Certificate Server admin user problem

    Question

  • Hello,

    I have a Windows 2008 certificate server that is a member of a Windows 2008 R2 domain. If I use my domain administrator user (domain\myuser) I cannot generate any certificate. But if I use the domain\administrator user I can generate all kinds of certificates. My user belongs to the same domain groups as the user “administrator”.

    What is happening? Which group do I have to add to domain\myuser?

    Thanks in advance.

    José Manuel.

    Friday, May 21, 2010 12:37 PM

Answers

  • Hi,

    Yes, the users should be included in the local groups as far as I know.

    According to the output of the nltest commands, it seems there is something wrong with the secure channel between the CA server and DC1. Is there any netlogon 3210 or Kerberos 4 event on the CA?

    Meanwhile, please check the AD replication status between the DCs.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, May 28, 2010 2:20 AM
    Moderator
  • I have a solution.

    The issue is a bit ridiculous. I only have to execute the browser as an administrator, that simple.

    After reviewing permissions, groups, replication between domain controllers, firewalls, even after considering a conspiracy ... I thought that it could be the same thing that occurs with virtual server, where you have to run the window as administrator.

    Greetings to all and thank you very much for your cooperation.
    Friday, May 28, 2010 5:11 PM
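    A read-only PowerShell diagnostic for the symptoms described in this thread, added here as an example and not taken from the thread or from Microsoft. It assumes it runs on the CA member server and uses the placeholder user name and the CLSID quoted in the posts; the group name, event ID and nltest switch are the ones the thread discusses.

```powershell
# Added diagnostic for the symptoms in this thread; not code from the thread or from Microsoft.
# Assumptions: run in PowerShell on the CA member server; $User and $Clsid are the
# placeholder values quoted in the thread, so replace them with real ones.
$User  = 'domain\myuser'
$Clsid = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}'   # CLSID from the DCOM event in the thread
$Domain, $Account = $User -split '\\', 2

# 1. Elevation check. Under UAC a member of Domain Admins who starts a program without
#    "Run as administrator" gets a filtered token, so the admin group membership is not
#    applied to the DCOM activation; the built-in Administrator account has Admin Approval
#    Mode off by default, which matches the symptom in the thread.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running elevated: $elevated"

# 2. Membership of the LOCAL 'Certificate Service DCOM Access' group on the member server,
#    read through ADSI (works on Server 2008, where Get-LocalGroupMember does not exist).
$group   = [ADSI]'WinNT://./Certificate Service DCOM Access,group'
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$direct = $members -contains $Account
"Direct member of local Certificate Service DCOM Access: $direct (members: $($members -join ', '))"

# 3. Recent DCOM Local Activation denials for this CLSID and user. Event 10016 from
#    DistributedCOM is the event that carries the "does not grant Local Activation
#    permission" text quoted in the thread.
$filter  = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
$denials = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Clsid.Trim('{}')) -and
                   $_.Message -match [regex]::Escape($Account) })
"DCOM 10016 denials for $Account on $Clsid among the last 200 such events: $($denials.Count)"
$denials | Select-Object TimeCreated, Message -First 3 | Format-List

# 4. Secure channel to the domain, the check the thread ran with nltest. A non-zero status
#    here points at the machine's domain trust, not at DCOM permissions.
$sc = & nltest /sc_verify:$Domain 2>&1
"nltest /sc_verify:$Domain -> $($sc -join ' ')"
```

    If step 1 reports False while the user is in Domain Admins, the filtered token, not group membership, is the first thing to rule out; steps 2 and 3 then show whether the DCOM grant itself is missing.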

All replies

  • More information, the event viewer shows this error:

    The configuration of application-specific permission does not grant Local Activation permission for the COM Server application with CLSID (D99E6E74-FC88-11D0-B498-00A0C90312F3) to the user domain\myuser with SID (S-1-5-21-...) on the localhost address (with LRPC). This security permission can be modified using the Component Services administrative tool.

    Any idea?

    Thanks in advance.

    Jose Manuel

    Tuesday, May 25, 2010 4:41 PM
  • Hello

    Try adding to the Certificate Service DCOM Access group. Are you saying you are also a member of the Domain Admins group?


    Isaac Oben MCITP:EA, MCSE
    Tuesday, May 25, 2010 5:15 PM
    Thank you Isaac,

    I have added my user to the local Certificate Service DCOM Access group (the Certificate Server is installed on a member server) and I have restarted the CS service and the web service. The problem continues.

    And it is right that my user is a member of the Domain Admins group.

    Thank you.

    Tuesday, May 25, 2010 9:00 PM
  • Hi,

    The solution in the following thread should be able to help you resolve the issue:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/8ec757e0-2e01-4f61-9b43-be7b32bb1c9d

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, May 26, 2010 5:48 AM
    Moderator

  • Joson,

    I have checked all the permissions and they are correct. But I have a doubt: the CA server is installed on a member server, not on a domain controller, so users should be included in the local groups on the member server, shouldn't they? I have the group Certificate Service DCOM Access in Active Directory (Builtin container) but without any user included.

    When I execute nltest /sc_verify:domain on the CA server I get:
    I_NetLogonControl: Status = 5 0x5 ERROR_ACCESS_DENIED

    And when I execute nltest /server:dc1.domain.com /sc_verify:domain on the CA server I get:
    I_NetLogonControl: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    Dc1 is the first domain controller installed.

    And when I execute nltest /server:dc2.domain.com /sc_verify:domain on the CA server I get a successful message.
    Dc2 is the secondary domain controller installed.

    I hope this could help for knowing what is happening.

    Thank you in advance.
    Thursday, May 27, 2010 11:02 PM