CA - no certificate templates could be found.

  • Question

  • Dear All,

    I have a 2008 Domain Controller with the CA Server role installed, with the issue that the Web Enrollment procedure is not working properly. I can't request any certs using the web browser. Cert requests via PowerShell work fine, though.

    I get the following error:

    "No Certificate templates could be found. You do not have the permissions to request a certificate from this CA, or an error occured while accessing the Active Directory"

    I already compared the sServerConfig value in the Certdat.inc file with the dNSHostName attribute of the pkiEnrollmentService object. The values are the same (case sensitive).

    I also checked the permissions on the certificate templates - they are o.k. since I do the request with a domain admin account.

    I appreciate any help and thanks in advance,

    Chris

     

     

     

    Wednesday, March 24, 2010 10:59 AM

Answers

  • To successfully enroll certificates via the Enrollment Web Pages you need to configure at least the following:

    1) Enable SSL on the Web Pages web site in IIS.

    2) Enable Integrated authentication in IIS for this web site.


    http://www.sysadmins.lv
    Wednesday, March 24, 2010 5:15 PM
  • Hi, I solved the issue with Vadims' tip.

    In addition, I had to set login credentials in IIS for the CertSrv physical path. In IIS Manager go to Default Web Site->CertSrv and edit "Basic Settings" of the Application. Set "Connect as" in the Physical path section with an appropriate account and Test settings.

    Thanks a lot,

    Chris

    • Marked as answer by Tass IT Thursday, March 25, 2010 2:20 PM
    Thursday, March 25, 2010 9:27 AM

All replies

  • Hmm... there is no need to configure credentials for physical folder access (except cases when anonymous authentication is used).
    http://www.sysadmins.lv
    Thursday, March 25, 2010 4:01 PM
  • I was able to resolve the issue in IIS 7 by creating a separate Application Pool for the CertSrv web app, and changing the Identity from ApplicationPoolIdentity to NetworkService in the advanced settings (of the app pool).

    It's a pity that the CertSrv web application doesn't (always) work out-of-the-box in IIS 7 on Windows Server 2008.

    Good luck,

     

    Peter


    Wednesday, March 30, 2011 9:44 AM
  • Which of the two above solutions should I rely mostly on? Seems a bit strange to have to set the credentials for access.
    Tuesday, January 31, 2012 7:52 AM
  • This issue came up out of nowhere, I still don't know what caused it. I used Applied Maths NV's workaround and I was able to request and download a certificate after that. 
    Tuesday, July 3, 2012 1:44 PM
  • I created the app pool as Applied Maths NV said and everything started working again.

    The problem is that it worked before and with no change it started failing!

    Thanks!


    • Edited by elchepas1 Thursday, September 26, 2013 4:26 PM
    Thursday, September 26, 2013 4:24 PM
  • Thanks!! it worked for me!
    Thursday, September 26, 2013 4:25 PM
  • Hi Vadims, would you mind elaborating more on how to do this please :)

    Wednesday, December 25, 2013 10:48 AM
  • Hi Tass, can you explain Vadims' comments step by step please :)

    Wednesday, December 25, 2013 10:50 AM
  • There are multiple scenarios and configuration settings that worked as a solution for many users who were experiencing the same error while 

    I tried the following steps and it resolved my issue.

    It turned out that by using IIS Manager and changing the DefaultAppPool Identity to NetworkService from ApplicationPoolIdentity:

    1. Open IIS on the server hosting CA
    2. Go to Application Pools and right click to choose "Advanced Settings.." for DefaultAppPool
    3. Look for the "Identity" value under Process Model and change to NetworkService.
    4. Once completed perform an iisreset on the CA.

    Hope it helps those who have tried all other tips suggested in this post or any other forums

    • Proposed as answer by Eddy Wu Thursday, December 31, 2015 7:51 AM
    Wednesday, May 7, 2014 1:48 PM
  • Thanks, worked for me.

    Tuesday, June 2, 2015 6:23 AM
  • This can happen if your root CA certificate expired.  It's very easy to renew, just open Certification Authority Console, right click your CA name, All Tasks > Renew CA Certificate.
    Wednesday, December 9, 2015 10:44 PM
  • You saved my day, thanks.

    • Edited by Eddy Wu Thursday, December 31, 2015 7:52 AM
    Thursday, December 31, 2015 7:51 AM
  • Hello all,

    I just fixed this on our network.  For me, the steps above were only part of the solution. 

    A little history, I had recently moved from a 2003 domain to a 2012 domain (domain controller upgrade).  The certificate site lived on the old domain controller, so installing certificate services on the new domain controller.

    I couldn't access the site from any domain desktop or from the server console; got the message "No Certificate templates could be found. You do not have the permissions to request a certificate from this CA, or an error occured while accessing the Active Directory"

    Working through this post and a few others, here's what I found:

    SSL was not enabled: <sitename> -> SSL Setting -> Require SSL (checked)

    Windows Authentication was not enabled

        <sitename> -> Authentication -> Anonymous Authentication (disabled)

        <sitename> -> Authentication -> Windows Authentication (enabled)

    The app pool was set to "Application Pool Identity".  So, I created a new app pool "CertSrv" and set the identity to Network Service and assigned the site to use that app pool

    Then, I had to add the site to the trusted sites zone in Internet Explorer.

    All works now.  I would think the installation of certificate services would configure all this for you.  Instead, I wasted about 8 hours trying to figure this out.  Thanks, Microsoft!

    Friday, April 8, 2016 3:11 PM
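
Added example, not part of any post in this thread: a read-only PowerShell check for the IIS settings the posters above changed (Require SSL, Anonymous/Windows Authentication, app pool identity). It assumes the WebAdministration module and the `Default Web Site/CertSrv` path; the function names and the sample hashtable are hypothetical.

```powershell
# Added example (not from the thread). Read-only: reports settings, changes nothing.
# Assumption: the web enrollment app lives at 'Default Web Site/CertSrv'.
function Get-CertSrvSettings {
    param([string]$Site = 'Default Web Site', [string]$App = 'CertSrv')
    Import-Module WebAdministration
    $loc  = "$Site/$App"
    $auth = 'system.webServer/security/authentication'
    $read = {
        param($filter, $name)
        $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                 -Location $loc -Filter $filter -Name $name
        # Some attributes come back wrapped in an object with a .Value property
        if ($v -is [string] -or $v -is [bool]) { $v } else { $v.Value }
    }
    $pool = (Get-WebApplication -Site $Site -Name $App).applicationPool
    @{
        SslFlags      = [string](& $read 'system.webServer/security/access' 'sslFlags')
        AnonymousAuth = [bool](& $read "$auth/anonymousAuthentication" 'enabled')
        WindowsAuth   = [bool](& $read "$auth/windowsAuthentication" 'enabled')
        AppPool       = $pool
        PoolIdentity  = [string](Get-Item "IIS:\AppPools\$pool").processModel.identityType
    }
}

# Pure check over a settings hashtable, so it can be run on saved values too.
function Test-CertSrvSettings {
    param([hashtable]$s)
    $findings = @()
    # sslFlags is a comma-separated flag list; 'Ssl' alone means Require SSL
    if ($s.SslFlags -notmatch '\bSsl\b') { $findings += 'Require SSL is not set' }
    if ($s.AnonymousAuth)    { $findings += 'Anonymous Authentication is enabled' }
    if (-not $s.WindowsAuth) { $findings += 'Windows Authentication is disabled' }
    if ($s.PoolIdentity -eq 'ApplicationPoolIdentity') {
        $findings += "App pool '$($s.AppPool)' runs as ApplicationPoolIdentity " +
                     '(posters in this thread switched it to NetworkService)'
    }
    $findings
}

# Constructed sample of a misconfigured CertSrv application (not real output)
$sample = @{ SslFlags = 'None'; AnonymousAuth = $true; WindowsAuth = $false
             AppPool = 'DefaultAppPool'; PoolIdentity = 'ApplicationPoolIdentity' }
Test-CertSrvSettings $sample | ForEach-Object { "FINDING: $_" }

# On the CA server, from an elevated prompt:
#   Test-CertSrvSettings (Get-CertSrvSettings)
```
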
  • I had the same issue. It just popped up out of the blue. After creating a new application pool, assigning it to the directory, and restarting the web page, the issue was resolved.
    Thursday, May 5, 2016 1:31 PM
  • For those finding this via searching as I did, this is one of many potential issues that can cause this problem. 

    Another problem relates to the domain functional level. In our case, although the Domain Controller was 2012, the domain was still at a 2003 level. This prevents ALL existing templates from being usable (thanks Microsoft!). The solution is to create a copy of the template you need (usually Web Server) and make sure in its properties that it is usable by 2003 and above, then make sure to "issue" the new template and it should show up in the list if that was the problem.
    • Proposed as answer by Hanson Yang Thursday, November 24, 2016 6:45 AM
    Tuesday, August 23, 2016 8:35 PM
  • This is misleading. The use and availability of a template has NO impact based on your domain or forest function level. In your case, having a 2012 DC and 2003 DFL, will not impact your template. Sorry if something in the troubleshooting process caused this confusion.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Wednesday, August 24, 2016 1:37 AM
  • Thanks....big time. This solved my problem. :-)
    Monday, September 26, 2016 11:57 AM
  • In my case, the article https://support.microsoft.com/en-us/help/811418/-no-certificate-templates-could-be-found-error-message-when-a-user-req contained the answer.  However, the pkiEnrollmentService object was MISSING from my server.  I had to manually recreate it by referencing another server that did have it, and updating the values to match.  It works now.
    Thursday, July 27, 2017 2:57 PM
  • For me, restarting the server solved the problem.
    Monday, July 31, 2017 7:25 AM
  • Thanks for this tip.  In my case, the root CA certificate was expired. I needed to renew it, and that resolved the error.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, October 23, 2018 2:47 AM