Enterprise CA May Not Publish Certificates from Child Domain or Trusted Domain

Article translations Article translations
Article ID: 219059 - View products that this article applies to.
This article was previously published under Q219059
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

On This Page

SYMPTOMS

You may not be able to issue certificates using an enterprise Certificate Authority (CA) to users in child domains. When you try to do so, the following entry may appear in the event log:
Event ID: 11
Source: Cert Server Enterprise Policy
Application: Warning CA was unable to publish the certificate for the Domain\server. Server is not part of the Cert Publishers group. Privilege violation.

CAUSE

When you install a child domain in an existing domain tree with an enterprise CA already configured, the default permissions on the child domain do not allow the enterprise CA to publish certificates from the child domain.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

If you have updated from a Windows 2000 domain, you may have to change the group type into a domain local group. For more information about this topic, click the following article number to view the article in the Microsoft Knowledge Base:
281271 Certification Authority configuration to publish certificates in Active Directory of trusted domain
Certificate servers publish certificates to user objects in the directory service. They are allowed to do this because they are in the Cert Publishers group, which has write access to the 'userCertificate' attribute on the user object.

The problem occurs when a certificate server in one domain tries to issue a certificate to a user in another domain.

WORKAROUND

To work around this issue, use one of the following methods:
  • Manually add the CA computer to the Cert Publishers group on the child domain. This process cannot be performed during Setup because the child domain may not yet exist when the CA is configured.

    NOTE: This only works in a Windows Server 2003-based environment, not a Windows 2000 environment.
  • Use the Delegation Wizard to manually add the root domain's Cert Publisher group to every user object in the child domain.

Properties

Article ID: 219059 - Last Review: February 21, 2014 - Revision: 5.4
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kbnosurvey kbarchive kbprb KB219059

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com