Avatar of DigitalInfuzion
Flag for United States of America asked on

AD Certificate Services: Can't publish Certificate to AD: Insuffcient access

Background: DC1: 2008 R2, DC2: 2012 R2, Forest/Domain Level: 2008 R2.  Existing 2008 Two Tier CA installed.  New Install in parallel of 2012 R2 Two Tier CA.  So I currently have two different CAs installed (Old 2008 CA, New 2012 R2 CA).   I can issue certificates from the new 2012 R2 Sub-CA however they are not being published in AD.

Looking at the Event log on the 2012 R2 Sub-CA, I have the following:  Event ID 80
Active Directory Certificate Services could not publish a Certificate for request 11 to the following location on server DC2.domain.com: CN=Craig,OU=Employee,DC=domain,DC=com.  Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS).
ldap: 0x32: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Looking at PKIView > Manage AD Containers > Certification Authorities Container:  I see the 2008 Root CA and an expired 2008 Sub CA certificate however I do not see the new 2012 R2 CAs listed.  In the other tabs the 2012 R2 Sub-CA is listed where appropriate.
NOTE:  When I first checked PKIView I found an error associated with the DeltaCRL Location #2 which has been resolved.  I had a typo in the http url.

I checked some basic permissions which appear to be correct and ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FL
AG,  however I seem to be stuck with this error.

Active DirectoryWindows Server 2012

Avatar of undefined
Last Comment
Ricky Chand

8/22/2022 - Mon
Raymond Peng

Are you an enterprise administrator or domain admin only? I believe you need to be an enterprise admin for new CA / cert publishing.

Thanks for the suggestion.  I have verified that the account I used to setup the CA is in the  Domain Admins, Enterprise Admins and Schema Admins groups.  
I wonder if the old CA is taking precedence over the new CA, can I only have 1 CA used within AD at a time?  Eventually I will be removing the old 2008 CA however I need the new 2012 R2 one to work completely before I can do that.

I fixed the  PKIView > Manage AD Containers > Certification Authorities Container issue by adding the root certificate via the CMD (As Admin): certutil -f -dspublish Root-CA.cer RootCA

Though the CA still is not publishing user certificates to AD DS.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Found fix.
Ricky Chand

I had spent so much time trying to figure out what to do with these errors and it was just a matter of a reboot. thanks guys :)