To resolve this problem, confirm that the problem is not related to the certification authority (CA). Then, add the missing registry entry.
Follow these steps to make sure that the problem is not related to the CA.
Note This procedure requires that you use the Cominfo.exe utility. To obtain the Cominfo.exe utility, contact Microsoft Customer Support Services. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
- Verify that the CA and all its parent CA certificates are trusted and valid.
- Make sure that the certificate template's discretionary access control list (DACL) on the CA includes the Authenticated Users group. If the Authenticated Users group is removed from the DACL, the CA can no longer read the template in Active Directory. Therefore, the CA cannot issue certificates.
- On the client computer, type the following commands at a command prompt. Press ENTER after each command.
certutil -template
certutil -dump
Note The first command displays the user's permissions on the available templates. An "Access denied" status appears for each certificate template that cannot be used by the user who is currently logged on. The second command displays a list of enterprise CAs.
- Type the following command to find the common name (CN) of the CA, and then press ENTER:
certutil -dump | findstr config
- Type the following command, and then press ENTER:
set config=CAMachineDNSName\CACommonName
- Type the following command, and then press ENTER:
certutil -config "%config%" -ping
You may receive an "Access denied" message.
- Type the following command to export a CA exchange certificate, and then press ENTER:
certutil -config "%config%" -cainfo xchg
You may receive a message that resembles the following:
Exported CA Exchange Certificate to xchg.cer
- Type the following command, and then press ENTER:
certutil -config "%config%" -verify -urlfetch xchg.cer
You may receive a message that resembles the following:
CertUtil -verify command FAILED: 0x8009310b (ASN: 267)
- Run the Cominfo.exe utility to collect DCOM information.
The Cominfo.exe utility may produce output that resembles the following:
DCOM Installed
The value EnableDCOM is not present under HKEY_LOCAL_MACHINE\Software\Microsoft\Ole.
[Warning: You are likely to get error RPC_E_REMOTE_DISABLED if you run DCOM applications in this machine.]
This message confirms that the problem is related to the missing registry entry.
To add the EnableDCOM registry entry, follow these steps.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
- On the Edit menu, point to New, and then click String Value.
- Type EnableDCOM, and then press ENTER.
- Right-click EnableDCOM, and then click Modify.
- Type Y in the Value data box, and then click OK.
- Exit Registry Editor.
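The following PowerShell script is an added example, not part of the original article or a Microsoft-supplied tool. It performs the same check and change as the Registry Editor steps above: it reports whether EnableDCOM exists under HKEY_LOCAL_MACHINE\Software\Microsoft\Ole and creates it as a String Value of Y only when it is missing and the script is run with -Fix (a switch name chosen for this example).

```powershell
# Added example: audit and, on request, create the EnableDCOM value described above.
# Save as a .ps1 file and run from an elevated session; writing under HKLM
# requires administrator rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: -Fix is a switch name chosen for this example.
    # Without it, the script only reports the current state.
    [switch]$Fix
)

$key  = 'HKLM:\Software\Microsoft\Ole'
$name = 'EnableDCOM'

# Read the current value; returns $null instead of an error if the value is absent.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    # This is the condition that the Cominfo.exe output above reports.
    Write-Output "$name is not present under $key."
    if ($Fix -and $PSCmdlet.ShouldProcess("$key\$name", "Create String Value 'Y'")) {
        # Equivalent of New > String Value, name EnableDCOM, value data Y.
        New-ItemProperty -Path $key -Name $name -PropertyType String -Value 'Y' | Out-Null
        Write-Output "Created $name = Y (String Value)."
    }
}
elseif ($current -ieq 'Y') {
    Write-Output "$name is already set to '$current'. No change needed."
}
else {
    # A value other than Y (for example N, which disables DCOM) may be deliberate.
    # Report it and leave it unchanged so the setting can be reviewed first.
    Write-Output "$name is present with value '$current'. Not modified."
}
```

Running the script with -Fix -WhatIf shows the change that would be made without writing to the registry.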