Solved

Requesting Certificate from http://host/certsrv

Posted on 2010-09-02
Last Modified: 2013-12-04
I am trying to request a certificate by going to http://[hostname]/certsrv. I will click on "Request certificate" and then "submit an advanced request certificate request." Next I select "Create and submit a request to this CA." Every time I get an error. The CA does show a failed request with a status code "The parameter is incorrect. 0x80070057 (WIN32:87)." In Event Viewer, the Application logs show Event 96 and Event 77. Event 77 is listed for the following templates: Workstation; CAExchange; CrossCA; DirectoryEmailReplication; DomainControllerAuthentication; KeyRecoveryAgent; RASAndIASServer. If I remove these templates then event 77 will not show up. Each of these templates is V2.

*********************************************************************************************
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 96
Date:  9/2/2010
Time:  10:36:16 AM
User:  N/A
Computer: SERVERNAME

Description:
Certificate Services could not create an encryption certificate.  Requested by DOMAIN\USERNAME.  The parameter is incorrect. 0x80070057 (WIN32: 87).

**************************************************************
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date:  9/2/2010
Time:  10:35:57 AM
User:  N/A
Computer: SERVERNAME
The "Windows default" Policy Module logged the following warning: The Workstation Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

 **********************************************************************************
Not sure if it is related, but I am seeing a DCOM error as well. See the message below.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date:  9/2/2010
Time:  10:12:17 AM
User:  domain\username
Computer: servername
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} to the user domain\username SID (S-1-5-21-1659004503-884357618-725345543-27800).  This security permission can be modified using the Component Services administrative tool.

**********************************************************************************************

For the CA I am using Win 2K3 Enterprise SP2 R2. The client requesting the cert is XP Pro. The DCs are 2003 using a 2003 schema.

Please help!
0
Question by:MountyTech
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33589818
Do you need to request a certificate for EFS?
0
 

Author Comment

by:MountyTech
ID: 33590017
No, I am trying to get a computer cert using the advanced option from http://hostname/certsrv > Request a Certificate > advanced certificate request > Create and submit a request to this CA. I can see that it is trying to use a CAExchange certificate template. See the attached screenshots.

Thanks
1.JPG
2.JPG
3.JPG
4.JPG
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33593957
Could you take a print screen of that template and its details, please? Did you try to request a certificate from another workstation/user?
0
 

Author Comment

by:MountyTech
ID: 33595663
Thanks iSiek.

I attached a screenshot of the certificate below. Yes, I have tried from other users and workstations and see the same errors.

Thank you,
CA-Exchange.JPG
0
 

Author Comment

by:MountyTech
ID: 33599050
Since the CAExchange certificate template is v2, do I need to create a duplicate of this cert before using?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33599986
Yes, you should duplicate it. The template should be raised to Windows 2003 level.
0
 

Author Comment

by:MountyTech
ID: 33600201
I am not sure I follow you. How would I go about raising the template to Windows 2003 level? I am using Windows Server 2003 Enterprise for the Subordinate.
Thanks,
0
 

Author Comment

by:MountyTech
ID: 33600548
iSiek,
Thank you for the help. I resolved the problem.

The OID container was missing from the schema. (Configuration>Services>Public Key Services>OID). I used adsiedit.msc to create the object. The class is set to msPKI-Enterprise-Oid.

After that was created I had to remove all templates in the CA MMC and within adsiedit under the Certificate Templates container. Go back to the CA MMC and recreate the templates. Once you create the templates, open adsiedit again or refresh the Templates container. Set the permission on each template as Authenticated User to read & enroll, Domain Admin, Enterprise Admin to Full.

Thank you.
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 1000 total points
ID: 33606075
You're welcome :) and thanks for the feedback. In any new case I would also check that :)

One remark: in the CA Templates console each "gray" certificate is from the Windows 2000 version. When you duplicate these templates you automatically create the Windows 2003 version.
0
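
A read-only check of the directory objects this thread turned on, as an added example that is not part of any participant's post: it confirms that the OID and Certificate Templates containers exist under Public Key Services, then lists each template's schema version and who is allowed to enroll. The attribute names and the Certificate-Enrollment GUID are standard AD schema values rather than details from the thread, and the script assumes a domain-joined session that can read the Configuration partition.

```powershell
# Added example: read-only audit of the AD objects discussed in this thread.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
# Certificate-Enrollment extended right (standard AD schema GUID, not from the thread)
$enroll   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# 1. Both containers must exist; the thread's failure was a missing OID container.
foreach ($cn in 'OID', 'Certificate Templates') {
    $path = "LDAP://CN=$cn,$pkiBase"
    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        "{0,-22} present  objectClass={1}" -f $cn, (@(([ADSI]$path).objectClass) -join ',')
    } else {
        "{0,-22} MISSING  {1}" -f $cn, $path
    }
}

# 2. Per template: schema version (1 = Windows 2000 style, 2 = Windows 2003 style),
#    whether msPKI-Cert-Template-OID is set, and which principals may enroll.
$tplPath = "LDAP://CN=Certificate Templates,$pkiBase"
if ([System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$tplPath)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 200
    $report = foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
                     $true, $true, [System.Security.Principal.NTAccount])
        # Allow ACEs granting Enroll explicitly, or all extended rights (empty GUID).
        $canEnroll = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $enroll -or $_.ObjectType -eq [guid]::Empty)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        New-Object PSObject -Property @{
            Template      = [string]$entry.cn
            SchemaVersion = [string]$entry.'msPKI-Template-Schema-Version'
            HasOid        = [bool]([string]$entry.'msPKI-Cert-Template-OID')
            CanEnroll     = $canEnroll -join '; '
        }
    }
    $report | Sort-Object Template |
        Format-Table Template, SchemaVersion, HasOid, CanEnroll -AutoSize -Wrap
}
```

The CanEnroll column makes it easy to review the result of granting enroll rights on every template, as described in the fix above, against what each template is actually used for.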
 

Author Closing Comment

by:MountyTech
ID: 33607569
That makes sense!
Thanks again for the help iSiek.
I decided to go ahead and give you the points. You helped clarify why I need to duplicate the templates.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33607613
You're welcome. Wish you luck :)
0
