Microsoft KB Archive/927066

From BetaArchive Wiki


Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions"

Article ID: 927066

Article Last Modified on 10/11/2007



APPLIES TO

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition



SYMPTOMS

You have enabled the Certificate Services service on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based computer. When you use the Certificates console on a client computer to request a certificate, you receive the following error message:

The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.

Additionally, events are logged in the Application log on the server that hosts the certification authority (CA). These events resemble the following:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: Date
Time: Time
User: N/A
Computer: ServerName
Description: Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: SubCA.

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 21
Date: Date
Time: Time
User: N/A
Computer: ServerName
Description: Certificate Services could not process request 5 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437).

If you enable automatic enrollment of certificates in the domain, client computers cannot obtain certificates automatically. Additionally, an event that resembles the following is logged in the Application log:

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description:


CAUSE

Windows Server 2003 SP1 introduces some enhanced default security settings for the DCOM protocol. Specifically, Windows Server 2003 SP1 introduces rights that give an administrator independent control over local and remote permissions for the following tasks:

  • Starting Component Object Model (COM) servers
  • Activating COM server settings
  • Accessing COM servers

The Windows Server 2003 SP1 installation process creates a new CERTSVC_DCOM_ACCESS security group. After the installation of Windows Server 2003 SP1, this new security group should have appropriate DCOM Access permissions and DCOM Launch and Activation permissions. By default, the Domain Users global group and the Domain Computers global group reside in the CERTSVC_DCOM_ACCESS group. If the Certificate Services service is running on a domain controller, the CERTSVC_DCOM_ACCESS group is created as a Domain Local group. Additionally, the Enterprise Domain Controllers group should be a member of the CERTSVC_DCOM_ACCESS group. This problem occurs if the membership of the CERTSVC_DCOM_ACCESS group is configured incorrectly.

RESOLUTION

To resolve the problem, follow these steps:

  1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container. To do this, follow these steps:
    1. Click Start, click Run, type Dsa.msc, and then click OK.
    2. In the left pane, click the Users container.
    3. Verify that the CERTSVC_DCOM_ACCESS group is in the right pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
  2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
    • Domain Users
    • Domain Computers

    If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4.

    Note If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers do not have sufficient DCOM permissions.
  3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority.
    1. Click Start, point to Programs, point to Administrative Tools, and then click Component Services.
    2. Expand the Component Services node.
    3. Expand the Computers node.
    4. Right-click the My Computer node, and then click Properties.
    5. Click the COM Security tab.
    6. Under Access Permission, click Edit Limits.
    7. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then click Cancel.
    8. Under Launch and Activation Permissions, click Edit Limits.
    9. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then click Cancel.
    10. Click Cancel, and then close the Component Services console.
  4. Settings may be incorrect if any one of the following conditions is true:
    • The CERTSVC_DCOM_ACCESS group does not exist.
    • The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
    • The CERTSVC_DCOM_ACCESS group does not have the correct permissions.

    If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc

  5. Repeat steps 1 through 3 to verify that all the settings are correct.

    Note If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
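The following read-only PowerShell audit is an added example and is not part of this article; it performs the checks of steps 1 through 3 on the CA host in one pass. It assumes a domain-joined server with read access to Active Directory through ADSI and to HKLM\SOFTWARE\Microsoft\Ole, where the machine-wide DCOM "Edit Limits" ACLs are stored as the MachineAccessRestriction and MachineLaunchRestriction binary values.

```powershell
# Added example (not from KB 927066): audit CERTSVC_DCOM_ACCESS per steps 1-3.
# Assumes ADSI read access to the domain and read access to HKLM\SOFTWARE\Microsoft\Ole.
$groupName = 'CERTSVC_DCOM_ACCESS'
$domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$groupPath = "LDAP://CN=$groupName,CN=Users,$domainDn"
$problems  = @()

# Step 1: the group must exist in the CN=Users container of the CA's domain.
if (-not [ADSI]::Exists($groupPath)) {
    throw "$groupName not found under CN=Users,$domainDn; step 4 of the article applies"
}
$group = [ADSI]$groupPath
$toSid = { param($bytes) (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value }
$groupSid  = & $toSid $group.objectSid.Value
$domainSid = & $toSid ([ADSI]"LDAP://$domainDn").objectSid.Value

# Step 2: required members, compared by SID (RID 513 = Domain Users, 515 = Domain
# Computers; S-1-5-9 = Enterprise Domain Controllers, required only when the CA is a DC).
$expected = @{ 'Domain Users' = "$domainSid-513"; 'Domain Computers' = "$domainSid-515" }
if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) {
    $expected['Enterprise Domain Controllers'] = 'S-1-5-9'
}
$memberSids = @(foreach ($dn in @($group.member)) { & $toSid ([ADSI]"LDAP://$dn").objectSid.Value })
foreach ($name in $expected.Keys) {
    if ($memberSids -notcontains $expected[$name]) { $problems += "$name is not a member of $groupName" }
}

# Step 3: machine-wide Access and Launch/Activation limits. COM access-mask bits:
# 1 = EXECUTE (legacy form, implies local and remote), 2 = local access, 4 = remote access,
# 8 = local activation, 16 = remote activation. Only Allow ACEs for the group are summed.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
$limits = @{ 'MachineAccessRestriction' = @{ 'Local Access' = 2; 'Remote Access' = 4 }
             'MachineLaunchRestriction' = @{ 'Local Activation' = 8; 'Remote Activation' = 16 } }
foreach ($valueName in $limits.Keys) {
    $raw = $ole.$valueName
    if (-not $raw) { $problems += "$valueName is not set (SP1 DCOM defaults missing)"; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $groupSid) {
            $granted = $granted -bor $ace.AccessMask
        }
    }
    if ($granted -eq 1) { $granted = 31 }   # legacy mask grants every local and remote right
    foreach ($right in $limits[$valueName].Keys) {
        if (($granted -band $limits[$valueName][$right]) -eq 0) { $problems += "$groupName lacks Allow $right in $valueName" }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { "$groupName checks passed" }
```

Any warning the script prints corresponds to one of the conditions listed in step 4, so the certutil and net commands there are the remediation; the script itself changes nothing.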


MORE INFORMATION

For more information about how Windows Server 2003 Service Pack 1 changes the DCOM security settings, click the following article number to view the article in the Microsoft Knowledge Base:

903220 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1


Keywords: kbtshoot kbprb KB927066