No Templates Found in Web Enrollment

Hi All,
I have installed an Offline Standalone Root CA with an Enterprise SubCA. I succeeded in publishing the CDP and AIA files manually, but when I try to issue certificates through Web Enrollment I get the error "No Template Found". I added a new app pool and it still gives me the same error (http://msunleashed.wordpress.com/2011/11/21/no-certificate-templates-could-be-found-on-certsrv/). I did check the path in the DNS hostname for the Certification Authority and it is the same as in the certdat.inc file in the "%systemroot%\system32\certsrv" folder on the Certification Authority (http://support.microsoft.com/kb/811418). I do see an error in the CDP location when I open the PKI view, and I did change the User Authentication and rebooted IIS, but to no avail.
Another thing is that each time I request certificates I see Error 66 in the AD Server Manager.
Kindly assist.
Thanks
Aj

A couple of things.
1) Since the root is offline, you can't publish to AD. So copying it to the forest is the first step. To publish the info, you need to be logged in as an Enterprise Admin since the publishing is going to the configuration container.
2) In order for the CRL to be properly and easily published, you should define the DSConfigDN in the CA properties on the root. This is in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name> registry key. Once configured, restart ADCS on the root and create a new CRL. Copy that to your AD forest and run the following command. Note the "-f" that is needed to create the object the first time.
certutil -dspublish -f "<CRL FILE NAME.crl>"
3) If the Subordinate CA was properly installed and configured it will publish its own information to AD automatically.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

Similar Messages

  • "No certificate templates could be found..." error using web enrollment on Win2k8 R2 Enterprise SubCA

    Hi Folks,
    I have installed an online issuing CA running on Win2k8 R2 Enterprise, and installed the web enrollment role service on it.
    I have duplicated two computer certificate templates (computer & web server) on our DC's, modified them as Win2k3 templates, made some changes and saved them, then published them on the CA by selecting New -> Certificate Template to issue. The templates have read and enroll permissions set for domain admins and domain computers (my account is a domain admin). I can successfully enroll for them using the certificates MMC.
    When connecting to https://myca.mydomain.com/certsrv however, the page loads. I click on 'Request a certificate', then 'Create and submit a request to this CA'. I see a warning indicating that this website
    is attempting to perform a digital certificate operation on my behalf, so I click yes. Immediately after doing so, I get the error:
    "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."
    I have spent about 2 hours searching on this error and found at least 50 people complaining of this, but no real solutions. Here is what I have tried with no success:
    1) http://support.microsoft.com/kb/811418. Everyone references this solution, but it hasn't worked for anyone. The string values and cases are the same for me.
    2) Enabled SSL on the certsrv website.
    3) Set the authentication on the certsrv site to enable integrated authentication and disabled anonymous authentication.
    4) Created a separate application pool running under the Network Service then set the Certsrv application to run under it.
    I should note that this exact same condition occurred in my lab install, but rather than waste time trying to fix it in the lab, I just went ahead with the production install, only to experience the same problem, so apparently web enrollment is just
    broken out of the box on 2k8 R2 Enterprise.
    Does anyone have any idea how to get this working as advertised? Thanks for any help,
    Ian

    It appears to be an issue in Server 2012R2 as well.
    In our case, a new two-tier PKI setup was implemented on two Windows Server 2012 R2 machines. After the installations and configurations were completed, I was unable to load certificate templates when requesting a certificate on the Web interface.
    The issue was that the pass-through authentication did not work in IIS with the standard Application Pool Identity.
    The solution was as follows:
    1. Changed the NTFS permissions on the certsrv virtual directory in IIS (C:\Windows\System32\CertSrv\en-US), by adding a (domain) user account with read and list permissions.
    2. In IIS CertSrv > Basic Settings > Connect as - select "Specific user:" and set the newly created user with the username and password.
    3. Tested in Basic Settings with - "Test Settings" button and both Authentication and Authorization were successful.
    4. Request certificate from Web interface and the templates are available.
    Note: You must have a certificate in the Templates store which you have duplicated from the Templates available.

  • Certificate template based on Server Authentication not showing in Web Enrollment

    Hi,
    I have a test lab with a certificate authority and web enrollment on the same servers. I have made a certificate template with all permissions (read, enroll, etc etc) set to "authenticated users".
    However, when I go to certificate enrollment and choose advanced deployment, I do not see this cert template (which is set to be publish in AD).
    I've given the CA machine account full access to the cert template (read/enroll/auto-enroll, etc)
    I've started IE with "run as administrator" even though my logged on user is a domain admin and thus local admin on the server
    Selected Supply in the request in the certificate.
    Please advise

    After you created the template, did you add it to the CA? (right click Templates folder/New/Template to issue)
    You mentioned the template was "set to be publish in AD". Hopefully you don't mean the checkbox on the template itself that says "Publish to Active Directory". This means the public key will be published to AD when a certificate based on this template is issued. This will bloat your AD database over time. All templates you create are automatically stored in AD. Be careful when using this checkbox.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Found 1 web using missing web template 14001 (lcid: 1033) with compatibility level 14

    Hi,
    I am receiving the following error when I try to upgrade an SP 2010 content database to SP2013: "Found 1 web using missing web template 14001 (lcid: 1033) with compatibility level 14".
    How do I find out what that web template is? Or, how do I move all of the web templates from the old sp to the new sp?
    thanks,
    Sherazad

    I believe this PowerShell should work:
    > Get-SPWebTemplate | select ID, Name, Title | Sort-Object ID
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • CA web enrollment page is not shown in windows server 2008 R2 Datacenter edition

    hi friends
    On a Windows Server 2008 R2 Datacenter, I have installed ADCS (including web enrollment), and everything is ok.
    But when I connect to the CA web enrollment page to request a certificate for my web server, when I select advanced certificate request, the system doesn't show the page where we register our name & specification & select which certificate template we want. Instead it shows the page 
    In Windows 2008 R2 Enterprise edition this problem doesn't exist. Also in the standalone CA web enrollment page this problem doesn't exist.
    Any help please
    thanks in advance

    Forget about enrollment web pages. With Enterprise CAs you should consider using the Certificates MMC snap-in:
    http://technet.microsoft.com/en-us/library/cc754490.aspx
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

    hi thanks.
    i am familiar with cert snap-in, but i wanted to know can we restore previous web enrollment page which delivered us the ability of enroll

  • AD CS Web Enrollment Error - "public key does not meet the minimum size required"

    I've installed a standalone root CA and an enterprise subordinate CA in our environment - both are Windows 2008 R2. Everything is working except for Web Enrollment using a custom User template. I duplicated the default User template and chose 2003 Compatible for the new one. I changed the minimum key length to 2048 and set the validity period to 2 years.
    We'd like to avoid using the Advanced Certificate Request page, so I modified certrqtp.inc to point to the new template:
    Else
    ' Request types for enterprise
    rgAvailReqTypes(0,FIELD_TEMPLATE)="User-custom"
    rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_UserTemplateCert_Text
    rgAvailReqTypes(0,FIELD_CSPLIST)="Microsoft Enhanced Cryptographic Provider v1.0?Microsoft Base Cryptographic Provider v1.0"
    rgAvailReqTypes(0,FIELD_CSPLIST2)="Microsoft Base Cryptographic Provider v1.0?Microsoft Enhanced Cryptographic Provider v1.0"
    rgAvailReqTypes(0,FIELD_EXPORTABLE)="True"
    nAvailReqTypes=1
    End If
    I also ran into this issue where Web Enrollment jumps straight to the Advanced page if the original User template isn't present on the CA:
    http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/9ab514bc-1f9f-424e-b70d-705874d9c623
    So I have both User templates loaded on the CA, and I get this error back when attempting a certificate request using IE 8 or 9:
    Your certificate request was denied.
    Your Request Id is 25. The disposition message is "Denied by Policy Module".
    Contact your administrator for further information.
    Looking at the CA's Failed Requests section, I see this error:
    The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375)
    I double-checked our custom template and it does specify 2048 as the minimum key size.
    Also, when trying with Chrome 11.0, I get an extra option during enrollment asking for a key size (1024 or 2048). When I choose 2048, the certificate request succeeds. I don't get the key size option when using IE, though.
    We'd like to get this working with IE if possible. Any ideas?

    We had the same error message. The problem turned out to be on the requesting computer, not the server. When we went to renew a cert in IIS on a server it was generating a 1028-bit key request. Since the minimum on the server was set to 2048-bit
    the request failed. So, there's two ways to handle this. You can change the certificate template on the server to have a minimum set to 1024-bit or you can have IIS submit a new request for a certificate and choose 2048-bit as the size of the key during the
    wizard. We opted to have IIS request a 2048-bit key. The same would apply for whatever computer, device, or software you are using to form the certificate request.
    Your message is pretty old, but I am running into the same problem right now. I've added a custom template to select (with 2048) minimum length, but the webpage from the IIS by default provides just 1024-bit. Where can I optimize the IIS to use a 2048-bit key when requesting the certificate?
    When I open the same site with Firefox for example, I get a listed option (Medium / High Strength) to choose for the encryption. It seems that the high strength is >= 2048-bit.

  • Web Template URL for Web Template ZTEST could not be Generated

    Hello Experts,
    I have designed a template in WAD with the name ZTEST (example). When I try to execute it in the browser, it throws an error like "Web Template URL for Web Template ZTEST could not generated". I am working on 7.0 WAD.
    Please suggest if there are any settings to be done.
    Thanks in Advance,
    Regards,
    Vishnu.

    Hello Mr. Wond,
    Even if I am executing using a default template it is throwing the same error, "Web Template URL could not be generated". Meanwhile, while working on this issue I found that some Command URLs should be defined, but I am unable to trace where to define this URL Command, like <a href="http://myAppServer:myPort/SAP/BW/BEx?pageno=1&request_no=8&cmd=ldoc&template_id=EXAMPLE_TEMPLATE"></a>
    Please suggest..................
    Regards,
    Vishnu.

  • Attribute field in 2008 R2 AD CS Web Enrollment - Obsolete?

    Is the Attributes field in AD CS Web Enrollment now obsolete?
    I have implemented a Windows 2008 R2 two tier PKI infrastructure at my organization for some time now. We are just now rolling it out to our general populace. As such, I am tasked with coming up with an instructional presentation for less knowledgeable
    users. I have found that I cannot use the Attributes field on the Web Enrollment page for requesting SAN certificates.
    I read the documentation from Microsoft located at:
    http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_MakeSanExt .
    I can see that in order to request a SAN cert via certreq and .inf file, I must use the [Extensions] section rather than the [RequestAttributes] section. This works when using an INF file. When using the Attributes field in Web Enrollment, my certificate can be issued but the SAN is not present in the resulting certificate. I used the makeSanExtension.vbs script as mentioned in the above site and created the ANSI1 formatted extension, then copied it into the Attributes field in Web Enrollment and viewed the Binary certificate request in ADCS, and the SAN is not even listed.
    So, is there a way to request a SAN via that field? Are there other attributes that may be requested via this field?
    Below is what I read from the site mentioned above:
    [Extensions]
    ; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
    ; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
    2.5.29.17 = "{text}"
    _continue_ = "dns=www01.fabrikam.com&"
    _continue_ = "dn=CN=www01,OU=Web Servers,DC=fabrikam,DC=com&"
    _continue_ = "url=http://www.fabrikam.com&"
    _continue_ = "ipaddress=172.31.10.134&"
    _continue_ = "[email protected]&"
    _continue_ = "[email protected]&"
    _continue_ = "guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39&"
    ; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
    ; SANs can be included in the Extensions section only by adding Base64-encoded text containing the alternative names in ASN.1 format.
    ; Use the provided script MakeSanExt.vbs to generate a SAN extension in this format.
    2.5.29.17=MCaCEnd3dzAxLmZhYnJpa2FtLmNvbYIQd3d3LmZhYnJpa2FtLmNvbQ==
    [RequestAttributes]
    ; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP
    ; and you are using a standalone CA, SANs can be included in the RequestAttributes
    ; section by using the following text format.
    SAN="dns=www01.fabrikam.com&dns=www.fabrikam.com&ipaddress=172.31.10.130"
    Thanks for the response.
    Brian Britt
     

    On Mon, 7 Apr 2014 18:50:47 +0000, Brtian wrote:
    Is the Attributes field in AD CS Web Enrollment now obsolete?
    No.
    I have implemented a Windows 2008 R2 two tier PKI infrastructure at my organization for some time now. We are just now rolling it out to our general populace. As such, I am tasked with coming up with an instructional presentation for less knowledgeable
    users. I have found that I cannot use the Attributes field on the Web Enrollment page for requesting SAN certificates.
    I read the documentation from Microsoft located at:
    http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx#BKMK_MakeSanExt .
    I can see that in order to request a SAN cert via certreq and .inf file, I must use the [Extensions] section rather than the [RequestAttributes] section. This works when using an INF file. When using the Attributes field in Web Enrollment, my certificate can be issued but the SAN is not present in the resulting certificate. I used the makeSanExtension.vbs script as mentioned in the above site and created the ANSI1 formatted extension, then copied it into the Attributes field in Web Enrollment and viewed the Binary certificate request in ADCS, and the SAN is not even listed.
    So, is there a way to request a SAN via that field? Are there other attributes that may be requested via this field?
    You're reading the documentation incorrectly. That script is only required if you're going to use an INF file for the request. If you're going to use the web enrollment pages (which is
    not recommended as per the security warnings in the article) you need to enter something like the following in that section:
    san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com
    This example will register two SANs. Multiple SANs, if required, are separated with an &.
    From a security perspective I would strongly suggest that you forget about using the web enrollment and instead document how to use the Certificates MMC console.
    Paul Adare - FIM CM MVP
    "Space Aliens ate my UNIX compatibility!" -- cm about AIX

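The Attributes-field syntax given in the reply above (`san:dns=...&dns=...`) and the `SAN="..."` RequestAttributes form quoted in the question, as an added example that is not part of the original thread: a Python sketch that parses either string and lists requested names that deserve a second look before a request is issued. The function names, the allowed-suffix list and the second sample string are assumptions constructed for illustration; only the entry types legible on this page (dns, dn, url, ipaddress, guid) are recognised.

```python
"""Review requester-supplied SANs in an AD CS request attribute string."""
import ipaddress
import uuid

# Entry types legible in the documentation excerpt quoted on this page.
KNOWN_TYPES = {"dns", "dn", "url", "ipaddress", "guid"}


def parse_san_attribute(attr):
    """Split 'san:dns=a&dns=b' or 'SAN="dns=a&dns=b"' into (type, value) pairs."""
    text = attr.strip()
    head, sep, body = text.partition(":")
    if not sep or head.strip().lower() != "san":
        # RequestAttributes form from the INF excerpt: SAN="..."
        head, sep, body = text.partition("=")
        if not sep or head.strip().lower() != "san":
            raise ValueError("not a SAN request attribute: %r" % attr)
    pairs = []
    for entry in body.strip().strip('"').split("&"):
        if not entry.strip():
            continue  # tolerate a trailing '&', as in the _continue_ lines
        kind, eq, value = entry.partition("=")  # dn values keep their own '='
        if not eq or not value.strip():
            raise ValueError("malformed SAN entry: %r" % entry)
        pairs.append((kind.strip().lower(), value.strip()))
    if not pairs:
        raise ValueError("SAN attribute carries no entries")
    return pairs


def review_san_request(attr, allowed_dns_suffixes):
    """Return findings for a reviewer; an empty list means nothing stood out."""
    suffixes = [s.lower().strip(".") for s in allowed_dns_suffixes]
    findings = []
    for kind, value in parse_san_attribute(attr):
        if kind not in KNOWN_TYPES:
            findings.append("unrecognised entry type: %s" % kind)
        elif kind == "dns":
            name = value.lower().rstrip(".")
            if "*" in name:
                findings.append("wildcard DNS name: %s" % name)
            elif not any(name == s or name.endswith("." + s) for s in suffixes):
                findings.append("DNS name outside expected namespace: %s" % name)
        elif kind == "ipaddress":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append("malformed IP address: %s" % value)
        elif kind == "guid":
            try:
                uuid.UUID(value)
            except ValueError:
                findings.append("malformed GUID: %s" % value)
    return findings


# The string from the reply on this page.
PAGE_EXAMPLE = "san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com"
# Constructed sample (not from the page): names a reviewer should question.
CONSTRUCTED_REQUEST = (
    "san:dns=www01.fabrikam.com&dns=dc01.contoso.example"
    "&dns=*.fabrikam.com&ipaddress=172.31.10.999"
)

if __name__ == "__main__":
    # Assumed policy: only names under fabrikam.com are expected.
    for sample in (PAGE_EXAMPLE, CONSTRUCTED_REQUEST):
        print(sample)
        for finding in review_san_request(sample, ["fabrikam.com"]) or ["ok"]:
            print("   ", finding)
```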
  • Server 2008 R2 Certificate services web enrollment

    Not sure if this is the right place for this, but here goes.
    Upgraded a domain to 2008 R2. Migrated certificate services to 2008 R2 Enterprise root on a member server.
    Autoenrollment works fine
    Requesting cert from the MMC using certificates snapin works fine
    Requesting a cert via the web https://servername/certsrv gets the following error;
    Active Directory Certificate Services denied request 12345 because the request subject name is
    invalid or too long 0x80094001 (-2146877439)
    Error constructing or publiching certificate.
    I created a new cert template and did NOT check use Active Directory for subject name as templates with this checked
    do not show up in the web enrollment interface.
    I have enabled this template for enrollment and gave users rights to enroll.
    They are clicking advanced in the web interface as they want a computer cert.
    For the subject name, they enter computername.domain.local
    Based on searches I've done on the InterWeb, permissions APPEAR to be correct.
    Again, Autoenroll and MMC work just fine. Appears to be confined to only web.

    They are clicking advanced in the web interface as they want a computer cert.
    For the subject name, they enter computername.domain.local
    Be aware that the web enrollment pages do not support computer certificates and you need to issue the certificate to the user and import it to the computer store
    /Hasain

  • Integrate WAD 7.0 Template into BPS Web Interface

    Dear all,
    We recently migrated to BW 7.01. We have an existing planning application running as a BPS Web Interface.
    I now want to integrate a query output (data and chart) by using a web template designed with WAD 7.0 into the existing BPS web interface. I know how to do this with a web template designed with WAD 3.5. There is also a How-to paper available that explains it for 3.5. I'm struggling now to do the same with WAD 7.0. The syntax for the URL generation changed, that's one problem. There maybe more when actually calling the web template from the web interface(?).
    I found some threads here in the forum dealing with this issue but no clear solution. Some posts even mentioned that integration of 7.0 web templates into BPS web interfaces is not possible at all. I would appreciate any information on this issue.
    Thanks in advance!
    Regards,
    Ulrich Meier

    Hello Ulrich,
    the 7.0 web templates run on your BI Java server which has a different host name (and port) than your BW ABAP server which runs the BPS web interface. The servers are different in Dev/QA/Prod so you need to generate the URL dynamically.
    One way is to hardcode it in JavaScript. Something like: if CurrentDomain = ABAPDevDomain. Domain = JavaDevDomain. if CurrentDomain = ABAPQADomain. Domain = JavaQADomain. etc
    A fancy alternative would be to put the Java domain and port into an exit variable which you could include in the BPS web interface (in a hidden DIV tag for example). Fill the exit variable using function RSWR_GET_DEPLOY_PORTAL_INFO. Then your JavaScript can pick up this value to generate the proper URL for the web template.
    Regards,
    Marc
    SAP Technology RIG
    PS: Posting JavaScript directly is limited for security reasons (certain JS keywords are not allowed). You can put your JS into a text file and attach it to your posting.

  • Certificate Authority Web Enrollment - CSP states loading

    Hello,
    I have setup an enterprise sub CA (the root is offline).
    I have been able to issue certificates, but I did not have the Web Service, Policy Web Service or the Web Enrollment turned on.
    I turned them on yesterday and when I visit the website, when I click Create and submit a request to this CA it takes to the next page where I can request a certificate.  I created a duplicate template for the User Certificate and made it available.
    I see it in the drop down, however under key options, CSP just says loading. I went to this site: http://support.microsoft.com/kb/939290 and followed the instructions, Active Scripting is enabled and it still continues to state loading.
    I am at a complete loss as to what the problem might be. Event logs on CA server are clean, no errors or warning.
    Any suggestions?
    Update: I tried to get to the site from the actual CA server and it displays the "The Web site is attempting to perform a digital certificate operation on your behalf", etc...
    And it populated the CSP.
    I tried it from another server and it worked.
    I tried it from another workstation and it shows loading in the CSP.
    Has anyone run into this issue?

    Hi,
    As this works on one of your servers, do all your workstations have this issue?
    Certificate Enrollment Web Services client computers must be computers running at least Windows 7 or Windows Server 2008 R2 operating systems. To utilize key-based renewal, client computers must be running at least Windows 8 or Windows Server 2012 operating
    systems.
    Please follow the below article for more details:
    http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
    Regards,
    Yan Li

  • BEx Web Template (BTMP) and Web Template (TMPL)

    Hi,
    I found in BI7 Objects, there are BEx Web Template (BTMP) and Web Template (TMPL). What's the difference between them? For the BEx Web Template (BTMP), I can find it in Web Application Designer.
    But for Web Template (TMPL), I cannot find them in Web Application designer. How can I edit them?
    for example, there is a standard Web Template (TMPL)  0tpli_0tct_mc01_q0111, where can I change it?
    Many Thanks
    Jonathan

    hello,
    TMPL is for 3.5 template and BTMP is for BI 7.0 templates. For opening 7.0 template you need to use BI 7.0 WAD not 3.5 WAD.
    you can open the standard template 0tpli_0tct_mc01_q0111 in WAD and then do save as to save it custom template.
    Then you can edit the custom template and make the changes.
    Make sure that the std. template is installed correctly.
    Regards,
    Dhanya

  • I have an iPod Touch and am going on a cruise where I have been told that I won't be able to use Safari so I should download Firefox.  I found "Mercury Web Browser" Firefox at the app store.  Is this what I need? I'm leaving on Sept. 3rd.

    I have an iPod Touch and am going on a cruise where I have been told that Safari won't work on the ship so I need to download Firefox. My iPod said that Safari can't download it from the Firefox website.  I found "Mercury Web Browser" Firefox, in the app store (free) and am wondering if that is what I need?  Help, I'm leaving on Sept. 3/12.  Thanks.

    - I never heard that but it may be true. It could be that for some reason Safari can't be used to log into the network. Once logged in, Safari should work fine
    - However, I see nothing that says the Mercury Web Browser is Firefox. I would contact the cruise line and ask if and how you use the ship's wifi for an iPhone or iPad (it will apply to iPod touch)

  • No Template Found while creating Asset

    As admin I have created new template, flex definition.
    As a contributor, when trying to create a Flex Asset, it is not showing any Template. It gives a message 'No template found'. Why doesn't it take the Template I created?

    Hi there,
    just a couple of basic questions:
    1) Did you enable the template asset type for the "Store" site ?
    2) When you create the template you can assign it to specific asset types, does the template apply to the "StorePageDef" asset type ?
    for more info on creating templates see the developer's guide : 23.4 Creating Template Assets
    kind regards,
    Pietro

  • Want to set mailto for google apps;tried editing the gecko...mailto.2.uritemplate as per instructions found on web; set 3 related config values to "true" as per instructions; does not work; tried javascript method without success

    I want to set the mailto app for google apps gmail.
    I tried editing the gecko...mailto.2.uritemplate as per instructions found on web (https://mail.google.com/a/MYDOMAIN/mail/?extsrc=mailto&url=%s).
    Set 3 related config values to "true" as per instructions (network.protocol-handler.expose.mailto ; network.protocol-handler.warn-external.mailto ; AND, third, gecko.handlerService.allowRegisterFromDifferentHost).
    Does not work, no Google Apps in the mailto app spot.
    Tried javascript method in address bar without success:
    javascript:window.navigator.registerProtocolHandler("mailto","https://mail.google.com/a/MYDOMAIN/mail/?extsrc=mailto&url=%s","Google Apps GMail")
    Any light anyone can shed will be appreciated. Cheers, jlf

    Great howto Steve! This further increased my understanding of the MVC patterns used by BC4J.
    Some remarks:
    - Select New Business Components...
    This should be 'New Business Components Package', or you won't be able to add business components.
    ename as "Name",
    sal as "Salary"
    from emp
    where empno = ?
    That should be deptno.
    - Select the EditEmpsInDepartment view object
    That should be EmpsInDepartment.
    Greetings,
    Ivo
