Requesting Certificate from http://host/certsrv
I am trying to request a certificate by going to http://[hostname]/certsrv. I will click on "Request certificate" and then "submit an advanced certificate request." Next I select "Create and submit a request to this CA." Every time I get an error. The CA does show a failed request with a status code "The parameter is incorrect. 0x80070057 (WIN32: 87)." In Event Viewer, the Application logs show Event 96 and Event 77. See below.
***********************************************************
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 96
Date: 9/2/2010
Time: 10:36:16 AM
User: N/A
Computer: SERVERNAME
Description:
Certificate Services could not create an encryption certificate. Requested by DOMAIN\USERNAME. The parameter is incorrect. 0x80070057 (WIN32: 87).
**************************************************************
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date: 9/2/2010
Time: 10:35:57 AM
User: N/A
Computer: SERVERNAME
The "Windows default" Policy Module logged the following warning: The Workstation Certificate Template could not be loaded. Element not found. 0x80070490 (WIN32: 1168).
**********************************************************************************
Not sure if it is related, but I am seeing a DCOM error as well. See the message below.
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 9/2/2010
Time: 10:12:17 AM
User: domain\username
Computer: servername
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} to the user domain\username SID (S-1-5-21-1659004503-884357618-725345543-27800). This security permission can be modified using the Component Services administrative tool.
**********************************************************************************************
For the CA I am using Win 2K3 Enterprise SP2 R2. The client requesting the cert is XP Pro. The DCs are 2003 using a 2003 schema.
September 2nd, 2010 6:05pm
If you open the Certification Authority console on your server (Administrative Tools) and check Certificate Templates, is the workstation certificate template there? (Right click -> Manage to add it if it's missing.)
September 2nd, 2010 7:03pm
I do see a workstation authentication template. Every time I restart the CA service I get an Event 77 message for each of the below certificates in addition to Workstation.
CAExchange; CrossCA; DirectoryEmailReplication; DomainControllerAuthentication; KeyRecoveryAgent; RASAndIASServer
When I remove the templates I only get the event ID 96 message.
Thanks,
September 2nd, 2010 7:56pm
One thing I noticed is that these are all V2 templates. I am using Windows 2003 Enterprise Edition for the CA.
September 2nd, 2010 8:10pm
Do you get the same error if you do the same request using the certificate MMC plugin for the local computer account?
September 2nd, 2010 8:42pm
Yes...a computer account certificate can be requested and issued correctly using the Certificate MMC plugin on the requesting computer. This method requests a 'Computer (Machine)' certificate...why is the web request (via http://servername/certsrv) processing the certificate as a 'CAExchange' template instead of a 'Machine' template (as seen using the Certificate MMC)?
September 2nd, 2010 9:33pm
I got it figured out. The OID was missing. To recreate it you have to use adsiedit. Then delete all templates and add them back. Make sure you check permissions after you replace them.
Thanks,
September 5th, 2010 11:03pm
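A read-only check for the condition described in the last post, added here as an example and not taken from the thread. It assumes "the OID" refers to the objects under `CN=OID,CN=Public Key Services` in the Active Directory Configuration partition, which the thread does not spell out, and that it runs on a domain-joined host with read access to that partition.

```powershell
# Added example (not from the thread). Read-only: lists certificate templates
# whose OID has no matching object in the forest's OID container.
# Assumption: the missing "OID" is under CN=OID,CN=Public Key Services.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$oidPath  = "LDAP://CN=OID,$pkiBase"
$tmplPath = "LDAP://CN=Certificate Templates,$pkiBase"

function Find-PkiObject([string]$Path, [string]$Class) {
    # One-level-deep objects of the given class, with name and OID loaded.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $s.Filter     = "(objectClass=$Class)"
    $s.PageSize   = 500
    [void]$s.PropertiesToLoad.Add('cn')
    [void]$s.PropertiesToLoad.Add('mspki-cert-template-oid')
    $s.FindAll()
}

# The container itself may be the thing that is missing.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($oidPath)) {
    Write-Warning "OID container not found: $oidPath"
    return
}

# Collect every OID value registered in the OID container.
$registered = @{}
foreach ($o in Find-PkiObject $oidPath 'msPKI-Enterprise-Oid') {
    foreach ($v in $o.Properties['mspki-cert-template-oid']) {
        $registered[[string]$v] = $true
    }
}

# Report templates whose OID is absent or not registered.
foreach ($t in Find-PkiObject $tmplPath 'pKICertificateTemplate') {
    $name = [string]$t.Properties['cn'][0]
    $oid  = $t.Properties['mspki-cert-template-oid']
    if (-not $oid -or $oid.Count -eq 0) {
        "{0}: template has no msPKI-Cert-Template-OID value" -f $name
    } elseif (-not $registered.ContainsKey([string]$oid[0])) {
        "{0}: OID {1} has no object under CN=OID" -f $name, $oid[0]
    }
}
```

No output means every template's OID resolved; any line printed names a template to compare against the Event 77 warnings logged when the CA service starts.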


