The credential specified in the MSCA object in Venafi will be used to run the executable:
The Vplatform.exe executable will use runas using the credentials mentioned before to initiate a connection to the MSCA. During this process you will be able to click Retrieve on the CA template and this will successfully retrieve the templates.
The error message will show up once a certificates renewal process begins and will show up in the Status of the certificate object.
The root cause of the issue is access to the Runas being denied in some way, for example:
Symantec IDS or IPS was blocking RunAs access to the vplatform.exe. Running ProcMon showed Symantec was logging to a csv file in the middle of the vplatform process (just after trying the runas)
This is one example that we have seen, theoretically anything that blocks access to RunAs could cause this issue.
The resolution to this issue is to ensure that vplatform has runas access to the executable, or to the system directly depending on how you have it restricted. So long as the vplatform process is able to run the exe with the credentials in the CA template the issue will not be present.