Dear All,

I have a 2008 Domain Controller with the CA Server role installed with the issue that the Web-Enrolement procedure is not working proper. I can´t request any cert´s using the web-browser. Cert requests via powershell works fin thought.

I get the following error:

"No Certificate templates could be found. You do not have the permissions to request a certificate from this CA, or an error occured while accessing the Active Directory"

I allready compared the the sServerConfig value in the Certdat.inc file with the dNSHostName attribute at the pkiEnrollmentService object. The values are the same (case sensitive).

I also checked the permissions on the certificate templates - they are o.k. since I do the request with a domain admin account.

I appreciate an help and thanks in advanced,

Chris

 

 

 

to successfully enroll certificates via Enrollment Web Pages you need to configure at least the following:

1) enable SSL on Web Pages web site in IIS.

2) enable Integrated authentication in IIS for this web site.

hi, I solved the issue with Vadims tip.

In addition, I had to set login credentials in IIS for the CertSrv physikal path. In IIS Manager goto Default Web Site->CertSrv and edit "Basic Settings" of the Application. Set "Connect as" in the Physikal path section with an appropiate account and Test settings.

Thanks alot,

Chris

• Marked as answer by Tass IT Thursday, March 25, 2010 2:20 PM

hmm..there is no need to configure credentials for phisical folder access (except cases when anonymous authentication is used).

I was able to resolve the issue in IIS 7 by creating a separate Application Pool for the CertSrv web app., and changing the Identity from ApplicationPoolIdentity to NetworkService in the advanced settings (of the app pool).

It's a pity that the CertSrv web application doesn't (always) work out-of-the-box in IIS 7 on Windows Server 2008.

Good luck,

 

Peter

• Proposed as answer by Applied Maths NV Wednesday, March 30, 2011 9:48 AM

which of the two above solutions should I rely mostly on? Seems a bit strange to have to set the credentials for access.

This issue came up out of nowhere, I still don't know what caused it. I used Applied Maths NV's workaround and I was able to request and download a certificate after that. 

I created the apppool as Applied Maths NV said and everything started working again. 

the problem is that it worked before and with no change it started failing!.

thanks!

• Edited by elchepas1 Thursday, September 26, 2013 4:26 PM

Thanks!! it worked for me!

hi Vadims, would you mind elaborate more how to do this please :)

hi Tass, can you explain Vadims comments step by step please :)

There are multiple scenarios and configuration settings that worked as a solution for many users who were experiencing the same error while 

I tried the following steps and it resolved my issue .

It turned out that by using IIS Manager and changing the DefaultAppPool Identity to NetworkService from ApplicationPoolIdentity:

1. Open IIS on the server hosting CA
2. Got to Application Pools and right click to choose "Advanced Settings.." for DefaultAppPool
3. Look for the "Identity" value under Process Model and change to NetworkService.
4. Once completed perform an iisreset on the CA.

Hope it helps those who have tried all other tips suggested in this post or any other forums

Thanks, worked for me.