PaulLG
An old 2003 DC with Root CA was decommissioned and replaced with a new 2008
server.
The CA was backed up on the old server, and restored onto the new 2008 DC
with the same name. The certificate database appears intact.
We can request new user certificates via the web interface, but
auto-enrolment fails. Nothing is shown in the Failed Requests list.
User certificates can be requested via the MMC, but computer certificates
fail with
"The certificate request failed because of one of the following conditions:
-The certificate request was submitted to a Certification Authority (CA)
that is not started.
-You do not have the permissions to request certificates from the available
CAs."
I have followed the troubleshooting guide
http://blogs.technet.com/askds/archive/200...te-snap-in.aspx
(as I haven't found a 2008 version) and everything seems OK except for the
guide's reference to the group CERTSVC_DCOM_ACCESS, which does not exist in
our AD. The certutil -setreg fix does not create the group, and our
correctly-working lab network does not contain the group either.
The Application log on the client shows:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied.
The System log on the client shows:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10006
Date: 24/08/2009
Time: 14:04:42
User: N/A
Computer: FF8
Description:
DCOM got error "General access denied error " from the computer
FF1.domain.local when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
I have checked the DCOM permissions for "CertSrv Request" against our
working lab server, and they are identical.
Any idea what I'm missing?
Paul
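Added here as a diagnostic that is not part of the post: a PowerShell script, run elevated on the CA server, that checks the three things the symptoms point at: whether a DCOM access group exists and contains the groups autoenrolling machines belong to, the launch/access DACL on the "CertSrv Request" AppID named in the DCOM 10006 event, and the CA's SetupStatus flags that the certutil -setreg fix manipulates. The 2008 built-in group name "Certificate Service DCOM Access", the expected member groups and the SETUP_DCOM_SECURITY_UPDATED_FLAG name come from my own knowledge rather than the post, and the CA common name in the final step is a placeholder.

```powershell
# Added diagnostic (not from the post). Run in an elevated PowerShell on the CA server (FF1).
# Page-derived value: AppID of "CertSrv Request" from the DCOM 10006 event on the client.
$AppId      = '{D99E6E74-FC88-11D0-B498-00A0C90312F3}'
# 2003-era name from the askds guide, and (assumption, my own knowledge) the built-in
# name Windows Server 2008 uses for the same role.
$GroupNames = 'CERTSVC_DCOM_ACCESS', 'Certificate Service DCOM Access'
$Required   = 'Domain Computers', 'Domain Users', 'Domain Controllers'   # autoenrollment clients

# 1. Which DCOM access group exists, and does it contain the groups the clients belong to?
$found = $false
foreach ($g in $GroupNames) {
    $out = & net localgroup $g 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Host "[MISSING] group '$g'"; continue }
    $found = $true
    $members = @($out | Where-Object { $_ -match '\\' })          # member lines look like DOMAIN\Name
    Write-Host "[FOUND]   group '$g' members: $($members -join ', ')"
    foreach ($r in $Required) {
        if (-not ($members -match [regex]::Escape($r))) { Write-Host "  [WARN] '$r' is not a member of '$g'" }
    }
}
if (-not $found) { Write-Host "[WARN] no DCOM access group exists; certsvc has not recreated it (see SetupStatus below)" }

# 2. Launch and access DACLs on the CertSrv Request DCOM application (what dcomcnfg shows).
#    Remote clients need remote launch/activation (mask bits 0x4/0x10) and remote access (0x4).
$app = Get-WmiObject Win32_DCOMApplicationSetting -Filter "AppID='$AppId'" -EnableAllPrivileges
if (-not $app) { Write-Host "[ERROR] DCOM AppID $AppId is not registered"; return }
$dacls = @{ Launch = $app.GetLaunchSecurityDescriptor().Descriptor
            Access = $app.GetAccessSecurityDescriptor().Descriptor }
foreach ($kind in $dacls.Keys) {
    $sd = $dacls[$kind]
    if (-not $sd) { Write-Host "$kind permissions: machine-wide defaults (no per-app DACL)"; continue }
    Write-Host "$kind permissions:"
    foreach ($ace in $sd.DACL) {
        $type = if ($ace.AceType -eq 0) { 'ALLOW' } else { 'DENY ' }   # Win32_ACE: 0 = allow, 1 = deny
        Write-Host ('  {0} {1}\{2} mask=0x{3:X}' -f $type, $ace.Trustee.Domain, $ace.Trustee.Name, $ace.AccessMask)
    }
}

# 3. SetupStatus: the askds fix clears SETUP_DCOM_SECURITY_UPDATED_FLAG so that certsvc
#    rebuilds its DCOM security (and the access group) on its next start. certutil decodes the flags.
& certutil -getreg SetupStatus

# 4. From the client (FF8), as SYSTEM (e.g. psexec -s), confirm DCOM reachability end to end:
#    certutil -ping -config "FF1.domain.local\<CA common name>"     (<CA common name> is a placeholder)
```

Compare the output with the same script run on the working lab CA; a missing group, a DACL that lacks a remote-activation allow entry for it, or a SetupStatus that still carries the DCOM flag each accounts for the 0x80070005 in the AutoEnrollment event 13.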