November 27, 2006 02:27 PM

Q. You receive 'The wizard cannot be started because of one or more of the following conditions' when you use the Certificates console on a client computer to request a certificate from a Windows Server 2003 SP1 (Service Pack 1) computer?

Windows IT Pro
InstantDoc ID #94322

When you use the Certificates console on a client computer to request a certificate from a computer running Windows Server 2003 SP1, you receive:

The wizard cannot be started because of one or more of the following conditions:

- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.

The server's Application log contains events like:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer: <ServerName>
Description: Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: SubCA.


Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 21
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer: <ServerName>
Description: Certificate Services could not process request 5 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437).

If automatic certificate enrollment is enabled in the domain, the client's Application log also records Event ID 13 from Event Source AutoEnrollment, and the client is unable to obtain certificates automatically.

SP1 introduced rights that give an administrator independent control over local and remote permissions for:

- Starting Component Object Model (COM) servers.
- Activating COM server settings.
- Accessing COM servers.

A new CERTSVC_DCOM_ACCESS security group was created in the CN=Users container when SP1 was installed. It should have the appropriate DCOM permissions and should have the Domain Users and Domain Computers global groups as members. If the Certificate Services service is running on a domain controller, CERTSVC_DCOM_ACCESS is configured as a Domain Local group with the Enterprise Domain Controllers group as an additional member.

The problem behavior occurs if the membership of the CERTSVC_DCOM_ACCESS group, or the DCOM permissions granted to it, is incorrect.

To fix the problem:

1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority:
   a. Start / Run / Dsa.msc / OK
   b. Select the Users container.
   c. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.

2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
   - Domain Users
   - Domain Computers
   - Enterprise Domain Controllers, if the Certificate Services service is running on a domain controller.
   NOTE: If users or computers in other domains need to enroll against the certification authority, you must add them to the CERTSVC_DCOM_ACCESS group.

3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority:
   a. Start / All Programs / Administrative Tools / Component Services.
   b. Expand Component Services.
   c. Expand the Computers node.
   d. Right-click the My Computer node, and press Properties.
   e. Select the COM Security tab.
   f. Press Edit Limits under Access Permission.
   g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then press Cancel.
   h. Under Launch and Activation Permissions, press Edit Limits.
   i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then press Cancel.
   j. Press Cancel, and then close the Component Services console.

4. If any of the above are incorrect:
   a. Open a CMD.EXE window.
   b. Run the following commands, pressing Enter after each line:

      certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
      net stop certsvc
      net start certsvc

5. Repeat steps 1 through 3 to verify that all the settings are correct.

NOTE: If you changed membership of the CERTSVC_DCOM_ACCESS group, you must restart the server for the changes to take effect.

NOTE: See tip 9834 » Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1.
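The following script is an added example, not part of the original tip: it automates the checks in steps 1 through 3 from the CA host. It assumes PowerShell 3 or later with the ActiveDirectory (RSAT) module, elevated rights on the CA, that Win32_ComputerSystem.DomainRole is used to detect a domain controller, and that the COM_RIGHTS_* bit values and the HKLM\SOFTWARE\Microsoft\Ole limit values are as documented for DCOM.

```powershell
# Added example, not from the original tip: verifies steps 1-3 on the CA host.
# Assumes PS 3+, the ActiveDirectory module, and an elevated session on the CA.
# DCOM computer-wide limits are self-relative security descriptors under HKLM\SOFTWARE\Microsoft\Ole;
# the rights bits are from objbase.h (COM_RIGHTS_EXECUTE_LOCAL=2, _REMOTE=4, ACTIVATE_LOCAL=8, _REMOTE=16).
$group    = 'CERTSVC_DCOM_ACCESS'
$problems = @()

# Step 1: the group must exist in the CA's domain.
$g = Get-ADGroup -Filter "Name -eq '$group'"
if (-not $g) {
    $problems += "$group does not exist in this domain (run step 4)"
} else {
    # Step 2: required members, compared by SID so well-known groups match even as foreign security principals.
    $domSid   = (Get-ADDomain).DomainSID.Value
    $required = @{ 'Domain Users' = "$domSid-513"; 'Domain Computers' = "$domSid-515" }
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {   # 4/5 = domain controller
        $required['Enterprise Domain Controllers'] = 'S-1-5-9'
    }
    $memberSids = foreach ($dn in (Get-ADGroup -Identity $g -Properties member).member) {
        (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
    }
    foreach ($r in $required.GetEnumerator()) {
        if ($memberSids -notcontains $r.Value) { $problems += "$group is missing member '$($r.Key)'" }
    }
}

# Step 3: Access limits need Local+Remote Access; Launch limits need Local+Remote Activation.
$limits = @{ MachineAccessRestriction = 2 -bor 4; MachineLaunchRestriction = 8 -bor 16 }
$ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in $limits.Keys) {
    $bytes = (Get-ItemProperty -Path $ole -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $bytes) { $problems += "$name is not set; inspect the limits in Component Services"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        try   { $acct = $ace.SecurityIdentifier.Translate([Security.Principal.NTAccount]).Value }
        catch { continue }   # unresolvable SID: skip it
        if ($acct -like "*\$group") { $granted = $granted -bor $ace.AccessMask }
    }
    if (($granted -band $limits[$name]) -ne $limits[$name]) {
        $problems += "$name does not grant $group the required local and remote rights"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'All CERTSVC_DCOM_ACCESS checks passed.' }
```

Any warning the script prints maps to the manual step it came from, so step 4 (certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG and a CertSvc restart) remains the fix.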
