Applies to:
Venafi Encryption Director 6.1 - 11
Venafi Trust Protection Platform 14.1
(Note: does NOT apply to Venafi Trust Protection Platform 14.2 and up)
Symptom:
When we try to set up our MS CA server, we get this error when clicking the Load button:
"Authentication with the CA has failed, please check the settings before trying again. System error: CCertAdmin: GetCAProperty Access is denied. ox8007005 (WIN32:5)"
Cause:
Certificate Manager uses the same credentials to communicate with all Microsoft Certificate Authority servers for which it is configured. If these credentials do not have rights to pull certificates, you will see this error. The COM+ feature on the Windows Certificate Manager server is used to authenticate to and communicate with the other Microsoft servers.
Troubleshooting:
To find out which set of credentials your Certificate Manager is using to authenticate to your Microsoft Certificate Authority servers, follow these steps.
- Log in to your Windows 2008 server (the one that has Certificate Manager installed on it) with the Administrator or an equivalent account.
- Load Component Services.
- Start > Administrative Tools > Component Services.
- Click Component Services > My Computer > COM+ Applications.
- Right-click the Venafi COM+ application and open Properties.
- Click the Identity tab; it shows the user ID being used.
- Depending on the CA type, this account needs to have these rights:
- The account must have "Issue and Manage Certificates" and "Request Certificates" permission on the CA.
- For an Enterprise CA, the account must also have "Read", "Write", and "Enroll" permissions on any templates that Director will use to enroll certificates.
- On the Security tab, the rights should look like the screenshot below at a minimum. The three rights we need are Read, Issue and Manage Certificates, and Request Certificates. (The screenshot below was taken from the CA object itself.)
- Ensure the tab called 'Certificate Managers' is set to 'Restrict certificate managers' and not to 'Do not restrict certificate managers'. If it is set to the latter, all authenticated users will be able to pull certificates from the MS Certificate Authority.
- Run the Microsoft Certificate Templates console to check the rights on the templates you are being allowed to download.
- To do this, run Start > Run > certtmpl.msc.
- Ensure your template has these rights: Read and Enroll. On some versions of MS software they are called Read and Request Certificates.
- The template we are looking at here is webservers.
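The checks above can be scripted on the Certificate Manager server. This is an added example, not Venafi's own tooling; it assumes the COM+ application name contains "Venafi" and that the AD common name of the article's "webservers" template is "WebServer" (adjust both parameters to match your environment).

```powershell
# Added example, not from the Venafi article. Assumptions: the COM+ application
# name contains "Venafi" and the template's common name in AD is "WebServer"
# (the article's "webservers" template). Run on the Certificate Manager server
# as a domain user that can read the Configuration partition.
param(
    [string]$ComPlusAppPattern = 'Venafi',
    [string]$TemplateName      = 'WebServer'
)

# 1. Identity of the Venafi COM+ application (same value as the Identity tab in
#    Component Services). "Interactive User" means no fixed service account.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps    = $catalog.GetCollection('Applications')
$apps.Populate()
foreach ($app in $apps) {
    if ($app.Name -like "*$ComPlusAppPattern*") {
        "COM+ application '{0}' runs as: {1}" -f $app.Name, $app.Value('Identity')
    }
}

# 2. Read/Enroll ACEs on the template object in AD. "Read" in the template GUI
#    is GenericRead (ReadProperty is its key bit); Enroll is the
#    Certificate-Enrollment extended right, identified by its GUID.
$rootDse    = [ADSI]'LDAP://RootDSE'
$configNc   = "$($rootDse.configurationNamingContext)"
$template   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$readBit    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($ace in $template.ObjectSecurity.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $canRead   = ($ace.ActiveDirectoryRights -band $readBit) -ne 0
    # An ExtendedRight ACE with an empty ObjectType grants every extended right.
    $canEnroll = (($ace.ActiveDirectoryRights -band $extRight) -ne 0) -and
                 ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [Guid]::Empty)
    if ($canRead -or $canEnroll) {
        "{0,-40} Read={1,-5} Enroll={2}" -f $ace.IdentityReference, $canRead, $canEnroll
    }
}

# 3. Reproduce the failing call outside Venafi. certutil -cainfo queries CA
#    properties over DCOM, so "Access is denied" here, when run as the COM+
#    identity, points at the CA's Security tab rather than at Certificate Manager.
#    Replace DOMAIN\venafi-svc and CAHOST\CAName with your own values.
# runas /user:DOMAIN\venafi-svc "certutil -config CAHOST\CAName -cainfo"
```

If the identity from step 1 does not appear in the step 2 output with both Read and Enroll, the template permissions described above are the first thing to correct.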
Resolution:
- Ensure the user identified above has sufficient rights to Request, Read, and Issue and Manage Certificates on the CA server, as per the screenshot above.
- The server(s) where Certificate Manager is installed need to be members of the domain where your Certificate Authority (CA) servers reside. If this cannot be done, the username you use locally needs to be identical to the one on the domain that has rights to the CA object.
- Once the credentials have been changed or verified, you will need to stop the Venafi COM+ application so that it will use the new credentials.
Comments
Great article, Martin. Thanks.