Cannot request a new certificate: access denied. (2008 R2)

2

When trying to request a new certificate for DomainControllerAuthentication from our DC designated as CA, we keep getting an access denied error.

The following events are generated in the Event Viewer:

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:32 PM
Event ID:      13
Task Category: None
Level:         Error
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA (Access is denied. 0x80070005 (WIN32: 5)).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="49754">13</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:32.000000000Z" />
    <EventRecordID>5750</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="TemplateName">DomainControllerAuthentication</Data>
    <Data Name="RequestId">vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA</Data>
    <Data Name="CA">N/A</Data>
    <Data Name="ErrorCode">Access is denied. 0x80070005 (WIN32: 5)</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:29 PM
Event ID:      64
Task Category: None
Level:         Information
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system successfully load policy from policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">64</EventID>
    <Version>0</Version>
    <Level>0</Level>
   <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
    <EventRecordID>5749</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="ServerID">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        Microsoft-Windows-CertificateServicesClient-CertEnroll
Date:          20/02/2013 2:54:29 PM
Event ID:      65
Task Category: None
Level:         Information
Keywords:      Classic
User:          CONSOTO\adadmin
Computer:      vmsrvdc-40.consoto.com
Description:
Certificate enrollment for Local system is successfully authenticated by policy server {C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CertEnroll" Guid="{54164045-7C50-4905-963F-E5BC1EEF0CCA}" EventSourceName="CertEnroll" />
    <EventID Qualifiers="33370">65</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-20T19:54:29.000000000Z" />
    <EventRecordID>5748</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>vmsrvdc-40.consoto.com</Computer>
    <Security UserID="S-1-5-21-1518945024-1460817392-709122288-5797" />
  </System>
  <EventData>
    <Data Name="Context">Local system</Data>
    <Data Name="ServerURL">{C1BA95CA-8DD5-4350-B81C-BE7BB80AD305}</Data>
  </EventData>
</Event>

So far, we have:

  • Checked the members of the Certificate Service DCOM Access group to make sure the appropriate DCs and users are added to the group.
  • Checked the permissions on the CA and on the templates to make sure the user and the DC requesting the new certificate have adequate permissions to create a new certificate based on the template.
  • Made sure that no objects remain in the tree from the old lost DC that had the certification authority role.

However, these steps have not allowed us to request new certificates ...

by Andrew Moore 20.02.2013 / 21:35
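The three checks listed in the question (DCOM group membership, template permissions, leftover CA objects from the lost DC) can be scripted so the result is visible in one place. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory module (RSAT on 2008 R2) is available and that it runs as a domain admin. The CA config string, template name and DC host name are taken from the event log above; the machine account name `VMSRVDC-40$` is derived from that host name and is an assumption.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is loaded and the session has rights to read the Configuration
# partition. Values marked "from the question" come from the event log above.
Import-Module ActiveDirectory

$CaConfig  = 'vmsrvdc-40.consoto.com\consoto-VMSRVDC-40-CA'   # from the question
$Template  = 'DomainControllerAuthentication'                 # from the question
$DcAccount = 'VMSRVDC-40$'   # assumed machine account; "Local system" enrolls as this

$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# --- Check 1: DCOM access -------------------------------------------------
# Enrollment reaches the CA over DCOM; the caller must be in
# "Certificate Service DCOM Access", directly or via a nested group.
# For a "Local system" request the caller is the DC's machine account.
$dcomMembers = Get-ADGroupMember -Identity 'Certificate Service DCOM Access' -Recursive
$dcInDcom    = [bool]($dcomMembers | Where-Object { $_.SamAccountName -eq $DcAccount })
Write-Host "DC account $DcAccount is in Certificate Service DCOM Access: $dcInDcom"
$dcomMembers | Select-Object objectClass, SamAccountName | Format-Table -AutoSize

# --- Check 2: template ACL ------------------------------------------------
# The template is an AD object; Enroll and AutoEnroll are extended rights
# identified by fixed GUIDs. A group containing the DC account must hold them.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$templateDn = "CN=$Template,CN=Certificate Templates,$pkiBase"
Write-Host "`nACEs granting Enroll / AutoEnroll / full control on $Template :"
(Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object {
        (@($EnrollGuid, $AutoEnrollGuid) -contains $_.ObjectType) -or
        ($_.ActiveDirectoryRights.ToString() -match 'GenericAll')
    } |
    Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = {
            if     ($_.ObjectType -eq $EnrollGuid)     { 'Enroll' }
            elseif ($_.ObjectType -eq $AutoEnrollGuid) { 'AutoEnroll' }
            else                                       { 'GenericAll' }
        } } |
    Format-Table -AutoSize

# --- Check 3: stale CA objects --------------------------------------------
# Every CA publishes a pKIEnrollmentService object under Enrollment Services.
# A leftover object from a decommissioned DC/CA still advertises templates,
# so clients can be pointed at a host that no longer exists or refuses them.
Write-Host "`nCAs registered in AD:"
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -SearchScope OneLevel `
             -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        $caHost = $_.dNSHostName
        New-Object PSObject -Property @{
            CA                = $_.Name
            Host              = $caHost
            HostReachable     = [bool](Test-Connection -ComputerName $caHost -Count 1 -Quiet -ErrorAction SilentlyContinue)
            PublishesTemplate = [bool]($_.certificateTemplates -contains $Template)
        }
    } | Format-Table CA, Host, HostReachable, PublishesTemplate -AutoSize

# --- Check 4: the CA's own request interface ------------------------------
# certutil -ping contacts the CA's request interface over DCOM without
# submitting a request. "Access is denied" at this stage is raised before
# any template is evaluated, which separates CA/DCOM security from template ACLs.
certutil -config $CaConfig -ping
```

Run it on the DC itself or on any domain member with RSAT. If check 1 shows the DC account is not a member, check 2 shows no ACE granting Enroll to a group it belongs to, or check 3 lists a CA whose host is unreachable but still publishes the template, that is the item to fix first; if all three look right and `certutil -ping` is still refused, the remaining suspect is the CA's own security tab (Request Certificates permission) rather than the template.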

0 answers