Solved

Requesting Certificate from http://host/certsrv

Posted on 2010-09-02
Last Modified: 2013-12-04
I am trying to request a certificate by going to http://[hostname]/certsrv. I will click on "Request certificate" and then "submit an advanced request certificate request." Next I select "Create and submit a request to this CA." Every time I get an error. The CA does show a failed request with a status code "The parameter is incorrect. 0x80070057 (WIN32:87)." In Event Viewer, the Application logs show Event 96 and Event 77. The event 77 is listed for the following templates: Workstation CAExchange; CrossCA; DirectoryEmailReplication; DomainControllerAuthentication; KeyRecoveryAgent; RASAndIASServer. If I remove these templates then event 77 will not show up. Each of these templates is V2.

*********************************************************************************************
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 96
Date:  9/2/2010
Time:  10:36:16 AM
User:  N/A
Computer: SERVERNAME

Description:
Certificate Services could not create an encryption certificate.  Requested by DOMAIN\USERNAME.  The parameter is incorrect. 0x80070057 (WIN32: 87).

**************************************************************
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date:  9/2/2010
Time:  10:35:57 AM
User:  N/A
Computer: SERVERNAME
The "Windows default" Policy Module logged the following warning: The Workstation Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

 **********************************************************************************
Not sure if it is related, but I am seeing a DCOM error as well. See the message below.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date:  9/2/2010
Time:  10:12:17 AM
User:  domain\username
Computer: servername
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} to the user domain\username SID (S-1-5-21-1659004503-884357618-725345543-27800).  This security permission can be modified using the Component Services administrative tool.

**********************************************************************************************

For the CA I am using Win 2K3 Enterprise SP2 R2. The client requesting the cert is XP Pro. The DC's are 2003 using a 2003 schema.

Please help!
Question by:MountyTech
11 Comments
 

Expert Comment

by:Krzysztof Pytko
ID: 33589818
Do you need to request a certificate for EFS?

Author Comment

by:MountyTech
ID: 33590017
No, I am trying to get a computer cert using the advanced option from http://hostname/certsrv > Request a Certificate > advanced certificate request > Create and submit a request to this CA. I can see that it is trying to use a CAExchange certificate template. See the attached screen shots.

Thanks
1.JPG
2.JPG
3.JPG
4.JPG

Expert Comment

by:Krzysztof Pytko
ID: 33593957
Could you take a print screen of that template and its details, please? Did you try to request a certificate from another workstation/user?

Author Comment

by:MountyTech
ID: 33595663
Thanks iSiek.

I attached a screenshot of the certificate below. Yes, I have tried from other users and workstations and see the same errors.

Thank you,
CA-Exchange.JPG

Author Comment

by:MountyTech
ID: 33599050
Since the CAExchange certificate template is v2, do I need to create a duplicate of this cert before using?

Expert Comment

by:Krzysztof Pytko
ID: 33599986
Yes, you should duplicate it. Template should be raised to Windows 2003 level.

Author Comment

by:MountyTech
ID: 33600201
I am not sure I follow you. How would I go about raising template to windows 2003 level? I am using Windows Server 2003 Enterprise for the Subordinate.
Thanks,

Author Comment

by:MountyTech
ID: 33600548
iSiek,
Thank you for the help. I resolved the problem.

The OID container was missing from the schema. (Configuration>Services>Public Key Services>OID). I used adsiedit.msc to create the object. The class is set to msPKI-Enterprise-Oid.

After that was created I had to remove all templates in the CA mmc and within adsiedit under the Certificate Templates container. Go back to CA mmc and recreate the templates. Once you create the templates open adsiedit again or refresh the Templates container. Set the permission on each template as Authenticated User to read & enroll, Domain Admin, Enterprise Admin to Full.

Thank you.
0
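
A read-only way to check for the condition described in the post above (a missing OID container under Public Key Services), added here as an example that is not part of the original thread. It goes one step further and flags templates whose msPKI-Cert-Template-OID has no registered object in that container; it assumes a domain-joined host with PowerShell 2.0 or later, and `Test-PkiContainer` and `Get-PkiObjects` are hypothetical helper names.

```powershell
# Added example (not from the thread): read-only check of the AD PKI containers.
# Uses the built-in [ADSI] accelerator; no ActiveDirectory module is required.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Test-PkiContainer([string]$Name) {
    # $true when the container can be bound, $false when it is missing
    [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=$Name,$pkiBase")
}

function Get-PkiObjects([string]$Container, [string]$Class, [string[]]$Attributes) {
    $root = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(objectClass=$Class)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PageSize = 500
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    foreach ($result in $searcher.FindAll()) {
        $row = @{}
        # Result property keys are lower-case; take the first value or $null
        foreach ($a in $Attributes) {
            $row[$a] = $result.Properties[$a.ToLower()] | Select-Object -First 1
        }
        New-Object PSObject -Property $row
    }
}

foreach ($c in 'OID', 'Certificate Templates') {
    if (-not (Test-PkiContainer $c)) { Write-Warning "Missing container: CN=$c,$pkiBase" }
}

if ((Test-PkiContainer 'OID') -and (Test-PkiContainer 'Certificate Templates')) {
    # OIDs that have a registered msPKI-Enterprise-Oid object
    $known = Get-PkiObjects 'OID' 'msPKI-Enterprise-Oid' @('msPKI-Cert-Template-OID') |
        ForEach-Object { $_.'msPKI-Cert-Template-OID' }

    Get-PkiObjects 'Certificate Templates' 'pKICertificateTemplate' `
        @('cn', 'msPKI-Template-Schema-Version', 'msPKI-Cert-Template-OID') |
        ForEach-Object {
            $oid = $_.'msPKI-Cert-Template-OID'
            New-Object PSObject -Property @{
                Template      = $_.cn
                SchemaVersion = $_.'msPKI-Template-Schema-Version'
                OidRegistered = [bool]($oid -and ($known -contains $oid))
            }
        } | Sort-Object Template | Format-Table Template, SchemaVersion, OidRegistered -AutoSize
}
```

The script only reads from the Configuration naming context, so it can be run before and after recreating the templates to compare results.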
 

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33606075
You're welcome :) and thanks for feedback. In any new case I would check also that :)

One remark, in CA Templates console each "gray" certificate is from Windows 2000 version. When you duplicate these templates you automatically create a Windows 2003 version.

Author Closing Comment

by:MountyTech
ID: 33607569
That makes sense!
Thanks again for the help iSiek.
I decided to go ahead and give you the points. You helped clarify why I need to duplicate the templates.

Expert Comment

by:Krzysztof Pytko
ID: 33607613
You're welcome. Wish you luck :)