Hi, I have my Server 2008 CA up and running and was able to easily give myself and a few other Domain Admins a User cert from the web enrollment page. I noticed, though, that a regular user wasn't able to request a cert without having to create and submit a request, whereas myself and other domain admins have the easy option of just clicking hyperlinks to request a certificate.
I have played with the permissions on the User Template on the CA server (given domain users the same permissions as domain admins on the template), but that doesn't work. For whatever reason, unless a user is part of the Domain Admins group, they have to create and submit a request, rather than doing the easier process of clicking links.
I thought it may have been related to group policy, but so far haven't found anything that would prevent that.
Any other thoughts or ideas of why this is happening?
Thanks for the reply and idea. It was a place I hadn't looked. Authenticated users we set to be able to Request Certificates, so it didn't seem like the issue. I gave my test user more permissions and it didn't seem to make a difference.
What is odd is that unless I am a domain admin, I have to create the cert request rather than just clicking a few hyperlinks. Either way I can get a certificate, but I am trying to make this as user friendly as possible.
If I understand correctly, the issue you encounter is that the "user certificate" hyperlink does not appear when you access the certificate enrollment page with a domain user.
Generally, the "user certificate" hyperlink missing indicates that the user does not have permission to enroll a certificate against the user certificate template.
I suggest that we check the following:
1. When you logon with a domain user, can you select "User" in Certificate Template list of Advanced Certificate Request page?
2. Can you request user certificate via MMC with the domain user?
Meanwhile, please run the command certutil -dstemplate -v user on the CA server and post the output here for research.
This posting is provided "AS IS" with no warranties, and confers no rights.
I think I have this figured out. I missed sharing some information before, which likely would have helped. We aren't using the regular user certificate, we made a duplicate of it and changed it a bit. I updated the web enrollment pages so that my customized cert showed up.
A user could still select the customized cert in the advanced request box, so I thought as well it was a permissions issue. But changing the permissions on the customized cert made no difference. I ended up making it work by giving the users permissions to the original user cert as well. My guess is that somewhere in the ASP web code, it was still looking for the original user certificate permissions, but since the permissions didn't exist on that original cert, it jumped straight to an advanced request.
So now it works as expected...not perfect, but I am satisfied. The only issue is that a user can submit an advanced request for the original cert, but I don't expect them to, as the instructions will guide them to the correct one.
Thanks!
Marked As Answer by ChrisM1234, Wednesday, November 18, 2009 8:23 PM
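The thread comes down to which principals hold Enroll on the original User template versus the duplicated one. The following PowerShell is an added example, not code from any poster in this thread: it lists the accounts that hold the Enroll or Autoenroll extended right on each template, so the two ACLs can be compared after a change like the one described above. The template name `CustomUser` is a placeholder for the duplicated template's CN, which the thread does not give.

```powershell
# Added example: compare who can enroll against the built-in User template
# and a duplicated template. 'CustomUser' is a placeholder name (assumption).
$templates = 'User', 'CustomUser'

# Extended-right GUIDs used on certificate template objects in AD
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$allRights = '00000000-0000-0000-0000-000000000000'   # ACE not scoped to one right
$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the forest-wide configuration partition
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext

foreach ($name in $templates) {
    $path = "LDAP://CN=$name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "Template '$name' not found in AD"
        continue
    }
    $entry = [ADSI]$path
    # Explicit and inherited ACEs, with SIDs translated to account names
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }

        $guid = $ace.ObjectType.ToString()
        if ($guid -eq $allRights) {
            # Full Control or "all extended rights" also permits enrollment
            $right = 'All extended rights (includes Enroll)'
        } elseif ($rights.ContainsKey($guid)) {
            $right = $rights[$guid]
        } else {
            continue   # some other extended right, not relevant here
        }
        New-Object PSObject -Property @{
            Template  = $name
            Principal = $ace.IdentityReference.Value
            Right     = $right
        }
    }
}
```

Run it from a domain-joined machine; a principal that appears for one template but not the other is where the web enrollment page and the advanced request form will behave differently.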