Cannot find the certificate template
https://blog.csdn.net/weixin_34109408/article/details/92098655
https://blog.51cto.com/donex/616786
Symptom:
When a user attempts to use the Web enrollment pages to request a certificate from the issuing certificate authority (CA), the user may receive the following error message:
This behavior occurs when the Web enrollment pages are on an enterprise CA server in an Active Directory domain. It occurs whether the Web enrollment pages are on the same server or on a different member server.
Cause:
The CA Web enrollment pages perform a case-sensitive string comparison of two values. One value is the sServerConfig value in the Certdat.inc file in the %systemroot%\System32\Certsrv folder, and the other is the dNSHostName attribute on the pkiEnrollmentService object in Active Directory. If the two strings do not match, including their case, enrollment fails.
Solution:
To correct this problem, follow these steps:
- View the dNSHostName attribute on the pkiEnrollmentService object in Active Directory. This object is in the following location:
CN=CertificateServer,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=COM
To access the dNSHostName attribute, use ADSIEdit.msc or LDP.exe.
- Edit the Certdat.inc file so that the sServerConfig value uses the same host name as the dNSHostName attribute, together with the certificate authority name.
Please note that the sServerConfig value must have exactly the same case as the dNSHostName attribute. If it does not, you will continue to get the same error.
For example: if the DNS host name of the certificate authority is server1.domain.local and the certificate authority's name is MYCA, make sure that the dNSHostName attribute of the "CN=MYCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" object is set to "server1.domain.local", and that sServerConfig in the certdat.inc file in the "%systemroot%\system32\certsrv" folder on the certificate authority is set to "server1.domain.local\MYCA".
- Have the user who requests the certificate restart Internet Explorer. This allows the new credentials to be passed to the CA.
Note: Also make sure that the user who requests the certificate is granted Read and Enroll permissions on the certificate template. You can grant these permissions by using the ADSIEdit.msc snap-in or the Certificate Templates snap-in.
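The comparison described under the cause can be checked before editing anything. The following PowerShell sketch is an added example, not part of the original article or of Microsoft's code. It assumes that Certdat.inc stores the value on a line of the form sServerConfig="host\CAName"; the function name Test-ServerConfigMatch and the sample file content are constructed for illustration.

```powershell
# Added example: compare sServerConfig with dNSHostName the way the
# Web enrollment pages do (case-sensitively) and report why they differ.
# Assumption: Certdat.inc contains a line like  sServerConfig="host\CAName"
function Test-ServerConfigMatch {
    param(
        [Parameter(Mandatory)] [string[]] $CertdatLines,  # lines of Certdat.inc
        [Parameter(Mandatory)] [string]   $DnsHostName,   # dNSHostName read with ADSIEdit.msc or LDP.exe
        [Parameter(Mandatory)] [string]   $CaName         # CN of the pkiEnrollmentService object
    )
    $expected = '{0}\{1}' -f $DnsHostName, $CaName
    $pattern  = '^\s*sServerConfig\s*=\s*"([^"]*)"'
    $hit = $CertdatLines | Select-String -Pattern $pattern | Select-Object -First 1
    if (-not $hit) {
        return [pscustomobject]@{ Match = $false; Reason = 'sServerConfig line not found'
                                  Found = $null;  Expected = $expected }
    }
    $found = $hit.Matches[0].Groups[1].Value
    # -ceq is case-sensitive, -ieq is case-insensitive
    if ($found -ceq $expected) {
        $reason = 'identical'
    } elseif ($found -ieq $expected) {
        $reason = 'differs only in case'          # the situation this article describes
    } else {
        $reason = 'different host name or CA name'
    }
    [pscustomobject]@{ Match = ($found -ceq $expected); Reason = $reason
                       Found = $found; Expected = $expected }
}

# Constructed sample content (not a real Certdat.inc); host name case is wrong on purpose.
$sampleCertdat = @'
' constructed sample for illustration
sServerConfig="SERVER1.domain.local\MYCA"
'@ -split "`r?`n"

Test-ServerConfigMatch -CertdatLines $sampleCertdat `
                       -DnsHostName 'server1.domain.local' -CaName 'MYCA'

# On the CA itself, the real file can be passed instead of the sample:
#   $lines = Get-Content "$env:SystemRoot\System32\certsrv\Certdat.inc"
#   Test-ServerConfigMatch -CertdatLines $lines -DnsHostName '<dNSHostName value>' -CaName '<CA name>'
```

With the constructed sample, the result reports Match as False and the reason "differs only in case", which is the condition that makes enrollment fail.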