W2K8 R2 Sub CA - Can't Enumerate Templates via MMC, Web, or CertReq
I have a W2K8 R2 Ent. Sub CA set up to issue certificates w/ a W2K8 R2 Ent. Standalone Root that is offline. I have several templates loaded into the CA; however, when I try to complete a request via the cert enroll website [https:\\subcaname\certsvr] I receive the message "No certificate templates could be found..." Likewise, when I try to pass the certificate template name & request file to the Sub CA using

certreq -submit -attrib "CertificateTemplate: template name" requestfilename.req

I receive the message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392) Denied by Policy Module".

However! If I use the Certificates MMC snap-in & use the wizard, the templates are present & I am able to successfully enroll for one as long as the machine/user has the correct permissions... furthermore, if I tell the wizard to "show all" templates, then I see all of the unavailable templates as well.

I have tried the following:
· using v2 & v3 templates
· confirmed that domain computers & authenticated users have read access to the templates
· have also made sure that the "NT Authority\Authenticated Users" and "NT Authority\Interactive" groups are members of the "Certificate Service DCOM Access" group on the Sub CA.

Finally, I have tried enabling enroll\debug logging & issuing a request via certreq, but only receive a few lines:

402.511.948: Begin: 11/30/2011 1:55 PM 02.761s
402.516.0: certreq
402.520.0: GMT - 5.00
2005.208.0: certcli.dll: 6.1:7601.17514 retail
2005.208.0: certenroll.dll: 6.1:7601.17514 retail
402.377.949: End: 11/30/2011 1:56 PM 10.993s

For comparison, here is the debug output of a successful enrollment via MMC:

402.511.948: Begin: 11/30/2011 1:33 PM 21.416s
402.516.0: MMC.EXE
402.520.0: GMT - 5.00
2005.208.0: certcli.dll: 6.1:7601.17514 retail
2005.208.0: certenroll.dll: 6.1:7601.17514 retail
3000.835.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436)
2032.4215.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436): Fetch Id
3000.835.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436)
3000.858.0:<2011/11/30, 13:33:23>: 0x80094004 (-2146877436)
2720.287.0:<2011/11/30, 13:34:7>: 0x800704c7 (WIN32: 1223)
3000.835.0:<2011/11/30, 13:34:9>: 0x80094004 (-2146877436)
2032.1524.0:<2011/11/30, 13:34:9>: 0x80094004 (-2146877436)
2007.195.0:<2011/11/30, 13:34:9>: 0x80091002 (-2146889726): 3DES_112
2007.195.0:<2011/11/30, 13:34:9>: 0x80091002 (-2146889726): DESX
2007.195.0:<2011/11/30, 13:34:9>: 0x80091002 (-2146889726): AES-GMAC
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): Administrator
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): ClientAuth
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): EFS
2032.2825.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): CAExchange
2032.2825.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): CEPEncryption
2032.2807.0:<2011/11/30, 13:34:9>: 0x80094012 (-2146877422): CodeSigning
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): Machine
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CrossCA
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): DirectoryEmailReplication
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): DomainController
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): DomainControllerAuthentication
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): EFSRecovery
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): EnrollmentAgent
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): MachineEnrollmentAgent
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): EnrollmentAgentOffline
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): ExchangeUserSignature
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): ExchangeUser
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate01
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate02
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate03
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate04
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CustTemplate05
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): IPSECIntermediateOnline
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): IPSECIntermediateOffline
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): KerberosAuthentication
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): KeyRecoveryAgent
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): OCSPResponseSigning
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): RASAndIASServer
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CA
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): OfflineRouter
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): SmartcardLogon
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): SmartcardUser
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): SubCA
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): CTLSigning
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): User
2032.2807.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): UserSignature
2032.2825.0:<2011/11/30, 13:34:10>: 0x80094012 (-2146877422): WebServer
2027.6875.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392)
2032.3029.0:<2011/11/30, 13:34:10>: 0x80094800 (-2146875392): Workstation
2009.4916.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2014.3881.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2008.1048.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2014.4239.0:<2011/11/30, 13:34:10>: 0x80094004 (-2146877436)
2027.7483.0:<2011/11/30, 13:35:31>: 0x80004003 (-2147467261)
2009.4916.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2009.4621.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2009.2193.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): Microsoft Software Key Storage Provider
2009.2242.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): RSA
2009.2243.0:<2011/11/30, 13:35:31>: 0x1 (WIN32: 1): le-CustomTemplateName-c5a9c136-b359-482e-b104-6e27d0022b50
2009.2282.0:<2011/11/30, 13:35:31>: 0x800 (WIN32: 2048): RSA
419.224.0:<2011/11/30, 13:35:31>: 0x8009000b (-2146893813): Security Descr
2009.3894.0:<2011/11/30, 13:35:31>: 0x8009000b (-2146893813)
2009.3932.0:<2011/11/30, 13:35:31>: 0x8009000b (-2146893813)
452.43.0:<2011/11/30, 13:35:31>: 0x80090029 (-2146893783): SmartCardKeyCertificate
2014.3720.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2013.4507.0:<2011/11/30, 13:35:31>: 0x80094004 (-2146877436)
2021.1241.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2041.783.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2021.1241.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2041.783.0:<2011/11/30, 13:35:35>: 0x80092004 (-2146885628)
2009.3628.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783): SmartCardKeyCertificate
2009.5246.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783)
2027.7865.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783)
2027.3598.0:<2011/11/30, 13:35:35>: 0x80090029 (-2146893783)
402.377.949: End: 11/30/2011 1:35 PM 38.054s

Any help would be greatly appreciated.
November 30th, 2011 2:26pm

Can you check you've left Authenticated Users with Read on the template in the configuration partition?
December 1st, 2011 8:18am

Thanks Alexander, but I took a look and Auth. Users have Read permissions at both the PKI & Templates containers.
December 1st, 2011 12:04pm

Hi, can you add the Computer Account of the CA ($SubCA) with Read and Enroll permissions on the template you need to issue via the Certsrv website. Gpupdate /force and things should work a bit better.
Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent | ADRMS Wiki Portal: Technet Wiki
December 2nd, 2011 1:47am
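An added check script (mine, not posted by anyone in this thread) that audits what the two replies above ask about: whether Authenticated Users and the Sub CA's computer account hold Read and Enroll on a template object in the Configuration partition, and whether the CA lists that template on its enrollment-service object at all. The CA common name "SubCA-CA" and computer account "SUBCA$" are placeholders; "CustTemplate01" is taken from the debug log in the question, and the Certificate-Enrollment right GUID is the well-known schema value.

```powershell
# Added example, not from the thread. Reads template ACLs and the CA's published
# template list straight from AD via ADSI; no ActiveDirectory module required.
param(
    [string]$CAName     = "SubCA-CA",       # assumption: the CA's common name in AD
    [string]$CAComputer = "SUBCA$",         # assumption: the CA host's computer account
    [string]$Template   = "CustTemplate01"  # template name taken from the thread's debug log
)
$configNC   = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$EnrollGuid = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
$GR = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$GA = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$XR = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-TemplateAccess {
    param([string]$Name, [string[]]$Principals)
    # Template ACLs live on the template object in the Configuration NC, not on the CA
    $tmpl = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,$pkiBase"
    $acl  = $tmpl.psbase.ObjectSecurity
    foreach ($p in $Principals) {
        $allow = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$p" })
        $read = $false; $enroll = $false
        foreach ($r in $allow) {
            $bits = [int]$r.ActiveDirectoryRights
            # "Read" in the template UI is GenericRead; GenericAll (Full Control) implies both
            if (($bits -band $GR) -eq $GR) { $read = $true }
            if (($bits -band $GA) -eq $GA) { $read = $true; $enroll = $true }
            # "Enroll" is the Certificate-Enrollment extended right (or an ACE for all extended rights)
            if (($bits -band $XR) -ne 0 -and
                ($r.ObjectType -eq $EnrollGuid -or $r.ObjectType -eq [Guid]::Empty)) { $enroll = $true }
        }
        [pscustomobject]@{ Template = $Name; Principal = $p; Read = $read; Enroll = $enroll }
    }
}

function Test-CAPublishesTemplate {
    param([string]$CA, [string]$Name)
    # A CA issues only the templates listed on its pKIEnrollmentService object; a request
    # for a template missing here fails with 0x80094800 "not supported by this CA"
    $svc = [ADSI]"LDAP://CN=$CA,CN=Enrollment Services,$pkiBase"
    @($svc.certificateTemplates) -contains $Name
}

Test-TemplateAccess -Name $Template -Principals 'Authenticated Users', $CAComputer | Format-Table -AutoSize
"CA '$CAName' publishes template '$Template': $(Test-CAPublishesTemplate -CA $CAName -Name $Template)"
```

Run it from any domain-joined host as a domain user; a False in the Enroll column or a False for the publish check points at the object that needs fixing before retrying the web or certreq request.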
