Microsoft KB Archive/330238

= Users cannot enroll for a certificate when the "Include e-mail name in subject name" option is selected on the template =

Article ID: 330238

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q330238



SYMPTOMS
If a user tries to enroll for certificates from a Windows Server 2003 Enterprise Edition certification authority (CA) and the "Include e-mail name in subject name" option is selected on the template, the user cannot enroll. If the user uses the autoenrollment feature, the following event ID messages are logged in the Application Event log.

Message 1

Event Type: Warning

Event Source: CertSvc

Event Category: None

Event ID: 53

User: N/A

Computer:

Description:

Certificate Services denied request  because the e-mail name is unavailable and cannot be added to the Subject or Subject Alternate name. 0x80094812 (-2146875374). The request was for. Additional information: Denied by Policy Module

Message 2

Event Type: Error

Event Source: AutoEnrollment

Event Category: None

Event ID: 13

User:

Computer:

Description:

Automatic certificate enrollment for  failed to enroll for one   certificate (0x80092004). Cannot find object or property.



CAUSE
This problem occurs because the e-mail address is not defined in the Active Directory account of the user who is trying to enroll. The LDAP mail attribute is missing from the Active Directory user account.



RESOLUTION
To resolve this problem, use Active Directory Users and Computers to define the mail attribute on the user account. To do so, follow these steps on a domain controller or a workstation that has the Active Directory administrative tools installed:
 * 1) Click Start, click Run, type dsa.msc, and then click OK.
 * 2) In Active Directory, right-click the user account, and then click Properties.
 * 3) Type the user e-mail address in the E-mail box.
 * 4) Click OK.
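
Before selecting the e-mail option on a template, it helps to know which accounts would be denied for the cause described above. The following is an added example, not part of the original article: it lists enabled user accounts whose mail attribute is empty, assuming a domain-joined machine with read access to the directory; the function name and the sample search path are hypothetical.

```powershell
# Added example (not from the KB article): list enabled user accounts whose
# 'mail' attribute is empty. Assumes a domain-joined machine and read access
# to the directory; the function name Get-UserWithoutMail is hypothetical.
function Get-UserWithoutMail {
    param(
        # Optional LDAP path such as 'LDAP://OU=Staff,DC=example,DC=com'
        # (constructed placeholder). Default: the current domain root.
        [string]$SearchRoot
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }

    # User objects only, mail attribute absent, account not disabled
    # (ACCOUNTDISABLE flag, value 2, tested with the LDAP bitwise-AND rule).
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(!(mail=*))' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 500   # page results so large domains are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are returned in lower case.
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()     # SearchResultCollection holds unmanaged resources
        $searcher.Dispose()
    }
}

# Accounts listed here would be denied enrollment on a template that
# requires the e-mail name, until the mail attribute is defined.
Get-UserWithoutMail | Sort-Object SamAccountName | Format-Table -AutoSize
```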



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
For more information about autoenrollment, see the "Certificate Autoenrollment in Windows XP" white paper. To view this white paper, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb456981.aspx

Keywords: kbbug KB330238


© Microsoft Corporation. All rights reserved.