Unable to issue an Active Directory CA template

  • 197 Views
  • Last Post 26 September 2016
kbeahm posted this 26 September 2016


How do I verify which certificate templates have been published for my domain?  I am trying to issue a "Web Server" certificate, but when I browse http://MyCAname/certsrv all I see is one template option in the template drop down … but I know I used to be able to select "Web Server".  When I open the CA Management MMC console I can see the "Web Server" template listed under "Certificate Templates", and if I right click that folder and select manage I see that the "Web Server" template has Full and Enroll rights for the users I have tested with.  What might I be overlooking, and would there be anything wrong with just copying the "Web Server" template and republishing it?   Thank you for your time and consideration.

Keith D. Beahm | Messaging and Storage Architect | Stinson Leonard Street LLP
1201 Walnut Street, Suite 2900 | Kansas City, MO 64106-2150
T: 816.691.3374 | M: 816.808.8983 | F: 816.412.1022
kbeahm@xxxxxxxxxxxxxxxx | www.stinson.com

This communication (including any attachments) is from a law firm and may contain confidential and/or privileged information.  If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.

BrianB posted this 26 September 2016

If you want all users to be able to enroll, try granting Authenticated Users - read and enroll privs. Otherwise grant similar to a specific security group.



Brian Britt



Get Outlook for Android


kbeahm posted this 26 September 2016

Thank you for your reply Brian.  If I update the template won't I have to re-publish it?  And if that is the fix, then how to verify what certificate templates have already been published (i.e., for proactive monitoring in a multi admin environment)?


BrianB posted this 26 September 2016

You won't have to republish if you change the security. Only if you duplicate it to a new template. I would run the mmc as a normal user or a user that is a member of whatever security group you are publishing to and see what templates are available to you.

Another way is to run certutil -templates as that user. Or some derivative of certutil. Sorry I may not have that command correctly memorized. There are also powershell commandlets that you can use which may be easier.



Brian Britt



Get Outlook for Android
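The "which templates are published, and who can actually enroll" check Brian describes, done from PowerShell against AD rather than by logging in as each test user. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Configuration partition.

```powershell
# Added example: enumerate templates published on each enterprise CA and the
# principals holding Enroll (or Full Control) on every template definition.
# Assumes the RSAT ActiveDirectory module (provides Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pki = "CN=Public Key Services,CN=Services,$cfg"
# Well-known extended-right GUID for Certificate-Enrollment ("Enroll") on template objects
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# 1. What each CA publishes: the certificateTemplates attribute of its enrollment-service
#    object. A template not listed here never appears in the /certsrv drop-down,
#    no matter what its ACL says.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
foreach ($ca in $cas) {
    Write-Host "CA: $($ca.Name)"
    $ca.certificateTemplates | Sort-Object | ForEach-Object { Write-Host "    published: $_" }
}

# 2. Who can enroll on each template definition. "Status: Unavailable" in the MMC
#    means the current user matched none of these entries.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pki" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, revision, msPKI-Template-Minor-Revision
foreach ($t in $templates) {
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # explicit Enroll extended right (or an unscoped ExtendedRight grant)
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)) -or
            # Full Control implies Enroll
            ($_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        )
    } | Select-Object -ExpandProperty IdentityReference -Unique

    [pscustomobject]@{
        Template  = $t.Name
        Display   = $t.displayName
        # revision.minor is the "100.2"-style version shown in the MMC
        Version   = "$($t.revision).$($t.'msPKI-Template-Minor-Revision')"
        CanEnroll = ($enrollers -join ', ')
    }
}
```

Run this after changing template security; the ACL is read from AD, so the new entries should appear without republishing. Before granting Enroll to Authenticated Users on a template like Web Server, whose subject name is supplied in the request, prefer the specific security group Brian mentions, since every enrollee then chooses the names that go into the certificate.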

kbeahm posted this 26 September 2016

Using the MMC the old "Web Server" and a new duplicated "New Web Server" certificate are visible after I select Show All, but they are both marked as Status: Unavailable and the details state "The permissions on the certificate template do not allow the current user to enroll for this type of certificate".  I have created and published new "Web Server" duplicate templates that are version "100.2".  One with minCA 2003Ent support and the other with minCA 2008Ent support.  The CA is hosted on a Server 2008R2 Ent server.  Any additional thoughts or suggestions?


SmitaCarneiro posted this 26 September 2016

It sounds like the user you are logged in as does not have permission to that template.

Change the permissions to ‘Domain users’ or ‘Authenticated Users’ and see if you get the same error.

Smita Carneiro, GCWN

Active Directory Systems Engineer

IT Security and Policy

Ross Enterprise Center

3495 Kent Avenue, Suite 100

West Lafayette, IN 47906