Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Users Granted Permission to Manage the Certificate Authority Are Unable to Access It Remotely

Users Granted Permission to Manage the Certificate Authority Are Unable to Access It Remotely

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

↑ Back to the top

Symptoms

When users who have been granted the right to manage certificates on a Windows 2000 Certificate Authority (CA) attempt to remotely access the CA through the CA snap-in, they receive the following error message:

Access is Denied. 0x5 (5)

↑ Back to the top

Cause

The CA snap-in requires users to have remote access to the following registry key on the CA:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
If users do not have access to this registry key, they receive the error message described in the Symptoms section.

↑ Back to the top

Resolution

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this issue, give the user permission to manage the CA. To grant this access to a non-administrative account, follow these steps:

  1. Open the CA snap-in.
  2. Right-click Certificate Authority Root and click Properties.
  3. Click the Security tab.
  4. Add the user who needs access and grant that user the required permissions.
The CA snap-in must be installed on the remote machine for the user to have remote access to the CA.

To give a non-administrative account permission to remotely manage a CA, follow these steps:

  1. Open the CA, click Run, and then type Regedt32.
  2. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
  3. Open the Machine key and at the bottom of the key add the following value:
    SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
  4. Click Save.
The remote user now has remote access to the CA.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

↑ Back to the top

More Information

For additional information about restricting access to the registry from a remote computer, click the article number below to view the article in the Microsoft Knowledge Base:

153183 How to Restrict Access to NT Registry from a Remote Computer

↑ Back to the top

Keywords: kb, kbbillprodsweep, w2000secconf, w2000certsrv, kbsecconfiged, kbprb, kbcertservices

↑ Back to the top

Article Info
Article ID : 271470
Revision : 6
Created on : 8/20/2020
Published on : 8/20/2020
Exists online : False
Views : 146