I migrated a Windows 2008 R2 root enterprise CA to Windows 2012 R2. All looks like it’s working well except that I can’t get Web Enrollment to work. Upon selecting to submit a certificate request, I get the message:
No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.
Certificate enrollment does work through the Certificates MMC, in fact I was able to create a certificate to secure the CA’s Default Web Site.
I have done everything I can find on the Internet to fix this, including:
- Followed https://support.microsoft.com/en-us/kb/811418 - no dice, the values are identical
- Switched permissions of CertSrv and CertEnroll between Anonymous and Windows as per https://patrickhoban.wordpress.com/2012/02/14/1256/
- Changed permissions on Public Key Services as per http://terenceluk.blogspot.com/2012/02/new-windows-server-2008-r2-enterprise.html
- Changed the app pool for CertSrv to a new one that uses NetworkService
- Changed the authentication to “specific user” (this failed badly because of permissions to ASP that I can’t see how to change) per http://www.wikiguga.com/topic/43ad7d5420006546052f4d4154171df3
- Checked permissions on templates—they look good
- Checked permissions all over the place—I can’t remember all the places
- Removed Web Enrollment and IIS (which also removes Online Responder) and reinstalled
- Verified that the templates are V1
- Granted the CA machine account read and enroll rights on the Web Server template
- Rebooted the server, IISRESET, stopped and started app pools
- Started IE as administrator, and tried using https:\servername\certsrv
- Walked through this document, but no silver bullet: http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
Any of you seen anything like this and maybe have an idea how to remedy it?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."