ADCS CA Permissions query
A client I am working with has a two tier PKI hierarchy (standalone root - Win 2008 R2, enterprise sub - Win 2008 R2) and they are planning to use it to support a Lync deployment (Lync 2010 on Win 2008 R2). During the Lync installation, the installer automatically attempts to request a web certificate from the Issuing CA but fails, but the administrator can manually enrol for a certificate using the Certificates MMC with no problems. My customer has done some troubleshooting and believes that by adding the READ permission on the CA security tab to Authenticated Users they are able to resolve the Lync automatic request issue. Authenticated Users now has: READ, Request Certificates. Additionally each Lync server has read and enrolment rights on the relevant template and this template has been published. With this in mind I have three questions:
a) What rights does the READ permission on the CA security tab assign?
b) Should giving authenticated users this right resolve the problem described above?
c) Are there any implications of leaving this configuration in place?
Many thanks.
November 14th, 2012 5:35am

> What rights does the READ permissions on the CA security tab assign?
They assign permissions on enrollment interfaces. If someone doesn't have Read permissions in the CA security, the user will be unable to contact enrollment interfaces.
> Should giving authenticated users this right resolve the problem described above?
Yes. BTW, by default Authenticated Users have Read and Request Certificates permissions. This means that someone edited the default permissions.
> Are there any implications of leaving this configuration in place?
As I already said, it is the default configuration when Authenticated Users have Read and Request Certificates permissions.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
November 14th, 2012 6:28am
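Added example, not code from this thread and not from the PSPKI module: a PowerShell script that decodes the CA's own access list so an administrator can verify the default Vadims describes (Authenticated Users holding both Read and Request Certificates) rather than guessing from the Security tab. It assumes it is run locally on the CA with administrative rights, that the ACL is stored as the REG_BINARY Security value under the CA's Configuration registry key, and that the access-mask bits follow the CA_ACCESS_* constants from the Windows SDK (Read = 0x100, Enroll = 0x200).

```powershell
# Added example, not code from the thread or from the PSPKI module.
# Decodes the CA security descriptor and reports who holds which CA rights.
# Assumptions: run locally on the CA as an administrator; the ACL is the
# REG_BINARY 'Security' value under the CA's Configuration key; access-mask
# bits follow the CA_ACCESS_* constants from the Windows SDK (certca.h).

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Bit values behind the rights shown on the CA's Security tab.
$CaRights = [ordered]@{
    ManageCA            = 0x1    # "Manage CA"
    ManageCertificates  = 0x2    # "Issue and Manage Certificates"
    Audit               = 0x4
    Operator            = 0x8
    Read                = 0x100  # needed to reach the enrollment interfaces at all
    RequestCertificates = 0x200  # "Request Certificates" (Enroll)
}

function Get-CaAcl {
    # Returns one object per ACE with the principal name and the decoded rights.
    $caName = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $raw    = (Get-ItemProperty -Path "$ConfigKey\$caName" -Name Security).Security
    $sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$raw), 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID (deleted account, foreign domain)
        $granted = $CaRights.Keys | Where-Object { ($ace.AccessMask -band $CaRights[$_]) -ne 0 }
        [pscustomobject]@{
            CA        = $caName
            Principal = $who
            AceType   = $ace.AceType
            Rights    = ($granted -join ', ')
            Mask      = [int]$ace.AccessMask
        }
    }
}

$acl = Get-CaAcl
$acl | Format-Table Principal, AceType, Rights, @{n='Mask';e={'0x{0:X}' -f $_.Mask}} -AutoSize

# Check the default the thread relies on: Authenticated Users need Read (to contact
# the enrollment interfaces) and Request Certificates (to actually enroll).
$effective = 0
$acl | Where-Object { $_.Principal -eq 'NT AUTHORITY\Authenticated Users' -and $_.AceType -eq 'AccessAllowed' } |
    ForEach-Object { $effective = $effective -bor $_.Mask }
$needed = $CaRights.Read -bor $CaRights.RequestCertificates
if (($effective -band $needed) -ne $needed) {
    Write-Warning "Authenticated Users do not hold the default Read + Request Certificates on $($acl[0].CA); enrollment from ordinary user or machine contexts will fail."
} else {
    Write-Host 'Authenticated Users hold the default Read + Request Certificates.'
}
```

Run it on the issuing CA after any change to the Security tab; the decoded list shows whether the "fix" of adding Read merely restored the default or whether some other principal was changed at the same time.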

Vadims, thanks for your response. I thought it was the default as well (auth users have "read" and "request cert"), but if I stand up a new Enterprise Sub CA in a test lab Authenticated Users only have "request certificates" permissions. Also why are we able to request certificates using the certificates MMC on a domain member but not automatically through the Lync installer? Amit
November 14th, 2012 6:34am

> Also why are we able to request certificates using the certificates MMC on a domain member but not automatically through the Lync installer.
I think this is due to a security permissions issue. Computer certificate enrollment via MMC and during software installation uses different security contexts. In the first case -- the computer account context is used, in the second -- the current user context.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Check out new: PowerShell FCIV tool.
November 14th, 2012 8:49am

Vadims, we did some more testing and the certificate request within the Lync software installation appears to be running under the system context. The solution to the issue was a space in the template name. In the Lync cert request wizard we specified a template name that had a space in it. This is obviously not the certificate template's display name and not its actual name. Lesson for the future is to avoid spaces in certificate names. Thanks for your help.
November 15th, 2012 4:22am
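Added example, not code from the thread: a PowerShell script that shows the distinction Amit ran into, the template's display name (what the Certificates MMC shows, often containing spaces) versus its cn in Active Directory (what a request wizard or certreq expects), and which template names each enterprise CA has actually published. It assumes a domain-joined machine with read access to the Configuration partition (the default for Authenticated Users) and uses plain ADSI, so no RSAT is required. The requested name 'Web Server' at the end is a constructed sample input; the built-in Web Server template has the display name "Web Server" and the cn "WebServer", which is exactly the kind of mismatch described above.

```powershell
# Added example, not code from the thread. Maps certificate template display
# names to their AD object names (cn) and lists what each CA publishes.
# Assumptions: domain-joined machine; read access to the Configuration
# partition; templates and enrollment services live under the usual
# CN=Public Key Services container.

$rootDse = [ADSI]'LDAP://RootDSE'
$pkiDn   = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

function Search-Pki {
    # Small ADSI search helper scoped to one container under Public Key Services.
    param([string]$Container, [string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=$Container,$pkiDn"
    $s.Filter     = $Filter
    $s.PageSize   = 500
    [void]$s.PropertiesToLoad.AddRange($Props)
    $s.FindAll()
}

# Every template: cn is the name a wizard or certreq expects, displayName is the MMC label.
$templates = foreach ($r in Search-Pki 'Certificate Templates' '(objectClass=pKICertificateTemplate)' @('cn','displayName')) {
    [pscustomobject]@{
        Name        = [string]$r.Properties['cn'][0]
        DisplayName = [string]$r.Properties['displayname'][0]
    }
}

# Every enterprise CA and the templates it publishes (certificateTemplates holds cn values).
$cas = foreach ($r in Search-Pki 'Enrollment Services' '(objectClass=pKIEnrollmentService)' @('cn','dNSHostName','certificateTemplates')) {
    [pscustomobject]@{
        CA        = [string]$r.Properties['cn'][0]
        Host      = [string]$r.Properties['dnshostname'][0]
        Published = @($r.Properties['certificatetemplates'])
    }
}

function Resolve-TemplateName {
    # Takes the name someone typed into a request wizard and reports whether it is a
    # real template name, a display name that must be swapped for its cn, or unknown.
    param([string]$Requested)
    $byName    = $templates | Where-Object { $_.Name -eq $Requested }
    $byDisplay = $templates | Where-Object { $_.DisplayName -eq $Requested }
    if ($byName) {
        $on = ($cas | Where-Object { $_.Published -contains $byName.Name }).CA
        [pscustomobject]@{ Requested = $Requested; Status = 'ok'; UseName = $byName.Name; PublishedOn = ($on -join ', ') }
    } elseif ($byDisplay) {
        $on = ($cas | Where-Object { $_.Published -contains $byDisplay.Name }).CA
        [pscustomobject]@{ Requested = $Requested; Status = 'display name, use cn instead'; UseName = $byDisplay.Name; PublishedOn = ($on -join ', ') }
    } else {
        [pscustomobject]@{ Requested = $Requested; Status = 'no such template'; UseName = $null; PublishedOn = '' }
    }
}

# Templates whose display name contains a space are the easy ones to get wrong.
$templates | Where-Object { $_.DisplayName -match ' ' } | Sort-Object Name | Format-Table Name, DisplayName -AutoSize

# Constructed sample input: the label a wizard user is likely to type.
Resolve-TemplateName 'Web Server' | Format-List
```

An empty PublishedOn column for a template that resolves correctly points at the other half of the thread's setup, the template not being published on the issuing CA, so the same script distinguishes a naming mistake from a publication gap.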
