When trying to request a new certificate for DomainControllerAuthentication from our DC designated as the CA, we keep receiving an access denied error.
The following events are generated in the event viewer:
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:32 PM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA (Access is denied. 0x80070005 (WIN32: 5)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="49754">13</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:32.000000000Z" />
<EventRecordID>5750</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="TemplateName">DomainControllerAuthentication</Data>
<Data Name="RequestId">vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA</Data>
<Data Name="CA">N/A</Data>
<Data Name="ErrorCode">Access is denied. 0x80070005 (WIN32: 5)</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:29 PM
Event ID: 64
Task Category: None
Level: Information
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system successfully load policy from policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">64</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
<EventRecordID>5749</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="ServerID">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:29 PM
Event ID: 65
Task Category: None
Level: Information
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system is successfully authenticated by policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">65</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
<EventRecordID>5748</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="ServerURL">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
</EventData>
</Event>
So far we have:
- Verified the DCOM Certificate Enrollment group members to ensure that the proper DCs and users are added to the group.
- Verified the permissions on the CA and on the templates to ensure that the user and the DC requesting the new certificate has proper permissions to create a new certificate based on the template.
- Ensured that no objects remains in the tree for the old lost DC who had the CA role
However these steps did not allow us to request new certificates...
0 Answers