We help IT Professionals succeed at work.

you do not have permission to request this type of certificate

I am trying to set up a Server 2008 Direct Access Server for testing. and am getting error
 "you do not have permission to request this type of certificate"
when attempting to request a certificate from  my CA server for the DA server. the cert template says that domain admins have full access to this cert and I am a domain admin, yet no go.

help. thanks
Watch Question

Distinguished Expert 2018

Very likely the version of Windows Server you are running. As I recall, DA is listed as a feature only in "Enterprise Edition" and above. There are differences in the types of certificates and auto-enrollments allowed between standard and enterprise.


I am running Server 2008 R2 Datacenter and the Direct Access feature is present and installed fine, I am trying to enroll to get the proper certificates for authentication and that is saying I don't have the correct permissions, I tried logging into the machine as the builtin domain admin account and got the same error


here is the exact error
Distinguished Expert 2018

Two points just to be sure, because I've never seen this when things are set up properly:

Even if you have a Datacenter Edition license, that doesn't necessarily mean that is the version installed.  I see downgrade rights exercised just often enough. Best to double-check the computer properties.

Is the CA running on datacenter edition? The CA is the certificate issuer and is responsible for throwing the error you are seeing.  Even if you have DA set up on an enterprise or datacenter version, if the CA is on standard then it'll be a no-go.


data center is the version installed,  if I right click computer under basic info about your computer is says 2008 r2 datacenter,

the CA is not running on datacenter. it is on a 2008 Enterprise machine, that also acts as the domain controller, dhcp server and dns server

Distinguished Expert 2018
You most perform this on your CA server then:
1. Open the Certificate Templates snap-in
2. Open Certificates Templates tree.
3. In the contents pane, right-click the Web Server template, and then click Duplicate Template.
4. Click Windows Server 2008 Enterprise, and then click OK.
5. In Template display name, type Web Server 2008.
6. Security tab.
7. Authenticated Users->select Enroll in the Allow column.
8. Add->Domain Computers
9. Domain Computers->select Enroll in the Allow column.
10. Request Handling tab.
11. Allow private key to be exported.
12. Close all windows
13. Open Certification Authority snap-in.
14. Expand the CA->right-click Certificate Templates->New->Certificate Template To Issue.
15. Select Web Server 2oo8 and close

Should resolve your issue.


perfect, that was exactly what I needed to do.