CA errors


    I am receiving the following error message when I try and renew a certificate -

    You do not have permission to request a certificate based on the selected certificate template.

    The server is Windows Server 2003 SP1

    The following error is in the application log after CA services is restarted -

    The "Windows default" Policy Module logged the following warning: The Administrator Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 116.

    I found the following information on the Microsoft website relating to the problem I am having -

    When Certificate Services starts on a Certification Authority (CA), a certificate template is unable to load and certificate requests are unsuccessful using the same template.

    The behavior can occur because the Authenticated Users group is removed from the template's access control list (ACL). The Authenticated Users group is on a template ACL, by default. (The CA itself is included in this group.) If the Authenticated Users group is removed, the (enterprise) CA itself can no longer read the template in the Active Directory, and therefore, certificate requests can be unsuccessful.

    If an administrator wants to remove the Authenticated Users group, each and every CA's computer account must be added to the template ACLs and set to Read.

    If authenticated users have been removed from the ACLs of a template, the following errors may be observed when the CA starts and when a certificate is requested against the template.

    Does anyone know how to add authenticated users back to the ACL of a template?

    I have been researching this for a while and can't find a solution. Any help would be great.


  • #2
    Re: CA errors

    Hi sniksahs.
    Maybe this will address your questions
    Certificate templates are published to the configuration naming context, which is stored on every domain controller in the forest in the path CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain. Each certificate template exists as an object in the configuration naming context and has an associated DACL, which defines what specific operations a security principal can do with the certificate.

    Use the following recommendations for permissions assignments:

    Assign permissions only to global groups or to universal groups. Certificate templates are defined in the configuration naming context. Permissions should only be assigned to global groups or to universal groups. It is not recommended to assign permissions to domain local groups. They are only recognized in the domain where the domain local group exists and can result in inconsistent application of permissions. It is recommended to never assign permissions directly to an individual user or computer account.

    To enable auto-enrollment, a user or computer must belong to domain groups that are granted Read, Enroll, and Autoenroll permissions.

    To enable enrollment via the Certificates MMC console, through Web-based enrollment, or through auto-renewal, set either domain or universal groups with Read and Enroll permissions.

    For certificate renewal, a user or computer must belong to a domain security group with Read and Enroll permissions. This is true whether the certificate is manually renewed or the renewal is implemented using auto-enrollment.

    Restrict Write and Full Control permissions to CA managers to ensure that the templates are not improperly configured.
    Taken from

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
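The reply above explains where templates live (the Certificate Templates container in the configuration naming context) and which permissions matter (Read, Enroll, Autoenroll), and the original question asks how to put Authenticated Users back on a template's ACL. The script below is an added example, not code from the thread or from Microsoft: it audits the Allow ACEs on one template, decoding the Enroll and Autoenroll extended rights so the output matches what the Certificate Templates console shows, and restores the default Read grant for Authenticated Users (or, if you have chosen to drop that group as the quoted article describes, for a CA's computer account). It assumes a management workstation with RSAT and the ActiveDirectory PowerShell module, an account that holds Write DACL on the template object, and that "Read" in certtmpl.msc corresponds to the GenericRead mask on the AD object; the template is addressed by its CN (the template name, e.g. Administrator), not its display name. The function names are mine.

```powershell
# Added example (not from the thread): audit and repair the ACL on an AD CS
# certificate template object. Assumes RSAT / ActiveDirectory module and an
# account with Write DACL on the template.
Import-Module ActiveDirectory

# Well-known SID of Authenticated Users and the well-known extended-right
# GUIDs that certtmpl.msc displays as "Enroll" and "Autoenroll".
$AuthenticatedUsers  = [System.Security.Principal.SecurityIdentifier] 'S-1-5-11'
$EnrollRightGuid     = [Guid] '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRightGuid = [Guid] 'a05b8cc2-17bc-11d2-91f3-0000f87a57d4'   # Certificate-AutoEnrollment
$GenericRead         = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$ExtendedRight       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Build the AD: provider path of a template from its CN (template name).
function Get-CertTemplatePath {
    param([Parameter(Mandatory)][string] $TemplateName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "AD:\CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

# List every Allow ACE on the template with the rights the CA cares about.
# Use this first to confirm whether Authenticated Users (or each CA's
# computer account) still holds Read; without it the CA cannot load the
# template and logs the 0x80070490 warning quoted in the question.
function Get-CertTemplateAccess {
    param([Parameter(Mandatory)][string] $TemplateName)
    $acl = Get-Acl -Path (Get-CertTemplatePath $TemplateName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = @()
        # Full GenericRead mask present => shown as "Read" in the console.
        if (($ace.ActiveDirectoryRights -band $GenericRead) -eq $GenericRead) { $rights += 'Read' }
        if ($ace.ActiveDirectoryRights -band $ExtendedRight) {
            if     ($ace.ObjectType -eq $EnrollRightGuid)     { $rights += 'Enroll' }
            elseif ($ace.ObjectType -eq $AutoEnrollRightGuid) { $rights += 'Autoenroll' }
            elseif ($ace.ObjectType -eq [Guid]::Empty)        { $rights += 'AllExtendedRights' }
        }
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Rights   = ($rights -join ',')
        }
    }
}

# Restore the default Read grant. Authenticated Users includes the
# enterprise CA's own computer account, which is why removing it breaks
# template loading. Pass -Principal to grant a specific CA computer account
# instead if you intentionally keep Authenticated Users off the template.
function Grant-CertTemplateRead {
    param(
        [Parameter(Mandatory)][string] $TemplateName,
        [System.Security.Principal.IdentityReference] $Principal = $AuthenticatedUsers
    )
    $path = Get-CertTemplatePath $TemplateName
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Principal,
        $GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (the template name "Administrator" is the one from the question):
Get-CertTemplateAccess -TemplateName Administrator | Format-Table -AutoSize
Grant-CertTemplateRead -TemplateName Administrator
# Or, to grant a CA's computer account instead of Authenticated Users
# (placeholder account name; replace with your CA's DOMAIN\HOST$):
# Grant-CertTemplateRead -TemplateName Administrator `
#     -Principal ([System.Security.Principal.NTAccount] 'CONTOSO\CA01$')
```

After the change, restart Certificate Services on the CA and confirm the "Administrator Certificate Template could not be loaded" warning no longer appears in the application log; the audit function is also a convenient way to periodically check that only the intended global or universal groups hold Enroll and Autoenroll, in line with the recommendations above.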