Certification Authority configuration to publish certificates in Active Directory of trusted domain (281271)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q281271

SYMPTOMS

In the following scenario, if a user from the same domain as a Root certification authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not successful. Also, when users from the same domain as a Root CA request a certificate, the issued certificate may not be published in Active Directory.

Scenario: In a two-level domain hierarchy with a parent and a child domain, the Enterprise CA is located in the parent domain, and the users are in the child domain. The users in the child domain enroll to the parent CA, and the CA publishes issued certificates to the user's DS object in the child domain. Within a single-level domain or a parent domain, where the Enterprise CA is located in the parent domain, the users in the single-level or parent domain enroll to the single-level CA or to the parent CA, and the CA publishes issued certificates to the user's DS object in the single-level domain or in the parent domain.

CAUSE

Two-level domain hierarchy scenario

Users from the child domain do not have appropriate permissions to enroll. Even when they do, the Root CA does not have the access permissions to publish the certificate to Active Directory.

By default, only domain users from the same domain as the Root CA have enroll permissions.

By default, the Root CA has the following necessary permissions granted on users within its domain:
  • Read userCertificate
  • Write userCertificate
The Root CA in the parent domain does not have permissions to the userCertificate property on the users in the child domain.

Single-level domain or parent domain scenario

By default, the AdminSDHolder object does not grant the Cert Publishers group the necessary permissions for user accounts that are covered under the AdminSDHolder process.

RESOLUTION

Two-level domain hierarchy scenario

To enable the child domain users to get certificates and have them published to Active Directory, you must perform the following steps:
  1. Set the permissions on the CA's template to allow enrollment requests.
  2. Set the user object permissions to allow the CA to publish the certificate.
  3. Alter AdminSDHolder to push the user object permissions to users that are administrators.
Note You must first install the Support Tools from the Windows Professional or Windows Server CD-ROM.

To enable the child domain users to get certificates and have them published to Active Directory

  1. Set permissions on the CA to allow users in the child domain to request a certificate. By default, this should be in place.
    1. Open the Certification Authority snap-in, right-click the CA, and then click Properties.
    2. On the Security tab, ensure that the Authenticated Users group is allowed to request certificates.
  2. Set permissions on the applicable certificate templates to allow users in the child domain to enroll. (Note You must be logged onto the root domain with domain administrator rights.)
    1. Open the Active Directory Sites and Services snap-in.
    2. Click View, and then click Show Services Node.
    3. Expand the Services Node folder, expand Public Key Services, and then click Certificate Templates.
    4. In the Details pane, select the desired template or templates. For example, right-click the User certificate template, and then click Properties.
    5. On the Security tab, grant enroll permissions to the desired group, such as Authenticated Users.
  3. Configure the CA Exit Module to publish certificates to Active Directory.
    1. In the Certification Authority snap-in, right-click the CA, and then click Properties.
    2. On the Exit Module tab, click Configure.
    3. In the properties for the Exit Module, click to select the Allow certificates to be published in the Active Directory box.

On the child domain controller:

  4. Open the Active Directory Users and Computers snap-in, and right-click the domain node.
  5. Click Delegate Control, at which point the Delegation wizard starts. In the wizard:
    1. Click Next, click Add, and then add the Cert Publishers group from the parent domain. Click Next.
    2. Select the Create a custom task to delegate option, and then click Next.
    3. Select the Only the following objects in the folder option.
    4. Select the User objects option, and then click Next.
    5. Select the Property-specific option.
    6. Select the Read userCertificate option.
    7. Select the Write userCertificate option.
    8. Click Next, and then click Finished.
  6. Still on the child domain controller, at a command prompt, run the following two commands, keeping the quotation marks:

    dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:WP;userCertificate"

    dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:RP;userCertificate"

    where dc=<your domain>,dc=<com> is the distinguished name (DN) of your child domain, and <CA's domain> is the domain name where the CA is located.

Single-level domain or parent domain scenario

On the single-level domain controller or on the parent domain controller, at a command prompt, run the following two commands, keeping the quotation marks:

dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:WP;userCertificate"

dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:RP;userCertificate"

where dc=<your domain>,dc=<com> is the distinguished name (DN) of your domain (the single-level domain or the parent domain), and <CA's domain> is the domain name where the CA is located.
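The two dsacls commands above (used in both the two-level and the single-level scenario) add object-specific Allow ACEs for Read Property and Write Property on the userCertificate attribute to AdminSDHolder. The following script is an added verification check, not part of the KB article: it reads the AdminSDHolder security descriptor through ADSI, resolves the schemaIDGUID of userCertificate from the schema, and reports whether the Cert Publishers group of the CA's domain holds both rights. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read the target domain; the function name and the domain names in the usage call are hypothetical.

```powershell
# Added verification script; not part of KB 281271. Assumes the ActiveDirectory
# module (RSAT) and read access to the target domain. The domain names used in the
# usage call at the bottom are hypothetical placeholders.
Import-Module ActiveDirectory

function Test-CertPublishersAdminSDHolderAce {
    param(
        [Parameter(Mandatory)] [string] $DomainDnsName,    # domain whose AdminSDHolder is checked
        [Parameter(Mandatory)] [string] $CaDomainNetbios   # NetBIOS name of the domain that holds the CA
    )

    $domain   = Get-ADDomain -Identity $DomainDnsName
    $server   = $domain.PDCEmulator
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    # Look up the schemaIDGUID of userCertificate rather than hard-coding it; the dsacls
    # "RP;userCertificate" / "WP;userCertificate" grants become object-specific ACEs keyed on it.
    $rootDse = Get-ADRootDSE -Server $server
    $attr    = Get-ADObject -Server $server -SearchBase $rootDse.schemaNamingContext `
                   -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
    $userCertGuid = [guid]$attr.schemaIDGUID

    # Read the security descriptor of AdminSDHolder through ADSI (System.DirectoryServices).
    $entry = [adsi]"LDAP://$server/$holderDn"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    # A group from the trusted (parent) domain is listed as PARENTNETBIOS\Cert Publishers when the
    # trust can translate its SID; otherwise it shows as a raw SID and will not match here.
    $identity = "$CaDomainNetbios\Cert Publishers"
    $matching = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $identity -and
        $_.ObjectType -eq $userCertGuid
    })

    $read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [pscustomobject]@{
        AdminSDHolder = $holderDn
        Identity      = $identity
        HasReadProp   = [bool]($matching | Where-Object { $_.ActiveDirectoryRights.HasFlag($read) })
        HasWriteProp  = [bool]($matching | Where-Object { $_.ActiveDirectoryRights.HasFlag($write) })
        MatchingAces  = $matching.Count
    }
}

# Usage (hypothetical names): check the child domain's AdminSDHolder for the parent domain's group.
Test-CertPublishersAdminSDHolderAce -DomainDnsName 'child.example.com' -CaDomainNetbios 'EXAMPLE'
```

Both HasReadProp and HasWriteProp should be True after the dsacls commands have run. Note that AdminSDHolder is only a template: the SDProp process copies its ACL onto protected accounts on its own schedule (every 60 minutes by default), so the user objects of administrators will not reflect the change immediately.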

Windows 2000 domains and Windows Server 2003 domains that have been upgraded from Windows 2000

The Cert Publishers group is a Domain Global group in Windows 2000 domains. This group is also a Domain Global group in Windows Server 2003 domains that have been upgraded from Windows 2000. You can enable the child domain users to obtain certificates and have them published in upgraded Windows Server 2003 domains. To do this, change the group type to Domain Local, and include the CA server from the parent domain. This procedure creates the same configuration that is present in a freshly installed Windows Server 2003 domain. The user interface (UI) does not let you change the group type. However, you can use the dsmod command to change the Cert Publishers group from a Domain Global group to a Domain Local group. To do this, use the following syntax:

dsmod group "<Group Distinguished Name>" -scope l

Note In some cases, you cannot change groupType directly from global to domain local group. In this case you have to change the global group into a universal group and then change the universal group into a domain local group. To do this, follow these steps:
  1. Type the following command and then press ENTER:

    dsmod group "<Group Distinguished Name>" -scope u

    This command changes the global group into a universal group.
  2. Type the following command and then press ENTER:

    dsmod group "<Group Distinguished Name>" -scope l

    This command changes the universal group into a domain local group.
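The same scope change, and the addition of the parent-domain CA computer account as a member, can be scripted with the ActiveDirectory module. The following function is an added example, not part of the KB article: it tries the direct change to Domain Local first and falls back to the Universal hop when the directory rejects it, which is the two-step dsmod procedure above; it then adds the CA server's computer account if it is not already a member. It assumes the ActiveDirectory module and write rights on the group; the function name, domain names and computer name are hypothetical.

```powershell
# Added example; not part of KB 281271. Assumes the ActiveDirectory module and
# rights to modify the Cert Publishers group. Domain and host names are hypothetical.
Import-Module ActiveDirectory

function Convert-CertPublishersToDomainLocal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainDnsName,   # upgraded domain that owns the Cert Publishers group
        [string] $CaDomainDnsName,                        # domain of the CA computer account to add (optional)
        [string] $CaComputerName                          # computer name of the CA server, e.g. CA01 (optional)
    )

    $server = (Get-ADDomain -Identity $DomainDnsName).PDCEmulator
    $group  = Get-ADGroup -Server $server -Identity 'Cert Publishers'
    $dn     = $group.DistinguishedName

    if ($group.GroupScope -ne 'DomainLocal') {
        try {
            # Direct change first (the single "dsmod group ... -scope l" case).
            if ($PSCmdlet.ShouldProcess($dn, "Change scope $($group.GroupScope) -> DomainLocal")) {
                Set-ADGroup -Server $server -Identity $dn -GroupScope DomainLocal -ErrorAction Stop
            }
        } catch {
            # The directory refused the direct change: hop through Universal, as the two dsmod steps do.
            if ($PSCmdlet.ShouldProcess($dn, 'Change scope Global -> Universal')) {
                Set-ADGroup -Server $server -Identity $dn -GroupScope Universal -ErrorAction Stop
            }
            if ($PSCmdlet.ShouldProcess($dn, 'Change scope Universal -> DomainLocal')) {
                Set-ADGroup -Server $server -Identity $dn -GroupScope DomainLocal -ErrorAction Stop
            }
        }
    }

    # A Domain Local group can hold members from a trusted domain; a member from another
    # domain is stored as a foreign security principal whose CN is the member's SID.
    if ($CaDomainDnsName -and $CaComputerName) {
        $caServer  = (Get-ADDomain -Identity $CaDomainDnsName).PDCEmulator
        $caAccount = Get-ADComputer -Server $caServer -Identity $CaComputerName
        $memberDns = @((Get-ADGroup -Server $server -Identity $dn -Properties Member).Member)
        $already   = $memberDns | Where-Object {
            $_ -eq $caAccount.DistinguishedName -or
            $_ -like "CN=$($caAccount.SID.Value),CN=ForeignSecurityPrincipals,*"
        }
        if (-not $already) {
            if ($PSCmdlet.ShouldProcess($dn, "Add member $($caAccount.DNSHostName)")) {
                Add-ADGroupMember -Server $server -Identity $dn -Members $caAccount
            }
        }
    }

    Get-ADGroup -Server $server -Identity $dn -Properties GroupScope, Member
}

# Usage (hypothetical names); run with -WhatIf first to review the planned changes.
Convert-CertPublishersToDomainLocal -DomainDnsName 'child.example.com' `
    -CaDomainDnsName 'example.com' -CaComputerName 'CA01' -WhatIf
```

Because the function supports ShouldProcess, every directory write is skipped under -WhatIf and the returned object then simply reports the current scope and membership.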

STATUS

Microsoft has confirmed that this is a problem in Windows 2000 Server and in Windows Server 2003.

MORE INFORMATION

When a user from a child domain does not succeed in enrolling, the following error is generated in the CA application event log:
Event Type:     Warning 
Event Source:   CertSvc 
Event Category: None 
Event ID:       53 
Date:           08/14/2000 
Time:           05:13:00 
User:           N/A 
Computer:       <Root CA name> 
Description: 
Certificate Services denied request <request #> because Access is denied.
0x80070005 (WIN32: 5).  The request was for (Unknown Subject).  Additional
information: Denied by Policy Module
If the ACLs are set so that the user can enroll, but the CA does not have permissions to publish to the user's Active Directory, the following error is generated in the CA application event log:
Event Type:     Error 
Event Source:   CertSvc 
Event Category: None 
Event ID:       46 
Date:           08/14/2000 
Time:           05:13:00 
User:           N/A 
Computer:       <Root CA name> 
Description: 
The "Enterprise and Stand-alone Exit Module" Exit Module "Notify" method
returned an error. Access is denied. The returned status code is
0x80070005 (5).  The Certification Authority was unable to publish the
certificate for Child\User to the Directory Service.  Access is denied.

(0x80070005)

Modification Type: Major
Last Reviewed: 8/8/2005
Keywords: kbCertServices kbprb KB281271 kbAudITPRO