Why are users getting Version 1 User certificate?
Hi,

I wonder if someone can explain why I am seeing behaviour I do not expect from our PKI. It is a 2-tier CA hierarchy, offline stand-alone root with a Server 2003 R2 SP2 Enterprise Issuing CA. We have a few custom templates along with the basic default setup. The only significant change made is the removal of the Enroll security permission on the Windows 2000/v1 User certificate template.

As for the Group Policy settings, autoenrollment is configured in the default domain policy to allow computers to autoenroll, renew, update, revoke etc. However, users are currently denied autoenrollment in the same GPO and nothing overrides this further down.

The issue I have is that each time a user logs in the CA denies them a User certificate on the grounds that they do not have permission. This is seen as a failed enrollment and the following event log entry:

Source: CertSvc
Event ID: 53
Certificate Services denied request 123 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=SDAM. Additional information: Denied by Policy Module

Now I guess I could just remove the template from the CA, but at some point we may (although it is highly unlikely) wish to use it for some users. What I really want to know, though, is why is it trying to enroll it in the first place? It's a version 1 template and therefore can't be autoenrolled, and autoenrollment is denied by Group Policy for users anyway, so what is causing Windows to attempt to enroll the certificate at log on?

I guess there is something I am still missing in my understanding of Microsoft PKI, so any advice would be greatly appreciated!

Thanks,
Karl
April 17th, 2009 11:00pm

The only other "autoenrollment" mechanism that I know of is ACRS [http://technet.microsoft.com/en-us/library/cc785279.aspx]. ACRS supports only v1 templates, but it only supports machine templates.

One thing you may want to do is look at the attributes of the request in the CA database [i.e. start the CA snap-in, right-click on a row and choose "Attributes"]. One of the attributes will be the process that submitted the cert request. This will give you an indication of who is trying to submit the cert request.

Andrew
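The same triage from the command line, as an added example that is not part of the thread: it pulls the recent Event ID 53 denials from the Application log, lists every denied row in the CA database with its requester and template, and then dumps the request attributes for the one request quoted in the question. It assumes it is run as a CA administrator on the issuing CA host, that the CA event source is CertSvc as the question shows, and that request ID 123 is the one from the quoted event; the ProcessName attribute is only present when the requesting client supplied it.

```powershell
# Added example (not from the thread): triage a denied request on the issuing CA.
# Assumes it runs as a CA administrator on the CA host. Request ID 123 is taken
# from the Event ID 53 text quoted in the question.

$requestId = 123

# 1. Recent Event ID 53 denials from the CertSvc source in the Application log.
#    Get-EventLog is used because it works on Server 2003-era PowerShell.
Get-EventLog -LogName Application -Source CertSvc |
    Where-Object { $_.EventID -eq 53 } |
    Select-Object -First 20 TimeGenerated, Message |
    Format-List

# 2. All denied rows in the CA database (Request.Disposition 31 = denied),
#    showing who submitted each one, which template it asked for and when.
certutil -view -restrict "Request.Disposition=31" `
    -out "RequestID,Request.RequesterName,CertificateTemplate,Request.SubmittedWhen,Request.StatusCode"

# 3. The request attributes for the single denied request. This is the data the
#    CA snap-in shows under the request's attributes; the ProcessName attribute
#    (when the client supplied it) names the process that submitted the request,
#    which is what identifies the third-party agent behind a denial like this.
certutil -view attrib -restrict "RequestID=$requestId"
```

Step 2 is the useful one to repeat periodically: a steady stream of denials for the same template from many requesters points at something on the clients requesting it on every logon, which is exactly the pattern in this thread, and is cheaper to spot in the CA database than in the event log.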
April 19th, 2009 9:52am

Hi Karl,

Thank you for your post. According to the event, I notice that the failed request is pointing to the CN=SDAM certificate template. Please confirm if there is a certificate template named "CN=SDAM" under "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,dc=DomainComponent,dc=DomainComponent".

Analysis
-----------
Upon researching this template name, I find that this issue may occur if the software named "Sanctuary Device Control" is installed on the client workstations. The software uses our PKI structure to do enrollment for a SDAM certificate in order to control access to storage devices such as USB and external hard drives. However, it will request a certificate from the CA server without checking its rights on that given certificate template. As a result, you receive the Event 53 error from CertSvc.

Suggestion
---------------
Please check whether the software named "Sanctuary Device Control" is installed on clients. If so, I suggest that you contact the vendor for configuration to either use or disable this feature.
April 20th, 2009 11:53am

Hi Joson,

Thanks for the response. We do indeed use Sanctuary Device Control, so that must be what is causing it; I will look into this further. I'd be interested to know where you found that information from - when I Googled SDAM I got nothing!

Thanks for your help,
Karl
April 22nd, 2009 10:47am

Hi Karl,

I am glad that the information is helpful. We have an internal knowledge base system which records the problem and resolution of incoming Customer Service cases. A customer encountered a similar problem before and the root cause was isolated to Sanctuary Disk Control. As these case logs may contain private customer information, they are not publicly available. Just for your reference, I have included the information about the 3rd party software Sanctuary Disk Control from Secure Wave below: http://www.bii-compliance.com/pdf/securewave/Sanctuary_DC_AC_BS7799_Compliance.pdf

You may contact the vendor for more information. Thanks.
April 23rd, 2009 5:48am
