Cannot request certificates

Hi
If I go on my http://CAservername/certsrv, and click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.", I get this error:

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

My CA server is a domain member (not a DC) Windows 2008 R2 server. Using the Certificate Template Console, all templates are present.

Thanks for helping,

Sebastien
deewave Asked:

Steve Whitcher (Systems Administrator) Commented:
When you access the certsrv page, are you doing so as a standard user or an administrator?
Is there a specific template you're trying to use?
If you know the template you need, pull up the properties of that template in the Certificate Templates snap-in.  On the security tab, confirm that the account you are using has permission to enroll a certificate with that template.

Regarding the last part: "Using the certificate template console, all templates are present" - The certificate templates console lists templates that exist on the server, but not all of those templates are necessarily available to be issued by the server.  Check in the Certification Authority snap-in.  Expand your server name, and select the Certificate Templates folder.  Here you'll find a list of templates that the server can issue.  If the template you need is not listed here, right click and select "New > Certificate Template to Issue".  From there you can select a template from the templates that are listed in the certificate template snap-in.
deewave (Author) Commented:
Hi Steve
Thanks for the quick reply

I'm doing it as an administrator. I would use the Web Server template, but there is no template available in the drop-down list.
Yes, I verified the permission for the template and I (administrator) do have the rights.

In the Certification Authority snap-in, the template is listed
Thanks,
Sebastien
Steve Whitcher (Systems Administrator) Commented:
Unfortunately, there are quite a variety of problems which might cause the behavior you're seeing.  Hopefully a few more questions can help to narrow it down:

Is this a single forest/single domain environment?  If not, is the CA in the root domain or a child domain?  How about the admin account you're using?

Are you being prompted to log into the certsrv web page at any point?  If not, check the authentication settings in IIS manager for the CertSrv site.  If Anonymous Authentication is enabled, you may not actually be authenticating to the web site with your domain account, which would explain why you don't have the right permissions.  

It could be helpful to check your IIS logs  - %SystemDrive%\inetpub\logs\LogFiles\w3svc1\ - You should find a record of the individual requests coming in to the server.  Find the time stamps that match your request (the logs will be recorded in UTC, so adjust for your time zone as needed.)  It should include the account used to authenticate to the server.  Is it the account you expected?

Another thing you could try would be creating a duplicate of the Web Server template, and allowing Everyone read and enroll permissions.  Then go to the Certificate management snap-in and right click "Certificate Templates", select "New > Certificate Template to Issue", and choose the newly created template.  Restart the Certificate Services, then check the web site again.

Lastly, have you checked event viewer on the server for any errors that might be relevant?  

Steve

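The IIS log check described in the comment above, as an added example that is not part of the original thread: a PowerShell function that reads W3C log lines, keeps the /certsrv requests, converts the UTC timestamp to local time and shows the cs-username IIS recorded. The function name `Get-CertSrvLogon`, the sample log lines, the EXAMPLE domain and the addresses are constructed for illustration; the column layout is taken from the log's own `#Fields` header.

```powershell
# Added example (not from the thread): list who IIS saw on /certsrv requests.
function Get-CertSrvLogon {
    param([string[]]$Line)

    $fields = @()
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The header names the columns; IIS may rewrite it mid-file.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($l -like '#*' -or -not $l.Trim()) { continue }

        $values = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        if ($row['cs-uri-stem'] -notlike '/certsrv*') { continue }

        # IIS logs in UTC; convert so the entry can be matched to the test time.
        $stamp = '{0} {1}' -f $row['date'], $row['time']
        $when = [datetime]::ParseExact($stamp, 'yyyy-MM-dd HH:mm:ss', $culture, $styles)
        New-Object PSObject -Property @{
            LocalTime = $when.ToLocalTime()
            User      = $row['cs-username']   # '-' means no authenticated identity
            Status    = $row['sc-status']
            Uri       = $row['cs-uri-stem']
        }
    }
}

# Constructed sample: one anonymous request, one authenticated request.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    '2012-03-01 14:02:11 192.0.2.10 GET /certsrv/certrqxt.asp - 80 - 192.0.2.50 Mozilla/4.0 200 0 0 31'
    '2012-03-01 14:05:40 192.0.2.10 GET /certsrv/certrqxt.asp - 80 EXAMPLE\administrator 192.0.2.50 Mozilla/4.0 200 0 0 46'
)
Get-CertSrvLogon -Line $sample | Format-Table LocalTime, User, Status, Uri -AutoSize

# Against the real logs on the CA server:
# $log = "$env:SystemDrive\inetpub\logs\LogFiles\w3svc1\*.log"
# Get-CertSrvLogon -Line (Get-Content $log) | Format-Table -AutoSize
```

A `User` value of `-` on the /certsrv rows means the request reached the site without a domain identity, which matches the Anonymous Authentication case described above. Running `certutil -CATemplates` on the CA gives a command-line view of the templates it is configured to issue.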

deewave (Author) Commented:
I've rebooted the server, and now everything is fine!!??

Oh well... thanks for your help Steve.

Sebastien
Steve Whitcher (Systems Administrator) Commented:
Glad you got it working!
deewave (Author) Commented:
I'll accept Steve's solution, because he did suggest to have a look at the Event Viewer ("Lastly, have you checked event viewer on the server for any errors that might be relevant?"). If I did, I'd have seen that my server was achy and needed a reboot.