A quick bit of background. We have a parent domain, and a child “production” domain. It’s a single forest.
As you may have gathered, assuming you’ve seen my other posts, I’ve been fecking about with our Public Key Infrastructure (PKI). I’ve occasionally gone off on tangents, and possibly even set up a certificate template for email signing, document signing and encryption.
Anyway, whilst setting up a new certificate that I felt was something of a security risk, I decided it would be prudent to remove Authenticated Users and the READ permission. I only wanted the certificate to be accessed from one account, so I wouldn’t need to have Authenticated Users. Right? Ooops, no!
I issued the new template without a hitch, however when I tried to enrol it sat at 50% for a period of time and then bombed out with error code 0x80094800:
Apparently the requested certificate template is not supported by the CA. oh right, well that just explains everything. Thanks for another helpful error message!
The problem here is that the certificate I am trying to enrol is being requested by a user in the child domain, but the Certificate Authority in the parent domain cannot access the template. I added Authenticated Users back with read, renrolled all certificate holders and bingo, everything worked fine!
Maybe one day the error message will be:
Look, you’ve been a muppet and you’re over-thinking stuff again; pop authenticated users back in with read and go for a cup of tea.
Till the next derp o/