Certutil access denied

    Question

  • Hi,
    I have a certificate authority running on a Server 2008 machine. If I try to back it up using the certutil command from the regular command prompt, I get an access denied message, but if I run it from the administrative command prompt, it executes perfectly. I am an administrator on the server. Any ideas as to why this is happening and whether I can resolve it in any way?

    Thanks.
    Thursday, May 14, 2009 8:34 PM

Answers

  • Hi,

    It seems the account is not a Backup Operator or a Certification Authority Administrator.  Please try the steps in the article below to configure permission. 

    Add a certification authority backup operator
    http://technet.microsoft.com/en-us/library/cc759299.aspx

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, May 21, 2009 3:20 AM
    Moderator

All replies

  • Sounds like behavior of the UAC. Administrative tasks and tools require elevation. The built-in Administrator and domain Administrator accounts bypass the UAC, by default.
    • Proposed as answer by RichJimenez Saturday, February 07, 2015 2:38 AM
    Saturday, May 16, 2009 5:31 PM
  • Hi,

    I agree with Brandon, it may be caused by UAC. You can try the steps below to change UAC behavior.

    Create a new GPO for administrators and navigate to:

    [Computer Configuration/Policies/Windows Settings/Security Settings/Local Settings/Security Options]

    Configure the following policy.

    User Account Control: Run all administrators in Admin Approval Mode
    Configure User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to "Elevate without prompting".

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, May 18, 2009 6:08 AM
    Moderator
  • Thanks a lot! I tried making the suggested changes in the Security Options but to no avail. The weird thing is it's only the certutil -backupdb command that fails (at least till now). If I do a certutil -cainfo or a certutil -view, it works fine. I don't understand why the backup command fails!
    Wednesday, May 20, 2009 6:07 PM
  • Hi,

    Thanks for your advice. I checked the link that you had suggested and followed the specified instructions but to no avail. I still get the exact same error message. Not sure what to try next.

    -p
    Tuesday, May 26, 2009 3:44 PM
  • P,
    Go to the shortcut for the command prompt in the start menu, right click on it, and launch the command prompt as an administrator.  From there, you should be fine.  This is an issue related to UAC.  So you can either turn UAC off, or deal with needing to run apps as an administrator when the need arises.  For programs you frequently need elevated rights to run as an administrator, open the shortcut properties, and on the advanced options, check the option to Run As Administrator.

    Jeff

    Wednesday, September 09, 2009 4:11 PM
  • Elevation is required to run this command.
    Brian
    Thursday, September 10, 2009 12:23 AM
  • If I wanted to run the backupdb from a bat file (to be run daily by Task Scheduler), how do I get these "elevated" privs? Do I just:

    • Make sure the destination folder has the CA added with write privs
    • Have the bat file run as the local machine CA administrator
    • Have the security options set to "Run with Higher Privs" on the Task Schedule security options dialog box
    Thanks

    Tuesday, August 03, 2010 12:13 AM
  • Wow... it took me NINE hours to figure this out.... /d'oh!!
    Sunday, October 14, 2012 1:33 AM
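
An added example, not part of any post in this thread: a PowerShell script that checks whether its token is elevated before calling certutil -backupdb and, with -Register, creates the daily task through schtasks with /RL HIGHEST, the command-line form of the "highest privileges" option asked about above. The folder, task name, 02:00 start time, running as SYSTEM, and an execution policy that allows the script to run are assumptions.

```powershell
# Added example. $BackupDir and $TaskName are hypothetical placeholders.
param(
    [string]$BackupDir = 'D:\CABackup',
    [string]$TaskName  = 'CA-Database-Backup',
    [switch]$Register   # create the daily task instead of running a backup
)

function Test-Elevated {
    # Under UAC an administrator's normal token has the Administrators group
    # marked deny-only, so this returns $false until the process is elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    Write-Error 'Token is not elevated; certutil -backupdb would return access denied.'
    exit 1
}

if ($Register) {
    $script = $MyInvocation.MyCommand.Path
    if (-not $script -or "$script$BackupDir" -match '\s') {
        Write-Error 'Save this example as a .ps1 file; it assumes paths without spaces.'
        exit 1
    }
    # /RL HIGHEST is the schtasks form of "Run with highest privileges".
    # /RU SYSTEM is an assumption made here so no password is stored.
    $run = "powershell.exe -NoProfile -File $script -BackupDir $BackupDir"
    & schtasks.exe /Create /TN $TaskName /TR $run /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST /F
    exit $LASTEXITCODE
}

# One dated folder per run: certutil refuses a non-empty target unless -f is given.
$target = Join-Path $BackupDir (Get-Date -Format 'yyyyMMdd')
if (-not (Test-Path $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}
& certutil.exe -backupdb $target
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -backupdb failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
Write-Output "CA database backed up to $target"
```

Run it once with -Register from an elevated prompt; the task it creates then runs the same script without -Register each day.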