
You receive an error message, and event ID 53 is logged when a client computer requests a certificate from a Windows Server 2003 SP1-based CA



Symptoms

When you use the Web browser on a client computer to request a certificate from a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based certification authority (CA) computer, you may receive the following error message:
Denied by Policy Module 0x80094800, the request was for a certificate template that is not supported by the Certificate Services Policy. CertificateTemplateName
Alternatively, when you use the Microsoft Management Console (MMC) Certificates snap-in to request a certificate, you may receive an error message that resembles the following:
Certification authority could not be found.
Additionally, the following event ID is logged in the Application log of the CA computer:

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description:
Certificate Services denied request 5 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Additional information: Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Certificate Services policy: CertificateTemplatename.



Cause

This issue may occur for any of the following reasons.

Cause 1

The client computer is not a member of the CERTSVC_DCOM_ACCESS security group.

Cause 2

You installed Windows Server 2003 Service Pack 1 (SP1) on a CA computer that resides in a Microsoft Windows 2000 forest.

You must prepare the Windows 2000 forest for Windows Server 2003 because new attributes are added to the certificate template objects in the schema.

To verify this cause, view any of the certificate templates by using ADSIEdit.msc or by using LDP.exe. You may find that the following attributes are missing:
  • msPKI-Certificate-Application-Policy
  • msPKI-Certificate-Name-Flag
  • msPKI-Certificate-Policy
  • msPKI-Cert-Template-OID
  • msPKI-Enrollment-Flag
  • msPKI-Minimal-Key-Size
Note You can find the certificate templates at the following location:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,dc=DomainComponent,dc=DomainComponent
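
The Cause 2 check can also be scripted instead of browsing with ADSIEdit.msc or LDP.exe. The following PowerShell is an added example, not part of the original KB article; it assumes a domain-joined computer and an account that can read the Configuration and Schema partitions, and it goes one step beyond the article by also checking whether the forest schema defines each attribute.

```powershell
# Added example, not from the KB article. Read-only LDAP queries.
$attrs = 'msPKI-Certificate-Application-Policy', 'msPKI-Certificate-Name-Flag',
         'msPKI-Certificate-Policy', 'msPKI-Cert-Template-OID',
         'msPKI-Enrollment-Flag', 'msPKI-Minimal-Key-Size'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$schemaNC = $rootDse.Properties['schemaNamingContext'].Value

# 1. Does the forest schema define each attribute? An attribute that is
#    absent here cannot exist on any template (unprepared forest).
$schema = New-Object System.DirectoryServices.DirectorySearcher
$schema.SearchRoot  = [ADSI]"LDAP://$schemaNC"
$schema.SearchScope = 'OneLevel'
$undefined = @()
foreach ($a in $attrs) {
    $schema.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$a))"
    if ($null -eq $schema.FindOne()) { $undefined += $a }
}
if ($undefined.Count -gt 0) {
    Write-Output "Not defined in the schema: $($undefined -join ', ')"
} else {
    Write-Output 'All six attributes are defined in the schema.'
}

# 2. Per-template view, equivalent to opening each object in ADSIEdit.msc.
#    A template can lack a value for an attribute that the schema defines,
#    so read this list together with the schema result above.
$templates = New-Object System.DirectoryServices.DirectorySearcher
$templates.SearchRoot  = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates.SearchScope = 'OneLevel'
$templates.Filter      = '(objectClass=pKICertificateTemplate)'
$templates.PageSize    = 200
[void]$templates.PropertiesToLoad.Add('cn')
foreach ($a in $attrs) { [void]$templates.PropertiesToLoad.Add($a) }

foreach ($t in $templates.FindAll()) {
    # Result property names are stored in lower case.
    $missing = @($attrs | Where-Object { -not $t.Properties.Contains($_.ToLower()) })
    if ($missing.Count -gt 0) {
        Write-Output ("{0}: no value for {1}" -f $t.Properties['cn'][0], ($missing -join ', '))
    }
}
```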

Cause 3

You did not restart the Windows Server 2003-based CA computer after you added the following member groups to the CERTSVC_DCOM_ACCESS security group:
  • Domain Users
  • Domain Computers
  • Enterprise Domain Controllers

    Note You add the Enterprise Domain Controllers group if the Certificate Services service is running on a domain controller.



Resolution

To resolve this issue, use one or more of the following resolutions, as appropriate for your situation.

Resolution for cause 1

To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can only add domain groups to it.

For example, if users and computers from another domain have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.

Note In this example, Contoso is a placeholder.
Notes on resolution for cause 1
  • Certificate Services cannot automatically update the DCOM security settings for client computers from outside the certification authority's domain if the following conditions are true:
    • The certification authority is installed on a domain controller.
    • The enterprise consists of more than one domain.
    In this scenario, the client computers are denied enrollment access to the certification authority.
  • If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.
  • If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.

Resolution for cause 2

To resolve this issue, use one of the following methods, as appropriate for your situation.
Method 1
Remove Windows Server 2003 SP1 from the CA computer.
Method 2
  1. Use the Adprep.exe utility to run the adprep /forestprep command on the schema operations master, and then run the adprep /domainprep command.

    For more information about the Adprep.exe utility, visit the following Microsoft Web site:
    http://technet2.microsoft.com/WindowsServer/en/library/bc5ebbdb-a8d7-4761-b38a-e207baa734191033.mspx?mfr=true
  2. Type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
    • Regsvr32 /i:i /n /s %systemroot%\system32\certcli.dll
    • Net Stop CertSvc
    • Net Start CertSvc

Resolution for cause 3

Restart the CA computer. If you again receive an error message that is mentioned in the "Symptoms" section, type the following commands at a command prompt on the CA computer, and then press ENTER after each command:
  • Certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
  • Net stop certsvc
  • Net start certsvc



Keywords: kbexpertiseadvanced, kbtshoot, kberrmsg, kbprb, KB932457


Article Info
Article ID : 932457
Revision : 4
Created on : 2/26/2007
Published on : 2/26/2007