Template does not show up in Web Enrollment pages.

  • Question

  • We duplicated the Web Server version 1 template on our Windows 2003 Server CA and published it to the CA for issuance.  Set the permissions accordingly, Domain Admins: Read, Write, Enroll  

     

    Then when we go to a Windows Server 2008 R2 Enterprise server, log in with an account with Domain Admins, and run http://OurServer/certsrv to submit an Advanced Certificate Request, we cannot see that template.  Days went by from the time we made the template and tried the request.  The CA was stopped and restarted.

     

    Other duplicate templates do show up, just not this one. Any ideas?

    Tuesday, March 23, 2010 3:54 PM

Answers

  • I had a similar situation with a copy of a Computer template not showing up on the CertSrv site.  I called Microsoft and the technician said to change the setting from "Build from this Active Directory information" to "Supply in the request" on the "Subject Name" tab of the certificate template.  I don't know if this is the best option for you, but it worked to make it available via CertSrv...
    Tuesday, March 23, 2010 4:43 PM
  • Hi,

    It is true that we need to select the "Supply in the request" option in order for the certificate template to be visible in the web enrollment page. We don't need to select the option for the User and Basic EFS certificate templates because they are User type certificate templates.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, March 29, 2010 6:38 AM
    Moderator
  • Try to do the following:

    1) Duplicate the Web Server template;

    2) In Template Display name type 'Web Server V2'

    3) Make sure the template common name is 'WebServerV2' (this name is automatically generated if you type the display name as specified).

    4) add this template to issue on your issuing CA.

    5) connect to enrollment web pages and check if duplicated template appears.


    http://www.sysadmins.lv
    Monday, March 29, 2010 4:43 PM

All replies

  • First, Windows Server 2008 and higher require that you access the Web Enrollment Pages using HTTPS only.
    http://www.sysadmins.lv
    • Proposed as answer by SlySpy Tuesday, August 25, 2015 2:58 PM
    Tuesday, March 23, 2010 5:11 PM
  • I had a similar situation with a copy of a Computer template not showing up on the CertSrv site.  I called Microsoft and the technician said to change the setting from "Build from this Active Directory information" to "Supply in the request" on the "Subject Name" tab of the certificate template.  I don't know if this is the best option for you, but it worked to make it available via CertSrv...

    Joe I tried your advice and the template did show up, however that makes no sense since I have two other templates, a User template and a Basic EFS template that build the Subject Name from Active Directory and those two show up fine.  I bet it's some built in feature of the Web Enrollment pages that treats different templates differently, just like the IIS certificate Wizard and the Web Server template.  I hope I am wrong.
    Tuesday, March 23, 2010 5:31 PM
  • First, Windows Server 2008 and higher require that you access the Web Enrollment Pages using HTTPS only.
    http://www.sysadmins.lv

    I was thinking about that, but I just tested and both HTTP: and HTTPS: work for us from a Windows 2008 box to a Windows 2003 CA.
    Tuesday, March 23, 2010 5:33 PM
  • Hey G-r-e-g.  I agree - it makes no sense.  I saw the other posts about https, but I believe that's mostly the browser version that is being used (unless you've secured the web site).  As for my situation - what the tech said was OK, because I did need to supply the info in the request (for those certificates).

    I noticed that some of my computer or user based templates didn't show up until I set the security to allow the specific user read access (I've enabled URL Authorization) or granted read access to Domain User (or Authenticated Users).  I'll poke around a bit if I get a chance...

    Wednesday, March 24, 2010 3:00 AM
  • Is this a version 2 or version 3 template? Version 3 templates are not supported by Web Enrollment Pages (see for example http://blogs.technet.com/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx or http://support.microsoft.com/kb/2015796).

     

    Martin

    • Proposed as answer by LRA-M Wednesday, January 18, 2017 3:43 PM
    Wednesday, March 24, 2010 8:05 AM
  • I have worked on a similar issue with one customer. The issue was caused by the following:

    1) in the certificate template, the Subject tab wasn't switched to Supply in request.

    2) the certificate template was configured for validity greater than one year.

    When we configured *both* values, the certificate template appeared in EWP (Enrollment Web Pages).


    http://www.sysadmins.lv
    Monday, March 29, 2010 3:28 PM
  • Is this a version 2 or version 3 template? Version 3 templates are not supported by Web Enrollment Pages (see for example http://blogs.technet.com/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx  or http://support.microsoft.com/kb/2015796 ).

     

    Martin

    Since our CA servers are Windows 2003 I will say with 97% confidence, lol that they are version 2 templates.
    Monday, March 29, 2010 4:01 PM
  • Since our CA servers are Windows 2003 I will say with 97% confidence, lol that they are version 2 templates.


    Sorry I just skimmed your question and saw a 2008 Server, by mistake I thought you use 2008 server for CA as well. My bad.

     

    • Proposed as answer by S Rodgues Wednesday, November 26, 2014 6:07 PM
    Tuesday, March 30, 2010 8:23 AM
  • Hello,

    I think the problem is quite simple. Looks like a bug in the Installation Wizard.

    Your newly Created User (SBSAdmin) has no Rights for the Template!

    Solution:

    1. Activate the regular Administrator

    2. Do the Request with the regular Administrator

    OR

    1. Open MMC

    2. Load Certificate Service Snapin

    3. Go to Properties of the WEBSERVER Template

    4. Give the New User Rights to the WEBSERVER Template

    5. Do the Procedure again / Reload the Page.

    6. The Webserver Template should show up

    Greetings

    Ritchy

     

     

    • Proposed as answer by autoxrcbr Thursday, September 8, 2011 10:05 PM
    • Unproposed as answer by autoxrcbr Thursday, September 8, 2011 10:05 PM
    • Proposed as answer by Fred_Larracuente Friday, February 21, 2014 4:56 PM
    Friday, June 3, 2011 9:57 AM
  • I'm using my MS PKI for my native mode SCCM deployment and ran into an issue when setting up the certificates as per the following doc:

     

    http://technet.microsoft.com/en-us/library/cc707697(d=printer).aspx

     

    I noticed that my Certificate Templates ConfigMgrWebServerCertificate and ConfigMgrClientCertificate were not showing up on the enrollment web page.  Based on the answers above, I was able to figure out what was needed.  I needed to select the "Supply in the request" option.  In addition, I needed to give Domain Admins (or whatever group you need) the Enroll Permission.  After doing these steps, I had to unpublish the template and then republish it. Hope this is helpful.

    Thursday, September 8, 2011 10:11 PM
  • What I missed was that I didn't know how to publish the new template.

    I found the solution under http://thoughtsonopsmgr.blogspot.com/2010/04/windows-server-2008-r2-ca-scom.html, Step 3.

    In the MMC, go to Certification Authority > collapse this node > click with right mouse button on Certificate Templates > New > Certificate Template To Issue.

    Hope this helps,

    Jens

    • Proposed as answer by MaxiPalle Wednesday, January 11, 2012 7:52 AM
    Wednesday, January 11, 2012 7:52 AM
  • "...version 3 templates cannot be requested via web enrollment using the “out of box” certificate web enrollment pages.  All other methods for enrolling in a Version 3 template based certificate will work fine."

    http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx


    Dan Visan

    • Proposed as answer by chrislehr Wednesday, June 20, 2012 6:51 PM
    Saturday, May 26, 2012 2:44 PM
  • I had a similar problem on Windows Server 2012. I only saw 2 certificate templates: basic and user.

    I was able to get all the certificates listed when I first started an elevated Internet Explorer (with the known 'Run as administrator...').

    At that time I could select a lot more templates. Maybe this can help,

    sincerely.

    • Proposed as answer by Code Chief Wednesday, January 23, 2019 2:46 PM
    Friday, May 3, 2013 12:50 PM
  • In my case it was helpful to grant full access to all Users/Groups listed on the security tab of the duplicated template, and restart the CA. When the new template showed up on the enrollment page, I changed all Users/Groups back to the defaults and restarted the CA service again. The template still stays available on the enrollment pages. Also, a newly created template was showing up on the enrollment pages without changing anything in the security tab. Looks like a bug.
    Monday, November 4, 2013 11:47 AM
  • Very many answers here are right, saying, that the user needs to have the Enroll rights for the certificate template, they need to have "Supply in the request" specified, but one more important thing everyone forgets is that the CA computer account itself needs to have proper permissions to that certificate template (Read and Enroll).

    It is explained very nicely in here:

    http://social.technet.microsoft.com/wiki/contents/articles/12039.active-directory-certificate-services-ad-cs-error-in-order-to-complete-certificate-enrollment-the-web-site-for-the-ca-must-be-configured-to-use-https-authentication.aspx

    Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK

    Saturday, January 25, 2014 12:50 AM
  • Very many answers here are right, saying, that the user needs to have the Enroll rights for the certificate template, they need to have "Supply in the request" specified, but one more important thing everyone forgets is that the CA computer account itself needs to have proper permissions to that certificate template (Read and Enroll).

    It is explained very nicely in here:

    http://social.technet.microsoft.com/wiki/contents/articles/12039.active-directory-certificate-services-ad-cs-error-in-order-to-complete-certificate-enrollment-the-web-site-for-the-ca-must-be-configured-to-use-https-authentication.aspx

    Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK

    That is only required if you are using the MMC to request the certificate, and that you're going to be requesting the certificate for the CA itself. In the case where you're going to be requesting a certificate via the web enrollment web site, there is no need for the CA to have Enroll permissions on the certificate template.

    Saturday, January 25, 2014 8:13 AM
  • For me the solution was exactly the same as Roeland's... My problem was resolved only by opening IE with Administrator level.

    Guys, first try with this!!!

    Morice RDZ (Partner)


    Morice Flores

    • Proposed as answer by Code Chief Wednesday, January 23, 2019 12:46 PM
    • Unproposed as answer by Code Chief Wednesday, January 23, 2019 2:46 PM
    Monday, March 24, 2014 11:01 PM
  • Hi all,

      Trying to set up Cisco ASA for VPN users, I have noticed that we need the IPsec template, and some say the web server template, but I cannot see the IPsec template.

      

    So how do I see the IPsec template?

    As

    Thursday, July 17, 2014 2:02 AM
  • On Thu, 17 Jul 2014 02:02:14 +0000, AUSSUPPORT wrote:

      Trying to set up Cisco ASA for VPN users, I have noticed that we need the IPsec template, and some say the web server template, but I cannot see the IPsec template.

      

    So how do I see the IPsec template?

    The answer to your question has already been posted in this thread. The
    IPSec template is a computer template and is configured to build the
    subject from AD so it won't be available through web enrollment.


    Paul Adare - FIM CM MVP
    Fsck, either way I'm screwed. -- petro
    Now that is the Sysadmin's motto. -- Peter da Silva

    Thursday, July 17, 2014 7:29 AM
  • Hello,

    I think the problem is quite simple. Looks like a bug in the Installation Wizard.

    Your newly Created User (SBSAdmin) has no Rights for the Template!

    Solution:

    1. Activate the regular Administrator

    2. Do the Request with the regular Administrator

    OR

    1. Open MMC

    2. Load Certificate Service Snapin

    3. Go to Properties of the WEBSERVER Template

    4. Give the New User Rights to the WEBSERVER Template

    5. Do the Procedure again / Reload the Page.

    6. The Webserver Template should show up

    Greetings

    Ritchy

     

     

    Great Solution,

    this worked for me. Thanks a lot.

    Mustafa Yildiz

    Friday, September 19, 2014 9:52 AM
  • For Windows 2003 advanced server, add the following steps:

    • Once you have created your new template (duplicate)
    • Close the Certificate Templates console and return to the Certificate Authority console.
    • In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue for your new template.
    • In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.
    • Now it works

    Thursday, November 6, 2014 2:12 AM
  • I made a test; you need to do this:

    duplicate a model

    choose what you want

    and the important thing: change security for your specific group/user to just read and enroll, uncheck write permissions, and that's working

    just to be sure, close your browser

    Friday, November 7, 2014 4:57 PM
  • I know this post is old but I was banging my head against the wall for, IDK, weeks on this issue, and if nothing else this will keep my part of the solution available if I need it in the future. I followed this and other posts' suggestions too but never got a resolution. It made sense that it was a permissions issue but I couldn't find where it was until I stepped back for a second and checked the Security tab of the CA itself, and I noticed that Domain Computers was not listed. For no other reason but to try it I added Domain Computers; by default the "Request Certificates" permission was set to allow. I clicked apply, then hit refresh on the certsrv site, and bang, my duplicate Web Server Certificate Template, which was named VMware Certificate, was in the list and I could go on my merry way.
    Tuesday, November 25, 2014 9:25 PM
  • What all these posts failed to mention is that MS Active Directory Certification Services is based on the AD domain forest level. So if your forest level is 2003, then you cannot use 2008 and up custom templates in ADCS Web services. Most people having this issue have it because the CA custom template is 2008 and above. Try duplicating your template in the Certificate Templates console; the first question when duplicating the template is to choose 2003 or 2008.

    Choose 2003, then go into the Certification Authorities MMC (certsrv.msc), right-click the Certificate Templates folder there, and issue the template that you just created. Now go to your ADCS web site and you should be able to see your custom template. I know, what about the 2008 templates... Your AD forest level will need to be raised to 2008 R2 for the ADCS web to show the newer 2008 custom templates. Good luck, my hard-earned .2 cents. I hope this helps someone out there because it took me weeks to figure this out.

    Wednesday, July 1, 2015 4:04 PM
  • I read in one of the MS links, which says "To enable enrollment through the Certificates snap-in, Web-based enrollment, or automatic renewal, assign Read and Enroll permissions to either domain or universal groups."

    I also reviewed the settings on my CA server: wherever I have a Global group as part of Read & Enroll on a certificate, that certificate is not visible on the portal, but whichever is configured with a Universal or Domain Local group is visible on the portal.

    Link for the same : https://technet.microsoft.com/en-us/library/cc770794(v=ws.10).aspx


    Vicky Rajdev


    • Edited by VicK_Rajdev Wednesday, August 19, 2015 10:10 AM
    Wednesday, August 19, 2015 10:08 AM
  • This is incorrect information - domain and forest functional level has NO impact on the template version you choose.

    The web enrollment pages have not changed since Server 2003 and as a result, they were never changed to support V3 or V4 templates. It has nothing to do with functional levels of AD.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Wednesday, August 19, 2015 3:11 PM
  • I know this is a very old post, but the same problem keeps coming up, so I wanted to add the answer at the top of the list.

    There are many issues to look at before moving forward.

    Verify permissions on the template; make sure the account in question has read and enroll permissions.

    Very important, and I think this is something that Microsoft should have fixed by now, but: make sure the template is not a 2008 template and it's a 2003 template (if you are having issues with custom OIDs).

    There are a few other things, but they depend on where you missed the mark. Good luck!


    G-EDGE

    • Proposed as answer by G-EDGE Tuesday, August 15, 2017 8:38 PM
    Tuesday, August 15, 2017 8:38 PM
  • Thanks Carlos, this helped me...

    then go into the Certification Authorities MMC (certsrv.msc) and there then right-click the Certificate Templates folder and issue the template that you just created

    FYI I have a 2016 Domain functional level, Win server 2016 CA and windows 10 client, issuing a Web Server Certificate.  Changed the Certification authority compatibility to  Windows server 2016 and Certificate Recipient to Windows 10 / Windows Server 2016 on the duplicated template and it shows up in the https://myserver/CertSrv pull down.
    • Edited by swirch Thursday, June 7, 2018 2:09 PM More info
    Thursday, June 7, 2018 1:53 PM
  • Someone proposed this as an answer and then unproposed it, but I was also banging my head for ages trying to get a template to appear in the new certificate to issue list. Having made the addition to permissions that Michael suggested, I too found that it worked, so thanks to the author for his suggestion.
    Wednesday, September 5, 2018 1:08 PM
  • Well, I'm aware of the V2 and V3 template version limitations, but I noticed another behavior in Windows 10 / Windows Server 2016. For some reason, in the Web Enrollment Page, I'm not able to see the templates, while everything is fine with IE11 on Windows 8.1 / Windows Server 2012R2.

    On Windows 10, IE11 with default settings shows the templates but the CSP remains on status loading... so you can enroll nothing.

    Solution is to:

    1. Add the CA FQDN / URL under IE Trusted Sites / Intranet zone. After that CSP will load but the templates with enabled "Archive subject's encryption private key" option are missing from the list. 

    2. In order to view the missing templates, go to IE11 debug mode (by pressing F12), then go to Emulation and under "User agent string" switch to "Internet Explorer 10". Refresh the page and you should be able to see the full list as it is in Windows 8.1 / Windows 2012R2.

    3. Enjoy 



    Thursday, April 18, 2019 3:18 PM
  • This was my issue!
    Thursday, November 21, 2019 12:15 AM
  • Give enroll access in the property --> Security tab of that template and it will show up. :)
    • Edited by Shong Chen Wednesday, January 22, 2020 1:56 PM
    Wednesday, January 22, 2020 1:54 PM
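
The settings the replies in this thread point at (template schema version, "Supply in the request", Read/Enroll permissions, and whether the template has been added to a CA as a "Certificate Template to Issue") can all be read from Active Directory in one pass. The PowerShell below is an added example, not code from any poster or from Microsoft; the function name and the 'WebServerV2' default are assumptions, and it expects a domain-joined machine with read access to the Configuration partition.

```powershell
# Added example: reads the template settings discussed in this thread from AD.
# The function name and the 'WebServerV2' default are illustrative assumptions.
function Get-WebEnrollmentTemplateState {
    param([string]$Name = 'WebServerV2')   # template common name (cn), not display name

    $rootDse = [ADSI]'LDAP://RootDSE'
    $config  = $rootDse.psbase.Properties['configurationNamingContext'].Value
    $pks     = "CN=Public Key Services,CN=Services,$config"
    $tmplDn  = "LDAP://CN=$Name,CN=Certificate Templates,$pks"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tmplDn)) {
        throw "Template '$Name' was not found under $pks"
    }
    $tmpl = [ADSI]$tmplDn

    # Schema version; if the attribute is absent, treat the template as version 1.
    $version = $tmpl.psbase.Properties['msPKI-Template-Schema-Version'].Value
    if ($null -eq $version) { $version = 1 }

    # Bit 0x1 of msPKI-Certificate-Name-Flag is set for "Supply in the request".
    $nameFlag = [int]$tmpl.psbase.Properties['msPKI-Certificate-Name-Flag'].Value
    $supplied = ($nameFlag -band 0x1) -ne 0

    # Allow ACEs on the template: Read, and the Enroll extended right.
    $rights     = [System.DirectoryServices.ActiveDirectoryRights]
    $enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
    $allow = @($tmpl.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $read = $allow |
        Where-Object { $_.ActiveDirectoryRights.HasFlag($rights::GenericRead) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    $enroll = $allow |
        Where-Object { $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
                       $_.ObjectType -in @($enrollGuid, [guid]::Empty) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # CAs that list the template in certificateTemplates ("Certificate Template to Issue").
    $services = [ADSI]"LDAP://CN=Enrollment Services,$pks"
    $cas = $services.psbase.Children |
        Where-Object { @($_.psbase.Properties['certificateTemplates']) -contains $Name } |
        ForEach-Object { $_.psbase.Properties['cn'].Value }

    [pscustomobject]@{
        Template                 = $Name
        SchemaVersion            = [int]$version
        SchemaVersionIs1Or2      = ([int]$version -le 2)   # thread: V3 is not offered by certsrv
        SubjectSuppliedInRequest = $supplied
        PublishedOnCAs           = @($cas)
        ReadPrincipals           = @($read)
        EnrollPrincipals         = @($enroll)
    }
}

Get-WebEnrollmentTemplateState -Name 'WebServerV2' | Format-List
```

An empty PublishedOnCAs list means the template was never added on the CA; an account missing from ReadPrincipals or EnrollPrincipals (directly or through a group) will not see it offered.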