
Error: "Access is denied" when provisioning to Windows

Symptom: 

Install certificate failed with error: "Access is denied" when provisioning to Windows using a local (non-Active Directory) account.

Summary:

Provisioning a certificate to a Windows system using a local account fails with an "Access Denied" error even though the specified user account is a member of the local Administrators group. This scenario is typically encountered when provisioning to servers that are not joined to an Active Directory domain.

Specific error encountered during Stage 800 (provisioning):

Install Certificate failed with error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 


Cause:

This error is caused by Windows not granting full administrative privileges to local (SAM) accounts that connect to the server over the network. Even though the account has been made a member of the Administrators group, the security token built from the network logon is filtered and lacks the administrator privileges (and thus the ability to perform administrative tasks such as installing certificates!). More information about this behavior is described here: http://support.microsoft.com/kb/951016

Workaround:

You can disable the restrictions for local accounts by modifying the registry on the target server (the server where the certificate is going to be installed).

To disable UAC remote restrictions, follow these steps:

1. Click Start, click Run, type regedit, and then press ENTER.

2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:

   a. On the Edit menu, point to New, and then click DWORD Value.

   b. Type LocalAccountTokenFilterPolicy, and then press ENTER.

4. Right-click LocalAccountTokenFilterPolicy, and then click Modify.

5. In the Value data box, type 1, and then click OK.

6. Exit Registry Editor.

It may be necessary to reboot the target server after making this change.
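The same change scripted, as an added example rather than the article's own procedure: it reports the current value, sets LocalAccountTokenFilterPolicy to 1 (creating the DWORD if it is missing, as in steps 3 to 5), and with the assumed -Revert switch removes the value again once provisioning is complete. Run it in an elevated PowerShell session on the target server.

```powershell
# Added example, not from the original article. The key path and value name
# are the ones the article gives; the -Revert switch is this script's own.
param([switch]$Revert)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns the current DWORD, or $null when the value does not exist.
    # A missing value behaves like 0: remote UAC restrictions stay enabled.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Format-Policy($v) {
    if ($null -eq $v) { return '<not set> (restrictions on)' }
    return "$v"
}

$before = Get-TokenFilterPolicy
Write-Host "Current value: $(Format-Policy $before)"

if ($Revert) {
    # Back to the default: delete the value so the token filter applies again.
    if ($null -ne $before) { Remove-ItemProperty -Path $KeyPath -Name $ValueName }
} elseif ($null -eq $before) {
    # Step 3: value absent, create it as a DWORD set to 1.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 | Out-Null
} else {
    # Steps 4-5: value present, just set it to 1.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1
}

$after = Get-TokenFilterPolicy
Write-Host "New value:     $(Format-Policy $after)"
```

A value of 1 lifts the filtering for every local administrator account that reaches the server over the network, not only the provisioning account, so keep the window between setting it and reverting it as short as the provisioning job allows.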
