This section lists a few common issues you may encounter when using the Certification Authority snap-in or working with certification authorities (CAs). For more information about troubleshooting and resolving problems with CAs, see Active Directory Certificate Services Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=89215).
What problem are you having?
- Clients do not automatically enroll for certificates after autoenrollment is configured
- A CA could not be installed as an enterprise CA, or CA Web enrollment support could not be installed to recognize a stand-alone CA
- Error when accessing the CA Web pages
- A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."
- When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following message appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."
- An enrollment agent cannot enroll on behalf of a user for a specific certificate template
- Restricted certificate manager or enrollment agent operations cannot be completed after a domain is renamed
- I cannot add a new version 2 or version 3 certificate template to my CA
- I have a problem that is not listed here
Clients do not automatically enroll for certificates after autoenrollment is configured.
- Cause: The Group Policy settings that enable autoenrollment have not yet been applied on the client computers. Domain members refresh Group Policy every 90 minutes by default, plus a random offset of up to 30 minutes, so a new setting can take up to two hours to reach every computer.
- Solution: Wait for the next Group Policy refresh, or run gpupdate /force on the client to reapply policy immediately; certutil -pulse then triggers the autoenrollment task without waiting for its next scheduled run. For more information, see Gpupdate (http://go.microsoft.com/fwlink/?LinkId=94248).
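The following script is an added example, not part of the original page: it checks whether the autoenrollment policy has actually reached the client, forces the refresh and the autoenrollment task, and then looks for the issued certificate by template name. The template name and the registry value meanings are assumptions stated in the comments; the value 7 is the usual result of enabling the policy with both renewal options checked.

```powershell
# Added diagnostic (not from the original page). Run in an elevated PowerShell
# session on the domain-joined client that is not receiving its certificate.
# Assumption: $TemplateName is the display name of the template you expect.
$TemplateName = 'Workstation Authentication'   # hypothetical; use your template

# 1. Has the autoenrollment Group Policy reached this machine yet?
#    The setting lands in the registry as the AEPolicy DWORD: absent = not
#    configured, 0x8000 = disabled, 7 = enabled with both renewal options.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $ae  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae) { "$hive  AEPolicy: not present (policy not applied yet)" }
    else               { "$hive  AEPolicy: 0x{0:X}" -f $ae }
}

# 2. Do not wait for the 90 minute (+ up to 30 minute random) refresh:
#    reapply policy now, then fire the autoenrollment task directly.
gpupdate /force | Out-Null
certutil -pulse  | Out-Null

# 3. Did the expected certificate arrive in the machine store? Match on the
#    Certificate Template extension (1.3.6.1.4.1.311.21.7 for v2/v3
#    templates, 1.3.6.1.4.1.311.20.2 for v1 templates).
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = @($_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value })
    $ext.Count -gt 0 -and
        (($ext | ForEach-Object { $_.Format($false) }) -join ' ') -like "*$TemplateName*"
}
if ($issued) { $issued | Select-Object Subject, NotAfter, Thumbprint }
else         { "No certificate from template '$TemplateName' in LocalMachine\My yet." }
```

If AEPolicy is present but no certificate appears, the problem is no longer policy delivery: check that the template grants the computer (or a group it belongs to) both Read and Autoenroll and that the CA lists the template under Certificate Templates. The client records the exact reason in the Application log under the CertificateServicesClient-AutoEnrollment source.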
A CA could not be installed as an enterprise CA, or CA Web enrollment support could not be installed to recognize a stand-alone CA.
- Cause: The CA was installed by a user who is not a member of the Enterprise Admins or Domain Admins group; therefore, the enterprise CA option was not available and information about the CA cannot be published to Active Directory Domain Services (AD DS).
- Solution: Log on as a user who is a member of the Enterprise Admins or Domain Admins group to install the CA and CA Web enrollment support.
- Cause: The domain was not accessible during CA setup.
- Solution: Ensure that you have network connectivity to a domain controller during CA setup.
Error when accessing the CA Web pages.
- Cause: The user accessing the Web pages is not a member of the Administrators or Power Users group on the local computer. When a newer version of the Web enrollment software is available on the CA, the client computer must install that software. The user must be a member of the Administrators or Power Users group to install the software.
- Solution: Log on as a user who is a member of the Administrators or Power Users group to access the Web enrollment pages and download the newer version of the software.
- Cause: Web pages aren't installed on the CA.
- Solution: From a command prompt on the CA, run certutil -vroot to install the Web enrollment pages.
A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect."
- Cause: The computer account may be disabled, or the CA that issued the smart card certificate is not trusted by the computer.
- Solution:
  - Verify that the computer account is enabled in the domain.
  - Use the Certificates snap-in to verify that the root CA's certificate is in the Trusted Root Certification Authorities store on the user's computer.
  - Use the Certificates snap-in to verify that the domain controller has been issued a domain controller certificate that can be verified to a trusted root.
  - Trust is needed in both directions: the domain controller must also trust the CA that issued the smart card certificate, and that CA must be present in the enterprise NTAuth store. An enterprise CA is published there when it is installed; a stand-alone or third-party CA has to be added with certutil -dspublish -f CAcert.cer NTAuthCA.
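The checks above, scripted from the client's side, as an added example that is not part of the original page. It reads the computer account state from AD, pulls the certificate the domain controller presents on LDAPS (which a DC only serves when it holds a domain controller certificate), inspects its EKUs and builds the chain against this client's own root store. The DC name is an assumption; the RSAT ActiveDirectory module is needed for the first step only.

```powershell
# Added check (not from the original page). Run on the client where smart card
# logon fails, as a user who can read AD. Assumption: $DcName is the DNS name
# of the domain controller the client authenticates against.
Import-Module ActiveDirectory
$DcName = 'dc01.corp.example'   # hypothetical

# 1. Is this computer's account enabled?
$acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties Enabled
"{0}: Enabled = {1}" -f $acct.DistinguishedName, $acct.Enabled

# 2. Pull the certificate the DC presents on LDAPS (TCP 636). A DC only
#    completes this handshake with a certificate carrying Server
#    Authentication or KDC Authentication, so a failed handshake already
#    tells you the DC has no usable domain controller certificate.
$dcCert = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DcName, 636)
    # Accept anything during the handshake; the chain is evaluated explicitly below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($DcName)
    $dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    "LDAPS handshake with $DcName failed: $($_.Exception.Message)"
}

if ($dcCert) {
    $eku     = $dcCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    "DC certificate: $($dcCert.Subject)  (expires $($dcCert.NotAfter))"
    "  Server Authentication EKU (1.3.6.1.5.5.7.3.1): " + ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    "  KDC Authentication EKU    (1.3.6.1.5.2.3.5):   " + ($ekuOids -contains '1.3.6.1.5.2.3.5')

    # 3. Does it chain to a root this client trusts? Revocation is skipped
    #    here on purpose so that a CRL fetch problem does not mask a trust
    #    problem; the real logon does check revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted   = $chain.Build($dcCert)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    "  Chains to a trusted root: $trusted"
    if (-not $trusted) {
        "  Chain status: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        "  Root $rootThumb in LocalMachine\Root: " +
            [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $rootThumb })
    }
}
```

For the other direction, certutil -scinfo on the client reads the inserted card and reports whether its certificate verifies, and certutil -viewstore -enterprise NTAuth shows which issuing CAs the domain accepts for smart card logon.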
When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."
- Cause: The necessary security permissions are not set on the certificate templates.
- Solution: Modify the security permissions for the certificate templates to include the child domain accounts from which you want to allow enrollment. To set access control for certificate templates, see Issuing Certificates Based on Certificate Templates (http://go.microsoft.com/fwlink/?LinkID=142333).
Some access control caches must time out after changes are made to security permissions, so you might have to wait a short period of time before the new security permissions are replicated through the network.
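An added example, not from the original page, showing what the template ACL actually contains and how to widen it for one child-domain group. Templates are stored once per forest in the Configuration partition, so the change is visible to every domain after replication. Grant the right to a specific group rather than to Authenticated Users or Domain Users: on a template that lets the requester supply the subject name, broad Enroll permission lets any account request a certificate in someone else's name. The template name, group name and the decision to apply are assumptions marked in the code.

```powershell
# Added example (not from the original page). Lists who holds Enroll and
# Autoenroll on a template and, optionally, grants Enroll to one child-domain
# group. Needs the RSAT ActiveDirectory module and, to apply, an account that
# may write the template's ACL. $TemplateName and $Grantee are hypothetical.
Import-Module ActiveDirectory
$TemplateName = 'User'              # the template the child-domain accounts need
$Grantee      = 'CHILD\PKI-Users'   # a dedicated group, not Authenticated Users
$Apply        = $false              # set to $true to write the change

# Templates live once per forest in the Configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Control-access-right GUIDs that carry the two enrollment permissions.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-11d2-91f0-00c04f79dc55'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-TemplateEnrollmentRights {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        $right = $null
        if (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
            $right = 'FullControl (implies Enroll and Autoenroll)'
        } elseif (($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0) {
            if     ($ace.ObjectType -eq $EnrollGuid)     { $right = 'Enroll' }
            elseif ($ace.ObjectType -eq $AutoenrollGuid) { $right = 'Autoenroll' }
            elseif ($ace.ObjectType -eq [guid]::Empty)   { $right = 'All extended rights (includes Enroll and Autoenroll)' }
        }
        if ($right) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $right
                Type      = $ace.AccessControlType
            }
        }
    }
}

"Before:"; Get-TemplateEnrollmentRights -Dn $templateDN | Format-Table -AutoSize

# Enrolling needs Read as well as Enroll; Authenticated Users hold Read on
# templates by default, so only the Enroll control-access right is added here.
if ($Apply) {
    $acl = Get-Acl -Path "AD:\$templateDN"
    $who = New-Object System.Security.Principal.NTAccount($Grantee)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $who, $ExtendedRight,
               [System.Security.AccessControl.AccessControlType]::Allow,
               $EnrollGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$templateDN" -AclObject $acl
    "After:"; Get-TemplateEnrollmentRights -Dn $templateDN | Format-Table -AutoSize
}
```

After the change replicates, the CA itself must still have the template in its Certificate Templates folder and the requesting account must be able to reach a domain controller; if the error persists, certutil -pulse on the client refreshes its cached enrollment policy without waiting for the cache to expire.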
An enrollment agent cannot enroll on behalf of a user for a specific certificate template.
- Cause: Enrollment agent restrictions may have been configured to prevent the enrollment agent from enrolling for certificates based on the certificate template for this user group.
- Solution: This behavior may be by design, if you do not intend for the enrollment agent to enroll for certificates based on this certificate template or for this group of users. If it is not by design, follow the steps in Establish Restricted Enrollment Agents to configure the correct enrollment agent permissions for this group and certificate template.
- Cause: The enrollment agent certificate is configured with a Cryptography Next Generation (CNG) key, and the certificate is being requested from a Windows Server 2003–based CA.
- Solution: Use an enrollment agent certificate that is compatible with Windows Server 2003–based CAs, or request the certificate from a CA on a computer running Windows Server 2008 R2 or Windows Server 2008.
Restricted certificate manager or enrollment agent operations cannot be completed after a domain is renamed.
- Cause: For restricted officer operations, a CA relies on the Security Accounts Manager (SAM) name of the requester that is stored in the Active Directory database to verify that the officer has rights to manage the request. The SAM name includes the NetBIOS domain name, so if the rename changed that name (rather than only the DNS portion of the domain name), the stored name no longer matches and the restricted officer operation fails.
- Solution: Disable or reconfigure the restricted officer permissions before attempting the enrollment operation again.
I cannot add a new version 2 or version 3 certificate template to my CA.
- Cause: The CA is installed on a server running Windows Server 2008 R2 Standard or Windows Server 2008 Standard. Version 2 and version 3 certificate templates and certificate autoenrollment can only be used with CAs installed on Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter.
- Solution: Upgrade to Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Enterprise, or Windows Server 2008 Datacenter.
I have a problem that is not listed here.
- Cause: Check the event log of the server. It often contains more detailed error messages that can help you diagnose and solve the problem you are having.
- Solution: For more information about events that are logged by Active Directory Certificate Services, see Active Directory Certificate Services Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=89215).
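As an added example, not part of the original page, the following pulls the recent warning and error events that AD CS and its enrollment clients write to the Application log, one provider at a time so that a provider missing on the host does not abort the whole query. Which machine to run it on and the 24-hour window are assumptions.

```powershell
# Added example (not from the original page). Collects the last 24 hours of
# critical/error/warning events from the CA service and the enrollment
# clients. Assumptions: run on the CA for the first provider and on the
# affected client for the other two; the window length is arbitrary.
$since = (Get-Date).AddDays(-1)
$providers = @(
    'Microsoft-Windows-CertificationAuthority',                    # CertSvc on the CA
    'Microsoft-Windows-CertificateServicesClient-AutoEnrollment',  # autoenrollment client
    'Microsoft-Windows-CertificateServicesClient-CertEnroll'       # manual / Web enrollment client
)

function Get-AdcsProblemEvents {
    param([string[]]$ProviderName, [datetime]$StartTime)
    foreach ($p in $ProviderName) {
        try {
            Get-WinEvent -FilterHashtable @{
                LogName      = 'Application'
                ProviderName = $p
                Level        = 1, 2, 3      # critical, error, warning
                StartTime    = $StartTime
            } -ErrorAction Stop |
            Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
        } catch {
            # Get-WinEvent throws both when the provider is not registered on
            # this host and when it simply has no matching events; report and go on.
            Write-Warning "$p : $($_.Exception.Message)"
        }
    }
}

Get-AdcsProblemEvents -ProviderName $providers -StartTime $since |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Only the first line of each message is shown to keep the table readable; drop the calculated Message column to see the full text. If the CA logs nothing useful, certutil -setreg CA\LogLevel 4 followed by a restart of the certsvc service raises its logging verbosity.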