You Cannot Register a User Certificate for Message Queuing

Applies To: Windows Server 2008

Describes a specific problem with Message Queuing. Includes step-by-step instructions for fixing the problem.

This problem typically occurs when you attempt to register a user certificate for use with Message Queuing: the registration attempt fails.

Diagnosis

  • By default, users have permission to register certificates for Message Queuing. However, if default user permissions are changed, this might affect your ability to register certificates. For registering certificates, the user object requires the Write Personal Information permission in Active Directory Domain Services.

  • Active Directory Domain Services sets a multi-valued attribute limit of approximately 800 user certificates for a specific user account. This limit can be exceeded when obsolete user certificates have not been deleted from Active Directory Domain Services. If multiple certificates exist for a user account, only the latest is used, and obsolete certificates can be deleted.
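Both conditions above can be checked from PowerShell before changing anything. The script below is an added example, not code from the original page or from Microsoft. It assumes the ActiveDirectory module is available, uses the placeholder account name `jdoe`, and assumes that `mSMQDigests` is the multi-valued attribute holding one value per registered Message Queuing certificate.

```powershell
# Added example; not from the original page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'    # placeholder account name, replace with the affected user
$CertLimit      = 800       # approximate multi-valued attribute limit stated on this page

# rightsGuid of the Personal-Information property set
# ("Write Personal Information" on the Security tab).
$PersonalInfo = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$WriteProp    = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Assumption: mSMQDigests holds one value per registered Message Queuing certificate.
$user = Get-ADUser -Identity $SamAccountName -Properties mSMQDigests
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

# ACEs that affect writes to the property set: either scoped to the property
# set itself, or unscoped (empty ObjectType) and therefore covering all properties.
$aces = $acl.Access | Where-Object {
    (([int]$_.ActiveDirectoryRights -band $WriteProp) -ne 0) -and
    ($_.ObjectType -eq $PersonalInfo -or $_.ObjectType -eq [guid]::Empty)
}

$aces | Sort-Object AccessControlType, IdentityReference |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize

if (-not ($aces | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    Write-Warning "No Allow ACE grants write access to Personal Information on $SamAccountName."
}
if ($aces | Where-Object { $_.AccessControlType -eq 'Deny' }) {
    Write-Warning "A Deny ACE covers Personal Information writes; review it before adding an Allow."
}

# Compare the stored certificate count with the limit described above.
$count = @($user.mSMQDigests).Count
"{0} has {1} Message Queuing certificate digest(s) in Active Directory." -f $SamAccountName, $count
if ($count -ge ($CertLimit * 0.9)) {
    Write-Warning "Certificate count is near the limit of about $CertLimit; delete obsolete certificates."
}
```

The table lists matching ACEs for every trustee on the user object, so confirm that one of the Allow entries applies to the account that performs the registration.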

Resolution

Follow these steps to grant the appropriate permissions in Active Directory Domain Services and to delete obsolete user certificates from Active Directory Domain Services.

To grant the user object the Write Personal Information permission in Active Directory Domain Services

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Expand Users, right-click the user whose permissions you want to modify, and then click Properties.

  3. Click the Security tab.

  4. Under Group or user names, click the user whose permissions you want to modify, click to select the Write Personal Information check box under Allow, and then click OK.

Note

If the user whose permissions you want to modify does not appear under Group or user names, click Add to display the Select Users, Computers, or Groups dialog box, enter the name of the user, and click OK.

  5. Quit Active Directory Users and Computers.

To delete obsolete user certificates from Active Directory Domain Services

Verification

Follow the steps in Register Certificates for Message Queuing to register a user certificate for Message Queuing.

See Also

Concepts

Authentication for Message Queuing