Article ID: 932457 - View products that this article applies to.
When you use the Web browser on a client computer to request a certificate from a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based certification authority (CA) computer, you may receive the following error message:
Alternatively, when you use the Microsoft Management Control Certificates snap-in to request a certificate, you may receive an error message that resembles the following:
Denied by Policy Module 0x80094800, the request was for a certificate template that is not supported by the Certificate Services Policy. CertificateTemplateName
Additionally, the following event ID is logged in the Application log of the CA computer:
Certification authority could not be found.
Event Type: Warning
This issue may occur because of the following causes.
Cause 1The client computer is not a member of the CERTSVC_DCOM_ACCESS security group.
Cause 2You installed Windows Server 2003 Service Pack 1 (SP1) on a CA computer that resides in a Microsoft Windows 2000 forest.
You must prepare the Windows 2000 forest for Windows Server 2003 because there are new attributes added to the Certificates templates object in the schema.
To verify this cause, view any of the Certificate templates by using ADSIEdit.msc or by using LDP.exe. You may find that the following attributes are missing:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,dc= DomainComponent,dc=DomainComponent
Cause 3You did not restart the Windows Server 2003-based CA computer after you added the following member groups to the CERTSVC_DCOM_ACCESS security group:
To resolve this issue, use one or more of the following resolutions, as appropriate for your situation.
Resolution for cause 1To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can only add domain groups to it.
For example, if users and computers from another domain have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
Note In this example, Contoso is a placeholder.
Notes on resolution for cause 1
Resolution for cause 2To resolve this issue, use one of the following methods, as appropriate for your situation.
Method 1Remove Windows Server 2003 SP1 from the CA computer.
Resolution for cause 3Restart the CA computer. If you again receive an error message that is mentioned in the "Symptoms" section, type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
Article ID: 932457 - Last Review: February 26, 2007 - Revision: 1.3
Contact us for more help
Connect with Answer Desk for expert help.