CertSrv Request DCOM Config Greyed Out

  • Question

    Hi,

    I am trying to publish a Server 2008 Certificate Authority behind an ISA 2006 firewall. I've run into trouble because autoenrollment uses DCOM/RPC. I found a document (http://blogs.isaserver.org/pouseele/2007/10/ and http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx) on how to configure the CertSrv Request DCOM object to use a specific port.

    The problem is when I look at the properties of the CertSrv Request in the Component Services MMC, all the options are greyed out (on all tabs). I have checked other random dcom objects and some are normal, others are greyed out.

    Is there a way to fix it?

    Thanks!

    --Kyle

    (CA is Server 2008 Standard, Domain controllers are Server 2003 R2, Firewall is ISA 2006 w/ latest ISA updates)

    Tuesday, April 1, 2008 7:09 PM

Answers

  • Hello Kyle,

    Due to security considerations, some system core components only grant TrustedInstaller full control permission instead of Administrators.

    To enable modification of the settings of 'CertSrv Request':

    1.    Open Registry Editor to 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}'

    2.    Right-click the {D99E6E74-FC88-11D0-B498-00A0C90312F3} key (AppID of CertSrv Request) and choose Permissions.

    3.    Change the ownership to Administrators. Then grant Administrators the 'Full Control' permission.

    4.    Restart dcomcnfg.

    Hope it helps.

    Wednesday, April 2, 2008 5:51 AM
    Moderator
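
To record what the steps above change, the following added example (not part of the original thread) reads the owner and ACL of the AppID key without modifying anything. The function name is hypothetical; the SIDs are the well-known ones for BUILTIN\Administrators and NT SERVICE\TrustedInstaller.

```powershell
# Added example (not from the thread): read-only audit of an AppID key's owner and ACL.
# Get-AppIdKeyAclReport is a hypothetical name; the default GUID is the one quoted above.
function Get-AppIdKeyAclReport {
    param([string]$AppId = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}')

    $path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$AppId"

    # One reply reports that the key is missing; report that instead of throwing.
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ AppId = $AppId; Exists = $false }
    }

    # Well-known SIDs, compared by value so the check also works on localized systems.
    $adminsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
    $trustedSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -LiteralPath $path
    $owner   = $acl.GetOwner($sidType).Value
    $full    = [int][System.Security.AccessControl.RegistryRights]::FullControl

    # Does any Allow entry give Administrators every right in FullControl?
    $adminFull = $false
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -eq $adminsSid -and
            $rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.RegistryRights) -band $full) -eq $full) {
            $adminFull = $true
        }
    }

    [pscustomobject]@{
        AppId                     = $AppId
        Exists                    = $true
        Owner                     = $acl.Owner
        OwnerIsTrustedInstaller   = ($owner -eq $trustedSid)
        OwnerIsAdministrators     = ($owner -eq $adminsSid)
        AdministratorsFullControl = $adminFull
    }
}

Get-AppIdKeyAclReport | Format-List
```

Run it on the CA before and after the change to document the key's original owner and permissions.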

All replies

  • That worked great!

    As a note, I had to disable the firewall client on my computer in order for the request to go through (when done manually through the certificates mmc).

    Thanks for your help!

    Wednesday, April 2, 2008 2:10 PM
  • Hi Miles,

    I was just wondering if there are other ways to do this besides modifying the registry?

    Thanks!

    Monday, August 16, 2010 7:25 AM
  • I am having this same issue, but the key which you refer to after AppID:

    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}'

    does not exist... what do I do then?

    Thursday, October 7, 2010 6:21 PM
  • I am a member of the Administrators group, and when I attempt to follow the instructions above, I receive an "Access Denied" message. I have disabled Windows Firewall as was suggested below. Thanks!
    Monday, December 27, 2010 8:01 PM
  • Try this, Jim.

    I had a similar issue with a different app. I did this as follows:

    Went to the registry key, right-clicked and selected Permissions on the AppID.

    Then gave the admin user full control but got an access denied error, same as you I presume, so selected the Advanced button.

    Went to the Owner tab and just selected the admin option and made them the current owner. Clicked OK, restarted the service.

    And then the component options I needed to change were not greyed out.

    Thursday, January 20, 2011 12:19 PM
  • Make sure you use the "Advanced" button, then click the "Owner" tab to "Change owner to:" (domainName\DomainAdminGod).

    Once I did that, I was able to run a script to set the rights for the service accounts I need to have access to the COM component.

    Thanks!

    Saturday, October 29, 2011 8:45 PM
  • Hi,

    I was also facing an issue related to a SQL Server linked server that needed a change to one of the DCOM components, MSDAINITIALIZE, under the DCOM Config option, but the options were inactive for me to change.

    Finally I found a simple solution to change them instead of changing the above registry key settings.

    Here is what I tried:

    Go to Component Services --> My Computer --> right-click on My Computer --> Default Properties --> change the Default Impersonation Level from Identify to Default

    Once you are done with it, you will be able to get the DCOM Config options enabled for you to change options such as security etc.

    Monday, November 17, 2014 6:32 AM