Additional domain controllers fail to get a certificate
I’ve run into a nasty little problem. The initial situation was as follows:
Windows Server 2003 R2 SP2, a single domain controller, which was also a CA. This worked fine: users could get their certificates, the machine was able to enroll its own DC certificate, and all machines were able to get their certificates.
However, the second domain controller (also Windows Server 2003 R2 SP2) added to this domain was unable to enroll for a certificate. I got the error message shown in the screenshot, from source AutoEnrollment with Event ID 13, telling me “Permission denied”, with error code 0x80070005. It was unable to enroll its own domain controller certificate.
This baffled me, but after searching around on the internet, I found out that there were two issues I was facing.
Members of the CERTSVC_DCOM_ACCESS group
The CERTSVC_DCOM_ACCESS group controls access to the certification service. In my case, the “Domain Controllers” group wasn’t a member of the CERTSVC_DCOM_ACCESS group. After adding it, the domain controller was able to talk to the CA service, but still wasn’t able to fetch a certificate.
According to some postings on the internet, this issue arises if you use an AD migrated over from a Windows 2000 functional level with a Windows 2000 CA, which was the case here, but I wasn’t able to find definitive answers.
Permissions on the MachineKeys directory
In %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys, you will find a directory which has to have special permissions. There’s a Microsoft KB entry, Default permissions for the MachineKeys Folder, which describes how to fix this issue.
No idea why these permissions were wrong; this was a fresh install with SP2.
After fixing the permissions according to this documentation, everything was up and running again.
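To check both of the causes described above (CERTSVC_DCOM_ACCESS membership and the MachineKeys ACL) in one pass, and to surface the AutoEnrollment Event ID 13 / 0x80070005 errors that signal the problem, here is a diagnostic script I am adding as an example; it is not part of the original post. It assumes a modern Windows host with the RSAT ActiveDirectory module, uses only real cmdlets (Get-ADGroupMember, Get-Acl, Get-WinEvent), and treats the expectation that Administrators hold explicit FullControl on MachineKeys as an assumption to be compared against the Microsoft KB the post references; the group and member names are parameters with the post's values as defaults.

```powershell
# Added diagnostic example, not from the original post.
# Assumes: RSAT ActiveDirectory module present; run elevated on the affected DC.
param(
    [string]$CaGroup        = 'CERTSVC_DCOM_ACCESS',   # from the post
    [string]$RequiredMember = 'Domain Controllers'     # from the post
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Is "Domain Controllers" a member of CERTSVC_DCOM_ACCESS?
$members = Get-ADGroupMember -Identity $CaGroup -ErrorAction Stop
if (@($members.Name) -contains $RequiredMember) {
    Write-Output "[OK]   '$RequiredMember' is a member of '$CaGroup'"
} else {
    Write-Output "[FAIL] '$RequiredMember' is NOT a member of '$CaGroup'"
    Write-Output "       Fix: Add-ADGroupMember -Identity '$CaGroup' -Members '$RequiredMember'"
}

# 2. Dump the MachineKeys ACL. The 2003 path %ALLUSERSPROFILE%\Application Data
#    maps to %ProgramData% on later Windows versions, so both are tried.
$candidates = @(
    (Join-Path $env:ProgramData     'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys')
)
$machineKeys = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $machineKeys) { throw 'MachineKeys folder not found at either candidate path' }

$acl = Get-Acl -Path $machineKeys
Write-Output "ACL for $machineKeys (owner: $($acl.Owner)):"
foreach ($ace in $acl.Access) {
    $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ('  {0,-35} {1,-5} {2,-30} {3}' -f `
        $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights, $source)
}

# Heuristic (assumption, compare against the KB): Administrators should have an
# explicit Allow FullControl entry on the folder itself.
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$adminFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like '*\Administrators' -and
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited -and
    (([int]$_.FileSystemRights) -band $fullControl) -eq $fullControl
}
if ($adminFull) {
    Write-Output '[OK]   Administrators hold explicit FullControl on MachineKeys'
} else {
    Write-Output '[WARN] No explicit FullControl for Administrators on MachineKeys; reset per the KB'
}

# 3. Recent AutoEnrollment Event ID 13 entries mentioning 0x80070005.
#    Provider name differs between Windows versions, so match loosely.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 13 } `
            -MaxEvents 200 -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like '*AutoEnrollment*' -and $_.Message -match '0x80070005' }
if ($events) {
    Write-Output "[INFO] $(@($events).Count) AutoEnrollment access-denied events found; latest:"
    Write-Output "       $($events[0].TimeCreated)  $($events[0].Message.Split("`n")[0])"
} else {
    Write-Output '[OK]   No recent AutoEnrollment Event ID 13 / 0x80070005 entries'
}
```

Run it on the DC that fails to enroll, then re-run after each fix: the membership check confirms the DC can reach the CA's DCOM interface, the ACL dump shows whether the MachineKeys permissions still diverge from the KB defaults, and the event query tells you whether autoenrollment has stopped logging access-denied errors.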
