Unable to enroll Computer certificates on Server 2008 R2 and older

I've found a strange issue with our CA setup, and it didn't use to be a problem. While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer certificate or for a custom template I built for web servers. Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble. Direct IIS "domain certificate" enrollment still works.
I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built. I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks > Request New Certificate. I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen. If I check the box to show all templates the certificates I want are listed with:
"The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't support this operation, or the CA is not trusted."
I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong. The error message seems to say it all, but since Windows 8/2012 clients and newer work I know the CA is functional and that the Administrator account can request certificates. I've searched the web but can't find anything like this specific issue.
Any ideas?
Thank you!

Hi Amy.
Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.
I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue.  Our domain has had plenty of time to replicate the copied template.
I don't recall making any changes that would have affected a computer's ability to enroll. There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I went to generate internal certificates back in October. All administrative work is done as the domain Administrator account.
We didn't have issues with this CA when it was first built, so something did change. We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything. When we moved to Server 2012 on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained. It may be better just to clean everything and get one consistent root certificate again.
Alan

Similar Messages

  • Do we need CALS for windows server 2008 R2 and 2012 R2 if 2008 R2 is just a stepping stone?

    We currently have a server on Windows Server 2008 RC SP2 64-bit with approximately 20 clients.
    We want to upgrade to Windows server 2012 R2 but first need to upgrade to Windows 2008 R2 to allow us to do a straight upgrade.
    Is it possible to upgrade to Windows Server 2008 R2 with the 5 CALs included and then upgrade to 2012 R2 and install 20 new CALs and keep all user accounts and domain PCs the same?

    Ok, sorry for using the wrong terminology... I was under the impression that for each client (computer) connecting to the server we will need a CAL (Client Activation License) in order for the computer to be a domain PC on the server. Do I need 20 CALs for Windows Server 2008 R2 and then another for Windows Server 2012 R2 if we are only upgrading to 2008 R2 to be able to upgrade to 2012 R2 without having to do a clean install?

    For Windows Server (Standard edition or Enterprise edition or DataCenter edition), a Client Access License (CAL) is required for each device (if you're using the per-Device CAL licensing method), or is required for each user (if you're using the per-User CAL licensing method).
    (whether you use per-Device, or per-User, is up to you, it comes down to cost).
    CALs are version-specific (to a point) - i.e. if you purchased WS2008 CALs for your 20 devices, for use with your WS2008 server, and you are now upgrading that server to WS2012, you need to upgrade your CALs.
    If you are adding a second server which is WS2012, and you are keeping your WS2008 server, you need to upgrade your CALs (because you only purchased WS2008 CALs which don't grant you the rights to connect to the newer server).
    If you were to install your second server as WS2008, you wouldn't need to purchase additional CALs, because as long as the version is the same, a single CAL grants you access to unlimited servers (of the same version).
    CALs can be tricky to correctly license.
    Here's some introductory reading:
    http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx#tab=1
    And, none of this relates to the technical aspects of product installation/configuration at all (e.g. clean install vs. upgrade).
    Windows Server CALs are not license keys/tokens/files which you install/load/download - Windows Server CALs are quite literally paper-based (just like a driver's license or car registration). You are required to have them, to be correctly licensed, but you don't physically do anything with them to own/drive a car.
    Don

  • Windows Server 2008 R2 and Windows 7 DNS Problem

    Hi,
    I have a DNS Server hosted in Windows Server 2008 R2 and our clients are using Windows 7. All are working fine then suddenly there are times that our client cannot access our internal site and cannot connect with our IM which is also hosted in the server.
    Tried to ping the server's IP but got this result: 
    Ping request could not find host .com. Please check the name and try again.
    NSLookup works fine. Tried to use the ip address instead of the domain name and it works. Resetting network connection seems to resolve the issue but we cannot do it all the time especially when we have hundreds of computers in our office. Anyone have ideas regarding this?

    Hi,
    “Resetting network connection seems to resolve the issue but we cannot do it all the time especially when we have hundreds of computers in our office. Anyone have ideas regarding this?”
    It seems to be a client IP address conflict; it may be caused by your DHCP Conflict Detection Attempts value not being set appropriately. You can try to set Conflict Detection Attempts to a value other than 0.
    More information:
    Detect and Avoid IP Address Conflicts
    http://technet.microsoft.com/en-us/magazine/ff606371.aspx
    Hope this helps

  • How to install BIDS for SQL Server 2008 R2 and Visual Studio 2008(SSRS,SSIS)

    Hi,
    I want to install SQL Server 2008 R2 and Visual Studio to use the SSRS tool. Where can I download these applications? My system configuration is Windows 8.1, 64-bit.
    Please share step-by-step information for download and installation. Kindly reply soon.
    Thank you
    Pravesh Kumar

    Hi Pravesh Kumar,
    As Visakh16 suggested, you can download SQL 2008 R2 Standard and Developer edition.
    If you have a subscription associated with your Microsoft account, you can download SQL 2008 R2 Standard and Developer edition from the link below, but these two editions are not free:
    https://msdn.microsoft.com/subscriptions/securedownloads/
    Microsoft also provides the evaluation edition for free use for 180 days. This software is for evaluation and testing purposes. The evaluation is available in ISO format. Web, Standard, Enterprise and Datacenter editions are available via the same download:
    http://www.microsoft.com/en-us/download/details.aspx?id=11093
    More detailed information about the features supported by the different editions is in the article below:
    Features Supported by the Editions of SQL Server 2008 R2
    If you still have any problem, please feel free to ask.
    Regards,
    Vicky Liu
    TechNet Community Support

  • Dual boot Windows Server 2008 R2 and RHEL 7 Server?

    Does someone know how I can set up dual boot of Windows Server 2008 R2 and RHEL 7 Server?
    I've tried to install Windows first, then shrink, then install RHEL there.
    But GRUB2 loader doesn't offer to start Windows, only Linux in the menu. (probably Windows partition need to be added to grub2 somehow)

    Hi Oleg Vazhnev,
    Please refer to the following article and check if it can help you.
    How to add Vista/Windows 7 partition to Grub 2 (Ubuntu 9.10, Karmic Koala)
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Meanwhile, please also refer to the following video and check if it can provide you more details of the installation.
    Install RHEL 7 in Legacy Mode (Dual Boot Windows Server 2008 R2)
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    If there is any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • XL Reporter in Sap 8.8 PL 16 running On Server 2008 R2 and SQL 2008 R2

    Within the above environment (XL Reporter in Sap 8.8  PL 16 running On Server 2008 R2  and SQL 2008 R2)
    Xl reporter is loading and appears to work fine until you look at the spreadsheet result
    It is completely blank except for the titles
    Yet Excel Macros and the attachment paths are defined correctly
    As can be seen when we export any report to Excel successfully
    I've had another consultant look at my setup carefully just to be sure
    He can't figure out why
    Anyone with similar results
    I would appreciate any comments
    Georges Ostiguy

    Even something as simple as a list of BPs and phone numbers gives a blank report
    When my friend who knows xl reporter much more than I do tried, he managed to get the
    BP numbers but nothing further
    I then brought him to another server with the same configuration , same result
    He then tried it on one of his own servers with similar config = same result
    Server 2008 Standard R2 64bit
    MSSQL 2008 R2
    SAP 8.8 PL 16
    Sample demo database
    I don't get it

  • Which Windows server 2008 release and edition supports Oracle 11g R1 64 Bit

    Hi
    Trying to install the Oracle 11g R1 64bit on Windows server 2008 . Hence requesting you all , which Windows server 2008 Release and Edition support Oracle database 11g R1 64bit .
    Thank You

    Hi,
    Even 2008 is also certified; in total Windows 2008/2003 R2/XP/Vista, Linux, IBM AIX, HP-UX ...
    Go to http://support.oracle.com --> certifications --> select product "ORACLE DATABASE" --> Release "11.x.x.x" --> select platform "ANY"
    You can check all the compatibility.
    https://support.oracle.com/CSP/ui/flash.html#tab=CertifyHomePageV2(page=CertifyHomePageV2&id=ggfixmkw())
    Thanks

  • Access Denied DNS Server Windows Server 2008 R2 and Install AD (PDC) and ADD (BDC=Additional AD)

    Hi,
    I have
    Windows Server 2008 R2 and installed Active Directory
    Install and configuration for Windows Server 2008 PDC (Primary Domain Controller) and BDC (Additional Domain Controller)
    Error
     A security Package specific Error Occurred. Would you like to add it anyway
    and 
    Access Denied Console Other Domain AD 
    and Nslookup 
    C:\Users\admin>nslookup pdc
    Server:  bdc.*.*
    Address:  10.0.X.X
    Name:    pdc.*.*
    Addresses:  10.0.1.11
              10.0.X.X

    Hello,
    Your description is a bit confusing. You get the error message when you try to add the other DC to the DNS management console on one machine?
    Both DCs belong to the same domain according to your description?
    Please post an unedited ipconfig /all from both DC/DNS servers here.
    BTW: The PDC/BDC concept has been gone since the start of AD with Windows 2000 Server. All DCs are the same; the only differences are the FSMO roles, which can still be held by any DC in the domain according to some rules.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Windows Server 2008 x64 and Crystal Reports Server Embedded

    We're attempting to certify our software with Windows Server 2008 x64 and want to know the best way to configure both the server and client of Crystal Reports Server Embedded.  Currently, our software is certified against Windows Server 2003 x86, and we install Crystal Reports Server Embedded XI Release 2 (no SP) on the application server, and we deploy the Crystal Reports .NET merge modules for XI Release 2 (no SP) on any client machines.
    I believe I am correct in stating that no version of Crystal Reports Server Embedded officially supports Windows Server 2008 x64 (based on some other forum postings) until SP1 comes out (which I don't think has happened at this point).  If that is true, we can live with installing the RAS on a separate Windows Server 2003 x64, if that's even possible.  With that said, can we even get our Windows Server 2008 x64 running with the latest Crystal Reports 2008 .NET merge modules?  We've tried many different configurations between CR XI R2 SPs and CR 2008 for both client and server and have very little luck (either it won't install correctly because of x64 or missing .cabs, etc.) on both the client and server side of things.
    Can someone suggest the optimal configuration when Windows Server 2008 x64 is in the mix, noting that we can use a secondary Windows Server 2003 (x64 preferred but can fallback to x86)?  Or do we have to wait for Crystal Reports Server Embedded 2008 SP1 to be released, and if so, does anyone know of the date?
    Thanks,
    Ross Beehler

    CRSE 2008 is a 32 bit app, it works on 64 bit OS's but all parts must also be running in 32 bit mode.

  • I have installed Adobe Acrobat XI on citrix (server 2008, x64) and need to suppress repair option in Help menu for the users via registry.

    I have installed Adobe Acrobat XI on Citrix (Server 2008, x64) and need to suppress the repair option in the Help menu for the users via registry. I have tried the Disable_repair dword key in HKLM\software\Wow6432Node\Adobe\AdobeAcrobat\11.0\Installer and it does not work. Please help.

    Look in the ETK Preference Reference here:  Installer settings

  • How to merge partitions in Windows Server 2008 quickly and effectively?

    How to merge partitions in Windows Server 2008 quickly and effectively?

    Hi,
    In Windows systems we can only extend a partition to unallocated space behind it - so if we have 2 consistent partitions, we can only delete the second one and extend the first one.
    If the 2 partitions are on 2 different disks, you can also create a spanned volume - you will still need to delete the second partition and convert both disks to dynamic disk to create the spanned volume. 

  • Extend license for evaluation versions of server 2008 rs and sql 2008 rs

    We had to stop our testing because of seasonal business requirements and now have only 11 days before the expiration of our trial versions of SQL Server 2008 R2 and Windows Server 2008 R2. How do we extend the license for 60 days to complete our testing
    and start the move to a new production system?

    Hi,
    Please refer to the following article and check if it can help you.
    Extending Your Activation Grace Period on Windows Server 2008 and 2008 R2
    However, as GreenlightTech suggested, purchasing licenses and activating will be a better option before the activation grace period expires.
    If I have misunderstood anything, or if there is any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Unable to install illustrator on windows server 2008

    I keep getting error messages when trying to install the free trial of Illustrator with windows server 2008 platform. Is this not an approved OS?

    You can't use AI in a server environment. That would violate the EULA. Single user only.

    Not true. Local installs and usage do not in any way collide with the EULA even on a server OS. He said nothing about provisioning or setting it up for remote users.
    Mylenium

  • Unable to run report on CR server 2008 V1

    Hi,
    I am tasked to set up a CR Server 2008 on Windows 2003 and deploy dozens of reports on it. The reports are created using SAP Crystal Reports for Eclipse. The reports can be previewed in Eclipse, but they fail to run on the newly set up server. The viewer showed "Failed to open the connection. Report1". My server environment is as below.
    OS: Windows Server 2003 Standard SP2
    CR server : CR Server 2008 V1
    DB server : Oracle 11.2.0.1.0 64bit
    DB client : 11.2.0 32bit
    The DB server can be connected via sqlplus on the Win2003 server. I guess there is problem in the link between CR Server 2008 and the Oracle Client. I am new to CR and don't know what debug/log messages I can dig into. How to make it run?
    Thanks

    All of the JDBC options you configure to use the Oracle JDBC driver on your work station to create the reports need to be set up exactly the same way on the CRS PC.
    Refer to the Help files on configuring your JDBC driver.
    Connection screen
    FROM Help file.
    Note: You can configure some of the connection information on this screen in the CRConfig.xml file. For more information, see CRConfig.xml Tag Reference.
    JDBC Connection
    Select this option to use a URL and class name to connect to a Java Database Connectivity (JDBC) data source.
    For details about JDBC, connection URLs, and class names, see your Java and/or data source documentation, or search the Sun Microsystems web site.
    Connection URL
    Enter a JDBC URL to specify a data source so that the appropriate database driver (class) can establish a connection; you'll identify the class in the next field.
    Database Classname
    Enter the name of the class that you want to use as your database driver for this connection. You must know the class name, which is provided by your database client software.
    JNDI Connection
    Select this option to use a data source (a combination of a connection URL and a class name) that has already been specified and saved through the Java Naming and Directory Interface (JNDI).
    JNDI Provider URL
    Enter the JNDI connection URL for your database driver. This information is provided by the database driver vendor.
    JNDI Username
    Enter the appropriate user name to connect to your JNDI server. The JDBC driver uses this information to connect to the database.
    JNDI Password
    Enter the appropriate password to connect to your JNDI server.
    Initial Context
    Enter a directory path that indicates where in the directory service the JNDI should start a recursive search for your predefined connections (data sources, or URL and class name combinations).
    Note: All tokens that appear below the directory location of the initial context are returned. Therefore, it is useful to be as specific as possible when entering initial context information.
    Once you have entered the appropriate directory path and have clicked the Next button, all data sources that you can choose are listed by name in the Data Source Name list. Select the data source that you want to use and click Next to go to the Connection Information screen.
    Don

  • Active Directory - Server 2008 R2 and 2012 R2 (Server Formatting or not productive

    Hello guys, I come here to try to clarify a great doubts regarding Server Operating Systems, I will attempt to detail the most of my scenario.
    Suppose I have a Server 2008 R2 in production, and this is my Active Directory server (meudominio.local) and am managing through Group Policy settings my workstations that are around 60-70 computers, guys my doubts the thing is, if I need some time to format
    and perform a fresh installation of my server as it will be my Active Directory? Of course I will have lost my domain controller and I have to accomplish the placement of each workstation again that enters my domain one by one.
    I know there is the option of AD replication, so we call the Active Directory, even for another version of the Operating System, prátia already realized this, but it most often comes not functioning properly, done without replication problems Server 2003 to
    2008 R2.
    Guys like to know a solution to not having to put my plants in my domain network again one by one, is there any way to backup so that when I reinstalled the system and the AD again in my server stations return to "see" again that server as your domain
    controller, even me installing AD with the same domain name before this formatting stations do not respond to this driver in this case do the Network ID or add the station to the area again, so she creates a new user profile for example (Max.meudominio) while
    your old profile "guy" still remains on the machine, I adopted the practice of editing the record of this newly created profile and pointing him well for the old user folder which contains all data and settings, eg edit my key "ProfileImagePath"
    regedit logged in with the newly created profile (Max.meudominio) ->
    (switch "ProfileImagePath" C:\Users\Max.meudominio) thus pointing to the folder before replacing in the field again this season after formatted server, thus ->
    (Switch "ProfileImagePath" C:\Users\Max), detail that we give permission for all such user "C:\Users\Max" folder, after that restart the computer and he comes back with the user profile and all your settings.
    I wonder if there is another method to perform this procedure, do not know even a backup AD to not have to replace all the seasons again "meudominio.local".
    Thank you for your attention!
    Translation with Google translator! Sorry.
    Matias Duarte, Support Coordinator, Dual Solucoes® | Information technology solutions

    As the practice of replication I know her mostly said she has some flaws when I do the replication of my domain to another server but it works correctly, so having a server "master" and the other ServidorBKP as "slave", in redundancy,
    the problem is when I say, and put the "ServidorBKP" being my primary domain controller and disabling my main controller, to disable or turn off my main controller the stations themselves are unable to login because it does not communicate with the
    my ServidorBKP "slave" even I put it as the main driver of course.
    Regarding the System State as far as I know this option existed in Server 2003.
    I also got some information, confer on the links below.
    http://msdn.microsoft.com/en-us/library/bb727048.aspx
    http://technet.microsoft.com/pt-br/library/cc758435(v=ws.10).aspx
    http://technet.microsoft.com/en-us/library/cc961934.aspx
    I'm still researching other ways, getting communicate any news to everyone. (Google Translate)
    Matias Duarte, IT Coordinator, Dual Solucoes® | Information technology solutions http://www.matiasduarte.com.br
