CA certificate request error "Denied by Policy Module 0x80094800" Windows Server 2008 Standard

  • Question

  • When trying to request a certificate from the local CA I receive the following message:

    the requested certificate template is not supported by this CA. Denied by Policy Module 0x80094800. the request was for a certificate template that is not supported by the Active Directory Certificate Services policy:
    1.3.6.1.4.1.311.21.8.11247263.3238951.4867487.3598660.1281222.180.1.27

    The system is a domain controller running Windows Server 2008 Standard, with Enterprise CA.

    That happens to more than a single certificate template, checked that authenticated users have Read, the requesting user has Enroll and Auto Enroll rights.

    Any ideas?

    Thank you.

    • Moved by Yan Li_ Tuesday, December 20, 2011 2:58 AM (From:Directory Services)
    Monday, December 19, 2011 11:43 AM

All replies

  • The appropriate forum for your post is below, i.e. the security forum, which deals with certificates and other security-related issues.

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Proposed as answer by Mr XMVP Monday, December 19, 2011 8:38 PM
    Monday, December 19, 2011 1:52 PM
  • When trying to request a certificate from the local CA I receive the following message:

    the requested certificate template is not supported by this CA. Denied by Policy Module 0x80094800. the request was for a certificate template that is not supported by the Active Directory Certificate Services policy:
    1.3.6.1.4.1.311.21.8.11247263.3238951.4867487.3598660.1281222.180.1.27

    The system is a domain controller running Windows Server 2008 Standard, with Enterprise CA.

    That happens to more than a single certificate template, checked that authenticated users have Read, the requesting user has Enroll and Auto Enroll rights.

    Any ideas?

    Thank you.


    Have you checked whether the template is assigned to the CA server (in the Certification Authority MMC, select the Certificate Templates folder)?
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    • Proposed as answer by amercat37 Friday, November 21, 2014 7:50 PM
    Tuesday, December 20, 2011 6:37 AM
  • Yes, it is assigned. The failed requests are from the User certificate template (I duplicated the template, modified permissions Domain Users - Enroll and AutoEnroll, checked that Authenticated Users have Read permissions, issued the template) and Workstation certificate templates (same checked permissions Domain Computers Enroll and AutoEnroll, issued the template). I've chosen to deploy the certs by group policy, so every time a workstation/user tries to autoenroll a certificate I get this message on the CA and the workstation or user doesn't get the certificate. That's the same if I try to manually enroll a certificate of that type. I've also tried to enroll a code signing certificate with the same result.

     

    Tuesday, December 20, 2011 7:33 AM
  • Thank you for posting it for me at the right place :)
    Tuesday, December 20, 2011 7:43 AM
  • I think I narrowed it down. The error appears only with customized certificate templates; with default templates it seems to be OK.

    Any ideas why?

    Thank you

    Tuesday, December 20, 2011 7:55 AM
  • Check that the CA server has Read permission on the template. The Authenticated Users built-in group is granted Read permission by default, and if you happen to remove that group, the CA server must be granted permissions on the template.

    /Hasain

    • Proposed as answer by buzzingmaxx Tuesday, October 13, 2015 9:45 AM
    Tuesday, December 20, 2011 8:06 AM
  • Every duplicated certificate template that I use (the ones in question) has Authenticated Users - Read on the ACL.

    Tuesday, December 20, 2011 8:26 AM
  • What was the problem? Same issue here; help would be great.
    Saturday, June 16, 2012 8:59 PM
  • I duplicated the certificate template and published it for distribution (a simple user certificate). After publishing the default template (not duplicated) everything worked out fine. So it would be only a workaround for you. Please reply here if it's OK like that.

    RR IT Professional

    Monday, June 18, 2012 2:22 PM
  • I have just spent the last few days trying to figure out why the company I am at is getting this error.

    All the normal things didn't work.

    I finally found this posting:

    http://social.technet.microsoft.com/wiki/contents/articles/17694.troubleshooting-fim-cm-certificate-request-error-denied-by-policy-module.aspx

    Basically, this place had done some "interesting" things on their issuing CA's CRLs, and they had a lot of old ones in there. I think they were injecting the root and policy CRLs just like you would for an offline policy CA, and that they were staying.

    Once I cleaned the CRLs up, I was able to get the CA to issue the cert. The weird part is that this was only affecting the Version 1 templates. Most of the other certs published just fine.

    Anyway, I am leaving this comment here as a breadcrumb to others.


    Meow

    Friday, December 13, 2013 4:11 PM
  • It's because you have created a certificate request on a different template than the one you are trying to generate on the CA.
    Thursday, August 17, 2017 11:46 AM
  • Use the 'Template Name' value from the General tab of the Certificate Templates MMC. (Usually the name you entered when creating the template without spaces).

    Also, apologies for raising the dead on a post from 2011; hopefully future visitors see this answer.

    • Edited by jumpinf00l_ Wednesday, January 17, 2018 10:31 AM Add note about the age of the post
    Wednesday, January 17, 2018 10:30 AM
  • You need to make sure the template you are using supports the cryptography the certificate request was generated with. In my case this ended up being that my "Web Server" certificate template was configured with a minimum key size of 4096 and the certificate request was generated with 2048. Modifying the certificate template to allow for a minimum key size of 2048 or increasing the certificate request's key size to 4096 solved my issue.
    Tuesday, March 6, 2018 8:03 PM
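
Added example, not code from any poster in this thread: a read-only PowerShell check for three causes raised above (template not published on the CA, request using the display name instead of the Template Name, request key size below the template minimum). It assumes PowerShell 3.0 or later on a domain-joined machine; the parameter names and the output field names are hypothetical.

```powershell
# Added diagnostic example (not from the thread). Read-only LDAP queries only.
param(
    # CN ("Template Name"), display name, or the OID shown in the 0x80094800 message.
    # Values containing LDAP filter metacharacters such as ( ) * \ are not escaped here.
    [Parameter(Mandatory = $true)] [string] $Template,
    # Key size of the request being submitted (visible in: certutil -dump <request file>)
    [int] $RequestKeySize = 2048
)

function First($values) { if ($values) { $values[0] } }   # null-safe first value

$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Resolve the template by CN, display name, or OID.
$ts = New-Object System.DirectoryServices.DirectorySearcher
$ts.SearchRoot = [adsi]"LDAP://CN=Certificate Templates,$pkiBase"
$ts.Filter = "(&(objectClass=pKICertificateTemplate)" +
             "(|(cn=$Template)(displayName=$Template)(msPKI-Cert-Template-OID=$Template)))"
$hit = $ts.FindOne()
if (-not $hit) { Write-Warning "No certificate template matches '$Template'."; return }

$p       = $hit.Properties                      # property keys are lower-case
$cn      = [string](First $p['cn'])
$display = [string](First $p['displayname'])
$minKey  = [int](First $p['mspki-minimal-key-size'])   # 0 if the attribute is absent

# 2. Which enterprise CAs list this template CN in their certificateTemplates attribute?
$cs = New-Object System.DirectoryServices.DirectorySearcher
$cs.SearchRoot = [adsi]"LDAP://CN=Enrollment Services,$pkiBase"
$cs.Filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$cn))"
$cas = @($cs.FindAll() | ForEach-Object { [string](First $_.Properties['cn']) })

# 3. Report the values that matter for a "Denied by Policy Module" rejection.
[pscustomobject]@{
    TemplateName           = $cn        # the value a request must name
    DisplayName            = $display
    Oid                    = [string](First $p['mspki-cert-template-oid'])
    SchemaVersion          = [string](First $p['mspki-template-schema-version'])
    MinimumKeySize         = $minKey
    PublishedOnCAs         = $cas -join ', '
    IsPublished            = $cas.Count -gt 0
    LookedUpByDisplayName  = ($Template -eq $display) -and ($Template -ne $cn)
    RequestKeySizeAccepted = $RequestKeySize -ge $minKey
}
```

Passing the OID from the error message as `-Template` shows which template the CA rejected; an empty `PublishedOnCAs` or a false `RequestKeySizeAccepted` points at the corresponding answer above.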
  • After publishing a new CRL, the template worked OK. Thanks, Script Kitty.
    Wednesday, May 30, 2018 8:29 AM