When you use the Web browser on a client computer to request a certificate from a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based certification authority (CA) computer, you may receive the following error message:
Denied by Policy Module 0x80094800, the request was for a certificate template that is not supported by the Certificate Services Policy. CertificateTemplateName
Alternatively, when you use the Microsoft Management Control Certificates snap-in to request a certificate, you may receive an error message that resembles the following:
Certification authority could not be found.
Additionally, the following event ID is logged in the Application log of the CA computer:
Event Type: Warning Event Source: CertSvc Event Category: None Event ID: 53 Date: Date Time: Time User: N/A Computer: ComputerName Description: Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: CertificateTemplatename.
This issue may occur because of the following causes.
The client computer is not a member of the CERTSVC_DCOM_ACCESS security group.
You installed Windows Server 2003 Service Pack 1 (SP1) on a CA computer that resides in a Microsoft Windows 2000 forest.
You must prepare the Windows 2000 forest for Windows Server 2003 because there are new attributes added to the Certificates templates object in the schema.
To verify this cause, view any of the Certificate templates by using ADSIEdit.msc or by using LDP.exe. You may find that the following attributes are missing:
Note You can find the Certificate template at the following location:
You did not restart the Windows Server 2003-based CA computer after you added the following member groups to the CERTSVC_DCOM_ACCESS security group:
Enterprise Domain Controllers
Note You add the Enterprise Domain Controllers group if the Certificate Services service is running on a domain controller.
To resolve this issue, use one or more of the following resolutions, as appropriate for your situation.
Resolution for cause 1
To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can only add domain groups to it.
For example, if users and computers from another domain have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
Note In this example, Contoso is a placeholder.
Notes on resolution for cause 1
Certificate Services cannot automatically update the DCOM security settings for client computers from outside the certification authority's domain if the following conditions are true:
The certification authority is installed on a domain controller.
The enterprise consists of more than one domain.
In this scenario, the client computers are denied enrollment access to the certification authority.
If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.
If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.
Resolution for cause 2
To resolve this issue, use one of the following methods, as appropriate for your situation.
Remove Windows Server 2003 SP1 from the CA computer.
Use the Adprep.exe utility to run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command.
For more information about the Adprep.exe utility, visit the following Microsoft Web site:
Restart the CA computer. If you again receive an error message that is mentioned in the "Symptoms" section, type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003 Service Pack 2