Re: Autoenrollment error



Hi Ace,

Thanks for your sharing!

Hope this can help Matthew, too!

Have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
References: <OMytfFCKGHA.2668@xxxxxxxxxxxxxxxxxxxx> <P309fQHKGHA.3680@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Autoenrollment error
Date: Fri, 3 Feb 2006 01:39:01 -0500
Message-ID: <#UAuGyIKGHA.2088@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.active_directory

In news:P309fQHKGHA.3680@xxxxxxxxxxxxxxxxxxxxx,
Tom Che [MSFT] <v-tomche@xxxxxxxxxxxxxxxxxxxx> stated, which I commented on below:
Hi Matthew,

Thanks for your posting.

I suggest you may refer to the following steps to troubleshoot the
Event ID 13 AutoEnrollment error:

BTW, you got an error when you try to use the following command maybe
because the server is not a CA:
"certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG"

1) Follow KB889101(Release notes for Windows Server 2003 Service Pack
1, Part:
Certificate Services: Effects of security enhancements to the DCOM
protocol)

2) Right click on Certificate Authority in the MMC on the Enterprise
CA. Checked if security authenticated users has read and enroll
permission.

3) Checked if Enterprise Admins has Full Control to
HKLM/System/CurrentControlSet/Services/CertSvc/Security and a read
ACE to CN=SubCA,CN=CertificateTemplates,CN=Public Key
Services,CN=Services,CN=Configuration.

4) Check DCOM configuration on the DC through DCOMCNFG command.
(Component Services -> Computers -> My Computer -> Properties ->
Default Properties) "Enable Distributed COM on this computer"

5) There is a group that is created called CERTSVC_DCOM_ACCESS.
Checked in AD Users and Computers to verify that the members are
Domain Users, Domain Computers, and Domain Controllers.

6) Error can also occur if all other domain controllers in the forest
do not have permissions of Enroll, Change, Read. In order to
troubleshoot, open the Certificate Template MMC, Right click on the
Certificate you wish to assign permission and click Properties. In
the security tab, added Domain Computers group from each domain with
the permissions of Enroll, Change and Read.


Tom,

This actually helped me when I had a similar issue. Possibility #5 above
was what helped.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows
you to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.

The only thing in life is change. Anything less is a blackhole consuming
unnecessary energy.
===========================
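
Added example, not part of either poster's message: a read-only PowerShell pass over the checks in steps 4, 5 and 6 above. It assumes the RSAT ActiveDirectory module, that CERTSVC_DCOM_ACCESS is a domain group as step 5 describes, and a $TemplateName parameter introduced here (defaulting to the SubCA template named in step 3).

```powershell
# Added example (not from the thread): read-only checks for steps 4, 5 and 6.
# Assumes the RSAT ActiveDirectory module; $TemplateName is a parameter chosen here.
param([string]$TemplateName = 'SubCA')   # template CN named in step 3
Import-Module ActiveDirectory

# Step 4: the "Enable Distributed COM on this computer" box is stored as EnableDCOM = "Y".
$dcom = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM).EnableDCOM
"DCOM enabled: {0}" -f ($dcom -eq 'Y')

# Step 5: CERTSVC_DCOM_ACCESS should contain the three groups the post lists.
$expected = 'Domain Users', 'Domain Computers', 'Domain Controllers'
$members  = @(Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' |
              Select-Object -ExpandProperty Name)
foreach ($name in $expected) {
    "{0,-20} in CERTSVC_DCOM_ACCESS: {1}" -f $name, ($members -contains $name)
}

# Step 6: list the Allow ACEs on the template and mark which ones grant Enroll.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{ Name = 'Enroll'; Expression = {
            # An empty ObjectType GUID means "all extended rights", which includes Enroll.
            ($_.ActiveDirectoryRights -band $extended) -and
            ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty) } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Run it on the CA or a domain controller with an account that can read the Configuration partition; it changes nothing, so any missing member or ACE still has to be fixed through the consoles named in the steps.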




