Windows server 2016 and running Microsoft CA offline root, with a SubCA\Issuing CA on a member server.
This has worked in the past but currently experiencing issues with permissions for users delegated permissions to request certs. This is an engineering \ test environment.
This was previously working but recently attempted to request a certificate and getting errors relating to permissions on certificate templates, as below.
"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occured while accessing the Active Directory"
Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group.
I don't see any other relevent errors on the logs but users in this delegated group simply cannot submit a request on the http://server/certsrv/en-us portal with the above error message.
Permissions on IIS is configured for Windows Authentication only, and the app pool for CertSrv is configured for NetworkService.
Enterprise admins can submit new requests when tested.
PKIView shows everything OK.