From: PG on
Hi everybody,

When I try to request a certificate from my Enterprise CA installed on
SBS2003Premium, it gives the following error: "No certificate templates could
be found. You do not have permission to request a certificate from this CA,
or an error occurred while accessing the Active Directory." I went and
searched for a solution and found this Microsoft article
http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
help because the name of the server is the same in the certdat.inc and in
the AD!!! :(

When I go to the certification authority and click on "manage" on the
certificate templates, Windows says that it detected that new certificate
templates should be installed, and asks if I want to install them now, and I
say "Yes", and it gives an error saying "Windows could not install the new
certificate templates. Access is denied" :( I'm doing this as enterprise admin
and it says access denied!!!!! :( :(

I've tried to reinstall the CA and the errors are still the same!

Can anyone help me with this issue, please?

Thanks in advance for any help you can give me....


From: "Charles Yang [MSFT]" on
Hi PG,

Welcome to SBS newsgroup.

Issue description:
================

I understand that you encountered some problem when using CA on SBS 2003
premium.

Analyzing and suggestions:
================

Generally speaking, the error you encountered can be caused by many
factors. In order to make the issue more clear, please refer to my
suggestions below to gather more information:

1. If possible, please send me the event log for further research. It
should include more information which can help us determine which kind of
error you encountered. You can send the log files to my email box:
v-chayan(a)microsoft.com.
2. Does the issue occur from the client's computer or from the server side?


Let's first check the following:

1. Go to the CA Server, go to Services.msc console, make sure that the
Certificate Service is started.
2. Open Certificate Authority, make sure that it can be opened.
3. If you are using Enterprise CA, go to the Certificate Template in the
Certificate Authority, make sure that necessary Certificate Template is
added and listed in the right panel.
4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
-> Add/Remove Snap-in, click Add button, select Certificate, click Add,
select Computer Account and click next. Select Local Computer, click Finish
and then Close.
5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
the Root certificate exists. Its 'issued by' and 'issued to' should be
itself. Then please check if the root certificate is still alive. If it is
expired, right click the Certificate, select All Tasks -> Renew Certificate
with Same Key. Then renew the user certificate and let me know how
everything is going.
NOTE: Please check the Certificate Authority to make sure that these client
certificates are not revoked before you renew the certificate.

If the issue still exists, please check if the CA computer where you start
the Certificate Web Enrollment from is set to trust for delegation. To do
so:
1. Log on as a domain administrator or equivalent account.
2. Click Start, point to Programs, point to Administrative Tools, and then
click "Active Directory Users and Computers".
3. In the left pane, locate the container or organizational unit (OU) on
which you want to enable delegation.
4. Right-click the computer account name, and then click Properties.
5. On the General tab, click Trust computer for delegation.
6. Click OK.
7. Quit Active Directory Users and Computers.

For more info, please refer to:
300867 Error Message: The Certification Authority Service Has Not Been
Started
http://support.microsoft.com/?id=300867


This issue may also occur if the Domain Users group on the child domain
does not have the right to enroll a user template. To have a check:

1. Logon to CA Server as Enterprise Administrator
2. Click Start, click Programs, click Administrative Tools, and then click
the "Active Directory Sites and Services" snap-in.
3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
click View, and then click "Show Services Mode". This allows you to view
the Services folder, which is hidden from view by default.
4. From the "Active Directory Sites and Services" snap-in, click Services,
click Public Key Services, and then click Certificate Templates. This
reveals the complete list of published certificate templates in Active
Directory.
5. Double-click the User certificate template to view the properties.
6. On the Security tab, click Add to add the Domain Users group to the list.
7. For the Domain Users group, select the Read and Enroll rights.
8. Restart the computer.

For more info, please refer to:
271861 Windows Cannot Find a Certificate Authority That Processes the
Request
http://support.microsoft.com/?id=271861

NOTE: Request from MMC only works if it is an Enterprise CA. For a stand-alone
CA, you must request the certificate via the web.

I appreciate your understanding; please paste your results at your
convenience. It is important for us to isolate the issue. I am glad to help
you.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "PG" <*@*.*>
| Subject: SBS2003Premium Certification Authority from HELL!!!
| Date: Fri, 16 Sep 2005 11:35:46 +0100
| Newsgroups: microsoft.public.windows.server.sbs

From: PG on
Thanks for your reply Charles

Responses to your questions follow, and are in line:


""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> Welcome to SBS newsgroup.
>
> Issue description:
> ================
>
> I understand that you encountered some problem when using CA on SBS 2003
> premium.
>
> Analyzing and suggestions:
> ================
>
> Generally speaking, the error you encountered can be caused by many
> factors, in order to make the issue more clear, please refer to my
> suggestions below to gather more information:
>
> 1. If possible, please send me the event log for further research, it
> should include more information which can help us determine which kinds of
> error you encountered, you can send the log files to my email box.
> v-chayan(a)microsoft.com.

There is nothing recorded in the logs when the errors occur.

> 2. Does the issue occur from the client's computer or from the server
> side?

Both! It occurs when I request a certificate from the client and from the
server! :( Via Web request or MMC snap-in


>
>
> Let's first check the following:
>
> 1. Go to the CA Server, go to Services.msc console, make sure that the
> Certificate Service is started.

Check

> 2. Open Certificate Authority, make sure that it can be opened.

Check

> 3. If you are using Enterprise CA, go to the Certificate Template in the
> Certificate Authority, make sure that necessary Certificate Template is
> added and listed in the right panel.

Check

> 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
> -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
> select Computer Account and click next. Select Local Computer, click
> Finish
> and then Close.

Check

> 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
> the Root certificate exists. It's 'issued by' and 'issued to' should be
> itself. Then please check if the root certificate is still alive. If it is
> expired, right click the Certificate, select All Tasks -> Renew
> Certificate
> with Same Key. Then renew the user certificate and let me know how
> everything is going.
> NOTE: Please check the Certificate Authority to make sure that these
> client
> certificate are not revoked before you renew the certificate.
>
> If the issue still exists, please check if the CA computer where you start
> the Certificate Web Enrollment from is set to trust for delegation. To do
> so:
> 1. Log on as a domain administrator or equivalent account.
> 2. Click Start, point to Programs, point to Administrative Tools, and then
> click "Active Directory Users and Computers".
> 3. In the left pane, locate the container or organizational unit (OU) on
> which you want to enable delegation.
> 4. Right-click the computer account name, and then click Properties.
> 5. On the General tab, click Trust computer for delegation.
> 6. Click OK.
> 7. Quit Active Directory Users and Computers.
>
> For more info, please refer to:
> 300867 Error Message: The Certification Authority Service Has Not Been
> Started
> http://support.microsoft.com/?id=300867

The certificate is alive until 16/9/2010! So I didn't renew it.


>
>
> This issue may also occur if the Domain Users group on the child domain
> does not have the right to enroll a user template. To have a check:
>
> 1. Logon to CA Server as Enterprise Administrator

check

> 2. Click Start, click Programs, click Administrative Tools, and then click
> the "Active Directory Sites and Services" snap-in.

check

> 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
> click View, and then click "Show Services Mode". This allows you to view
> the Services folder, which is hidden from view by default.

Check

> 4. From the "Active Directory Sites and Services" snap-in, click Services,
> click Public Key Services, and then click Certificate Templates. This
> reveals the complete list of published certificate templates in Active
> Directory.

Check

> 5. Double-click the User certificate template to view the properties.

Check

> 6. On the Security tab, click Add to add the Domain Users group to the
> list.

The group domain users wasn't there so I added it

> 7. For the Domain Users group, select the Read and Enroll rights.

When I tried to apply the changes it gave the following error:

"Unable to save permission changes on
LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL

ACCESS IS DENIED"


> 8. Restart the computer.

Didn't do it because no changes were made!


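An added example, not part of the original thread: the Security-tab check from the steps above done from PowerShell, listing which trustees hold Read, Enroll and permission-change (WriteDacl) access on a template object such as the `CN=USER` object named in the error. It assumes a domain-joined machine with PowerShell 3 or later; `Get-TemplateAccess` is a hypothetical helper name, and the GUID is the Certificate-Enrollment extended right.

```powershell
# Added example (not from the thread). Get-TemplateAccess is a hypothetical helper name.
# Lists the ACEs on a certificate template object in the Configuration
# partition and flags Read, Enroll and WriteDacl access for each trustee.

# rightsGuid of the Certificate-Enrollment extended right ("Enroll" in the GUI)
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateAccess {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName
    )

    $ADR     = [System.DirectoryServices.ActiveDirectoryRights]
    $SidType = [System.Security.Principal.SecurityIdentifier]
    $NtType  = [System.Security.Principal.NTAccount]

    # Ask RootDSE for the Configuration naming context instead of hard-coding the forest DN.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    # psbase bypasses the ADSI adapter so the .NET ObjectSecurity property is reachable.
    $entry = [ADSI]"LDAP://$dn"
    $sd = $entry.psbase.ObjectSecurity
    if (-not $sd) { throw "Could not read the security descriptor of $dn" }

    # The owner can always change the DACL, so report it next to every ACE.
    $ownerSid = $sd.GetOwner($SidType)
    try   { $owner = $ownerSid.Translate($NtType).Value }
    catch { $owner = $ownerSid.Value }   # SID that no longer resolves to a name

    # Explicit and inherited ACEs, returned as SIDs so unresolvable trustees do not abort the loop.
    foreach ($ace in $sd.GetAccessRules($true, $true, $SidType)) {
        try   { $trustee = $ace.IdentityReference.Translate($NtType).Value }
        catch { $trustee = $ace.IdentityReference.Value }

        $rights = [int]$ace.ActiveDirectoryRights

        # Enroll = an extended-right ACE scoped to the enrollment GUID,
        # or to all extended rights (empty ObjectType, which also covers Full Control).
        $canEnroll = (($rights -band [int]$ADR::ExtendedRight) -ne 0) -and
                     (($ace.ObjectType -eq $EnrollGuid) -or ($ace.ObjectType -eq [Guid]::Empty))

        [pscustomobject]@{
            Trustee   = $trustee
            Type      = $ace.AccessControlType    # Allow or Deny; a Deny ACE overrides an Allow
            Read      = ($rights -band [int]$ADR::ReadProperty) -ne 0
            Enroll    = $canEnroll
            WriteDacl = ($rights -band [int]$ADR::WriteDacl) -ne 0   # needed to save permission changes
            Inherited = $ace.IsInherited
            Owner     = $owner
        }
    }
}

# 'User' is the template named in the error message quoted above.
Get-TemplateAccess -TemplateName 'User' | Format-Table -AutoSize
```

Rows with `Type` of Deny, or the absence of any Allow row with `WriteDacl` for the account in use, are the entries to look at when saving a permission change returns "Access is denied".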
From: "Charles Yang [MSFT]" on
Hi PG,

Thanks for updates.

In order to make the issue more clear, could you send me the application
log and system event log so that we can isolate the issue more clearly? You
can compress the log files and send them to my mailbox.

v-chayan(a)microsoft.com

Thanks for your understanding.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Tue, 20 Sep 2005 13:28:25 +0100

From: PG on
I've sent you the logs as you requested Charles...

Thanks for the help

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> Thanks for updates.
>
> In order to make the issue more clear, could you send me the application
> log and system event log so that we can isolate the issue more clearly,
> you
> can compress the log files and send to my mailbox.
>
> v-chayan(a)microsoft.com
>
> Thanks for your understanding.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "PG" <*@*.*>
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | Date: Tue, 20 Sep 2005 13:28:25 +0100
> |
> | Thanks for your reply Charles
> |
> | Responses to your questions follow, and are in line:
> |
> |
> | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > HI PG,
> | >
> | > Welcome to SBS newsgroup.
> | >
> | > Issue description:
> | > ================
> | >
> | > I understand that you encountered some problem when using CA on SBS 2003
> | > premium.
> | >
> | > Analyzing and suggestions:
> | > ================
> | >
> | > Generally speaking, the error you encountered can be caused by many
> | > factors, in order to make the issue more clear, please refer to my
> | > suggestions below to gather more information:
> | >
> | > 1. If possible, please send me the event log for further research, it
> | > should include more information which can help us determine which kinds of
> | > error you encountered, you can send the log files to my email box.
> | > v-chayan(a)microsoft.com.
> |
> | There is nothing recorded in the logs when the errors occur.
> |
> | > 2. Does the issue occur from the client's computer or from the server
> | > side?
> |
> | Both! It occurs when I request a certificate from the client and from the
> | server! :( Via Web request or MMC snap-in
> |
> |
> | >
> | >
> | > Let's first check the following:
> | >
> | > 1. Go to the CA Server, go to Services.msc console, make sure that the
> | > Certificate Service is started.
> |
> | Check
> |
> | > 2. Open Certificate Authority, make sure that it can be opened.
> |
> | Check
> |
> | > 3. If you are using Enterprise CA, go to the Certificate Template in the
> | > Certificate Authority, make sure that necessary Certificate Template is
> | > added and listed in the right panel.
> |
> | Check
> |
> | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
> | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
> | > select Computer Account and click next. Select Local Computer, click Finish
> | > and then Close.
> |
> | Check
> |
> | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
> | > the Root certificate exists. Its 'issued by' and 'issued to' should be
> | > itself. Then please check if the root certificate is still alive. If it is
> | > expired, right click the Certificate, select All Tasks -> Renew Certificate
> | > with Same Key. Then renew the user certificate and let me know how
> | > everything is going.
> | > NOTE: Please check the Certificate Authority to make sure that these client
> | > certificates are not revoked before you renew the certificate.
> | >
> | > If the issue still exists, please check if the CA computer where you start
> | > the Certificate Web Enrollment from is set to trust for delegation. To do
> | > so:
> | > 1. Log on as a domain administrator or equivalent account.
> | > 2. Click Start, point to Programs, point to Administrative Tools, and then
> | > click "Active Directory Users and Computers".
> | > 3. In the left pane, locate the container or organizational unit (OU) on
> | > which you want to enable delegation.
> | > 4. Right-click the computer account name, and then click Properties.
> | > 5. On the General tab, click Trust computer for delegation.
> | > 6. Click OK.
> | > 7. Quit Active Directory Users and Computers.
> | >
> | > For more info, please refer to:
> | > 300867 Error Message: The Certification Authority Service Has Not Been
> | > Started
> | > http://support.microsoft.com/?id=300867
> |
> | The certificate is alive until 16/9/2010! So I didn't renew it.
> |
> |
> | >
> | >
> | > This issue may also occur if the Domain Users group on the child domain
> | > does not have the right to enroll a user template. To have a check:
> | >
> | > 1. Logon to CA Server as Enterprise Administrator
> |
> | check
> |
> | > 2. Click Start, click Programs, click Administrative Tools, and then click
> | > the "Active Directory Sites and Services" snap-in.
> |
> | check
> |
> | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
> | > click View, and then click "Show Services Mode". This allows you to view
> | > the Services folder, which is hidden from view by default.
> |
> | Check
> |
> | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
> | > click Public Key Services, and then click Certificate Templates. This
> | > reveals the complete list of published certificate templates in Active
> | > Directory.
> |
> | Check
> |
> | > 5. Double-click the User certificate template to view the properties.
> |
> | Check
> |
> | > 6. On the Security tab, click Add to add the Domain Users group to the
> | > list.
> |
> | The group domain users wasn't there so I added it
> |
> | > 7. For the Domain Users group, select the Read and Enroll rights.
> |
> | When I tried to apply the changes it gave the following error:
> |
> | "Unable to save permission changes on
> | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> |
> | ACCESS IS DENIED"
> |
> |
> | > 8. Restart the computer.
> |
> | Didn't do it because no changes were made!
> |
> | >
> | > For more info, please refer to:
> | > 271861 Windows Cannot Find a Certificate Authority That Processes the
> | > Request
> | > http://support.microsoft.com/?id=271861
> | >
> | > NOTE: Request from MMC only works if it is a Enterprise CA. To stand alone
> | > CA, you must request certificate by WEB.
> | >
> | > I appreciate your understanding and please paste your results as your
> | > convenience, It is important for us to isolate the issue. I am glad to help
> | > you.
> | >
> | >
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > |
> | > | Hi everybody,
> | > |
> | > | When I try to request a certificate from my Enterprise CA installed on
> | > | SBS2003Premium It gives the following error :"No certificate templates could
> | > | be found. You do not have permission to request a certificate from this CA,
> | > | or an error occurred while accessing the Active Directory." I went and
> | > | search for a solution and found this microsoft article
> | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
> | > | help because the name of the server is the same in the certdat.inc and in
> | > | the AD!!! :(
> | > |
> | > | When I go to the certification authority and click on "manage" on the
> | > | certificate templates, windows says that it detected that new certificate
> | > | templates should be installed, and ask if I want to install them now, and I
> | > | say "Yes", and gives an error saying "Windows could not install the new
> | > | certificate templates. Access is denied" :( I'm doing this as enterprise admin
> | > | and it says access denied!!!!! :( :(
> | > |
> | > | I've tried to reinstall the CA and the errors are still the same!
> | > |
> | > | Can anyone help me with this issue, please?
> | > |
> | > | Thanks in advance for any help you can give me....
>
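
Steps 4 to 7 of the quoted procedure edit the User template's ACL through the Security tab; as an added example (not part of the thread or any poster's code), this read-only PowerShell script lists the same ACL: the object owner and which principals hold Read, Enroll and WriteDacl, the details to compare when saving a change returns "Access is denied". It assumes a domain-joined machine with Windows PowerShell available and the template name User taken from the thread.

```powershell
# Added example: read-only audit of a certificate template's ACL.
# Assumptions: domain-joined machine, Windows PowerShell available,
# template name 'User' as in the thread.
param([string]$TemplateName = 'User')

# Certificate-Enrollment extended right (shown as "Enroll" on the Security tab)
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$NTAccount  = [System.Security.Principal.NTAccount]
$Read       = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$Extended   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteDacl  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

# Locate the template under CN=Certificate Templates in the Configuration partition
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry 'LDAP://RootDSE'
$configNC = $rootDse.psbase.Properties['configurationNamingContext'].Value
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$dn"

# Fails here if the caller cannot even read the template object
$sd = $entry.psbase.ObjectSecurity
"Template: $dn"
"Owner   : $($sd.GetOwner($NTAccount))"

function Test-Right($rule, [int]$flag) {
    # True when every bit of $flag is present in the rule's rights mask
    ([int]$rule.ActiveDirectoryRights -band $flag) -eq $flag
}

# One row per ACE; Deny entries appear with AccessControlType = Deny
$sd.GetAccessRules($true, $true, $NTAccount) |
    Select-Object IdentityReference, AccessControlType, IsInherited,
        @{ n = 'Read';      e = { Test-Right $_ $Read } },
        @{ n = 'Enroll';    e = { (Test-Right $_ $Extended) -and
                                  ($_.ObjectType -eq $EnrollGuid -or
                                   $_.ObjectType -eq [guid]::Empty) } },
        @{ n = 'WriteDacl'; e = { Test-Right $_ $WriteDacl } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```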

