Solved

Requesting Certificate from http://host/certsrv

Posted on 2010-09-02
Last Modified: 2013-12-04
I am trying to request a certificate by going to http://[hostname]/certsrv. I will click on "Request certificate" and then "submit an advanced certificate request." Next I select "Create and submit a request to this CA." Every time I get an error. The CA does show a failed request with a status code "The parameter is incorrect. 0x80070057 (WIN32:87)." In Event Viewer, the Application logs show Event 96 and Event 77. Event 77 is listed for the following templates: Workstation; CAExchange; CrossCA; DirectoryEmailReplication; DomainControllerAuthentication; KeyRecoveryAgent; RASAndIASServer. If I remove these templates then event 77 will not show up. Each of these templates is V2.

*********************************************************************************************
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 96
Date:  9/2/2010
Time:  10:36:16 AM
User:  N/A
Computer: SERVERNAME

Description:
Certificate Services could not create an encryption certificate.  Requested by DOMAIN\USERNAME.  The parameter is incorrect. 0x80070057 (WIN32: 87).

**************************************************************
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date:  9/2/2010
Time:  10:35:57 AM
User:  N/A
Computer: SERVERNAME
The "Windows default" Policy Module logged the following warning: The Workstation Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

 **********************************************************************************
Not sure if it is related, but I am seeing a DCOM error as well. See the message below.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date:  9/2/2010
Time:  10:12:17 AM
User:  domain\username
Computer: servername
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{D99E6E73-FC88-11D0-B498-00A0C90312F3}
 to the user domain\username SID (S-1-5-21-1659004503-884357618-725345543-27800).  This security permission can be modified using the Component Services administrative tool.

**********************************************************************************************

For the CA I am using Win 2K3 Enterprise SP2 R2. The client requesting the cert is XP Pro. The DC's are 2003 using a 2003 schema.

Please help!
Question by:MountyTech
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33589818
Do you need to request a certificate for EFS?
0
 

Author Comment

by:MountyTech
ID: 33590017
No, I am trying to get a computer cert using the advanced option from http://hostname/certsrv > Request a Certificate > advanced certificate request > Create and submit a request to this CA. I can see that it is trying to use a CAExchange certificate template. See the attached screenshots.

Thanks
1.JPG
2.JPG
3.JPG
4.JPG
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33593957
Could you take a print screen of that template and its details, please? Did you try to request a certificate from another workstation/user?
0
 

Author Comment

by:MountyTech
ID: 33595663
Thanks iSiek.

I attached a screenshot of the certificate below. Yes, I have tried from other users and workstations and see the same errors.

Thank you,
CA-Exchange.JPG
0
 

Author Comment

by:MountyTech
ID: 33599050
Since the CAExchange certificate template is v2, do I need to create a duplicate of this cert before using?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33599986
Yes, you should duplicate it. The template should be raised to Windows 2003 level.
0
 

Author Comment

by:MountyTech
ID: 33600201
I am not sure I follow you. How would I go about raising the template to Windows 2003 level? I am using Windows Server 2003 Enterprise for the Subordinate.
Thanks,
0
 

Author Comment

by:MountyTech
ID: 33600548
iSiek,
Thank you for the help. I resolved the problem.

The OID container was missing from the schema. (Configuration>Services>Public Key Services>OID). I used adsiedit.msc to create the object. The class is set to msPKI-Enterprise-Oid.

After that was created I had to remove all templates in the CA mmc and within adsiedit under the Certificate Templates container. Go back to the CA mmc and recreate the templates. Once you create the templates, open adsiedit again or refresh the Templates container. Set the permissions on each template as Authenticated User to read & enroll, Domain Admin, Enterprise Admin to Full.

Thank you.
0
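
The fix described in the comment above depends on three things in the Configuration partition: the OID container under Public Key Services, the template objects under Certificate Templates, and the Enroll permission on each template. The following read-only PowerShell check is an added example, not part of the original thread; it assumes a domain-joined host and an account that can read the Configuration partition, and it uses the standard Certificate-Enrollment extended-right GUID.

```powershell
# Added example: read-only audit of the AD objects named in the fix above.
# Assumes a domain-joined host and read access to the Configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# 1. The OID container that was missing in this thread.
$oidPath = "LDAP://CN=OID,$pks"
if ([System.DirectoryServices.DirectoryEntry]::Exists($oidPath)) {
    $classes = ([ADSI]$oidPath).Properties['objectClass']
    "OID container present (class: $($classes[$classes.Count - 1]))"
} else {
    "OID container MISSING: $oidPath"
}

# 2. Every template object, its schema version, and who is allowed to enroll.
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pks"
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 200

foreach ($result in $searcher.FindAll()) {
    $entry   = $result.GetDirectoryEntry()
    $version = $result.Properties['mspki-template-schema-version']
    $rules   = $entry.psbase.ObjectSecurity.GetAccessRules(
                   $true, $true, [System.Security.Principal.NTAccount])

    # Allow ACEs granting Enroll explicitly, or all extended rights (empty GUID).
    $enrollers = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [Guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value }

    New-Object PSObject -Property @{
        Template      = [string]$result.Properties['cn'][0]
        SchemaVersion = $(if ($version.Count) { $version[0] } else { 'not set' })
        EnrollAllowed = ($enrollers | Sort-Object -Unique) -join ', '
    }
}
```

Templates that list broader groups than intended under EnrollAllowed are worth reviewing before the CA starts issuing from them again.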
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33606075
You're welcome :) and thanks for the feedback. In any new case I would check also that :)

One remark: in the CA Templates console, each "gray" certificate is from the Windows 2000 version. When you duplicate these templates you automatically create the Windows 2003 version.
0
 

Author Closing Comment

by:MountyTech
ID: 33607569
That makes sense!
Thanks again for the help iSiek.
I decided to go ahead and give you the points. You helped clarify why I need to duplicate the templates.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33607613
You're welcome. Wish you luck :)
0
