Child domain new cert request - certificate template permissions do not allow current user to enroll 0x80094012
Is the user a member of a security group that has Read and Enroll permission on the certificate template? That is required.
Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29
When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template.
However, when you're using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template. When you use Certreq.exe, the computer permissions are not used.
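One way to verify the answer's point before touching the template: list which principals actually hold Read and Enroll on it. This is an added example, not code from the answer or the thread; it assumes the RSAT ActiveDirectory module is installed and that the template name matches the one in the inf file.

```powershell
# Added example: list the principals granted Read / Enroll on a certificate template.
# Templates live in the forest-wide Configuration partition, so one ACL governs
# requests from every domain in the forest, child domains included.
# Assumes the RSAT ActiveDirectory module (provides Get-ADRootDSE and the AD: drive).
Import-Module ActiveDirectory

$TemplateName = 'WebServer'   # template named in the [RequestAttributes] section
# Well-known GUID of the Certificate-Enrollment extended right
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$R = [System.DirectoryServices.ActiveDirectoryRights]

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries are not enrollment grants
    $rights = $ace.ActiveDirectoryRights

    # Read: the ACE grants ReadProperty (GenericRead includes it)
    $hasRead = $rights.HasFlag($R::ReadProperty)

    # Enroll: an ExtendedRight ACE for the Enroll GUID, an ExtendedRight ACE for
    # all extended rights (empty object GUID), or GenericAll
    $hasEnroll = $rights.HasFlag($R::ExtendedRight) -and
                 ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [Guid]::Empty)

    if ($hasRead -or $hasEnroll) {
        [PSCustomObject]@{ Identity = $ace.IdentityReference; Read = $hasRead; Enroll = $hasEnroll }
    }
}
```

If the child domain account is in none of the listed groups (directly or via nesting), that is the cause of 0x80094012; the fix is a group that the account is a member of appearing here with both Read and Enroll.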
morleyc, updated on September 18, 2022

morleyc almost 2 years ago:
I have the following AD configuration:

rootca (standalone, not domain connected)
- mydom.local
  - dc1.mydom.local
  - svr1.mydom.local
  - subca.mydom.local (enterprise subordinate CA)
  - other.mydom.local
    - dc1.other.mydom.local
    - svr1.other.mydom.local
I can register web server certificates OK for svr1.mydom.local; however, when I log into svr1.other.mydom.local with the child domain administrator I get the following error:

Permissions on the certificate template do not allow the current user to enroll for this type of certificate (0x80094012)

I think this must be related to permissions, however I am not sure how to proceed. What is the best practice to allow child domain administrators to request certificates from the subordinate CA located in the parent domain?
My inf file is below:
    [NewRequest]
    Subject="CN=svr1.other.mydom.local"
    Exportable=TRUE
    KeyLength=2048
    KeySpec=1
    MachineKeySet=TRUE

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

    [RequestAttributes]
    CertificateTemplate = WebServer

and I am running the following commands on svr1.other.mydom.local as [email protected]:

    certreq -new c:\svr1.inf c:\svr1.req
    certreq -submit c:\svr1.req c:\svr1.cer    ; I get the error here
morleyc almost 12 years ago: Thanks, the user requesting is the child domain administrator. Looking at template permissions I see Enterprise Admins and Domain Admins; is it acceptable/good practice to add the child domain admin group to these permissions?
Greg Askew almost 12 years ago: I'm not sure if this is a good-practice scenario. Seems like the only option for someone to use a template to enroll a cert is to have permission to do so. It's not as if you have another choice for where the templates are located or which template location to use.