Server 2012 Certificate Authority - No Templates Found

The title says it all. I have a 2012 Standard root CA in a single-domain, single-forest environment. I connect to the site https://servername.domain.corp/certsrv using Internet Explorer 11 and am prompted for domain credentials. I have tried both my regular user credentials and my domain admin credentials. The CA server was rebooted less than a month ago. When I authenticate, I get the normal menu options:

Request a certificate --> Create and submit a request to this CA. --> I get this pop-up:

---------------------------
Web Access Confirmation
---------------------------
This Web site is attempting to perform a digital certificate operation on your behalf:

https://servername.domain.corp/certsrv/certrqma.asp

You should only allow known Web sites to perform digital certificate operations on your behalf.

Do you want to allow this operation?
---------------------------
Yes   No  
---------------------------

I click yes and see the request form, but in the Certificate Templates drop down it says "(No Templates found!)" and then I get this pop-up:

---------------------------
Message from webpage
---------------------------
No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.
---------------------------
OK  
---------------------------

I have followed the guidance in these articles, and as far as I can tell, everything looks good. I'm stumped... and my Google-fu is failing me. Everything I have found so far does not help.

I have checked this: https://support.microsoft.com/en-us/kb/811418

and this: http://theadminsguide.net/2012/08/29/no-certificate-templates-could-be-found-you-do-not-have-permission-to-request-a-certificate-from-this-ca/

I don't see anything standing out in the Application or System logs.

Any guidance would be most appreciated.

Thanks,

Jonathan
JonathanSpitfire, Senior Solutions Engineer, asked:

Zephyr ICT, Cloud Architect, commented:
These things can be hard to troubleshoot, so many variables.
Did you check if templates are configured for enrollment? In other words, can the Domain Admin enroll certain certificate templates? Are there maybe only v3 templates available? If there are, you can't enroll them via the web interface anymore; you could enable older templates if there aren't any yet and try like that...
0
JonathanSpitfire, Senior Solutions Engineer (Author), commented:
Hi Spravtek,

This is a default installation of the CA role in Server 2012. I migrated the Root CA from Server 2003, and it worked just fine (again, a default installation in 2003).

If I go into the Certificate Templates Console, and open the properties for the Web Server Template, on the security tab, Authenticated Users have the Read and Enroll permissions.

When I log in with my domain admin credentials to the Certsrv page, I get the same result as a regular end user, as described in my original post.

When I look at them in the Certificate Templates Console, I see some that are 3.1, some that are 4.1, 5.1, 7.1, 8.1, and a number of them that are 100.x

Thanks,

Jonathan
0
JonathanSpitfire, Senior Solutions Engineer (Author), commented:
(attached screenshot: templates console)
0

Zephyr ICT, Cloud Architect, commented:
Try adding the Domain Admin group to a template (or the parent folder) and give it the necessary rights... Had this once and adding the group specifically solved the issue strangely enough.
0
JonathanSpitfire, Senior Solutions Engineer (Author), commented:
Apologies for the delay in responding - I've been out of the office quite a bit since posting. I won't be able to look at this until next week, but I will look at it.

Thanks,

Jonathan
0
JonathanSpitfire, Senior Solutions Engineer (Author), commented:
Ok, so I FINALLY got back to this.....

Another thing to note: this CA is running on Server 2012 R2. Our domain functional level is still 2003. I ran across one small note here that mentions this:

Missing certificate templates while requesting certificate from MMC Certificates snap-in

I tried a couple of things and this is what I found that finally worked!

"Another thing you could try would be creating a duplicate of the Web Server template, and allowing Everyone read and enroll permissions.  Then go to the Certificate management snap-in and right click "Certificate Templates", select "New > Certificate Template to Issue", and choose the newly created template.  Restart the Certificate Services, then check the web site again. "

That was from this article:

Experts Exchange: "Cannot request certificates", question by deewave, 2014-09-08

My question is..... if "Authenticated Users" already have Read and Enroll security permissions, and I AM an Authenticated User..... why would I not see the others? Why is adding "Everyone" necessary?

Edit - Well, it worked for a copy of the "Web Server" template, but not the "SSL Certificate" template. Now I'm scratching my head again. :-/

Thanks,

Jonathan
0
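Both Zephyr's question about which templates can be enrolled through the web interface and the duplicate-and-publish procedure Jonathan quotes come down to three conditions an account must satisfy before a template shows up in the certsrv drop-down: the CA must publish the template, the template's schema version must be 1 or 2 (the legacy web enrollment pages do not list v3 or v4 templates), and the account's token must carry the Enroll right on the template object in Active Directory. The PowerShell script below is an added example, not code from this thread; it reads the templates and each CA's published list straight from the Configuration partition, so it assumes a domain-joined machine with read access there, and the optional $CAName parameter is a hypothetical filter so the output can be limited to one CA.

```powershell
# Added example (not from the thread): for every certificate template in AD, report its
# schema version, which CA (if any) publishes it, and which principals hold Enroll.
# Assumes a domain-joined machine with read access to the Configuration partition.
param(
    [string]$CAName = $null   # hypothetical filter, e.g. 'Contoso-RootCA'; $null = every CA found
)

# Extended-right GUIDs on pKICertificateTemplate objects
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-00de-89bb-05a8d80e3c33'  # Certificate-AutoEnrollment

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Which templates does each enrollment service (CA) actually publish?
#    This is the same list the "Certificate Templates to Issue" dialog writes to.
$published = @{}
$caSearch = New-Object DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Enrollment Services,$pkiBase", '(objectClass=pKIEnrollmentService)')
$caSearch.PropertiesToLoad.AddRange([string[]]@('cn', 'certificateTemplates'))
foreach ($ca in $caSearch.FindAll()) {
    $name = [string]$ca.Properties['cn'][0]
    if ($CAName -and $name -ne $CAName) { continue }
    foreach ($t in $ca.Properties['certificatetemplates']) { $published[[string]$t] = $name }
}

# 2. Every template object, with its schema version and DACL
$tplSearch = New-Object DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Certificate Templates,$pkiBase", '(objectClass=pKICertificateTemplate)')
$tplSearch.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName', 'msPKI-Template-Schema-Version'))

$report = foreach ($r in $tplSearch.FindAll()) {
    $entry   = $r.GetDirectoryEntry()
    $cn      = [string]$r.Properties['cn'][0]
    $version = [int]$r.Properties['mspki-template-schema-version'][0]

    # ObjectSecurity exposes the template's nTSecurityDescriptor; keep Allow ACEs that grant
    # the Enroll extended right (or GenericAll, which implies every extended right).
    $rules  = $entry.ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount])
    $enroll = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $EnrollRight -or
         ($_.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::GenericAll))
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $auto   = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollRight
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    $ca = if ($published.ContainsKey($cn)) { $published[$cn] } else { '-' }

    [pscustomobject]@{
        Template      = [string]$r.Properties['displayname'][0]
        Name          = $cn
        SchemaVersion = $version
        WebEnrollable = ($version -le 2)      # certsrv web pages list v1/v2 templates only
        PublishedOnCA = $ca
        EnrollAllowed = ($enroll -join ', ')
        AutoEnroll    = ($auto   -join ', ')
    }
}

$report | Sort-Object PublishedOnCA, Template | Format-Table -AutoSize
```

Run it as the account that gets "(No Templates found!)" and look only at rows where PublishedOnCA names your CA and WebEnrollable is True; if none of those rows lists a group from `whoami /groups` under EnrollAllowed, the web page will correctly report no templates. A template that is enrollable from the Certificates MMC but missing from the web page will typically show SchemaVersion 3 or 4 here. Granting Enroll to a narrowly scoped group (as Zephyr suggests) rather than Everyone keeps the fix from widening who can obtain certificates from the CA.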

Zephyr ICT, Cloud Architect, commented:
Well... Some certificates probably require special permissions, I also found it quite confusing at times why one would work and not another...

Did you try as I suggested with adding the Domain Admin group instead of Everyone, using Everyone seems like a security risk more than a convenience...
0
JonathanSpitfire, Senior Solutions Engineer (Author), commented:
I believe I found my own answer ultimately. I believe it has to do with the DFL being 2003 when our CA is 2012R2.
0