Web Enrollment Certificate Request Denied

Archived from groups: microsoft.public.win2000.security

I'm getting the following error when requesting a V1 EFS certificate
using web enrollment over our Windows 2000 IIS web enrollment server
(requesting the cert from a Windows 2003 Issuing CA):

"Certificate Request Denied


Your certificate request was denied.

Your Request Id is 5. The disposition message is "Denied by Policy
Module 0x80094800, The request was for a certificate template that is
not supported by the Certificate Services policy: EFS;;;;;;;;;;;;Basic
EFS. ".

Contact your administrator for further information."


When I request an EFS certificate using the MMC I have had no problem
at all and have done this from multiple workstations and servers. But
every time I try the request through the web enrollment, I get this
error. This happens even though my account has full control access
(including enroll) to the EFS Certificate Template.

We are not using constrained delegation, and both the Windows 2000 web
enrollment server and the Windows 2003 Issuing CA are trusted for
delegation. We are using Windows Integrated authentication on the web
server.
We are using the Windows Default policy module currently on the
Windows 2003 Issuing CA.

I have searched through the new "Configuring and Troubleshooting
Windows 2000 and Windows Server 2003 Certificate Services Web
Enrollment" and haven't found anything that relates to this error.

Any help would be much appreciated.

Thanks!

  1.

    I have a Doc file with all the instructions to configure a VPN
    based on smart cards. If you need it, send me an e-mail and
    I will reply with the file.
    I have a problem configuring the client to accept connections
    with a smart card. If you have any information, contact me.

    Thanks

    e-mail: robygst@tiscali.it
  2.

    Sorry, I haven't dealt with deploying smart cards yet.

    I'm just trying to figure out why certificate requests work using the
    Certificates MMC, but then I'm told that the EFS certificate template
    is not supported by the Certificate Services when requesting the
    certificate through web enrollment.

    My XP workstation is a member of the domain. I have the lowest
    possible browser security. And I'm using Windows Integrated Security
    both on the web enrollment server and it's checked on the browser. I'm
    not using my UPN when connecting to the web server. These are all
    things that are noted as possible causes in the latest whitepaper.

    Perhaps my problem is that I'm not following Microsoft Best Practices
    of having the web enrollment server on the same server as the Issuing
    CA. I've split the two and I think that is causing me issues. There
    don't seem to be many examples of this - the new book by Brian Komar,
    the 2003 PKI Best Practices White Paper, and the 2003 PKI MOC all give
    best practices set-up with IIS and web enrollment together on the
    Issuing CA.

    Page 134 of Komar's book, Microsoft Windows Server 2003 PKI and
    Certificate Security, actually says "If you are planning to utilize
    the Certificate Services Web Enrollment pages, you must install IIS on
    the Issuing CA."

    So perhaps my setup doesn't work at all. Although it would seem to be
    better from a security standpoint to split web enrollment and IIS from
    the Issuing CAs and their private keys.