Unable to Create a Certificate CMC request. Client Side Error Access Denied. Code works fine when run as vbs
Operating system: Windows 7
IE version: 8
CA version: Windows 2008 R2
Certificate template: SmartCard Logon

I am creating a CMC certificate request via client-side VBScript. Basically, I create the PrivateKey object and set its attributes, then create the PKCS10 object and initialize it with the PrivateKey and templateName, then create the CMC object and initialize it by passing the P10 object and TemplateName in the method.

When I run the script only in a VBS file, everything seems to be working fine and I am displayed a PIN prompt (as my template is smart card logon). But when I put this code in an aspx page and run it via the browser, I am getting an ACCESS DENIED error when I try to initialize the CMC object with InitializeFromInnerRequestTemplateName().

I have added the site to the Local Intranet zone and enabled everything. I also went into the local computer GPO and added 2,2,1,0 for the ActiveX Installer Service.

The code works in Windows Vista, but not in Windows 7 (IE 8). Any guesses? I will redo the Windows 7 image and see if it makes a difference, but I am not sure if that is the problem. Any suggestions would help, thanks.
April 4th, 2010 12:03am

Without the actual code, no one is going to be of much help.

Paul Adare, CTO, IdentIT Inc., ILM MVP
April 4th, 2010 12:54am

Hmm, noticed something strange. If I create my CMC object from objClassFactory.CreateObject, then I get the ACCESS DENIED, but if I create the CMC object by just calling CreateObject("X509Enrollment.CX509CertificateRequestCmc"), then it does not throw the access denied.
April 4th, 2010 12:56am

I will see if I can post some test code.
April 4th, 2010 8:53pm

Here is the test code that fails:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html><head><title>Untitled</title>
    <script language="VBScript"><!--
    Sub vbMessage_1()
        Dim objRequestPkcs10
        Dim objNameValuePair
        Dim objNameValuePairs
        Dim objRequestCMC
        Dim objPrivateKey
        Dim objClassFactory
        Dim CSPVendorName

        ' Every enrollment object is created through the web class factory
        Set objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
        Set objEnroll = objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
        Set objPrivateKey = objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
        Set objRequestPkcs10 = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
        Set objRequestCMC = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestCmc")

        ' Look up the smart card CSP by name and copy its name and type to the key
        CSPVendorName = "Microsoft Base Smart Card Crypto Provider"
        Dim CspInfo
        Set CspInfo = objClassFactory.CreateObject("X509Enrollment.CCspInformation")
        CspInfo.InitializeFromName(CSPVendorName)
        objPrivateKey.ProviderName = CspInfo.Name
        objPrivateKey.ProviderType = CspInfo.Type
        objPrivateKey.KeySpec = 2
        GenKeyFlags = 0
        objPrivateKey.KeyProtection = 0
        objPrivateKey.ExportPolicy = GenKeyFlags
        objPrivateKey.Length = 1024

        'Init the P10
        call objRequestPkcs10.InitializeFromPrivateKey(1, objPrivateKey, "SmartcardLogon")

        'Create CMC (this is the call that returns ACCESS DENIED)
        call objRequestCMC.InitializeFromInnerRequestTemplateName(objRequestPkcs10, "SmartcardLogon")
        MsgBox("Error " & Err.Number)
    End Sub
    //--></script>
    <script language="JavaScript" type="text/javascript"><!--
    //--></script>
    </head><body><form name="frmTest">
    <input type="button" value="Call Get Cert request" onclick="vbMessage_1()" /></form></body></html>
April 6th, 2010 1:05am

Is there a way to turn on cert enroll logging on the client machine? Access denied is a very generic error, and it seems like a catch-all error.
April 6th, 2010 5:09pm

Has anyone seen this error... I am getting desperate now :(
April 7th, 2010 2:26am

OK, so some update on this. For the certificate enrollment, when I create the objects from the object factory like this below

    Set objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
    Set objEnroll = objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
    Set objPrivateKey = objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
    Set objRequestPkcs10 = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
    Set objRequestCMC = objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestCmc")

and then make a call

    call objRequestCMC.InitializeFromInnerRequestTemplateName(objRequestPkcs10, "SmartcardLogon")

I get the ACCESS DENIED error. I tried to call a different web-enabled method

    call objRequestCMC.InitializeFromInnerRequest(objRequestPkcs10)

then this method does not throw any exceptions, so I am thinking that there is some security setting either at the browser level or CA level that is producing the ACCESS DENIED error when the method objRequestCMC.InitializeFromInnerRequestTemplateName(objRequestPkcs10, "SmartcardLogon") is called.

On the other hand, if I create all my objects like below then all my code works fine and I am able to retrieve certs

    Set objClassFactory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")
    Set objEnroll = CreateObject("X509Enrollment.CX509Enrollment")
    Set objPrivateKey = CreateObject("X509Enrollment.CX509PrivateKey")
    Set objRequestPkcs10 = CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
    Set objRequestCMC = CreateObject("X509Enrollment.CX509CertificateRequestCmc")

Can anyone from Microsoft shed some light on it? I have the code working, but I want to know why the failing code works on Windows Vista but does not work with Windows 7.
April 13th, 2010 10:27pm
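
The comparison described in the post above, as an added example that is not code from any poster in this thread: it runs the same enrollment steps once with factory-created objects and once with directly created ones, and records the error number of every step so the failing call can be pinned down. The helper names NewObj, Report and RunSteps are hypothetical; the ProgIDs, CSP name, template name and key settings are the ones posted in the thread.

```vbscript
' Added diagnostic example, not the poster's code. Runs the posted steps with
' factory-created and with directly created objects and reports each result.
Option Explicit

Const TEMPLATE = "SmartcardLogon"                           ' template name from the thread
Const CSP_NAME = "Microsoft Base Smart Card Crypto Provider" ' CSP name from the thread

Dim factory
Set factory = CreateObject("X509Enrollment.CX509EnrollmentWebClassFactory")

' Hypothetical helper: create progId through the web class factory or directly.
Function NewObj(useFactory, progId)
    If useFactory Then
        Set NewObj = factory.CreateObject(progId)
    Else
        Set NewObj = CreateObject(progId)
    End If
End Function

' Hypothetical helper: format the pending error for one step, then clear it.
Function Report(stepName)
    Report = stepName & ": 0x" & Hex(Err.Number) & " " & Err.Description & vbCrLf
    Err.Clear
End Function

Function RunSteps(useFactory)
    Dim csp, key, p10, cmc, out
    On Error Resume Next   ' keep going after a failure so every step is reported
    Set csp = NewObj(useFactory, "X509Enrollment.CCspInformation")
    Set key = NewObj(useFactory, "X509Enrollment.CX509PrivateKey")
    Set p10 = NewObj(useFactory, "X509Enrollment.CX509CertificateRequestPkcs10")
    Set cmc = NewObj(useFactory, "X509Enrollment.CX509CertificateRequestCmc")
    out = Report("create objects")
    csp.InitializeFromName CSP_NAME
    out = out & Report("CCspInformation.InitializeFromName")
    key.ProviderName = csp.Name
    key.ProviderType = csp.Type
    key.KeySpec = 2
    key.Length = 1024
    out = out & Report("private key properties")
    p10.InitializeFromPrivateKey 1, key, TEMPLATE
    out = out & Report("Pkcs10.InitializeFromPrivateKey")
    cmc.InitializeFromInnerRequestTemplateName p10, TEMPLATE
    out = out & Report("Cmc.InitializeFromInnerRequestTemplateName")
    RunSteps = out
End Function

MsgBox "Factory-created objects:" & vbCrLf & RunSteps(True) & vbCrLf & _
       "Directly created objects:" & vbCrLf & RunSteps(False)
```

A step that succeeded reports 0x0; an access-denied failure reports 0x80070005 (E_ACCESSDENIED). Once an early step fails, later steps that depend on it fail too, so the first non-zero line is the one to investigate.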

Still waiting for that Microsoft response! Come on guys! We are having the same problem with Gemalto Smartcard enrollment on Server 2008 R2. We are trying to mod the code below. The request works fine but the CSP is resulting in an access denied error and defaulting to the Microsoft CSP.

    // vistaClassFactory, keyType, certificateOID, DN and publicKey are not defined in this excerpt
    var cryptoServiceProvider = "Gemalto Classic Card CSP";
    var csp = vistaClassFactory.CreateObject("X509Enrollment.CCspInformation");
    var csps = vistaClassFactory.CreateObject("X509Enrollment.CCspInformations");
    var privateKey = vistaClassFactory.CreateObject("X509Enrollment.CX509PrivateKey");
    var request = vistaClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
    var objectIDs = vistaClassFactory.CreateObject("X509Enrollment.CObjectIds");
    var objectId = vistaClassFactory.CreateObject("X509Enrollment.CObjectId");
    var x509ExtEnhancedKeyUsage = vistaClassFactory.CreateObject("X509Enrollment.CX509ExtensionEnhancedKeyUsage");
    var extTemplate = vistaClassFactory.CreateObject("X509Enrollment.CX509ExtensionTemplateName");
    var enroll = vistaClassFactory.CreateObject("X509Enrollment.CX509Enrollment");
    var vistaDN = vistaClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName");

    csp.InitializeFromName(cryptoServiceProvider);
    //Initialize the csp object using the desired Cryptographic Service Provider (CSP)
    //Add this CSP object to the CSP Collection Object
    csps.Add(csp);

    //privateKey.ContainerName =
    privateKey.KeySpec = keyType;
    privateKey.ProviderType = 1;
    privateKey.Length = 2048;
    privateKey.ExportPolicy = 0x1;
    privateKey.CspInformations = csps;
    request.InitializeFromPrivateKey(1, privateKey, "");

    //1.3.6.1.5.5.7.3.2 Oid - Extension
    objectId.InitializeFromValue(certificateOID);
    objectIDs.Add(objectId);
    x509ExtEnhancedKeyUsage.InitializeEncode(objectIDs);
    request.X509Extensions.Add(x509ExtEnhancedKeyUsage);

    vistaDN.Encode(DN, 0); //XCN_CERT_NAME_STR_NONE = 0
    request.Subject = vistaDN;

    //ENROLL
    enroll.InitializeFromRequest(request);
    publicKey.value = enroll.CreateRequest(1);
December 25th, 2011 10:43am

This topic is archived. No further replies will be accepted.