

Troubleshoot Active Directory Certificate Services

Applies To: Windows Server 2008

This section lists a few common issues you may encounter when using the Certification Authority snap-in or working with certification authorities (CAs). For more information about troubleshooting and resolving problems with CAs, see Active Directory Certificate Services Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=89215).

What problem are you having?

  • Clients do not automatically enroll for certificates after autoenrollment is configured.

  • A CA could not be installed as an enterprise CA, or CA Web enrollment support could not be installed to recognize a stand-alone CA.

  • Error when accessing the CA Web pages.

  • A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."

  • When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."

  • An enrollment agent cannot enroll on behalf of a user for a specific certificate template.

  • Restricted certificate manager or enrollment agent operations cannot be completed after a domain is renamed.

  • I cannot add a new version 2 or version 3 certificate template to my CA.

  • I have a problem that is not listed here.

Clients do not automatically enroll for certificates after autoenrollment is configured.
  • Cause: The Group Policy setting that enables autoenrollment has not yet been applied on the client computers. Member computers refresh Group Policy in the background every 90 minutes plus a random offset of up to 30 minutes, so by default it can take up to two hours before every computer has the setting, and the autoenrollment client itself runs only at its own triggers (computer startup or user logon, every eight hours, and when a Group Policy refresh applies a change).

  • Solution: Wait for the Group Policy refresh and the next autoenrollment run, or on the client run the Gpupdate command-line tool to apply Group Policy immediately and then certutil -pulse to trigger autoenrollment without waiting. For more information, see Gpupdate (https://go.microsoft.com/fwlink/?LinkId=94248).
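The following PowerShell sequence is an added example (not part of the original page) that shows, on one client, whether the autoenrollment policy has arrived, forces the refresh, triggers autoenrollment and then checks the result. It assumes the Windows PowerShell feature is installed on the client (it is optional on Windows Server 2008) and that the prompt is elevated.

```powershell
# Added example, not Microsoft's code: diagnose "clients do not autoenroll" on one client.
# Run in an elevated Windows PowerShell prompt on the client computer.

# 1. Has Group Policy delivered the computer autoenrollment setting yet?
#    This key only exists once the policy has been applied. AEPolicy 0 = disabled,
#    7 = enabled with "renew expired/update pending" and "update templates" selected.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
if (Test-Path $aeKey) {
    $ae = Get-ItemProperty -Path $aeKey
    "Computer AEPolicy = $($ae.AEPolicy)"
} else {
    'No AutoEnrollment policy key yet: Group Policy has not been applied on this computer.'
}

# 2. Apply computer Group Policy now instead of waiting for the background refresh
#    (90 minutes plus a random offset of up to 30 minutes).
gpupdate /target:computer /force

# 3. Trigger the autoenrollment task immediately instead of waiting for the next
#    startup/logon or the eight-hour interval.
certutil -pulse

# 4. Check the outcome. Autoenrollment logs to the Application log (source name
#    matched loosely because it differs between Windows versions), and a successful
#    enrollment leaves a new certificate in the computer's Personal store.
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -like '*AutoEnrollment*' } |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-List

Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

If step 1 reports no key after gpupdate has run, the problem is Group Policy scoping or replication, not certificate services; if the key is present but step 4 shows autoenrollment errors, look at the event text, which usually names the template or CA the client could not use.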

A CA could not be installed as an enterprise CA, or CA Web enrollment support could not be installed to recognize a stand-alone CA.
  • Cause: The CA was installed by a user who is not a member of the Enterprise Admins group (or the Domain Admins group of the forest root domain); therefore, the enterprise CA option was not available and information about the CA could not be published to the Public Key Services container in Active Directory Domain Services (AD DS).

  • Solution: Log on as a user who is a member of the Enterprise Admins group (or the Domain Admins group of the forest root domain) to install the CA and CA Web enrollment support.

  • Cause: The domain was not accessible during CA setup.

  • Solution: Ensure that you have network connectivity to a domain controller during CA setup.
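The following PowerShell pre-flight check is an added example (not part of the original page) that covers both causes above before the setup wizard is run: it shows the group memberships of the installing account, confirms a domain controller can be located, and reads the Public Key Services container that an enterprise CA publishes to. The forest root name corp.example.com is a placeholder; replace it with your own.

```powershell
# Added example, not Microsoft's code: pre-flight checks for installing an enterprise CA.
# Run on the prospective CA server as the account you intend to install with.
$forestRoot = 'corp.example.com'   # placeholder: your forest root domain

# 1. Does the installing account hold Enterprise Admins, or Domain Admins in the forest root?
#    Only those groups can write the CA's objects into the Configuration partition.
whoami /groups | Select-String -Pattern 'Enterprise Admins', 'Domain Admins'

# 2. Can this server locate a domain controller for its own domain and for the forest root?
#    A failure here is the "domain was not accessible during CA setup" cause.
nltest /dsgetdc:$env:USERDNSDOMAIN
nltest /dsgetdc:$forestRoot

# 3. Can it read the forest-wide Public Key Services container? Setup registers the
#    enterprise CA under CN=Enrollment Services here and reads templates from
#    CN=Certificate Templates, so a bind failure will surface later as a setup error.
$cfgDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$cfgDn"
$pks.psbase.Children | ForEach-Object { $_.psbase.Name }
```

If step 1 prints nothing, the enterprise CA option will not be offered; if step 2 fails, fix name resolution or connectivity to a domain controller before retrying setup.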

Error when accessing the CA Web pages.
  • Cause: The user accessing the Web pages is not a member of the Administrators or Power Users group on the local computer. When a newer version of the Web enrollment software is available on the CA, the client computer must install that software. The user must be a member of the Administrators or Power Users group to install the software.

  • Solution: Log on as a user who is a member of the Administrators or Power Users group to access the Web enrollment pages and download the newer version of the software.

  • Cause: Web pages aren't installed on the CA.

  • Solution: From a command prompt on the CA, run certutil -vroot to install the Web enrollment pages.

  • Cause: Web pages do not have permissions to execute scripts.

  • Solution: From the Internet Information Services (IIS) management console, open the CertSrv virtual directory and confirm that script execution is permitted for it (in IIS 7, select Handler Mappings, then Edit Feature Permissions, and make sure Script is selected). The CertSrv folder on disk is %SystemRoot%\System32\CertSrv.
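The following PowerShell sequence is an added example (not part of the original page) that repairs and verifies the Web enrollment pages from the command line: it recreates the CertSrv virtual root, checks that the handlers for it allow script execution, and fetches the start page with Windows authentication. It assumes IIS 7 (Windows Server 2008) and uses ca01 as a placeholder CA host name.

```powershell
# Added example, not Microsoft's code: repair and check the CA Web enrollment pages.
# Run in an elevated prompt on the CA.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$caHost = 'ca01'   # placeholder: the CA's host name

# 1. (Re)create the /certsrv virtual root and its script mappings if they are missing.
certutil -vroot

# 2. Confirm the virtual directory exists ...
& $appcmd list vdir | Select-String -Pattern 'certsrv'

#    ... and that its handlers are allowed to run scripts. The accessPolicy attribute
#    of the handlers section must include 'Script'; 'Read' alone breaks the ASP pages.
& $appcmd list config "Default Web Site/CertSrv" /section:system.webServer/handlers

# 3. Fetch the start page as the logged-on user (the pages require Windows
#    authentication). An HTTP error points at IIS; the expected page contains the
#    product name, so a True result means the site itself is serving.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
$html = $wc.DownloadString("http://$caHost/certsrv/")
$html -match 'Certificate Services'
```

Running the fetch from a client rather than from the CA also shows whether the problem is the client's group membership (the ActiveX control install) or the server side: a 401 or 500 from IIS is a server problem, a page that loads but fails to enroll is a client problem.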

A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."
  • Cause: The computer account may be disabled, or the CA that issued the smart card certificate is not trusted by the computer.

  • Solution:

    1. Verify that the computer account is enabled in the domain.

    2. Use the Certificates snap-in to verify that the root CA's certificate is in the Trusted Root Certification Authorities store on the user's computer, and that any intermediate CA certificates in the smart card certificate's chain are available.

    3. Use the Certificates snap-in to verify that the domain controller has been issued a domain controller certificate that chains to a root the client trusts; smart card logon requires the domain controller, not only the user, to present a valid certificate.
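The following PowerShell sequence is an added example (not part of the original page) that performs the three checks above from the command line. WS01 and corp.example.com are placeholders for the workstation and the domain; steps 2 and 4 are meant to be run on the workstation, steps 1 and 3 from any domain-joined administrative machine.

```powershell
# Added example, not Microsoft's code: command-line checks for smart card logon failures.
$computer = 'WS01'              # placeholder: the workstation that cannot log on
$domain   = 'corp.example.com'  # placeholder: the logon domain

# 1. Is the workstation's computer account disabled? dsquery prints the account's
#    distinguished name only if it is disabled, so no output here is good.
dsquery computer -name $computer -disabled

# 2. On the workstation: does the Trusted Root store contain the root that issued
#    the smart card and domain controller certificates?
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint, NotAfter

# 3. Do the domain controllers hold a domain controller certificate that chains to a
#    trusted root? certutil -dcinfo retrieves each DC's certificates and verifies them.
certutil -dcinfo $domain verify

# 4. On the workstation, with the card inserted: show the certificates on the card,
#    whether each chains to a trusted root, and whether the private key matches.
certutil -scinfo
```

Step 3 is the one most often skipped when this message appears: the error text talks about the computer account, but a domain controller whose certificate has expired or chains to an untrusted root produces the same logon failure.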

When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."
  • Cause: The necessary security permissions are not set on the certificate templates.

  • Solution: Modify the security permissions for the certificate templates to include the child domain accounts from which you want to allow enrollment. To set access control for certificate templates, see Issuing Certificates Based on Certificate Templates.

    The CA caches template permissions, and the permission change itself must replicate between domain controllers (the child-domain client and the CA may use different ones), so you might have to wait a short period of time before the new security permissions take effect throughout the forest.
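The following PowerShell sequence is an added example (not part of the original page) that grants a child-domain group Read and Enroll on a template and then confirms that the CA and the client see the change. It assumes an Enterprise Admins account; the template name User and the group CHILD\Domain Users are placeholders.

```powershell
# Added example, not Microsoft's code: allow a child-domain group to enroll for a template.
$template = 'User'                 # placeholder: CN of the certificate template
$group    = 'CHILD\Domain Users'   # placeholder: group from the child domain

# Templates live in the forest-wide Configuration partition: there is one copy for
# the whole forest, so the ACL is the same regardless of the requester's domain.
$cfgDn  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmplDn = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgDn"

# 1. Show the current ACL. Enrollment needs generic Read plus the Enroll extended right;
#    the default ACLs only name groups from the domain where the templates were created.
dsacls $tmplDn

# 2. Grant Read (GR) and the Enroll control-access right (CA;Enroll) to the group.
dsacls $tmplDn /G "${group}:GR" "${group}:CA;Enroll"

# 3. On the CA: confirm the template is published there. On a client in the child
#    domain: confirm the template is now visible with its ACL.
certutil -catemplates
certutil -template $template

# 4. The CA caches template permissions; restarting the service reloads them now
#    instead of waiting for the cache to expire. Replication to the DC the client uses
#    still has to complete on its own.
net stop certsvc
net start certsvc
```

Grant Autoenroll (CA;AutoEnroll) as well only when the template is meant to be autoenrolled; Enroll alone is enough for manual requests and for the error message quoted above.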

An enrollment agent cannot enroll on behalf of a user for a specific certificate template.
  • Cause: Enrollment agent restrictions may have been configured to prevent the enrollment agent from enrolling for certificates based on the certificate template for this user group.

  • Solution: This behavior may be by design, if you do intend for the enrollment agent to enroll for certificates based on this certificate template or for this group of users. If it is not by design, follow the steps in Establish Restricted Enrollment Agents to configure the correct enrollment agent permissions for this group and certificate template.

  • Cause: The enrollment agent certificate's private key is held by a Cryptography Next Generation (CNG) key storage provider, and the certificate is being requested from a Windows Server 2003–based CA, which can only process requests signed with keys from a legacy cryptographic service provider (CSP).

  • Solution: Use an enrollment agent certificate whose key is stored by a legacy CSP, which is compatible with Windows Server 2003–based CAs, or request the certificate from a CA on a computer running Windows Server 2008.
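The following PowerShell snippet is an added example (not part of the original page) that lists the enrollment agent certificates in the current user's store and reports, for each, whether its private key sits in a CNG key storage provider or a legacy CSP, so the wrong certificate can be identified before retrying against a Windows Server 2003 CA. It assumes Windows PowerShell is installed on the enrollment agent's computer.

```powershell
# Added example, not Microsoft's code: which of my enrollment agent certificates use CNG keys?
$agentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent enhanced key usage

Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    # keep only certificates whose EKU extension includes Certificate Request Agent
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $agentEku })
} | ForEach-Object {
    # certutil reports the provider holding the private key; the thumbprint selects the cert.
    $info     = certutil -user -store my $_.Thumbprint
    $provider = ($info | Select-String -Pattern 'Provider =') -replace '.*Provider = ', ''
    $kind     = 'legacy CSP: usable with a Windows Server 2003 CA'
    if ($provider -match 'Key Storage Provider') {
        $kind = 'CNG KSP: request from a Windows Server 2008 CA instead'
    }
    "{0}`n  provider: {1}`n  key type: {2}" -f $_.Subject, $provider, $kind
}
```

A provider name such as Microsoft Software Key Storage Provider or Microsoft Smart Card Key Storage Provider indicates CNG; names such as Microsoft Enhanced Cryptographic Provider v1.0 or Microsoft Base Smart Card Crypto Provider are legacy CSPs.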

Restricted certificate manager or enrollment agent operations cannot be completed after a domain is renamed.
  • Cause: For restricted officer operations, a CA relies on the Security Accounts Manager (SAM) account name of the requestor that is stored in the Active Directory database to verify that the officer has rights to manage the request. That name has the form NetBIOSDomain\User, so the restricted officer check fails after a rename that changes the NetBIOS domain name (as opposed to only the DNS portion of the domain name), because the stored name no longer matches the renamed domain.

  • Solution: Disable or reconfigure the restricted officer permissions before attempting the enrollment operation again.

I cannot add a new version 2 or version 3 certificate template to my CA.
  • Cause: The CA is installed on a server running Windows Server 2008 Standard. Version 2 and version 3 certificate templates and certificate autoenrollment can only be used with CAs installed on Windows Server 2008 Enterprise or Windows Server 2008 Datacenter; a CA on Windows Server 2008 Standard can issue only from version 1 templates.

  • Solution: Upgrade to Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
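The following PowerShell snippet is an added example (not part of the original page) that shows the CA server's edition and the schema version of every template in the forest, so you can see at a glance which templates the CA's edition allows it to use. It assumes Windows PowerShell is installed on the CA and that the account can read the Configuration partition (any authenticated user can).

```powershell
# Added example, not Microsoft's code: which templates can this CA's edition use?

# 1. Edition of the CA server. Only Enterprise and Datacenter support v2/v3 templates
#    on Windows Server 2008; Standard is limited to v1 templates.
$os = Get-WmiObject Win32_OperatingSystem
"Edition: $($os.Caption)  (OperatingSystemSKU $($os.OperatingSystemSKU))"

# 2. Schema version of each template in the forest-wide Certificate Templates container:
#    1 = version 1, 2 = version 2 (Windows Server 2003 style), 3 = version 3 (CNG).
$cfgDn     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgDn"
$container.psbase.Children | ForEach-Object {
    $name    = $_.Properties['cn'].Value
    $version = $_.Properties['msPKI-Template-Schema-Version'].Value
    $note    = ''
    if ($version -gt 1) { $note = '(requires Enterprise or Datacenter)' }
    "{0,-35} v{1} {2}" -f $name, $version, $note
}

# 3. On the CA itself: the templates it is actually configured to issue.
certutil -catemplates
```

Templates that appear in step 2 but refuse to be added in step 3 on a Standard edition CA are the version 2 and 3 ones; the same container listing also tells you whether a version 3 template, and therefore a CNG key, is involved when a request to an older CA fails.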

I have a problem that is not listed here.
  • Cause: Check the event log of the server. It often contains more detailed error messages that can help you diagnose and solve the problem you are having.

  • Solution: For more information about events that are logged by Active Directory Certificate Services, see Active Directory Certificate Services Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=89215).