Hi
I wonder if someone can explain why I am seeing behaviour I do not expect from our PKI. It is a 2 tier CA hierarchy, offline stand-alone root with Server 2003 R2 SP2 Enterprise Issuing CA.
We have a few custom templates along with the basic default setup. The only significant change made is the removal of the Enroll security permission on the Windows 2000/v1 User certificate template.
As for the Group Policy settings, autoenrollment is configured in the default domain policy to allow computers to autoenroll, renew, update, revoke etc. However, users are currently denied autoenrollment in the same GPO and nothing overrides this further down.
The issue I have is that each time a user logs in, the CA denies them a User certificate on the grounds that they do not have permission. This is seen as a failed enrollment and the following event log entry:
Source: CertSvc
Event ID: 53
Certificate Services denied request 123 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=SDAM. Additional information: Denied by Policy Module
Now I guess I could just remove the template from the CA but at some point we may (although it is highly unlikely) wish to use it for some users. What I really want to know though, is why is it trying to enroll it in the first place? It's a version 1 template and therefore can't be autoenrolled, autoenrollment is denied by Group Policy for users anyway so what is causing Windows to attempt to enroll the certificate at log on?
I guess there is something I am still missing in my understanding of Microsoft PKI so any advice would be greatly appreciated!
Thanks
Karl
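Added diagnostic for the situation described above. This is not part of Karl's post; it is a PowerShell script that reads back the three pieces of configuration the post relies on so they can be compared with what the CA actually logs: the Enroll/AutoEnroll ACEs on the User template in Active Directory, the AEPolicy registry value that the autoenrollment Group Policy writes for the machine and for the current user, and the CA database's denied requests (disposition 31) with the template each one named. The configuration naming context, the CA config string, and the comment on what AEPolicy values mean are assumptions to be replaced or verified in your own environment (gpresult will confirm the policy setting); the extended-right GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment control access rights.

```powershell
# Added example, not from the original post.
# Assumptions (replace for your environment):
$ConfigNC     = "CN=Configuration,DC=example,DC=com"   # your forest's configuration NC
$CAConfig     = "issuingca.example.com\Example Issuing CA" # CA config string (host\CA name)
$TemplateName = "User"                                   # the v1 User template from the post

# Well-known control access right GUIDs on pKICertificateTemplate objects.
$EnrollRight     = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment
$AutoEnrollRight = [Guid]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"   # Certificate-AutoEnrollment

# Lists who holds Enroll / AutoEnroll (or all extended rights) on a template.
function Get-TemplateEnrollAces {
    param([string]$Name, [string]$ConfigNC)
    $dn    = "LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
    $entry = [ADSI]$dn
    # psbase is required on PowerShell 1.0/2.0 to reach the DirectoryEntry members.
    foreach ($ace in $entry.psbase.ObjectSecurity.Access) {
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $kind = $null
        if     ($ace.ObjectType -eq $EnrollRight)     { $kind = "Enroll" }
        elseif ($ace.ObjectType -eq $AutoEnrollRight) { $kind = "AutoEnroll" }
        elseif ($ace.ObjectType -eq [Guid]::Empty)    { $kind = "AllExtendedRights" }  # covers Enroll too
        if ($kind) {
            New-Object PSObject -Property @{
                Identity = $ace.IdentityReference.Value
                Right    = $kind
                Type     = $ace.AccessControlType   # Allow or Deny
            }
        }
    }
}

# Reads the AEPolicy value written by the "Autoenrollment Settings" policy.
# Assumption from memory: 0x8000 is what the policy editor writes for "Disabled";
# bits 1 and 2 correspond to the two renew/update checkboxes. Confirm with gpresult.
function Get-AutoEnrollmentPolicy {
    foreach ($hive in "HKLM", "HKCU") {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $val = $null
        if (Test-Path $key) { $val = (Get-ItemProperty -Path $key).AEPolicy }
        New-Object PSObject -Property @{
            Scope    = $(if ($hive -eq "HKLM") { "Computer" } else { "User" })
            AEPolicy = $(if ($val -ne $null) { "0x{0:X}" -f $val } else { "(not set)" })
        }
    }
}

# Denied requests in the CA database (disposition 31), with the template each named.
# Each row should line up with a CertSvc event ID 53 on the CA.
function Get-DeniedRequests {
    param([string]$CAConfig)
    & certutil -config $CAConfig -view -restrict "Disposition=31" `
        -out "RequestID,Request.RequesterName,CertificateTemplate,Request.DispositionMessage"
}

"== ACEs on template '$TemplateName' =="
Get-TemplateEnrollAces -Name $TemplateName -ConfigNC $ConfigNC | Format-Table Identity, Right, Type -AutoSize

"== Templates the CA is configured to issue =="
& certutil -config $CAConfig -CATemplates

"== Autoenrollment policy as applied on this box =="
Get-AutoEnrollmentPolicy | Format-Table Scope, AEPolicy -AutoSize

"== Denied requests in the CA database =="
Get-DeniedRequests -CAConfig $CAConfig
```

Run it as the user who gets the event 53, on a workstation that shows the failure, so the HKCU value reflects that user's resulting policy. If the denied-request rows name the User template while the ACE listing shows no Allow ACE for Enroll (or AllExtendedRights) for that user's groups, the CA is doing what its policy module should; the remaining question is which client component submits the request, which the AEPolicy values (computer versus user) help narrow down.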