You receive an error message, and event ID 53 is logged when a client computer requests a certificate from a Windows Server 2003 SP1-based CA

View products that this article applies to.

SYMPTOMS

When you use the Web browser on a client computer to request a certificate from a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based certification authority (CA) computer, you may receive the following error message:

Denied by Policy Module 0x80094800, the request was for a certificate template that is not supported by the Certificate Services Policy. CertificateTemplateName

Alternatively, when you use the Microsoft Management Control Certificates snap-in to request a certificate, you may receive an error message that resembles the following:

Certification authority could not be found.

Additionally, the following event ID is logged in the Application log of the CA computer:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description:
Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: CertificateTemplatename.

Back to the top

CAUSE

This issue may occur because of the following causes.

Back to the top

Cause 1

The client computer is not a member of the CERTSVC_DCOM_ACCESS security group.

Back to the top

Cause 2

You installed Windows Server 2003 Service Pack 1 (SP1) on a CA computer that resides in a Microsoft Windows 2000 forest.

You must prepare the Windows 2000 forest for Windows Server 2003 because there are new attributes added to the Certificates templates object in the schema.

To verify this cause, view any of the Certificate templates by using ADSIEdit.msc or by using LDP.exe. You may find that the following attributes are missing:

msPKI-Certificate-Application-Policy
msPKI-Certificate-Name-Flag
msPKI-Certificate-Policy
msPKI-Cert-Template-OID
msPKI-Enrollment-Flag
msPKI-Minimal-Key-Size

Note You can find the Certificate template at the following location:

CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,dc= DomainComponent,dc=DomainComponent

Back to the top

Cause 3

You did not restart the Windows Server 2003-based CA computer after you added the following member groups to the CERTSVC_DCOM_ACCESS security group:

Domain Users
Domain Computers
Enterprise Domain Controllers

Note You add the Enterprise Domain Controllers group if the Certificate Services service is running on a domain controller.

Back to the top

RESOLUTION

To resolve this issue, use one or more of the following resolutions, as appropriate for your situation.

Resolution for cause 1

To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can only add domain groups to it.

For example, if users and computers from another domain have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.

Note In this example, Contoso is a placeholder.

Notes on resolution for cause 1

Certificate Services cannot automatically update the DCOM security settings for client computers from outside the certification authority's domain if the following conditions are true:
- The certification authority is installed on a domain controller.
- The enterprise consists of more than one domain.
In this scenario, the client computers are denied enrollment access to the certification authority.
If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.
If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.

Resolution for cause 2

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1

Remove Windows Server 2003 SP1 from the CA computer.

Method 2

Use the Adprep.exe utility to run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command.

For more information about the Adprep.exe utility, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/bc5ebbdb-a8d7-4761-b38a-e207baa734191033.mspx?mfr=true (http://technet2.microsoft.com/WindowsServer/en/library/bc5ebbdb-a8d7-4761-b38a-e207baa734191033.mspx?mfr=true)
Type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
- Regsvr32 /i:i /n /s %systemroot%\system32\certcli.dll
- Net Stop CertSvc
- Net Start CertSvc

Resolution for cause 3

Restart the CA computer. If you again receive an error message that is mentioned in the "Symptoms" section, type the following commands at a command prompt on the CA computer, and then press ENTER after each command: