无法请求新证书:访问被拒绝。(2008 R2)

无法请求新证书:访问被拒绝。(2008 R2)

当尝试从指定为 CA 的 DC 为 DomainControllerAuthentication 请求新证书时,我们一直收到访问被拒绝错误。

事件查看器中生成以下事件:

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:32 PM
Event ID:      13
Task Category: None
Level:         Error
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA (Access is denied. 0x80070005 (WIN32: 5)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="49754">13</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:32.000000000Z" />
    <EventRecordID>5750</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="TemplateName">DomainControllerAuthentication</Data>
    <Data Name="RequestId">vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA</Data>
    <Data Name="CA">N/A</Data>
    <Data Name="ErrorCode">Access is denied. 0x80070005 (WIN32: 5)</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:29 PM
Event ID:      64
Task Category: None
Level:         Information
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system successfully load policy from policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Version>0</Version>
    <Level>0</Level>
   <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
    <EventRecordID>5749</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="ServerID">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:29 PM
Event ID:      65
Task Category: None
Level:         Information
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system is successfully authenticated by policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">65</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
    <EventRecordID>5748</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="ServerURL">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
  </EventData>
</Event>

到目前为止,我们已经:

  • 验证 DCOM 证书注册组成员以确保将正确的 DC 和用户添加到该组。
  • 验证 CA 和模板上的权限,以确保请求新证书的用户和 DC 具有适当的权限来基于模板创建新证书。
  • 确保树中没有保留具有 CA 角色的旧丢失 DC 的对象

但是这些步骤不允许我们申请新的证书......

相关内容