Cannot request certificates

Posted on 2014-09-08
Last Modified: 2014-09-09
Hi
If I go on my http://CAservername/certsrv, and click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.", I get this error:

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

My CA server is a domain member (not a DC) Windows 2008 R2 server. Using the Certificate Template Console, all templates are present.

Thanks for helping,

Sebastien
0
Question by:deewave
6 Comments
 
LVL 6

Expert Comment

by:Steve Whitcher
ID: 40310030
When you access the certsrv page, are you doing so as a standard user or an administrator?
Is there a specific template you're trying to use?
If you know the template you need, pull up the properties of that template in the Certificate Templates snap-in.  On the security tab, confirm that the account you are using has permission to enroll a certificate with that template.

Regarding the last part: "Using the certificate template console, all templates are present" - The certificate templates console lists templates that exist on the server, but not all of those templates are necessarily available to be issued by the server.  Check in the Certification Authority snap-in.  Expand your server name, and select the Certificate Templates folder.  Here you'll find a list of templates that the server can issue.  If the template you need is not listed here, right click and select "New > Certificate Template to Issue".  From there you can select a template from the templates that are listed in the certificate template snap-in.
0
 

Author Comment

by:deewave
ID: 40310074
Hi Steve
Thanks for the quick reply

I'm doing it as an administrator. I would use the Web Server template, but there is no template available in the drop-down list.
templates.jpg
Yes I verified the permission for the template and I (administrator) do have the rights

In the Certification Authority snap-in, the template is listed
certificate.jpg
Thanks,
Sebastien
0
 
LVL 6

Accepted Solution

by:
Steve Whitcher earned 2000 total points
ID: 40310201
Unfortunately, there are quite a variety of problems which might cause the behavior you're seeing.  Hopefully a few more questions can help to narrow it down:

Is this a single forest/single domain environment?  If not, is the CA in the root domain or a child domain?  How about the admin account you're using?

Are you being prompted to log into the certsrv web page at any point?  If not, check the authentication settings in IIS manager for the CertSrv site.  If Anonymous Authentication is enabled, you may not actually be authenticating to the web site with your domain account, which would explain why you don't have the right permissions.  

It could be helpful to check your IIS logs  - %SystemDrive%\inetpub\logs\LogFiles\w3svc1\ - You should find a record of the individual requests coming in to the server.  Find the time stamps that match your request (the logs will be recorded in UTC, so adjust for your time zone as needed.)  It should include the account used to authenticate to the server.  Is it the account you expected?

Another thing you could try would be creating a duplicate of the Web Server template, and allowing Everyone read and enroll permissions.  Then go to the Certificate management snap-in and right click "Certificate Templates", select "New > Certificate Template to Issue", and choose the newly created template.  Restart the Certificate Services, then check the web site again.

Lastly, have you checked event viewer on the server for any errors that might be relevant?  

Steve
0
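An added example (not part of the original thread) of the IIS log check suggested above: it parses W3C-format log lines, keeps the requests under /certsrv, converts the UTC timestamps to local time and flags requests that succeeded without an authenticated user. The function name `Get-CertSrvRequest`, the `EXAMPLE` domain and the sample lines are constructed for illustration. It assumes PowerShell 3.0 or later and that date, time, cs-uri-stem, cs-username and sc-status are among the logged fields.

```powershell
# Constructed sample in IIS W3C extended log format (not from the original thread).
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2014-09-08 14:02:11 GET /certsrv/ - 10.0.0.20 401 2
2014-09-08 14:02:12 GET /certsrv/ EXAMPLE\administrator 10.0.0.20 200 0
2014-09-08 14:02:20 GET /certsrv/certrqxt.asp - 10.0.0.21 200 0
2014-09-08 14:02:25 GET /iisstart.htm - 10.0.0.21 200 0
'@ -split '\r?\n'

function Get-CertSrvRequest {
    param(
        [string[]] $Line,
        [string] $UriPrefix = '/certsrv'
    )
    $fields = @()
    foreach ($l in $Line) {
        if ($l.StartsWith('#Fields:')) {
            # Logged fields are configurable per site, so read the order from the header.
            $fields = @($l.Substring(8).Trim() -split ' ')
            continue
        }
        if ($l.StartsWith('#') -or $l.Trim() -eq '') { continue }
        $values = @($l -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # no header yet, or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $uri = [string]$row['cs-uri-stem']
        if (-not $uri.StartsWith($UriPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        # IIS writes date and time in UTC; convert to this machine's local time.
        $utc = [datetime]::SpecifyKind([datetime]::ParseExact(
                "$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                [cultureinfo]::InvariantCulture), [DateTimeKind]::Utc)
        $user   = [string]$row['cs-username']
        $status = [int]$row['sc-status']
        [pscustomobject]@{
            LocalTime = $utc.ToLocalTime()
            User      = $user
            Status    = $status
            Uri       = $uri
            ClientIP  = $row['c-ip']
            # A 401 with no user is the normal first leg of Windows authentication;
            # a successful response with no user means the request was served anonymously.
            ServedAnonymously = ($user -eq '-' -and $status -lt 400)
        }
    }
}

Get-CertSrvRequest -Line $sample | Format-Table -AutoSize
```

On the CA, feed it the real files with `Get-CertSrvRequest -Line (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log")`. Rows with `ServedAnonymously` set to True point at the Anonymous Authentication setting mentioned above.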

Author Comment

by:deewave
ID: 40310400
I've rebooted the server, and now everything is fine!!??

Oh well... thanks for your help Steve.

Sebastien
0
 
LVL 6

Expert Comment

by:Steve Whitcher
ID: 40310407
Glad you got it working!
0
 

Author Closing Comment

by:deewave
ID: 40311990
I'll accept Steve's solution, because he did suggest to have a look at the Event Viewer ("Lastly, have you checked event viewer on the server for any errors that might be relevant?"). If I did, I'd have seen that my server was achy and needed a reboot.
0
