Requests for Certificates from an Enterprise Certificate Authority Are Unsuccessful (278257)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q278257

SYMPTOMS

If Read permissions are removed from the Authenticated Users group on a certificate template, all requests for certificates from an enterprise Certificate Authority (CA) are unsuccessful.

CAUSE

This issue occurs because the Authenticated Users group is on a template access control list (ACL) by default. The enterprise CA is included in this group.

If the Authenticated Users group is removed from a template ACL, the CA can no longer read the template in Active Directory, so all certificate requests that use that template fail.

STATUS

This behavior is by design.

MORE INFORMATION

If you are an administrator and you want to remove the Authenticated Users group from the ACL, follow these steps:
  1. Add every CA computer account to the template ACLs, and then grant them Read permissions.
  2. Give any users, groups, or computers that need to enroll with that template Enroll permissions.
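
The two steps above, followed by the removal of Authenticated Users, as an added example that is not part of the original article. It assumes a management host with the RSAT ActiveDirectory PowerShell module and a single-domain forest; the template name and group name are hypothetical.

```powershell
# Added example, not from the original article. Assumptions: a management host
# with the RSAT ActiveDirectory module, a single-domain forest, and the two
# hypothetical names below.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$TemplateCN  = 'ExampleTemplate'      # hypothetical template CN
$EnrollGroup = 'Example-Enrollers'    # hypothetical group that must enroll

$configNC = (Get-ADRootDSE).configurationNamingContext
$pki      = "CN=Public Key Services,CN=Services,$configNC"
$path     = "AD:\CN=$TemplateCN,CN=Certificate Templates,$pki"

$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$read     = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Certificate-Enrollment extended right, shown as "Enroll" in the template ACL
$enroll   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$acl = Get-Acl -Path $path

# Step 1: grant Read to the computer account of every enterprise CA
# published under Enrollment Services.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName
if (-not $cas) { throw 'No enterprise CA found; refusing to change the ACL.' }
foreach ($ca in $cas) {
    $computer = Get-ADComputer -LDAPFilter "(dNSHostName=$($ca.dNSHostName))"
    if (-not $computer) { throw "No computer account for CA host $($ca.dNSHostName)" }
    $acl.AddAccessRule((New-Object $ruleType -ArgumentList $computer.SID, $read, $allow))
}

# Step 2: grant Enroll to the enrolling group. Read is added too (an addition
# to the article's step) because the group no longer gets it via Authenticated Users.
$sid = (Get-ADGroup -Identity $EnrollGroup).SID
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $sid, $read, $allow))
$acl.AddAccessRule((New-Object $ruleType -ArgumentList $sid, $extRight, $allow, $enroll))

# Only after the explicit grants exist: drop every ACE for Authenticated Users
# (well-known SID S-1-5-11), then write the ACL back in one operation.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$acl.PurgeAccessRules($authUsers)
Set-Acl -Path $path -AclObject $acl
```

Because the grants and the removal are written in a single Set-Acl call, the CA is never left without Read on the template.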

Modification Type: Minor
Last Reviewed: 1/20/2006
Keywords: kbbug kbCertServices w2000certsrv KB278257