Re: Event ID 13 - automatic certificate enrollment error



I just had the same problem, have you installed SP 1 on your server?

If so, go to AD Users/Computers, built in, look for CERTSVC_DCOM_ACCESS and
add Domain Controllers to it and check enroll


"Jaycee" <jaycee131973@xxxxxxxxxxx> wrote in message
news:%23919dJbAGHA.2392@xxxxxxxxxxxxxxxxxxxxxxx
> I'm having problems understanding how to set permissions. When I open the
> MMC for the certificate authority I can see the certificate templates
> folder and when I select it I can then see Domain Controller on the
> right-side pane. However, when I view the properties it doesn't have a
> permissions tab.
>
> However, if I right click the certificate templates folder and select
> manage I can see the template Domain Controller. My network is running
> Windows 2003 and all Domain controllers are running Windows 2003. For the
> Domain Controller template it states minimum supported CA is Windows 2000
> and autoenrollment is set to Not Allowed.
>
> Under the security tab for this template it lists the following:
> Authenticated Users: READ
> Domain Admins: READ, WRITE, ENROLL
> Domain Controllers: READ, ENROLL
> Enterprise Admins: READ, WRITE, ENROLL
> Enterprise Domain Controllers: READ, ENROLL
>
> Any advice on these permissions settings would be appreciated.
>
> Thanks.
>
> <skrubbeltrang@xxxxxxxxx> wrote in message
> news:1134674956.549145.326050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Jaycee.
>>
>> If you check the Microsoft Events and Errors Message Center you'll find
>> the following suggestions:
>>
>> No network connectivity is available
>> No domain controller was found
>> No certificate authorities are available
>> No certificate templates contain the READ and ENROLL permission for
>> the computer or user in Active Directory
>>
>> You should check the above:
>> Most likely you should check the permissions on the domain controller
>> certificate template - the access denied implies that there is
>> connectivity but ACL's on the template are wrong.
>> It could also be that you removed the template from the list of
>> certificates issued by the server?
>> To check connectivity use telnet to test for TCP port 135 as well as
>> the dynamically assigned certificate services port (use netstat -na on
>> the CA to find the port).
>>
>> You'll find links for the Microsoft Events and Errors Message Center
>> and other resources on
>>
>> http://grubletrang.com/GrubleKB.aspx
>>
>> Hope this helps you solve your problem.
>>
>> Kind regards
>> Morten Skrubbeltrang
>> GrubleTrang Corporation
>>
>>
>> Jaycee wrote:
>>> I'm receiving the following event:
>>>
>>> Event Type: Error
>>> Event Source: AutoEnrollment
>>> Event Category: None
>>> Event ID: 13
>>> Computer: SERVER01
>>> Description:
>>> Automatic certificate enrollment for local system failed to enroll for one
>>> Domain Controller certificate (0x80070005). Access is denied.
>>>
>>> When I open the certificates MMC and manually renew the Domain Controller
>>> certificate with the same key I receive the following error:
>>>
>>> The certificate request failed because of one of the following conditions:
>>> - The certificate request was submitted to a Certification Authority (CA)
>>> that is not started.
>>> - You do not have permissions to request certificates from the available
>>> CAs.
>>>
>>> The CA is started. Anyone have any ideas on how to fix this one?
>>>
>>> Thanks.
>>
>
>
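
The checks suggested in this thread (TCP 135 reachability, CERTSVC_DCOM_ACCESS membership, READ and ENROLL on the Domain Controller template), written out as an added PowerShell example that is not part of the original posts. It assumes PowerShell 4 or later with the RSAT ActiveDirectory module; `ca01.example.test` is a placeholder CA host name and `DomainController` is assumed to be the CN of the template displayed as "Domain Controller".

```powershell
# Added example, not from the thread. Run on the domain controller that logs Event ID 13.
Import-Module ActiveDirectory

$CaHost   = 'ca01.example.test'   # placeholder: host name of your CA
$Template = 'DomainController'    # assumed CN of the "Domain Controller" template

# 1. Connectivity: RPC endpoint mapper on the CA (TCP 135).
$rpc = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
if (-not $rpc.TcpTestSucceeded) { Write-Warning "TCP 135 on $CaHost is not reachable" }

# 2. DCOM access: is 'Domain Controllers' a direct member of CERTSVC_DCOM_ACCESS?
$members = @(Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' | ForEach-Object { $_.Name })
if ($members -notcontains 'Domain Controllers') {
    Write-Warning "'Domain Controllers' is not a member of CERTSVC_DCOM_ACCESS"
}

# 3. Template ACL: which principals are allowed READ and ENROLL?
$adr        = [System.DirectoryServices.ActiveDirectoryRights]
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$configNC   = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Group-Object -Property IdentityReference |
    ForEach-Object {
        $aces = $_.Group
        [pscustomobject]@{
            Principal = $_.Name
            # READ: any allow ACE carrying the ReadProperty bit
            Read   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $adr::ReadProperty })
            # ENROLL: extended right scoped to the Enroll GUID, or to all extended rights
            Enroll = [bool]($aces | Where-Object {
                ($_.ActiveDirectoryRights -band $adr::ExtendedRight) -and
                ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
            })
        }
    } | Format-Table -AutoSize
```

The dynamically assigned certificate services port mentioned in the thread still has to be read from `netstat -na` on the CA and tested the same way as port 135.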

