Microsoft KB Archive/278257

= Requests for Certificates from an Enterprise Certificate Authority Are Unsuccessful =

Article ID: 278257

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q278257



SYMPTOMS
If Read permissions are removed from the Authenticated Users group on a certificate template, all requests for certificates from an enterprise Certificate Authority (CA) are unsuccessful.



CAUSE
This issue occurs because the Authenticated Users group is on a template access control list (ACL) by default. The enterprise CA is included in this group.

If the Authenticated Users group is removed from a template ACL, the CA can no longer read the template in Active Directory, and therefore all certificate requests are unsuccessful.



STATUS
This behavior is by design.



MORE INFORMATION
If you are an administrator and you want to remove the Authenticated Users group from the ACL, follow these steps:
 * 1) Add every CA computer account to the template ACLs, and then grant them Read permissions.
 * 2) Give any users, groups, or computers that need to enroll with that template Enroll permissions.
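The two steps above as a single ACL update, written as an added example (not part of the original article or Microsoft's own tooling). It assumes a management host with the ActiveDirectory PowerShell module, a single-domain forest, and rights to edit the Configuration partition; the template and group names are hypothetical placeholders. Authenticated Users is purged only after the CA and enrollee entries have been added, and everything is written in one `Set-Acl` call.

```powershell
# Added example. Values marked "hypothetical" are placeholders, not from the article.
Import-Module ActiveDirectory

$templateName = 'ExampleTemplate'            # hypothetical template CN
$enrollers    = 'CONTOSO\Example Enrollers'  # hypothetical group that needs to enroll

$configNC     = (Get-ADRootDSE).configurationNamingContext
$pks          = "CN=Public Key Services,CN=Services,$configNC"
$templatePath = "AD:\CN=$templateName,CN=Certificate Templates,$pks"

# Enterprise CAs are published in AD as pKIEnrollmentService objects.
$cas = @(Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName)
if ($cas.Count -eq 0) { throw 'No enterprise CA found; leaving the ACL unchanged.' }

$acl   = Get-Acl -Path $templatePath
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$xr    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# GUID of the Certificate-Enrollment ("Enroll") extended right.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Step 1: grant Read to every CA computer account.
foreach ($ca in $cas) {
    # Assumes the CA's computer account is in the current domain.
    $computer = Get-ADComputer -Filter "DNSHostName -eq '$($ca.dNSHostName)'"
    if (-not $computer) { throw "No computer account for $($ca.dNSHostName); aborting." }
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computer.SID, $read, $allow)))
}

# Step 2: grant Enroll to the principals that need this template.
# Read is added as well (an assumption beyond the article's text): without
# Authenticated Users on the ACL, enrollees no longer inherit Read from it.
$group = New-Object System.Security.Principal.NTAccount($enrollers)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group, $read, $allow)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group, $xr, $allow, $enrollRight)))

# Only after the replacements are in place: drop Authenticated Users (S-1-5-11).
$authUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$acl.PurgeAccessRules($authUsers)

# Write the modified ACL back in a single operation.
Set-Acl -Path $templatePath -AclObject $acl
```

Because the script aborts before `Set-Acl` if any CA computer account cannot be resolved, the template is never left without a Read entry for a CA that issues from it.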

Keywords: kbbug kbcertservices KB278257


© Microsoft Corporation. All rights reserved.