Windows AD CA Code Signing Cert Request for Wrong User


I am having an odd problem with a Code Signing certificate request from my Windows 10 workstation. We have a Windows Server 2012 R2 CA set up with the Code Signing template, and everything works fine if I do the request from another machine. But if I do the request through MMC->Certificates->Current User->Request New Certificate I get the error:

The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED)

If I look at the failed request on the server I see the same error but the requester name is incorrect. Instead of my user name (DOMAIN\User) I see my admin user name (DOMAIN\UserAdmin). This obviously fails as my admin user does not have an AD email address.

I cannot for the life of me figure out where the request is getting my admin name from. If I look at my workstation's event log I see the following error:

- System 
  - Provider 
   [ Name]  Microsoft-Windows-CertificateServicesClient-CertEnroll 
   [ Guid]  {54164045-7C50-4905-963F-E5BC1EEF0CCA} 
   [ EventSourceName]  CertEnroll 
  - EventID 13 
   [ Qualifiers]  49754 
   Version 0 
   Level 2 
   Task 0 
   Opcode 0 
   Keywords 0x80000000000000 
  - TimeCreated 
   [ SystemTime]  2021-01-19T13:27:15.5372014Z 
   EventRecordID 118908 
   Correlation 
  - Execution 
   [ ProcessID]  0 
   [ ThreadID]  0 
   Channel Application 
   Computer workstation.domain.com 
  - Security 
   [ UserID]  S-1-5-21-507921405-651377827-682003330-2622 
- EventData 
  Context DOMAIN\user
  TemplateName CodeSigningCertificate 
  CA CertServ.domain.com\Domain-Issuing-CA 
  RequestId 12919 
  ErrorCode The EMail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374 CERTSRV_E_SUBJECT_EMAIL_REQUIRED) 

So it looks like it is making the request with my standard user but the server gets the request with my admin user.

Any ideas?

active-directory
windows-server-2012-r2
windows-10
certificate-authority
ad-certificate-services
asked on Server Fault Jan 19, 2021 by Caynadian

1 Answer


If you see a different requester name, then it may indicate that either you logged in with the wrong account, or the application (MMC.exe or certmgr.msc) has hardcoded credentials to run in elevated mode with admin user credentials. This is configured through the Compatibility tab in the executable/shortcut properties.

answered on Server Fault Jan 19, 2021 by Crypt32
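A way to check both sides of the mismatch described in the question and the answer, as an added PowerShell diagnostic (not code from the question, the answer, or Microsoft). It assumes it is run on the workstation in the same session the enrollment was attempted from; the CA config string and request id are the ones that appear in the event log above, and the AppCompatFlags\Layers registry paths are where the Compatibility tab stores its per-executable settings.

```powershell
# Added diagnostic (not from the question or answer): compare the account the
# enrollment client really runs as with what the CA recorded, and look for a
# Compatibility-tab layer that makes mmc.exe launch under different credentials.

# --- 1. Which account does this session (and anything launched from it) run as?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Current process identity : $($identity.Name)"
"Running with admin token : $isAdmin"

# --- 2. Compatibility-tab settings ("Run this program as an administrator") on mmc.exe.
#        They are stored as layer-name strings keyed by the executable's full path.
$layerKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
foreach ($key in $layerKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -like '*\mmc.exe' } |
        ForEach-Object { "Compat layer: $key : $($_.Name) => $($_.Value)" }
}

# --- 3. Client-side enrollment failures (Event ID 13 from CertEnroll), with the SID
#        that logged each one resolved to an account name.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    Id           = 13
} -MaxEvents 5 -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.UserId
    $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $sid.Value }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        LoggedAs = $account
        Message  = ($_.Message -split "`n")[0]
    }
}

# --- 4. What the CA recorded for the same request (values taken from the event log
#        on this page; needs read access to the CA database).
$ca        = 'CertServ.domain.com\Domain-Issuing-CA'
$requestId = 12919
certutil -config $ca -view -restrict "RequestId=$requestId" `
    -out 'RequestId,RequesterName,Disposition,DispositionMessage'
```

If step 1 shows the standard user but step 4 shows the admin account, the request left the machine under a different logon token. A "Run this program as an administrator" layer found in step 2 is one way that happens: when the interactive user is not a local administrator, UAC asks for another account's credentials and the console then runs as that account, which is what the CA sees as the requester.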

User contributions licensed under CC BY-SA 3.0