Problem
Your Active Directory environment has an empty root domain and a child domain that contains your computer and user objects. You decide to deploy an Enterprise Root CA in the child domain and use it as your Certificate Authority. The deployment completes, but when, logged on as a domain administrator of the child domain, you open the http://yourCA/certsrv web enrollment page to request a certificate, you receive the following error:
Certificate Template: (No templates found!)
No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.
You open up Active Directory Sites and Services to check on Services –> Public Key Services –> Certificate Templates and you see the templates:
Solution
You receive this error because, although you installed the Enterprise Root CA in the child domain, the permissions required to see the templates are, by default, granted to accounts with at least Domain Administrator privileges in the parent root domain. It's a bit hard to see in the screenshot below since I had to blank out the domain name, but what you should see listed there are the Domain Admins and Enterprise Admins of the root domain:
The screenshot below shows the permissions that the domain administrator of the root domain has inherited:
What we need to do is add the child domain's domain administrators group to the security permissions of the Certificate Templates container and give it the same permissions that the root domain's domain administrators group has:
It is also important to change the "Apply to" drop-down menu from:
This object only
… to …
This object and all descendant objects
Click OK when the permissions have been set:
Now that the child domain's domain administrators group has permissions on the templates, the error should no longer appear when you request a certificate from the web enrollment page:
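The same permission change, scripted as an added example (not part of the original post). It assumes the ActiveDirectory PowerShell module, that it runs in the child domain under an account allowed to modify the Certificate Templates container, and it uses the well-known RID 512 for each domain's Domain Admins group; without -Apply it only reports what it would add.

```powershell
# Added example: mirror the root domain's Domain Admins ACEs on the Certificate Templates
# container onto the child domain's Domain Admins, applied to "This object and all descendant
# objects". Assumes the ActiveDirectory module and a session logged on to the child domain.
param([switch]$Apply)
Import-Module ActiveDirectory

$configNc    = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$rootDomain  = Get-ADDomain -Identity (Get-ADForest).RootDomain
$childDomain = Get-ADDomain   # the domain this session is logged on to

# Domain Admins always has RID 512 in its own domain
$rootDA  = [System.Security.Principal.SecurityIdentifier]"$($rootDomain.DomainSID.Value)-512"
$childDA = [System.Security.Principal.SecurityIdentifier]"$($childDomain.DomainSID.Value)-512"

$acl = Get-Acl -Path "AD:\$templatesDn"

# Explicit (non-inherited) ACEs held by the root domain's Domain Admins on the container
$rootRules = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $rootDA
}
if (-not $rootRules) { throw "No explicit ACEs for root Domain Admins found on $templatesDn" }

# What the child Domain Admins already hold, so the run is easy to audit before applying
$childRules = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $childDA
}
Write-Host "Child Domain Admins currently hold $($childRules.Count) ACE(s) on $templatesDn"

foreach ($r in $rootRules) {
    # Same rights, type and object GUIDs as the root ACE, but applied to the container
    # and all descendant objects (the "Apply to" setting from the screenshots)
    $newRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $childDA, $r.ActiveDirectoryRights, $r.AccessControlType, $r.ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
        $r.InheritedObjectType)
    Write-Host ("Would grant {0}: {1} ({2})" -f $childDA, $r.ActiveDirectoryRights, $r.AccessControlType)
    if ($Apply) { $acl.AddAccessRule($newRule) | Out-Null }
}

if ($Apply) {
    Set-Acl -Path "AD:\$templatesDn" -AclObject $acl
    Write-Host "ACL updated; reload http://yourCA/certsrv to confirm the templates are listed."
}
```

Only explicit ACEs are copied, so the child group ends up with no more than the root group holds; write access to this container governs every template the CA can issue, so keep it limited to administrators.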
4 comments:
Thanks!
Able to see only the User and EFS templates, not able to see other templates such as Web Server and so on. Any help please?
Great documentation! Very helpful
For those finding this via searching as I did, this is one of many potential issues that can cause this problem.
Another problem relates to the domain functional level. In our case, although the Domain Controller was 2012, the domain was still at a 200 level. This prevents ALL existing templates from being usable (thanks Microsoft!). The solution is to create a copy of the template you need (usually Web Server) and make sure in its properties that it is usable by 2003 and above, then make sure to "issue" the new template, and it should show up in the list if that was the problem.