Solved

Cannot request certificates

Posted on 2014-09-08
6
3,436 Views
Last Modified: 2014-09-09
Hi
If I go on my http://CAservername/certsrv, and click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.", I get this error:

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

My CA server is a domain member (not a DC) Windows 2008 R2 server. Using the Certificate Template Console, all templates are present.

Thanks for helping,

Sebastien
0
Comment
Question by:deewave
  • 3
  • 3
6 Comments
 
LVL 6

Expert Comment

by:Steve Whitcher
ID: 40310030
When you access the certsrv page, are you doing so as a standard user or an administrator?
Is there a specific template you're trying to use?
If you know the template you need, pull up the properties of that template in the Certificate Templates snap-in.  On the security tab, confirm that the account you are using has permission to enroll a certificate with that template.

Regarding the last part: "Using the certificate template console, all templates are present" - The certificate templates console lists templates that exist on the server, but not all of those templates are necessarily available to be issued by the server.  Check in the Certification Authority snap-in.  Expand your server name, and select the Certificate Templates folder.  Here you'll find a list of templates that the server can issue.  If the template you need is not listed here, right click and select "New > Certificate Template to Issue".  From there you can select a template from the templates that are listed in the certificate template snap-in.
0
 

Author Comment

by:deewave
ID: 40310074
Hi Steve
Thanks for the quick reply

I'm doing it as an administrator. I would use the Web Server template, but their is no template available in the drop-down list.
templates.jpg
Yes I verified the permission for the template and I (administrator) do have the rights

In the Certification Authority snap-in, the template is listed
certificate.jpg
Thanks,
Sebastien
0
 
LVL 6

Accepted Solution

by:
Steve Whitcher earned 500 total points
ID: 40310201
Unfortunately, there are quite a variety of problems which might cause the behavior you're seeing.  Hopefully a few more questions can help to narrow it down:

Is this a single forest/single domain environment?  If not, is the CA in the root domain or a child domain?  How about the admin account you're using?

Are you being prompted to log into the certsrv web page at any point?  If not, check the authentication settings in IIS manager for the CertSrv site.  If Anonymous Authentication is enabled, you may not actually be authenticating to the web site with your domain account, which would explain why you don't have the right permissions.  

It could be helpful to check your IIS logs  - %SystemDrive%\inetpub\logs\LogFiles\w3svc1\ - You should find a record of the individual requests coming in to the server.  Find the time stamps that match your request (the logs will be recorded in UTC, so adjust for your time zone as needed.)  It should include the account used to authenticate to the server.  Is it the account you expected?

Another thing you could try would be creating a duplicate of the Web Server template, and allowing Everyone read and enroll permissions.  Then go to the Certificate management snap-in and right click "Certificate Templates", select "New > Certificate Template to Issue", and choose the newly created template.  Restart the Certificate Services, then check the web site again.

Lastly, have you checked event viewer on the server for any errors that might be relevant?  

Steve
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:deewave
ID: 40310400
I've rebooted the server, and now everything is fine!!??

Oh well... thanks for your help Steve.

Sebastien
0
 
LVL 6

Expert Comment

by:Steve Whitcher
ID: 40310407
Glad you got it working!
0
 

Author Closing Comment

by:deewave
ID: 40311990
I'll accept Steve's solution, because he did suggest to have a look at the Event Viewer ("Lastly, have you checked event viewer on the server for any errors that might be relevant?"). If I did, I'd have seen that my server was achy and needed a reboot.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Install Predefined Certificate on Ubunto 4 48
How safe is emailing credit card information? 10 84
Need to disable SSL Cipher 7 150
IIS 8.5 WebDav Shared Handler Mappings 6 42
Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question