3.2.2.6.2.1.4.3 Verify End Entity Permissions
Input Parameters:
Input_ntSecurityDescriptor: The ntSecurityDescriptor attribute of the input template.
Input_SID: Contains the SID of the end entity requesting the certificate based on the input template.
Output Parameters:
TRUE or FALSE
Processing Rules:
The server MUST verify that the requester is allowed to enroll for the identified certificate template by following these steps:
1. Invoke the processing rules in "Determining enrollment permission of an end entity for a template", as specified in [MS-CRTD] section 2.5.1, by setting Template_ntSecurityDescriptor equal to Input_ntSecurityDescriptor and Requester_SID equal to Input_SID.
2. If the enrolling entity does not have the Enroll permission, as determined in the previous step, the CA MUST reject the request. The returned error code MUST be 0x80094012 (CERTSRV_E_TEMPLATE_DENIED).
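The following Python sketch is an added illustration, not part of this specification and not the text of the [MS-CRTD] section 2.5.1 algorithm. It models the Enroll check as a first-match walk over a template DACL given in SDDL form. Assumptions: the descriptor is supplied as an SDDL string, the requester is passed as a set of SIDs (its own plus group SIDs), Enroll is the Certificate-Enrollment control access right, and every SID and the sample descriptor are constructed values.

```python
import re

ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # Certificate-Enrollment extended right
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000        # SDDL "CR" and "GA"
SDDL_RIGHTS = {"CR": CONTROL_ACCESS, "GA": GENERIC_ALL}
CERTSRV_E_TEMPLATE_DENIED = 0x80094012

def _pairs(s):
    # SDDL flags and rights are runs of two-letter codes, e.g. "CIIO".
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _mask(rights):
    # Rights are either a hex mask or two-letter codes; unknown codes add nothing.
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in _pairs(rights):
        mask |= SDDL_RIGHTS.get(code, 0)
    return mask

def parse_dacl(sddl):
    """Return DACL ACEs in order as (type, flags, mask, object_guid, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = re.findall(r"\(([^)]*)\)", m.group(1)) if m else []
    out = []
    for ace in aces:
        f = ace.split(";")
        if len(f) >= 6:
            out.append((f[0], set(_pairs(f[1])), _mask(f[2]), f[3].lower(), f[5]))
    return out

def verify_end_entity_permissions(input_nt_security_descriptor, input_sids):
    """TRUE/FALSE: the first ACE covering Enroll for the requester decides."""
    for ace_type, flags, mask, guid, trustee in parse_dacl(input_nt_security_descriptor):
        if ace_type not in ("A", "D", "OA", "OD") or "IO" in flags:
            continue  # not an allow/deny ACE, or inherit-only
        if trustee not in input_sids or guid not in ("", ENROLL_GUID):
            continue  # other trustee, or scoped to a different extended right
        if mask & (CONTROL_ACCESS | GENERIC_ALL):
            return ace_type in ("A", "OA")
    return False  # no ACE grants Enroll

def handle_request(input_nt_security_descriptor, input_sids):
    # Hypothetical wrapper: 0 on success, otherwise the error code from step 2.
    ok = verify_end_entity_permissions(input_nt_security_descriptor, input_sids)
    return 0 if ok else CERTSRV_E_TEMPLATE_DENIED

# Constructed sample: deny Enroll to one user, allow it to a group, read-only for a third SID.
SAMPLE_SDDL = ("O:S-1-5-21-1-2-3-512G:S-1-5-21-1-2-3-512D:PAI"
               "(OD;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1-2-3-513)"
               "(A;;0x20094;;;S-1-5-11)")
```

When auditing templates with a model like this, an allow ACE that carries the control access right with an empty object GUID deserves attention, because it covers every extended right on the template, Enroll included.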