Web enrollment services unable to request cert
Hello,

I have my main issuing CA working fine in our domain; however, after setting up a secondary server just for web enrollment services (install went fine), it seems no matter what permissions I set etc., I cannot request a cert. I get the following output:

Request Mode: newreq - New Request
Disposition: (never set)
Disposition message: (none)
Result: Access is denied. 0x80070005 (WIN32: 5)
COM Error Info: CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus: The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause: The Certification Authority Service has not been started.

I have done the following to test:
1. Checked that the web enrollment server is set to trust for delegation; both servers are in a single-forest domain.
2. Checked all permissions on the templates and re-tested.
3. Ran a reset on the DCOM permissions and restarted cert services; however, both boxes are 2003 Server Ent SP2.
4. I can successfully request a cert from the main issuing CA's web enrollment services.
5. IIS is set to use HTTPS but using Integrated Windows Authentication.

Neither of these boxes is a domain controller.

Thanks in advance for the help!
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIGQgYJKoZIhvcNAQcCoIIGMzCCBi8CAQMxCzAJBgUrDgMCGgUAMIIEnAYIKwYB
BQUHDAKgggSOBIIEijCCBIYwdzB1AgECBgorBgEEAYI3CgoBMWQwYgIBADADAgEB
MVgwVgYJKwYBBAGCNxUUMUkwRwIBBQwYREVTSzA1Nzg3LmVsb3lhbHR5Y28uY29t
DBRFTE9ZQUxUWUNPXGVsb3kwNTc4NwwSQ2VydEVucm9sbEN0cmwuZXhlMIIEBaCC
BAECAQEwggP6MIIC4gIBADAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA6sAOBF2zuDfdYr1Ww3f0227evBOxdKDnhdSUJlDM131ls6Ifj0c0rbW6htI8
04NYvPc3Lsm4KwO/8iaLE9A5ZKaIiynmCMY5tzmrHSU+osSbOxP8EMdPUmWgf7Xl
JPw28ur8MXxsNf24MmWBkzJY+pac39T1atH2lGXUl4B4IsTSPnNSTra5c3XJ6lsX
NZqipdJr9LWGJJFbb0pDDqQQQrIZtaX3AROmWgkj9s1uDG3Qf2R8ho6rOYdrXaou
S1famByGq3sMcJQjKLGdtK4PbOekFg+2OB+OxJ7TJFFNApcV0FaoqHrtjn/Dag2z
Q0CLn7gNhQ5L3Bc3EiqlNgAe9QIDAQABoIIBszAaBgorBgEEAYI3DQIDMQwWCjYu
MS43MTAwLjIwVgYJKwYBBAGCNxUUMUkwRwIBBQwYREVTSzA1Nzg3LmVsb3lhbHR5
Y28uY29tDBRFTE9ZQUxUWUNPXGVsb3kwNTc4NwwSQ2VydEVucm9sbEN0cmwuZXhl
MHQGCisGAQQBgjcNAgIxZjBkAgEBHlwATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4A
aABhAG4AYwBlAGQAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8A
dgBpAGQAZQByACAAdgAxAC4AMAMBADCBxgYJKoZIhvcNAQkOMYG4MIG1MA4GA1Ud
DwEB/wQEAwIEMDA+BgkrBgEEAYI3FQcEMTAvBicrBgEEAYI3FQiFmtMNhpzDC4at
kReH1uAqhO7/OIF2g8a4WIbC/woCAWQCAQowRAYJKoZIhvcNAQkPBDcwNTAOBggq
hkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMH
MB0GA1UdDgQWBBQFCQMAkr2MdAyg9D2bhnGGPf33gzANBgkqhkiG9w0BAQUFAAOC
AQEAS8heQrwncUVI3uF03+DpVxB07I4jeDCcVVN+4v+KI00WeAvrpROtoH/2UHnc
qmMsIYKGN/yFY/ce30IoPyscQNHJmnYCzhvizn2WqoJtfCtfS9vTDcw1QVhOfjRB
cRseCDiYmh1xSxhBxmOyF+JjfBXyxpEPcNggC1yEdlr7kG0EARepnVmntBWO9bAr
trTKe/ksouH0L75K58PcjJqO3S9F8O7alPtaaw3V83XfPsuuzQMfEl+p7Zcgv4+x
JqASV6HN/vKzl/H5r6ndnecXaYCFlogAhmDX4q/RX8+mwJ8aM8iXJSY9V/wpLwY5
DWX3mxB5SnTG+xK9OIrm1wsuwDAAMAAxggF7MIIBdwIBA4AUBQkDAJK9jHQMoPQ9
m4Zxhj3994MwCQYFKw4DAhoFAKA+MBcGCSqGSIb3DQEJAzEKBggrBgEFBQcMAjAj
BgkqhkiG9w0BCQQxFgQUpxSQq8GVzqRU3vKc5WsUy9TwYm8wDQYJKoZIhvcNAQEB
BQAEggEAGGmDj17+UzYsC1APZV1w2vGYUhGHRrBhGOzJF922ujFx1JoTFgm3ofTg
5xnn2fpWaBDgQvbrDqOND6rcJetyRaGhoSvcYmNTEwNSFByAf+3nvLYZQ/lJ/JCU
ldJd501cWvopYmMfo1jlvdKYaGWbjxglSKEOmUSNlZmNMWoCFHZ3xNXBrQAv01Gr
CSRNrPZ4dIuM0mKYDCFyUBviJEiAG5Q2Hm/0iwDgZTL+tj4JcZoWQWuYQ4b6acDo
wMNm1hpj6zp9Y9AXyK8+PDnmlTPUiXQX6FTmf7FuHU/iqh2/9/Zj9QdbJoA7ERv4
vMwseKpwf5TbqxmbM1/Ywq76YYkA6g==
-----END NEW CERTIFICATE REQUEST-----
October 5th, 2009 4:39pm
Kind of an update: I can get this to work if I use the server's name in the URL. For example, https://servername/certsrv works; however, if I use the DNS name (people will be accessing this box from the outside, but I have created a host record on our internal domain for it as well), https://blah.blah.com/certsrv fails with the error in the above post. I'm getting closer; for some reason it does not like the DNS naming context.
October 5th, 2009 6:19pm
OK, another update. I failed to mention that the web enrollment URL that external users use is passed through by ISA. ISA does not show any errors though, as it's just passing requests through over 443; I'm wondering if it's some kind of DCOM communication error between the web enrollment server and the CA issuing box. The only errors I see are some in the security log that are 560s (winhttpautoproxysvc; the PID points to services.exe).
October 5th, 2009 7:43pm
I suppose this could be a Kerberos problem. Have you set up SPNs correctly?

Regards,
Martin Rublik
October 6th, 2009 5:56pm
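The SPN and delegation check that Martin's reply points at, as an added example that is not part of the thread. It looks up, in Active Directory, which account holds the HTTP service principal name for the host name users actually type in the URL, and whether the web-enrollment server's computer account is trusted for delegation. The names blah.blah.com and servername are the placeholders from the thread; it assumes the certsrv application pool runs as Network Service (so the SPN must sit on the computer account, not a service account), a domain-joined machine to run it from, and PowerShell with the .NET System.DirectoryServices classes available.

```powershell
# Added example (not from the thread). Checks the two Kerberos prerequisites for
# delegated enrollment through an alias: HTTP/<alias> registered on the web
# server's account, and that account trusted for delegation to the CA.
# Assumptions: app pool runs as Network Service; names below are placeholders.
param(
    [string]$UrlHost   = 'blah.blah.com',   # name in https://<UrlHost>/certsrv
    [string]$WebServer = 'servername'       # NetBIOS name of the web-enrollment box
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 1000
$ok = $true

# 1. Who holds HTTP/<UrlHost>?
#    0 holders: clients cannot get a ticket for the alias and fall back to NTLM,
#      and an NTLM logon cannot be delegated to the CA's DCOM interface, which
#      matches "works by server name, Access is denied by DNS alias".
#    2+ holders: duplicate SPN, Kerberos fails for everyone using that name.
$searcher.Filter = "(servicePrincipalName=HTTP/$UrlHost)"
$holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
switch ($holders.Count) {
    0       { Write-Host "MISSING: no account holds HTTP/$UrlHost"; $ok = $false }
    1       { Write-Host "OK: HTTP/$UrlHost is held by $($holders[0])" }
    default { Write-Host "DUPLICATE: HTTP/$UrlHost held by $($holders -join ', ')"; $ok = $false }
}
# Computer accounts are named NAME$ in sAMAccountName; -ne is case-insensitive.
if ($holders.Count -eq 1 -and $holders[0] -ne "$WebServer`$") {
    Write-Host "WRONG ACCOUNT: SPN belongs to $($holders[0]), expected $WebServer`$"
    $ok = $false
}

# 2. Is the web-enrollment computer account trusted for delegation?
#    TRUSTED_FOR_DELEGATION is bit 0x80000 of userAccountControl (unconstrained).
#    Constrained delegation instead lists the CA's SPNs in msDS-AllowedToDelegateTo.
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$WebServer`$))"
$computer = $searcher.FindOne()
if ($computer -eq $null) { throw "computer account $WebServer not found in AD" }
$uac           = [int]$computer.Properties['useraccountcontrol'][0]
$unconstrained = ($uac -band 0x80000) -ne 0
$constrainedTo = @($computer.Properties['msds-allowedtodelegateto'])
if ($unconstrained) {
    Write-Host "OK: $WebServer is trusted for delegation (unconstrained)"
} elseif ($constrainedTo.Count -gt 0) {
    Write-Host "OK: $WebServer may delegate to: $($constrainedTo -join ', ')"
} else {
    Write-Host "MISSING: $WebServer is not trusted for delegation"; $ok = $false
}

# 3. Dump every SPN on the computer account so the alias can be compared by eye.
Write-Host "SPNs currently on $WebServer`$:"
$computer.Properties['serviceprincipalname'] | ForEach-Object { Write-Host "  $_" }

if (-not $ok) { exit 1 }
```

If the script reports the SPN as missing, `setspn -A HTTP/blah.blah.com servername` registers it on the computer account (setspn ships with the Windows Server 2003 Support Tools). Two caveats worth keeping in mind: the SPN fix only helps clients that can reach a KDC, so users coming in from the Internet through ISA will never obtain a Kerberos ticket for the alias and can only use Basic authentication; and Basic authentication works without any delegation because the web server receives the user's password and logs on to the CA directly, which is exactly why it must never be exposed on anything but HTTPS.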
I was able to get this working by modifying the IIS metabase.xml file and changing the authentication to 3 instead of 2 on the subsites. After that I then set the authentication to Basic instead of Integrated, and that fixed the issue. Thanks for the suggestions though.
October 6th, 2009 6:59pm