Microsoft CA - Web enrollment permissions issue.

nmpuk 21 Reputation points
2021-03-04T13:03:32.683+00:00

Windows server 2016 and running Microsoft CA offline root, with a SubCA\Issuing CA on a member server.

This has worked in the past, but we are currently experiencing issues with permissions for users who have been delegated permission to request certs. This is an engineering \ test environment.

This was previously working, but when I recently attempted to request a certificate I got errors relating to permissions on certificate templates, as below.

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group.

I don't see any other relevant errors in the logs, but users in this delegated group simply cannot submit a request on the http://server/certsrv/en-us portal and get the above error message.

Permissions on IIS are configured for Windows Authentication only, and the app pool for CertSrv is configured for NetworkService.

Enterprise admins can submit new requests when tested.

PKIView shows everything OK.

Thoughts?


10 answers

  1. nmpuk 21 Reputation points
    2021-03-04T23:21:32.957+00:00

    Ok so minor update. Checking through some perms today, I noticed that PKIView is throwing a couple of errors: the .crl and cert for the offline root are both showing as 'Unable to download'. The cert and crl are both present in the CertEnroll folder and manually fetching them works fine. Not sure why that's suddenly happening. Yesterday this was showing 'Ok'.


  2. Daisy Zhou 20,876 Reputation points Microsoft Vendor
    2021-03-05T06:40:07.047+00:00

    Hello @nmpuk ,

    Thank you for posting here.

    To better understand your question, please confirm the following information:

    1. What certificate template do you use (user certificate template or computer certificate template)?
    2. Could you please check if you can enroll one certificate using the same certificate template via MMC method?
    3. Can you confirm if you use http://server/certsrv/en-us or http://server/certsrv?
    4. Did you receive the error message you mentioned immediately after you typed http://server/certsrv/en-us and pressed Enter? If not, at what step did you receive the error message you mentioned? If you can provide a screenshot, it will be better.

    I know about permissions on the certificate template, but what do you mean by the following two descriptions?

    "Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group."
    &
    experiencing issues with permissions for users delegated permissions to request certs.

    Tip: the issue "that PKIView is throwing a couple of errors today on the .crl and cert for the offline root are both showing as 'Unable to download'" may not be related to the Web enrollment permissions issue.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  3. nmpuk 21 Reputation points
    2021-03-05T21:58:34.203+00:00

    Hi,

    Thanks for the reply - please see my responses in line;

    1. What certificate template do you use (user certificate template or computer certificate template)?

    A. None of the published certificate templates are appearing; specifically, I am attempting to issue a web server certificate.

    2. Could you please check if you can enroll one certificate using the same certificate template via MMC method?

    A. Will check shortly, and confirm back.

    3. Can you confirm if you use http://server/certsrv/en-us or http://server/certsrv?

    A. I am using https://server/certsrv/en-us.
    https://server/certsrv results in an access denied error message.
    What's the difference?

    4. Did you receive the error message you mentioned after you type http://server/certsrv/en-us and click Enter immediately? If so, at what step did you receive the error message you mentioned? If you can provide the screenshot, it will be better.

    A. No. The error only occurs on the third step: after choosing 'Request a Certificate' and selecting 'Create and submit a request to this CA.' we get the prompt below:

    74879-error-1.jpg

    A. Clicking Yes on this prompt loads the page and you get the following error:

    74880-error2.jpg

    A. Similarly, when choosing 'Request a certificate' and then selecting 'Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.', we get the following errors:

    74913-error-3.jpg

    I know permissions on certificate template, but what do you mean for the following two descriptions?

    "Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group."

    A. Permissions have been delegated with reference to a Microsoft article, whereby a specific global group for certificate management has been granted the following permissions on the Sub CA itself:

    75001-ca-perms.jpg

    A. and the following permissions on the certificate template itself:

    74972-cert-perms.jpg

    Will post results of issuing via mmc shortly.

    thanks


  4. Daisy Zhou 20,876 Reputation points Microsoft Vendor
    2021-03-10T08:38:36.01+00:00

    Hello @nmpuk ,

    I am sorry for the late reply.

    Thank you for your very detailed update.

    Q: I am using https://server/certsrv/en-us.
    https://server/certsrv results in an access denied error message.
    What's the difference?

    A: Usually, we use the http://servername/certsrv (http://localhost/certsrv) or https://servername/certsrv (https://localhost/certsrv) web page to request a cert (the https web page is bound to a cert, so it is safer).

    Tip: servername is the machine name with Certification Authority Web Enrollment role.

    Or we can check on the server with Certification Authority Web Enrollment role (in my case, I installed Certification Authority Web Enrollment role on CA server).

    76183-iis3.png

    Open IIS and open the browser.
    76185-iis1.png

    And in my lab, I will open the web page below.
    76254-iis2.png

    1.Could you please check if you can enroll one certificate using the same certificate template you mentioned via MMC method?

    2.For Subject Name tab on Web server cert template.

    Select “Supply in the request”

    Tip: we must select “Supply in the request” under subject name tab, then we can see this certificate template through web page.


  5. nmpuk 21 Reputation points
    2021-03-10T14:26:36.623+00:00

    Thanks for the reply. A couple of points on your suggestions.

    I have tested and can request a certificate through mmc, however, the mmc has to be run under the local computer context (requesting web server certificate) and the certificate is shown as issued to 'hostname$'.

    If I launch mmc in the user context, the wizard shows no certificate templates available as below;
    76364-mm-no-certs-error.jpg

    This user is a member of the group granted permissions to read and enrol on the web server certificate.

    If I repeat this process in computer context (computer is granted permissions on the web server template), I can select the template and enrol the certificate by manually completing the certificate attributes.

    NOTE: I do NOT get an option to 'Supply in the request'. Where are you expecting to see this? See below

    76346-mmc-subject-tab.jpg

    Secondly, I checked web enrollment and the virtual directory contents of http://server/certsrv are actually empty except for the certdat.inc file and two subfolders, including en-us, which contains the web enrollment pages. As such, if I try to browse to http://server/certsrv I get an 'access denied'

    76355-web-error.jpg

    I believe this has always been the case, and removing and reinstalling the 'Certification Authority Web Enrollment' role doesn't resolve this.

    In a nutshell, the crux of the issue is that we need to submit CSRs created by third-party (non-Windows) devices as base64 encoded. We used to use the web enrollment for this and it used to work. It would be great to get this working, but also to understand if there are other, better ways, as I understand that the web enrollment is pretty much deprecated.

    Thanks

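As an added example (not part of this thread), a PowerShell check for the two conditions discussed in the previous two answers, the template's 'Supply in the request' setting and the delegated group's Enroll right on the template, followed by the certreq alternative for submitting base64 CSRs produced on non-Windows devices. The template name, group, CA config string and request path are placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and a domain account that can read the Configuration partition.
Import-Module ActiveDirectory

# Placeholders (assumed; adjust to your environment):
$TemplateName = 'WebServer'                                  # template common name
$Group        = 'CONTOSO\Cert-Requesters'                    # delegated requester group
$CaConfig     = 'issuingca.contoso.local\Contoso Issuing CA' # "host\CA common name"
$RequestFile  = 'C:\temp\device.req'                         # base64 PKCS#10 from the device

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tmpl = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag'

# 1. certsrv only lists templates whose Subject Name tab is 'Supply in the request',
#    i.e. bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag.
$nameFlag = [int]$tmpl.'msPKI-Certificate-Name-Flag'
if ($nameFlag -band 0x1) { "$TemplateName : subject supplied in request (visible in certsrv)" }
else { "$TemplateName : subject built from AD; it will not appear in certsrv" }

# 2. With Windows Authentication, certsrv requests as the logged-on *user*, so the
#    user (or a group) needs Read plus the Certificate-Enrollment control-access right.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$acl = Get-Acl -Path "AD:\$dn"
$enrollAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'ExtendedRight' -and
    ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)  # Empty = all rights
}
"Identities holding Enroll on $TemplateName :"
$enrollAces.IdentityReference.Value | Sort-Object -Unique
if ($enrollAces.IdentityReference.Value -notcontains $Group) {
    Write-Warning "$Group has no Enroll right on $TemplateName"
}

# 3. The template must also be published on the issuing CA.
certutil -config $CaConfig -CATemplates | Select-String -SimpleMatch $TemplateName

# 4. Alternative to the certsrv pages: submit the device's base64 PKCS#10 directly.
#    If the CA requires manager approval, certreq reports the request as pending and
#    the issued cert is fetched later with: certreq -config $CaConfig -retrieve <RequestId>
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" `
    $RequestFile "$env:TEMP\device.cer"
```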