The request contains no certificate template information 0x80094801 (-2146875391). Denied by Policy Module 0x80094801

  • Question

  • I tried to Issue a certificate on the Windows 2008 Enterprise installed as a Domain Controller with Certificate Authority installed but it came up with the following error.

    The request contains no certificate template information 0x80094801 (-2146875391). Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.
     

    The certificate was issued through the IIS7 on the same machine.

    I tried the following workaround

    http://technet.microsoft.com/en-us/library/cc783835.aspx


    But still got the same error.

    I tried to use the web certsrv but since the web site is not HTTPS enabled, I can't use that, I can only go through the MMC to request Certificates.

    Any ideas why this does not work?

    Friday, April 17, 2009 5:14 PM

All replies

  • I think enterprise CAs require certificate template information.  What steps did you do to create the certificate request and submit it to the CA?

    If you are trying to obtain an SSL server cert then you can always use the MMC to request a "WebServer" certificate for the computer and bind that certificate in IIS.
    You may also consider submitting the certificate request to a standalone CA OR creating the certificate request using the "certreq" tool.

    Andrew
    Friday, April 17, 2009 6:53 PM
  • The problem I have is because I am using Enterprise CA where Standalone CA does not use certificate template, certreq fixed the problem I have.

    http://support.microsoft.com/default.aspx/kb/910249


    In Microsoft Windows Server 2003, when you use the Certification Authority Microsoft Management Console (MMC) snap-in to submit a certificate signing request (CSR) to an enterprise certification authority (CA), you may receive the following error message:
    Certificate Request Processor

    The request contains no certificate template information. 0x80094801 (-2146875391)
    Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the Certificate Template request attribute.
    The message indicates that there is no certificate template information in the request. However, there is no option in the Certification Authority MMC snap-in to select a certificate template.

    Note Stand-alone CAs do not use certificate templates. Therefore, this issue occurs only when you use the Certification Authority MMC snap-in to request a certificate from an enterprise CA.
    • Proposed as answer by Brent Brogan Tuesday, December 10, 2013 4:19 PM
    Friday, April 17, 2009 9:40 PM

  • You say the following:
      "The message indicates that there is no certificate template information in the request. However, there is no option in the Certification Authority MMC snap-in to select a certificate template. "

    To request a certificate, you should be using the certmgr snap-in. For Vista and below, if you are domain joined you should be able to select a certificate template after you select "Request New..." from the right click menu of the "Personal" folder.

    Andrew
    Sunday, April 19, 2009 6:43 AM
  • I am not able to select the Web Server template (after you select "Request New..." from the right click menu of the "Personal" folder) because it says "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to view this type of certificate."

    I am logged in as the domain administrator with local admin rights of the machine which is the DC and CA of the domain.

    I am logging in as the same user and it works on the console but not the snap-in, any reasons why?

    • Proposed as answer by EonBleu Wednesday, November 26, 2014 2:32 PM
    Sunday, April 19, 2009 8:13 PM
  • Hi,

    Before we go further, I suggest we try to configure the web CA service.

    1.    Add http://localhost/certsrv to your Trusted sites.
    2.    Open Internet Options, switch to Security tab, click Trusted sites, move the slide bar to bottom. Click OK.
    3.    Try to visit http://localhost/certsrv and request new certificate. Please let us know which template you choose to request and detailed error message if any.

    4.    If we still cannot get the certificate, please let us know how you configured the Certificate Template.

    5.    Run "certutil -template >>c:\ca.txt" and send c:\ca.txt file to tfwst@microsoft.com for research.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, April 20, 2009 6:57 AM
  • If I have already created the certificate request and just submitting it, it works fine when I select "Submit a certificate by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". I choose the "WebServer" template.

    If I do "Create and submit a request to this CA", I get the error "In order to complete certificate enrollment, the web site for the CA must be configured to use HTTPS authentication"

    So the question still remains with MMC as I am not able to select the Web Server template (after you select "Request New..." from the right click menu of the "Personal" folder) because it says "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to view this type of certificate."
    Monday, April 20, 2009 11:05 PM
  • Hi,

    I understand you can get a certificate if you have already created a request, but there is still error when trying to submit from MMC.

    This issue may be caused by incorrect Certificate Template permission settings. Let’s give Authenticated user Enroll permission:

    1.    Open MMC, click File menu, choose Add/Remove Snap-in, choose Certificate Templates, click OK.
    2.    Double-click Web Server template, switch to Security tab, select Authenticated Users, click Enroll option. Click OK.
    3.    Open CA console, stop CA service and restart it.
    4.    Try to open MMC->Certificates of Local Computer, try to request Web Server certificates.

    At the same time, we can disable IE SEC and change IE security settings to bypass HTTPS requirement. To do so:

    1.    Open Server Manager, click Server Manager in the left panel, click Configure IE ESC in the right panel.
    2.    Click Off at least for administrator.  Click OK.
    3.    Open Internet Options, switch to Security tab, click Trusted sites, move the slide bar to bottom. Click Local intranet, move the slide bar to bottom, click OK.

    4.    Restart IE and try to visit http://localhost/certsrv, you should be able to submit request.

    If there is any error, please let us know the detailed error message.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Thursday, April 23, 2009 12:49 AM
    Tuesday, April 21, 2009 2:34 AM
  • For the first section, I can see the WebServer check box appears in the Certificate MMC for requesting new certificate request, but when I select it, the enroll button does not get enabled. All the others Domain Controller, Domain Controller Authentication enabled the Enroll button when I select it. Even if I select Domain Controller then WebServer it gets disabled, actually disables it after it was enabled.

    For the web section, it works as you described and I am able to generate and install the certificate and save the certificate request.

    Let me know what you think about the first section.

    • Proposed as answer by shaun8875 Tuesday, June 12, 2018 2:25 AM
    • Unproposed as answer by shaun8875 Tuesday, June 12, 2018 2:25 AM
    Tuesday, April 21, 2009 3:49 PM
  • Hi,

    Glad to hear you could request certificate from CA web service.

    Based on my test, the Enroll button disabled in MMC Certificate Enrollment window may be caused by lack of enough information. Under Web Server template in Certificate Enrollment window, there should be a Yellow triangle, click it. If there is yellow triangle, click Detailed button, click Properties, switch to Subject tab, in the subject name section, choose Common name or Title or any option, type a valid Value, click Add, click OK. The Enroll button should be activated.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Thursday, April 23, 2009 12:49 AM
    Wednesday, April 22, 2009 1:11 AM
  • Great, that was it. Thanks for your help.
    • Marked as answer by signup Wednesday, April 22, 2009 5:41 PM
    Wednesday, April 22, 2009 3:14 PM
  • It doesn't display web server template by default, because you connect to "certificates" snap-in as a computer account. Which is funny, because you can't enroll web server certificate as a user account (role not meant for that), and only domain admins [not computers] have access to web server enrollment by default.

    Which makes me wonder what's the proper way to enroll a web server certificate on w2k8..

    Tuesday, January 19, 2010 7:31 PM
  • It depends on what type of CA you are using for the semantics of the submission.
    1) Generate the request using the IIS Manager console.
    2) For Enterprise CAs, use the Domain Certificate request option (this does a direct submission to the CA, hard-coded for the Web Server certificate template). Just change permissions to allow a custom global or universal group Read and Enroll permissions.
    3) For standalone CAs, use the certificate request; this creates a PKCS#10 request that must be submitted to the CA. (You can also do this for an enterprise CA.) Then submit the request using certreq or the Web enrollment pages (submitting a PKCS#10 request), selecting the associated certificate template if submitting to an enterprise CA. (This method allows you to use a custom certificate template rather than Web Server.)
    4) Complete the request at the IIS Manager console.

    Brian
    Tuesday, January 19, 2010 7:54 PM
  • Hi,

    We are working on an authentication application whereby user will be authenticated against Microsoft Active Directory server. The server has to be set up with an X.509 SSL server certificate and has SSL enabled.

    I am trying to generate an SSL certificate using the process described in http://support.microsoft.com/kb/321051. In this process a .inf file is created and is used to create a .req file which in turn is submitted to CA to generate a certificate. My .req file gets created successfully but when I submit that file to CA, I get an error saying "The request contains no certificate template information.................."

    I don't know how to "request Web Server certificates........." as given in the solution above because I do not get any such option. 

    I also went through http://technet.microsoft.com/en-us/library/bb727068.aspx; I am able to generate the certificate, but I do not get any option to install the certificate. ( Click Install Certificate to install the certificate to the certificate store....)

    Any solutions, please let me know.

    Regards
    Tuesday, March 23, 2010 5:56 AM
  • To use the method described in the KB article to submit a request to an Enterprise CA you need to add the following to the INF file:

    [RequestAttributes]
    CertificateTemplate=WebServer

    Paul Adare CTO IdentIT Inc. ILM MVP
    Tuesday, March 23, 2010 7:49 AM
  • Just try this in the commandline:

    certreq -submit -attrib "CertificateTemplate:Webserver" <certrequest.req-file>

    where the <certrequest.req-file> is the whole path and filename to your request file

    • Proposed as answer by John Rivers Friday, May 20, 2016 9:58 PM
    Tuesday, March 1, 2011 4:26 PM
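
The INF-based request from the two posts above (the `[RequestAttributes]` section and the `certreq -submit -attrib` call), written out end to end as an added example that is not part of the original thread. The subject name and working folder are placeholders, and the `[NewRequest]` values are assumptions chosen for a TLS server key rather than settings from the posters; run it elevated because the key is created in the machine store.

```powershell
# Added example: placeholder names, adjust before use.
$subject = 'CN=www.example.test'            # placeholder FQDN of the web server
$work    = Join-Path $env:TEMP 'webserver-req'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# Request policy. [RequestAttributes] carries the template name that an
# enterprise CA's policy module requires; without template information the
# request is denied with 0x80094801.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request.
certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# List any template information in the request. No matching lines means the
# template must be supplied with -attrib at submit time.
certutil -dump $req | Select-String -Pattern 'Template'

# Submit with plain ASCII double quotes around the attribute string.
# With no -config argument, certreq asks which CA to use.
certreq -submit -attrib "CertificateTemplate:WebServer" $req $cer
if (-not (Test-Path $cer)) { throw 'No certificate returned; check the request status on the CA.' }

# Bind the issued certificate to the pending private key.
certreq -accept $cer
```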
  • Thank you Mervyn,

    your procedure is ok.

    • Proposed as answer by Oveimar Vahos Thursday, May 24, 2012 9:02 PM
    Thursday, May 24, 2012 9:02 PM
  • Hi

    I tried 

    certreq -submit -attrib „CertificateTemplate:Webserver“ <certrequest.req-file>
    where the <certrequest.req-file> is the whole path and filename to your request file

    But I have the same message:
    Active Directory Enrollment Policy

      {39AB995E-8927-4A86-931A-FCA69C10D852}
      ldap:
    RequestId: 734
    RequestId: "734"
    Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
     The request contains no certificate template information. 0x80094801 (-2146875391)
    Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)
    Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

    Any other ideas? :-)


    Wednesday, May 28, 2014 11:01 AM
  • Thank you, very good for me

    rfcc

    Thursday, April 9, 2015 1:19 PM