Help me with CA permissions
Hi, I have a problem with a CA template and its permissions. So in general: I have a 2008R2 Enterprise CA. I have a new template configured which issues certificates for computers. There is one group which contains all the computer accounts and which has Read, Enroll and Autoenroll permissions on this template. I added a few computer accounts, and when policy was refreshed on them, certificates were issued for these computers. But now I've added a few more computers, and when policy is refreshed on them all I get is this error: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422) Active Directory Certificate Services denied request 19 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for DOMAIN\COMPUTERNAME$. Additional information: Denied by Policy Module". I double checked this group membership, forced replication between all of the DCs, completely restarted the CA server - nothing has helped :/ When I granted permissions directly to the computer account on this template, the computer was able to get a certificate. What is going on? Where could my problem be? One of my thoughts is that maybe the CA can't read this group membership, but then how was it able to issue certificates to a few other computers which are in this group too? :/
February 23rd, 2010 6:35pm

What is the scope of the group? You can only use Global groups or Universal groups for certificate template permissions. Domain Local groups cannot be used because the certificate template objects are stored in the Configuration naming context (which is replicated to all DCs in the forest (all domains)).
Brian
February 23rd, 2010 6:52pm

Was able to reproduce this. Added my own computer account into this group. Replicated between all DCs. Restarted the CA just in case. Refreshed policy on the CA just in case. And now, when I issue the following command on my computer: gpupdate /target:computer /force - I get this error :/ It seems that the CA somehow caches group membership for some time :/ How can I avoid this? I want the certificate to be issued right when the computer is added into the required group and group policy is refreshed on it. Kerberos ticket lifetime maybe?
February 23rd, 2010 6:54pm

OK, this is really basic Windows stuff. When you add a user/computer to a group, the group membership is only recognized the next time the account logs on to the network. So, for a user, you log off and log on. For a computer, you wait 8 hours or you reboot the computer. This is *not* the CA caching group membership. This, as I stated in the beginning, is basic Windows stuff.
Brian
February 23rd, 2010 9:15pm

Are you talking about Universal group caching? If so, I have this caching disabled. So I'm interested in why I need to wait for 8 hours. Brian, what would be your approach to this problem? Because as of now, if I put a lot of computer accounts into this group and they are mostly online all of the time, I will simply end up with a lot of failed requests on the CA :(
February 23rd, 2010 10:58pm

> Are you talking about Universal group caching?

No. Brian is talking about the Kerberos token. When a computer starts or a user logs on to a domain, it receives a security token from the KDC that contains the SIDs of all security groups the particular account is a member of. When you change computer/user membership (remove from a group or add to a group), these changes will take effect when the client renews its token. For users you will have to wait up to 10 hours, or just log off and log on again to force these changes immediately. To immediately force a security group membership change for a computer account you need to restart this computer.
http://www.sysadmins.lv
February 23rd, 2010 11:17pm

In my initial posts I mentioned Kerberos ticket lifetime btw :) Maybe one solution would be to shorten the Kerberos ticket lifetime? What would be your solution for my problem? I want to avoid these failed cert requests from showing up on my precious CA :)
February 23rd, 2010 11:23pm

Restart them? Also, you have said nothing about the Kerberos ticket. You said that you have refreshed policy. In that case the security token remains the same and is not changed.
http://www.sysadmins.lv
February 23rd, 2010 11:25pm

What do you want to know about this ticket? It has the default lifetime. I'm interested in finding some solution which avoids restarting computers. Because if I add 100 computer accounts at one time into this group, I simply will not be able to restart all of them. And if I don't restart them I'll get tons of failed requests, as the GPO refresh is a lot shorter than 10 hours :( And thanks for your help to your neighbor from LT :)
February 23rd, 2010 11:48pm

Actually there are only two solutions: reduce the ticket lifetime in the Kerberos section of group policy, or restart the computers.
http://www.sysadmins.lv
February 23rd, 2010 11:51pm
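The mechanism described above (the computer's group SIDs live in the PAC of the Kerberos TGT obtained at boot, so the CA's template ACL check sees stale membership until that ticket is renewed) can be worked around on an individual client without a reboot by discarding the SYSTEM logon session's tickets and re-triggering autoenrollment. This is an added example, not code from the thread or its participants; the CA config string is a placeholder, and it assumes the group change has already replicated to the DC the client authenticates against.

```powershell
# Added example: refresh a computer's Kerberos token and retry autoenrollment
# without rebooting. Run in an elevated PowerShell on the affected client.
# Placeholder: replace with "CAHOST\CA common name" from certutil -dump on the CA.
$CaConfig = 'CASERVER\DOMAIN-CA'

# 1. List the tickets held by the computer account's own logon session.
#    LUID 0x3e7 is the SYSTEM session; its TGT carries the PAC (group SIDs)
#    that the CA's policy module evaluates against the template ACL.
klist -li 0x3e7

# 2. Purge those tickets. The next request to the CA forces a fresh AS/TGS
#    exchange, and the DC builds a new PAC from current group membership.
klist -li 0x3e7 purge

# 3. Trigger autoenrollment now instead of waiting for the GPO refresh interval
#    (gpupdate /target:computer /force would also work, as in the thread).
certutil -pulse

# 4. Verify on the CA database: disposition 20 = issued, 30 = denied.
#    Assumes the computer and the logged-on user share the same domain name.
$Requester = "$env:USERDOMAIN\$env:COMPUTERNAME`$"
certutil -config $CaConfig -view -restrict "RequesterName=$Requester" `
    -out "RequestID,RequesterName,Request.Disposition,Request.SubmittedWhen"

# To audit the "Failed Requests" folder the thread worries about, list all
# denied requests in one query:
certutil -config $CaConfig -view -restrict "Disposition=30" `
    -out "RequestID,RequesterName,Request.SubmittedWhen"
```

Step 4 requires the caller to have Read permission on the CA; if the request still shows disposition 30 after the purge, check replication of the group change to the client's logon DC before suspecting the template ACL.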

Actually, there is a third option. PATIENCE! <G>
Brian
February 23rd, 2010 11:52pm

Brian, actually it's not a good solution, because this solution will end up with a lot of failed requests in the "Failed Requests" folder on my CA. I do not want to have unneeded garbage which I can avoid without any big side effects :) But I'll keep your solution in mind :)
February 24th, 2010 12:04am

> Actually there are only two solutions: reduce the ticket lifetime in the Kerberos section of group policy, or restart the computers. http://www.sysadmins.lv

Are you talking about the service ticket or the user ticket lifetime?
February 24th, 2010 12:10am

User.
http://www.sysadmins.lv
February 24th, 2010 12:16am

But I still can't understand this damn group membership thing :( Example: I added two computer accounts to the required group at 17:30. Both computers were online until this morning. The results: I can see neither a failed request nor an issued certificate for one computer today (it's 8:00 now). As for the other computer, I see a failed request at 7:39. I can see that the 10 hours have passed, so why do I have such behavior? And why have I had only one failed request during the 10 hour time frame? As far as I know, GPO refreshes more frequently.
February 24th, 2010 8:48am
