"No certificate templates could be found. You do not have permissions to request a certificate from this CA..
or an error occurred while accessing Active Directory."
When I set up the subordinate CA where I am seeing this error message (when attempting to make a request via the web interface for a Linux client - Group Policy not possible here) I opted to not "Load Default Templates".
Just FYI, PKI View shows "OK" for everything.
Permissions on the template are Read and Enroll for Authenticated Users.
Issuance Requirements are "CA certificate manager approval" (checked) - nothing else checked. "Same criteria for enrollment".
Have I googled?
That's just the problem. I've seen plenty of hits where people say "I've solved it this way and I've solved it that way".
What is the (MS) recommended method to solve this problem?
I'm concerned some solutions might be the equivalent of disabling CRL checks to resolve CRL problems - something where the solution is worse than the problem.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
OK. This is the problem. When I duplicated the web server template, I had the choice of Windows Server 2003 or 2008 (Enterprise).
I selected 2008 (OK, in the screenshot 2003 is selected - by default).
Windows 2008 based templates (v3) do not work with web enrollment.
https://technet.microsoft.com/en-us/library/cc732517(WS.10).aspx
Absolutely none of the other solutions will help if you make this choice:
- No adjustments of IE settings will help (if you thought it was "something" with your browser).
- It does not matter if the Windows Authentication provider is set to NTLM or Negotiate first.
- Application Pool identity can be ApplicationPoolIdentity or Network service.
- You can enable or disable Anonymous Authentication.
If you decide to select a v3 template, forget about using web enrollment.
You will spend hours t-shooting.
It will not work.
IMPORTANT EDIT
Having tried this on a second CA, it seems that you might have to change the NTLM and App Pool settings.
I simply duplicated a template (2003) and thought I was all set.
Not at all.
I had to play with the Provider priority (put NTLM above negotiate) and use "Network Service" for the Default App Pool identity.
Then it finally worked.
Yes, an iisreset /noforce after each change.
I'm not sure why this is so complicated.
Maybe someone from Microsoft could explain what is going on here.
This is documented nowhere. You have to proceed by trial and error until you get the right combination.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
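The template-version cause described in the answer above can be ruled out before any IIS authentication or application pool setting is changed. The following PowerShell is an added example, not code from the original posts; the function name Get-WebEnrollmentTemplateReport, the sample template names and the <CA-NAME> placeholder are assumptions.

```powershell
# Added example: report which certificate templates the /certsrv web
# enrollment pages can list, based on template schema version and on
# whether the template is published on the CA.
# Schema versions: 1 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.

function Get-WebEnrollmentTemplateReport {
    [CmdletBinding()]
    param(
        # Objects with a Name and an 'msPKI-Template-Schema-Version' property
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Template,

        # Template names published on the CA (the certificateTemplates
        # attribute of the CA's pKIEnrollmentService object in AD)
        [Parameter(Mandatory)]
        [string[]]$PublishedOnCA
    )
    process {
        foreach ($t in $Template) {
            $raw = $t.'msPKI-Template-Schema-Version'
            # Assumption of this example: a missing attribute is treated as version 1
            $version   = if ($null -eq $raw) { 1 } else { [int]$raw }
            $published = $PublishedOnCA -contains $t.Name

            $note = if (-not $published) {
                'not published on this CA'
            } elseif ($version -ge 3) {
                "schema v$version is not offered by web enrollment"
            } else {
                'eligible; check Enroll permission, then IIS authentication'
            }

            [pscustomobject]@{
                Template        = $t.Name
                SchemaVersion   = $version
                PublishedOnCA   = $published
                WebEnrollListed = ($published -and $version -le 2)
                Note            = $note
            }
        }
    }
}

# Constructed sample input (hypothetical template names) so the function
# can be tried without a domain connection.
$sample = @(
    [pscustomobject]@{ Name = 'LinuxWebServer2003'; 'msPKI-Template-Schema-Version' = 2 }
    [pscustomobject]@{ Name = 'LinuxWebServer2008'; 'msPKI-Template-Schema-Version' = 3 }
    [pscustomobject]@{ Name = 'NotIssuedHere';      'msPKI-Template-Schema-Version' = 2 }
)
$sample |
    Get-WebEnrollmentTemplateReport -PublishedOnCA 'LinuxWebServer2003', 'LinuxWebServer2008' |
    Format-Table -AutoSize

# Live use against Active Directory (requires the ActiveDirectory module;
# <CA-NAME> is a placeholder for the CA's common name):
# $cfg = (Get-ADRootDSE).configurationNamingContext
# $pks = "CN=Public Key Services,CN=Services,$cfg"
# $ca  = Get-ADObject "CN=<CA-NAME>,CN=Enrollment Services,$pks" -Properties certificateTemplates
# Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
#              -Filter 'objectClass -eq "pKICertificateTemplate"' `
#              -Properties 'msPKI-Template-Schema-Version' |
#     Get-WebEnrollmentTemplateReport -PublishedOnCA $ca.certificateTemplates
```

If every published template comes back with WebEnrollListed set to False, the "No certificate templates could be found" message is expected regardless of browser, authentication provider or application pool identity.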
Similar Messages
-
Hi Folks,
I have installed an online issuing CA running on Win2k8 R2 Enterprise, and installed the web enrollment role service on it.
I have duplicated two computer certificate templates (computer & web server) on our DC's, modified them as Win2k3 templates, made some changes and saved them, then published them on the CA by selecting New -> Certificate Template to issue. The templates have read and enroll permissions set for domain admins and domain computers (my account is a domain admin). I can successfully enroll for them using the certificates MMC.
When connecting to https://myca.mydomain.com/certsrv however, the page loads. I click on 'Request a certificate', then 'Create and submit a request to this CA'. I see a warning indicating that this website
is attempting to perform a digital certificate operation on my behalf, so I click yes. Immediately after doing so, I get the error:
"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."
I have spent about 2 hours searching on this error and found at least 50 people complaining of this, but no real solutions. Here is what I have tried with no success:
1) http://support.microsoft.com/kb/811418. Everyone references this solution, but it hasn't worked for anyone. The string values and cases are the same for me.
2) Enabled SSL on the certsrv website.
3) Set the authentication on the certsrv site to enable integrated authentication and disabled anonymous authentication.
4) Created a separate application pool running under the Network Service then set the Certsrv application to run under it.
I should note that this exact same condition occurred in my lab install, but rather than waste time trying to fix it in the lab, I just went ahead with the production install, only to experience the same problem, so apparently web enrollment is just
broken out of the box on 2k8 R2 Enterprise.
Does anyone have any idea how to get this working as advertised? Thanks for any help,
Ian
It appears to be an issue in Server 2012R2 as well.
In our case, a new two tier PKI setting is implemented on two Windows Servers 2012R2. After the installations and configurations are completed, I was unable to load certificate templates when requesting a certificate on the Web interface.
The issue was that the pass-through authentication did not work in IIS with the standard Application Pool Identity.
The solution was as follows:
1. Changed the NTFS permissions on the certsrv virtual directory in IIS (C:\Windows\System32\CertSrv\en-US), by adding a (domain) user account with read and list permissions.
2. In IIS CertSrv > Basic Settings > Connect as - select "Specific user:" and set the newly created user with the username and password.
3. Tested in Basic Settings with - "Test Settings" button and both Authentication and Authorization were successful.
4. Request certificate from Web interface and the templates are available.
Note: You must have a certificate in the Templates store which you have duplicated from the Templates available. -
You do not have permissions to open the dashboard
On a clean install of 2012 R2, I joined an existing domain and added the Essentials role. After that, I configured it which took about 5 minutes. At the end, it placed an icon on the desktop called "Dashboard". It will not allow
me to open this no matter what I try. I get this error:
Cannot open the Dashboard
You do not have permissions to open the dashboard. Please log on as a network administrator and try to open the dashboard again.
I am using a domain admin account. For laughs, I tried a couple accounts, but had no luck.
The log at "C:\ProgramData\Microsoft\Windows Server\Logs\dashboard.log" shows "Dashboard.Forms: Dashboard: Non domain admin cannot access dashboard."
Server Manager shows a green up arrow by Manageability for WSEE.
BPA shows only one error about Windows Server Backup and unsupported partition, which from what I gather is to be ignored as a false alarm.
Not sure what to do here. Nothing seems to work. Ideas? Suggestions?
Hi everyone!
I went in and tried all of your solutions, but none worked.
I have found the REAL solution to why this isn't working, and it should be corrected by Microsoft.
In the users profile, you can see the member of and primary group.
With my admin account, on Primary Group, I had "Domain Admins" as the group. It didn't work. I tried setting that to Enterprise Admins, and it worked and was able to get into dashboard. I set it back to Domain Admins, and it didn't work.
I set it as Domain Users, and it worked.
As long as you have the user in Domain Admins group, and primary group set to either "Domain Users" or "Enterprise Admins" -- it will always work. The account does NOT need to be in the Enterprise Admins group, just be sure to keep the
primary group on "Domain Users", and make sure it is in the "Domain Admins" group.
When the member above Lynn said they created a new account, it worked because ALL new user accounts are set to primary group of "Domain Users".
When the other user Brian Hoyt had to remove ALL administrator groups, it removed the primary role from "Domain Admins" to "Domain Users" which then worked. Then he added ALL admin groups (you do NOT need Enterprise Admins group) but
probably forgot to set the primary group, which is good and that is why it worked. When he copied the Admin account, the primary group always rolls over to the new account and is copied with it. When he removed all groups, he forgot to set back the primary
group.
When Robert Pearman tried, he probably had the primary group set to something other than "Domain Admins" as well.
You don't want a Domain Admin (primary group) configuring your server. You want a domain user in Admin group (such as an employee to reset passwords), OR the Enterprise Admin (primary group) to configure server applications, NOT a domain admin. So
I do see why Microsoft had this set the way it is.
So basically, you can NOT have the primary group to "Domain Admins". It needs to be either "Domain Users" OR "Enterprise Admins". The account MUST be in the "Domain Admins" group.
I do believe Microsoft should fix this issue, because it could be a bug, but also could be so that Domain Admins (primary group) can't screw applications that should be maintained and configured by Enterprise Admins (primary group).
I have made a video showing the problem was fixed, and this is the solution!
youtube.com\watch?v=bZoNc3RkBSw
Thanks guys! -
Hi,
We have an issue with our OWA page. We are currently publishing OWA via UAG.
We recently upgraded to Exchange 2010 SP3 and then SP3 Rollup7. Since the upgrade, we keep getting the following error after entering our credentials on the login page. I've tried with every possible browser.
You do not have permissions to view this folder or page
Strangely enough, the mobile phones are sending and receiving emails just fine, the phones use the same OWA link, so it's not an authentication issue, the phones login into the UAG servers with no issues. I can see this on the Active Sessions screen
on Web Monitor.
I've attempted to connect to the OWA by bypassing the UAG server, so putting in the local OWA address of one of my Exchange servers, it works... so the OWA page is up and running.
No error logs get generated on Web Monitor when we receive the permission error, I think this is because it's past authentication, it's on the Exchange layer.
Any insight would be helpful? I'm assuming something changed on the Exchange side after the upgrade.
Just in case, I've upgraded the UAG and TMG servers to the latest SP and Rollup packets.
UAG > SP4
TMG > SP2 Rollup 5
I've found a solution; UAG requires Basic Authentication over OWA. For some reason Integrated Windows Authentication got turned on after the SP3 upgrade.
http://technet.microsoft.com/en-us/library/ee921443.aspx
Turning Integrated Windows Authentication off via the Client Access OWA settings resolved the issue. Though beware, you have to do this on all your Client Access servers.
-
Hi,
I am trying to use "IBIMonitoringAuthoring" in my local web site.
But i am getting error like "Server was unable to process request. ---> You do not have permissions to create a data source in this document library. Additional details have been logged for your administrator."
My code is below,
string url = ServerName + webServiceUrl;
IBIMonitoringAuthoring biService = BIMonitoringAuthoringServiceProxy.CreateInstance(url);
//Create data source object
DataSource dataCube = new DataSource("AW_Data_Cube");
dataCube.Name.Text = "AW_Data_Cube";
dataCube.ServerName = "SQL2008dev";
dataCube.DatabaseName = "Analysis Services Project1";
dataCube.CubeName = "TestCube";
dataCube.ConnectionContext = ConnectionContext.ConnectAsSharedUser;
dataCube.FormattingDimensionName = "Measures";
dataCube.MinutesToCache = 10;
dataCube.CustomTimeIntelligenceSettings = "";
biService.CreateDataSource(connectionListUrl, dataCube);
How could I authenticate the Service? Is there any way to pass credentials for this method?
Thanks & Regards
Poomani Sankaran
I suffered a similar issue in InfoPath, and I finally solved the issue by changing the data connection URL; it should be the same as the InfoPath publish location.
For example: the SP server with IP 192.168.1.1 has two names, the hostname is mySP, the alternate access mapping name is companySP, and you can access the website by both http://mySP and http://companySP
Hope it can help someone.
-
New-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
I am trying to create a new user in Azure Active Directory,
New-MsolUser -UserPrincipalName [email protected] -DisplayName "username" -FirstName "fname" -LastName "lname"
I am getting this error,
New-MsolUser : Access Denied. You do not have permissions to call this cmdlet.
Can anyone suggest what could be the problem?
Hi Shankar,
The error "New-MsolUser : Access Denied. You do not have permissions to call this cmdlet" when trying to use the cmdlet indicates you might have to check if you have the appropriate admin role.
You could refer the following link for details on various types of Admin Roles in Windows Azure Active Directory.
https://support.office.com/en-US/Article/Assigning-admin-roles-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US
Also, you could refer the following link for assistance with using PowerShell to create bulk users for Office365.
http://blogs.technet.com/b/heyscriptingguy/archive/2014/08/04/use-powershell-to-create-bulk-users-for-office-365.aspx
Regards,Malar. -
Login failed, or you do not have permissions to login to this application.
Dear All,
I have installed Workflow server, Form manager and Workflow Designer on my Windows server 2003 machine and in the same order as written above. I am able to access Workflow server and form manager through webui but when I log in to Workflow designer, an error message is displayed: "Login failed, or you do not have permissions to login to this application."
Can anyone help? Thanks in advance.
Anupam
Thanks Howard,
As told by you i did exactly that you mentioned and i am getting the following error:-
java.lang.reflect.UndeclaredThrowableException
at $Proxy1.login(Unknown Source)
at com.adobe.workflow.client.QLCSessionImpl.login(QLCSessionImpl.java:116)
at com.adobe.workflow.saf.SAFLoginDialog$3.run(SAFLoginDialog.java:122)
Caused by: java.io.InvalidObjectException: inauthentic principal assertion
at com.adobe.idp.Context.getValidatedAuthResultFromAssertion(Context.java:291)
at com.adobe.idp.Context.readResolve(Context.java:246)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.io.ObjectStreamClass.invokeReadResolve(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at java.rmi.MarshalledObject.get(Unknown Source)
at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:136)
at org.jboss.invocation.MarshallingInvokerInterceptor.invoke(MarshallingInvokerInterceptor.java:67)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:53)
at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:100)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:85)
... 3 more
com.adobe.workflow.client.QLCException: Login failed, or you do not have permissions to login to this application
at com.adobe.workflow.client.QLCSessionImpl.login(QLCSessionImpl.java:126)
at com.adobe.workflow.saf.SAFLoginDialog$3.run(SAFLoginDialog.java:122)
I am using WorkFlow Designer 7.0, Workflow server 7.0 and Form Manager 7.0.1.
What could be the possible solution for the above mentioned error. Any help would be highly appreciated.
Thanks,
Anupam -
'You do not have permissions for this item' - MATERIAL SPECIFICATION
Dear members,
I am trying to access a Material Spec but I am persistently presented with the following message: "'You do not have permissions for this item'".
Funnily, I was previously able to access the specifications but now I am presented with this.
I have the same issue with LIO Profiles.
Does anybody have a known solution for this?
Kind regards,
This usually occurs when you do not have Read permission according to the workflow status of the specification. Different permissions can be set up for different statuses in WFA (WorkFlow) Administration.
Also, if you are using the Business Units as Security feature (rather than just BU visibility), you could get this message. In this case, you should not be able to see this spec in a search result though, so if you can see it in the material spec search page results, it isn't a BU issue, it is a workflow read permission issue.
There is one additional possibility, which is if your team has implemented the SpecVetoHandler extensibility point, which allows for added custom read permission checks. This is a technical extensibility point configured in the CustomPluginExtensions.xml config.
But most likely, it is a workflow permissions issue. You'll have to ask your workflow administrator user(s).
Regards
Ron -
Hi....i m using Mac OS x 10.5.8 with safari Version 5.0.2 (5533.18.5). I just updated the Java version to Java 6 and now m getting below error:
This page contains content of “application/x-java-applet” type. You do not have the plug-in required to view this content.
Please help me out on this....
I am also having a problem with this. My website is hosted through "www.onlinepictureproof.com" and now that my laptop is back from repair with OS X 10.6.8 I am unable to upload my photos to my work website. It says "a plug-in is needed to display this content. Install plug-in" and then a window pops up that says "no suitable plug-ins were found". Below that is "unknown plug-in (application/x-java-applet)" with a link to "manual install" which takes me to "http://www.oracle.com/technetwork/java/index-jsp-141438.html#download" which just leaves me lost. I've tried downloading the "JRE" but I have zero idea what that means or if I'm downloading the proper thing. Once I click on the "download JRE" it brings me to a download page where there are WAY too many items for me to choose from to download, when I have no idea what I need or why I need it. Please help, this is driving me insane. I actually preferred my constantly crashing laptop to the state it's in now, "like brand new" back from Apple repair... I have already updated everything that is prompted through "Software Updates".
"OnlinePictureProof.com" only directs me to apple support.
Thank you for any help you can offer!
Sheila -
After QT7.4, AE error-you do not have permissions to open this file (-54)
Immediately after installing the QT 7.4 update, I have been unable to render (anything) in After Effects.
I get an error: After Effects error: opening movie - you do not have permissions to open this file (-54)
(44::53)
I have repaired permissions, downloaded the Full QT 7.4 installer, reinstalled, repaired permissions again and still the same problem. Something has changed in QT that has made AE incompatible.
Apple, please fix or offer some assistance on how to fix.
The AE forums are also beginning to fill with everyone having this same issue after an update to QT 7.4
My work has come to a halt. How do I fix this?
I can't find any info on reverting back to QT 10.3.1
"Apple, please fix or offer some assistance on how to fix."
Apple does not read these postings. These are user to user forums whereas everyday folks post questions & offer help to each other.
"How do I fix this?"
Check out Klaus1 possible solution in the following thread:
http://discussions.apple.com/thread.jspa?threadID=1343184&tstart=0
"I can't find any info on reverting back to QT 10.3.1"
You really mean 7.3.1 right?
Do an archive and install of your OS from the OS disc. Stop at the QT upgrade you need.
http://docs.info.apple.com/article.html?artnum=301270 Scroll down to "Archive and Install” -
You do not have permissions to open this file on Excel Services.
Hi all,
I am receiving this error:
I have set up a trusted location to the document library where the Excel spreadsheet resides, and I still received the error. I changed the location to the entire site and I still receive the error. I am the SharePoint Admin, so I have full rights to all.
I am on SharePoint 2007.
I set the location as Http://sitename/document Library name
Location type = Windows SP Services
Checked trust Children
There are no external connections so I took the defaults for all other options.
Any help would be greatly appreciated.
TIA,
Joe
Hi,
I understand that when you try to open an excel file in browser, you received Access Denied error. You can check the excel service settings in Central Administration like this :
Open Central Administration -> go to Operations tab. Ensure that the Excel Service is running
Open Central Administration -> go to your configured Shared Service -> click Excel Service Settings. Set File Access Method: ensure that it is not using Impersonation, instead the Option Process Account should be enabled.
Open Central Administration -> go to your configured Shared Service -> click add new trusted file location.
field URL: here you can specify a report library or the whole portal
Location Type: should be Windows SharePoint Services
Children trusted: defines whether the children should also be trusted or only the defined path
For more information, please refer to this site:
MOSS Excel Services you do not have permissions to open this file:
http://developers.de/blogs/nadine_storandt/archive/2007/09/06/moss-excel-services-you-do-not-have-permissions-to-view-this-workbook.aspx
Thanks,
Entan Ming
TechNet Subscriber Support in forum
If you have any feedback on our support, please [email protected]
Entan Ming
TechNet Community Support -
First I have tried all sorts of searches and all I come up with is things related to Windows Server 2008.
1. I have Fax Service running on my 2012 R2 File and Print Server.
a. It can send faxes from the logged in domain user
b. It does not need to receive faxes because we have another machine for that
2. I have added the domain user I am using on the Windows 7 machine to the Accounts List in Fax Manager
3. I can not seem to find any logging saying that there is a security problem (Event Log, etc...)
Please point me in the correct direction as I need to have my staff use Print to Fax from our Practice Management Application.
Hi Shawn,
You do not have permissions to complete this operation. Contact your fax administrator for more assistance
From the error message, please check whether the Fax is shared on the server. Meanwhile, please also check whether the correct permissions are assigned in the Security tab under Fax properties.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu
1. Fax Sharing is enabled and can see the Shared Fax Printer on other machines.
2. At least 2 domain groups that the Windows 7 user is in are in the Security Section, set to be able to fax. One of them can manage fax.
-
"You do not have permissions to create an Assigned Conference."
Can someone tell me what permissions a user needs to create an assigned conference? My account has full permissions to do everything (I thought) in Lync yet when I and others try to set up a conference, we get the below error:
Assigned Conference Information
Give your Assigned Conference information to people you want to invite to your meeting.
You do not have permissions to create an Assigned Conference.
Rich
Hi,
Have you checked the value of EnableAssignedConferenceType using Get-CsMeetingConfiguration?
Here is similar case for your reference:
http://social.technet.microsoft.com/Forums/en-US/ocsconferencing/thread/366030f2-d461-41bd-860d-a4dee9511400
Kent Huang
TechNet Community Support -
I have dropdown on infopath form , and it receives data from sql server table , it works fine when i am running in preview mode , but when i am publishing form to sharepoint server and loading that form
i am getting this
You do not have permissions to access a database that contains data required for this form to function correctly.
Can you please help?
Thanks,
try this one, if not yet
Convert the data connection to UDC (store it in a Data Connection Library within the same site collection as the form library). See if this works without any other changes, but if not, then...
Manually edit your UDC file in Notepad (or your preferred editor) so that the authentication line is not commented out and so that it references the name of the SSO target app you created.
For Type, use NTLM.
Ensure the user has rights to access the database
Also ensure the connection file has been approved - A sharepoint admin can access a non approved Ucdx file. Go to the connection library and approve the file
Also check this post having the similar issue:
http://social.technet.microsoft.com/Forums/en-US/3196bafd-4bc3-40ab-ac2b-d149d1c3e0fa/sharepoint-2010-error-you-do-not-have-permissions-to-access-a-database?forum=sharepointdevelopmentprevious
Please remember to mark your question as answered & Vote helpful, if this solves/helps your problem.
Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
-
Setup:
Exchange Server 2010 Sp2
Servers running individual roles (2xMailbox, 2xCAS, 2xHub, 2xEdge) All windows server ent 2008 R2
I can see the calendar content if i open Room Mailbox using the 'Open Calendar' from the menu but the scheduling assistant while
creating a new meeting invite gives 'You do not have permissions to see the recipient's free busy' error code 5037
Permission on the conference room is below.
[PS] C:\Windows\system32>Get-MailboxFolderPermission -id Testconfroom1:\calendar
RunspaceId : bbb43bc9-a0c5-4c23-b5f5-b7235f795e26
FolderName : Calendar
User : Default
AccessRights : {ReadItems, EditOwnedItems, FolderVisible}
Identity : Default
IsValid : True
RunspaceId : bbb43bc9-a0c5-4c23-b5f5-b7235f795e26
FolderName : Calendar
User : Anonymous
AccessRights : {FolderVisible}
Identity : Anonymous
IsValid : True
Appreciate any help to fix the above.
Inderjit
Hi Inderjit,
Does this issue occur on only one user or all users?
If only one user has this issue, I suggest performing troubleshooting on Outlook client first.
1. Please run Outlook under safe mode to avoid some AVs and add-ins.
2. Please start Outlook with "outlook.exe /cleanfreebusy".
3. Please try to re-create profile to refresh the caches.
Then please perform troubleshooting on Exchange server side.
1. This issue may have occurred due to mailbox corruption at the folder level.
2. Generally we can check the mailbox property PR_FreeBUsy_NT_SECURITY_DESCRIPTOR and verify the permission.
3. I suggest re-granting the specific user permission for testing.
4. I suggest moving the specific user's mailbox to another database; issues will be solved by itself automatically.
If all users have this issue, I suggest resetting the permission on Calendar folder and give the necessary permissions (Free Busy Time/ Free Busy Details /Full Details) via Exfolders.
Refer to :
http://gallery.technet.microsoft.com/Exchange-2010-SP1-ExFolders-e6bfd405
Hope it is helpful
Thanks
Mavis
Mavis Huang
TechNet Community Support