CA certificate request error "Denied by Policy Module 0x80094800" Windows Server 2008 Standard

    Question

  • When trying to request a certificate from the local CA I receive the following message:

    the requested certificate template is not supported by this CA. Denied by Policy Module 0x80094800. the request was for a certificate template that is not supported by the Active Directory Certificate Services policy:
    1.3.6.1.4.1.311.21.8.11247263.3238951.4867487.3598660.1281222.180.1.27

    The system is a domain controller running Windows Server 2008 Standard, with an Enterprise CA.

    This happens with more than a single certificate template. I checked that Authenticated Users have Read and that the requesting user has Enroll and Auto Enroll rights.

    Any ideas?

    Thank you.

    Monday, December 19, 2011 11:43

All Replies

  • The appropriate forum for your post is below, i.e. the security forum, which deals with certificates and other security-related issues.

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Proposed as Answer by Mr XMVP, Monday, December 19, 2011 20:38
    Monday, December 19, 2011 13:52
  • Have you checked whether the template is assigned to CA server (in Certification Authority MMC select Certificate Template folder)?
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Tuesday, December 20, 2011 06:37
  • Yes, it is assigned. The failed requests are from the User certificate template (I duplicated the template, modified permissions Domain Users - Enroll and AutoEnroll, checked that Authenticated Users have Read permissions, issued the template) and Workstation certificate templates (same checked permissions Domain Computers Enroll and AutoEnroll, issued the template). I've chosen to deploy the certs by group policy, so every time a workstation/user tries to autoenroll a certificate I get this message on the CA and the workstation or user doesn't get the certificate. It's the same if I try to manually enroll a certificate of that type; I've also tried to enroll a code signing certificate with the same result.

     

    Tuesday, December 20, 2011 07:33
  • Thank you for posting it for me at the right place :)
    Tuesday, December 20, 2011 07:43
  • I think I narrowed it down. The error appears only with customized certificate templates; with default templates it seems to be OK.

    Any ideas why?

    Thank you

    Tuesday, December 20, 2011 07:55
  • Check that the CA server has Read permission on the template. The Authenticated Users built-in group is granted Read permission by default, and if you happen to remove that group, the CA server must be granted permissions on the template.

    /Hasain

    Tuesday, December 20, 2011 08:06
  • Every duplicated certificate template that I use (the ones in question) has Authenticated Users - Read on the ACL.

    Tuesday, December 20, 2011 08:26
  • What was the problem? Same issue here; help would be great.
    Saturday, June 16, 2012 20:59
  • I duplicated the certificate template and published it for distribution (a simple user certificate). After publishing the default template (not duplicated), everything worked out fine. So it would be only a workaround for you. Please reply here if it's OK like that.

    RR IT Professional

    Monday, June 18, 2012 14:22
  • I have just spent the last few days trying to figure out why the company I am at is getting this error.

    All the normal things didn't work.

    I finally found this posting:

    http://social.technet.microsoft.com/wiki/contents/articles/17694.troubleshooting-fim-cm-certificate-request-error-denied-by-policy-module.aspx

    Basically, this place had done some "interesting" things on their issuing CA's CRLs, and they had a lot of old ones in there. I think they were injecting the Root and policy CRLs just like you would an offline Policy CA, and that they were staying.

    Once I cleaned the CRLs up, I was able to get the CA to issue the cert. The weird part is that this was only affecting the Version 1 templates. Most of the other certs published just fine.

    Anyway, I am leaving this comment here as a breadcrumb to others.


    Meow

    Friday, December 13, 2013 16:11
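
The checks suggested in the replies above (is the template published on the CA, who has Read and Enroll on it) can be run against Active Directory directly, starting from the OID in the error message. The following PowerShell is an added example, not code from any poster in this thread; it assumes a domain-joined machine and only reads from the directory.

```powershell
# Added example: read-only LDAP lookups; run as a domain user on a domain-joined host.
# OID copied from the error message quoted in the question.
$TemplateOid = '1.3.6.1.4.1.311.21.8.11247263.3238951.4867487.3598660.1281222.180.1.27'

$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Resolve the OID from the error to a certificate template object.
$ts = New-Object System.DirectoryServices.DirectorySearcher
$ts.SearchRoot = [adsi]"LDAP://CN=Certificate Templates,$pkiBase"
$ts.Filter = "(&(objectClass=pKICertificateTemplate)(msPKI-Cert-Template-OID=$TemplateOid))"
$hit = $ts.FindOne()
if (-not $hit) { throw "No certificate template with OID $TemplateOid exists in this forest." }
$name = [string]$hit.Properties['cn'][0]

# 2. Template schema version (treated as 1 when the attribute is absent).
#    A duplicated template is always version 2 or higher; a Windows Server 2008
#    Standard edition CA issues version 1 templates only.
$version = 1
if ($hit.Properties.Contains('mspki-template-schema-version')) {
    $version = [int]$hit.Properties['mspki-template-schema-version'][0]
}

# 3. CAs that publish the template (what the CA MMC "Certificate Templates" folder shows).
$cs = New-Object System.DirectoryServices.DirectorySearcher
$cs.SearchRoot = [adsi]"LDAP://CN=Enrollment Services,$pkiBase"
$cs.Filter = '(objectClass=pKIEnrollmentService)'
$publishedOn = @($cs.FindAll() |
    Where-Object { $_.Properties['certificatetemplates'] -contains $name } |
    ForEach-Object { [string]$_.Properties['cn'][0] })

# 4. Template ACL, with the two enrollment extended rights shown by name.
$rightNames = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$acl = $hit.GetDirectoryEntry().ObjectSecurity.Access | ForEach-Object {
    $right = $rightNames[$_.ObjectType.ToString()]
    if (-not $right) { $right = $_.ActiveDirectoryRights }
    '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $right
}

"Template       : $name"
"Schema version : $version"
"Published on   : $($publishedOn -join ', ')"
'ACL:'
$acl
```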