RE: sbs 2k3 - certificate authority web server template - not being able to issue a certificate



Hi Pedro,

Thanks for posting here.

From the description, I understand the issue is that you got an event ID 53
error when you requested a certificate. If I am off base, please don't hesitate
to let me know.

Let us refer to the following steps to troubleshoot the issue:

1. Add the following member groups to the CERTSVC_DCOM_ACCESS security
group:
- Domain Users
- Domain Computers
- Enterprise Domain Controllers

2.
- Certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
- Net stop certsvc
- Net start certsvc

You must restart the server for the changes to take effect.

Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access
permissions and DCOM Launch and Activation permissions on the computer that
hosts the certification authority.
a. Click Start, point to Program, point to Administrative Tools, and then
click Component Services.
b. Expand the Component Services node.
c. Expand the Computers node.
d. Right-click the My Computer node, and then click Properties.
e. Click the COM Security tab.
f. Under Access Permission, click Edit Limits.
g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and
Allow Remote Access permissions, and then click Cancel.
h. Under Launch and Activation Permissions, click Edit Limits.
i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation
and Allow Remote Activation permissions, and then click Cancel.
j. Click Cancel, and then close the Component Services console.


3. View any of the certificate templates by using ADSIEdit.msc or by using
LDP.exe. You can check if the following attributes are missing:
- msPKI-Certificate-Application-Policy
- msPKI-Certificate-Name-Flag
- msPKI-Certificate-Policy
- msPKI-Cert-Template-OID
- msPKI-Enrollment-Flag
- msPKI-Minimal-Key-Size
Note: You can find the certificate templates at the following location:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,dc=DomainComponent,dc=DomainComponent

4. Update the templates by reregistering the %windir%\System32\Certcli.dll
file on the CA server. To do this, follow these steps:
a. Click Start, click Run, type cmd, and then click OK.
b. At the command prompt, type the following command, and then press
ENTER:
regsvr32 /i:i /n /s %windir%\system32\certcli.dll
c. Type the following commands. Press ENTER after each command.
net stop certsvc
net start certsvc
d. Type exit, and then press ENTER to close the Command Prompt window.


If the issue persists, please help me collect the following information for
analysis:

Verify that templates have not loaded by enabling debug logging for the
CertSvc service and then restarting the service. To do this, follow these
steps:
1. Click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command, and then press
ENTER:
certutil -setreg ca\debug 0xffffffe3
3. Type the following commands. Press ENTER after each command.
net stop certsvc
net start certsvc
4. Type exit, and then press ENTER to close the Command Prompt window.

Send the %windir%\Certsrv.log file to me at v-jaluo@xxxxxxxxxxxxx


More useful information:

http://support.microsoft.com/?id=931354

http://support.microsoft.com/?id=932457

http://support.microsoft.com/?id=927066


I appreciate your time. I am happy to be of assistance and look forward to
your reply.

Have a nice day!

Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
====================================================
PLEASE NOTE: The partner managed newsgroups are provided to
assist with break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================
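
Added example, not part of the original post: a read-only PowerShell check that performs the step 3 inspection across every template at once instead of opening each one in ADSIEdit.msc or LDP.exe. It assumes a domain-joined machine and an account that can read the Configuration partition; the variable names are illustrative.

```powershell
# Added example: list certificate templates that lack any of the msPKI-*
# attributes named in step 3. Makes no changes to the directory.

$attrs = @(
    'msPKI-Certificate-Application-Policy',
    'msPKI-Certificate-Name-Flag',
    'msPKI-Certificate-Policy',
    'msPKI-Cert-Template-OID',
    'msPKI-Enrollment-Flag',
    'msPKI-Minimal-Key-Size'
)

# Resolve the Configuration naming context instead of hard-coding the dc= components.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'][0]
$base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter      = '(objectClass=pKICertificateTemplate)'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add('cn')
foreach ($a in $attrs) { [void]$searcher.PropertiesToLoad.Add($a) }

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        # LDAP returns nothing for an attribute that holds no value, so "missing"
        # here means the attribute was never written or is empty.
        $missing = @($attrs | Where-Object { -not $r.Properties.Contains($_) })
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{
                Template = [string]$r.Properties['cn'][0]
                Missing  = ($missing -join ', ')
            }
        }
    }
} finally {
    $results.Dispose()   # release the unmanaged search handle
}

if ($report) { $report | Sort-Object Template | Format-Table Template, Missing -AutoSize -Wrap }
else         { 'All templates carry the six attributes.' }
```

Running it before and after the Certcli.dll re-registration in step 4 shows whether the templates were actually updated.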