Automatic certificate enrollment for local system failed

 
 
MR

 
      01-13-2005, 08:52 PM
I am receiving the error message (see below) every 8 hours. This computer,
FW, is a (W2K3 Standard Server) DC and is connected to the primary DC (W2K3
Enterprise Server). FW is running ISA Server 2004 and the primary DC is also
an Exchange server.
I have selected Enroll certificates automatically in the Autoenrollment
Settings and Properties in the Public Key Policies. I have also checked
Renew expired certificates and Update certificates.

I have not been able to find any links that refer to this error.

I would appreciate any help in finding this solution.
thanks
m

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 1/13/2005
Time: 11:18:11 PM
User: N/A
Computer: FW
Description:
Automatic certificate enrollment for local system failed to enroll for one
Domain Controller certificate (0x80070005). Access is denied.



 
Steve Riley [MSFT]

 
      01-13-2005, 10:30 PM
That error usually means that the enrollee doesn't have Read or Enroll permissions
on the certificate template used for the certificate request. Make sure that
the computer account has correct permissions on the template.

Steve Riley
 
lazyadmin

 
      01-14-2005, 01:07 AM

Check what the ACLs are on the directory "%SystemDrive%\Documents and
Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". Only
"Administrators" and "System" should have permissions. I'd bet the list
only contains "Everyone". When the private key is created, autoenrollment
removes the "Everyone" group from the permission on the private key for
security reasons. If "Everyone" is the only ACL on the key, the key is not
accessible by anyone and you get Access Denied.

--
Rod
http://www.thelazyadmin.com



 
Reply With Quote
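An added example, not part of the thread and not written by any of the posters: a PowerShell audit of the MachineKeys ACL described in the reply above, reporting when Administrators or SYSTEM have no Allow entry or when Everyone is the only trustee. It assumes PowerShell is installed on the server and uses the directory named in the post; the function name Test-MachineKeysAcl is hypothetical.

```powershell
# Added example (not from the thread). Audits the ACL on the machine key store.
# Assumption: default path is the one quoted in the post; newer Windows versions
# keep the store under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys.
function Test-MachineKeysAcl {
    param(
        [string]$Path = (Join-Path $env:SystemDrive `
            'Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys')
    )

    if (-not (Test-Path $Path)) { throw "Path not found: $Path" }

    # Well-known SIDs, so the check does not depend on localized account names.
    $required = @{
        'S-1-5-32-544' = 'BUILTIN\Administrators'
        'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
    }
    $everyone = 'S-1-1-0'

    # Ask for explicit and inherited rules with trustees expressed as SIDs.
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Unique SIDs that hold at least one Allow entry.
    $allowed = @($rules |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique)

    $findings = @()
    foreach ($sid in $required.Keys) {
        if ($allowed -notcontains $sid) {
            $findings += "No Allow entry for $($required[$sid]) ($sid)"
        }
    }
    if ($allowed.Count -eq 1 -and $allowed[0] -eq $everyone) {
        $findings += "Everyone ($everyone) is the only trustee with access"
    }

    New-Object PSObject -Property @{
        Path     = $Path
        Allowed  = $allowed
        Findings = $findings
        Healthy  = ($findings.Count -eq 0)
    }
}

# Check the directory itself; pass -Path with a key file to check a single key.
Test-MachineKeysAcl | Format-List
```

The function only reads ACLs, so it can be run repeatedly while permissions are being corrected.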
 
MR

 
      01-14-2005, 07:41 AM
Thanks for your reply. I added the administrator and system and allowed
Read, Read & Execute and List Folder Contents. Unfortunately, I still get the
same error.

I noticed in the system log that whenever I get the Autoenrollment error in
the application log, I get a corresponding DCOM error:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10006
Date: 1/14/2005
Time: 10:36:44 AM
User: NT AUTHORITY\SYSTEM
Computer: FW
Description:
DCOM got error "General access denied error " from the computer
hev.server.com when attempting to activate the server:
{D99E6E74-FC88-11D0-B498-00A0C90312F3}


Sounds like another security issue, but where?

thanks for your help
m
 
Andrew Mitchell

 
      01-14-2005, 10:26 AM
Try here:
http://support.microsoft.com/?kbid=246208

--
Andy.
 
MR

 
      01-14-2005, 11:38 AM
I am not clear if I am supposed to make the changes on the server (CA) or
the client.
Please advise.

thanks