subordinate ent CAs don't publish certs to AD after Win 2k3 SP1

Posted by enriz on July 23, 2005, 1:00 pm
Hi,

My system consists of a single Windows 2003 domain.
I've got an enterprise root CA installed on a Domain Controller and a
subordinate enterprise CA on another server, which issues only secure email
purpose certificates.
Both of these servers run Win 2003 Enterprise Edition.
Before SP1 was installed on both servers, everything went well: the
subordinate CA issued certificates and published them to AD via the
autoenrollment process.
After installing SP1 on both servers, users cannot autoenroll
certificates and, if enrollment is done manually, i.e. by the web server, the
subordinate CA issues the certificates but DOES NOT publish them to AD.
In Event Viewer I always see the warning (source: certsvc; event id: 80)

Certificate Services could not publish a Certificate for request 9 to the
following location on server testup.prova.upg:
CN=user_test,CN=Users,DC=prova,DC=upg. Insufficient access rights to perform
the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

Note that if the same kind of certificate is requested from the domain
controller's CA (the root CA), it is published to AD!
Any ideas?
I've already checked that:
1) Both servers (the root CA and the subordinate CA) are members of the Cert
Publishers group, and this group has permissions to read and write the
userCertificate attribute on users.
2) The brand new security group added to the AD structure by the SP1
installation, CERTSVC_DCOM_ACCESS, contains both the Domain Users and Domain
Computers groups. I've also added the Domain Controllers group, but nothing changed.

PLEASE help me, I'm really in a mess!!!
Thanks in advance!!!
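A way to verify the two conditions the post lists (Cert Publishers membership, and an ACE granting that group write access to userCertificate on the target user object), written as an added PowerShell example that is not part of this thread. It assumes the RSAT ActiveDirectory module and its AD: drive are available and reuses the user DN from the event 80 text.

```powershell
# Added example, not from the thread. Checks whether "Cert Publishers" is
# actually granted WriteProperty on the userCertificate attribute of the user
# named in the event 80 message, and lists the group's current members.
Import-Module ActiveDirectory

$userDn   = 'CN=user_test,CN=Users,DC=prova,DC=upg'   # DN from the event text
$group    = Get-ADGroup 'Cert Publishers'
$groupSid = $group.SID

# Resolve the schemaIDGUID of userCertificate. ACEs scoped to a single
# attribute carry that GUID in ObjectType; an empty GUID means "all properties".
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID

# Pull the DACL of the user object and keep only Allow ACEs for Cert Publishers
# that confer write on userCertificate (directly, or via a broader right).
$acl = Get-Acl -Path ("AD:\" + $userDn)
$writeAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll') -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
    ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid)
}

if ($writeAces) {
    "Cert Publishers can write userCertificate on $userDn :"
    $writeAces | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
} else {
    "No ACE grants Cert Publishers write access to userCertificate on $userDn"
}

# The CA computer accounts (root CA and subordinate CA) should both appear here.
"Members of Cert Publishers (scope: $($group.GroupScope)):"
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```

Run it on a machine with the AD module against the same domain as the CAs; if the ACE is present but publishing still fails, the denied operation is coming from the identity the subordinate CA service actually presents to the DC, which is the next thing to compare against the root CA's.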

Posted by Daya on August 1, 2005, 10:41 am
Enriz,
I do not have the details in front of me, but this has to do with a GPO
setting for the domain. You will need to use the policy editor to ensure that
the GPO is set correctly and then gpforce... Sorry I don't have more
details...

Daya


--
Daya Puls, CISSP
IT Security, Sigma Systems, Marlborough, MA
