Tuesday, February 7, 2012

A new Windows Server 2008 R2 Enterprise Root Certificate Authority throws the error: “No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.” when you try to request a certificate through the web enrollment webpage

Problem

Your Active Directory forest has an empty root domain and a child domain that contains your computer and user objects. You decide to deploy an Enterprise Root CA in the child domain and use it as your Certificate Authority. The installation completes, but when you log on as a domain administrator of the child domain and open the http://yourCA/certsrv web enrollment page to request a certificate, you receive the following error:

Certificate Template: (No templates found!)

No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

image

You open up Active Directory Sites and Services to check on Services –> Public Key Services –> Certificate Templates and you see the templates:

image

Solution

The reason you receive this error is that, although you installed the Enterprise Root CA in the child domain, the certificate templates live in the forest-wide Configuration partition, and by default the permissions required to see them are granted only to the Domain Admins and Enterprise Admins of the parent (root) domain. It is a bit hard to see in the screenshot below, since I had to blank out the domain name, but what you should see listed there are the domain and enterprise administrators of the root domain:

image

The screenshot below shows the permissions that the Domain Admins group of the root domain holds on the Certificate Templates container:

image

What we need to do is add the child domain's Domain Admins group to the security permissions of the Certificate Templates container and mirror the permissions that the root domain's Domain Admins group has. Keep in mind that this grants full control over every template to that group, which is a template-management right; ordinary users or computers that only need to enroll require just Read and Enroll on the specific templates, not this level of access.

image

What is also important is to change the "Apply to" drop-down menu from:

This object only

… to …

This object and all descendant objects

image

Click OK when the permissions have been set:

image

Now that you have given the child domain's Domain Admins group permissions to the templates, the error message should no longer appear when you request a certificate from the web enrollment page:

image
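As an added example that is not part of the original post, the following PowerShell script performs the same change from the command line: it reads the ACL of the Certificate Templates container in the Configuration partition, lists the existing Domain Admins entries with their inheritance scope, and adds a Full Control entry for the child domain's Domain Admins that applies to the container and all descendant objects. It assumes the ActiveDirectory RSAT module, that `child.corp.example` is a placeholder for your child domain's DNS name, and that you run it as an account allowed to modify the Configuration partition (for example a root-domain Enterprise Admin).

```powershell
# Added example, not the blog author's own script. Assumes the ActiveDirectory module (RSAT)
# and an account that can write to the Configuration partition (e.g. a root Enterprise Admin).
Import-Module ActiveDirectory

$configDn = (Get-ADRootDSE).configurationNamingContext
$tmplDn   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
$childDom = "child.corp.example"   # placeholder: DNS name of your child domain

# Resolve the child domain's Domain Admins group via its well-known RID (512).
$childSid = (Get-ADDomain -Identity $childDom).DomainSID
$daSid    = New-Object System.Security.Principal.SecurityIdentifier("$childSid-512")

# Read the current ACL of the templates container through the AD: PowerShell drive.
$acl = Get-Acl -Path "AD:\$tmplDn"

# Show which Domain Admins groups already have rights here and how far they apply.
# "This object and all descendant objects" in the GUI corresponds to InheritanceType = All.
$acl.Access |
    Where-Object { $_.IdentityReference -like '*Domain Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType

# Does the child Domain Admins group already have an entry that applies to all descendants?
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $daSid -and
    $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
}

if (-not $existing) {
    # Mirror the root Domain Admins entry: Full Control (GenericAll), Allow,
    # applied to this object and all descendant objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $daSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$tmplDn" -AclObject $acl
    Write-Output "Granted Full Control on $tmplDn (and descendants) to $childDom\Domain Admins"
} else {
    Write-Output "$childDom\Domain Admins already has an inheritable entry on $tmplDn"
}
```

Run the listing part first on its own to confirm the root domain's entry looks the way the screenshots above describe before applying the change.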

4 comments:

Anonymous said...

Thanks!

sarathy said...

Able to see only the User and EFS templates, not able to see other templates such as Web Server and so on. Any help please?

Anonymous said...

Great documentation! Very helpful

Anonymous said...

For those finding this via searching as I did, this is one of many potential issues that can cause this problem.

Another problem relates to the domain functional level. In our case, although the Domain Controller was 2012, the domain was still at a 200 level. This prevents ALL existing templates from being usable (thanks Microsoft!). The solution is to create a copy of the template you need (usually Web Server) and make sure in its properties that it is usable by 2003 and above, then make sure to "issue" the new template, and it should show up in the list if that was the problem.