Permission issues trying to install NDES
I'm in the process of trying to set up an NDES in a 2008R2 PKI environment (3 tier with Root, Intermediate and 3 Issuing CAs). I have the CA ready to go with my domain admin account also set up as an Enterprise admin (during NDES setup I enter this account as the user account for NDES to use). During setup, I get to the point where I need to select the CA and it comes back saying: "Insufficient access rights to perform the operation , 0x80072098 , (win32:8344)". All of the servers are in the CertPublishers group. The domain is (server).(ChildDomain).(ParentDomain).local if this makes a difference. In a TechNet document I found it states: "During setup certificates are requested for NDES based on the Exchange Enrollment Agent (Offline Request) and the CEP Encryption certificate templates, which are required during setup." I try and add access to the above-mentioned default templates for the NDES machine but it comes back with the error: "Unable to save permission changes on EnrollmentAgentOffline. A referral was returned from the server ". I'm not sure if this is the solution though. If someone could point me in the right direction that would be good. Thanks
February 6th, 2011 10:08pm

Any ideas?
February 10th, 2011 8:15pm

I just changed the permissions without issue. However, the error is making me wonder if you are using an account that has permissions to Add Templates to the CA. Look at the default permissions of the Exchange Enrollment Agent (Offline request) - do they match what you have? If so, then it seems like you are running into a different issue. Ensure that your Domain Admins group (or whatever appropriate Group Membership you are using) has the ability to Issue and Manage Certificates. This is found by right-clicking the CA, Properties, Security.
April 6th, 2012 9:35pm

Kurt, they need Manage CA to add a certificate template to the CA <G>. The Issue and Manage Certificates permission is related to revoking certificates and issuing pending certificates.

Brian
April 7th, 2012 10:15am

Thanks for clarifying those requirements, Brian. :-) I was pulling the requirements from the Network Device Enrollment Services (NDES) article, but obviously grabbed the wrong ones.
April 9th, 2012 1:20pm
