asked on AD Certificate Services: Can't publish Certificate to AD: Insuffcient access
Background: DC1: 2008 R2, DC2: 2012 R2, Forest/Domain Level: 2008 R2. Existing 2008 Two Tier CA installed. New Install in parallel of 2012 R2 Two Tier CA. So I currently have two different CAs installed (Old 2008 CA, New 2012 R2 CA). I can issue certificates from the new 2012 R2 Sub-CA however they are not being published in AD.
Looking at the Event log on the 2012 R2 Sub-CA, I have the following: Event ID 80
Active Directory Certificate Services could not publish a Certificate for request 11 to the following location on server DC2.domain.com: CN=Craig,OU=Employee,DC=do
ldap: 0x32: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Looking at PKIView > Manage AD Containers > Certification Authorities Container: I see the 2008 Root CA and an expired 2008 Sub CA certificate however I do not see the new 2012 R2 CAs listed. In the other tabs the 2012 R2 Sub-CA is listed where appropriate.
NOTE: When I first checked PKIView I found an error associated with the DeltaCRL Location #2 which has been resolved. I had a typo in the http url.
I checked some basic permissions which appear to be correct and ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDAT
AG, however I seem to be stuck with this error.
Thanks...
Looking at the Event log on the 2012 R2 Sub-CA, I have the following: Event ID 80
Active Directory Certificate Services could not publish a Certificate for request 11 to the following location on server DC2.domain.com: CN=Craig,OU=Employee,DC=do
ldap: 0x32: 00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Looking at PKIView > Manage AD Containers > Certification Authorities Container: I see the 2008 Root CA and an expired 2008 Sub CA certificate however I do not see the new 2012 R2 CAs listed. In the other tabs the 2012 R2 Sub-CA is listed where appropriate.
NOTE: When I first checked PKIView I found an error associated with the DeltaCRL Location #2 which has been resolved. I had a typo in the http url.
I checked some basic permissions which appear to be correct and ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDAT
AG, however I seem to be stuck with this error.
Thanks...
Active DirectoryWindows Server 2012
Last Comment
Ricky Chand
Are you an enterprise administrator or domain admin only? I believe you need to be an enterprise admin for new CA / cert publishing.
ASKER
Thanks for the suggestion. I have verified that the account I used to setup the CA is in the Domain Admins, Enterprise Admins and Schema Admins groups.
I wonder if the old CA is taking precedence over the new CA, can I only have 1 CA used within AD at a time? Eventually I will be removing the old 2008 CA however I need the new 2012 R2 one to work completely before I can do that.
I wonder if the old CA is taking precedence over the new CA, can I only have 1 CA used within AD at a time? Eventually I will be removing the old 2008 CA however I need the new 2012 R2 one to work completely before I can do that.
ASKER
I fixed the PKIView > Manage AD Containers > Certification Authorities Container issue by adding the root certificate via the CMD (As Admin): certutil -f -dspublish Root-CA.cer RootCA
Though the CA still is not publishing user certificates to AD DS.
Though the CA still is not publishing user certificates to AD DS.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Found fix.
I had spent so much time trying to figure out what to do with these errors and it was just a matter of a reboot. thanks guys :)