Q. You receive 'The wizard cannot be started because of one or more of the following conditions' when you use the Certificates console on a client computer to request a certificate from a Windows Server 2003 SP1 (Service Pack 1) computer?

Jerold Schulman

November 26, 2006

3 Min Read

When you use the Certificates console on a client computer to request a certificate from a computer running Windows Server 2003 SP1, you receive:

The wizard cannot be started because of one or more of the following conditions:

- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.

The server's Application log contains events like:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer:
Description: Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: SubCA.


Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 21
Date: MM/DD/YYYY
Time: HH:MM
User: N/A
Computer:
Description: Certificate Services could not process request 5 due to an error: The request's current status does not allow this operation. 0x80094003 (-2146877437).

If automatic certificate enrollment is enabled in the domain, the client's Application log will record Event ID: 13, Event Source: AutoEnrollment, and the client will be unable to obtain certificates automatically.

SP1 introduced rights that give an administrator independent control over local and remote permissions for:

- Starting Component Object Model (COM) servers.
- Activating COM server settings.
- Accessing COM servers.

A new CERTSVC_DCOM_ACCESS security group in the CN=Users container, which should have appropriate permissions, was created when SP1 was installed, and should have the Domain Users and Domain Computers global groups as members. If the Certificate Services service is running on a domain controller, the CERTSVC_DCOM_ACCESS is configured as a Domain Local group with the Enterprise Domain Controllers group as an additional member.

The problem behavior occurs if the membership of the CERTSVC_DCOM_ACCESS group, or DCOM permissions, is incorrect.

To fix the problem:

1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority:

2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:

NOTE: If users or computers in other domains need to enroll against the certification authority, you must add them to the CERTSVC_DCOM_ACCESS group.

3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority:

4. If any of the above are incorrect:

5. Repeat steps 1 through 3 to verify that all the settings are correct.

NOTE: If you changed membership of the CERTSVC_DCOM_ACCESS group, you must restart the server for the changes to take effect.
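The three verification steps above, as an added PowerShell script that is not part of Schulman's tip. It assumes it runs on the CA host as a domain administrator, looks the group up through ADSI (so no Active Directory module is needed), and reads the machine-wide DCOM restrictions from the HKLM\SOFTWARE\Microsoft\Ole registry values that SP1 introduced; the expected member names are taken from the text above.

```powershell
# Added verification script (not part of the original tip). Assumes it runs in
# PowerShell on the CA host as a domain administrator; the group name and the
# expected members come from the tip, the registry value names are the SP1 ones.
$groupName = 'CERTSVC_DCOM_ACCESS'
$expected  = @('Domain Users', 'Domain Computers')
# CA on a domain controller: Enterprise Domain Controllers (well-known SID S-1-5-9)
# must also be a member; it shows up as a foreign security principal named by SID.
if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) { $expected += 'S-1-5-9' }

# Step 1: does the group exist in the domain that hosts the CA? (ADSI, no AD module)
$root     = [ADSI]'LDAP://RootDSE'
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
$searcher.Filter     = "(&(objectClass=group)(sAMAccountName=$groupName))"
$result = $searcher.FindOne()
if (-not $result) { Write-Warning "$groupName does not exist in this domain"; return }
$group = $result.GetDirectoryEntry()
"Found $($group.distinguishedName) (groupType $($group.groupType))"

# Step 2: compare the expected member groups against the actual membership.
$members = @($group.member | ForEach-Object {
    $e = [ADSI]"LDAP://$_"
    if ($e.sAMAccountName) { $e.sAMAccountName.ToString() } else { $e.cn.ToString() } })
foreach ($m in $expected) {
    if ($members -contains $m) { "OK      member: $m" } else { "MISSING member: $m" }
}

# Step 3: machine-wide DCOM Access and Launch/Activation restrictions are stored as
# binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole after SP1.
$groupSid = (New-Object Security.Principal.SecurityIdentifier(
                 [byte[]]$group.objectSid.Value, 0)).Value
foreach ($valueName in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').$valueName
    if (-not $bytes) { "$valueName is not set, so the DCOM defaults apply"; continue }
    $sd   = New-Object Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $aces = @($sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq $groupSid })
    if ($aces) {
        $masks = ($aces | ForEach-Object { '0x{0:X}' -f $_.AccessMask }) -join ', '
        "OK      ${valueName}: Allow ACE for $groupName with mask $masks"
    } else {
        "MISSING ${valueName}: no Allow ACE for $groupName"
    }
}
```

A "MISSING" line on any check points at the setting to correct in step 4; remember that a membership change only takes effect after the server is restarted.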

NOTE: See tip 9834 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1.
