All,

After staring at the configs in
http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx
for days, and doing lots of reading and searching, I found the
problem.

Simple, really, but sometimes the purloined letter will ruin your day.

In the example CAPolicy.inf file for the issuing CA, the following
line was the problem:

     LoadDefaultTemplates=0

It didn't strike me for the longest time, but there you go. Removed
that line, and it started issuing certs - I see that all of my DCs and
the issuing CA itself have gotten certs, and so have about 18 people,
out of 250+ staff.

So, it's functioning now, and I have a good deal more reading to do to
figure out which templates I want to create, etc.

The more interesting things to understand are:


1) Why am I seeing the following warnings in the event logs, even
though the cert is being issued:

     Log Name:      Application
     Source:        Microsoft-Windows-CertificationAuthority
     Date:          2011-12-07 22:13:16
     Event ID:      80
     Task Category: None
     Level:         Warning
     Keywords:      Classic
     User:          SYSTEM
     Computer:      cert.example.com
     Description:
     Active Directory Certificate Services could not publish a
     Certificate for request 19 to the following location on server
     usdc4.example.com: CN=John
     Doe,OU=Development,OU=Engineering,OU=Users,OU=ExampleUS,DC=example,DC=com.
     Insufficient access rights to perform the operation. 0x80072098
     (WIN32: 8344).
     ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003
     (INSUFF_ACCESS_RIGHTS), data 0

At least, it looks to me as if the certs are being issued, because
certs with user names matching the request numbers are appearing in
the 'Issued Certificates' folder in the management console - they are
of the type 'Basic EFS (EFS)'.


2) What process is invoking these certs? I have no idea how (just a
few) users from such disparate departments and types of machines
(desktops and laptops) are getting the certs, especially since I
haven't announced anything, and don't have anything in place that
requires their use yet.
