Child domain new cert request - certificate template permissions do not allow current user to enroll 0x80094012

3

I have the following AD configuration:

rootca (standalone not domain connected)

  • mydom.local
    • dc1.mydom.local
    • svr1.mydom.local
    • subca.mydom.local(enterprise subordinate CA)
    • other.mydom.local
      • dc1.other.mydom.local
      • svr1.other.mydom.local

I can register web server certificates OK for svr1.mydom.local; however, when I log into svr1.other.mydom.local with the child domain administrator I get the following error:

Permissions on the certificate template do not allow the current user to enroll for this type of certificate (0x80094012)

I think this must be related to permissions; however, I am not sure how to proceed. What is the best practice to allow child domain administrators to request certificates from the subordinate CA located in the parent domain?

My inf file is below:

[NewRequest]
Subject="CN=svr1.other.mydom.local"
Exportable=TRUE
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate = WebServer

and I am running the following commands on svr1.other.mydom.local as administrator@other.mydom.local:

certreq -new c:\svr1.inf c:\svr1.req
certreq -submit c:\svr1.req c:\svr1.cer    (I get the error here)
active-directory
ad-certificate-services
pki
asked on Server Fault Jul 19, 2012 by morleyc • edited Jul 21, 2012 by maweeras

1 Answer

4

Is the user a member of a security group that has Read and Enroll permission on the certificate template? That is required.

Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29

When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template.

However, when you're using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template. When you use Certreq.exe, the computer permissions are not used.

answered on Server Fault Jul 19, 2012 by Greg Askew
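One way to verify the point in the answer from the requesting account itself, added here as an example (it is not code from the question, the answer, or Microsoft): run it in the same elevated session used for certreq, and it reads the WebServer template's ACL from the forest Configuration partition and reports whether that account's token holds Read and Enroll. It assumes the RSAT ActiveDirectory module (for the AD: drive) is installed.

```powershell
# Added example, not from the original question or answer. Checks whether the
# current user (the account certreq runs as) has Read and Enroll on a template.
# Assumes the RSAT ActiveDirectory module, which provides the AD: PSDrive.
Import-Module ActiveDirectory

$Template = 'WebServer'    # template name from the question's [RequestAttributes]

# Templates are forest-wide objects in the Configuration partition, so a
# child-domain account is evaluated against exactly the same ACL as a
# parent-domain one; only the token contents differ.
$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Extended-right GUID granted by the "Enroll" checkbox in the Certificate Templates console.
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# certreq uses the calling user's token, so collect the user SID plus every
# group SID in that token (nested and cross-domain groups included).
$Me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($Me.User) + @($Me.Groups)

$Acl = Get-Acl -Path "AD:\$TemplateDN"
$HasRead = $false; $HasEnroll = $false; $Matched = @()

foreach ($Ace in $Acl.Access) {
    # Only Allow ACEs grant anything; a matching Deny ACE would override them and
    # is worth inspecting separately if this script reports rights but certreq still fails.
    if ($Ace.AccessControlType -ne 'Allow') { continue }
    try { $AceSid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }   # unresolvable (stale) trustee, cannot match our token anyway
    if ($MySids -notcontains $AceSid) { continue }
    $Matched += $Ace.IdentityReference.Value
    $Rights   = $Ace.ActiveDirectoryRights
    $Unscoped = ($Ace.ObjectType -eq [Guid]::Empty)   # ACE applies to all properties/rights

    # GenericRead and GenericAll both contain the ReadProperty bit; require an unscoped ACE.
    if ((($Rights -band 'ReadProperty') -ne 0) -and $Unscoped) { $HasRead = $true }

    # Enroll is the extended right above, or any unscoped ExtendedRight/GenericAll ACE.
    if ((($Rights -band 'ExtendedRight') -ne 0) -and ($Unscoped -or $Ace.ObjectType -eq $EnrollGuid)) {
        $HasEnroll = $true
    }
}

"Template : $TemplateDN"
"Principal: $($Me.Name)"
"Matched  : $($Matched -join ', ')"
"Read     : $HasRead"
"Enroll   : $HasEnroll"
if (-not ($HasRead -and $HasEnroll)) {
    "Missing Read and/or Enroll on the template; expect certreq -submit to fail with 0x80094012."
}
```

If both rights show as granted but certreq still fails, check the remaining ACEs for a Deny entry matching one of the listed principals.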

User contributions licensed under CC BY-SA 3.0