Enrollment agent certificate template could not be duplicated. Access denied

Active Directory Certificate Services (AD CS) is a very important part of providing security and PKI features. AD CS is the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.

AD CS has multiple options that need to be configured, and the most important part is to have a certificate template. There are many cases where a simple problem can waste a good amount of time.

The error given in the title of this post is fairly simple: “enrollment agent certificate template could not be duplicated. access denied”. In this case, AD CS is installed on a server other than a writeable domain controller, and the certificate template rights need to be delegated to non-admin users.

The solution to this problem is to delegate certificate template duplication rights to the user. The rest of this post is copied from the URL listed below; the content is pretty much the same, and there was no need to invest more time in producing content that was already shared.

https://terrytlslau.tls1.cc/2013/07/managing-all-certificate-templates-and.html

Delegate duplication of all certificate templates
1. On the Domain Controller, log in as Administrator.
2. Click “Start”, enter “adsiedit.msc” to launch “ADSI Edit”.
3. Right-click “ADSI Edit”, select “Connect to”.
4. On the “Connection Settings” window, next to “Select a well known Naming Context”, select “Configuration”.
5. Click “OK”.
Remark: Make sure you are connected to the “Configuration” of the Forest Root Domain.
6. Expand “Configuration > CN=Configuration,DC=adcslab,DC=local > CN=Services > CN=Public Key Services”.
7. On the central pane, right-click “CN=Certificate Templates”, select “Properties”.
8. On the “CN=Certificate Templates Properties” window, click the “Security” tab.
9. Click “Add”.
10. On the “Select Users, Computers, or Groups” window, click “Locations”.
11. On the “Locations” window, select “corp.adcslab.local”.
12. Click “OK”.
13. Next to “Enter the object names to select (examples)”, enter “Terry”.
14. Click “OK”.
15. Next to “Permissions for Terry”, check “Allow – Full control”.
16. Click “OK”.
17. On the central pane, right-click “CN=OID”, select “Properties”.
18. On the “CN=OID Properties” window, click the “Security” tab.
19. Click “Add”.
20. On the “Select Users, Computers, or Groups” window, click “Locations”.
21. On the “Locations” window, select “corp.adcslab.local”.
22. Click “OK”.
23. Next to “Enter the object names to select (examples)”, enter “Terry” and then click “OK”.
24. Next to “Permissions for Terry”, check “Allow – Full control”.
25. Click “OK”.
26. Close “ADSI Edit”.
Remark: In a production environment, we should grant the permissions on “Certificate Templates” and “OID” to a global or universal group that contains the users.
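
The same delegation can be scripted and then reviewed. The PowerShell below is an added example, not part of the original post or the linked source: it grants Full control on both containers to a group, as the remark above recommends, and then lists the explicit write-capable ACEs on each container so the result can be checked. The group name `PKI-Template-Managers` is hypothetical, and the inheritance setting (this object and all descendants) is an assumption about what the ADSI Edit steps produce.

```powershell
# Added example: scripted form of the ADSI Edit steps, granting to a group.
# Needs the ActiveDirectory module (RSAT) and an account allowed to change
# ACLs in the forest Configuration partition.
Import-Module ActiveDirectory

# Hypothetical group name; use your own global or universal group.
$GroupName = 'PKI-Template-Managers'

# Build the two container DNs from the forest's Configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$targets  = "CN=Certificate Templates,$pkiBase", "CN=OID,$pkiBase"

$sid = (Get-ADGroup -Identity $GroupName).SID

# Allow - Full control, applied to the container and all descendants
# (assumption: this matches what the Security tab in ADSI Edit creates).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Any of these bits lets a principal change the container or add children.
# GenericAll contains all of them, so it is matched as well.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, WriteDacl, WriteOwner, CreateChild'

foreach ($dn in $targets) {
    $path = "AD:\$dn"

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Review step: explicit (non-inherited) Allow ACEs with write-type rights.
    (Get-Acl -Path $path).Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0)
        } |
        Select-Object @{ n = 'Container'; e = { $dn } },
                      IdentityReference, ActiveDirectoryRights, InheritanceType
}
```

Anyone listed in the output can create or modify certificate templates and OIDs for the whole forest, so the list should contain only the delegated group and the default administrative principals.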
