Error: Current user does not have access to any Profile Template
I want my users to be able to: Request a new Set of Certificate
But when they click on the link from the portal they get: "Current user does not have access to any Profile Template"
I am sure that I have set up ALL the necessary rights... Especially on the Profile Template in ADSI.
But I guess I am missing other rights somewhere..
Thanks for any hints
regards
Jean-Philippe
July 7th, 2009 4:04pm

The current user probably doesn't have all the required permissions (read and CLM Enroll) if that is what the portal is telling you. Does the auth agent account have read/write on the profile templates container?
To get the most out of the forum, please read Peter's post here: http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/137f58cd-ce2c-4b2b-bc1d-1a6effbd85a0
AhmadAW
July 14th, 2009 12:00am

The current user is part of a Global Group that has read and CLM Enroll rights.
I have also triple checked that Auth Agent has read and write on the profile template.
Any other idea where I could check for permission?
Thanks
JP
July 14th, 2009 5:35am

Are you doing self-serve or not? Open the profile template settings: can the user initiate the request?
July 15th, 2009 5:37am

When I initiate the request with an Admin Account for any user, it WORKS.
When I initiate the request from a user, this is where I get the error message.
Thanks
July 15th, 2009 2:22pm

Check that clmAuthAgent also has explicit Read on the user.
July 15th, 2009 9:49pm

Hi Ntony,
Sorry, I am not sure where exactly to set up those rights...
Thanks
JP
July 15th, 2009 11:32pm

AD Users and Computers: right-click the target user --> Properties --> Security.
I suggest you verify the steps outlined in the relnote or KB on how to set up CM permissions.
July 16th, 2009 12:15am

Thanks for your reply,
No luck, I got the same error.
I did read the release note, but there are so many errors in the document.
Plus, you have to admit that the relnote is really hard to follow ...
regards
JP
July 16th, 2009 3:27pm

The relevant information from KB952327 is:

Access-checking methodology changed in Certificate Lifecycle Manager (CLM)

Before this release, the CLM part of ILM used Kerberos delegation to perform operations in the Active Directory directory service. Therefore, CLM acted as the end-user to access the required Active Directory server objects, such as profile templates, subscribers, and other objects.

This hotfix rollup package implements an access-checking methodology in ILM. With this methodology, you do not have to enable CLM to use impersonation to become the user. Additionally, you do not have to delegate access to a particular computer that acts as the end-user or as the enrollment agent when the computer contacts Active Directory. CLM still uses delegation when it contacts the certification authority (CA) that is located on a computer that is not the one that is running CLM.

With this change, CLM now impersonates the CLM Auth Agent account before you make any read or write calls to the Active Directory. The CLM Auth Agent account then verifies whether the logged-on user has permissions to read the object or to make the changes that must be made on the Active Directory object. Therefore, the CLM Auth Agent account must have additional permissions. The CLM configuration wizard does not automatically make these changes. Therefore, you must manually add these permissions.

The CLM Auth Agent account must have the following permissions:
- Read permission on all users and groups that use the portal or that are subscribers
- Read permissions on the certificate templates that are used with the profile templates
- Read and write permissions on all existing profile templates
- Permission to create a child on the profile templates container

AhmadAW
July 20th, 2009 11:46pm
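
An added example, not part of the thread or of KB952327: a PowerShell audit of the four permissions the KB lists for the CLM Auth Agent account, reading the ACL of one representative object per requirement. The account name, every DN, and the mapping of the KB's "read"/"write" wording onto `ActiveDirectoryRights` values are assumptions to replace with your own.

```powershell
# Added example: placeholders throughout; nothing here comes from the thread's environment.
Add-Type -AssemblyName System.DirectoryServices

$AuthAgent = 'EXAMPLE\clmAuthAgent'   # placeholder: your CLM Auth Agent account

# One representative object per KB952327 requirement. The DNs are placeholders.
# Mapping "read"/"write" to these ActiveDirectoryRights values is an assumption.
$Checks = @(
    @{ Dn = '<DN of a portal user or subscriber>';     Need = 'GenericRead' },
    @{ Dn = '<DN of a certificate template>';          Need = 'GenericRead' },
    @{ Dn = '<DN of an existing profile template>';    Need = 'GenericRead, WriteProperty' },
    @{ Dn = '<DN of the profile templates container>'; Need = 'CreateChild' }
)

function Get-AgentRights {
    param([string]$Dn, [string]$Account)
    $acl   = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $allow = 0; $deny = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Account) { continue }
        # Skip ACEs that only apply to child objects or to a single property/class.
        if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($r.ObjectType -ne [guid]::Empty) { continue }
        if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.ActiveDirectoryRights }
        else                                  { $deny  = $deny  -bor [int]$r.ActiveDirectoryRights }
    }
    # Simplification: any matching deny ACE is treated as overriding allow.
    return $allow -band (-bnot $deny)
}

foreach ($c in $Checks) {
    $need    = [int][System.DirectoryServices.ActiveDirectoryRights]$c.Need
    $have    = Get-AgentRights -Dn $c.Dn -Account $AuthAgent
    $missing = [System.DirectoryServices.ActiveDirectoryRights]($need -band (-bnot $have))
    [pscustomobject]@{
        Object  = $c.Dn
        Needed  = $c.Need
        Missing = if ([int]$missing -eq 0) { 'none' } else { "$missing" }
    }
}
```

Only ACEs that name the account directly are counted, so rights the account holds through group membership show up as missing and need to be checked by hand.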

This topic is archived. No further replies will be accepted.
