Enterprise SubCA, No certificate templates could be found.
All Windows 2008 R2. Stand-alone RootCA in workgroup. Enterprise SubCA in domain. Under Certificate Templates I have given my specific user account, as well as all authenticated users, read, enroll and autoenroll perms. Attempting to generate a web server certificate, I can successfully generate the request from the IIS Management Console.

1) If I go to http://subca/certsrv, choose submit a CSR by using file, I get "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory". No helpful eventlog messages follow this error.
2) If I go into Certificate Auth MMC, Submit a new request, load the CSR, I get "The request contains no certificate template information. 0x80094901. Denied by Policy Module 0x80094901 The request does not contain a certificate template extension of the certificate template request attribute." This is accompanied by an Event 53, warning, CertificationAuthority. Same error message as above, with CN string of the request.

Things tried to date:
1) Fixed perms on cert templates, followed by AD CS restart. No effect.
2) http://support.microsoft.com/kb/811418 "No Certificate Templates Could Be Found" error message when a user requests certificate from CA Web enrollment pages. Result: values all check out OK.
3) Publish to Active Directory is enabled for the Cert Templates in question.
4) Manually submit to the CA and specify the template type per http://pdconsec.net/blogs/davidr/archive/2008/08/13/No_2D00_Certificate_2D00_Template_2D00_In_2D00_Request.aspx - returns the same error message. Regardless of the name (full name, display name) used, the error message “The requested certificate template is not supported by this CA” results.
5) Applies to Windows 2000, doesn’t help as perms are correctly applied. http://support.microsoft.com/kb/239452 "Access Denied" When Requesting Certificate Through Web Access
6) I can confirm that AD CS is starting properly, the offline RootCA prep step to ignore the offline RootCA was taken, however the RootCA is currently not turned off yet.

I'm running out of ideas...
July 27th, 2010 7:37pm

Hi,

For the request generated by IIS, please provide the output of “certutil -dump <iis_request>”. Also, open the certificate template snap-in (certtmpl.msc) and ensure the Web Server template Security tab shows that the CA Machine has permission to read and enroll.

Instead of using IIS Manager to generate the request, you can do so manually. Open the machine certificate MMC snap-in (mmc.exe -> File -> Add/Remove Snap-in -> Certificates -> Add -> Computer Account -> Next -> Local Computer -> Finish -> OK). Right click on the Certificates node under the “Personal” store. Select All Tasks -> Request New Certificate. When selecting the Web Server template from the enrollment wizard, open the template details and add both the machine name and fully qualified machine name of the web server as Common Names to the certificate subject.

Thanks,
John
August 1st, 2010 4:25pm
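
The two checks discussed so far in this thread (does the request carry template information, and does the CA actually offer the template), as an added PowerShell example that is not part of any poster's reply. The request and output paths are hypothetical, the template common name `WebServer` is an assumption, and `certutil -CATemplates` is assumed to reach the default Enterprise CA without a `-config` argument.

```powershell
# Added example: diagnose a CSR rejected with 0x80094901 by an Enterprise CA.
# Paths and template name below are assumptions, not values from the thread.
param(
    [string]$RequestPath  = 'C:\temp\iis_request.req',   # hypothetical CSR path
    [string]$CertPath     = 'C:\temp\webserver.cer',     # hypothetical output path
    [string]$TemplateName = 'WebServer'                  # template common name, not display name
)

# OIDs under which a request can carry its certificate template.
$templateOids = @(
    '1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates)
    '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2 and later)
)

function Test-RequestHasTemplate {
    param([string[]]$DumpLines)
    foreach ($oid in $templateOids) {
        if ($DumpLines -match [regex]::Escape($oid)) { return $true }
    }
    return $false
}

# Step 1: dump the request and look for either template OID.
$dump = & certutil.exe -dump $RequestPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $RequestPath" }
$hasTemplate = Test-RequestHasTemplate -DumpLines $dump
"Request carries template information: $hasTemplate"

# Step 2: list the templates this CA is configured to issue.
# Each output line starts with '<CommonName>: <Display Name> ...'.
$caTemplates = & certutil.exe -CATemplates
$pattern     = '^\s*' + [regex]::Escape($TemplateName) + ':'
$published   = @($caTemplates | Where-Object { $_ -match $pattern })

if ($published.Count -eq 0) {
    # Matches the 'requested certificate template is not supported by this CA' case.
    "Template '$TemplateName' is not offered by this CA; publish it in certsrv.msc first."
}
elseif (-not $hasTemplate) {
    # The request has no template, so supply it as a request attribute on submission.
    & certreq.exe -submit -attrib "CertificateTemplate:$TemplateName" $RequestPath $CertPath
}
else {
    & certreq.exe -submit $RequestPath $CertPath
}
```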

Hi,

I had the same kind of problems with Windows 2008 R2 Enterprise CA. My experience is that the "Windows server 2008 enterprise" template does not work with the web UI, but "Windows server 2003 Enterprise" works fine! If you are using a 2008 template, you should try to duplicate it and select the "Windows server 2003 Enterprise" radio button.

Hope it helps :)
-Janne
August 19th, 2010 4:07pm

I was able to resolve the issue in IIS 7 by creating a separate Application Pool for the CertSrv web app., and changing the Identity from ApplicationPoolIdentity to NetworkService in the advanced settings (of the app pool). It's a pity that the CertSrv web application doesn't (always) work out-of-the-box in IIS 7 on Windows Server 2008. Good luck, Peter
March 30th, 2011 5:51am

Thanks Applied Maths. Your solution sorted out my issues. Cheers, Erik
August 22nd, 2012 12:55am

This topic is archived. No further replies will be accepted.
