XP client setup fails - certificate authority request blocked by policy module using either standard or administrator profile

  • Question

  • I have been unable to connect an XP-SP3 laptop to the SBS 2011 Ess server. The connector setup process fails with 'unable to establish trust relationship'. Changed access rights on local directories per other discussions found on the web. Made sure the local clock is within a couple of seconds of the server. (Got black rooster, sacrificed to the computer gods at the appropriate hour...)

    Problems started in trying to set up the user -- there would be an error box briefly displayed (but not found in the error log) if I tried to create the user as 'standard' through the dashboard. Creating them as an administrator would go to completion without apparent errors.

    But trying to connect their laptop to the SBS network would not go to completion. Found that the event log on the server was logging a CertAuth error 53 when I would attempt to connect this standard user - message said 'Request denied by policy'. Looking at AD Users and Computers I see that the default is to require domain admin membership to add a computer. But the client connect setup advises that one should use a standard user account to connect to the domain -- problem is that when one does that, the connect request is still rejected. But if one recreates the user as an admin it still fails. Or tries to do the connect with any other user profile.

    The interesting thing is that the AD shows a computer account has been created and the user is able to log onto the domain -- but the connect process fails before setting up the backup software on the client computer. Also, the dashboard shows the client computer but does not show any details -- even though they are in the AD computer record. And the 'system' function shows the machine as being set to the domain name.

    For what this person does, the current undead state might actually be workable except for no client backup functions. How do I fix this so they get the backup client working?

    Monday, September 5, 2011 4:54 PM


  • Installation has been completed so the 'problem' is notionally 'solved'. Prior installation attempts had been done under the local machine administrator account. On a whim I tried again signing on with the domain administrator's account -- which had never been used on this machine. This time the setup went much further, blowing up in 'configuring machine'. The error in the log file said 'cannot find ldap server'. Checked the network configuration and found that the normal round-robin of DNS lookups would only return the IP address of the server when it did the lookup at the host DNS. Hardwired the TCP config to only look at the server for DNS. Now the install went all the way to completion and backup configuration. So it is done -- although I never did solve why the trust relationship create failed when running the install under the local user account; smells like a permissions issue although not logged as such. Reaffirms my belief that the true miracle is that anything works at all.
    • Marked as answer by GLatiak Thursday, September 8, 2011 5:33 PM
    Thursday, September 8, 2011 5:33 PM
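
The 'cannot find ldap server' symptom described in the answer can be checked per resolver. The following is an added example, not part of the original thread: it asks one specific DNS server for the Active Directory domain controller locator record `_ldap._tcp.dc._msdcs.<domain>` and parses the reply, so a resolver that does not know the internal zone stands out. The function names are hypothetical, and the domain and server addresses you pass in are your own values.

```python
import socket, struct

def encode_name(name):
    # Wire format: length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in name.strip(".").split(".")) + b"\x00"

def build_srv_query(domain, txid=0x1234):
    # Header (RD flag set, one question) + QNAME + QTYPE=SRV(33) + QCLASS=IN(1)
    qname = encode_name("_ldap._tcp.dc._msdcs." + domain)
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">2H", 33, 1)

def read_name(msg, pos):
    # Returns (name, offset just past the name), following compression pointers
    labels, end, hops = [], None, 0
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:  # a hostile or broken reply can loop pointers
                raise ValueError("compression pointer loop")
            end = pos + 2 if end is None else end
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
        elif n == 0:
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n

def parse_srv_answers(msg):
    # Returns (rcode, [(target_host, port), ...]) for one DNS reply
    _, flags, qd, an, _, _ = struct.unpack(">6H", msg[:12])
    pos, found = 12, []
    for _ in range(qd):
        pos = read_name(msg, pos)[1] + 4
    for _ in range(an):
        pos = read_name(msg, pos)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 33:  # SRV RDATA: priority, weight, port, target
            port = struct.unpack(">H", msg[pos + 4:pos + 6])[0]
            found.append((read_name(msg, pos + 6)[0], port))
        pos += rdlen
    return flags & 0x000F, found

def check_resolver(server, domain, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(domain), (server, 53))
        return parse_srv_answers(s.recvfrom(4096)[0])
```

Call `check_resolver(ip, domain)` once for each DNS server listed in the client's TCP/IP settings. A resolver that returns a non-zero rcode (3 is NXDOMAIN) or an empty list cannot locate the domain controller and should not be in the client's DNS list.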