Requesting Certificate for Another User - certreq inf File Error

I have an enterprise root CA with 2003 Enterprise server. I have set a user for the Enrollment agent and a user for the Key Recovery Agent. I have tested the Key Recovery agent and the account works correctly. I have created and published a custom user template and assigned the security rights accordingly. I basically just extended the certificate life and named the template Domain User. I have set an OU of some users to AutoEnroll. No problems with auto enrollment. No problems with getting the certificate from the web enrollment at http://server/certsrv. The problem is using certreq to request a certificate for another user by the Enrollment Agent with the custom template. I have used an inf file I created but get an error. The error is The Certificate Request Processor. The parameter is incorrect 0x80070057 (WIN32: 87). Any idea as to what is incorrect?
[Version]
Signature= "$Windows NT$"

[EnhancedKeyUsageExtension]
 OID = 1.3.6.1.5.5.7.3.2
 OID = 1.3.6.1.5.5.7.3.4
 OID = 1.3.6.1.4.1.311.10.3.4 

[RequestAttributes]
 CertificateTemplate = "Domain User"

[NewRequest]
 Exportable = TRUE
 SMIME = TRUE
 PrivateKeyArchive = TRUE
 UserProtected = TRUE
 MachineKeySet = TRUE
 KeySpec =  1 
 KeyUsage =  0xa4 
 ProviderType =  1 
 RequestType =  PKCS10 
 ProviderName = " Microsoft Enhanced Cryptographic Provider v1.0 "
 Subject = " CN=User Name,DC=Domain,DC=com "
 RequesterName =  Domain\user
 KeyLength =  1024

Open in new window

barrykeelAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

baraneCommented:
Hope the below link would be useful

http://support.microsoft.com/kb/305193
0
barrykeelAuthor Commented:
There was never an error in the setup or configuration, only when requesting a cert using certreq. This CA is on a single DC and all users are on the same DC and they have local logon rights. There are no other machines in this domain. This is a test server to prepare for a CA upgrade in our actual production environment. Exactly how is the kb article rleated to  this error I am getting? I don't see it or I must be missing something.
0
baraneCommented:

The Error code is The parameter is incorrect. 0x80070057 ? am i right
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

barrykeelAuthor Commented:
Correct, but the KB article talks about that error in this scenario:
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message.
I am not trying to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA. It may still relate to my issue. In doing some research I have found that "The parameter is incorrect. 0x80070057" is a fairly common error code for a variety of applications not just certificate services. The user at installation had the correct rights and the key is there, per kb article.
0
barrykeelAuthor Commented:
After some reading on the inf file I changed the RequestType to CMC. Now the error is the following:
Certificate Request Processor. The keyset is not defined. 0x80090019 (-2146893799)
0
barrykeelAuthor Commented:
I got it to work. It was some spacing in the syntax.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
barrykeelAuthor Commented:
I figured it out on my own.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.