2003 SP1 CA keeps denying cert requests

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hi All,
I've got a 2003 SP1 server with all of the latest updates (as of today)
running as a Stand-Alone Certificate Authority.
When I attempt to request certificates for IIS servers, using the Web
Enrollment, I keep getting the following messages.

Your certificate request was denied.
You Request id is xx. The disposition is "Denied by Policy Module"

On the CA machine, in the mmc, I see the rejected certificate requests. They
all say the same thing.

"The permissions on this certification authority do not allow the current
user to enroll for certificates. 0x80094011 (-2146877423)"

The requester name is LAB\IUSR_SPS which is the Anonymous Access user on the
Certificate authority machine.

I've googled the error and checked out several KBs, but nothing I've tried
has solved the problem.
I'm assuming I'm missing the spot where I can give the IUSR account
permissions, but I'll be darned if I can find that spot.

Does anyone have a clue how I can fix this problem?

One last piece of info, the CA is running on the AD controller, in case that
matters.

TIA,

Paul Landry
IT Manager - Centric Software, Inc.
 
Guest

Are you sure that it is a stand-alone CA and not an enterprise CA? For a
stand-alone CA you would have to find the pending request and then authorize
it to be issued in the CA Management Console. Make sure that you are logging
onto the IIS server as a local administrator. The command certutil -cainfo
will let you know the CA type. --- Steve




"Paul Landry" <plandry@frametech.com> wrote in message
news:%23E$Ww2vnFHA.3288@TK2MSFTNGP09.phx.gbl...
> Hi All,
> I've got a 2003 SP1 server with all of the latest updates (as of today)
> running as a Stand-Alone Certificate Authority.
> When I attempt to request certificates for IIS servers, using the Web
> Enrollment, I keep getting the following messages.
>
> Your certificate request was denied.
> You Request id is xx. The disposition is "Denied by Policy Module"
>
> On the CA machine, in the mmc, I see the rejected certificate requests.
> They all say the same thing.
>
> "The permissions on this certification authority do not allow the current
> user to enroll for certificates. 0x80094011 (-2146877423)"
>
> The requester name is LAB\IUSR_SPS which is the Anonymous Access user on
> the Certificate authority machine.
>
> I've googled the error and checked out several KBs, but nothing I've
> tried has solved the problem.
> I'm assuming I'm missing the spot where I can give the IUSR account
> permissions, but I'll be darned if I can find that spot.
>
> Does anyone have a clue how I can fix this problem?
>
> One last piece of info, the CA is running on the AD controller, in case
> that matters.
>
> TIA,
>
> Paul Landry
> IT Manager - Centric Software, Inc.
>
 
Guest

Hi Steve,

I ran the certutil -cainfo and the results are...

CA type: 3 -- Stand-alone Root CA
ENUM_STANDALONE_ROOTCA -- 3

I have configured the CA to automatically authorize requests.

It just doesn't seem to like the IUSR_ account being used to process the
requests.

Any ideas?

Thanks,

Paul

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:2pGdncfkactCXmPfRVn-qQ@comcast.com...
> Are you sure that it is a stand-alone CA and not an enterprise CA? For a
> stand-alone CA you would have to find the pending request and then
> authorize it to be issued in the CA Management Console. Make sure that you
> are logging onto the IIS server as a local administrator. The command
> certutil -cainfo will let you know the CA type. --- Steve
 
Guest

Hi Paul.

I have not had any experience with a stand-alone CA configured to
automatically approve requests for a web server. What may be worth a try is
to see if it works where you have to manually approve the certificate and
then logging back onto the server as a local administrator to check for
the pending request. The link below may help with specific details on how to
request and install a web server certificate in case you are missing
anything. You may also want to post in the Microsoft.public.security.crypto
newsgroup. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q290625

"Paul Landry" <plandry@frametech.com> wrote in message
news:uoro1HpoFHA.3256@TK2MSFTNGP12.phx.gbl...
> Hi Steve,
>
> I ran the certutil -cainfo and the results are...
>
> CA type: 3 -- Stand-alone Root CA
> ENUM_STANDALONE_ROOTCA -- 3
>
> I have configured the CA to automatically authorize requests.
>
> It just doesn't seem to like the IUSR_ account being used to process the
> requests.
>
> Any ideas?
>
> Thanks,
>
> Paul
 
Guest

Thanks Steve,
I'll give both a try.
Best Regards,
Paul

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:9qydnf5uzuAXpp_eRVn-jg@comcast.com...
> Hi Paul.
>
> I have not had any experience with a stand-alone CA configured to
> automatically approve requests for a web server. What may be worth a try
> is to see if it works where you have to manually approve the certificate
> and then logging back onto the server as a local administrator to check
> for the pending request. The link below may help with specific details on how
> to request and install a web server certificate in case you are missing
> anything. You may also want to post in the
> Microsoft.public.security.crypto newsgroup. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q290625