RE: Autoenrollment error
- From: v-tomche@xxxxxxxxxxxxxxxxxxxx (Tom Che [MSFT])
- Date: Fri, 03 Feb 2006 03:44:14 GMT
Hi Matthew,
Thanks for your posting.
I suggest you may refer to the following steps to troubleshoot the Event ID
13 AutoEnrollment error:
BTW, you got an error when you try to use the following command maybe
because the server is not a CA:
"certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG"
1) Follow KB889101 (Release notes for Windows Server 2003 Service Pack 1,
Part: Certificate Services: Effects of security enhancements to the DCOM
protocol)
2) Right click on Certificate Authority in the MMC on the Enterprise CA.
Checked if security authenticated users has read and enroll permission.
3) Checked if Enterprise Admins has Full Control to
HKLM/System/CurrentControlSet/Services/CertSvc/Security and a read ACE to
CN=SubCA,CN=CertificateTemplates,CN=Public Key
Services,CN=Services,CN=Configuration.
4) Check DCOM configuration on the DC through DCOMCNFG command (Component
Services -> Computers -> My Computer -> Properties -> Default Properties):
"Enable Distributed COM on this computer"
5) There is a group that is created called CERTSVC_DCOM_ACCESS. Checked in
AD Users and Computers to verify that the members are Domain Users, Domain
Computers, and Domain Controllers.
6) Error can also occur if all other domain controllers in the forest do
not have permissions of Enroll, Change, Read. In order to troubleshoot,
open the Certificate Template MMC, Right click on the Certificate you wish
to assign permission and click Properties. In the security tab, added
Domain Computers group from each domain with the permissions of Enroll,
Change and Read.
Hope this helps!
Have a nice day!
Sincerely,
Tom Che
Microsoft Online Partner Support
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Date: Thu, 02 Feb 2006 11:52:01 -0600
From: Matthew Clark <MD-Clark@xxxxxxxxxxxxxx>
Subject: Autoenrollment error
Newsgroups: microsoft.public.windows.server.active_directory
I posted this in General with no response so I thought I might try here
as well...
I have a 2003 server that keeps getting the error -
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 2/1/2006
Time: 11:28:51 AM
User: N/A
Computer: xxxxxxx
Description:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
I read in a couple places to try "certutil -setreg SetupStatus
-SETUP_DCOM_SECURITY_UPDATED_FLAG". I tried that and it produced the
error -
CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
Does anyone have a suggestion on where to go from here?
Thanks!
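
The local checks from steps 3, 4 and 5 of the reply, plus its "server is not a CA" remark, gathered into one read-only PowerShell function. This is an added example, not part of either post. It assumes an elevated session and the ActiveDirectory RSAT module for the group lookup; the function name and result labels are made up for illustration, and the registry key path is used exactly as the reply gives it.

```powershell
# Added example (not from the thread): read-only checks, nothing is modified.
# Assumptions: elevated session; ActiveDirectory module available for Get-ADGroupMember.
function Test-AutoEnrollPrereq {
    $r = [ordered]@{}

    # "certutil -setreg SetupStatus ..." only applies where Certificate Services is installed.
    $r['CertSvc service present (host is a CA)'] = [bool](Get-Service -Name CertSvc -ErrorAction SilentlyContinue)

    # Step 4: "Enable Distributed COM on this computer" is stored as EnableDCOM = 'Y'.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    $r['DCOM enabled'] = ($null -ne $ole -and $ole.EnableDCOM -eq 'Y')

    # Step 3: look for an Allow / Full Control ACE for Enterprise Admins on the key named in the reply.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Security'
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    if (Test-Path -Path $key) {
        $ace = (Get-Acl -Path $key).Access | Where-Object {
            $_.IdentityReference.Value -like '*\Enterprise Admins' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $full) -eq $full
        }
        $r['Enterprise Admins Full Control on key'] = [bool]$ace
    } else {
        $r['Enterprise Admins Full Control on key'] = 'key not found on this host'
    }

    # Step 5: members the reply expects in CERTSVC_DCOM_ACCESS.
    $expected = 'Domain Users', 'Domain Computers', 'Domain Controllers'
    try {
        $members = (Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' -ErrorAction Stop).Name
        $missing = @($expected | Where-Object { $_ -notin $members })
        $r['CERTSVC_DCOM_ACCESS missing members'] = if ($missing.Count) { $missing -join ', ' } else { 'none' }
    } catch {
        $r['CERTSVC_DCOM_ACCESS missing members'] = "lookup failed: $($_.Exception.Message)"
    }

    [pscustomobject]$r
}

Test-AutoEnrollPrereq | Format-List
```

Steps 2 and 6 (permissions on the CA object and on the certificate template) are not covered here and still need the MMC checks described in the reply.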