
Autoenrollment error with Win2K3 servers - Event IDs 13 and 17



Posted

Hi,

I recently installed an Enterprise Root CA on my domain and am running into some issues with my servers autoenrolling a computer certificate, while all of my workstations can autoenroll without any issue. Also, the CA can autoenroll itself for a computer certificate as well. Some background regarding this is listed below:

- All servers are Windows 2003 SP2 Enterprise
- All workstations are Windows 2000 SP4
- CA is installed on a member server in the domain
- Workstations are able to autoenroll and request a cert via MMC and Web
- Servers, including DCs, are unable to autoenroll or request via MMC and Web

MMC error I get is "The certificate request failed because of one of the following conditions: The certificate request was submitted to a Certification Authority (CA) that is not started. You do not have the permissions to request certificates from the available CAs."

Web error is "No certificate templates could not be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."

I have spent a decent amount of time searching for a solution for this issue and everything that I have come across doesn't seem to fix my problem. I have gracefully decommissioned my CA and rebuilt it without any resolution.

Some things I have tried to do to fix this issue:

- Located the CERTSVR_DCOM_ACCESS group on the CA and added the "Domain Users, Domain Computers, Domain Controllers and Domain Servers" groups, ran certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, and then rebooted the server.
- Verified the ACLs on the Machine Keys folder on each server so only System and Administrators had Full Access and Everyone had Read
- Verified that the sServerConfig value matched the Certdat.inc value
- Ran certutil -ping on the CA from a server and verified success
- Verified certsvc and RDP ports are listening via portqry.exe
- Verified "Auth. Users" have 'Request Certs' permissions on the root of the CA
- Using dssite.msc, verified that "Auth Users" have Read and Enroll and "Domain Computers" have 'Read and Enroll'
- All servers have the CA cert in 'Trusted Root Certificate Authorities'

I am running out of ideas on why only workstations and the CA can autoenroll and receive a computer certificate. One thing I have yet to try is to duplicate the computer certificate and adjust permissions, in the hope that maybe only a version 2 cert will work with Windows 2003 autoenrollment, but I am doubting it.

If anyone needs more information or event log info, I can provide it.

Thanks,

Posted

RE: Autoenrollment error with Win2K3 servers - Event IDs 13 and 17

 

I meant RPC port, not RDP, in my post.

 


Posted

RE: Autoenrollment error with Win2K3 servers - Event IDs 13 and 17

 

Some event log information:

Event Type: Warning
Event Source: AutoEnrollment
Event Category: None
Event ID: 17
Date: 10/24/2008
Time: 8:45:13 AM
User: N/A
Computer: %hostname%
Description:
Automatic certificate enrollment for local system failed to enroll for one Computer certificate from certificate authority %CA NAME% on %CA FQDN% (0x80070005). Access is denied.
Another certificate authority will be contacted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 10/24/2008
Time: 8:45:13 AM
User: N/A
Computer: %hostname%
Description:
Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x80070005). Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

 


Posted

RE: Autoenrollment error with Win2K3 servers - Event IDs 13 and 17

 

Solved the issue! After rebuilding the server from scratch and carefully making security configuration changes, I was able to pinpoint the cause of my frustration. In the Local Security Policy, under Local Policies\Security Options, our security checklist has us change the SDDLs under "DCOM:Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM:Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" from 'O:BAG:BAD:(A' on both items to something else more restrictive. So with that, I am reading up on what these mean and what I will need to do in order to comply with our security guidance and make this work.

 

"Boe" wrote:

> Some event log information:

> Event Type: Warning

> Event Source: AutoEnrollment

> Event Category: None

> Event ID: 17

> Date: 10/24/2008

> Time: 8:45:13 AM

> User: N/A

> Computer: %hostname%

> Description:

> Automatic certificate enrollment for local system failed to enroll for one

> Computer certificate from certificate authority %CA NAME% on %CA FQDN%

> (0x80070005). Access is denied.

> Another certificate authority will be contacted.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

>

>

>

> Event Type: Error

> Event Source: AutoEnrollment

> Event Category: None

> Event ID: 13

> Date: 10/24/2008

> Time: 8:45:13 AM

> User: N/A

> Computer: %hostname%

> Description:

> Automatic certificate enrollment for local system failed to enroll for one

> Computer certificate (0x80070005). Access is denied.

>

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

>

>

> "Boe" wrote:

>

> > Hi,

> >

> > I recently installed an Enterprise Root CA on my domain and am running into

> > some issues with my servers autoenrolling a computer certificate while all of

> > my workstations can autoenroll without any issue. Also, the CA can

> > autoenroll itself for a computer certificate as well. Some background

> > regarding this listed below:

> > -All servers are Windows 2003 SP2 Enterprise

> > -All workstations are Windows 2000 SP4

> > -CA is installed on a member server in the domain

> > -Workstations are able to autoenroll and request a cert via MMC and Web

> > -Servers to include DC's are unable to autoenroll or request via MMC and Web

> > MMC error I get is "The certificate request failed because of one of the

> > following conditions: The certificate request was submitted to a

> > Certification Authority (CA) that is not started. You do not have the

> > permissions to request certificates from the available CAs."

> > Web error is "No certificate templates could not be found. You do not have

> > permission to request a certificate from this CA, or an error occurred while

> > accessing the Active Directory."

> >

> > I have spent a decent amount of time searching for a solution for this issue

> > and everything that I have came across doesn't seem to fix my problem. I have

> > gracefully decommisioned my CA and rebuilt it without any resolution.

> >

> > Some things I have tried to do to fix this issue:

> > -Located the CERTSVR_DCOM_ACCESS group on the CA and added "Domain Users,

> > Domain Computers, Domain Controllers and Domain Servers" groups, ran the

> > certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, and then

> > rebooted the server.

> > -Verified the ACLs on the Machine Keys folder on each server so only System

> > and Administrators had Full Access and Everyone had Read

> > -Verified that sServerConfig value matched the Certdat.inc value

> > -Ran certutil -ping on CA from a server and verified success

> > -Verified certsvc and RDP ports are listening via portqry.exe

> > -Verified "Auth. Users" have 'Request Certs' permissions on root of CA

> > -Using dssite.msc, verified that "Auth Users" have Read and Enroll and

> > "Domain Computers" have 'Read and Enroll'

> > -All servers have CA cert in 'Trusted Root Certificate Authorites'

> >

> > I am running out of ideas on why only workstations and the CA can autoenroll

> > and recieve a computer certificate. One thing I have yet to try is to

> > duplicate the computer certificate and adjust permissions in hopes of maybe

> > only a version 2 cert will work with Windows 2003 autorenrollment, but am

> > doubting it.

> >

> > If anyone needs more information or event log info, I can provide it.

> >

> > Thanks,


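To make those SDDL strings readable, here is an added Python example (not from the thread, and not Microsoft's tooling) that decodes the DACL of the DCOM "Machine Access Restrictions" and "Machine Launch Restrictions" security descriptors into the COM permission bits and reports which principals keep Remote Access and Remote Activation after deny ACEs are applied. The sample descriptors are constructed for illustration. The check it performs assumes that enrolling domain members reach the CA's DCOM interface through Everyone or Authenticated Users; that assumption is the example's, not something the thread states.

```python
"""Decode DCOM machine-wide restriction SDDLs (added example, constructed samples)."""
import re
from typing import Dict, List, Set

# COM permission bits as DCOM reads the ACE access mask.  In the *access*
# restriction they mean Execute / Local Access / Remote Access; in the *launch*
# restriction the low bits mean Execute / Local Launch / Remote Launch and
# 0x8 / 0x10 mean Local Activation / Remote Activation.
COM_RIGHTS_EXECUTE = 0x1
COM_RIGHTS_EXECUTE_LOCAL = 0x2
COM_RIGHTS_EXECUTE_REMOTE = 0x4
COM_RIGHTS_ACTIVATE_LOCAL = 0x8
COM_RIGHTS_ACTIVATE_REMOTE = 0x10

# SDDL two-letter rights tokens -> mask bits (the DS-object rights that DCOM reuses).
SDDL_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
               "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}

# Well-known SDDL SID aliases that commonly appear in these descriptors.
WELL_KNOWN = {"WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users",
              "BA": "Administrators", "SY": "SYSTEM", "IU": "Interactive", "NU": "Network"}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([AD]);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_rights(token: str) -> int:
    """Turn an SDDL rights field (two-letter tokens or a hex mask) into an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in SDDL_RIGHTS:
            raise ValueError(f"unsupported SDDL rights token {pair!r}")
        mask |= SDDL_RIGHTS[pair]
    return mask


def effective_dcom_rights(sddl: str) -> Dict[str, int]:
    """Per-SID mask from the DACL: allowed bits minus denied bits (a deny ACE wins)."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:...) in security descriptor")
    allowed: Dict[str, int] = {}
    denied: Dict[str, int] = {}
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(m.group(2)):
        bucket = allowed if ace_type == "A" else denied
        bucket[sid] = bucket.get(sid, 0) | parse_rights(rights)
    # A DACL with no ACEs grants nothing, so the result is simply empty.
    return {sid: allowed.get(sid, 0) & ~denied.get(sid, 0)
            for sid in allowed.keys() | denied.keys()}


def remote_dcom_principals(sddl: str, needed: int) -> Set[str]:
    """Principals (friendly names where known) that keep every bit in `needed`."""
    return {WELL_KNOWN.get(sid, sid)
            for sid, mask in effective_dcom_rights(sddl).items()
            if mask & needed == needed}


def check_enrollment_reachable(access_sddl: str, launch_sddl: str,
                               groups=("Everyone", "Authenticated Users")) -> List[str]:
    """Findings for a CA host.  Assumption of this example: domain members reach the
    CA's DCOM interface through one of `groups`, so that group needs Remote Access in
    the access restriction and Remote Activation in the launch restriction."""
    findings = []
    if not set(groups) & remote_dcom_principals(access_sddl, COM_RIGHTS_EXECUTE_REMOTE):
        findings.append("MachineAccessRestriction: no Remote Access for " + "/".join(groups))
    if not set(groups) & remote_dcom_principals(launch_sddl, COM_RIGHTS_ACTIVATE_REMOTE):
        findings.append("MachineLaunchRestriction: no Remote Activation for " + "/".join(groups))
    return findings


# Constructed sample descriptors (not copied from any host).
PERMISSIVE_ACCESS = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"
PERMISSIVE_LAUNCH = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCLCSWRP;;;WD)"
RESTRICTED_ACCESS = "O:BAG:BAD:(A;;CCDCLC;;;BA)(A;;CCDC;;;WD)"          # Everyone: local only
RESTRICTED_LAUNCH = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"    # Everyone: no remote activation

if __name__ == "__main__":
    for label, acc, launch in (("permissive", PERMISSIVE_ACCESS, PERMISSIVE_LAUNCH),
                               ("restricted", RESTRICTED_ACCESS, RESTRICTED_LAUNCH)):
        print(label, check_enrollment_reachable(acc, launch) or ["ok"])
```

On a host where the policy is set, the two strings to feed in are the REG_SZ values MachineAccessRestriction and MachineLaunchRestriction under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM; reading them is left to whatever registry tooling you use. The point of decoding rather than eyeballing is that a checklist value can look reasonable and still strip the one bit (Remote Access or Remote Activation) that a remote enrollment client needs, which is exactly the 0x80070005 symptom in this thread.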