Solved

Requesting Certificate from http://host/certsrv

Posted on 2010-09-02
11
2,408 Views
Last Modified: 2013-12-04
I am triing to request a certificate by going to http://[hostname]/certsrv. I will click on "Request certificate" and then "submit an advanced request certificate request." Next I select "Create and submit a request to this CA." Everytime I get an error. The CA does show a failed request with a status code "The parameter is incorrect. ox80070057 (WIN32:87)." In event viewer Application logs show Event 96 and event 77. The event 77 is listed for the following templates Workstation CAExchange; CrossCA; DirectoryEmailReplication; DomainControllerAuthentication; KeyRecoveryAgent; RASAndIASServer. If I remove these templates then event 77 will not show up. Each of these templates V2.

*********************************************************************************************
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 96
Date:  9/2/2010
Time:  10:36:16 AM
User:  N/A
Computer: SERVERNAME

Description:
Certificate Services could not create an encryption certificate.  Requested by DOMAIN\USERNAME.  The parameter is incorrect. 0x80070057 (WIN32: 87).

**************************************************************
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date:  9/2/2010
Time:  10:35:57 AM
User:  N/A
Computer: SERVERNAME
The "Windows default" Policy Module logged the following warning: The Workstation Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

 **********************************************************************************
Not sure if it related but I am seeing a DCOM error as well. See the message below

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date:  9/2/2010
Time:  10:12:17 AM
User:  domain\username
Computer: servername
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{D99E6E73-FC88-11D0-B498-00A0C90312F3}
 to the user domain\username SID (S-1-5-21-1659004503-884357618-725345543-27800).  This security permission can be modified using the Component Services administrative tool.

**********************************************************************************************

For the CA I am using Win 2K3 Enterprise SP2 R2. The client requesting the cert is XP Pro. The DC's are 2003 using a 2003 schema.

Please help!
0
Comment
Question by:MountyTech
  • 6
  • 5
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33589818
Do you need to request a certificate for EFS?
0
 

Author Comment

by:MountyTech
ID: 33590017
No I am trying to get a computer cert using the advance option from http://hostname/certsrv > Request a Certificate > advanced certificate request > Create and submit a request to this CA. I can see that it is trying to use a CAExchange certificate template. See the attached screen shots.

Thanks
1.JPG
2.JPG
3.JPG
4.JPG
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33593957
Could you take a print screen of that template and its details, please? Did you try to request a certificate from other workstation/user ?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:MountyTech
ID: 33595663
Thanks iSiek.

I attached a screenshot of the cerificate below. Yes I have tried from other users and workstations and see the same errors.

Thank you,
CA-Exchange.JPG
0
 

Author Comment

by:MountyTech
ID: 33599050
Since the CAExchange certificate template is v2, do I need to create a duplicate of this cert before using?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33599986
Yes, you should duplicate it. Template should be raised to Windows 2003 level.
0
 

Author Comment

by:MountyTech
ID: 33600201
I am not sure I follow you. How would I go about raising template to windows 2003 level? I am using Windows Server 2003 Enterprise for the Subordinate.
Thanks,
0
 

Author Comment

by:MountyTech
ID: 33600548
iSiek,
Thank you for the help. I resolved the problem.

The OID container was missing from the schema. (Configuration>Services>Public Key Services>OID). I used agsiedit.msc to create the object. The class is set to msPKI-Enterprise-Old.

After that was created I had to remove all templates in the CA mmc and within adsiedit under the Certificate Templates container. Go back to CA mmc and recreate the templates. Once you create the templates open adsiedit again or refresh the Templates container. Set the perimission on each template as Authenticated User to read & enroll, Domain Admin, Enterprise Admin to Full.

Thank you.
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33606075
You're welcome :) and thanks for feedback. In any new case I would check also that :)

One remark, in CA Templates console each "gray" certificate is from Windows 2000 version. When you duplicate these template you automatically create Windows 2003 version.
0
 

Author Closing Comment

by:MountyTech
ID: 33607569
That make sense!
Thanks again for the help iSiek.
I decided to go ahead and give you the points. You helped clarify why I need to duplicate the templates.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33607613
You're welcome. Wish you luck :)
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
OfficeMate Freezes on login or does not load after login credentials are input.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question