0 Votes
SukhwinderSingh-7853 asked SukhwinderSingh-7853 answered

Certificate template creation using delegated admin is failing

Hi All,

We have set up delegated access on Windows 2012 PKI templates as per the link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725621(v=ws.10)?redirectedfrom=MSDN


The access is provided on the following:

  • Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot

  • Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot

  • Full access and ownership on the template which needs to be duplicated

Still, when the delegated user tries to duplicate a template, he gets the error:

Template cannot be duplicated. Access is denied

I don't want to assign him Enterprise Admin rights.

Can someone suggest what the issue is here and how to get this done?

windows-server, windows-active-directory

0 Votes
FanFan-MSFT answered

Hi,

I did a test in my lab:

1. On the CA server, assign the user Read permission.
   113115-image.png
2. Assign the following permissions through ADSI:
   • Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot
   • Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot
   • Full access on the template which needs to be duplicated (I did not take ownership).

Then the user will be able to duplicate the templates.

It is suggested to:
   • Refresh the group membership by logging off and logging in again. Make sure the group membership was refreshed.
   • Synchronize the configuration to all the DCs. You may try to confirm that AD replication works well:
     Repadmin /syncall /APeD
     Repadmin /showrepl * /csv >c:\repl.csv (replication situation for all the DCs)

Best Regards,


0 Votes
FanFan-MSFT answered

Hi,

I will do a test in my lab tomorrow since my lab is down today.
I will update here as soon as possible.

Best Regards,


0 Votes
SukhwinderSingh-7853 answered

Hi,
Thanks for taking the time to test. One thing which was missing everywhere, and was the issue in my setup, was that the permission was configured to apply to "All descendant objects".

After we changed it to "Apply to this object and all descendant objects", it worked.

So one needs to check that part while assigning permissions, which we were missing.

Thanks for your help and support.

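The root cause in this thread was the inheritance scope of the delegated ACE, not the right itself: "Create All Child Objects" applied to "All descendant objects" never grants CreateChild on the Certificate Templates container, so duplication fails with "Access is denied". The following script is an added example, not code from the thread or from Microsoft, that audits the delegation described in the question and the accepted fix: it reads the ACLs on the two PKI containers and on the template to be duplicated, and flags ACEs for the delegated group whose scope excludes the container itself, whose CreateChild is limited to one object class, or that are Deny entries. It assumes the RSAT ActiveDirectory module on a domain-joined host; `CONTOSO\PKI-Template-Admins` and the `User` template are placeholders to replace with your own names.

```powershell
# Added example (not from the thread): audit the delegated ACEs on the PKI
# containers and on one template, and flag ACEs whose inheritance scope leaves
# out the container itself ("All descendant objects"), which is the
# misconfiguration found in this thread.
# Assumptions: RSAT ActiveDirectory module is installed, the host is
# domain-joined, and the two names below are placeholders.
Import-Module ActiveDirectory

$Principal    = 'CONTOSO\PKI-Template-Admins'   # placeholder delegated group
$TemplateName = 'User'                          # placeholder template to duplicate

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Object -> right the delegation guide expects the group to hold on it
$checks = @(
    @{ DN = "CN=Certificate Templates,$pkiBase";                 Needs = 'CreateChild' },
    @{ DN = "CN=OID,$pkiBase";                                   Needs = 'CreateChild' },
    @{ DN = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"; Needs = 'GenericAll'  }
)

# ActiveDirectorySecurityInheritance values that include the object itself.
# GUI labels: None = "This object only", All = "This object and all descendant
# objects", Descendents = "All descendant objects" (does NOT cover the object).
$coversSelf = 'None', 'All', 'SelfAndChildren'

function Test-PkiDelegation {
    param([string]$Dn, [string]$Needs, [string]$Identity)

    $needed = [System.DirectoryServices.ActiveDirectoryRights]$Needs
    $acl    = Get-Acl -Path "AD:\$Dn"
    $aces   = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })

    if ($aces.Count -eq 0) {
        return [pscustomobject]@{ Object = $Dn; Status = 'MISSING'; Detail = "no ACE for $Identity" }
    }

    foreach ($ace in $aces) {
        $hasRight   = ($ace.ActiveDirectoryRights -band $needed) -eq $needed
        $scopeOk    = $ace.InheritanceType.ToString() -in $coversSelf
        # "Create All Child Objects" has an empty ObjectType GUID; a non-empty
        # GUID means CreateChild was restricted to a single object class.
        $allClasses = ($Needs -ne 'CreateChild') -or ($ace.ObjectType -eq [guid]::Empty)

        $status = if ($ace.AccessControlType -ne 'Allow') { 'DENY' }
                  elseif (-not $hasRight)                 { 'WRONG-RIGHT' }
                  elseif (-not $scopeOk)                  { 'WRONG-SCOPE' }
                  elseif (-not $allClasses)               { 'CLASS-LIMITED' }
                  else                                    { 'OK' }

        [pscustomobject]@{
            Object = $Dn
            Status = $status
            Detail = "$($ace.AccessControlType) $($ace.ActiveDirectoryRights) / applies to: $($ace.InheritanceType)"
        }
    }
}

$results = foreach ($c in $checks) {
    Test-PkiDelegation -Dn $c.DN -Needs $c.Needs -Identity $Principal
}
$results | Format-Table -AutoSize
```

Run it with an account that can read the Configuration naming context (any domain user can, by default). A `WRONG-SCOPE` row on the Certificate Templates or OID container reproduces the situation in the question: the ACE exists, the right is correct, but `InheritanceType` is `Descendents`, so the container itself is not covered and template duplication is denied. Because the script reads rather than writes the ACL, it is safe to run against every DC after a change to confirm the corrected ACE has replicated.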