Autoenrollment error with Win2K3 servers - Event IDs 13 and 17

  • Thread starter Thread starter Boe
  • Start date Start date
B

Boe

Guest
Hi,

I recently installed an Enterprise Root CA on my domain and am running into
some issues with my servers autoenrolling a computer certificate while all of
my workstations can autoenroll without any issue. Also, the CA can
autoenroll itself for a computer certificate as well. Some background
regarding this listed below:
-All servers are Windows 2003 SP2 Enterprise
-All workstations are Windows 2000 SP4
-CA is installed on a member server in the domain
-Workstations are able to autoenroll and request a cert via MMC and Web
-Servers to include DC's are unable to autoenroll or request via MMC and Web
MMC error I get is "The certificate request failed because of one of the
following conditions: The certificate request was submitted to a
Certification Authority (CA) that is not started. You do not have the
permissions to request certificates from the available CAs."
Web error is "No certificate templates could not be found. You do not have
permission to request a certificate from this CA, or an error occurred while
accessing the Active Directory."

I have spent a decent amount of time searching for a solution for this issue
and everything that I have came across doesn't seem to fix my problem. I have
gracefully decommisioned my CA and rebuilt it without any resolution.

Some things I have tried to do to fix this issue:
-Located the CERTSVR_DCOM_ACCESS group on the CA and added "Domain Users,
Domain Computers, Domain Controllers and Domain Servers" groups, ran the
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, and then
rebooted the server.
-Verified the ACLs on the Machine Keys folder on each server so only System
and Administrators had Full Access and Everyone had Read
-Verified that sServerConfig value matched the Certdat.inc value
-Ran certutil -ping on CA from a server and verified success
-Verified certsvc and RDP ports are listening via portqry.exe
-Verified "Auth. Users" have 'Request Certs' permissions on root of CA
-Using dssite.msc, verified that "Auth Users" have Read and Enroll and
"Domain Computers" have 'Read and Enroll'
-All servers have CA cert in 'Trusted Root Certificate Authorites'

I am running out of ideas on why only workstations and the CA can autoenroll
and recieve a computer certificate. One thing I have yet to try is to
duplicate the computer certificate and adjust permissions in hopes of maybe
only a version 2 cert will work with Windows 2003 autorenrollment, but am
doubting it.

If anyone needs more information or event log info, I can provide it.

Thanks,
 
I meant RPC port, not RDP in my post

"Boe" wrote:

> Hi,
>
> I recently installed an Enterprise Root CA on my domain and am running into
> some issues with my servers autoenrolling a computer certificate while all of
> my workstations can autoenroll without any issue. Also, the CA can
> autoenroll itself for a computer certificate as well. Some background
> regarding this listed below:
> -All servers are Windows 2003 SP2 Enterprise
> -All workstations are Windows 2000 SP4
> -CA is installed on a member server in the domain
> -Workstations are able to autoenroll and request a cert via MMC and Web
> -Servers to include DC's are unable to autoenroll or request via MMC and Web
> MMC error I get is "The certificate request failed because of one of the
> following conditions: The certificate request was submitted to a
> Certification Authority (CA) that is not started. You do not have the
> permissions to request certificates from the available CAs."
> Web error is "No certificate templates could not be found. You do not have
> permission to request a certificate from this CA, or an error occurred while
> accessing the Active Directory."
>
> I have spent a decent amount of time searching for a solution for this issue
> and everything that I have came across doesn't seem to fix my problem. I have
> gracefully decommisioned my CA and rebuilt it without any resolution.
>
> Some things I have tried to do to fix this issue:
> -Located the CERTSVR_DCOM_ACCESS group on the CA and added "Domain Users,
> Domain Computers, Domain Controllers and Domain Servers" groups, ran the
> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, and then
> rebooted the server.
> -Verified the ACLs on the Machine Keys folder on each server so only System
> and Administrators had Full Access and Everyone had Read
> -Verified that sServerConfig value matched the Certdat.inc value
> -Ran certutil -ping on CA from a server and verified success
> -Verified certsvc and RDP ports are listening via portqry.exe
> -Verified "Auth. Users" have 'Request Certs' permissions on root of CA
> -Using dssite.msc, verified that "Auth Users" have Read and Enroll and
> "Domain Computers" have 'Read and Enroll'
> -All servers have CA cert in 'Trusted Root Certificate Authorites'
>
> I am running out of ideas on why only workstations and the CA can autoenroll
> and recieve a computer certificate. One thing I have yet to try is to
> duplicate the computer certificate and adjust permissions in hopes of maybe
> only a version 2 cert will work with Windows 2003 autorenrollment, but am
> doubting it.
>
> If anyone needs more information or event log info, I can provide it.
>
> Thanks,
 
Some event log information:
Event Type: Warning
Event Source: AutoEnrollment
Event Category: None
Event ID: 17
Date: 10/24/2008
Time: 8:45:13 AM
User: N/A
Computer: %hostname%
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate from certificate authority %CA NAME% on %CA FQDN%
(0x80070005). Access is denied.
Another certificate authority will be contacted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 10/24/2008
Time: 8:45:13 AM
User: N/A
Computer: %hostname%
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"Boe" wrote:

> Hi,
>
> I recently installed an Enterprise Root CA on my domain and am running into
> some issues with my servers autoenrolling a computer certificate while all of
> my workstations can autoenroll without any issue. Also, the CA can
> autoenroll itself for a computer certificate as well. Some background
> regarding this listed below:
> -All servers are Windows 2003 SP2 Enterprise
> -All workstations are Windows 2000 SP4
> -CA is installed on a member server in the domain
> -Workstations are able to autoenroll and request a cert via MMC and Web
> -Servers to include DC's are unable to autoenroll or request via MMC and Web
> MMC error I get is "The certificate request failed because of one of the
> following conditions: The certificate request was submitted to a
> Certification Authority (CA) that is not started. You do not have the
> permissions to request certificates from the available CAs."
> Web error is "No certificate templates could not be found. You do not have
> permission to request a certificate from this CA, or an error occurred while
> accessing the Active Directory."
>
> I have spent a decent amount of time searching for a solution for this issue
> and everything that I have came across doesn't seem to fix my problem. I have
> gracefully decommisioned my CA and rebuilt it without any resolution.
>
> Some things I have tried to do to fix this issue:
> -Located the CERTSVR_DCOM_ACCESS group on the CA and added "Domain Users,
> Domain Computers, Domain Controllers and Domain Servers" groups, ran the
> certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, and then
> rebooted the server.
> -Verified the ACLs on the Machine Keys folder on each server so only System
> and Administrators had Full Access and Everyone had Read
> -Verified that sServerConfig value matched the Certdat.inc value
> -Ran certutil -ping on CA from a server and verified success
> -Verified certsvc and RDP ports are listening via portqry.exe
> -Verified "Auth. Users" have 'Request Certs' permissions on root of CA
> -Using dssite.msc, verified that "Auth Users" have Read and Enroll and
> "Domain Computers" have 'Read and Enroll'
> -All servers have CA cert in 'Trusted Root Certificate Authorites'
>
> I am running out of ideas on why only workstations and the CA can autoenroll
> and recieve a computer certificate. One thing I have yet to try is to
> duplicate the computer certificate and adjust permissions in hopes of maybe
> only a version 2 cert will work with Windows 2003 autorenrollment, but am
> doubting it.
>
> If anyone needs more information or event log info, I can provide it.
>
> Thanks,
 
Solved the issue! After rebuilding the server from scratch and carefully
making security configuration changes, I was able to pinpoint the cause of my
frustration. In the Local Security Policy, under Local Policies\Security
Options, our security checklist has us change the SDDL's under "DCOM:Machine
Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"
and "DCOM:Machine Launch Restrictions in Security Descriptor Definition
Language (SDDL) syntax" from 'O:BAG:BAD:(A' on both items to something else
more restrictive. So with that, I am reading up on what these mean and what
I will need to do in order to comply with our security guidance and make this
work.

"Boe" wrote:

> Some event log information:
> Event Type: Warning
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 17
> Date: 10/24/2008
> Time: 8:45:13 AM
> User: N/A
> Computer: %hostname%
> Description:
> Automatic certificate enrollment for local system failed to enroll for one
> Computer certificate from certificate authority %CA NAME% on %CA FQDN%
> (0x80070005). Access is denied.
> Another certificate authority will be contacted.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 13
> Date: 10/24/2008
> Time: 8:45:13 AM
> User: N/A
> Computer: %hostname%
> Description:
> Automatic certificate enrollment for local system failed to enroll for one
> Computer certificate (0x80070005). Access is denied.
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> "Boe" wrote:
>
> > Hi,
> >
> > I recently installed an Enterprise Root CA on my domain and am running into
> > some issues with my servers autoenrolling a computer certificate while all of
> > my workstations can autoenroll without any issue. Also, the CA can
> > autoenroll itself for a computer certificate as well. Some background
> > regarding this listed below:
> > -All servers are Windows 2003 SP2 Enterprise
> > -All workstations are Windows 2000 SP4
> > -CA is installed on a member server in the domain
> > -Workstations are able to autoenroll and request a cert via MMC and Web
> > -Servers to include DC's are unable to autoenroll or request via MMC and Web
> > MMC error I get is "The certificate request failed because of one of the
> > following conditions: The certificate request was submitted to a
> > Certification Authority (CA) that is not started. You do not have the
> > permissions to request certificates from the available CAs."
> > Web error is "No certificate templates could not be found. You do not have
> > permission to request a certificate from this CA, or an error occurred while
> > accessing the Active Directory."
> >
> > I have spent a decent amount of time searching for a solution for this issue
> > and everything that I have came across doesn't seem to fix my problem. I have
> > gracefully decommisioned my CA and rebuilt it without any resolution.
> >
> > Some things I have tried to do to fix this issue:
> > -Located the CERTSVR_DCOM_ACCESS group on the CA and added "Domain Users,
> > Domain Computers, Domain Controllers and Domain Servers" groups, ran the
> > certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG, and then
> > rebooted the server.
> > -Verified the ACLs on the Machine Keys folder on each server so only System
> > and Administrators had Full Access and Everyone had Read
> > -Verified that sServerConfig value matched the Certdat.inc value
> > -Ran certutil -ping on CA from a server and verified success
> > -Verified certsvc and RDP ports are listening via portqry.exe
> > -Verified "Auth. Users" have 'Request Certs' permissions on root of CA
> > -Using dssite.msc, verified that "Auth Users" have Read and Enroll and
> > "Domain Computers" have 'Read and Enroll'
> > -All servers have CA cert in 'Trusted Root Certificate Authorites'
> >
> > I am running out of ideas on why only workstations and the CA can autoenroll
> > and recieve a computer certificate. One thing I have yet to try is to
> > duplicate the computer certificate and adjust permissions in hopes of maybe
> > only a version 2 cert will work with Windows 2003 autorenrollment, but am
> > doubting it.
> >
> > If anyone needs more information or event log info, I can provide it.
> >
> > Thanks,
 
You must log in or register to reply here.

Similar threads

N
setting up CES and CEP PKI in a trusted forest scenario
Replies
0
Views
12
NickSTL77
N
L
Problems with EFS on a shared folder of a domain file server
Replies
0
Views
6
Leonardo Izzo
L
K
Error enrolling certificates from our Enterprise Root CA - Some Servers and Some Certificates only
Replies
0
Views
31
KayZerSoze
K
K
Error enrolling certificates from our Enterprise Root CA - Some Servers and Some Certificates only
Replies
0
Views
5
KayZerSoze
K
B
The Kerberos protocol encountered an error while validating the KDC certificate during smartcard logon.
Replies
0
Views
8
Brandon Taylor3
B
Back
Top