When you use the Certificates console on a client computer to request a certificate from a computer running Windows Server 2003 SP1, you receive:

The wizard cannot be started because of one or more of the following conditions:

- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.

The servers Application log contains events like:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer: <ServerName>
Description: Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: SubCA.


Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 21
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer: <ServerName>
Description: Certificate Services could not process request 5 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437).

The client Application log will post Event ID: 13, Event Source: AutoEnrollment if you enable automatic enrollment of certificates in the domain. The client will be unable to obtain certificates automatically.

SP1 introduced rights that give an administrator independent control over local and remote permissions for:

- Starting Component Object Model (COM) servers.
- Activating COM server settings.
- Accessing COM servers.

A new CERTSVC_DCOM_ACCESS security group in the CN=Users container, which should have appropriate permissions, was created when SP1 was installed, and should have the Domain Users and Domain Computers global groups as members. If the Certificate Services service is running on a domain controller, the CERTSVC_DCOM_ACCESS is configured as a Domain Local group with the Enterprise Domain Controllers group as an additional member.

The problem behavior occurs if the membership of the CERTSVC_DCOM_ACCESS group, or DCOM permissions, is incorrect.

To fix the problem:

1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority:
a. Start / Run / Dsa.msc / OK
b. Select the Users container.
c. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
        <b>Domain Users
        Domain Computers
        Enterprise Domain Controllers</b> if the <b>Certificate Services</b> service is running on a domain controller.
NOTE: If users or computers in other domains need to enroll against the certification authority, you must add them to the CERTSVC_DCOM_ACCESS group.

3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority:
a. Start / All Programs / Administrative Tools / Component Services.
b. Expand Component Services.
c. Expand the Computers node.
d. Right-click the My Computer node, and press Properties.
e. Select the COM Security tab.
f. Press Edit Limits under Access Permission.
g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then press Cancel.
h. Under Launch and Activation Permissions, press Edit Limits.
i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then press Cancel.
j. Press Cancel, and then close the Component Services console.
4. If any of the above are incorrect:
a. open a CMD.EXE window.
b. Run the following commands, pressing Enter after each line:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc

5. Repeat steps 1 through 3 to verify that all the settings are correct.

NOTE: If you changed membership of the CERTSVC_DCOM_ACCESS group, you must restart the server for the changes to take effect.

NOTE: See tip 9834 ยป Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1.