Users cannot enroll for a certificate when the "Include e-mail name in subject name" option is selected on the template (330238)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q330238

SYMPTOMS

If a user tries to enroll for certificates from a Windows Server 2003 Enterprise Edition certification authority (CA) and the Include e-mail name in subject name option is selected on the template, the user cannot enroll. If the user uses the autoenrollment feature, the following event ID messages are logged in the Application Event log.

Message 1

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
User: N/A
Computer:
Description: Certificate Services denied request Request Number because the e-mail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374). The request was for User Name. Additional information: Denied by Policy Module

Message 2

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
User:
Computer:
Description: Automatic certificate enrollment for User Name failed to enroll for one Template Name certificate (0x80092004). Cannot find object or property.

CAUSE

This problem occurs because the e-mail address is not defined in the Active Directory account of the user who is trying to enroll. The LDAP mail attribute is missing from the Active Directory user account.

RESOLUTION

To resolve this problem, use Active Directory Users and Computers to define the mail attribute on the user account. To do so, follow these steps on a domain controller or a workstation that has the Active Directory administrative tools installed:
- Click Start, click Run, type dsa.msc, and then click OK.
- In Active Directory, right-click the user account, and then
click Properties.
- Type the user e-mail address in the E-mail
box.
- Click OK.
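
To find affected accounts before they try to enroll, the following added PowerShell example (not part of the original article) lists enabled users whose mail attribute is empty. The function name Get-UserWithoutMail and its SearchRoot parameter are hypothetical; the example assumes a domain-joined machine and an account that can read the directory.

```powershell
# Added example: function and parameter names are hypothetical, not from the KB article.
function Get-UserWithoutMail {
    param(
        # Optional LDAP path to limit the search
        # (constructed sample: 'LDAP://OU=Staff,DC=example,DC=com').
        [string]$SearchRoot
    )

    # Enabled user objects with no value in the LDAP "mail" attribute.
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; the value 2
    # (ACCOUNTDISABLE) in userAccountControl marks a disabled account.
    # Skipping disabled accounts is a choice made for this example.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(mail=*))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000   # page results so large domains are not truncated
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    foreach ($attr in 'samaccountname', 'distinguishedname') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are stored in lowercase.
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Every account listed here would be denied by the CA policy module (event ID 53).
Get-UserWithoutMail | Sort-Object SamAccountName | Format-Table -AutoSize
```
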
STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Major
Last Reviewed: 3/15/2005
Keywords: kbbug KB330238