Unable to renew or create new Exchange Certificate, receive Access is denied.
I'm trying to renew an Exchange self-signed certificate with this:
    Get-ExchangeCertificate -Thumbprint BEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEF | New-ExchangeCertificate
I receive this error message:
    New-ExchangeCertificate : Access is denied.
    At line:1 char:102
    + get-exchangecertificate -thumbprint BEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEFBEEF | new-exchangecertificate <<<<
I am also unable to create a new certificate with this:
    New-ExchangeCertificate -IncludeAutoDiscover -IncludeAcceptedDomains -DomainName office.domain.com, mailserver.domain.local
I get this error:
    New-ExchangeCertificate : Access is denied.
    At line:1 char:24
    + New-ExchangeCertificate <<<< -IncludeAutoDiscover -IncludeAcceptedDomains -DomainName office.domain.com, mailserver.domain.local
It worked a year ago and I'm not sure what I'm being denied access to. The Exchange server is also a domain controller and I am logged in as administrator.
December 1st, 2009 2:01am

To run the New-ExchangeCertificate cmdlet, the account you use must be delegated the following: Exchange Server Administrator role and local Administrators group for the target server.
http://technet.microsoft.com/en-us/library/aa998327.aspx
Does administrator have those permissions?
December 1st, 2009 2:18am

In Exchange Management Console, Organization Configuration shows Administrator with the role Exchange Organization Administrator and is an administrator on the server. I added the Exchange Server Administrator role for this server in addition and there is no change.
December 1st, 2009 2:54am

Is there another account (one that is not an admin) that has Exchange permissions you can test with?
Anything in the event logs?
Also check out:
http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/bd209455-7601-4e34-a7aa-c9a6d7eaf0c3
http://technet.microsoft.com/en-us/library/bb510126.aspx
How to Troubleshoot Direct Trust Certificate Errors 1037 and 2019
December 1st, 2009 3:04am

Also look at the below:
After some research on the internet I found the solution. The problem was the c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys directory; this is used for saving certificates, even if the creation fails. In this case the network service only had the good access rights to the folder. When you have a look at the folder you will see that the administrator has full control on the folder itself but not on the sub-folders and files in it. Changing it to this option fixed the issue and the command could be executed successfully. Besides this fix you will find several other pages that say that giving the network service full control to the folder also fixes this issue.
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
December 1st, 2009 12:58pm

I went ahead and opened a case with Microsoft support and the issue was determined to be the permissions on c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys directory. I just wish I would have checked back this morning before I got that started.
December 1st, 2009 8:45pm
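
The cause found in this thread was the ACLs on the MachineKeys directory and the files inside it. As an added example (not posted by anyone in the thread), the following read-only PowerShell audit lists every entry where an identity lacks a FullControl allow ACE or where the ACL cannot be read; the identity names and the choice of FullControl as the bar are assumptions.

```powershell
# Added example, not from the thread. Read-only: it lists ACL gaps and changes nothing.
# MachineKeys holds machine private keys, so findings are for review before any ACL edit.
param(
    # Path as given in the thread.
    [string]$MachineKeys = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys',
    # Assumption: the two identities the thread mentions, under their usual English names.
    [string[]]$Identities = @('BUILTIN\Administrators', 'NT AUTHORITY\NETWORK SERVICE')
)

$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl($Acl, [string]$Identity) {
    # True when a single Allow ACE names $Identity and grants FullControl.
    # Direct ACEs only: group membership and Deny entries are not evaluated.
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

# The folder itself plus every key file in it (-Force includes hidden/system files).
$items = @(Get-Item -Path $MachineKeys -Force) + @(Get-ChildItem -Path $MachineKeys -Force)

$findings = foreach ($item in $items) {
    # An unreadable ACL is itself a finding: it is the symptom the thread describes.
    $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
    foreach ($id in $Identities) {
        if (-not $acl) { $state = 'ACL unreadable' }
        elseif (Test-FullControl $acl $id) { continue }
        else { $state = 'no FullControl allow ACE' }
        New-Object PSObject -Property @{
            Path = $item.FullName; Identity = $id; Finding = $state
            Owner = $(if ($acl) { $acl.Owner })
        }
    }
}

if ($findings) {
    $findings | Select-Object Path, Identity, Finding, Owner | Format-Table -AutoSize
} else {
    'All checked identities have a FullControl allow ACE on the folder and its files.'
}
```

Run it from an elevated shell on the Exchange server. On Windows Server 2008 and later the same key store is under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, which can be passed as -MachineKeys.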
