I have set up an Enterprise Root CA in a test environment, since we want to authenticate our clients with 802.1X and encrypt network communication with SSL. I installed the CA on a domain controller and the web enrollment (CertSrv) on a member server. Autoenrollment of computer certificates is working, and the domain controller has also been issued a Domain Controller certificate, so everything seems to be fine.
For our internal web servers I am trying to create a SAN certificate. I duplicated the "Web Server" template on the CA and selected "Windows Enterprise 2003"; I made no further changes. After that I opened the "Computer Certificate" store (with an account that has "Domain Admin" membership) on a web server and tried to request a certificate based on this template, but the Certificate Enrollment dialog shows "Status: Unavailable", and running "certutil -TCAinfo" also shows "No Access" for the template.
If I open the "Computer Certificate" store in mmc.exe with the built-in Domain Administrator, I am able to request a certificate based on the duplicated template.
I created a group "CA-Admin", added it to the security settings of the template with "Read/Write/Enroll" permissions, and added the account with Domain Admin membership to it; now the template is displayed as available in "certutil -TCAinfo".
I do not understand this behavior: since the user is a member of the "Domain Admin" group, he should be able to request the certificate in both scenarios, as "Domain Admin" also has "Read/Write/Enroll" permissions on the template. Can someone explain that to me?
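A check worth running before changing any more ACLs, added here as an example and not part of the original post: read the template's security descriptor straight from the Configuration partition (the same ACL the CA evaluates), list which principals hold the Enroll extended right, and then show how the groups in the current session's token are actually flagged. A group listed with the "Group used for deny only" attribute (which UAC applies to administrative groups in a filtered, non-elevated token) does not satisfy an Allow ACE, so comparing an elevated console with a non-elevated one is informative. The template name "WebServerSAN" is a hypothetical stand-in for the duplicated template; the script assumes a domain-joined host with the ActiveDirectory PowerShell module installed.

```powershell
# Added example (not from the original post). Inspects who holds Enroll on a
# certificate template and how the current token carries the relevant groups.
# Assumptions: template common name "WebServerSAN" (hypothetical); the
# ActiveDirectory module is available; run once elevated and once not.

Import-Module ActiveDirectory

$TemplateName = 'WebServerSAN'   # hypothetical name of the duplicated template
# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" in the GUI).
$EnrollRight  = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ADR          = [System.DirectoryServices.ActiveDirectoryRights]

# Templates live in the Configuration naming context, not in the CA's registry.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Read the DACL from the template object through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$dn"

Write-Host "Allow entries on $TemplateName that grant Enroll (or full control):"
$acl.Access |
    Where-Object {
        $r = $_.ActiveDirectoryRights
        # Enroll is an extended right; an empty ObjectType means "all extended rights".
        $grantsEnroll = ($r -band $ADR::ExtendedRight) -and
                        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [Guid]::Empty)
        # Full control also implies Enroll.
        $grantsAll    = ($r -band $ADR::GenericAll) -eq $ADR::GenericAll
        $_.AccessControlType -eq 'Allow' -and ($grantsEnroll -or $grantsAll)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# Now the token this console is running with. Look at the Attributes column:
# "Group used for deny only" means the group cannot satisfy an Allow ACE.
Write-Host "`nHow the current token carries the groups that matter:"
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -match 'Domain Admins|CA-Admin' } |
    Select-Object 'Group Name', Attributes |
    Format-Table -AutoSize

# For comparison, what certutil itself reports for the template's ACL.
Write-Host "`ncertutil view of the template ACL:"
certutil -v -template $TemplateName | Select-String -Pattern 'Allow|Deny'
```

Run the script from a normal PowerShell window and again from one started with "Run as administrator" under the same Domain Admin account, and compare the Attributes column for the Domain Admins entry in the two runs; then run it under the built-in Administrator, which by default is not subject to UAC token filtering.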