When trying to request a certificate from the local CA I receive the following message: the requested certificate template is not supported by this CA. Denied by Policy Module 0x80094800. the request was for a certificate template that is not supported by the Active Directory Certificate Services policy: 1.3.6.1.4.1.311.21.8.11247263.3238951.4867487.3598660.1281222.180.1.27 The system is a domain controller running windows server 2008 Standard, with Enterprise CA. That happens to more than a single certificate template, checked that authenticated users have Read, the requesting user has Enroll and Auto Enroll rights. Any ideas? Thank you.

The appropriate forum for your post is below i.e. security forum which deal with certificates and other security related issues. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Regards Awinish Vishwakarma MY BLOG: awinish.wordpress.comThis posting is provided AS-IS with no warranties/guarantees and confers no rights.

When trying to request a certificate from the local CA I receive the following message: the requested certificate template is not supported by this CA. Denied by Policy Module 0x80094800. the request was for a certificate template that is not supported by the Active Directory Certificate Services policy: 1.3.6.1.4.1.311.21.8.11247263.3238951.4867487.3598660.1281222.180.1.27 The system is a domain controller running windows server 2008 Standard, with Enterprise CA. That happens to more than a single certificate template, checked that authenticated users have Read, the requesting user has Enroll and Auto Enroll rights. Any ideas? Thank you. Have you checked whether the template is assigned to CA server (in Certification Authority MMC select Certificate Template folder)?My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Yes it is assigned. The failed requests are from User certificate template (I duplicated the template, modified permissions Domain Users - Enroll and AutoEnroll, checked that Authenticated Users have Read permissions, issued the template) and Workstation certificate templates (same checked permissions Domain Computers Enroll and AutoEnroll, issued the template). I've chose to deploy the certs by group policy so everytime a workstation/user tries to autoenroll a certificate I get this message on CA and the workstation or user doesn't get the certificate. That's the same if I try to enroll manually a certificate of that type, I've also tried to enroll a code signing certificate with the same result.

Thank you for posting it for me at the right place :)

I think I narrowed it down. The error appears only with customized certificate templates, with default templates seems to be ok. Any ideas why? Thank you

Check that the CA server has read permission on the template. The Authenticated Users built-in group is granted Read permission by default and if you happen to remove that group the CA server must be granted permissions on the template. /Hasain

Every duplicated certificate template that I use (the ones in question) has Authenticated Users - Read on the ACL.

What was the problem? Same issue here help would be great..

I duplicated the certificate template and published it for distribution (a simple user certificate). After publishing the default template(not duplicated) everything worked out fine. So it would be only a workaround for you. Please reply here if it's ok like that.RR IT Professional