Request a certificate from certificate service fails (DCOM Error 2147942405)
Hi, I have a problem with the Certificate Service installed in a Windows 2008 Enterprise Server: The Domain Computers can not request a certificate. It always fails. The users can request the certificates successfully. I added the "Domain Controllers" and "Domain Computers" groups to the "Certificate Service DCOM Access Group", modify the SETUP_DCOM_SECURITY_UPDATED_FLAG and restart the service. I verify the Component Services\Computers\My Computer\COM Security configuration and set "Certificate Service DCOM Access Group" "Launch and Activation Permission\Security Limits" allowing all activities (Local\Remote Launch and Local\Remote Activation) to the "Certificate Service DCOM Access Group". Well, looking in a two different Windows 2008 Servers, using the Event Viewer and filtering all the Errors generated from DistributedCOM source, I have several messages which says: DCOM got error "2147942405" from the computer XXXXX when attempting to activate the server: {D99E6E74-FC88-11D0-B498-00A0C90312F3}" Where {D99E6E74-FC88-11D0-B498-00A0C90312F3} is the "CertSrv Request" DCOM application, and XXXXX is the W2K8 server where i have installed the Certificate Service. The message is generated when reboots the computer or request a new certificate. Any Idea how to fix this issue? Thanks in advance. H.
June 4th, 2009 5:57pm

Hi, A possible cause of this issue is that one of the following objects is not added to the local Users group: NT AUTHORITY\Authenticated Users NT AUTHORITY\INTERACTIVE Domain Users Please add the objects to the Users group and restart the CA service to check the result.
Free Windows Admin Tool Kit Click here and download it now
June 9th, 2009 4:38am

Hi, Thanks for your answer, but I have installed the Certificate Server in a Domain Controller, so I do not have access to local Users Group, only Domain Users. In other hand, the problem is not present with the users, only with the computers (Domain Controllers and Domain Computers). In interesting issue: I am not able to request a new certificate using the MMC in the domain controller where i have installed the certificate authority service. But when I restart the computer, it can request successfully the certificates. Looks like the security policy which denies the access to the service using the MMC is not active while the computer starts (a security flaw???, do not known). Thanks in advance for your help. H.
June 9th, 2009 8:38am

Hi Joson, I add the "Domain Computers" and "Domain Controllers" to builtin\Users (in spanish builtin\Usuarios) group, and now I am able to request certificates. Now, I am afraid about security issues. Anyway, thanks for the ideas you told me in the before message. H.
Free Windows Admin Tool Kit Click here and download it now
June 10th, 2009 5:49pm

Hi, Yes. The Builtin\Users group is the local Users group on domain controller. J Normally, this operation will not create any security risk.
June 10th, 2009 10:11pm

I am receiving this same error on SBS 2011, but there is no a local security group called "Users". Can anyone help? TY
Free Windows Admin Tool Kit Click here and download it now
April 6th, 2011 10:35am

THANKS Resolve my problem with your solution!!!!!
September 28th, 2011 4:16pm

Hi Joson, I add the "Domain Computers" and "Domain Controllers" to builtin\Users (in spanish builtin\Usuarios) group, and now I am able to request certificates. Now, I am afraid about security issues. Anyway, thanks for the ideas you told me in the before message. H. I finally found this one! I tried adding NT AUTHORITY\Authenticated UsersNT AUTHORITY\INTERACTIVE a few times, and at first I was adding it to my local computer and not the domain server. I was so confused. Now I think I got it. I will find out in a few days when I either get certificates, or errors. Thanks!
Free Windows Admin Tool Kit Click here and download it now
April 17th, 2012 4:16pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics