+1 971 231 5523 info@pkisolutions.com

The Requested Template is not Supported by this CA (Error 0x80094800)

PKI Solutions Inc. Certificate Templates, Enrollment, Permissions, PKI, Policy Module The Requested Template is not Supported by this CA (Error 0x80094800)

Certificate Templates Enrollment Permissions PKI Policy Module

Today I was working with a customer and they mentioned they had just been contacted about an enrollment problem on one of their CAs. They had recently added a template to one of their Windows Server 2012 R2 CAs. The template had been in use for a long time and is present on their other CAs. The user enrolling for the certificate was receiving an error about how the template was not available on the CA. We could look on the CA and see that the template was clearly there.

ClientError

Here is what the user was reporting when they attempted to enroll (all screenshots are lab reproductions of the issue). The error stated “The requested certificate template is not supported by the CA. Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy:XXXXXXXXX. CRTSRV_E_UNSUPPORTED_CERT_TYPE

 

On the CA we could clearly see template listed on the CA and we could also see the failed enrollment.

CAView

FailedEnrollment

 

 

 

 

 

 

At first all of the obvious things were addressed. Perhaps the template being used by the user was different than what we were looking at. So we verified the template OID in the request matched the template we had on the CA.

We used Certutil -view -restrict “requestid=xxx” to dump the enrollment request from the CA database to verify what was sent, to eliminate any chance the user left off part of the story.

Next, we looked at the permissions on the template. The template should our user had read and enroll permission for the computer object they were enrolling (CMB).

Perms

But while we were looking here, I suddenly had an ah-ha moment! Do you see it? The permissions showed me not only what the error was, but how the problem had occurred. Don’t see it yet?

One of the things I often tell customers, and students in my PKI classes, is that all templates by default have Authenticated Users with Read permission. This is a default configuration and one I recommend that never changes – because of issues like this. Notice that the CA computer is not listed in the permissions above. So in affect, the CA can’t see/read the template itself. The template is “added” to a CA but an administrator. But that process “New/Certificate Template to Issue” merely places an attribute on the CA’s Enrollment Services object in AD. So all that is needed is read permission for the administrator to add a template.

So when the user attempted to enroll, it retrieved the Enrollment Services objects, saw what templates were listed as available, and then download the templates from AD. It formulated its enrollment and sent it to the CA. At this point, the CA didn’t “know” anything about the request template, in affect, it couldn’t see that template. So it denied the enrollment.

 

So the fix, it was an easy one – add Authenticated Users back to the template and grant it Read permissions.

AuthUsers Success

  • July 21, 2016

Comments are closed.

  © Copyright 2013-2017 PKI Solutions Inc. // All Rights Reserved // Terms of Service // Privacy Policy // Pricing and Refund Policies