Certificate Services Troubleshooting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting

What problem are you having?

  • Clients do not automatically enroll for certificates after autoenrollment is configured.

  • General troubleshooting for a certification authority (CA).

  • Error when accessing the certification authority Web pages.

  • Web pages on an enterprise certification authority (CA) either don't generate certificates or generate certificates that are not valid.

  • Can't log into certification authority (CA) Web pages.

  • Certification authority (CA) Web enrollment pages that are installed on a remote server other than the CA do not work.

  • Internet Information Services (IIS) 4.0 and Certificate Server 1.0 cannot enroll for certificates using Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition Certificate Services Web pages.

  • A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."

  • After renewing a CA, computers are no longer automatically enrolling for certificates from that CA.

  • When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."

Clients do not automatically enroll for certificates after autoenrollment is configured.

Cause:  The Group Policy settings that configure autoenrollment have not yet been applied on the client computers. Computers refresh Group Policy in the background every 90 minutes plus a random offset of up to 30 minutes, so a new setting can take up to 120 minutes to reach every computer (longer if the Group Policy object itself has not yet replicated to the domain controller the client uses).

Solution:  Wait for the Group Policy refresh to complete, or run gpupdate /force on the client to apply the policy immediately. Gpupdate refreshes policy on the computer where it runs; it does not speed up replication between domain controllers.
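The following Windows PowerShell script is an added example (it is not part of this page and not Microsoft's code) of how to check an autoenrollment problem end to end from the client: it forces the policy refresh, confirms that the autoenrollment policy value has actually arrived, triggers autoenrollment without waiting for the next refresh, and then shows what autoenrollment logged. It assumes Windows PowerShell is installed on the client, that it runs as a local administrator, and, if you want the CA's published templates listed, that you supply the CA configuration string in the hypothetical $CAConfig parameter.

```powershell
# Added example, not Microsoft's code. Run on the client as a local administrator.
param(
    [switch]$User,               # also check and pulse user autoenrollment
    [string]$CAConfig = ''       # optional "CAHostName\CA Common Name" (placeholder)
)

# 1. Apply Group Policy now instead of waiting for the background refresh
#    (90 minutes plus a random offset of up to 30 minutes).
& gpupdate.exe /target:computer /force | Out-Null
if ($User) { & gpupdate.exe /target:user /force | Out-Null }

# 2. Confirm the autoenrollment policy has actually arrived. The Group Policy
#    setting is stored as the AEPolicy value; bit 0x8000 set means "disabled".
function Get-AutoEnrollState([string]$hive) {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -eq $null -or $p.AEPolicy -eq $null) { return 'not configured (policy not applied yet?)' }
    if ($p.AEPolicy -band 0x8000) { return 'disabled by policy' }
    return ('enabled (AEPolicy = 0x{0:X})' -f $p.AEPolicy)
}
Write-Host ("Computer autoenrollment: " + (Get-AutoEnrollState 'HKLM:'))
if ($User) { Write-Host ("User autoenrollment:     " + (Get-AutoEnrollState 'HKCU:')) }

# 3. Trigger autoenrollment immediately rather than waiting for the next
#    policy refresh or logon; certutil -pulse fires the autoenrollment event.
$since = Get-Date
& certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 30   # give the autoenrollment thread time to contact the CA

# 4. What did it do? Autoenrollment writes to the Application log with the
#    source "AutoEnrollment"; an error here (no CA found, access denied,
#    template not published) says why nothing was issued.
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -eq 'AutoEnrollment' -and $_.TimeGenerated -ge $since } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap

# 5. Templates the CA is actually publishing; a template that is not listed
#    here cannot be autoenrolled no matter what the policy says.
if ($CAConfig) { & certutil.exe -catemplates -config $CAConfig }
```

If step 2 reports "not configured" after gpupdate has run, the problem is still on the Group Policy side (wrong GPO scope or replication) rather than on the CA.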

General troubleshooting for a certification authority (CA).

Check the Application event log on the server. It often records a more detailed error than the one shown by the procedure you are attempting.

For more information about Certificate Services logging, see article Q305018, "How to Change the Event Logging Level for Certificate Services," in the Microsoft Knowledge Base.
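As an added example (not part of this page and not Microsoft's code), the following Windows PowerShell script raises the Certificate Services logging level described in Q305018, restarts the service so the new level takes effect, and then lists the events Certificate Services has written since the restart. It assumes Windows PowerShell is installed on the CA and that it runs as a local administrator; the registry value CA\LogLevel and the event source name CertSvc are those used by Certificate Services on Windows Server 2003.

```powershell
# Added example, not Microsoft's code. Run on the CA as a local administrator.
param(
    [int]$Level = 4    # 0 = minimal ... 4 = verbose (see Q305018)
)

# Remember the current level so it can be put back after troubleshooting.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty $regPath).Active          # common name of the active CA
$caKey   = Join-Path $regPath $caName
$old     = (Get-ItemProperty $caKey -ErrorAction SilentlyContinue).LogLevel
Write-Host "CA '$caName': LogLevel was '$old', setting $Level"

# certutil writes the value; the service reads it only when it starts.
& certutil.exe -setreg CA\LogLevel $Level | Out-Null
$restartedAt = Get-Date
Restart-Service certsvc

# Show everything Certificate Services logged since the restart.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq 'CertSvc' -and $_.TimeGenerated -ge $restartedAt } |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap

Write-Host "When finished, restore with: certutil -setreg CA\LogLevel $old (then restart certsvc)"
```

Reproduce the failing procedure after the restart and run the Get-EventLog part again; verbose logging is noisy, so put the old level back when you are done.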

Error when accessing the certification authority Web pages.

Cause:  The user accessing the Web pages is not a member of the Administrators or Power Users group on the local computer. The Web enrollment pages rely on a client-side enrollment control (an ActiveX control), and when the CA offers a newer version of that control the client computer must install it. Only a member of the Administrators or Power Users group can install the control.

Solution:  Log on as a user who is a member of the Administrators or Power Users group, open the Web enrollment pages once so that the newer version of the control is downloaded and installed, and then log on again as the ordinary user.

Cause:  Web pages aren't installed on the certification authority (CA).

Solution:  From the command prompt on the CA, run certutil -vroot to install the Web enrollment pages.

Cause:  The CertSrv virtual directory does not have execute permission for scripts.

Solution:  In Internet Information Services (IIS) Manager, open the properties of the CertSrv virtual directory and confirm that Execute Permissions is set to Scripts only. The CertSrv folder is:

%systemroot%\System32\Certsrv

Web pages on an enterprise certification authority (CA) either don't generate certificates or generate certificates that are not valid.

Cause:  For an enterprise CA, the Web pages require that the user be authenticated, because the CA checks the requester's template permissions and builds the certificate subject from the requester's Active Directory account. If the pages are set to allow anonymous connections, the request reaches the CA without a usable identity, and the CA either does not generate a certificate or generates one that is not valid.

Solution:  See Set security for access to certification authority Web pages.

Can't log into certification authority (CA) Web pages.

Cause:  If the Web pages negotiate Basic authentication with the browser (which is what happens with browsers that do not support Integrated Windows authentication, such as Netscape), IIS logs the user on with the supplied password, so the user account must have the Allow log on locally user right on the server hosting the CA.

Solution:  By default on a domain controller, only the built-in administrative groups have this user right. If users with other browsers, such as Netscape, must use the pages, grant the Allow log on locally right on the server hosting the CA to the users or groups that need access.

Certification authority (CA) Web enrollment pages that are installed on a remote server other than the CA do not work.

Cause:  The pages are set to use NTLM authentication instead of Basic authentication. NTLM cannot forward the user's credentials from the Web server to a second computer, so a request from a remote Web enrollment server arrives at an enterprise CA without the user's identity.

Solution:  If the Web pages are located on a different server than the CA, and the CA is an enterprise CA, set the pages to use Basic authentication rather than NTLM; with Basic authentication the Web server holds the user's password and can submit the request to the CA as that user. Because Basic authentication sends the password in the clear, also require Secure Sockets Layer (SSL) on these pages to protect the passwords. See the Internet Information Services (IIS) documentation to change these settings.
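The following Windows PowerShell script is an added example (not part of this page and not Microsoft's code) that audits, and optionally corrects, the CertSrv virtual directory settings discussed in the three preceding problems: that the virtual directory exists, that it has execute permission for scripts, that anonymous access is off for an enterprise CA, and, for a remote Web enrollment server, that Basic rather than NTLM authentication is used and SSL is required. It assumes the IIS 6.0 metabase ADSI provider, Web site instance 1 (the Default Web Site), the vroot name CertSrv that certutil -vroot creates, and that it runs on the Web server as a local administrator.

```powershell
# Added example, not Microsoft's code. Run on the Web server as a local administrator.
param(
    [switch]$RemoteFrontEnd,   # the pages are on a server other than the CA
    [switch]$Fix               # write corrections instead of only reporting
)

$vpath = 'IIS://localhost/W3SVC/1/Root/CertSrv'
if (-not [ADSI]::Exists($vpath)) {
    Write-Warning 'The CertSrv virtual directory does not exist.'
    if ($Fix) { & certutil.exe -vroot } else { Write-Host 'Run "certutil -vroot" on the CA to create it.' }
    return
}
$vdir = [ADSI]$vpath

# metabase property, wanted value, why this page cares
$checks = @(
    @('AccessScript',  $true,  'execute permission for scripts on the CertSrv folder'),
    @('AuthAnonymous', $false, 'an enterprise CA needs an authenticated requester')
)
if ($RemoteFrontEnd) {
    $checks += ,@('AuthBasic', $true,  'a remote front end must use Basic authentication')
    $checks += ,@('AuthNTLM',  $false, 'NTLM cannot forward the user to the CA')
    $checks += ,@('AccessSSL', $true,  'Basic sends the password, so require SSL')
}

$problems = 0
foreach ($c in $checks) {
    $name, $want, $why = $c
    $have = [bool]$vdir.Properties[$name].Value
    if ($have -eq $want) { Write-Host ("OK    {0,-14} = {1}" -f $name, $have); continue }
    $problems++
    Write-Host ("FIX   {0,-14} = {1} (want {2}): {3}" -f $name, $have, $want, $why)
    if ($Fix) { $vdir.Put($name, $want); $vdir.SetInfo() }
}

# Requiring SSL is useless unless the Web site actually has an SSL binding.
if ($RemoteFrontEnd) {
    $site = [ADSI]'IIS://localhost/W3SVC/1'
    if (-not $site.Properties['SecureBindings'].Value) {
        $problems++
        Write-Host 'FIX   the Web site has no SSL binding; install a server certificate first'
    }
}
Write-Host "$problems problem(s) found"
```

Run it without switches first to see the current state; add -RemoteFrontEnd on a server that only hosts the pages, and -Fix once you agree with the reported changes.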

Internet Information Services (IIS) 4.0 and Certificate Server 1.0 cannot enroll for certificates using Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition Certificate Services Web pages.

Cause:  IIS 4.0 and Certificate Server 1.0 can process only a single certificate; they cannot process the certification path (the certificate together with its chain) that the Windows Server 2003 Certificate Services Web pages return.

Solution:  Use the command-line utility Certreq to submit the request and retrieve the certificate.

A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."

Cause:  The computer account may be disabled or the CA that issued the smart card certificate is not trusted by the computer.

Solution:

  1. Make sure that the computer account is enabled in the domain.

  2. Use the Certificates snap-in to verify that the root CA's certificate is in the Trusted Root Certification Authorities store on the user's computer.

  3. Use the Certificates snap-in to verify that the domain controller has been issued a domain controller certificate that can be verified to a trusted root.
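The following Windows PowerShell script is an added example (not part of this page and not Microsoft's code) that performs the three checks above from the workstation where the smart card logon fails, plus a check of the smart card certificate chain itself. It assumes Windows PowerShell on the workstation, that it runs as a local administrator, that nltest.exe from the Windows Server 2003 Support Tools is installed, and that you pass the SHA-1 thumbprint of your root CA certificate in the placeholder parameter $RootThumbprint.

```powershell
# Added example, not Microsoft's code. Run on the failing workstation as a local administrator.
param(
    [string]$RootThumbprint,              # SHA-1 thumbprint of the root CA certificate (placeholder)
    [string]$Domain = $env:USERDOMAIN
)

# 1. Computer account: a disabled or reset account shows up as a broken
#    secure channel between this computer and a domain controller.
Write-Host "--- secure channel to $Domain"
& nltest.exe /sc_query:$Domain

# 2. Root CA certificate in the computer's Trusted Root Certification Authorities store.
Write-Host '--- trusted root'
$wanted = $RootThumbprint -replace ' ', ''
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted }
if ($root) { Write-Host "found: $($root.Subject)" }
else       { Write-Warning "root CA $RootThumbprint is NOT in LocalMachine\Root" }

# 3. The certificates on the inserted smart card, with chain verification,
#    as the logon code will see them.
Write-Host '--- smart card certificates'
& certutil.exe -scinfo

# 4. Every domain controller's certificate, verified to a trusted root.
Write-Host '--- domain controller certificates'
& certutil.exe -dcinfo $Domain
```

Read the four sections in order: a broken secure channel points at the computer account, a missing root at the workstation's trust store, and errors in the last two sections at the smart card certificate or the domain controller certificate respectively.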

After renewing a CA, computers are no longer automatically enrolling for certificates from that CA.

Cause:  CA renewal requires that all automatic certificate enrollment objects that enroll for certificates from that CA be recreated.

Solution:  See Create an automatic certificate request for computers in a Group Policy object.

When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."

Cause:  The accounts in the child domain do not have the required security permissions (Read and Enroll) on the certificate templates.

Solution:  Modify the security permissions for the certificate templates to include the child domain accounts or groups from which you want to allow enrollment. To set access control for certificate templates, see Controlling enrollment access to certificate templates. Certificate templates are stored in the Configuration partition of Active Directory, so the change must replicate to the domain controllers in the child domain, and the CA caches template access-control information; allow a short time for replication and for the caches to expire (or restart Certificate Services on the CA) before expecting the new permissions to take effect.
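The following Windows PowerShell script is an added example (not part of this page and not Microsoft's code) that lists which security principals hold the Enroll right on a template and, optionally, grants Read and Enroll to a group from the child domain. It reads and writes the template object directly in the Configuration partition through System.DirectoryServices, so it assumes it runs as an Enterprise Admin; $Template and $Grantee are placeholders for your template's common name and for the child-domain group, and -RestartCA only makes sense when the script runs on the CA itself.

```powershell
# Added example, not Microsoft's code. Run as an Enterprise Admin.
param(
    [string]$Template = 'User',          # common name (cn) of the template (placeholder)
    [string]$Grantee  = 'CHILD\CertUsers', # child-domain group to allow (placeholder)
    [switch]$Grant,                      # add Read + Enroll for $Grantee
    [switch]$RestartCA                   # drop the CA's template cache (run on the CA)
)
$ADRights    = [System.DirectoryServices.ActiveDirectoryRights]
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$config = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$tmpl   = [ADSI]"LDAP://CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$sd     = $tmpl.ObjectSecurity        # System.DirectoryServices.ActiveDirectorySecurity

function Show-Enrollers {
    Write-Host "Allow ACEs that grant Enroll on template '$Template':"
    foreach ($r in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $ext = ($r.ActiveDirectoryRights -band $ADRights::ExtendedRight) -ne 0
        $all = ($r.ActiveDirectoryRights -band $ADRights::GenericAll) -eq $ADRights::GenericAll
        # ExtendedRight scoped to Enroll, ExtendedRight with no GUID (all extended
        # rights) or GenericAll each satisfy the CA's Enroll check.
        if ($all -or ($ext -and ($r.ObjectType -eq $EnrollRight -or $r.ObjectType -eq [Guid]::Empty))) {
            Write-Host ("  {0}" -f $r.IdentityReference)
        }
    }
}

Show-Enrollers
if ($Grant) {
    $id = New-Object System.Security.Principal.NTAccount($Grantee)
    # Read lets the account see the template; Enroll is the right checked at request time.
    $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id, $ADRights::GenericRead, 'Allow')))
    $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id, $ADRights::ExtendedRight, 'Allow', $EnrollRight)))
    $tmpl.CommitChanges()
    Write-Host "Granted Read + Enroll on '$Template' to $Grantee"
    Show-Enrollers
}

# The change still has to replicate to the child domain's domain controllers,
# and the CA caches template ACLs; restarting Certificate Services drops that cache.
if ($RestartCA) { Restart-Service certsvc }
```

Run it without -Grant first to see who can enroll today; if the child-domain accounts are missing from the list, that is the cause of the "No template could be found" error.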