>
>> Where can I search for information about this?
>>
>> note: Error messages have been translated from French ...
>>
>> Our structure :
>> ---------------
>> Root domain: toto.com
>> 5 child domains: a.toto.com, b.toto.com, c.toto.com, ...
>>
>> We're migrating the domain from Windows 2000 (native) to Windows 2003.
>> The parent domain was migrated a few weeks ago.
>>
>> Old PKI:
>> --------
>> First we had a simple PKI with a Win2000 SP4 DC as Enterprise CA; it
>> did not work perfectly, but it worked.
>> This old PKI has been removed now.
>>
>> Current PKI:
>> ------------
>> We have a Standalone Offline CA (Windows 2003).
>> We have one Intermediate Enterprise CA designed to issue CA certificates.
>> All enterprise CAs are in the root domain and are Windows 2003 Standard SP1
>> Domain Controllers only.
>
> A CA needs to run on Windows Server 2003 Enterprise Edition to issue v2
> certificates with autoenrollment. Not really an issue here, but it will get
> you in the future.
--
Philippe Bonatti
-------------------------
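The two things Brian asks Philippe to confirm (each child domain's Domain Controllers group in CERTSVC_DCOM_ACCESS in the CA's domain, and Read/Enroll on the template for those same groups) can be checked from a script instead of by eye. The following PowerShell is an added example, not code from the thread or from either poster; it assumes the RSAT ActiveDirectory module on a machine joined to the forest, uses the domain names from the post (toto.com and its children), and uses a placeholder template name that must be replaced by the template the child DCs actually request. The two extended-right GUIDs are the standard Certificate-Enrollment and Certificate-AutoEnrollment rights.

```powershell
# Added example (not from the thread): verify the template ACL and the
# CERTSVC_DCOM_ACCESS membership that 0x80094012 / "access denied" point at.
# Assumes the RSAT ActiveDirectory module and a forest laid out as in the post.
Import-Module ActiveDirectory

$RootDomain   = 'toto.com'                                 # domain hosting the Enterprise CA (from the post)
$ChildDomains = 'a.toto.com', 'b.toto.com', 'c.toto.com'   # child domains named in the post; extend as needed
$TemplateName = 'DomainController'                         # PLACEHOLDER: cn of the template the child DCs request

# Extended-right GUIDs for the two template permissions that matter for autoenrollment.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-91b5-0000f87a57d4'   # Certificate-AutoEnrollment

# Resolve each domain's "Domain Controllers" group once (DN and SID are both needed below).
$AllDomains = @($RootDomain) + $ChildDomains
$DcGroups   = @{}
foreach ($domain in $AllDomains) {
    $DcGroups[$domain] = Get-ADGroup -Identity 'Domain Controllers' -Server $domain
}

# --- Check 1: CERTSVC_DCOM_ACCESS in the CA's domain must contain every domain's Domain Controllers group.
# The member attribute holds DNs; inside one forest a child-domain group appears with its real DN,
# so a DN comparison avoids the cross-domain resolution problems Get-ADGroupMember can have.
$dcomMembers = (Get-ADGroup -Identity 'CERTSVC_DCOM_ACCESS' -Server $RootDomain -Properties member).member

Write-Host "CERTSVC_DCOM_ACCESS membership (CA domain $RootDomain):"
foreach ($domain in $AllDomains) {
    $ok = $dcomMembers -contains $DcGroups[$domain].DistinguishedName
    '  {0,-14} Domain Controllers : {1}' -f $domain, $(if ($ok) { 'present' } else { 'MISSING' })
}

# --- Check 2: the template object (forest-wide Configuration partition) must grant Read and Enroll
# (plus Autoenroll for autoenrollment) to each domain's Domain Controllers group.
$configNC   = (Get-ADRootDSE -Server $RootDomain).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"
# Ask for the rules keyed by SID so groups from any domain compare without name translation.
$rules      = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

function Test-TemplateRights {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $mine = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Sid.Value
    }
    $read = [bool]($mine | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    })
    # An ExtendedRight ACE with an empty ObjectType grants all extended rights, Enroll/Autoenroll included.
    $ext = $mine | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    $enroll = [bool]($ext | Where-Object { $_.ObjectType -eq $EnrollRight     -or $_.ObjectType -eq [guid]::Empty })
    $auto   = [bool]($ext | Where-Object { $_.ObjectType -eq $AutoEnrollRight -or $_.ObjectType -eq [guid]::Empty })
    [pscustomobject]@{ Read = $read; Enroll = $enroll; Autoenroll = $auto }
}

Write-Host "Template '$TemplateName' rights per domain's Domain Controllers group:"
foreach ($domain in $AllDomains) {
    $r = Test-TemplateRights -Sid $DcGroups[$domain].SID
    '  {0,-14} Read={1} Enroll={2} Autoenroll={3}' -f $domain, $r.Read, $r.Enroll, $r.Autoenroll
}
```

The script only matches ACEs granted directly to each Domain Controllers group; a right granted through a nested group or to Authenticated Users will show as False here even though the CA would honour it, so read a False as "look closer", not as proof of a missing ACE. Remember also that a DC picks up a new CERTSVC_DCOM_ACCESS membership only when its computer token is rebuilt (a restart of the DC is the simplest way), which is a common reason the check passes while the CA still returns access denied.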