Error: 0x00000046 - when requesting certificates

DJH

Hey,

We have an internal PKI utilising an offline root and policy server, and an
AD integrated enterprise issuing server. We've distributed our root
certificate via a GPO to all workstations/servers in AD.

We have a number of certificate templates for SSL certs. We permission these
with Role groups to define who can request and modify the certs.

We have one problematic box, when requesting a certificate via
servername\certsrv we get a permission denied error:

"An error occurred while creating the certificate request. Please verify
that your CSP supports any settings you have made and that your input is
valid.
Suggested cause:
You do not have write permission to save the file to the path
Error: 0x00000046 - Permission Denied"

The request is for a generic SSL certificate so that a secure channel can be
used to communicate between 2 boxes. The certificate request never reaches
the enterprise issuing server (no record of failed request). The error
message indicates a permission issue, but the way we permission the templates
is such that you won't see the cert via the web interface if you're not a member
of the group which can request this certificate type. The user requesting the
certificate is a member of builtin\administrators of the box requesting the
certificate.

Anyone have any suggestions?
 
DJH

Found it!

Permissions on the local certificate store were incorrect. For some reason
administrators only had read!

Local certificate store location:
C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys

"DJH" wrote:

> Hey,
>
> We have an internal PKI utilising an offline root and policy server, and an
> AD integrated enterprise issuing server. We've distributed our root
> certificate via a GPO to all workstations/servers in AD.
>
> We have a number of certificate templates for SSL certs. We permission these
> with Role groups to define who can request and modify the certs.
>
> We have one problematic box, when requesting a certificate via
> servername\certsrv we get a permission denied error:
>
> "An error occurred while creating the certificate request. Please verify
> that your CSP supports any settings you have made and that your input is
> valid.
> Suggested cause:
> You do not have write permission to save the file to the path
> Error: 0x00000046 - Permission Denied"
>
> The request is for a generic SSL certificate so that a secure channel can be
> used to communicate between 2 boxes. The certificate request never reaches
> the enterprise issuing server (no record of failed request). The error
> message indicates a permission issue, but the way we permission the templates
> is such that you won't see the cert via the web interface if you're not a member
> of the group which can request this certificate type. The user requesting the
> certificate is a member of builtin\administrators of the box requesting the
> certificate.
>
> Anyone have any suggestions?
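
A check for the condition described in the resolution above, as an added example that is not part of the original thread: it reads the ACL on the MachineKeys folder and reports whether BUILTIN\Administrators can create key files there. The function name `Test-MachineKeysWrite` is hypothetical; the default path is the one given in the post.

```powershell
# Added example (not from the thread): report whether BUILTIN\Administrators
# can create new private-key files in the machine key store folder.
function Test-MachineKeysWrite {
    param(
        # Path as given in the post; pass a different one if the key store
        # lives elsewhere on the system being checked.
        [string]$Path = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys',
        # Well-known SID of BUILTIN\Administrators (language independent).
        [string]$Sid = 'S-1-5-32-544'
    )

    $fsr   = [System.Security.AccessControl.FileSystemRights]
    $write = [int]$fsr::CreateFiles      # same bit as WriteData
    $full  = [int]$fsr::FullControl

    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allow = 0
    $deny  = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        # Inherit-only ACEs apply to children, not to the folder itself.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $rights = [int]$rule.FileSystemRights
        # ACEs stored with GENERIC_ALL / GENERIC_WRITE also grant write access.
        if ($rights -band 0x50000000) { $rights = $rights -bor $write }

        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor $rights }
        else                                     { $deny  = $deny  -bor $rights }
    }

    # Deny ACEs override Allow ACEs for the same principal.
    $effective = $allow -band (-bnot $deny)

    New-Object PSObject -Property @{
        Path                 = $Path
        Owner                = $acl.Owner
        AdministratorsRights = [System.Security.AccessControl.FileSystemRights]($effective -band $full)
        CanCreateKeyFiles    = [bool]($effective -band $write)
    }
}

Test-MachineKeysWrite | Format-List
```

The check only evaluates ACEs that name the Administrators group directly; rights granted or denied through other groups the requesting user belongs to are not included.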
 