Rights issue? "The request contains no certificate template information." when requesting certificates in specific scenarios
Hello.
The deployment is the following: a root (offline) and a subordinate enterprise CA (correctly propagated in the AD). The enterprise CA is a MS 2008 Cluster (CA service name is correctly propagated throughout the AD as the enrollment point).
Some modifications were: 1. adding an OCSP server on a totally separate machine; 2. related to the security of the templates (modifying rights). NOTE: all the modifications, configuration and enrollment attempts are performed with a user (let's say XAdministrator) which is a domain admin and CA manager (with full rights).
THE ISSUES are the following:
1. When performing the enrollment process in certsrv.msc > Subordinate Authority > contextual menu > "submit new request" > specify the CSR file, the following error message appears: "Active Directory Certificate Services denied request xxxxx because The request contains no certificate template information. 0x80094801 (-2146875391). The request was for CN=servername.domain.extension, OU=IT, O=organization_name, L=somewhere, S=US, C=US. Additional information: Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute."
This operation is executed with the user XAdministrator, which has full rights in CA properties > Security and on Certificate template > Security.
BUT: if the following command is issued, the certificate is successfully issued: certreq -submit -attrib "CertificateTemplate:WebServer" "path_to_csr_file" (I must specify that it is the same user on the CA machine).
2. Another station is used for Certification Authority Web Enrollment, and when browsing to request a new certificate, on the page where the CSR must be pasted and the certificate template is to be selected, the following error message appears: "no certificate template could be found. you do not have permission to request a certificate from this CA, or an error occured while accessing the Active Directory".
The same XAdministrator user is used (which has full rights in CA properties > Security and on Certificate template > Security) and no certificate appears as a template.
BUT: if on the same machine, with the same user, I use MMC to open the certificate store of the local computer and I start the enrollment process for a WebServer certificate, the template is successfully seen and the enrollment is successful.
BUT: if on the same machine, with the same user, I use MMC to open the certificate store of the current user and I try to enroll the logged-on user (XAdministrator) with a User template, the process is successful.
3. If a new template is added in the certificate templates, the following error message appears: the template information on the CA cannot be modified at this moment. This is most likely because the CA service is not running or there are replication delays. Access denied. 0x80070005.
I chose to save the changes in the Active Directory. The certificate template is not available for enrollment.
BUT: if I modify the Security settings for an existing certificate template (let's say I grant the Enroll right to Domain Users for the User template), this new setting is applied and the appropriate users are able to enroll.
Thank you
March 12th, 2012 10:30am
Hello.
Any insights?
thank you
March 13th, 2012 12:21pm
What user account do you use when the issue occurs? Ensure it has enough rights and that the certificate template permissions have been configured correctly.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/298006b4-533b-4c88-a5fd-461ecf5a0a42/
March 20th, 2012 12:15pm
Hi,
Error 0x80094801 (-2146875391) means:
This issue may be caused by incorrect Certificate Template permission settings. Let's give Authenticated Users the Enroll permission:
1. Open MMC, click File menu, choose Add/Remove Snap-in, choose Certificate Templates, click OK.
2. Double-click the Web Server template, switch to the Security tab, select Authenticated Users, click the Enroll option. Click OK.
3. Open CA console, stop CA service and restart it.
4. Try to open MMC->Certificates of Local Computer, try to request Web Server certificates.
How do you create your CSR when you do certreq -submit -attrib "CertificateTemplate:WebServer" "path_to_csr_file"?
What is the content of your request.inf file?
You can look at Vadim's blog post; he gives the right procedure to create a web SSL certificate with the SAN:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=20&Source=http%3A%2F%2Fen-us.sysadmins.lv%2FLists%2FPosts%2FArchive.aspx
Because if it is not an Authenticated Users problem, you have a misconfiguration between your CSR vs. template vs. policy module (99% of the time the error is that the template is configured to use the DNS name in the SAN but there is no DNS entry in the local DNS for the website, or your template is configured to retrieve the subject from the CSR but you don't include one).
Hope this will help you.
March 20th, 2012 11:11pm
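
Added example, not code from any poster in this thread: the 0x80094801 text in the first post says the request carries neither a certificate template extension nor the CertificateTemplate request attribute, which is why the same CSR succeeds only when certreq -attrib supplies the template. The sketch below builds a request that names the template itself and checks the dump before submission. The file names, key settings and the search pattern over certutil output are assumptions.

```powershell
# Added example. Assumptions: file names, key settings, and the WebServer
# template and subject taken from the thread's first post.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=servername.domain.extension, OU=IT, O=organization_name, L=somewhere, S=US, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[RequestAttributes]
; Names the template inside the request, so no -attrib is needed at submit time.
CertificateTemplate = WebServer
'@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Build the PKCS#10 request from the INF (run elevated because of MachineKeySet).
certreq -new .\request.inf .\request.csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Inspect the request before submitting it. The two OIDs are the Microsoft
# template name (1.3.6.1.4.1.311.20.2) and template information
# (1.3.6.1.4.1.311.21.7) extensions. Assumption: certutil prints them
# numerically; adjust the pattern if your output differs.
$dump = certutil -dump .\request.csr
$pattern = '1\.3\.6\.1\.4\.1\.311\.20\.2|1\.3\.6\.1\.4\.1\.311\.21\.7|CertificateTemplate'
$hits = $dump | Select-String -Pattern $pattern

if ($hits) {
    "Template information present in request:"
    $hits | ForEach-Object { "  " + $_.Line.Trim() }
    # This CSR can now go through certsrv.msc "submit new request" or a plain submit:
    certreq -submit .\request.csr .\server.cer
} else {
    Write-Warning "No template information in request.csr; the CA policy module would deny it with 0x80094801 unless -attrib is used."
}
```

A CSR produced by a third-party tool will normally take the warning branch, which matches the first post's observation that the request is issued only with -attrib "CertificateTemplate:WebServer".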