When a user tries to request a certificate from the certification authority (CA) Web enrollment pages, the user may receive the following error message:
- View the Active Directory dNSHostName attribute on the pkiEnrollmentService object. This object is in the following location: CN=CertificateServer,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com
  To view the dNSHostName attribute, use ADSIEdit.msc or LDP.exe.
- Edit the Certdat.inc file so that the value for sServerConfig is the same as the value for the dNSHostName attribute, followed by a backslash and the Certificate Authority name.
Note: The sServerConfig value must match the case of the dNSHostName attribute exactly. If it does not, you will continue to get the same error.
- For example: if the DNS hostname for the Certification Authority is server1.domain.local and the name of the Certification Authority is MYCA, then ensure that the dNSHostName attribute for the "CN=MYCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=local" object is set to "server1.domain.local" and that sServerConfig in the certdat.inc file in the "%systemroot%\system32\certsrv" folder on the Certification Authority is set to "server1.domain.local\MYCA".
- Have the user who wants to request the certificate restart Internet Explorer. This permits the new credentials to pass to the CA.
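
A read-only PowerShell check for the comparison described in the steps above, as an added example that is not part of the original article: it extracts sServerConfig from the text of Certdat.inc and compares it, case-sensitively, with dNSHostName\CAName. The function names and the assumed `sServerConfig="..."` line format are assumptions, and the sample file text is constructed.

```powershell
# Added example: read-only consistency check, nothing is modified.

# Pull the sServerConfig value out of the text of Certdat.inc.
# Assumption: the value is assigned on one line as  sServerConfig="host\CAName"
function Get-SServerConfig {
    param([string]$IncText)
    if ($IncText -match '(?m)^\s*sServerConfig\s*=\s*"([^"]*)"') { return $Matches[1] }
    return $null
}

# Read dNSHostName from the pkiEnrollmentService object of the named CA.
# Assumption: the CA name contains no characters that need escaping in a DN.
function Get-CADnsHostName {
    param([string]$CAName)
    $configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $dn = "CN=$CAName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    return ([ADSI]"LDAP://$dn").Properties['dNSHostName'].Value
}

# Compare the two values: -ceq is case-sensitive, -ieq ignores case.
function Test-SServerConfig {
    param([string]$DnsHostName, [string]$CAName, [string]$IncText)
    $expected = '{0}\{1}' -f $DnsHostName, $CAName
    $actual   = Get-SServerConfig -IncText $IncText
    [pscustomobject]@{
        Expected         = $expected
        Actual           = $actual
        ExactMatch       = ($actual -ceq $expected)
        # True when only letter case differs, the situation the Note describes
        CaseOnlyMismatch = ($actual -ieq $expected) -and ($actual -cne $expected)
    }
}

# Constructed sample using the article's example names; the case of the
# host name differs on purpose.
$sampleInc = @'
<%
    sServerConfig="Server1.domain.local\MYCA"
%>
'@
Test-SServerConfig -DnsHostName 'server1.domain.local' -CAName 'MYCA' -IncText $sampleInc

# Against a live CA (run on the CA itself, in a domain-joined session):
# $inc = Get-Content "$env:SystemRoot\system32\certsrv\certdat.inc" -Raw
# Test-SServerConfig -DnsHostName (Get-CADnsHostName 'MYCA') -CAName 'MYCA' -IncText $inc
```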
Article ID: 811418 - Last Review: Nov 22, 2010 - Revision: 1