none
Server 2019 Web Enrollment "No templates found!" RRS feed

  • Question

  • Configuration:

    2 Tier PKI (prototype configuration, so anything can be changed)

    Standalone Root CA: Windows Server 2019 Core Build 17763

    Enterprise CA: Windows Server 2019 Core Build 17763

    Roles: CA, CA Web Enrollment, IIS Web Server and Mgmt Tools

    Client: Windows 10 domain joined machine

    Problem: When accessing the web enrollment site, and navigating to the Advanced Certificate Request page, I'm presented with a dialog box stating:

    "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."

    Question: Why are the templates not appearing in the Certificate Templates selection drop down?  I would expect to at least see the User certificate.  I'm concerned that I'm chasing a ghost with this being Server 2019 and a potential bug.  Any help would be appreciated and I can supply as much info as requested.

    Additional Info:

    Several duplicated templates have been created for both User and Computer.  For the user template I've added my user account to the Security tab with Read and Enroll permissions.  I've added the template via certutil -SetCATemplates to ensure that it can be issued.  I've verified the the dNSHostName entry if AD matches that of the certDat.inc file in CertSrv.


    Mike Gerlach

    Thursday, September 5, 2019 5:43 PM

All replies

  • Hi,

    Sorry for the delayed reply.

    Based on the complexity and the specific situation, we need do more researches.

    If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated.

    If you have further information during this period, you could post it on the forum, which help us understand and analyze this issue comprehensively.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 9, 2019 11:36 AM
  • Hi William,

    Thanks for the reply.  Yes this is issue is definitely one that I have't found much support on the web.

    Some additional information:

    IIS Configuration on issuingCA. Most of this configuration is default:

    Application Pools:

    DefaultAppPool: Status: Started Managed PipelineIntegrated Identity: ApplicationPoolIdentity Applications: 2

    Site:

    Authentication - Anonymous

    SSL Settings - Require SSL, Ignore Client certificate

    Bindings - Type: http Port: 80 IP Address: *

                    Type: https Port: 443 IP Address: *

                                SSL Certificate: using EnterpriseCA issued cert

    User Certificate Template settings:

    Template Display Name: XYZ User

    TemplateName: XYZUser

    Validity period: 2 year

    Renewal period: 6 wks

    Publish Certificate in AD: checked

    Compatibility: Certificate Authority - Server 2003, Certificate recipient - Windows XP / Server 2003

    I chose those settings because I want to be able to use Mac Profiles to request certificates

    Request Handling

    Purpose: Signature and Encryption

    Include symmetric algorithms allowed by the subject: checked

    Allow private key to be exported: checked

    Enroll subject without requiring any user input: selected

    Cryptography

    Determine by CSP: selected

    Minimum key size: 2048

    Request must use one of the following providers: Microsoft Enhanced Cryptographic Providers v1.0

    Security

    I've given my user account Read & Enroll permissions

    Domain Users also have Enroll

    Subject Name:

    Supply in the request: selected

    Issuance Requirements

    Require the following for enrollment: CA certificate manager approval

    I can provide more information if needed, or if I think of something else


    Mike Gerlach

    Monday, September 9, 2019 3:36 PM
  • Hi,

    Sorry for the delayed reply.

    After my deepen research, I couldn’t the possible reason which could cause the issue.

    For further troubleshooting, I will suggest you contact Microsoft Business support team.

    Thanks for your understanding and support.

    https://support.microsoft.com/en-us/hub/4343728/support-for-business

    Have a nice day!

    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 17, 2019 7:38 AM