You might be interested in this BLOG for PKI templates http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx .
Good luck with the working toy. Jon . On Thu, Dec 8, 2011 at 2:29 PM, Kurt Buff <[email protected]> wrote: > All, > > After staring at the configs in > > http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx > for days, and doing lots of reading and searching, I found the > problem. > > Simple, really, but sometimes the purloined letter will ruin your day. > > In the example CAPolicy.inf file for the issuing CA, the following > line was the problem: > > LoadDefaultTemplates=0 > > It didn't strike me for the longest time, but there you go. Removed > that line, and it started issuing certs - I see that all of my DCs and > the issuing CA itself have gotten certs, and so have about 18 people, > out of 250+ staff. > > So, it's functioning now, and I have a good deal more reading to do to > figure out which templates I want to create, etc. > > The more interesting things to understand are: > > > 1) Why am I seeing the following warnings in the event logs, even > though the cert is being issued: > > Log Name: Application > Source: Microsoft-Windows-CertificationAuthority > Date: 2011-12-07 22:13:16 > Event ID: 80 > Task Category: None > Level: Warning > Keywords: Classic > User: SYSTEM > Computer: cert.example.com > Description: > Active Directory Certificate Services could not publish a > Certificate for request 19 to the following location on server > usdc4.example.com: CN=John > Doe,OU=Development,OU=Engineering,OU=Users,OU=ExampleUS,DC=example,DC=com. > Insufficient access rights to perform the operation. 0x80072098 > (WIN32: 8344). > ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 > (INSUFF_ACCESS_RIGHTS), data 0 > > At least, it looks to me as if the certs are being issued, because > certs with user names matching the request numbers are appearing in > the 'Issued Certificates' folder in the management console - they are > of the type 'Basic EFS (EFS)'. > > > 2) What process is invoking these certs? I have no idea how (just a > few) users from such disparate departments and types of machines > (desktops and laptops) are getting the certs, especially since I > haven't announced anything, and don't have anything in place that > requires their use yet. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
