Sunday, 22 November 2009

Active Directory: Corrupt Certificate Templates

I was trying to get my Windows Mobile 6.5 to work with Exchange 2010, but when I tried to request a certificate from my CA I got the following error:

Eventid: 53, CertificationAuthority
Message: Active Directory Certificate Services denied request 17 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for CN="". Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: User.

Now what? For some reason it thinks my User certificate does not exist or something? It seemed the User Certificate Template on my CA was corrupt for some reason. This is how I fixed it.

Note: I assume you back up your CA before changing settings, so I won't mention it in the how-to.

1. Stop the Certificate Services Service.
net stop CertSvc

2. Log in to ADSI Edit and open the Configuration naming context. Then go to CN=Services,CN=Public Key Services,CN=Certificate Templates. If all is correct there should be quite a few items listed there. Empty out the CN=Certificate Templates container. This is most easily done by deleting CN=Certificate Templates and recreating it with the same name.

3. Start the Certificate Services Service.
net start CertSvc

4. Open the Certification Authority Snap-In and go to Certificate Templates. You should see all templates listed with an X in front of them.

If this is the case, right-click on Certificate Templates and choose Manage. Windows should give a popup with a message like: "New certificate templates are found, would you like to install them?". Agree with the message and see the magic work. After a few moments (depending on the size of your AD) you'll be able to issue certificates again.
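
Step 2 deletes every template object in the container, including any custom ones, so it helps to keep a record of what was there and to confirm afterwards that the CA offers the User template again. The following is an added example, not part of the original post; the function names, the backup location and the assumed certutil output layout are illustrative assumptions.

```powershell
# Added example: function names, file location and output parsing are assumptions.
function Export-TemplateContainer {
    param([string]$OutDir = $env:TEMP)

    # Build the container DN from the forest's configuration naming context.
    $root = [ADSI]"LDAP://RootDSE"
    $dn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
          [string]$root.configurationNamingContext

    # Export the container and every template object below it to an LDIF file.
    $file = Join-Path $OutDir ("CertTemplates-{0:yyyyMMdd-HHmmss}.ldf" -f (Get-Date))
    ldifde -f $file -d $dn -p subtree | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ldifde export of '$dn' failed" }

    # Return the template names so custom templates can be identified later.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
    $searcher.Filter = "(objectClass=pKICertificateTemplate)"
    $searcher.SearchScope = "OneLevel"
    $names = $searcher.FindAll() | ForEach-Object { [string]$_.Properties["cn"][0] }
    [pscustomobject]@{ BackupFile = $file; Templates = @($names | Sort-Object) }
}

function Test-CaTemplate {
    param([string]$Name = "User")

    # certutil -CATemplates lists the templates this CA is set to issue,
    # one "Name: Display name" line per template (assumed output layout).
    $lines = certutil -CATemplates
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed" }
    [bool]($lines | Where-Object { $_ -match ("^\s*" + [regex]::Escape($Name) + ":") })
}

# Before step 2 (run as an account that can read the Configuration partition):
#   $before = Export-TemplateContainer
#   "Saved {0} templates to {1}" -f $before.Templates.Count, $before.BackupFile
#
# After step 4 (run on the CA):
#   if (-not (Test-CaTemplate -Name "User")) { Write-Warning "User template not offered by this CA" }
```

Comparing the saved template names with the container contents after step 4 shows which templates were not reinstalled.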