
When trying to request a new certificate for DomainControllerAuthentication from our DC designated as the CA, we keep receiving an access denied error.

The following events are generated in the event viewer:

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:32 PM
Event ID:      13
Task Category: None
Level:         Error
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA (Access is denied. 0x80070005 (WIN32: 5)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="49754">13</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:32.000000000Z" />
    <EventRecordID>5750</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="TemplateName">DomainControllerAuthentication</Data>
    <Data Name="RequestId">vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA</Data>
    <Data Name="CA">N/A</Data>
    <Data Name="ErrorCode">Access is denied. 0x80070005 (WIN32: 5)</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:29 PM
Event ID:      64
Task Category: None
Level:         Information
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system successfully load policy from policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
    <EventRecordID>5749</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="ServerID">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:29 PM
Event ID:      65
Task Category: None
Level:         Information
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system is successfully authenticated by policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">65</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
    <EventRecordID>5748</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="ServerURL">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
  </EventData>
</Event>

So far we have:

  • Verified the DCOM Certificate Enrollment group members to ensure that the proper DCs and users are added to the group.
  • Verified the permissions on the CA and on the templates to ensure that the user and the DC requesting the new certificate have proper permissions to create a new certificate based on the template.
  • Ensured that no objects remain in the tree for the old lost DC that had the CA role.

However, these steps did not allow us to request new certificates...

Andrew Moore
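As an added example (not part of the question or of any answer), the following PowerShell script gathers the evidence for the three checks listed above in one pass, so the result can be read off rather than re-checked by hand in the consoles. It assumes the RSAT ActiveDirectory module is available on the DC, that the CA config string is the one shown in event 13, and that the "DCOM Certificate Enrollment group" in the question is the built-in Certificate Service DCOM Access group; the variable names and the layout of the output are my own.

```powershell
# Added example for the three checks in the question; not from the original post.
# Assumptions: RSAT ActiveDirectory module present, run on a domain-joined machine
# with read access to the Configuration partition, CA config string from event 13.
# Written to stay PowerShell 2.0 compatible (Windows Server 2008 R2).
Import-Module ActiveDirectory

$caConfig     = 'vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA'   # taken from event 13
$templateName = 'DomainControllerAuthentication'
$pkiBase      = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

# Well-known extended-right GUIDs: Certificate-Enrollment and Certificate-AutoEnrollment
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# --- 1. DCOM access to the CA ---------------------------------------------------
# Event 13 says the enrollment ran "for Local system", i.e. as the DC's computer
# account. That account (directly, or through a group such as Domain Controllers or
# Authenticated Users) is what must be covered here, not the logged-on administrator.
Write-Host '== Members of Certificate Service DCOM Access (recursive) =='
Get-ADGroupMember -Identity 'Certificate Service DCOM Access' -Recursive |
    Select-Object objectClass, name, distinguishedName |
    Format-Table -AutoSize

# Direct DCOM reachability test against the CA from this host
certutil -config $caConfig -ping

# --- 2. Template permissions ----------------------------------------------------
$tmpl = Get-ADObject -Identity "CN=$templateName,CN=Certificate Templates,$pkiBase" `
                     -Properties nTSecurityDescriptor
Write-Host "== ACEs on $templateName granting Enroll, AutoEnroll or GenericAll =="
$tmpl.nTSecurityDescriptor.Access |
    Where-Object {
        (@($enrollGuid, $autoEnrollGuid) -contains $_.ObjectType) -or
        ($_.ActiveDirectoryRights -match 'GenericAll')
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# Templates the CA itself believes it issues (CA-side view of the same question)
certutil -config $caConfig -CATemplates

# --- 3. CA objects left in the Configuration partition --------------------------
# Every pKIEnrollmentService object is a CA that clients will try to reach; one still
# pointing at the lost DC is exactly the stale object the question describes. The
# certificateTemplates attribute is that CA's issue list, so it also shows whether the
# surviving CA actually publishes $templateName.
$liveDcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }
Write-Host '== pKIEnrollmentService objects under Enrollment Services =='
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -SearchScope OneLevel `
             -Filter { objectClass -eq 'pKIEnrollmentService' } `
             -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        New-Object PSObject -Property @{
            CA                = $_.Name
            Host              = $_.dNSHostName
            HostIsLiveDC      = ($liveDcs -contains $_.dNSHostName)
            PublishesTemplate = (@($_.certificateTemplates) -contains $templateName)
        }
    } |
    Format-Table CA, Host, HostIsLiveDC, PublishesTemplate -AutoSize

# The AIA and Certification Authorities containers hold one certificationAuthority
# object per CA; a name here with no matching live CA is another leftover to review.
Write-Host '== certificationAuthority objects under AIA and Certification Authorities =='
foreach ($container in 'AIA', 'Certification Authorities') {
    Get-ADObject -SearchBase "CN=$container,$pkiBase" -SearchScope OneLevel `
                 -Filter { objectClass -eq 'certificationAuthority' } |
        Select-Object @{ n = 'Container'; e = { $container } }, Name
}
```

Two things to keep in mind when reading the output. First, because the failing enrollment runs as the DC's computer account, a group-membership change in step 1 only takes effect for that account once its Kerberos tickets are refreshed (a reboot, or purging the SYSTEM logon session's tickets with `klist -li 0x3e7 purge`), so a correct-looking membership list can still coexist with 0x80070005 until then. Second, `PublishesTemplate` being false for the surviving CA, or a second pKIEnrollmentService row whose host is not a live DC, each explain an access-denied result on their own, independent of the template ACL in step 2.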
    Andrew, are you running Windows Server 2008 R2 Standard Edition or Enterprise / Datacenter Edition? Also, are you able to request any certificates (like web server certs) or do they all fail? – Harold Wong Feb 27 '13 at 19:58
