Microsoft CA - Web enrollment permissions issue.

nmpuk 21 Reputation points
2021-03-04T13:03:32.683+00:00

Windows server 2016 and running Microsoft CA offline root, with a SubCA\Issuing CA on a member server.

This has worked in the past but currently experiencing issues with permissions for users delegated permissions to request certs. This is an engineering \ test environment.

This was previously working but recently attempted to request a certificate and getting errors relating to permissions on certificate templates, as below.

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"

Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA, to that group.

I don't see any other relevant errors in the logs, but users in this delegated group simply cannot submit a request on the http://server/certsrv/en-us portal with the above error message.

Permissions on IIS are configured for Windows Authentication only, and the app pool for CertSrv is configured for NetworkService.

Enterprise admins can submit new requests when tested.

PKIView shows everything OK.

Thoughts?


10 answers

  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-03-11T09:34:26.9+00:00

    Hello @nmpuk ,

    Thank you for your update.

    If I launch mmc in the user context, the wizard shows no certificate templates available, as below.
    A: Because it is a computer certificate template, only an administrator in the local computer context can see it.

    NOTE: I do NOT get an option to 'Supply in the request'. Where are you expecting to see this? See below
    A: On the certificate template.
    [image: 76704-web2.png]

    I mean if you want to see "Web Server" certificate template through certsrv web page (http://localhost/certsrv or https://localhost/certsrv), you need to select the option 'Supply in the request'.

    [image: 76721-web.png]

    But you can see the web server cert template via MMC whether or not you select the option 'Supply in the request'.

    403 error seems like permission issue. Do you have the same 403 issue on any machine?

    Here is a similar case, with the CSR submitted as a base64-encoded certificate request.

    I have replied before.

    Unable to sign CSR with Microsoft Windows CA
    https://learn.microsoft.com/en-us/answers/questions/89382/unable-to-sign-csr-with-microsoft-windows-ca.html

    Best Regards,
    Daisy Zhou

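The thread turns on three settings: the template's 'Supply in the request' option, the delegated group's Read and Enroll permissions on the template, and the template being published on the issuing CA. The script below is an added example (not posted by anyone in this thread) that reads those three settings straight from Active Directory so they can be checked without clicking through the console. It assumes the RSAT ActiveDirectory module is installed; the template CN `WebServer` and the group `CONTOSO\PKI-Requesters` are placeholders to replace with your own. Because a template that lets the requester supply the subject should only be enrollable by a tightly scoped group, the script also lists every principal that holds Enroll on it, so that list can be reviewed alongside the delegated group.

```powershell
# Added example, not from the thread. Audits the settings that decide whether a
# template is offered to a delegated group on the certsrv web pages:
#   1. CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in msPKI-Certificate-Name-Flag,
#      which is the template's "Supply in the request" option;
#   2. Read and Enroll ACEs on the template for the delegated group;
#   3. whether the template is published on each enterprise CA.
# Requires the RSAT ActiveDirectory module. Names below are placeholders.
[CmdletBinding()]
param(
    [string]$TemplateName = 'WebServer',              # placeholder: template CN (not display name)
    [string]$GroupName    = 'CONTOSO\PKI-Requesters'  # placeholder: delegated group as DOMAIN\name
)

Import-Module ActiveDirectory -ErrorAction Stop

$configNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
$templateDN = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"

# 1. Template name flags: bit 0x1 means the requester supplies the subject.
$tpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Certificate-Name-Flag'
$nameFlags = [int]$tpl.'msPKI-Certificate-Name-Flag'
$enrolleeSuppliesSubject = ($nameFlags -band 0x1) -ne 0

# 2. Template ACL. Enroll is the control-access right with this well-known GUID;
#    an ExtendedRight ACE with an empty ObjectType grants all extended rights.
$enrollRightGuid = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$readMask = [int]($rights::GenericRead -bor $rights::ReadProperty)
$extMask  = [int]$rights::ExtendedRight

$acl       = Get-Acl -Path "AD:\$templateDN"
$allowAces = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

$enrollAces = $allowAces | Where-Object {
    (([int]$_.ActiveDirectoryRights -band $extMask) -ne 0) -and
    ($_.ObjectType -eq $enrollRightGuid -or $_.ObjectType -eq [guid]::Empty)
}

$groupAces = $allowAces | Where-Object { $_.IdentityReference.Value -eq $GroupName }
$groupHasRead   = [bool]($groupAces | Where-Object { ([int]$_.ActiveDirectoryRights -band $readMask) -ne 0 })
$groupHasEnroll = [bool]($enrollAces | Where-Object { $_.IdentityReference.Value -eq $GroupName })

# Every principal that can enroll for this template, for review.
$enrollPrincipals = $enrollAces |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

# 3. Publication: each enterprise CA object lists the templates it issues.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates, dNSHostName
$publishedOn = $cas |
    Where-Object { $_.certificateTemplates -contains $TemplateName } |
    ForEach-Object { "$($_.Name) ($($_.dNSHostName))" }

[pscustomobject]@{
    Template                = $TemplateName
    EnrolleeSuppliesSubject = $enrolleeSuppliesSubject   # must be true for certsrv to offer it
    GroupHasRead            = $groupHasRead
    GroupHasEnroll          = $groupHasEnroll
    PrincipalsWithEnroll    = ($enrollPrincipals -join ', ')
    PublishedOnCAs          = ($publishedOn -join ', ')
}
```

Run it as a user who can read the Configuration partition; a false in `GroupHasRead` or `GroupHasEnroll`, or an empty `PublishedOnCAs`, reproduces the "No certificate templates could be found" result for that group even when PKIView reports the CA itself as healthy, because PKIView checks CA health rather than per-template ACLs. The CA-level "Request certificates" permission mentioned in the question is stored on the CA's own security descriptor rather than in AD and is not covered by this check.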

  2. nmpuk 21 Reputation points
    2021-03-11T19:49:47.867+00:00

    Thanks for the reply. I can confirm that my certificate template is configured for "Supply in the request" as mentioned above.

    I understand that computer certs need to be requested by the certlm.msc console, and users through certmgr.msc, and as mentioned above, that is working for me.

    However, I am not able to submit a CSR request through web enrollment for a web server certificate, as you are able to in your own testing. This is the crux of the matter, and it used to work before. In your screenshot above, you are being presented the 'web server' certificates for enrolment. Are you running the internet browser in your own user context? How are you getting web enrollment to provide this?

    Also, 403 is forbidden to browse directory contents; it's not a permissions issue, it's actually that there are no web pages in the \certsrv folder. See below picture of the contents of the http://server/certsrv folder:
    [image: 76880-iss-contents-1.jpg]

    versus the contents of the https://server/certsrv/en-us folder:
    [image: 76888-iis-contents-2.jpg]


  3. nmpuk 21 Reputation points
    2021-03-12T09:08:33.443+00:00

    Thanks, so it's possible to use web enrollment for enrolling computer-based certs like the web server cert. This is what isn't working for me. Can you help?


  4. nmpuk 21 Reputation points
    2021-03-15T17:09:45.427+00:00

    Thanks, but I have already removed and reinstalled the Web enrollment role, as mentioned earlier, and that hasn't resolved the issue.

    If I was able to reproduce and resolve the issue myself, I wouldn't have bothered to post on this support forum.

    I'm hoping someone with greater knowledge than my own, would be able to assist.


  5. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2021-03-17T03:16:53.72+00:00

    Hello @nmpuk ,

    Thank you for your update.

    You can try to troubleshoot it based on the following link.

    Error when a user requests certificate from CA web enrollment pages: No certificate templates could be found
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/no-certificate-templates-be-found

    And here is a case with the same error for your reference.
    Web Enrollment - No certificate templates could be found
    https://social.technet.microsoft.com/Forums/lync/en-US/eb860d3c-9b63-4ebd-8192-1a000c305a46/web-enrollment-no-certificate-templates-could-be-found?forum=winserverDS

    I hope a CA expert can provide more help, too.

    Thank you for your understanding.

    Best Regards,
    Daisy Zhou
