I cannot figure out why I can't enroll a certificate from the mmc on my backup server. I need a web server cert to use with my backup app. When I run the mmc I get the error: Certificate enrollment for Local system failed to enroll for a WebServercertificate with request ID 1249 from enterpriseca.domain.com\ENTERPRISE-CA (The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)). Digging further, on the event viewer of the CA- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" /> <EventID Qualifiers="33370">53</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2012-06-24T17:51:11.000000000Z" /> <EventRecordID>9300</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>enterpriseca.domain.com</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData Name="MSG_DN_CERT_DENIED_WITH_INFO"> <Data Name="RequestId">1249</Data> <Data Name="Reason">The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)</Data> <Data Name="SubjectName">CN=veeam.domain.com, C=US, L=Fort Lauderdale, O=Company Inc, S=Florida</Data> <Data Name="AdditionalInformation">Denied by Policy Module</Data> </EventData> </Event> The computer in question is running 2008 r2, and is a member of the global security group "Servers", which has been given read and enroll rights to the webserver template.

Hi, Please refer the following link to troubleshoot this issue: Event ID 53 AD CS Certificate Request (Enrollment) Processing http://technet.microsoft.com/en-us/library/dd299871(WS.10).aspx Hope this helps! Best Regards Elytis ChengElytis Cheng TechNet Community Support

Elytis, Thank you very much for the pointer to that article. Can you explain the following to me: If I add a server directly to the security settings of a template, I can issue the certificate. However if I add a security group which contains that server, the certificate enrollment fails. Why?