
subordinate ent CAs don't publish certs to AD after Win 2k3 SP1


enriz

Jul 23, 2005, 1:00:03 PM
Hi,

My system consists of a single Windows 2003 domain.
I've got an enterprise root CA installed on a Domain Controller and a
subordinate enterprise CA on another server, which issues only secure email
purpose certificates.
These two servers both run Win 2003 Enterprise Ed.
Before having SP1 installed on both servers, everything went well: the
subordinate CA issued certificates and published them to AD with the
autoenrollment process.
After having SP1 installed on both servers, users cannot autoenroll
certificates and, if enrollment is done manually, i.e. by web server, the
subordinate CA issues the certificates but DOES NOT publish them to AD.
In Event Viewer I always see the warning (source: certsvc; event id: 80)

Certificate Services could not publish a Certificate for request 9 to the
following location on server testup.prova.upg:
CN=user_test,CN=Users,DC=prova,DC=upg. Insufficient access rights to perform
the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

Note that if the same kind of certificate is requested from the domain
controller's CA (the root CA), it will be published to AD!
Any ideas?
I've already checked that:
1) Both servers, the one with the root CA and the one with the subordinate CA,
are members of the Cert Publishers group, and this group has permissions to
read and write the userCertificate attribute on users.
2) The brand-new security group added to the AD structure by the SP1
installation, CERTSVC_DCOM_ACCESS, contains both the Domain Users and Domain
Computers groups. I've also added the Domain Controllers group, but nothing
changed.

PLEASE help me, I’m really in a mess!!!
Thanks in advance!!!
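The two conditions listed in this post (CA computer account in Cert Publishers, and that group able to write userCertificate on the user) plus the event 80 warning can be verified from one place. The script below is an added diagnostic and is not from the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is available, that it runs as an account allowed to read AD ACLs and the CA's Application log, and that the `SUBCA01` and `user_test` values are placeholders to replace. It uses the classic `Get-EventLog` cmdlet with the `CertSvc` source named in the post.

```powershell
<#
  Added diagnostic for the publishing failure described above (CertSvc event 80,
  0x80072098 / INSUFF_ACCESS_RIGHTS). Not code from the original thread.
  Assumes the ActiveDirectory module is installed and that $CaComputer and
  $SampleUser are placeholders you replace with your own names.
#>
param(
    [string]$CaComputer = 'SUBCA01',    # placeholder: subordinate CA host name
    [string]$SampleUser = 'user_test'   # user named in the event 80 message
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Check([bool]$Ok, [string]$Message) {
    $tag = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$tag] $Message"
}

# 1) The CA's computer account must be a member of Cert Publishers (nesting counts).
#    Membership only takes effect after the CA host reboots and gets a fresh token.
$caAccount  = Get-ADComputer -Identity $CaComputer
$publishers = Get-ADGroupMember -Identity 'Cert Publishers' -Recursive
$isMember   = @($publishers.distinguishedName) -contains $caAccount.DistinguishedName
Write-Check $isMember "$CaComputer`$ is a member of Cert Publishers"

# 2) Cert Publishers needs an Allow WriteProperty ACE for userCertificate on the
#    target user (attribute-specific or blanket WriteProperty). Look up the
#    attribute's schemaIDGUID from the schema rather than hard-coding it.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$attrObject   = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
$userCertGuid = [guid]$attrObject.schemaIDGUID

$user = Get-ADUser -Identity $SampleUser -Properties adminCount
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
$pubAces = $acl.Access | Where-Object { $_.IdentityReference.Value -like '*\Cert Publishers' }

$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allowWrite = $pubAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    ($_.ObjectType -eq $userCertGuid -or $_.ObjectType -eq [guid]::Empty)
}
$denyAces = $pubAces | Where-Object { $_.AccessControlType -eq 'Deny' }

Write-Check ([bool]$allowWrite) "Cert Publishers has Allow WriteProperty on userCertificate for $SampleUser"
Write-Check (-not $denyAces)    "No Deny ACE for Cert Publishers on $SampleUser"

# Caveat: protected accounts (adminCount=1) get their ACL from AdminSDHolder with
# inheritance blocked, so a domain-level Cert Publishers grant never reaches them.
if ($acl.AreAccessRulesProtected -or $user.adminCount -eq 1) {
    Write-Host "[WARN] $SampleUser has inheritance blocked / adminCount=1; inherited publish rights do not apply"
}

# 3) Pull recent CertSvc event 80 warnings from the CA's Application log so the
#    failing request numbers and target DNs can be matched to the ACL findings.
$events = Get-EventLog -ComputerName $CaComputer -LogName Application -Source CertSvc -Newest 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 80 }
Write-Check ($events.Count -eq 0) "No CertSvc event 80 publish failures in the last 500 Application entries on $CaComputer"
$events | Select-Object TimeGenerated, @{n='Message'; e={ $_.Message -replace '\s+', ' ' }} | Format-Table -Wrap
```

Run it from a domain-joined admin workstation as `.\Check-CaPublish.ps1 -CaComputer <your CA> -SampleUser <user from the event>`. A FAIL on check 1 or 2 explains the 0x80072098 error directly; if both pass and event 80 still fires, the CA process itself is not running under the identity you expect, which is the direction the rest of this thread ends up taking.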

Daya

Aug 1, 2005, 10:41:14 AM
Enriz,
I do not have the details in front of me, but this has to do with a GPO
setting for the domain. You will need to use the policy editor to ensure that
the GPO is set correctly and then gpforce... Sorry I don't have more
details...

Daya


--
Daya Puls, CISSP
IT Security, Sigma Systems, Marlborough, MA

enriz

Aug 22, 2005, 6:11:04 AM
Hi all,

Finally I solved this problem!
Win 2k3 with SP1 does not allow some operations to be done directly by the
Administrator account (I mean the DOMAIN_NAME\Administrator account).
I created a special new administrator account (I called it CAAdmin), a member
of both the Domain Admins and Enterprise Admins groups.
Then I re-installed the subordinate CA using this new account.
Now everything goes well!

bye
enrz
