user/computer in child domain cannot request certificate from 2008 Enterprise CA in root domain
-
Thursday, May 28, 2009 11:32 AM
Hi
Problem:
We cannot use the MMC certificate snap-in on a Win 2003 R2 computer in a child domain to request a certificate from an Enterprise CA in the root domain.
Details
After following the Certificate Request Wizard in the MMC Certificate snap-in, the following error message appears:
---------------------------
Certificate Request Wizard
---------------------------
The certificate request failed because of one of the following conditions:
- The certificate request was submitted to a Certification Authority (CA) that is not started.
- You do not have the permissions to request certificates from the available CAs.
Additional information
We have a Win 2003 forest with 2003 R2 DCs: root domain root.net and child domains child1.root.net and child2.root.net.
All CAs are installed in the root domain and are running Windows Server 2008:
CA01: Offline Root CA
CA02: Offline Policy CA
CA03: Enterprise Issuing CA
Autoenrollment to computers in child2.root.net works fine!
We have tried the following:
The Cert Publishers group in the root and child domains has been changed to domain local.
The certificate templates are edited using the Certificate Templates console (certtmpl.msc); Domain Users/Computers/Administrators have been given Read + Enroll on a template that I've created.
http://support.microsoft.com/kb/281271: Certification Authority configuration to publish certificates in Active Directory of trusted domain
Running the following from a Win 2003 R2 computer in the child domain:
certutil -ping -config "ca03.root.net\Issuing CA1" --> CertUtil: -ping command completed successfully
Any suggestions on how to proceed?
danielu@avanade
All Replies
-
Thursday, May 28, 2009 8:35 PM
Hi Daniel,
If you do CERTUTIL -TEMPLATE from the command line of the machine in the child domain... do you see a list of available certificate templates?
I'd play around with CERTREQ if i were you from a test machine and try and use the -RPC function to eliminate the possibility of DCOM related issues. I don't work that much with root and child domains if i can help it but i'd start there first ;-)
I can send you a script that does enrollment using certreq for testing purposes if that'd help... just post back and let me know.
Regards,
Mylo
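The steps Mylo suggests (list templates with certutil, then enrol with certreq over RPC to take DCOM out of the picture) as one script. This is an added example and not code from either poster; it assumes the CA config string from Daniel's post and a placeholder template name (ChildDomainComputer), and it must run in an elevated prompt on the child-domain machine because it uses the machine key store.

```powershell
# Added example (not from the thread): exercise AD CS enrollment from a
# child-domain machine with certutil/certreq so a DCOM problem can be told
# apart from a permissions or template problem. Run elevated.
# Assumptions: CA config string from Daniel's post; template name is a placeholder.
$CaConfig = 'ca03.root.net\Issuing CA1'
$Template = 'ChildDomainComputer'   # placeholder: the test template's name
$Work     = Join-Path $env:TEMP 'enroll-test'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Is the CA reachable and started? (This is the check Daniel already passed.)
certutil -ping -config $CaConfig
if ($LASTEXITCODE -ne 0) { throw "CA '$CaConfig' did not answer certutil -ping" }

# 2. Which templates does this machine see? An empty list, or a list without
#    the test template, points at template publication or Enroll ACLs, not DCOM.
$templates = certutil -template 2>&1 | Out-String
if ($templates -notmatch [regex]::Escape($Template)) {
    Write-Warning "Template '$Template' not listed; check Read+Enroll ACLs and the CA's template list"
}

# 3. Build a PKCS#10 request for the machine account. A subject is supplied
#    here, but a template that builds the subject from AD (as the accepted
#    answer requires) simply overrides it at issuance.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $Work 'request.inf'
$reqPath = Join-Path $Work 'request.req'
$cerPath = Join-Path $Work 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed; check the INF syntax' }

# 4. Submit over RPC instead of DCOM. If this succeeds while the MMC wizard
#    fails, the DCOM path (firewall, RPC endpoint mapper, CA DCOM permissions)
#    is the suspect; if it fails too, look at permissions, template, or CA state.
certreq -submit -rpc -config $CaConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw 'Submission over RPC failed; check Enroll permissions and template settings' }

# 5. Bind the issued certificate to its private key in the machine store.
certreq -accept $cerPath
Write-Host "Enrollment succeeded; certificate installed from $cerPath"
```

Because each step stops on the first failure, the step that throws tells you which layer to look at: -ping for CA availability, -template for template visibility, -submit -rpc for the enrollment permissions and transport.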
Friday, May 29, 2009 8:50 AM
The problem seems to be solved; I have to do some additional testing before closing this thread.
I found one additional hotfix that is required on Win 2003/XP when requesting certificates using the SHA-2 hash algorithm: http://support.microsoft.com/kb/968730/en-us
You also have to verify the following on the certificate template: check the "Subject Name" tab; the option "Supply in the request" shouldn't be checked.
Br, Daniel
danielu@avanade
Marked As Answer by Joson Zhou (Moderator), Tuesday, June 09, 2009 3:05 AM
-
Friday, May 29, 2009 9:41 AM
Hi Daniel,
If you do CERTUTIL -TEMPLATE from the command line of the machine in the child domain... do you see a list of available certificate templates?
I'd play around with CERTREQ if i were you from a test machine and try and use the -RPC function to eliminate the possibility of DCOM related issues. I don't work that much with root and child domains if i can help it but i'd start there first ;-)
I can send you a script that does enrollment using certreq for testing purposes if that'd help... just post back and let me know.
Regards,
Mylo
Yes, certutil -template displays the templates.
Br, Daniel
danielu@avanade