2003 SP1 CA keeps denying cert requests

Archived from groups: microsoft.public.win2000.security

Hi All,
I've got a 2003 SP1 server with all of the latest updates (as of today)
running as a Stand-Alone Certificate Authority.
When I attempt to request certificates for IIS servers, using the Web
Enrollment, I keep getting the following messages.

Your certificate request was denied.
You Request id is xx. The disposition is "Denied by Policy Module"

On the CA machine, in the mmc, I see the rejected certificate requests. They
all say the same thing.

"The permissions on this certification authority do not allow the current
user to enroll for certificates. 0x80094011 (-2146877423)"

The requester name is LAB\IUSR_SPS which is the Anonymous Access user on the
Certificate authority machine.

I've googled the error and checked out several KBs, but nothing I've tried
has solved the problem.
I'm assuming I'm missing the spot where I can give the IUSR account
permissions, but I'll be darned if I can find that spot.

Does anyone have a clue how I can fix this problem?

One last piece of info, the CA is running on the AD controller, in case that
matters.

TIA,

Paul Landry
IT Manager - Centric Software, Inc.
  1. Are you sure that it is a stand alone CA and not an enterprise CA?? For a
    stand alone CA you would have to find the pending request and then authorize
    it to be issued in the CA Management Console. Make sure that you are logging
    onto the IIS server as a local administrator. The command certutil -cainfo
    will let you know the CA type. --- Steve
  2. Hi Steve,

    I ran the certutil -cainfo and the results are...

    CA type: 3 -- Stand-alone Root CA
    ENUM_STANDALONE_ROOTCA -- 3

    I have configured the CA to automatically authorize requests.

    It just doesn't seem to like the IUSR_ account being used to process the
    requests.

    Any ideas?

    Thanks,

    Paul
  3. Hi Paul.

    I have not had any experience with a stand alone CA configured to
    automatically approve requests for a web server. What may be worth a try is
    to see if it works where you have to manually approve the certificate and
    then logging back onto the server as a local administrator to check for
    pending request. The link below may help with specific details on how to
    request and install a web server certificate in case you are missing
    anything. You may also want to post in the Microsoft.public.security.crypto
    newsgroup. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q290625
  4. Thanks Steve,
    I'll give both a try.
    Best Regards,
    Paul