Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.


What problem are you having?

General troubleshooting for a certification authority (CA)

Check the event log of the Windows 2000 server. It often logs more detailed errors than you will notice from doing the procedure you're attempting.

If the problem is reproducible, run Certificate Services in diagnostic mode using the certsrv -z command. For more information see CertSrv.

See Microsoft Product Support Services for updated information about Certificate Services.

Error when accessing the certification authority Web pages

Cause:  Web pages aren't installed on the certification authority (CA).

Solution:  Run certutil -vroot from the command prompt on the CA to install the Web enrollment pages.

Cause:  Web pages don't have execute script permissions.

Solution:  From Internet Information Services (IIS), open the CertSrv folder and confirm that there are execute script permissions on the folder. The CertSrv folder is:


Web pages on an enterprise certification authority (CA) either don't generate certificates or generate certificates that are not valid

Cause:  For an enterprise CA, Web pages require that the user be authenticated. If the pages are set to allow anonymous connections, then the CA will either not generate certificates or will generate certificates that are not valid.

Solution:  See Set security for access to certification authority Web pages.

Can't log into certification authority (CA) Web pages

Cause:  If the Web pages negotiate basic authentication with the browser, then your Windows 2000 user account must have the privilege to log on to the server.

Solution:  By default, only domain administrators have this privilege. You will need to change this default security permission setting for the server hosting the CA if you use the Netscape browser.

Certification authority (CA) Web enrollment pages that are installed on a remote server other than the CA do not work

Cause:  The pages are set to use NTLM authentication instead of basic authentication.

Solution:  If the Web pages are located on a different server than the CA, then you must set the pages to use basic authentication rather than NTLM if the CA is an enterprise CA. You should also use SSL to secure these pages to protect the passwords. See the Internet Information Services (IIS) documentation to change these settings.

Internet Information Services (IIS) 4.0 and Certificate Server 1.0 cannot enroll for certificates using Windows 2000 Certificate Services Web pages

Cause:  IIS 4.0 and Certificate Server 1.0 cannot process a certification path, rather than just a single certificate.

Solution:  Use the command line utility CertReq to process the enrollment request.

A user tries to log on with the smart card and receives this message: "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on the account is incorrect"

Cause:  The computer account may be disabled, or the CA that issued the smart card certificate is not trusted by the computer.


  1. Make sure that the computer account is enabled in the domain.
  2. Use the Certificates snap-in to verify that the root CA's certificate is in the Trusted Root Certification Authorities store on the user's computer.
  3. Use the Certificates snap-in to verify that the domain controller has been issued a domain controller certificate that can be verified to a trusted root.

After renewing a CA, computers are no longer automatically enrolling for certificates from that CA

Cause:  CA renewal requires that all automatic certificate enrollment objects that enroll for certificates from that CA be recreated.

Solution:  See Create an automatic certificate request for computers in a Group Policy object.

When trying to enroll for a certificate from a computer or account belonging to a child domain of the domain where the CA is located, the following error appears: "No template could be found. There are no CAs from which you have permission to request a certificate, or an error occurred while accessing the Active Directory."

Cause:  You don't have the proper security permissions set on the certificate templates.

Solution:  Modify the security permissions for the certificate templates to include the child domain accounts from which you want to allow enrollment. To set access control for certificate templates , see Set security permissions and delegate control of certificate templates. Some access control caches must time out after making changes to security permissions, so you have to wait a short period of time before seeing the new security permissions replicate through the network.

Share this article: