Windows Certificate Authority server (access denied)

McKuser
We have been running our Windows CA server for a few years now. Today, I tried accessing the CA console on the Win2003 server and received an "Access Denied. 0x80070005 (Win32:5)" error msg.
Whenever I clicked on "Revoked Certificates", "Issued Certificates", "Pending Requests" or "Failed Requests", I got this error msg. However, when I clicked on "Certificate Templates", it was fine.
I noticed I get a lot of these errors in my Event Log.  Wonder if this has anything to do with it?

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10016
Date:            1/29/2010
Time:            10:05:57 AM
User:            Domain1\Admin1
Computer:      SERVER8
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} to the user MCKENZIE1\AdminMcK1 SID (S-1-5-21-197287265-861765437-1439788725-500).  This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Paranormastic
Cryptographic Engineer

Commented:
You need to grant the CERTSRV_DCOM_ACCESS group local launch permissions to the CertSrv object in DCOM.

Author

Commented:
Is this "CertSrv" object found in Component Services?  If so, I granted the permission but still got the access denied error even after I restarted the Certificate services.
Cryptographic Engineer
Commented:
Yes, that would be the spot.  I believe that you need to bounce the server afterwards if memory serves, not just certsvc (sorry, been over a year on that one here).  Should be under DCOM Config - CertSrv.

On the Security tab - Launch and Activation Permissions - Edit  - select CERTSRV_DCOM_ACCESS group - add check for allow Local Launch (should already have Local & Remote Activation I believe).
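
Added example (not part of the original thread, and not code from either poster): a read-only PowerShell check of the launch ACL that the answer above edits by hand in Component Services, so the result of the change can be confirmed from the registry. It assumes PowerShell is installed on the CA server and is run as an administrator; the CLSID is the one from the event in the question, and the bit values are the COM_RIGHTS_* constants from the Windows SDK.

```powershell
# Added example: audit the DCOM launch ACL for the CLSID named in event 10016.
$clsid = '{D99E6E73-FC88-11D0-B498-00A0C90312F3}'   # CLSID from the event in the question
$group = 'CERTSRV_DCOM_ACCESS'                      # group named in the answer

# COM launch/activation rights (COM_RIGHTS_* values from the Windows SDK)
$rights = @(
    @{ Name = 'Local Launch';      Bit = 0x02 },
    @{ Name = 'Remote Launch';     Bit = 0x04 },
    @{ Name = 'Local Activation';  Bit = 0x08 },
    @{ Name = 'Remote Activation'; Bit = 0x10 }
)

# Resolve the CLSID to its AppID, then read that application's launch ACL
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$appId  = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction Stop).AppID
if (-not $appId) { throw "CLSID $clsid has no AppID value" }
$appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$bytes  = (Get-ItemProperty -LiteralPath $appKey -ErrorAction Stop).LaunchPermission

if (-not $bytes) {
    # No per-application ACL stored: the machine-wide default launch ACL applies
    Write-Warning 'No LaunchPermission on the AppID; reading DefaultLaunchPermission'
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
}
if (-not $bytes) { throw 'No launch ACL is stored in the registry for this application' }

# The value is a binary self-relative security descriptor
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

$found = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.SecurityIdentifier.Value }   # SID that cannot be resolved
    if ($name -ne $group -and $name -notlike "*\$group") { continue }

    $found = $true
    $held  = $rights | Where-Object { $ace.AccessMask -band $_.Bit } | ForEach-Object { $_.Name }
    '{0}  {1}: {2}' -f $ace.AceQualifier, $name, ($held -join ', ')

    if ($ace.AceQualifier -eq 'AccessAllowed' -and -not ($ace.AccessMask -band 0x02)) {
        Write-Warning "Local Launch is not allowed for $name"
    }
}
if (-not $found) { Write-Warning "$group has no entry in this launch ACL" }
```

Dropping the group filter lists every ACE on the object, which shows whether the account named in the event is covered by any entry at all.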
