Microsoft KB Archive/313629

= A custom smart card template is unavailable on the smart card enrollment station =

Article ID: 313629

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q313629



SYMPTOMS
A custom Version 2 template for smart card logon is unavailable for enrollment on the smart card enrollment station Web pages.



CAUSE
This problem occurs if the following conditions are true:
 * The certificate template has been configured to use the CA certificate manager approval option on the Issuance Requirements tab of the template properties dialog box.
 * The certificate template has not been set to require exactly one signature of an authorized certificate request agent. The smart card enrollment station ignores any templates that do not require exactly one authorized signature.

Because of these conditions, the Version 2 Smart Card logon template may not appear in the Web page when you click the Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station link. The smart card enrollment Web page does not support pending requests. If you want to implement pending approvals, you must write your own enrollment application code. Or, use a solution such as the Certificate Lifecycle Manager (CLM).



RESOLUTION
To resolve this problem, edit the custom template so that the issuance requirements are set to require exactly one signature. To do this, follow these steps:
 * 1) Log on as an enterprise administrator to the computer from which you administer your PKI infrastructure.
 * 2) Click Start, click Run, type mmc, and then click OK.
 * 3) On the File menu, click Add/Remove Snap-in.
 * 4) Click Add.
 * 5) Click Certificate Templates, click Add, and then click Close.
 * 6) Right-click the template that you want to edit, and then click Properties.
 * 7) Click the Issuance Requirements tab, click to clear the CA certificate manager approval check box.
 * 8) Click to select the This number of authorized signatures check box. Then, make sure that the value is set to 1.



STATUS
This behavior is by design.

Additional query words: enroll on behalf of EOBO sc smartcard

Keywords: kbtshoot KB313629

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.