Solved

Cannot request certificates

Posted on 2014-09-08
Last Modified: 2014-09-09
Hi
If I go on my http://CAservername/certsrv, and click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.", I get this error:

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

My CA server is a domain member (not a DC) Windows 2008 R2 server. Using the Certificate Template Console, all templates are present.

Thanks for helping,

Sebastien
0
Question by:deewave
 
LVL 6

Expert Comment

by:Steve Whitcher
ID: 40310030
When you access the certsrv page, are you doing so as a standard user or an administrator?
Is there a specific template you're trying to use?
If you know the template you need, pull up the properties of that template in the Certificate Templates snap-in.  On the security tab, confirm that the account you are using has permission to enroll a certificate with that template.

Regarding the last part: "Using the certificate template console, all templates are present" - The certificate templates console lists templates that exist on the server, but not all of those templates are necessarily available to be issued by the server.  Check in the Certification Authority snap-in.  Expand your server name, and select the Certificate Templates folder.  Here you'll find a list of templates that the server can issue.  If the template you need is not listed here, right click and select "New > Certificate Template to Issue".  From there you can select a template from the templates that are listed in the certificate template snap-in.
0
 

Author Comment

by:deewave
ID: 40310074
Hi Steve
Thanks for the quick reply

I'm doing it as an administrator. I would use the Web Server template, but there is no template available in the drop-down list.
templates.jpg
Yes I verified the permission for the template and I (administrator) do have the rights

In the Certification Authority snap-in, the template is listed
certificate.jpg
Thanks,
Sebastien
0
 
LVL 6

Accepted Solution

by:
Steve Whitcher earned 500 total points
ID: 40310201
Unfortunately, there are quite a variety of problems which might cause the behavior you're seeing.  Hopefully a few more questions can help to narrow it down:

Is this a single forest/single domain environment?  If not, is the CA in the root domain or a child domain?  How about the admin account you're using?

Are you being prompted to log into the certsrv web page at any point?  If not, check the authentication settings in IIS manager for the CertSrv site.  If Anonymous Authentication is enabled, you may not actually be authenticating to the web site with your domain account, which would explain why you don't have the right permissions.  

It could be helpful to check your IIS logs  - %SystemDrive%\inetpub\logs\LogFiles\w3svc1\ - You should find a record of the individual requests coming in to the server.  Find the time stamps that match your request (the logs will be recorded in UTC, so adjust for your time zone as needed.)  It should include the account used to authenticate to the server.  Is it the account you expected?

Another thing you could try would be creating a duplicate of the Web Server template, and allowing Everyone read and enroll permissions.  Then go to the Certificate management snap-in and right click "Certificate Templates", select "New > Certificate Template to Issue", and choose the newly created template.  Restart the Certificate Services, then check the web site again.

Lastly, have you checked event viewer on the server for any errors that might be relevant?  

Steve
0
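The IIS log check suggested in the accepted solution, as an added example that is not part of Steve's answer: it reads the W3C `#Fields:` header, keeps the `/certsrv` requests, converts the UTC timestamp to local time, and flags requests logged with no authenticated user. `Get-CertSrvLogon` is a hypothetical helper name, and the sample log lines (addresses, `EXAMPLE\Administrator`, the requested page) are constructed; it assumes the `date`, `time`, `cs-uri-stem` and `cs-username` fields are being logged.

```powershell
# Added example. Get-CertSrvLogon is a hypothetical helper; the sample lines are constructed.
function Get-CertSrvLogon {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l.StartsWith('#Fields:')) {
            # The header names the columns; the logged field set is configurable per site.
            $fields = $l.Substring(8).Trim() -split ' '
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim()) { continue }
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or mismatched line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '/certsrv*') { continue }
        # IIS logs in UTC; convert so entries can be matched to the time of the attempt.
        $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $utc = [datetime]::ParseExact("$($row['date']) $($row['time'])",
            'yyyy-MM-dd HH:mm:ss', [System.Globalization.CultureInfo]::InvariantCulture, $styles)
        New-Object PSObject -Property @{
            LocalTime = $utc.ToLocalTime()
            User      = $row['cs-username']
            Anonymous = ($row['cs-username'] -eq '-')   # '-' = no authenticated user
            Status    = $row['sc-status']
            Uri       = $row['cs-uri-stem']
        }
    }
}

# Constructed sample: the same page requested anonymously, then as a domain account.
$sample = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status'
    '2014-09-08 14:02:11 192.0.2.10 GET /certsrv/certrqxt.asp - 80 - 192.0.2.50 200'
    '2014-09-08 14:05:42 192.0.2.10 GET /certsrv/certrqxt.asp - 80 EXAMPLE\Administrator 192.0.2.50 200'
    '2014-09-08 14:06:03 192.0.2.10 GET /iisstart.htm - 80 - 192.0.2.50 200'
)
Get-CertSrvLogon -Line $sample |
    Format-Table LocalTime, User, Anonymous, Status, Uri -AutoSize

# Against the real logs (directory from the answer above):
# Get-CertSrvLogon -Line (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\w3svc1\*.log")
```

A row with `Anonymous` set to True and status 200 means the page was served without a domain identity, which matches the Anonymous Authentication case described in the answer.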
 

Author Comment

by:deewave
ID: 40310400
I've rebooted the server, and now everything is fine!!??

Oh well... thanks for your help Steve.

Sebastien
0
 
LVL 6

Expert Comment

by:Steve Whitcher
ID: 40310407
Glad you got it working!
0
 

Author Closing Comment

by:deewave
ID: 40311990
I'll accept Steve's solution, because he did suggest to have a look at the Event Viewer ("Lastly, have you checked event viewer on the server for any errors that might be relevant?"). If I had, I'd have seen that my server was achy and needed a reboot.
0
