pkwillis
asked on
When I try and request a Domain Controller certificate I get an error
I have a 2008 domain and one of my domain controllers (AD1) is my certificate authority. When I try and request a domain controller certificate for one of the other domain controllers (AD2 or AD3), I get an error (see below). I have added the Domain Controllers to the "Certificate Service DCOM Access" and restarted the Cert svc, to no avail. I turned off the firewall for "domain, private and public". Any ideas?
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 10/30/2009 3:04:14 PM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: AD2.xxxxxx.local
Description:
Certificate enrollment for Local system failed to enroll for a DomainController certificate from AD2.xxxxxx.local\xxxxxx-AD1-CA (Class not registered 0x80040154 (-2147221164)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="49754">13</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-10-30T22:04:14.000Z" />
<EventRecordID>1099</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>AD2.xxxxxx.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="TemplateName">DomainController</Data>
<Data Name="CA">AD2.xxxxxx.local\xxxxxx-AD1-CA</Data>
<Data Name="ErrorCode">Class not registered 0x80040154 (-2147221164)</Data>
</EventData>
</Event>
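Added example, not part of the original post: an offline triage of the Event XML above that extracts the CA config string and error code, and flags that the event names AD2 as the CA host while the post says the CA runs on AD1. The function name, the `expected_ca_host` parameter and the trimmed sample event are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the event from the post, trimmed to the fields used here.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID Qualifiers="49754">13</EventID>
<Computer>AD2.xxxxxx.local</Computer>
</System>
<EventData>
<Data Name="TemplateName">DomainController</Data>
<Data Name="CA">AD2.xxxxxx.local\xxxxxx-AD1-CA</Data>
<Data Name="ErrorCode">Class not registered 0x80040154 (-2147221164)</Data>
</EventData>
</Event>"""


def triage_enroll_failure(event_xml, expected_ca_host=None):
    """Summarise a CertEnroll event 13 and list inconsistencies worth checking.

    expected_ca_host is a hypothetical parameter: the short name of the machine
    the administrator believes hosts the CA (AD1 in the post).
    """
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "13":
        raise ValueError("not an enrollment-failure event (ID 13)")
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    # The CA field is a config string of the form <CA host>\<CA name>.
    ca_host, _, ca_name = data.get("CA", "").partition("\\")
    m = re.search(r"0x([0-9A-Fa-f]{8})", data.get("ErrorCode", ""))
    hresult = int(m.group(1), 16) if m else None
    # HRESULTs are 32-bit; the event text also shows the signed form.
    signed = hresult - (1 << 32) if hresult is not None and hresult & 0x80000000 else hresult
    findings = []
    if ca_host and ca_host.lower() == computer.lower():
        findings.append("CA host in the event is the enrolling computer itself")
    if expected_ca_host and ca_host.split(".")[0].lower() != expected_ca_host.lower():
        findings.append("CA host %r does not match expected CA host %r" % (ca_host, expected_ca_host))
    return {"computer": computer, "template": data.get("TemplateName"), "ca_host": ca_host,
            "ca_name": ca_name, "hresult": hresult, "hresult_signed": signed,
            "findings": findings}


if __name__ == "__main__":
    print(triage_enroll_failure(SAMPLE_EVENT, expected_ca_host="AD1"))
```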
Are your users part of the CERTSVC_DCOM_ACCESS security group?
Hi
Your error message (Class not registered) seems similar to the problems outlined in this thread:
http://social.msdn.microsoft.com/forums/en-US/clr/thread/4d994962-35c2-44cc-b91c-28f7e6fe3b91
I realize this is 2000/2003 information but maybe it will point you in the right direction.
A possible solution could be the one outlined in this KB article:
http://support.microsoft.com/kb/840690/en-us
I would at least check your configuration to see if "Enable Session State" was checked as outlined in the article above.
Hope this helps :)
Bjorn
There are a number of suggestions here that may help you. If you're still having problems after going through these, let me know.
http://www.eventid.net/display.asp?eventid=13&eventno=2719&source=AutoEnrollment&phase=1
ASKER
None of the solutions posted here helped. We are about to call Microsoft so anyone with further knowledge please post!
ASKER
Thank you all for your assistance. I believe it was all of you that helped keep my train of thought.
Excellent post, pkwillis! I spent just a few minutes reading up on this issue and found your post - pointed me directly to the incorrect information in AD. Thanks for posting your solution!