RE: Certsrv and Autoenrollment problem
- From: v-branee@xxxxxxxxxxxxxxxxxxxx ("Brandy Nee [MSFT]")
- Date: Tue, 20 Dec 2005 07:48:48 GMT
Hello Karl,
Thank you for posting to the SBS Newsgroup.
I understand that you notice that there are many Event IDs 77, 53 and 13 on
your SBS Server. If I have misunderstood your concern, please let me know.
The reason for the Event ID 77 warnings at CertSvc startup was the CA looking
for the 2003 schema specific attribute msPKI-Template-Minor-Revision when
it attempted to enumerate the templates. That attribute does not exist in
the Windows 2000 schema, so it will not be instantiated on the template
object. Because the templates cannot be successfully enumerated, they are
never loaded into the in-memory cache maintained by CertSvc. The
Certificate Authority snap-in will show the templates in the Certificate
Templates folder, and you can add or remove them at will, but this only
updates the pKIEnrollmentServices object in AD. When CertSvc attempts to
look at that object and see what templates it is supposed to load, it fails.
This behavior can occur for the following reasons:
- The Certificate Authority service is not running.
- You do not have Read and Enroll permission for the template of the
certificate that you are requesting.
Suggestions:
==========
1. Please check if the CA is running.
2. Grant Read and Enroll access for the template to the appropriate user or
group by using the Sites and Services snap-in.
- On the domain controller, run "dssite.msc" to launch the Active Directory
Sites and Services snap-in.
- On the View menu, select "Show Services Node".
- Browse to:
Services\Public Key Services\Certificate Templates
- On the Security tab, check the permissions of a template.
- Restart the server and check if the problem disappears.
3. The issue also will occur if the Authenticated Users group is removed
from the template's access control list (ACL). The Authenticated Users
group is on a template ACL, by default. (The CA itself is included in this
group.) If the Authenticated Users group is removed, the (enterprise) CA
itself can no longer read the template in the Active Directory, and
therefore, certificate requests can be unsuccessful. For more information,
you can refer to the following Microsoft Knowledge Base article:
A Certification Authority Cannot Use a Certificate Template
http://support.microsoft.com/?id=283218
===========
If the issue persists, please help to gather the following information for
further research:
a. Is there any CA installed on SBS Server or your member server?
b. Have you installed SBS 2K3 SP1 on your server?
c. How did you "attempting an Exchange database defrag"? Could you please
explain in detail what steps you have performed?
Please take your time to read through all my information including KB
articles. If you have any updates, please feel free to let me know. I am
looking forward to hearing from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
--------------------
>From: "Karl Middleton" <nospam@xxxxxxxxxx>
>Subject: Certsrv and Autoenrollment problem
>Date: Mon, 19 Dec 2005 20:36:46 +1100
>Newsgroups: microsoft.public.windows.server.sbs
>
>Good evening NG
>
>Got a problem with a server since attempting an Exchange database defrag
>that filled the system drive.
>
>In the Application Event Log I keep getting the following series of events
>after a reboot.
>
>Trawling Google doesn't give much joy. Some similar problems but not
>identical.
>
>Event Type: Warning
>Event Source: CertSvc
>Event Category: None
>Event ID: 77
>Date: 19/12/2005
>Time: 6:06:41 PM
>User: N/A
>Computer: CALAIS
>Description:
>The "Windows default" Policy Module logged the following warning: The
>SmartcardLogon(v1.0): V1 Certificate Template could not be loaded. Element
>not found. 0x80070490 (WIN32: 1168).
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>Event Type: Warning
>Event Source: CertSvc
>Event Category: None
>Event ID: 77
>Date: 19/12/2005
>Time: 6:06:41 PM
>User: N/A
>Computer: CALAIS
>Description:
>The "Windows default" Policy Module logged the following warning: The
>SmartcardLogon Certificate Template could not be loaded. Element not found.
>0x80070490 (WIN32: 1168).
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>Event Type: Warning
>Event Source: CertSvc
>Event Category: None
>Event ID: 77
>Date: 19/12/2005
>Time: 6:06:41 PM
>User: N/A
>Computer: CALAIS
>Description:
>The "Windows default" Policy Module logged the following warning: The
>ClientAuth(v0.0): V1 Certificate Template could not be loaded. Element not
>found. 0x80070490 (WIN32: 1168).
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>... and a bunch of similar events
>
>...then the autoenrollment error...
>
>Event Type: Warning
>Event Source: CertSvc
>Event Category: None
>Event ID: 53
>Date: 19/12/2005
>Time: 6:07:20 PM
>User: N/A
>Computer: CALAIS
>Description:
>Certificate Services denied request 469 because The requested certificate
>template is not supported by this CA. 0x80094800 (-2146875392). The request
>was for TICKINGCLOCK\CALAIS$. Additional information: Denied by Policy
>Module 0x80094800, The request was for a certificate template that is not
>supported by the Certificate Services policy: DomainController.
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>Event Type: Error
>Event Source: AutoEnrollment
>Event Category: None
>Event ID: 13
>Date: 19/12/2005
>Time: 6:07:20 PM
>User: N/A
>Computer: CALAIS
>Description:
>Automatic certificate enrollment for local system failed to enroll for one
>Domain Controller certificate (0x80094800). The requested certificate
>template is not supported by this CA.
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>
>The system seems to be running OK but clearly these events can't be good.
>
>Does anyone know how to fix these?
>
>TIA
>Karl from Oz
>
>
>
>
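Added example, not part of the original posts and not a Microsoft tool: a small Python triage script that parses event text pasted from a thread like this one (quote markers and broken line wraps included), decodes the HRESULT values it contains, and separates templates the CA could not load (Event ID 77) from templates it refused to issue (Event ID 53). The function names and the condensed sample are assumptions made for illustration.

```python
import re
FACILITIES = {7: "WIN32", 9: "CERT"}  # FACILITY_WIN32, FACILITY_CERT (winerror.h)

def decode_hresult(text):
    """Split an HRESULT into the fields the event text prints beside it."""
    value = int(text, 16)
    signed = value - (1 << 32) if value & 0x80000000 else value
    facility = FACILITIES.get((value >> 16) & 0x7FF, "other")
    return {"facility": facility, "code": value & 0xFFFF, "signed": signed}

def parse_events(text):
    """One dict per event; tolerates '>' quote markers and wrapped lines."""
    clean = "\n".join(line.lstrip("> ") for line in text.splitlines())
    events = []
    for block in clean.split("Event Source:")[1:]:
        header, _, desc = block.partition("Description:")
        desc = " ".join(desc.split())  # undo the newsreader's line wrapping
        tmpl = re.search(r"warning: The (\w+)|policy: (\w+)", desc)
        events.append({
            "source": header.split()[0],
            "id": int(re.search(r"Event ID:\s*(\d+)", header).group(1)),
            "template": (tmpl.group(1) or tmpl.group(2)) if tmpl else None,
            "hresults": sorted(set(re.findall(r"0x[0-9A-Fa-f]{8}", desc))),
        })
    return events

def summarize(events):
    """Templates the CA failed to load (ID 77) versus templates it refused (ID 53)."""
    by_id = lambda n: sorted({e["template"] for e in events if e["id"] == n and e["template"]})
    return {"not_loaded": by_id(77), "denied": by_id(53)}

# Constructed sample: two events condensed from the text quoted in this thread.
SAMPLE = r"""
>Event Source: CertSvc
>Event ID: 77
>Description:
>The "Windows default" Policy Module logged the following warning: The
>SmartcardLogon(v1.0): V1 Certificate Template could not be loaded.
Element
>not found. 0x80070490 (WIN32: 1168).
>Event Source: CertSvc
>Event ID: 53
>Description:
>Certificate Services denied request 469 because The requested certificate
>template is not supported by this CA. 0x80094800 (-2146875392). [...] not
>supported by the Certificate Services policy: DomainController.
"""

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

The decoded fields line up with what the events print: 0x80070490 is a WIN32-facility code 1168, and 0x80094800 read as a signed 32-bit value is -2146875392.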