ADCS Errors - Some client PCs requesting Web Server certs?
I just installed the ADCS role on one of my DCs a few days ago to provide certificates for our new RDS farm. Since then, a few of our PCs have requested Web Server certificates, and have been denied. Any ideas why these clients have requested certificates? The domain is 2000 native functional level (slowly moving us toward 2008, this mess was handed to me to fix).
August 19th, 2011 5:55pm

Where exactly are you seeing these errors, what are the corresponding error messages (Web Server certificates of which particular Web server) and what are the circumstances in which they appear? hth Marcin
August 19th, 2011 6:16pm

Hello,

I just installed the ADCS role on one of my DCs a few days ago to provide certificates for our new RDS farm.

This is not recommended for security reasons, especially if this is the root CA. For more information, ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011; Microsoft Certified Professional; Microsoft Certified Systems Administrator: Security; Microsoft Certified Systems Engineer: Security; Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration; Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration; Microsoft Certified Technology Specialist: Windows 7, Configuring; Microsoft Certified IT Professional: Enterprise Administrator; Microsoft Certified IT Professional: Server Administrator
August 19th, 2011 6:17pm

Where exactly are you seeing these errors, what are the corresponding error messages (Web Server certificates of which particular Web server) and what are the circumstances in which they appear? hth Marcin

I'm seeing them in the event log, and in the "Failed Requests" folder of the CA. The error in the event log is as follows:

"Active Directory Certificate Services denied request 15 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=FDAX1. Additional information: Denied by Policy Module"

In the failed requests view, I see an entry for each failed request (there have only been 4, we have ~300 clients in this domain). The certificate template listed is "Web Server (WebServer)".
August 19th, 2011 6:26pm

Hello, I just installed the ADCS role on one of my DCs a few days ago to provide certificates for our new RDS farm. this is not recommended for security reasons especially if this is the root CA. For more information, ask them here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

I realized this while I was setting it up. ADCS will be moved to another box in a few months. I'm up to my neck in a huge ERP integration at the moment and didn't have another box handy to do ADCS. My next project is a complete rework of the AD infrastructure and I'll make sure this is on the list. None of these servers, including the servers that were issued the certificates, are web facing. Everything is intranet only. I'm not sure if that makes any difference. Thank you for the advice!
August 19th, 2011 6:30pm

Check permissions on the template - as the message indicates - and compare them with the group membership of the computers where you are seeing the error messages. Check if there are any other errors in the Event Log on these machines indicating authentication issues.

As for the CA move, refer to http://support.microsoft.com/kb/298138

Btw, you might want to seek further assistance regarding this on the Security forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

hth Marcin
August 19th, 2011 6:44pm
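
The check suggested in the reply above, as an added example that is not part of the original thread: it lists which principals are allowed Enroll or Autoenroll on the Web Server template and the direct group memberships of the requesting machine, so the two can be compared. It assumes the subject `CN=FDAX1` from the event is a computer account name and that the template's directory name is `WebServer`, as shown in the Failed Requests view.

```powershell
# Added example, not from the thread. Run as a domain user on a domain-joined machine.
$templateName = 'WebServer'   # template short name shown in "Failed Requests"
$computerName = 'FDAX1'       # assumption: the request subject CN is a computer account

# Extended-right GUIDs that control enrollment on a certificate template.
# The all-zero GUID on an ExtendedRight ACE means "all extended rights" (e.g. Full Control).
$enrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Templates live in the forest-wide Configuration partition.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

"Principals allowed to enroll for '$templateName':"
$template.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $enrollRights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { $enrollRights[$_.ObjectType.ToString()] } },
        IsInherited |
    Format-Table -AutoSize

# Direct group memberships of the requesting computer. memberOf does not include
# the primary group (normally Domain Computers) or nested groups.
$result = ([adsisearcher]"(&(objectCategory=computer)(cn=$computerName))").FindOne()
if ($null -eq $result) {
    "No computer account named '$computerName' was found."
} else {
    "Direct group memberships of '$computerName':"
    $result.Properties['memberof']
}
```

If none of the listed principals cover the computer account, the denial with 0x80094012 is the expected outcome, and the remaining question is what on that machine submitted the request.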

Users do not have permissions to request this type of certificate, nor should I expect them to have them. I'll repost this over at security and see if anyone has ideas. Thanks!
August 25th, 2011 10:58am
