ACC: The permissions on this certification authority do not allow the current user to enroll for certificates

Error/Symptom

This error appears in the verbose ACC logs when the ACC is used for CA integration (for example, when running Test Connection for the CA in the Admin Console).

The exact error is shown below.

Processing LongQuery request AirWatch.CloudConnector.CertificateService.ICertificateService:TestConnection
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Trace AirWatch.CloudConnector.CertificateService.CertificateService.TestConnection Enter ++TestConnection
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Debug AirWatch.CloudConnector.CertificateService.CertificateService.TestConnection Forwarding to AirWatch.CloudConnector.CertificateService.CertificateService_Microsoft
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Trace AirWatch.CloudConnector.CertificateService.CertificateService_Microsoft.TestConnection Enter ++TestConnection
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Debug AirWatch.CloudConnector.CertificateService.CertificateService_Microsoft.TestConnection Request certificate from AirWatchADCS01.la.ad.AirWatch.org. CAName: AirWatch-CA
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Trace AirWatch.CloudConnector.CertificateService.CertificateService_Microsoft.TestConnection Exit --TestConnection 00:00:00.0149288
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Trace AirWatch.CloudConnector.CertificateService.CertificateService.TestConnection Exit --TestConnection 00:00:00.0184526
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Error AirWatch.CloudConnector.AccServiceListener.ProcessServiceRequest/1 Exception from service operation
03/07/2016 15:57:40 AirWatchAWACC01 c98c8b0a-f9a2-431b-aaa6-663d40905842 [0000000-0000000] (15) Error AirWatch.CloudConnector.AccServiceListener.ProcessServiceRequest/1 *** EXCEPTION ***
System.Runtime.InteropServices.COMException: The permissions on this certification authority do not allow the current user to enroll for certificates. (Exception from HRESULT: 0x80094011)
at CERTCLIENTLib.CCertRequestClass.GetCACertificate(Int32 fExchangeCertificate, String strConfig, Int32 Flags)
at AirWatch.CloudConnector.CertificateService.CertificateService_Microsoft._TestConnection(TestCertificateConnectionRequest testConnectionRequest, ILogger log, String& action)
at AirWatch.CloudConnector.CertificateService.CertificateService_Microsoft.TestConnection(TestCertificateConnectionRequest testConnectionRequest)
at AirWatch.CloudConnector.CertificateService.CertificateService.TestConnection(TestCertificateConnectionRequest testConnectionRequest)
Diagnostics Context


Cause

This occurs because either the service account associated with the CA integration, or the account that the ACC service runs as, does not have the necessary permissions on the CA or on the certificate template. The HRESULT 0x80094011 in the stack trace is returned by the CA when it denies the calling account the right to enroll.


Resolution

Ensure that the service account associated with the CA integration has the following permissions:

  1. On the certificate template, Read and Enroll are required.
  2. On the Certificate Authority, all permissions except Manage CA.

Ensure that the account that the ACC service runs as has permission to request certificates from the CA.

  1. Check which account the ACC service is running as and verify that it belongs to the same domain as the CA.
  2. Ensure that this account has permission to request certificates on the CA.
  3. If it does not, change the account that the ACC service runs as, then retry Test Connection for the CA integration in the Admin Console.
  4. Check the Failed Requests folder on the CA to see whether the request from the ACC reached the CA at all.
  5. Check the Event Viewer on the CA for any errors or reasons for the failures.
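As an added example (not part of this article), the following read-only PowerShell checks, run on the ACC server, cover steps 1 and 2 above: identify the account the ACC service runs as, compare its domain with the CA's, and probe the CA's Request interface, which is the same interface (ICertRequest) that fails in the stack trace. It assumes the ACC Windows service display name contains "Cloud Connector" and reuses the CA config string from the log excerpt; replace both with your own values.

```powershell
# Added example, not from the KB article. Assumptions: the ACC service display name
# contains "Cloud Connector"; $CaConfig is the "host\CAName" string from the log.
$CaConfig = 'AirWatchADCS01.la.ad.AirWatch.org\AirWatch-CA'

# Step 1: which account does the ACC service run as?
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Cloud Connector%'"
if (-not $svc) { throw 'ACC service not found; adjust the DisplayName filter.' }
$svc | Select-Object Name, StartName, State | Format-List

# Compare the service account's domain with the CA host's DNS domain.
# Built-in accounts (LocalSystem, NT AUTHORITY\NetworkService) reach the CA as
# the computer account, so the computer's domain is what matters for them.
$caHost   = $CaConfig.Split('\')[0]
$caDomain = if ($caHost.Contains('.')) { $caHost.Substring($caHost.IndexOf('.') + 1) }
            else { '(short host name; domain not shown)' }
$svcDomain = if ($svc.StartName -like '*@*')  { $svc.StartName.Split('@')[1] }
             elseif ($svc.StartName -like '*\*') { $svc.StartName.Split('\')[0] }
             else { 'built-in (uses computer account)' }
"Service account domain : $svcDomain"
"CA host domain         : $caDomain"
"Current caller         : $(whoami)  (run this as the service account for a true test)"

# Step 2: contact the CA's Request interface as the current caller. An access
# error here points at the CA object permissions (Request Certificates).
certutil -config $CaConfig -ping
if ($LASTEXITCODE -ne 0) { Write-Warning "CA Request interface ping failed (exit $LASTEXITCODE)" }

# List the templates the CA exposes to this caller. A template that is missing
# or reported as denied points at Read/Enroll on the template rather than the CA.
certutil -config $CaConfig -CATemplates
```

Run the script in a session started as the ACC service account (for example via runas) so that the certutil calls authenticate the same way the service does.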