Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Tuesday, February 12, 2019 10:30 AM
Where can I check why one account cannot publish a new certificate template? I can manage (edit / duplicate etc.) templates, but I unable to issue them. In an adsiedit.msc console i checked properties of the containers: Certificate Templates and OID. In security tab in both containers is added a group with full control permissions. There are several users in this group, others can easily issue new certificate templates, but for me "New -> Certificate Template to Issue" option is grayed out.
Could you please advise on the next actions to find the root cause of this issue?
All replies (5)
Friday, February 15, 2019 9:04 AM âś…Answered
Hi Krystian,
Hmmm, if you wouldn't have the "Issue and Manage Certificates" and "Manage CA" permissions, adding a template to the CA must fail exactly the way you described. You may want to go across the permissions part (group membership, deny permissions, anything you can think of that would cause the net permissions not to be right) with a fine toothcomb. You don't have to bother with the template permissions, they don't impact this particular action. The most likely is still a misconfiguration that knocks out the permission for you.
Assuming all is in perfect order, you may want to check back with Microsoft support, as it sounds like the system might not be responding to the permissions set (though improbable).
Kind Regards,
Tuesday, February 12, 2019 2:54 PM
Hi Krystian,
You need Issue and Manage Certificates or Manage CA permissions on the CA itself for adding a new Certificate Template to Issue (I'm not entirely sure which of the two). When in the CA, right-click the CA icon itself and click Properties. Navigate to the Security tab. You'll find four permissions there, the two I mentioned, Read and Request Certificates.
Kind Regards,
Tuesday, February 12, 2019 2:56 PM
check permissions in adsi configuration context - services - pki - enrollment services
templates that are published are added to a attribute on the enrollment object od the issuing ca
Please remember to mark the replies as answers if they helped.
Wednesday, February 13, 2019 8:03 AM
@J.Couwenberg, I can confirm that such permissions (Issue and Manage Certificates and Manage CA) are assigned to this group. I don't think that this is a root cause, because other people in this group can issue new templates.
@Proed, I checked permissions on the CN=Enrollment Services container and i don't see any misconfiguration.
Monday, February 25, 2019 2:19 AM
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If no, please reply and tell us the current situation in order to provide further help.
Best Regards,
Kallen
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].