Certsrv site not showing any template and not able to request cert

  • Question

  • Hi All, 

    I am facing an issue with the certsrv site: when I log in to the certsrv site with a domain/Enterprise/builtin administrator user and request an advanced certificate, I do not see any template. Earlier there was a template, which I deleted; now I do not see any default template, i.e. webserver.

    Under the application event log I see the warning message: Element not found.

    The "Windows default" Policy Module logged the following warning: The XMS_Template Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND).

    The other one: The "Windows default" Policy Module logged the following warning: The Active Directory connection to DC01.xmlab.net has been reestablished to DC01.xmlab.net.

    I checked all the permissions; all are good.

    I checked the IIS site and pool; all are good.

    I checked the site and services for PKI permissions; all are good.

    DC01.xmlab.net is an Enterprise root CA.

    I face 2 more issues on the same DC:

    1. When I try to generate/request any CA from MMC, it crashes.

    2. I am not able to generate a CA request from IIS; I am getting an error.

    We have CAs as below.

    XMLAB-DC01-CA -- Enterprise CA - All 5 FSMO running on DC1

    XMLAB-DC02-CA -- Enterprise subordinate CA - another GC in Server - On this server I am able to request a cert using MMC

    Sub1-Sub1-DC03-CA -- Enterprise subordinate CA - child domain

    Please help - let me know if you need any details 

    Thanks -Suman

     

    Friday, June 22, 2018 7:38 AM

Answers

All replies

  • Hi Suman,

    One issue at a time. They might be related, but that way we keep an overview.

    So the certsrv site has a problem loading the XMS_Template. Could you do a Certutil -CATemplates and report back the output? Then do a Certutil -CATemplates -v XMS_Template and report that output too.

    Kind Regards,

    Friday, June 22, 2018 9:54 AM
  • Hi Couwenbreg,

    Thank you for the reply.

    Actually I am new to the forum - I thought posting on multiple forums may get more visibility and may get help from experts.

    Below is the output of certutil -CATemplates:

    PS C:\Users\Administrator> certutil -CATemplates
    DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
    DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
    KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied.
    EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
    EFS: Basic EFS -- Auto-Enroll: Access is denied.
    DomainController: Domain Controller -- Auto-Enroll: Access is denied.
    WebServer: Web Server -- Auto-Enroll: Access is denied.
    Machine: Computer -- Auto-Enroll: Access is denied.
    User: User -- Auto-Enroll: Access is denied.
    SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
    Administrator: Administrator -- Auto-Enroll: Access is denied.
    CertUtil: -CATemplates command completed successfully. 
    Friday, June 22, 2018 3:51 PM
  • Hi Suman,

    There we have problem #1. The certificate template you mentioned: XMS_Template, is not in the list. Therefore the CA can't issue certificates on it. So first you have to add it to the list on the CA. This is done by taking the following steps:

    1. Log on to the CA.

    2. Open the Certification Authority Snap-In.

    3. Navigate to Certificate Templates.

    4. Right-click Certificate Templates, point to New and Click Certificate Template to Issue.

    5. Find the XMS_Template and add it.

    After that, check the results. Let's see if we get the same error, something different, or resolve it completely.

    Kind Regards,

    Tuesday, June 26, 2018 8:22 AM
  • Hi Couwenbreg,

    I had the XMS_Template duplicated from webserver, and XMS_Template used to show in the web enrollment page certsrv. But none of the other templates used to show apart from XMS_Template, hence I deleted the XMS_Template to see what happens after deleting, and I see that it gives the error mentioned below.

    So here I am trying to figure out what is stopping the template from showing in certsrv.

    Please help.

    Tuesday, June 26, 2018 10:09 AM
  • Hi Suman,

    Would you mind confirming that you followed the instructions in my previous post to keep things clear where we're standing?

    That said, the next problem might be that you still have no templates found. Note that in addition to having activated the CA template the way I described, the template cannot be of a schema version of 3 or higher (Windows Server 2008 or higher). This is because the certsrv pages do not support those schema versions.

    Kind Regards,

    Tuesday, June 26, 2018 1:33 PM
  • Thank you Couwenbreg,

    I was able to resolve the issue after creating a new app pool in IIS for the certsrv site and assigning the network services.

    There was nothing to do with the old template.

    Thanks again for your help.

    Wednesday, June 27, 2018 4:32 AM
  • Hi Suman,

    Ah, that one. Thanks for the update and glad it was solved.

    Kind Regards,

    • Marked as answer by suman bishnoi Sunday, July 1, 2018 11:11 AM
    Wednesday, June 27, 2018 6:31 AM
  • Aside from the other technicalities mentioned by other posters, I have found an additional key ingredient to success is to be sure to run IE in an elevated administrator mode. There are permissions buried in the depths of all of this, and it is not clear to me how they should be set up or if my installation is not quite right either. By default, IE uses an account that might be unauthenticated or anonymous. When I used a straight IE session I got only a couple of templates (user authentication, EFS). When I ran in elevated mode, I got all the templates that are assigned to the certificate authority.

    > Kamal

    Monday, January 7, 2019 2:13 PM
  • Hi Suman,

    I have managed to solve the problem of the templates not being loaded. Just set the read permission on the problematic certificate template for Authenticated Users. It can be done with ADSI Edit (connect to Configuration) or with "AD Sites and Services" (View - Show Services Node - Services - Public Key Services - Certificate Templates - The Problematic Template).

    Regards

    Friday, October 4, 2019 1:45 PM
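
The template checks raised in the replies above (is the template published on the CA, what is its schema version, can Authenticated Users read it) can be collected in one read-only pass over Active Directory. This is an added example, not code from any poster in the thread; it assumes the RSAT ActiveDirectory module is installed and uses the CA name XMLAB-DC01-CA from the question.

```powershell
# Added example: read-only audit of the templates published on one Enterprise CA.
# Assumptions: RSAT ActiveDirectory module; CA name taken from the thread.
Import-Module ActiveDirectory

$caName    = 'XMLAB-DC01-CA'
$configNC  = (Get-ADRootDSE).configurationNamingContext
$pkiDN     = "CN=Public Key Services,CN=Services,$configNC"
$authUsers = 'S-1-5-11'   # well-known SID of Authenticated Users
$readBit   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Templates published on this CA, read from the certificateTemplates
# attribute of its enrollment-service object.
$ca = Get-ADObject -Identity "CN=$caName,CN=Enrollment Services,$pkiDN" `
    -Properties certificateTemplates

foreach ($name in $ca.certificateTemplates) {
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiDN" `
        -SearchScope OneLevel -Filter "cn -eq '$name'" `
        -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor

    if (-not $tpl) {
        # The CA still references a template whose AD object is gone.
        [pscustomobject]@{ Template = $name; Schema = $null; AuthUsersRead = $null
                           Note = 'published on CA but no template object in AD' }
        continue
    }

    $schema = $tpl.'msPKI-Template-Schema-Version'
    # Resolve ACEs to SIDs so the check does not depend on the OS language.
    $rules = $tpl.nTSecurityDescriptor.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $canRead = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $authUsers -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $readBit)
    })

    $notes = @()
    if ($schema -ge 3) { $notes += 'schema version 3 or higher' }
    if (-not $canRead) { $notes += 'no read ACE for Authenticated Users' }

    [pscustomobject]@{ Template = $name; Schema = $schema; AuthUsersRead = $canRead
                       Note = $notes -join '; ' }
}
```

The script only looks for an ACE granted directly to Authenticated Users, as in the last reply; read access that a user gets through another group is not reported.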