Excellent. That's worth the review. Thanks.
On Thu, Dec 8, 2011 at 16:10, Jon Harris <jk.har...@gmail.com> wrote: > You might be interested in this BLOG for PKI > templates http://blogs.technet.com/b/pki/archive/2009/09/26/introducing-certificate-template-api.aspx. > > Good luck with the working toy. > > Jon > . > On Thu, Dec 8, 2011 at 2:29 PM, Kurt Buff <kurt.b...@gmail.com> wrote: >> >> All, >> >> After staring at the configs in >> >> http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx >> for days, and doing lots of reading and searching, I found the >> problem. >> >> Simple, really, but sometimes the purloined letter will ruin your day. >> >> In the example CAPolicy.inf file for the issuing CA, the following >> line was the problem: >> >> LoadDefaultTemplates=0 >> >> It didn't strike me for the longest time, but there you go. Removed >> that line, and it started issuing certs - I see that all of my DCs and >> the issuing CA itself have gotten certs, and so have about 18 people, >> out of 250+ staff. >> >> So, it's functioning now, and I have a good deal more reading to do to >> figure out which templates I want to create, etc. >> >> The more interesting things to understand are: >> >> >> 1) Why am I seeing the following warnings in the event logs, even >> though the cert is being issued: >> >> Log Name: Application >> Source: Microsoft-Windows-CertificationAuthority >> Date: 2011-12-07 22:13:16 >> Event ID: 80 >> Task Category: None >> Level: Warning >> Keywords: Classic >> User: SYSTEM >> Computer: cert.example.com >> Description: >> Active Directory Certificate Services could not publish a >> Certificate for request 19 to the following location on server >> usdc4.example.com: CN=John >> Doe,OU=Development,OU=Engineering,OU=Users,OU=ExampleUS,DC=example,DC=com. >> Insufficient access rights to perform the operation. 0x80072098 >> (WIN32: 8344). >> ldap: 0x32: 00002098: SecErr: DSID-03150BB9, problem 4003 >> (INSUFF_ACCESS_RIGHTS), data 0 >> >> At least, it looks to me as if the certs are being issued, because >> certs with user names matching the request numbers are appearing in >> the 'Issued Certificates' folder in the management console - they are >> of the type 'Basic EFS (EFS)'. >> >> >> 2) What process is invoking these certs? I have no idea how (just a >> few) users from such disparate departments and types of machines >> (desktops and laptops) are getting the certs, especially since I >> haven't announced anything, and don't have anything in place that >> requires their use yet. >> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >> >> --- >> To manage subscriptions click here: >> http://lyris.sunbelt-software.com/read/my_forums/ >> or send an email to listmana...@lyris.sunbeltsoftware.com >> with the body: unsubscribe ntsysadmin > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin