Certificate Request Access Denied
OK, I have a complicated issue that I have been banging my head against all day and I need a little help.

Two AD forests (we'll call them Resource and Principal). A one-way forest-level trust has been created where Resource trusts Principal. Certificate Services has been installed into Resource, which contains an offline root and an issuing CA, both installed as Enterprise CAs. A certificate template has been created to allow for Server and Client Authentication. The permissions on the template are set to allow Authenticated Users to Read/Enroll. The template has been set to allow the Subject Name to be submitted as part of the request. DCOM permissions are correct per all documentation, using the local group CERTSVC_DCOM_ACCESS. NT AUTHORITY\Authenticated Users has been added to the above local group. All containers in AD seem to have appropriate read permissions for Authenticated Users.

Symptoms as follows:

When a user uses an account in a child domain of the Principal forest to submit a new certificate request via the web enrollment page, the user is able to see and select the template and enter the request details. When the user clicks Submit, it goes through generating the request and attempts to submit to the CA, at which point it errors out with Access Denied.

COM Error Info
CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
Suggested Cause
The Certification Authority Service has not been started.

An attempt to build a request manually and submit via certreq.exe produces the following error:

This computer was unable to communicate with the computer providing the server. 0x8000401d (-2147467235)

This occurs regardless of whether the requestor is using a system joined to the Resource or the Principal forest. Using an account in the Resource forest works fine. To make the issue even stranger, if the requestor logs onto the CA in the Resource forest directly, the requestor can then submit a request using the web enrollment without issue.

Even after turning up logging for DCOM on the CA, there is no error generated in the event log. The CA even has a success entry in the security log. The IIS log does show some 401.2 entries, but Authenticated Users has access to all the files and directories. I have even tried running procmon, but got nada that was any use from what I could tell.

Any help would be much appreciated.

Merddyn
August 25th, 2009 1:13am

Hello,

Please understand that even when you have a forest trust between two forests, there was no support for cross-forest enrollment. Therefore, each forest required its own set of enterprise CAs. This feature is improved in Windows Server 2008 R2. For more information you may refer to: Cross-forest Certificate Enrollment with Windows Server 2008 R2.doc
http://www.microsoft.com/downloads/details.aspx?FamilyID=d408be72-7c74-4b19-a2de-fa11858c30b2&DisplayLang=en

However, there is a workaround to achieve that: we have to generate an INF file for every server which requires the certificate.

1. Create the .INF file. Here is a sample .inf file that can be used to create the certificate request:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; Note: 1024-bit RSA keys are no longer accepted by current
; CAs and browsers; use 2048 or larger for new requests.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

; If submitting to a Windows Enterprise CA, the following
; section is required. The Web Server certificate template
; must be present in the Certificate Templates folder in
; the CA snap-in. (INF comments start with ";", not "'".)
[RequestAttributes]
CertificateTemplate = WebServer
;-----------------------------------------------

Cut and paste the example into a new text file called request.inf. Provide the fully qualified DNS name of the domain controller in the request.

2. Create the request.
a. Run the following command to create the request file:
C:\>certreq -new request.inf request.req
b. A new file called request.req will be created.

3. Submit the request to a CA.

4. Retrieve the issued certificate. Save the certificate as certnew.cer in the same directory as the request file. The saved certificate must be encoded as Base64.

5. Accept the issued certificate.
a. Run the following command to accept the issued certificate:
C:\>certreq -accept certnew.cer

6. Verify the certificate is installed in the Computer's Personal store.

7. You also need to export the server certificate from the CA and copy that to the trusted root container of the target server.

If you have any questions or concerns, please do not hesitate to let me know.
August 25th, 2009 1:14pm
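The seven manual steps in the answer above, carried out end to end as one PowerShell script. This is an added example, not part of the original reply or of Microsoft's documentation. The CA config string CA01.resource.example\Resource-Issuing-CA, the server name web01.principal.example, the template name WebServer and the working directory C:\certreq are assumptions for illustration. It deviates from the posted INF on purpose: a 2048-bit key instead of 1024, a non-exportable key, explicit Server/Client Authentication EKUs, and a DNS SAN so clients that ignore the CN still match. It also adds a certutil -ping pre-check, which is where the "unable to communicate with the computer providing the server" error from the original question surfaces before any request is built.

```powershell
# Added example (not from the original answer): certreq workflow for a machine in the
# account (Principal) forest against an Enterprise CA in the resource forest.
# All names below are assumptions; replace them with your own values.
$CAConfig   = 'CA01.resource.example\Resource-Issuing-CA'   # "<CA host FQDN>\<CA common name>"
$ServerFqdn = 'web01.principal.example'                     # server that needs the certificate
$Template   = 'WebServer'                                   # template name as published on the CA
$WorkDir    = 'C:\certreq'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# Step 1: write the request INF. Single-quoted here-string so "$Windows NT$" is not expanded;
# placeholders are substituted afterwards.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
KeySpec = 1
KeyLength = 2048          ; 1024 in the original sample; 2048 is the current minimum
Exportable = FALSE        ; key stays in the machine store; set TRUE only if it must be moved
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0           ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2   ; Client Authentication

[Extensions]
2.5.29.17 = "{text}"      ; Subject Alternative Name
_continue_ = "dns=__FQDN__&"

[RequestAttributes]
CertificateTemplate = __TEMPLATE__
'@
$inf.Replace('__FQDN__', $ServerFqdn).Replace('__TEMPLATE__', $Template) |
    Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII

# Pre-check: can this machine reach the CA's DCOM request interface at all?
# A failure here is the DCOM/RPC problem, not a template or enrollment permission problem.
certutil -ping -config $CAConfig
if ($LASTEXITCODE -ne 0) { throw "CA DCOM ping failed for $CAConfig" }

# Step 2: build the PKCS#10 request; the private key is generated in the machine store.
certreq -new request.inf request.req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Steps 3 and 4: submit to the named CA and save the Base64 certificate as certnew.cer.
# -config skips the CA picker dialog. If the template requires manager approval the request
# stays pending and certreq prints a RequestId; fetch it later with
#   certreq -retrieve -config $CAConfig <RequestId> certnew.cer
certreq -submit -config $CAConfig request.req certnew.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed; check the CA Failed Requests folder' }

# Step 5: bind the issued certificate to the private key created in step 2.
certreq -accept certnew.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Step 6: confirm it landed in LocalMachine\My with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServerFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in the machine Personal store' }
"Installed: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

# Step 7: a server in the other forest does not receive the resource-forest CA certificates
# through Group Policy, so install the chain by hand. The issuing CA's own certificate goes
# into the Intermediate store; the offline root's certificate must be copied from the CA
# and placed in Root.
certutil -config $CAConfig -ca.cert issuingca.cer
certutil -addstore -f CA issuingca.cer
# certutil -addstore -f Root offlineroot.cer   # root cert exported from the CA separately
certutil -verify -urlfetch certnew.cer         # chain and revocation check from this host
```

Run it from an elevated prompt on the target server. Every external command is followed by a $LASTEXITCODE check because certreq and certutil report failures through their exit code rather than as PowerShell errors, and a silent failure in step 2 or 3 would otherwise be noticed only when certreq -accept cannot find a matching key.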

Hello,

I have recently set up cross-forest certificate services as outlined in the document you mention. Everything seemed to work great. I can go to a computer in the account forest and use the Certificates snap-in to request a new certificate. The Request New Certificate Wizard comes up; I can see the published templates; and I can proceed through the wizard. The correct CA in the resource forest is listed. However, after clicking Finish in the wizard I get an error telling me: The certificate request failed because of one of the following conditions: - The certificate request was submitted to a Certification Authority (CA) that is not started. - You do not have the permissions to request certificates from the available CAs.

I can't find any errors in event logs, etc. How do I proceed with troubleshooting the issue? I have granted read and enroll permissions on the certificates for the Authenticated Users group, which should work cross-forest....

Thanks,
Kirk Van Slyke
February 9th, 2010 6:31am
