«

The MMC manual request keeps failing (same error messages as reported
earlier). And I found following event in the Application Event on my
notebook, the autoenrollment of the computer network also fails. The notebook
is connected on the wired LAN and works fine except for this issue.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 22/02/2005
Time: 11:36:15
User: N/A
Computer: TM803LMI
Description:
Automatic certificate enrollment for local system failed to enroll for one
Computer certificate (0x80070005). Access is denied.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I'd double check that your computer account has read and enroll permissions
for the cert. It seems that your computer doesn't have the rights to enroll
for the cert. Is the laptop running a server OS?

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Ivo" <> wrote in message
news:280A9C7A-0804-497E-A683-...
> The MMC manual request keeps failing (same error messages as reported
> earlier). And I found following event in the Application Event on my
> notebook, the autoenrollment of the computer network also fails. The
> notebook
> is connected on the wired LAN and works fine except for this issue.
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 13
> Date: 22/02/2005
> Time: 11:36:15
> User: N/A
> Computer: TM803LMI
> Description:
> Automatic certificate enrollment for local system failed to enroll for one
> Computer certificate (0x80070005). Access is denied.
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>

Interesting remark, the laptop just joined the domain, that's all. Just like
another PC and that one can do MMC manual certificate requests all right. The
laptop is running Windows XP Professional Service Pack 2 (like the other PC).
Where can I check these permissions?

Thanks, Ivo

"Mark Gamache" wrote:

> I'd double check that your computer account has read and enroll permissions
> for the cert. It seems that your computer doesn't have the rights to enroll
> for the cert. Is the laptop running a server OS?
>
> Cheers,
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com

Try this http://support.microsoft.com/kb/239452/EN-US/

The scenario is slightly different, but I think the cause and resolution may
match your situation. The access denies appears to be access tot he CA or
its templates. Its clear that you have access to the resources on your
laptop.

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Ivo" <> wrote in message
news:3983BA5A-A179-4BBA-9909-...
> Interesting remark, the laptop just joined the domain, that's all. Just
> like
> another PC and that one can do MMC manual certificate requests all right.
> The
> laptop is running Windows XP Professional Service Pack 2 (like the other
> PC).
> Where can I check these permissions?
>
> Thanks, Ivo
>
> "Mark Gamache" wrote:
>
>> I'd double check that your computer account has read and enroll
>> permissions
>> for the cert. It seems that your computer doesn't have the rights to
>> enroll
>> for the cert. Is the laptop running a server OS?
>>
>> Cheers,
>>
>> --
>> Mark Gamache
>> Certified Security Solutions
>> http://www.css-security.com

Interestint that you managed to find the article with the exact error code,
it's for use wit W2K though and at home I have a W2K3 SBS.
I followed the KB article:

Grant Read and Enroll access for the template to the appropriate user or
group by using the Sites and Services snap-in. You can set the access rights
on the Security tab by expanding the following items: Services, Public Key
Services, Certificate Templates.
Note that the Show Services Node check box must be selected on the View
menu to see the Services tab.

I added the right to the following template: MachineEnrollmentAgent
Properties, so Domain Computers, were added with Read & Enroll Allowed.

I stopped and restarted the Certification Service on the server, restarted
the laptop but the auto enrollment error reappeard. I did a gpupdate /force
on the laptop and restarted the laptop but alas.

Regards, Ivo

"Mark Gamache" wrote:

> Try this http://support.microsoft.com/kb/239452/EN-US/
>
> The scenario is slightly different, but I think the cause and resolution may
> match your situation. The access denies appears to be access tot he CA or
> its templates. Its clear that you have access to the resources on your
> laptop.
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com
>
>
>
> "Ivo" <> wrote in message
> news:3983BA5A-A179-4BBA-9909-...
> > Interesting remark, the laptop just joined the domain, that's all. Just
> > like
> > another PC and that one can do MMC manual certificate requests all right.
> > The
> > laptop is running Windows XP Professional Service Pack 2 (like the other
> > PC).
> > Where can I check these permissions?
> >
> > Thanks, Ivo
> >
> > "Mark Gamache" wrote:
> >
> >> I'd double check that your computer account has read and enroll
> >> permissions
> >> for the cert. It seems that your computer doesn't have the rights to
> >> enroll
> >> for the cert. Is the laptop running a server OS?
> >>
> >> Cheers,
> >>
> >> --
> >> Mark Gamache
> >> Certified Security Solutions
> >> http://www.css-security.com
>
>
>

I checked on the problem free PC (the one that can do manual MMC certificate
requests) for autoenrollment error in the Application Event... and this one
has problems with autoenrollment too, although the error code is different.

When I do a manual MMC certificate request as domain administrator on the
laptop (see earlier messages), then I should have enough rights to do that,
and computer rights should not play a role, different from autoenrollment.

I would be happy to do a successful manual MMC certification request...

Regards,
Ivo


Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 15/02/2005
Time: 21:56:29
User: N/A
Computer: DX6100MT
Description:
Automatic certificate enrollment for local system failed to contact the
active directory (0x8007003a). The specified server cannot perform the
requested operation.
Enrollment will not be performed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Are you able to get any certs form the CA?? You may want to try
certutil -ping and certutil -catemplates and certutil -entinfo

it seems like that error is related to not being able to get the CA info
from AD. It may also be having trouble getting to AD. I'd verify that the
client is functioning in all other respects.

Cheers,



--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Ivo" <> wrote in message
news:4C1164FC-998C-4C8A-BCDD-...
>I checked on the problem free PC (the one that can do manual MMC
>certificate
> requests) for autoenrollment error in the Application Event... and this
> one
> has problems with autoenrollment too, although the error code is
> different.
>
> When I do a manual MMC certificate request as domain administrator on the
> laptop (see earlier messages), then I should have enough rights to do
> that,
> and computer rights should not play a role, different from autoenrollment.
>
> I would be happy to do a successful manual MMC certification request...
>
> Regards,
> Ivo
>
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 15
> Date: 15/02/2005
> Time: 21:56:29
> User: N/A
> Computer: DX6100MT
> Description:
> Automatic certificate enrollment for local system failed to contact the
> active directory (0x8007003a). The specified server cannot perform the
> requested operation.
> Enrollment will not be performed.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>

[rbassilian]

I'm having a similar issue. The interesting thing is that I can install a user based certificate just fine, but when I install a computer based certificate I get the error.

[WhatIThink]

I am having the exact same problem. I can request user certificates but not computer certs. I have gone through all DCOM, template permissions, CA permissions, etc. Pulling my hair out here.

Did you ever find the answer?