Help me with CA permissions

  • Question


  • Hi,

    I have problem with CA template and its permissions. So in general:

    I have a 2008R2 Ent CA. I have a new template configured which issues certificates for computers. There is one group which has all computer accounts and which has Read, Enroll and Autoenroll permissions for this template. I added a few computer accounts and when policy was refreshed on them certificates were issued for these computers. But now I've added a few more computers. And when policy is refreshed on them all I get is this error:

    The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)

    Active Directory Certificate Services denied request 19 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422).  The request was for DOMAIN\COMPUTERNAME$.  Additional information: Denied by Policy Module

    I double checked this group membership, forced replication between all of the DCs, completely restarted the server with the CA - nothing has helped :/

    When I granted permissions directly to the computer account for this template - the computer was able to get a certificate. What is going on? Where could my problem be?

    One of my thoughts is that maybe the CA can't read this group membership, but then how was it able to issue certificates to a few other computers which are in this group too? :/
    Tuesday, 23 February 2010 15:35

All Replies

  • What is the scope of the group? You can only use Global groups or Universal groups for certificate template permissions.
    Domain Local groups cannot be used because the certificate template objects are stored in the Configuration naming context (which is replicated to all DCs in the forest (all domains)).
    Brian

    Tuesday, 23 February 2010 15:52
  • Was able to reproduce this. Added my own computer account into this group. Replicated between all DCs. Restarted the CA just in case. Refreshed policy on the CA just in case.

    And now - when I issue the following command on my computer:

    gpupdate /target:computer /force - I get this error :/

    It seems that the CA somehow caches group membership for some time :/ How can I avoid this? I want the certificate to be issued right when the computer is added into the required group and group policy is refreshed on it. Kerberos ticket lifetime maybe?
    Tuesday, 23 February 2010 15:54
  • OK, this is really basic Windows stuff.
    When you add a user/computer to a group, the group membership is only recognized the next time the account logs on to the network.
    So, for a user, you log on and log off.
    For a computer, you wait 8 hours or you reboot the computer.
    This is *not* the CA caching group membership.
    This, as I stated in the beginning, is basic Windows stuff.
    Brian
    • Suggested as Answer by Vadims Podans MVP Tuesday, 23 February 2010 19:55
    Tuesday, 23 February 2010 18:15
  • Are you talking about Universal group caching? If so, I have this caching disabled. So I'm interested in why I need to wait for 8 hours.

    Brian, what would be your approach to this problem? Because as of now, if I put a lot of computer accounts into this group and they are mostly online all of the time - I will simply end up with a lot of failed requests on the CA :(
    Tuesday, 23 February 2010 19:58
  • > Are you talking about Universal group caching?

    No. Brian is talking about the Kerberos token. When a computer starts or a user logs on to a domain, it receives a security token from the KDC that contains the SIDs of all security groups in which that particular account exists. When you change computer/user membership (remove from a group or add to a group) these changes will take effect when the client renews its token. For users you will have to wait up to 10 hours or just log off and log on again to force these changes immediately. To immediately force a security group membership change for a computer account you need to restart this computer.
    http://www.sysadmins.lv
    Tuesday, 23 February 2010 20:17
  • In my initial posts I mentioned Kerberos ticket lifetime btw :) Maybe one solution would be to shorten the Kerberos ticket lifetime?

    What would be your solution for my problem? I want to avoid these failed cert requests from showing up on my precious CA :)
    Tuesday, 23 February 2010 20:23
  • Restart them?

    Also you have said nothing about the Kerberos ticket. You said that you have refreshed policy. In that case the security token remains the same and is not changed.


    http://www.sysadmins.lv
    Tuesday, 23 February 2010 20:25
  • What do you want to know about this ticket? It has the default lifetime. I'm interested in finding some solution which avoids computer restarts. Because if I add 100 computer accounts at one time into this group I simply will not be able to restart all of them. And if I don't restart them I'll get tons of failed requests as the GPO refresh is a lot shorter than 10 hours :( And thanks for your help to your neighbor from LT :)
    Tuesday, 23 February 2010 20:48
  • Actually there are only 2 solutions: reduce the ticket lifetime in the group policy Kerberos section or restart the computers.
    http://www.sysadmins.lv
    Tuesday, 23 February 2010 20:51
  • Actually, there is a third option.
    PATIENCE! <G>
    Brian
    Tuesday, 23 February 2010 20:52
  • Brian, actually it's not a good solution, because it will end up with a lot of failed requests in the "Failed Requests" folder on my CA. I do not want to have unneeded garbage which I can avoid without any big side effects :) But I'll keep your solution in mind :)
    Tuesday, 23 February 2010 21:04
  • > Actually there are only 2 solutions: reduce the ticket lifetime in the group policy Kerberos section or restart the computers.
    > http://www.sysadmins.lv

    Are you talking about service ticket or user ticket lifetime?
    Tuesday, 23 February 2010 21:10
  • User.
    http://www.sysadmins.lv
    Tuesday, 23 February 2010 21:16
  • But I still can't understand this damn group membership thing :( Example:

    Added two computer accounts to the required group at 17:30. Both computers were online till this morning. The results:

    I can't see either a failed request or an issued certificate for one computer today (it's 8:00 now). As for the other computer I see a failed request at 7:39.

    I can see that 10 hours have passed, so why do I have such behavior?

    And why have I had only one failed request during the 10 hour time frame? As far as I know GPO refreshes more frequently.
    Wednesday, 24 February 2010 05:48
  • Ugh I'm such a derp.  That makes perfect sense.

    ZdPav

    Wednesday, 8 July 2015 21:19
  • In case anyone else ends up here looking for an answer to avoiding reboots, you can also just purge the kerberos tickets (not sure it's "really basic Windows stuff" like Brian called out, but it was useful to our use case).  If Windows is challenged to produce a kerberos ticket and it doesn't have one, it will go ask the KDC for one, and then finish what it was doing.  So by purging the ticket that didn't have the security group membership SID, you can get it to reacquire once it's there.

    Use klist to purge the system's tickets (0x3e7 equates to the LogonId for the local system. This command won't purge user tickets):
    klist -lh 0 -li 0x3e7 purge

    Pulse again:
    certutil -pulse

    When the pulse is attempted without a kerberos ticket cached, Windows will request a new one, then the request will be made with appropriate group membership (without requiring a reboot).

    Thursday, 9 July 2020 19:37
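The purge-and-pulse sequence from the post above, wrapped in a script as an added example that is not from the thread or any of its posters: it first confirms in AD that the computer is in the enrollment group, then purges the SYSTEM logon session's Kerberos tickets, triggers autoenrollment and polls the machine store for a certificate from the template. The parameters, the helper functions and the match on the "Template=" text of the certificate template extension are assumptions, not something the thread states.

```powershell
# Added example: re-acquire the computer's Kerberos ticket after a group change
# and retry autoenrollment without a reboot. Run elevated on the domain-joined client.
param(
    [Parameter(Mandatory)] [string] $GroupName,     # enrollment group (placeholder, assumed)
    [Parameter(Mandatory)] [string] $TemplateName,  # template name as shown in the cert's template extension
    [int] $WaitSeconds = 60
)

function Test-ComputerInGroup {
    # Checks AD membership (memberOf), which is what the KDC will put into the new token.
    param([string] $Group)
    $searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME$))"
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Computer account $env:COMPUTERNAME$ not found in AD" }
    [bool](@($entry.Properties['memberof']) -match "^CN=$([regex]::Escape($Group)),")
}

function Get-TemplateCertificates {
    # Machine certificates whose Certificate Template Information extension
    # (OID 1.3.6.1.4.1.311.21.7) names the template; "Template=<name>" is assumed formatting.
    param([string] $Name)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and ($ext.Format($false) -match "Template=$([regex]::Escape($Name))")
    }
}

if (-not (Test-ComputerInGroup $GroupName)) {
    throw "$env:COMPUTERNAME$ is not a member of $GroupName in AD; fix membership before purging tickets."
}
$before = @(Get-TemplateCertificates $TemplateName).Count

# Purge only the SYSTEM session's tickets (LogonId 0x3e7); user tickets are untouched.
# The next request forces a fresh TGT whose PAC carries the new group SID.
& klist -lh 0 -li 0x3e7 purge | Out-Null
if ($LASTEXITCODE -ne 0) { throw "klist purge failed with exit code $LASTEXITCODE" }

# Trigger autoenrollment now instead of waiting for the next policy refresh.
& certutil -pulse | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -pulse failed with exit code $LASTEXITCODE" }

# The pulse only schedules autoenrollment, so poll the store until a new cert appears.
$deadline = (Get-Date).AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 5
    $after = @(Get-TemplateCertificates $TemplateName).Count
} until ($after -gt $before -or (Get-Date) -gt $deadline)

[pscustomobject]@{ Computer = $env:COMPUTERNAME; Template = $TemplateName
                   CertsBefore = $before; CertsAfter = $after; Enrolled = ($after -gt $before) }
```

If Enrolled stays false, check the CA's Failed Requests for 0x80094012 as in the original post: a request made with a token that still lacks the group SID will be denied there, not retried, until the next pulse.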