TAG

No Certificate Templates could be found. You do not have permission to request a certificate from this CA

30 Comments

Recently i faced a problem while i was trying to issue a certificate from my Internal Certificate Authority, that’s when i received this error “No Certificate Templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory” .. That was so strange although i am sure i can access the certificate templates from the CA console and also the fact that i was using a Domain Admin account to issue the certificate.

I tried several things to solve this error until i came by a solution on Technet which suggested to change the Application Pool identity for CertSrv site from ApplicationPoolIdentity to NetworkService .. That actually solved it for me , so here is how i did it ..

First i checked the Application Pool associated currently with CertSrv site

Then to be safe i decided to create a separate Application pool for CertSrv

Then changed the Application Pool identity from ApplicationPoolIdentity to NetworkService from the Application pool advanced settings

Restart the application pool , and reopened CertSrv site , i could then view the Certificate Templates normally

Another reason that might cause this issue even if the above steps are done is anonymous authentication, please go to the CertSrv virtual directory on your CA Server and make sure that anonymous Authentication is disabled.

444

Hope that was Helpful

Follow My Page on Facebook for the latest Articles Tag on facebook

30 thoughts on “No Certificate Templates could be found. You do not have permission to request a certificate from this CA

  1. Thank you its work for us.

  2. U forgot to “change the application pool to a new one for CertSrv site”

    And all worked fine. Thank u.

  3. @voffka , glad it helped .. and thanks for the heads up i shall edit the post.

  4. YOU DA MAN. been seeing all kinds of resolutions which DID NOT work

  5. a made that changes and still tha same probleme i have :((

  6. i made the changes but still i have the same error :((, what elese can i do ? tq

    • @aenomis

      What Operating System do you have ?
      are you sure the logged in user is a domain admins member ?

      Send me an Email on info.tagblog@gmail.com so i can follow your case

      • Hello.
        I have the same problem. CA is 2008 R2 SP1. User is domain admin (I add personal full permissions for him in IIS and in Cert Templates). Could you tell me result of case, please?

      • @Samuel. please go to the certsrv virtual directory on your CA Server . make sure that anonymous authentication is disbaled.

      • Yes, it’s disabled in IIS for directory CertSrv.

      • Sam, since you have checked the above steps in the article, and the anonymous authentication is disabled and you also checked the permissions, there is nothing that should block him from accessing the templates,i suggest you create a separate user that is not a domain admin, assign him the permissions and give it a try. please email me the results on info.tagblog@gmail.com so i can follow up with you.

  7. Awesome, simple and effective. Would you mind explaining a bit on what these changes really do/mean?

  8. Thank you it worked perfectly. Great post

  9. Nailed it! Thank you for posting.

  10. its solved for me…… thanks a lot……

  11. Wow. Excellent. It works like a charm.

  12. Very detailed post. It worked for me. Thank you !!!!

  13. Thanks! This just saved me!!!!

  14. Thank You! Thank You! There are a lot of articles out there about this issue but your was the only one that made any sense. Been chasing this issue for 2 days.

  15. Jolly good! This worked like a charm. Thank you for sharing

  16. Good information – this resolved the issue for one of my Issuing CAs – Thanks!. Don’t see the missing part of assigning the website to the newly created CertSrv app pool.

    Thanks!

    -bill

  17. Worked like a charm! Thanks.
    I also have to start my IE as an Administrator. If I don’t do this I still have the error appear.
    Thought I might mention this in the hopes that it might save others some headaches 🙂

  18. UAC could also be causing the issue. Run IE as administrator.

  19. This worked for me. However I only had access to “Basic EFS” and “User” templates. I disabled IE ESC for admins (in Server Manager) and ran IE as administrator. I was then able to see the other templates.

  20. I am also getting the same error, I tried all setting but still it is not working.

  21. For those finding this via searching as I did, this is one of many potential issues that can cause this problem.

    Another problem relates to the domain functional level. In our case, although the Domain Controller was 2012, the domain was still at a 2003 level. This prevents ALL existing templates from being usable (thanks Microsoft!) the solution is to create a copy of the template you need (usually Web Server) and make sure in its properties that it is usable by 2003 and above, then make sure to “issue” the new template and it should show up in the list if that was the problem.

  22. Hi,
    Trying everything as mentioned above – and still not working for me.
    Windows 2012 R2 CA is installed on a separate server but is a part of the domain.
    I still get no templates found when trying to request from a regular domain user.

  23. Brilliant Solution

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s