All Windows 2008 R2. Stand-alone RootCA in workgroup. Enterprise SubCA in domain. Under Certificate Templates I have given my spefic user account, as well as all authenticated users read, enroll and autoenroll perms.
Attempting to generate a web server certificate I can successfully generate the request from the IIS Manglement Console.
1) If I go tohttp://subca/certsrv, choose submit a CSR by using file, I get "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory".
No helpful eventlog messages follow this error.
2) If I go into Certificate Auth MMC, Submit a new request, load the CSR, I get "The request contains no certificate template information. 0x80094901. Denied by Policy Module 0x80094901 The request does not contain a certificate template extension of the certificate template request attribute.
This is accompanied by an Event 53, warning, CertificationAuthority. Same error message as above, with CN string of the request.
Things tried to date:
1) Fixed perms on cert templates, followed by AD CS restart. No effect.
2) http://support.microsoft.com/kb/811418
"No Certificate Templates Could Be Found" error message when a user requests certificate from CA Web enrollment pages
Result: values all check out OK
3) Publish to Active Directory is enabled for the Cert Templates in question.
4) Manually submit to the CA and specify the template type perhttp://pdconsec.net/blogs/davidr/archive/2008/08/13/No_2D00_Certificate_2D00_Template_2D00_In_2D00_Request.aspx
- returns the same error message
Regardless of the name (full name, display name) used the error message “The requested certificat etemplate is not supported by this CA” results.
5) Applies to Windows 2000, doesn’t help as perms are correctly applied.
http://support.microsoft.com/kb/239452
"Access Denied" When Requesting Certificate Through Web Access
6) I can confirm that AC CS is starting properly, the offline RootCA prep step to ignore the offline RootCA was taken, however the RootCA is currently not turned off yet.
I'm running out of ideas...