Issuing PKI cert from CA to ADDC

Question

  • We are having difficulties issuing our Domain Controller a PKI certificate from our Certificate Authority. Both systems are running Windows Server 2008 x64 Standard edition, and are part of the same domain. The CA is running Active Directory Certificate Services (ADCS). We have set the permissions of the certificate templates on the CA to allow any user and domain controller to read, enroll, and auto-enroll.

    When we use the MMC certificates snap-in on the DC to request the certificate there are no certificate templates available for selection. All of the templates are grayed out and marked unavailable. We can read new templates that were created so we believe there is an underlying permissions issue stopping us from making the request.

    Is there a way to put the template on the certserv website on the CA so that the DC can access the site and request the cert that way?  Permissions seem to be the issue when using the MMC route.

    Friday, May 15, 2009 7:37 PM


All replies

  • Check over the CA's configuration. The defaults should work for Domain Controller certificates, but just take a glance to make sure it is configured to issue the certificate.

    1. Make sure that the CA is configured to issue the Domain Controller certificate. Within the Certificate Authority MMC, open the Certificate Templates folder and verify that the "Domain Controller" certificate is in the list. If it is not, right-click Certificate Templates and select New Certificate Template To Issue. From the list, select the Domain Controller template and click OK.
    2. Verify that the security of the CA is configured to allow the "Domain Controllers" global group the "Request Certificates" permission. Right-click on the CA in the Certificate Authority MMC and select Properties. Click on the Security tab and check that DOMAIN\Domain Controllers is listed with the allow "Request Certificates" permission.
    • Proposed as answer by pjanaqi Tuesday, May 13, 2014 2:59 PM
    Saturday, May 16, 2009 5:03 PM
  • Thanks for the suggestion. 

    The domain controller cert template was in the list, so that was ok.  The domain controllers global group did not have any permissions at all (however we were able to see all the certs so I assume somewhere the DC had read permission); after giving the DC permission nothing changed. 

    When we attempt to request a cert the initial box is blank, however after clicking the see all box at the bottom, we can view all the certs, but they are greyed out and unavailable. 
    Monday, May 18, 2009 3:04 PM
  • When you open the Certificates MMC, are you specifying the "My user account" or "Computer account" certificate store? The Domain Controller certificate can only be issued to a computer, thus you must open the "Computer account" certificate store when performing the request. The template will be unavailable when requesting under the "My user account" store.

    If you are using the correct store for the request, check the reason why the Domain Controller certificate template is unavailable. The certificate request wizard provides a reason just below the certificate template name and the status (Available or Unavailable). For example, you might see something like:  "The specified role was not configured for the application. This type of certificate can be issued only to a computer."

    The permissions for viewing the certificate types are stored on the templates in Active Directory. In addition to those permissions, the requesting account must have permissions on the CA to request certificates. If you do not have permissions, you will see something like this in the reason for why the certificate is unavailable: "A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA is not trusted." Since you granted "DOMAIN\Domain Controllers" the "Request Certificate" permissions on the CA, you should be good on that side.

    If everything checks out OK, you may be running into some other problem that may be a little more difficult to troubleshoot. The reason I say this is that typically when you bring an Enterprise CA online in the domain, the domain controller(s) automatically enroll a Domain Controller certificate, without user interaction. If this is the case, I imagine you should see something in either the Application or System Event Viewer logs.

    Monday, May 18, 2009 3:41 PM
  • I was using the computer account.  I will double check the error I am given and get back to you.
    Monday, May 18, 2009 10:16 PM
  • The error is permissions based. 

    All templates are unavailable with the error "The permissions on the certificate template do not allow the current user to enroll for this type of certificate.  You do not have permission to view this type of certificate". 

    On the ADDC I am logged on as the administrator user, and have given full permissions to the specific template I would like to enroll with for that user, and even the computer.
    Tuesday, May 19, 2009 1:53 PM
  • You can verify that the permissions are in fact being set by running:

    dsacls "CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"

    You should get back a list that includes:

    Allow DOMAIN\Domain Controllers              Enroll
    Allow NT AUTHORITY\Authenticated Users       SPECIAL ACCESS
                                                 READ PERMISSONS
                                                 LIST CONTENTS
                                                 READ PROPERTY
                                                 LIST OBJECT

    Dsacls.exe can reset permissions on an object back to the default for that object class. For example, to reset the Domain Controller template back to the defaults you would run:

    dsacls "CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" /resetDefaultDACL

    Hope this helps some, for I may be running out of ideas.
    Tuesday, May 19, 2009 3:37 PM
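The two checks Brandon describes above (is the template published on the CA, and who actually holds Enroll/AutoEnroll on the template object in AD) can be scripted. The following PowerShell is an added example, not code from the thread; it assumes the ActiveDirectory module (for the AD: drive) and certutil.exe are present, the CA config string is a placeholder to replace, and the Enroll/AutoEnroll extended-right GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment rights.

```powershell
# Added example: audit a certificate template's publication and AD DACL.
param(
    [string]$TemplateCN = 'DomainController',
    [string]$CAConfig   = 'CA01.domain.com\domain-CA01-CA'   # placeholder, adjust
)

# Extended-right GUIDs from the AD schema for Certificate-Enrollment / -AutoEnrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d1-a7e4-00c04fb9c0d7'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

Import-Module ActiveDirectory

# 1. Is the template in the CA's "Certificate Templates" (templates to issue) list?
#    certutil -CATemplates prints lines of the form "DomainController: Domain Controller -- ..."
$published = certutil -config $CAConfig -CATemplates 2>&1
if ($published -match "^$TemplateCN`:") {
    Write-Host "[OK]   $TemplateCN is published on $CAConfig"
} else {
    Write-Host "[FAIL] $TemplateCN is not published on $CAConfig (New Certificate Template To Issue)"
}

# 2. Dump the template object's DACL from the Configuration partition and label
#    the ACEs that matter for enrollment: Read, Enroll, AutoEnroll.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

foreach ($ace in $acl.Access) {
    $right = $null
    if ($ace.ObjectType -eq $EnrollGuid)         { $right = 'Enroll' }
    elseif ($ace.ObjectType -eq $AutoEnrollGuid) { $right = 'AutoEnroll' }
    elseif (($ace.ActiveDirectoryRights -band
             [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) {
        $right = 'Read'
    }
    if ($right) {
        '{0,-6} {1,-45} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $right
    }
}
```

If DOMAIN\Domain Controllers appears with Read but no Enroll line, the MMC will show the template yet mark it unavailable, which matches the symptom in this thread.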
  • I went ahead and rebuilt the CA.  Luckily we were early in our build so data loss was not an issue.  For some reason this worked.  I am now able to set permissions for the templates, and more importantly am able to request the certs from the other machines. 

    Thanks for your help though Brandon.

    Quick question though, how come on the CA machine we do not have access to all the templates?  We are running all Server 2008 and the AD forest is set at the 2008 functional level.  It is not a big deal (at least not yet anyway) because we were able to get by with what we do have access to. 
    • Marked as answer by J-Will Tuesday, May 19, 2009 10:05 PM
    Tuesday, May 19, 2009 6:58 PM
  • Are you running Standard or Enterprise Edition? I cannot say for certain about 2008, but in Windows 2003, you only get access to all templates with Enterprise Edition. I issue "RAS and IAS Server" certificates within my organization, and I know for sure that template is only available with an Enterprise Edition CA.

    Tuesday, May 19, 2009 7:15 PM
  • That could be the issue.  We are running Server 2008 Standard ed. 

    Thanks again for your assistance.
    Tuesday, May 19, 2009 10:05 PM