当尝试从指定为 CA 的 DC 为 DomainControllerAuthentication 请求新证书时,我们一直收到访问被拒绝错误。
事件查看器中生成以下事件:
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:32 PM
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA (Access is denied. 0x80070005 (WIN32: 5)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="49754">13</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:32.000000000Z" />
<EventRecordID>5750</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="TemplateName">DomainControllerAuthentication</Data>
<Data Name="RequestId">vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA</Data>
<Data Name="CA">N/A</Data>
<Data Name="ErrorCode">Access is denied. 0x80070005 (WIN32: 5)</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:29 PM
Event ID: 64
Task Category: None
Level: Information
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system successfully load policy from policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">64</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
<EventRecordID>5749</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="ServerID">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: 20/02/2013 2:54:29 PM
Event ID: 65
Task Category: None
Level: Information
Keywords: Classic
User: CONSOTO\adadmin
Computer: vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system is successfully authenticated by policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
<EventID Qualifiers="33370">65</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
<EventRecordID>5748</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>vmsrvdc-40.consoto.com</Computer>
<Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
</System>
<EventData>
<Data Name="Context">Local system</Data>
<Data Name="ServerURL">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
</EventData>
</Event>
到目前为止,我们已经:
- 验证 DCOM 证书注册组成员以确保将正确的 DC 和用户添加到该组。
- 验证 CA 和模板上的权限,以确保请求新证书的用户和 DC 具有适当的权限来基于模板创建新证书。
- 确保树中没有保留具有 CA 角色的旧丢失 DC 的对象
但是这些步骤不允许我们申请新的证书......