2003 SP1 CA keeps denying cert requests


Paul Landry

Hi All,
I've got a 2003 SP1 server with all of the latest updates ( as of today )
running as a Stand-Alone Certificate Authority.
When I attempt to request certificates for IIS servers, using the Web
Enrollment, I keep getting the following messages.

Your certificate request was denied.
You Request id is xx. The disposition is "Denied by Policy Module"

On the CA machine, in he mmc, I see the rejected certificate requests. They
all say the same thing.

"The permissions on this certification authority do not allow the current
user to enroll for certificates. 0x80094011 (-2146877423)"

The requester name is LAB\IUSR_SPS which is the Anonymous Access user on the
Certificate authority machine.

I've googled the error and checked out several KB's , but nothing I've tried
has solved the problem.
I'm assuming I'm missing the spot where I can give the IUSR account
permissions, but I'll be darned if I can find that spot.

Does anyone have a clue how I can fix this problem?

On last piece of Info, the CA is running on the AD controller, in case that


Paul Landry
IT Manager - Centric Software, Inc.



Steven L Umbach

Are you sure that it is an stand alone CA and not an enterprise CA?? For a
stand alone CA you would have to find the pending request and then authorize
it to be issued in the CA Management Console. Make sure that you are logging
onto the IIS server as a local administrator. The command certutil -cainfo
will let you know the CA type. --- Steve

Paul Landry

Hi Steve,

I ran the certutil -cainfo and the results are...

CA type: 3 -- Stand-alone Root CA

I have configured the CA to automatically authorize requests.

It just doesn't seem to like the IUSR_ account being used to process the

Any ideas?



Steven L Umbach

Hi Paul.

I have not had that any experience with a stand alone CA configured to
automatically approve requests for a web server. What may be worth a try is
to see if it works where you have to manually approve the certificate and
then logging back onto the server as a local administrator to check for
pending request. The link below may help with specific details on how to
request and install a web server certificate in case you are missing
anything. You may also want to post in the Microsoft.public.security.crypto
newsgroup. --- Steve



Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question