Couple days ago I was troubleshooting customer CA which was able to issue certificates to itself but not for any other Domain Controller (CA was installed to DC). Certificates were needed to Domain Controllers because of smart card authentication.
When I was trying to request certificate from another DC error message was:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description:
CAUSE:
Windows Server 2003 SP1 introduces some enhanced default security settings for the DCOM protocol. Specifically, Windows Server 2003 SP1 introduces rights that give an administrator independent control over local and remote permissions for the following tasks:
– Starting Component Object Model (COM) servers
– Activating COM server settings
– Accessing COM servers
The Windows Server 2003 SP1 installation process creates a new CERTSVC_DCOM_ACCESS security group. After the installation of Windows Server 2003 SP1, this new security group should have appropriate DCOM Access permissions and DCOM Launch and Activation permissions. By default, the Domain Users global group and the Domain Computers global group reside in the CERTSVC_DCOM_ACCESS group. If the Certificate Services service is running on a domain controller, the CERTSVC_DCOM_ACCESS group is created as a Domain Local group. Additionally, the Enterprise Domain Controllers group should be a member of the CERTSVC_DCOM_ACCESS group. This problem occurs if the membership of the CERTSVC_DCOM_ACCESS group is configured incorrectly.
RESOLUTION
1.Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container.
To do this, follow these steps:
a.Click Start, click Run, type Dsa.msc, and then click OK.
b.In the left pane, click the Users container.
c.Verify that the CERTSVC_DCOM_ACCESS group is in the right pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
2.Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
– Domain Users
– Domain Computers
If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4.
Note
If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers do not have sufficient DCOM permissions.
3.Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority.
a.Click Start, point to Program, point to Administrative Tools, and then click Component Services.
b.Expand the Component Services node.
c.Expand the Computers node.
d.Right-click the My Computer node, and then click Properties.
e.Click the COM Security tab.
f.Under Access Permission, click Edit Limits.
g.Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then click Cancel.
h.Under Launch and Activation Permissions, click Edit Limits.
i.Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then click Cancel.
j.Click Cancel, and then close the Component Services console.
4.Settings may be incorrect if any one of the following conditions is true: ◦The CERTSVC_DCOM_ACCESS group does not exist.
– The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
– The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
5.Repeat steps 1 through 3 to verify that all the settings are correct.
If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
After these changes we were able to request certificates from other Domain Controllers and problem was solved.
Link to Microsoft documentation below:
Sam's Corner 