MORE INFORMATION
Windows Server 2003 certificate services uses DCOM to provide its enrollment and administration services, and exposes several DCOM interfaces for that purpose. For these services to be reachable, certificate services assumes that its DCOM interfaces grant remote activation and remote access permissions to the callers that must use them. However, the default DCOM security settings are applied when you upgrade to Windows Server 2003 SP1, so you may have to update these security settings to make sure that enrollment and administration services remain available.
By default, all DCOM interfaces in Windows Server 2003 SP1 are configured to grant remote access permissions, remote launch permissions, and remote activation permissions to administrators. To keep certificate services working, the upgrade to Windows Server 2003 SP1 therefore changes the security configuration of the computer-wide DCOM restriction settings (the global DCOM limits) and of the CertSrv Request DCOM interface.
Note Any changes that have been made to the CertSrv Request DCOM
interface security settings before you install Windows Server 2003 SP1 are lost. Windows Server 2003 SP1 Setup resets all previous security settings in the CertSrv
Request DCOM interface to their default settings.
During Windows Server 2003 SP1 Setup, certificate services automatically updates the DCOM security settings as follows:
- CertSrv Request DCOM interface
  - The Everyone security group is granted local and remote access permissions.
  - The Everyone security group is granted local and remote activation permissions.
  - The Everyone security group is not granted local or remote launch permissions.
- DCOM computer restriction settings
  - A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
    If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group, and the Everyone security group is added to it.
    If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group, and the Domain Users and Domain Computers security groups from the certification authority's domain are added to it. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group yourself, because domain controllers are not members of the Domain Computers security group.
  - The CERTSVC_DCOM_ACCESS security group is granted local and remote access permissions.
  - The CERTSVC_DCOM_ACCESS security group is granted local and remote activation permissions.
  - The CERTSVC_DCOM_ACCESS security group is not granted local or remote launch permissions.
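To verify what Setup actually left in place, the following PowerShell script, added here as an example and not part of the original article, decodes the computer-wide DCOM limits and the CertSrv Request AppID's Access and Launch security descriptors from the registry into the same Local/Remote Access, Launch and Activation terms used in the list above. It assumes the CertSrv Request AppID is registered under HKEY_CLASSES_ROOT\AppID with the default value "CertSrv Request" (the name dcomcnfg shows), that the computer-wide limits live under HKLM\SOFTWARE\Microsoft\Ole, and that it runs in an elevated session on the CA; the COM_RIGHTS_* values are the documented DCOM access-mask constants.

```powershell
# Added example, not from the KB article. Decodes the DCOM ACLs that SP1 Setup is
# expected to set into the article's terms: Local/Remote Access, Launch, Activation.
# Assumptions: elevated PowerShell on the CA; the CertSrv Request AppID has the default
# value "CertSrv Request"; computer-wide limits live under HKLM\SOFTWARE\Microsoft\Ole.

# Access-mask bits used in DCOM security descriptors (the COM_RIGHTS_* constants).
$COM_RIGHTS_EXECUTE         = 1    # pre-SP1 style: when set alone it means "everything"
$COM_RIGHTS_EXECUTE_LOCAL   = 2    # Local Access (access SD) / Local Launch (launch SD)
$COM_RIGHTS_EXECUTE_REMOTE  = 4    # Remote Access (access SD) / Remote Launch (launch SD)
$COM_RIGHTS_ACTIVATE_LOCAL  = 8    # Local Activation (launch SD only)
$COM_RIGHTS_ACTIVATE_REMOTE = 16   # Remote Activation (launch SD only)

function Resolve-Sid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

# Converts one self-relative binary SD into one output row per ACE in its DACL.
function ConvertFrom-DcomSd {
    param(
        [string]$Scope,                                   # label for the report
        [byte[]]$Bytes,                                   # REG_BINARY SD, may be absent
        [ValidateSet('Access', 'Launch')][string]$Kind
    )
    if (-not $Bytes) {
        Write-Warning "$Scope ($Kind): no explicit SD; DCOM falls back to the Ole\Default*Permission value"
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $m = $ace.AccessMask
        $rights = @()
        if ($Kind -eq 'Access') {
            $refined = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE
            # A bare legacy EXECUTE bit grants both; otherwise the LOCAL/REMOTE bits decide.
            if (($m -band $COM_RIGHTS_EXECUTE) -and -not ($m -band $refined)) { $rights += 'Local Access', 'Remote Access' }
            if ($m -band $COM_RIGHTS_EXECUTE_LOCAL)  { $rights += 'Local Access' }
            if ($m -band $COM_RIGHTS_EXECUTE_REMOTE) { $rights += 'Remote Access' }
        } else {
            $refined = $COM_RIGHTS_EXECUTE_LOCAL -bor $COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_LOCAL -bor $COM_RIGHTS_ACTIVATE_REMOTE
            if (($m -band $COM_RIGHTS_EXECUTE) -and -not ($m -band $refined)) {
                $rights += 'Local Launch', 'Remote Launch', 'Local Activation', 'Remote Activation'
            }
            if ($m -band $COM_RIGHTS_EXECUTE_LOCAL)   { $rights += 'Local Launch' }
            if ($m -band $COM_RIGHTS_EXECUTE_REMOTE)  { $rights += 'Remote Launch' }
            if ($m -band $COM_RIGHTS_ACTIVATE_LOCAL)  { $rights += 'Local Activation' }
            if ($m -band $COM_RIGHTS_ACTIVATE_REMOTE) { $rights += 'Remote Activation' }
        }
        New-Object PSObject -Property @{
            Scope    = $Scope
            Identity = Resolve-Sid $ace.SecurityIdentifier
            AceType  = $ace.AceType            # AccessAllowed or AccessDenied
            Rights   = $rights -join ', '
        }
    }
}

$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
# Locate the AppID by its display name instead of hard-coding a GUID.
$appIds = @(Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue('') -eq 'CertSrv Request' })
if ($appIds.Count -eq 0) { Write-Warning 'CertSrv Request AppID not found; is Certificate Services installed?' }

$rows = @(
    ConvertFrom-DcomSd -Scope 'Computer-wide limits' -Bytes $ole.MachineAccessRestriction -Kind Access
    ConvertFrom-DcomSd -Scope 'Computer-wide limits' -Bytes $ole.MachineLaunchRestriction -Kind Launch
    foreach ($k in $appIds) {
        $p = Get-ItemProperty -Path $k.PSPath
        ConvertFrom-DcomSd -Scope "CertSrv Request $($k.PSChildName)" -Bytes $p.AccessPermission -Kind Access
        ConvertFrom-DcomSd -Scope "CertSrv Request $($k.PSChildName)" -Bytes $p.LaunchPermission -Kind Launch
    }
)
$rows | Format-Table Scope, Identity, AceType, Rights -AutoSize
```

Compare the report with the list above: Everyone and CERTSVC_DCOM_ACCESS should show Local Access, Remote Access in the Access rows and Local Activation, Remote Activation (but no Launch rights) in the Launch rows. If an AppID has no AccessPermission or LaunchPermission value, DCOM falls back to DefaultAccessPermission and DefaultLaunchPermission under the Ole key; the script reports that as a warning rather than decoding the default.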
Note If the certification authority is installed on a domain controller and the enterprise consists of more than one domain, certificate services cannot automatically update the DCOM security settings for enrollees from outside the certification authority's domain. Those enrollees are therefore denied enrollment access to the certification authority.
To resolve this issue, add the enrollees to the CERTSVC_DCOM_ACCESS security group manually. Because CERTSVC_DCOM_ACCESS is a domain local group, it can hold groups from other trusted domains. For example, if users and computers from another domain, the Contoso domain, have to enroll with the certification authority, add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
If any enrollees that should be authorized by the certification authority are denied authorization after Windows Server 2003 SP1 is installed, you can have certificate services update the DCOM security settings again. To do this, type the following commands at the command prompt, and then press ENTER after each command:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
SETUP_DCOM_SECURITY_UPDATED_FLAG is an internal certificate services registry flag (a bit in the SetupStatus value) that indicates that the DCOM security settings were successfully updated. Certificate services checks this flag every time that it starts. The first command clears the flag, and the next two stop and start certificate services; because the flag is no longer set, certificate services updates the DCOM security settings again at startup.
The following events may be logged after you install Windows Server 2003 SP1.
Event message 1
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: date
Time: time
User: N/A
Computer: computer_name
Description: Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x80070005). Access is denied. For more information, see Help and Support Center at http://support.microsoft.com.
Event message 2
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: date
Time: time
User: N/A
Computer: computer_name
Description: Automatic certificate enrollment for local system failed to enroll for one Workstation Authentication certificate (0x80070005). Access is denied. For more information, see Help and Support Center at http://support.microsoft.com.
Event message 3
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: date
Time: time
User: N/A
Computer: computer_name
Description: Automatic certificate enrollment for local system failed to enroll for one Domain Controller 2003 certificate (0x80070005). Access is denied.
When you manually request a certificate by using the Certificates snap-in, you may receive the following error message:
The certificate request failed because of one of the following conditions:
- The certificate request was submitted to a Certification Authority (CA) that is not started.
- You do not have the permissions to request certificates from the available CAs.
Note If these errors occur on a domain controller, add the Domain Controllers group to the CERTSVC_DCOM_ACCESS group. Domain controllers are not members of the Domain Computers global group, so they do not have sufficient DCOM permissions by default.
After you add the Domain Controllers group, restart the domain controller. The computer account's group memberships are evaluated when its logon token is built at startup, so the new membership does not take effect until the domain controller is restarted.
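The following PowerShell script is an added example, not part of the original article; it automates the two manual fixes this article describes: adding the missing groups to CERTSVC_DCOM_ACCESS (Domain Controllers, and the Domain Users and Domain Computers groups of other enrolling domains), then clearing SETUP_DCOM_SECURITY_UPDATED_FLAG and restarting certsvc so the CA rewrites its DCOM security settings. It assumes it is run in an elevated PowerShell session on the CA as a domain account whose $env:USERDOMAIN is the CA's domain, that -ExtraDomains carries the NetBIOS names of any other enrolling domains (CONTOSO in the comments is a placeholder), and it changes nothing unless -Apply is given.

```powershell
# Added example, not from the KB article. Audits CERTSVC_DCOM_ACCESS, adds missing
# enrollee groups, then clears SETUP_DCOM_SECURITY_UPDATED_FLAG and restarts certsvc.
# Assumptions: elevated PowerShell on the CA; $env:USERDOMAIN is the CA's domain;
# -ExtraDomains lists other enrolling domains by NetBIOS name (e.g. 'CONTOSO', a placeholder).
param(
    [string[]]$ExtraDomains = @(),
    [string]$CaDomain = $env:USERDOMAIN,
    [switch]$Apply                       # without -Apply the script only reports
)
$GroupName = 'CERTSVC_DCOM_ACCESS'

# DomainRole 4 (backup DC) or 5 (primary DC): the group is then a domain local group.
$isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4

# The WinNT provider reaches the local group on a member server and the domain group on a DC.
$groupPath = "WinNT://$env:COMPUTERNAME/$GroupName,group"
if (-not [ADSI]::Exists($groupPath)) {
    throw "$GroupName does not exist; SP1 Setup should have created it. Clear the flag and restart certsvc."
}
$group = [ADSI]$groupPath

# Current members as DOMAIN\Name strings (the provider reports them as WinNT://DOMAIN/Name).
function Get-GroupMembers([System.DirectoryServices.DirectoryEntry]$g) {
    @($g.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
}

# A required entry is either DOMAIN\Name (exact match) or a bare well-known name (match leaf).
function Test-Member([string[]]$Members, [string]$Entry) {
    if ($Entry -match '\\') { return ($Members -contains $Entry) }
    return [bool]($Members | Where-Object { ($_ -split '\\')[-1] -eq $Entry })
}

$required = @()
if ($isDc) {
    foreach ($d in (@($CaDomain) + $ExtraDomains)) {
        $required += "$d\Domain Users", "$d\Domain Computers"
    }
    # Domain controllers are not in Domain Computers, so they need their own entry.
    $required += "$CaDomain\Domain Controllers"
} else {
    $required += 'Everyone'   # member server: Setup puts Everyone in the computer local group
}

$members = Get-GroupMembers $group
$missing = @($required | Where-Object { -not (Test-Member $members $_) })
if ($missing.Count -eq 0) { "All expected members are present in $GroupName." }
foreach ($m in $missing) {
    if ($Apply) {
        # net localgroup handles both the computer local group and, on a DC, the domain local group.
        & net localgroup $GroupName $m /add | Out-Null
        if ($LASTEXITCODE -eq 0) { "Added $m to $GroupName." } else { Write-Warning "Could not add $m to $GroupName." }
    } else {
        "Missing from $($GroupName): $m (run with -Apply to add it)."
    }
}

if ($Apply) {
    # Clear the "already updated" bit so certsvc reapplies its DCOM ACLs on the next start.
    & certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
    & net stop certsvc | Out-Null
    & net start certsvc | Out-Null
    # After a successful start the bit is set again; certutil lists set SetupStatus bits by name.
    & certutil -getreg SetupStatus | Select-String 'SETUP_DCOM_SECURITY_UPDATED_FLAG'
    if ($isDc -and ($missing -match 'Domain Controllers')) {
        Write-Warning 'Domain Controllers was added: restart the domain controller so its computer token picks up the new membership.'
    }
}
```

Run it once without -Apply to see what would change, then with -Apply; if the final certutil line does not show SETUP_DCOM_SECURITY_UPDATED_FLAG, certsvc did not complete its DCOM update on restart and the Application event log should be checked for the reason.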
Technical support for x64-based versions of Microsoft Windows
If your hardware came with a Microsoft Windows x64 edition already installed, your hardware manufacturer provides technical support and assistance for the Windows x64 edition. In this case, your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation by using unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with a Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware. If you purchased a Windows x64 edition such as a Microsoft Windows Server 2003 x64 edition separately, contact Microsoft for technical support.
For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:
For more information about the DCOM security enhancements
that are introduced by Windows Server 2003 SP1, visit the following Microsoft
Web site: