Enterprise CA CDP and DeltaCRL LDAP Location Expired
I installed an Enterprise CA on a server to use with OCS. Some months later the CDP and DeltaCRL Location appeared as Expired, and when I try to submit a certificate request it returns an error: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the AD."
Well, I need to solve this, but I think it is an AD error, because when I installed another CA to test, it returned a CDP and DeltaCRL status of "unable to download".
What could be causing this error?
MCSE, MCDST, CCNA
May 20th, 2010 8:04am
Hi,
Do you have the correct permissions on the enrollment, CDP and AIA containers in AD? You can check this using ADSI Edit; please check the permissions for the following objects:
CN=<CANAME>,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<SUFFIX>
CN=<CANAME>,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<SUFFIX>
CN=<CANAME>,CN=<CANAME-NETBIOS-HOSTNAME>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<SUFFIX>
Among others, the CA computer account should have Full Control access to these locations, and Everyone/Authenticated Users should be able to read these containers.
Also, can you be more specific about the CA configuration (AIA, CDP, ...)?
Martin
May 21st, 2010 10:18am
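The permission check suggested in the reply above can also be scripted. The PowerShell below is an added example, not code from the thread: it reads the ACLs of the three objects and reports whether Everyone or Authenticated Users has read access and which accounts hold Full Control. $CaName and $CaHost are placeholders to fill in, and the script assumes it runs on a domain-joined machine as an account that can read the Configuration partition.

```powershell
# Added example (not from the thread). Fill in the placeholders used in the reply above.
$CaName = '<CANAME>'
$CaHost = '<CANAME-NETBIOS-HOSTNAME>'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$targets  = @(
    "CN=$CaName,CN=Enrollment Services,$pks",
    "CN=$CaName,CN=AIA,$pks",
    "CN=$CaName,CN=$CaHost,CN=CDP,$pks"
)

# Well-known SIDs for Everyone and Authenticated Users (names are localized, SIDs are not).
$readers = 'S-1-1-0', 'S-1-5-11'
$sidType = [System.Security.Principal.SecurityIdentifier]
$adr     = [System.DirectoryServices.ActiveDirectoryRights]

foreach ($dn in $targets) {
    try {
        $entry = [ADSI]"LDAP://$dn"
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
    } catch {
        Write-Warning "Cannot read ACL of $dn : $($_.Exception.Message)"
        continue
    }
    # Only allow ACEs are evaluated; review deny ACEs separately in ADSI Edit.
    $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Does Everyone or Authenticated Users hold an allow ACE that includes GenericRead?
    $canRead = @($allow | Where-Object {
        $readers -contains $_.IdentityReference.Value -and
        ($_.ActiveDirectoryRights -band $adr::GenericRead) -eq $adr::GenericRead
    }).Count -gt 0

    # Who holds Full Control (GenericAll)? Per the reply, the CA computer account should be listed.
    $fullControl = foreach ($r in $allow) {
        if (($r.ActiveDirectoryRights -band $adr::GenericAll) -eq $adr::GenericAll) {
            try { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $r.IdentityReference.Value }   # unresolvable SID: print it raw
        }
    }

    [pscustomobject]@{
        Object      = $dn
        PublicRead  = $canRead
        FullControl = ($fullControl | Sort-Object -Unique) -join '; '
    }
}
```

A warning for an object means it is missing or unreadable from the account running the script, which is itself worth following up in ADSI Edit.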
The problem was in fact the Default Domain Controller Policy; the GPO had been changed by the customer.
We added the Authenticated Users and Everyone groups to the user right "Access this computer from the network".
We need to have the groups there. If these groups are missing then group policy processing will fail for the systems.
And that is why we are not able to request certificates from the CA.
Rebooted the domain controllers one after the other.
Then rebooted the CA.
Now we were able to request certificates from the CA using MMC, but not in Web Enrollment.
Then we needed to republish the templates on the CA, but no success.
Removed and then added the web enrollment service on the CA.
Now we were able to request certificates using web enrollment.
MCSE, MCDST, CCNA
May 25th, 2010 8:55pm
Glad to hear that you have resolved the issue.
Thanks for sharing.
This posting is provided "AS IS" with no warranties, and confers no rights.
May 26th, 2010 7:47am
We were able to resolve the "No certificate templates could be found" issue in IIS 7 by creating a separate Application Pool for the CertSrv web app, and changing the Identity from ApplicationPoolIdentity to NetworkService in the advanced settings (of the app pool).
It's a pity that the CertSrv web application doesn't (always?) work out-of-the-box in IIS 7 on Windows Server 2008.
Good luck,
Peter
March 30th, 2011 5:52am