
CA configuration to publish certs in AD


Patrik Nagel

Oct 2, 2006, 9:42:57 AM
My Enterprise Root CA can't publish certificates to AD which are issued
for users in the child domain. I receive the following warning in the
event log:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 02.10.2006
Time: 13:18:16
User: N/A
Computer: RootDomainDC
Description:
Certificate Services could not publish a Certificate for request 66 to
the following location on server ChildDomainDC: ChildDomainUser.
Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344). ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

The Enterprise Root CA is located on the DC in the root domain. I found
the following KB Article:
"Certification Authority configuration to publish certificates in Active
Directory of trusted domain" [Q281271]

In step number five - Delegate Control - on the child domain controller,
they describe how to add the "Cert Publishers" group from the parent
domain. But I can't add (find) this group, because the scope is set to
"domain local"!? I changed the scope to "universal" by using "dsmod" and
completed steps five and six as described. However, the warning
still appears!

I'm also confused about step number 3. I have only the Windows default exit
module with the property "allow certificates to be published to the
*file system*" and nothing like "...published in the *Active Directory*"
as described in the KB article.

Thanks in advance
Patrik

Brian Komar [MVP]

Oct 2, 2006, 4:28:00 PM
What is the current group type? You did not have to change it when it was a domain local
group. Is there a Certificate Publishers domain local group in the child domain? All that
you needed to do was add the CA's computer account to the domain local group and the
permission assignments would be complete.

The bottom line is that the CA must belong to the Cert Publishers group, and the Cert
Publishers group must be assigned permissions on the userCertificate attribute. As stated in
the article, you must assign the group the Read and Write permissions on the userCertificate
attribute.

If the certificates are not publishing correctly, then it was one of a few possible issues:
1) Did you enable the option in the certificate template to publish to the directory (use
certtmpl.msc to view the certificate template property pages)
2) Verify that you correctly did the *three* procedures described in step 5 of the article.
These are three separate procedures that *all* must be done
3) If you did the three steps, did you wait for the change of the group type to universal to
replicate. If you performed the permissions in child domain, while the group is still domain
local, then the permission assignments will fail in the child domain.

Brian

In article <OgSzrii...@TK2MSFTNGP06.phx.gbl>, patrik.na...@THISsep.ch says...
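Added here as a diagnostic (not from the thread or the KB article): a PowerShell script that checks the two conditions Brian names, run from the CA host with the ActiveDirectory module. Host and user names are the ones in Patrik's event log; the "Cert Publishers" group name and the AdminSDHolder path are standard, everything else is looked up at runtime.

```powershell
# Added diagnostic, not from the thread. Checks (1) that the CA computer account
# is a member of the child domain's Cert Publishers group and (2) that the group
# has Read/Write on userCertificate for the target user and on AdminSDHolder.
Import-Module ActiveDirectory

$CaComputer = 'RootDomainDC'     # CA host, from the event log
$ChildDC    = 'ChildDomainDC'    # child domain DC, from the event log
$TargetUser = 'ChildDomainUser'  # user whose certificate failed to publish

# (1) group membership, resolved against the child domain DC
$group   = Get-ADGroup -Identity 'Cert Publishers' -Server $ChildDC -Properties member
$ca      = Get-ADComputer -Identity $CaComputer   # looked up in the CA's own (root) domain
$inGroup = $group.member -contains $ca.DistinguishedName
"Child-domain Cert Publishers scope: $($group.GroupScope); CA account is member: $inGroup"

# schemaIDGUID of userCertificate, read from the schema instead of hard-coded
$schemaNC = (Get-ADRootDSE -Server $ChildDC).schemaNamingContext
$attr = Get-ADObject -Server $ChildDC -SearchBase $schemaNC `
          -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
$userCertGuid = [guid]$attr.schemaIDGUID

function Test-CertPublishersAce([string]$Dn) {
    # $true when an Allow ACE (explicit or inherited) for any Cert Publishers
    # group grants ReadProperty and WriteProperty on userCertificate.
    $entry = [ADSI]"LDAP://$ChildDC/$Dn"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.NTAccount])
    $need  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($r.IdentityReference.Value -notlike '*\Cert Publishers') { continue }
        # accept an ACE scoped to this attribute or an unscoped (all properties) ACE
        if ($r.ObjectType -ne $userCertGuid -and $r.ObjectType -ne [guid]::Empty) { continue }
        if (($r.ActiveDirectoryRights -band $need) -eq $need) { return $true }
    }
    return $false
}

$userDn  = (Get-ADUser -Identity $TargetUser -Server $ChildDC).DistinguishedName
$adminSd = 'CN=AdminSDHolder,CN=System,' + (Get-ADDomain -Server $ChildDC).DistinguishedName
"userCertificate R/W on $userDn : $(Test-CertPublishersAce $userDn)"
"userCertificate R/W on AdminSDHolder: $(Test-CertPublishersAce $adminSd)"
```

If the user is a protected account (adminCount=1), the AdminSDHolder result is the one that matters, since its ACL is re-stamped onto the user object periodically.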

Patrik Nagel

Oct 2, 2006, 5:10:57 PM
Hi Brian,

Brian Komar [MVP] wrote:
> What is the current group type?

The current type of the root domain's Cert Publishers group is universal.

> Is therer a Certificate Publishers domain local group in the child domain?

Yes, there is one with domain local as group type.

> 1) Did you enable the option in the certificate template to publish to the directory (use
> certtmpl.msc to view the certificate template property pages)

Yes, the option is enabled.

> 2) Verify that you correctly did the *three* procedures described in step 5 of the article.
> These are three separate procedures that *all* must be done

hmmm, dumb question: which three steps are you referring to?

-assign read/write userCertificate permission to the local Cert
Publishers group

-assign read/write userCertificate permission to the local Cert
Publishers group at the "AdminSDHolder" container

-third ?


What is the next step to do? Shall I revert the root domain's Cert
Publishers group type to domain local? And simply add the CA Server to
the child domain's Cert Publishers group and wait for the changes to
take effect?

Thanks a lot!
Patrik

BTW: already ordered your book!

Patrik Nagel

Oct 3, 2006, 3:31:19 AM
Patrik Nagel wrote:
> What is the next step to do? Shall I revert the root domain's Cert
> Publishers group type to domain local? And simply add the CA Server to
> the child domain's Cert Publishers group and wait for the changes to
> take effect?

I've checked the permission for the child domain's Cert Publishers group
and added the CA computer. It seems to work now.

thx
Patrik

Brian Komar [MVP]

Oct 3, 2006, 2:39:58 PM
In article <#REYs3r5...@TK2MSFTNGP02.phx.gbl>, patrik.na...@THISsep.ch says...
Not seems to... it does work <G>.
Glad to help
Brian