Web Enrollment Certificate Request Denied

[Max]

I'm getting the following error when requesting a V1 EFS certificate
using web enrollment over our Windows 2000 IIS web enrollement server
(requesting the cert from a Windows 2003 Issuing CA):

"Certificate Request Denied


Your certificate request was denied.

Your Request Id is 5. The disposition message is "Denied by Policy
Module 0x80094800, The request was for a certificate template that is
not supported by the Certificate Services policy: EFS;;;;;;;;;;;;Basic
EFS. ".

Contact your administrator for further information."


When I request an EFS certificate using the MMC I have had no problem
at all and have done this from multiple workstations and servers. But
everytime I try the request through the web enrollment, I get this
error. This happens even though my account has full control access
(including enroll) to the EFS Certificate Template.

We are not using constrained delegation, and both the Windows 2000 web
enrollment server and the Windows 2003 Issuing CA are trusted for
delegation. We are using Windows Integrated authentication on the web
server.
We are using the Windows Default policy module currently on the
Windows 2003 Issuing CA.

I have searched through the new "Configuring and Troubleshooting
Windows 2000 and Windows Server 2003 Certificate Services Web
Enrollment" and haven't found anything that relates to this error.

Any help would be much appreciated.

Thanks!

 

[Guest]

I have a Doc file with all instruction to configure a vpn
basic on smart card if you need it send me an e-mail and
i will reply the file.
I have problem to configure the client to accept connect
with smart card if you have any information contact me.

Tnx

e-mail: (e-mail address removed)

 

[Max]

Sorry, I haven't dealt with deploying smart cards yet.

I'm just trying to figure out why certificate requests work using the
Certificates MMC, but then I'm told that the EFS certificate template
is
not supported by the Certificate Services when requesting the
certificate through web enrollment.

My XP workstation is a member of the domain. I have the lowest
possible browser security. And I'm using Windows Integrates Security
both on the web enrollment server and its checked on the browser. I'm
not using my UPN when connecting to the web server. These are all
things that are notes as possible causes in the latest whitepaper.

Perhaps my problem is that I'm not following Microsoft Best Practices
of having the web enrollment server on the same server as the Issuing
CA. I've split the two and I think that is causing me issues. There
don't seem to be many examples of this - the new book by Brian Komar,
the 2003 PKI Best Practices White Paper, and the 2003 PKI MOC all give
best practices set-up with IIS and web enrollment together on the
Issuing CA.

Page 134 of Komar's book, Microsoft Windows Server 2003 PKI and
Certificate Security, actually says "If you are planning to utilize
the Certificate Services Web Enrollment pages, you must install IIS on
the Issuing CA."

So perhaps my setup doesn't work at all. Although it would seem to be
better from a security standpoint to split web enrollment and IIS from
the Issuing CAs and their private keys.