Microsoft KB Archive/321953

= XCCC: "Your Certificate Request was Denied" Error Message Occurs When You Request a Certificate for Secure Conferences =

Article ID: 321953

Article Last Modified on 10/28/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Exchange 2000 Conferencing Server Service Pack 1
 * Microsoft Exchange 2000 Conferencing Server Service Pack 2
 * Microsoft Exchange 2000 Conferencing Server Service Pack 3

-



This article was previously published under Q321953



SYMPTOMS
Participating in secure online conferences requires that users request and install a certificate from a certification authority (CA) for use with the Exchange 2000 Conferencing Server computer. This configuration can be particularly difficult when the users who participate are contained in a trusted Microsoft Windows NT 4.0 domain.

When you try to request a certificate through Microsoft Internet Explorer from a CA in a Microsoft Windows 2000 forest or domain where the Conferencing Server computer resides by using an account from a trusted Windows NT 4.0 domain, you may receive the following error message:

Certificate Request Denied

Your certificate request was denied.

Contact your administrator for further information.



CAUSE
This behavior can occur because Enterprise CAs can only issue certificates to users who are members of the forest.



WORKAROUND
To work around this behavior and permit Windows NT 4.0 users to participate in secure online conferences from their native Windows NT 4.0 domain, follow these steps:

 1. Install a Windows 2000 member server into the Windows NT 4.0 domain.
 2. Install a Stand-alone Root CA service on the member server.
 3. Manually export the member server's CA certificate:
    a. Start the Certification Authority snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
    b. Under Certification Authority, right-click the server object, and then click Properties.
    c. Click View Certificate, and then click the Details tab.
    d. Click Copy to File, and then follow the steps of the Certificate Export Wizard, accepting all of the default settings, to create a copy of the CA file.

    NOTE: The file is created in the My Documents folder.
 4. Manually import the member server's CA certificate into the Enterprise Root CA's Trusted Root Certificate store, located in the Windows 2000 forest or domain:
    a. Start the Active Directory Users and Computers snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    b. Right-click the domain object, and then click Properties.
    c. Click the Group Policy tab, click the appropriate Group Policy Object to be applied, and then click Edit.
    d. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Trusted Root Certification Authorities.
    e. Right-click this object, point to All Tasks, and then click Import.
    f. Follow the steps of the Certificate Import Wizard, accepting all default settings, to import the file that you exported from the member server.

    NOTE: The file is imported into the Trusted Root Certification Authorities store.
 5. From a Windows NT 4.0 client, request a certificate from the stand-alone root CA's certificate request Web site (for example, http:// /certsrv).
 6. Manually issue the certificate to the client from the stand-alone root CA computer:
    a. On the Windows 2000 member server, start the Certification Authority snap-in.
    b. Expand the certificate server object, and then click Pending Requests.
    c. Right-click the appropriate pending CA request, point to All Tasks, and then click Issue.
 7. From the client, revisit the stand-alone root CA's certificate request Web site, verify the status of the certificate, and then click Install.

After you complete these steps, a Windows NT 4.0 user can participate in secure conferences hosted on a Conferencing Server computer in a forest or domain outside the user's own.


STATUS
This behavior is by design.

Additional query words: exch2kp2w

Keywords: kberrmsg kbnofix kbprb KB321953

-


© Microsoft Corporation. All rights reserved.