Certification Authority configuration to publish certificates in Active Directory of trusted domain

Article ID: 281271
This article was previously published under Q281271

SYMPTOMS

In the following scenarios, if a user from the same domain as a certification authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not successful. Also, when users from the same domain as a CA request a certificate, the issued certificate may not be published in Active Directory.

Scenario 1
In this scenario, the CA does not publish issued certificates to the user's directory service (DS) object in the child domain when the following conditions are true:
  • The user is in a two-level domain hierarchy with a parent and a child domain.
  • The Enterprise CA is located in the parent domain and the user is in the child domain.
  • The user in the child domain enrolls in the parent CA.
In this configuration, the users in the child domain enroll in the parent CA, and the CA is expected to publish the issued certificates to each user's DS object in the child domain; that publication does not occur.

Scenario 2
Consider the following scenario:
  • The user is in a single-level domain or a parent domain.
  • The Enterprise CA is located on the parent domain.
  • The domain controllers do not have hotfix 327825 or Windows 2000 Service Pack 4 (SP4) installed.
  • The user, either in the single-level or parent domain, enrolls in the single-level certification authority or the parent certification authority.
In this scenario, the certification authority does not publish the issued certificates to the user's directory service (DS) object in the single-level domain or in the parent domain.

CAUSE

Scenario 1: Two-level domain hierarchy

Users from the child domain do not have appropriate permissions to enroll. Even when they do, the CA does not have the access permissions to publish the certificate to Active Directory.

By default, only domain users from the same domain as the CA have enroll permissions.

By default, the CA has the following necessary permissions granted on users within its domain:
  • Read userCertificate
  • Write userCertificate
The CA in the parent domain does not have permissions to the userCertificate property on the users in the child domain.

Scenario 2: Single-level domain or parent domain

By default in Windows 2000, the AdminSDHolder object does not grant the Cert Publishers group the necessary permissions for user accounts that are covered under the AdminSDHolder process. The following list contains the protected user account groups in Windows 2000:
  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
After you apply the hotfix that is described in Microsoft Knowledge Base article 327825, or after you install Windows 2000 SP4, the following groups are protected user account groups in Windows Server 2003 and in Windows 2000:
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

RESOLUTION

Scenario 1: Two-level domain hierarchy

To enable the child domain users to obtain certificates and have them published to Active Directory, follow these steps:
  1. Set the permissions on the CA's template to allow enrollment requests.
  2. Set the user object permissions to allow the CA to publish the certificate.
  3. Alter AdminSDHolder to push the user object permissions to users who are administrators.
Note You must first install the Support Tools from the Windows Professional or Windows Server CD-ROM.

To enable the child domain users to obtain certificates and have them published to Active Directory

  1. Set permissions on the CA to allow users in the child domain to request a certificate. By default, this should be in place.
    1. Open the Certification Authority snap-in, right-click the CA, and then click Properties.
    2. On the Security tab, make sure that the Authenticated Users group is allowed to request certificates.
  2. Set permissions on the applicable certificate templates to allow users in the child domain to enroll.

    Note You must be logged on to the root domain with domain administrator rights.
    1. Open the Active Directory Sites and Services snap-in.
    2. Click View, and then click Show Services Node.
    3. Expand the Services Node folder, expand Public Key Services, and then click Certificate Templates.
    4. In the Details pane, select the desired template, or templates. For example, right-click the User certificate template, and then click Properties.
    5. On the Security tab, grant enroll permissions to the desired group, such as Authenticated Users.
  3. Configure the CA Exit Module to publish certificates to Active Directory.
    1. In the Certification Authority snap-in, right-click the CA, and then click Properties.
    2. On the Exit Module tab, click Configure.
    3. In the properties for the Exit Module, click to select the Allow certificates to be published in the Active Directory box.
    On the child domain controller:

    Note In Windows 2000 domains and in Windows Server 2003 domains that have been upgraded from Windows 2000, the Cert Publishers group is a Domain Global group. You must manually add the Cert Publishers group to each child domain.

    For Windows Server 2003 domains

    You can enable the child domain users to obtain certificates and to have them published in upgraded Windows Server 2003 domains. To do this, change the group type to Domain Local, and include the CA server from the parent domain. This procedure creates the same configuration that is present in a freshly installed Windows Server 2003 domain. The user interface (UI) does not let you change the group type. However, you can use the dsmod command to change the Cert Publishers group from a Domain Global group to a Domain Local group. To do this, use the following syntax:
    dsmod group <Group Distinguished Name> -scope l
    Note In some cases, you cannot change groupType directly from a global group to a domain local group. In this case, you have to change the global group into a universal group and then change the universal group into a domain local group. To do this, follow these steps:
    1. Type the following command, and then press ENTER:
      dsmod group <Group Distinguished Name> -scope u
      This command changes the global group into a universal group.
    2. Type the following command, and then press ENTER:
      dsmod group <Group Distinguished Name> -scope l
      This command changes the universal group into a domain local group.
    For Windows 2000 domains

    You can use the Delegation Wizard to manually grant the root domain's Cert Publishers group permissions on every user object in the child domain. To do this, follow these steps:
    1. Open the Active Directory Users and Computers snap-in, and then right-click the domain node.
    2. Click Delegate Control. The Delegation wizard starts. In the wizard follow these steps:
      1. Click Next, click Add, and then add the Cert Publishers group from the parent domain.
      2. Click Next, click Create a custom task to delegate, and then click Next.
      3. Select the Only the following objects in the folder check box.
      4. Click User objects, and then click Next.
      5. Click Property-specific, click Read userCertificate, and then click Write userCertificate.
      6. Click Next, and then click Finished.
  4. On the child domain controller, at a command prompt, run the following two commands, keeping the quotation marks:
    dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:WP;userCertificate"
    dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:RP;userCertificate"
    Here, dc=<your domain>,dc=<com> is the distinguished name (DN) of your child domain, and <CA's domain> is the name of the domain where the CA is located.
  5. Note Windows Server 2003 SP1 provides a new security group, CERTSVC_DCOM_ACCESS. The user or requesting computer from the parent or child domain must be a member of this group to obtain a certificate.

    On the CA server, at a command prompt, run the following three commands:
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    net stop certsvc
    net start certsvc
    For more information about the CERTSVC_DCOM_ACCESS security group, click the following article number to view the article in the Microsoft Knowledge Base:
    927066 Error message when a client computer requests a certificate from a computer that is running Windows Server 2003 with Service Pack 1: "The wizard cannot be started because of one or more of the following conditions"
    For more information about how to add users and servers in a cross forest environment to the CERTSVC_DCOM_ACCESS security group, click the following article number to view the article in the Microsoft Knowledge Base:
    961298 Auto enrollment does not work in the Cross Forest environment

Scenario 2: Single-level domain or parent domain

On the single-level domain controller or on the parent domain controller, at a command prompt, run the following two commands, keeping the quotation marks:
dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:WP;userCertificate"
dsacls "cn=adminsdholder,cn=system,dc=<your domain>,dc=<com>" /G "<CA's domain>\Cert Publishers:RP;userCertificate"
Here, dc=<your domain>,dc=<com> is the distinguished name (DN) of the domain on which you run the commands (the single-level domain or the parent domain), and <CA's domain> is the name of the domain where the CA is located.
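The following PowerShell script is an added verification check, not part of this article: it confirms the three settings the steps above change for the domain whose users enroll (the Cert Publishers group scope, the AdminSDHolder ACEs that the dsacls commands grant, and whether protected accounts actually carry those ACEs). It assumes the RSAT ActiveDirectory module is installed; child.example.com is a placeholder domain name.

```powershell
# Added verification script; not part of the KB article. Assumes the RSAT
# ActiveDirectory module and read access to the target domain; the domain
# name is a placeholder. Run as a user who can read AdminSDHolder's DACL.
Import-Module ActiveDirectory
$Domain = 'child.example.com'   # placeholder: domain whose users enroll

# Resolve the schemaIDGUID of userCertificate to match object-specific ACEs
$schemaNc = (Get-ADRootDSE -Server $Domain).schemaNamingContext
$userCertGuid = [guid](Get-ADObject -Server $Domain -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID).schemaIDGUID

function Test-CertPublishersAce {
    # True when the DACL allows a Cert Publishers group both ReadProperty and
    # WriteProperty on userCertificate (what "dsacls ... RP/WP;userCertificate" grants)
    param([string]$Dn)
    $sd = (Get-ADObject -Identity $Dn -Server $Domain -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $rights = [System.DirectoryServices.ActiveDirectoryRights]0
    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like '*\Cert Publishers' -and
            $ace.ObjectType -eq $userCertGuid) {
            $rights = $rights -bor $ace.ActiveDirectoryRights
        }
    }
    $need = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    return (($rights -band $need) -eq $need)
}

# 1. Group scope: a Domain Global Cert Publishers group cannot contain the
#    parent domain's CA computer account; the article changes it to Domain Local.
$grp = Get-ADGroup -Identity 'Cert Publishers' -Server $Domain
if ($grp.GroupScope -ne 'DomainLocal') {
    Write-Warning "Cert Publishers in $Domain has scope $($grp.GroupScope), not DomainLocal"
}

# 2. AdminSDHolder: without these ACEs, protected (adminCount=1) accounts lose
#    the publish permission whenever the AdminSDHolder process reapplies its DACL.
$holderDn = "CN=AdminSDHolder,CN=System," + (Get-ADDomain -Server $Domain).DistinguishedName
if (-not (Test-CertPublishersAce -Dn $holderDn)) {
    Write-Warning "AdminSDHolder lacks RP/WP on userCertificate for Cert Publishers"
}

# 3. Every protected user without the ACE is a candidate for Event ID 46
Get-ADUser -Server $Domain -LDAPFilter '(adminCount=1)' |
    Where-Object { -not (Test-CertPublishersAce -Dn $_.DistinguishedName) } |
    ForEach-Object { "Missing userCertificate ACE: $($_.DistinguishedName)" }
```

For Scenario 2, point $Domain at the single-level or parent domain; the AdminSDHolder and protected-user checks apply unchanged.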

STATUS

Microsoft has confirmed that this is a problem in Windows 2000 Server and in Windows Server 2003.

MORE INFORMATION

When a user from a child domain does not succeed in enrolling, the following error is generated in the CA application event log:
Event Type:     Warning
Event Source:   CertSvc
Event Category: None
Event ID:       53
Date:           08/14/2000
Time:           05:13:00
User:           N/A
Computer:       <Root CA name>
Description:
Certificate Services denied request <request #> because Access is denied.
0x80070005 (WIN32: 5).  The request was for (Unknown Subject).  Additional
information: Denied by Policy Module

If the ACLs are set so that the user can enroll, but the CA does not have permissions to publish to the user's Active Directory, the following error is generated in the CA application event log:
Event Type:     Error
Event Source:   CertSvc
Event Category: None
Event ID:       46
Date:           08/14/2000
Time:           05:13:00
User:           N/A
Computer:       <Root CA name>
Description:
The "Enterprise and Stand-alone Exit Module" Exit Module "Notify" method
returned an error. Access is denied. The returned status code is
0x80070005 (5).  The Certification Authority was unable to publish the
certificate for Child\User to the Directory Service.  Access is denied.

(0x80070005)
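The two events above fail at different stages and need different fixes, so an added triage helper (not part of this article) is useful: it classifies CertSvc Event ID 53 as an enrollment denial and Event ID 46 as a publication failure and extracts the request number or the user that was affected. The sample entries are constructed from the article's text; the request number 12 is a made-up value.

```powershell
# Added detection helper; not part of the KB article. Separates the two CertSvc
# events the article quotes: ID 53 (policy module denied enrollment) and ID 46
# (exit module could not publish), which need different fixes. Sample entries
# are constructed from the article's text; the last line reads the live log.
function Get-CertSvcPublishFailure {
    param([Parameter(ValueFromPipeline=$true)]$Event)
    process {
        $m = $Event.Message
        switch ([int]$Event.EventID) {
            53 {
                # Enrollment refused: check Enroll permissions on the CA and template
                if ($m -match 'denied request (?<req>\S+) because Access is denied') {
                    [pscustomobject]@{ Time = $Event.TimeGenerated; Stage = 'Enrollment'
                        Subject = "request $($Matches.req)"
                        Action  = 'Check Request Certificates / Enroll ACLs (CA, template)' }
                }
            }
            46 {
                # Publication refused: CA lacks RP/WP on the user's userCertificate
                if ($m -match 'unable to publish the certificate for (?<who>\S+) to the Directory Service') {
                    [pscustomobject]@{ Time = $Event.TimeGenerated; Stage = 'Publish'
                        Subject = $Matches.who
                        Action  = 'Check Cert Publishers ACE on the user object and AdminSDHolder' }
                }
            }
        }
    }
}

# Constructed sample entries mirroring the two events quoted in the article
$samples = @(
    [pscustomobject]@{ EventID = 53; TimeGenerated = [datetime]'2000-08-14 05:13:00'
        Message = 'Certificate Services denied request 12 because Access is denied. 0x80070005 (WIN32: 5).  The request was for (Unknown Subject).  Additional information: Denied by Policy Module' }
    [pscustomobject]@{ EventID = 46; TimeGenerated = [datetime]'2000-08-14 05:13:00'
        Message = 'The "Enterprise and Stand-alone Exit Module" Exit Module "Notify" method returned an error. Access is denied. The returned status code is 0x80070005 (5).  The Certification Authority was unable to publish the certificate for Child\User to the Directory Service.  Access is denied.' }
)
$samples | Get-CertSvcPublishFailure | Format-Table -AutoSize

# On the CA itself, feed the live Application log instead of the samples:
# Get-EventLog -LogName Application -Source CertSvc | Where-Object { 46, 53 -contains $_.EventID } | Get-CertSvcPublishFailure
```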

Properties

Article ID: 281271 - Last Review: February 25, 2009 - Revision: 8.0
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbcertservices kbprb KB281271
