Re: Certsrv and Autoenrollment problem



Got no answers to this one so I guess I must be the first!

I think I solved this one myself.

I loaded the certtmpl.msc console and had a look at the certificates. Guess
what? I got a whole lot of access denied messages. A sure indicator of
broken security.

So after finding some obscure references on eventid.net I applied the same
logic to my problem and loaded ADSIEdit from the support tools. I navigated
down the Configuration tree until I found the PKI stuff. In there was an
Active Directory listing of the certificates that also appeared in the
certtmpl.msc console.

Using a known good SBS site, I manually, one by one, made the security settings
identical between my broken server and the good server.

A reboot and the problem was gone.

The only issue remaining is that I am still getting the autoenrollment
problem. If I turn off the RPC filter in ISA 2004 it goes away. However, I
suspect that turning off the RPC filter will break something else. It may
be coincidental with my certsvc problems, i.e. some certificates were due to
expire anyway and ISA would have blocked them anyway. I doubt that I will be
able to accurately determine this until the certificates next try to renew
and consequently try to autoenroll.

Can anyone shed any light on what the RPC filter and certificates issue
might be?

TIA
Karl from Oz




"Karl Middleton" <nospam@xxxxxxxxxx> wrote in message
news:%23vuZ8%23HBGHA.344@xxxxxxxxxxxxxxxxxxxxxxx
> Good evening NG
>
> Got a problem with a server since attempting an Exchange database defrag
> that filled the system drive.
>
> In the Application Event Log I keep getting the following series of events
> after a reboot.
>
> Trawling Google doesn't give much joy. Some similar problems but not
> identical.
>
> Event Type: Warning
> Event Source: CertSvc
> Event Category: None
> Event ID: 77
> Date: 19/12/2005
> Time: 6:06:41 PM
> User: N/A
> Computer: CALAIS
> Description:
> The "Windows default" Policy Module logged the following warning: The
> SmartcardLogon(v1.0): V1 Certificate Template could not be loaded.
> Element not found. 0x80070490 (WIN32: 1168).
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Event Type: Warning
> Event Source: CertSvc
> Event Category: None
> Event ID: 77
> Date: 19/12/2005
> Time: 6:06:41 PM
> User: N/A
> Computer: CALAIS
> Description:
> The "Windows default" Policy Module logged the following warning: The
> SmartcardLogon Certificate Template could not be loaded. Element not
> found. 0x80070490 (WIN32: 1168).
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Event Type: Warning
> Event Source: CertSvc
> Event Category: None
> Event ID: 77
> Date: 19/12/2005
> Time: 6:06:41 PM
> User: N/A
> Computer: CALAIS
> Description:
> The "Windows default" Policy Module logged the following warning: The
> ClientAuth(v0.0): V1 Certificate Template could not be loaded. Element
> not found. 0x80070490 (WIN32: 1168).
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> ... and a bunch of similar events
>
> ...then the autoenrollment error...
>
> Event Type: Warning
> Event Source: CertSvc
> Event Category: None
> Event ID: 53
> Date: 19/12/2005
> Time: 6:07:20 PM
> User: N/A
> Computer: CALAIS
> Description:
> Certificate Services denied request 469 because The requested certificate
> template is not supported by this CA. 0x80094800 (-2146875392). The
> request was for TICKINGCLOCK\CALAIS$. Additional information: Denied by
> Policy Module 0x80094800, The request was for a certificate template that
> is not supported by the Certificate Services policy: DomainController.
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 13
> Date: 19/12/2005
> Time: 6:07:20 PM
> User: N/A
> Computer: CALAIS
> Description:
> Automatic certificate enrollment for local system failed to enroll for one
> Domain Controller certificate (0x80094800). The requested certificate
> template is not supported by this CA.
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> The system seems to be running OK but clearly these events can't be good.
>
> Does anyone know how to fix these?
>
> TIA
> Karl from Oz
>
>
>
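
The manual comparison of template permissions between a known-good and a broken server, described in the reply above, can be scripted. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later on a domain-joined machine, and the parameter names and output path are hypothetical.

```powershell
# Added example (not from the original post). Run on each server, then compare.
param(
    [string]$OutFile = ".\template-acls-$env:COMPUTERNAME.csv",  # assumed output path
    [string]$CompareWith   # optional: CSV exported on the known-good server
)

# Extended-right GUIDs that control certificate enrollment on a template.
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

# Templates live in the forest-wide Configuration partition.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$rows = foreach ($tmpl in $container.psbase.Children) {
    $name = [string]$tmpl.cn
    try {
        $acl = $tmpl.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])
    } catch {
        # An unreadable template is itself a finding: record it and move on.
        [pscustomobject]@{ Template = $name; Principal = '<unreadable>'; Type = ''
                           Rights = ''; ExtendedRight = ''; Inherited = '' }
        continue
    }
    foreach ($ace in $acl) {
        $guid = $ace.ObjectType.ToString()
        [pscustomobject]@{
            Template      = $name
            # Drop the domain prefix so ACLs from two different domains line up.
            Principal     = $ace.IdentityReference.Value -replace '^[^\\]+\\', ''
            Type          = $ace.AccessControlType
            Rights        = $ace.ActiveDirectoryRights
            ExtendedRight = if ($rights.ContainsKey($guid)) { $rights[$guid] } else { $guid }
            Inherited     = $ace.IsInherited
        }
    }
}
$rows | Sort-Object Template, Principal | Export-Csv $OutFile -NoTypeInformation

if ($CompareWith) {
    # '<=' rows exist only on this server, '=>' only in the reference export.
    Compare-Object (Import-Csv $OutFile) (Import-Csv $CompareWith) `
        -Property Template, Principal, Type, Rights, ExtendedRight |
        Sort-Object Template, Principal | Format-Table -AutoSize
}
```

Rows marked `<unreadable>` correspond to the access-denied symptom seen in certtmpl.msc; a template missing Enroll for the principal that requests it is refused at enrollment time.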

