最近因为一个证书问题郁闷了好久,终于解决了,跟大家共享一下。哈哈!!
问题描述:
本地系统 的自动证书注册在注册一个 域控制器身份验证 证书 (0x80070005)时失败。拒绝访问。
解决方法:
1.
打开域控制器的Active Directory用户和计算机.展开Users,找到CERTSVC_DCOM_ACCESS .
2.
手动将Domain Users 组和Domain Computers组添加到 CERTSVC_DCOM_ACCESS 安全组.(如果存在就不用添加).
3.
如果是域控制器上发生這些错误,请將Domain Controllers 组加入CERTSVC_DCOM_ACCESS组.因为域控制器不是Domain Computers通用组的成員,沒有足夠的 DCOM 权限.
4.
运行以下命令:
certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
net stop certsvc
net start certsvc
参考信息:
1.
http://www.cnblogs.com/benbenkoala/articles/1083161.html
Windows Server 2003 certificate services uses the DCOM protocol to provide enrollment and administration services. Certificate services provides several DCOM interfaces to make enrollment and administration services available. For correct access and usage of these services, certificate services assumes that the DCOM interfaces are set to enable remote activation and access permissions. However, because default security settings for DCOM are applied when you upgrade to Windows Server 2003 SP1, you may have to update these security settings to make sure that enrollment and administration services are available.
By default, all DCOM interfaces in Windows Server 2003 SP1 are configured to grant remote access permissions, remote launch permissions, and remote activation permissions to administrators. However, when you upgrade to Windows Server 2003 SP1, security configuration changes are made to the global DCOM interface and to the CertSrv Request DCOM interface. These changes are made to enable certificate services to work correctly.
Note Any changes that have been made to the CertSrv Request DCOM interface security settings before you install Windows Server 2003 SP1 are lost. Windows Server 2003 SP1 Setup resets all previous security settings in the CertSrv Request DCOM interface to their default settings.
During Windows Server 2003 SP1 Setup, certificate services automatically updates the DCOM security settings as follows: CertSrv Request DCOM interface? The Everyone security group is granted local and remote access permissions.
The Everyone security group is granted local and remote activation permissions.
The Everyone security group is not granted local or remote launch permissions.
DCOM computer restriction settings? A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.
If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.
The CERTSVC_DCOM_ACCESS security group is granted local and remote access permissions.
The CERTSVC_DCOM_ACCESS security group is granted local and remote activation permissions.
The CERTSVC_DCOM_ACCESS security group is not granted local or remote launch permissions.
Note:If the certification authority is installed on a domain controller and if the enterprise consists of more than one domain, certificate services cannot automatically update the DCOM security settings for enrollees from outside the certification authority's domain. Therefore, these enrollees will be denied enrollment access to the certification authority.
To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can add only domain groups to it. For example, if users and computers from another domain, the Contoso domain, have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
If any enrollees that should be authorized by the certification authority are denied authorization after Windows Server 2003 SP1 is installed, you can have certificate services update the DCOM security settings again. To do this, type the following commands at the command prompt, and then press ENTER after each command.
certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
DCOM_SECURITY_UPDATED_FLAG is an internal certificate services registry flag that indicates that the DCOM security settings were successfully updated. Certificate services checks this flag every time that certificate services is started. The previous commands reset the flag and then stop and start certificate services. This behavior causes certificate services to update the DCOM security settings again.
By default, all DCOM interfaces in Windows Server 2003 SP1 are configured to grant remote access permissions, remote launch permissions, and remote activation permissions to administrators. However, when you upgrade to Windows Server 2003 SP1, security configuration changes are made to the global DCOM interface and to the CertSrv Request DCOM interface. These changes are made to enable certificate services to work correctly.
Note Any changes that have been made to the CertSrv Request DCOM interface security settings before you install Windows Server 2003 SP1 are lost. Windows Server 2003 SP1 Setup resets all previous security settings in the CertSrv Request DCOM interface to their default settings.
During Windows Server 2003 SP1 Setup, certificate services automatically updates the DCOM security settings as follows: CertSrv Request DCOM interface? The Everyone security group is granted local and remote access permissions.
The Everyone security group is granted local and remote activation permissions.
The Everyone security group is not granted local or remote launch permissions.
DCOM computer restriction settings? A new security group, CERTSVC_DCOM_ACCESS, is automatically created.
If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is created as a computer local group. The Everyone security group is added to CERTSVC_DCOM_ACCESS.
If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is created as a domain local group. The Domain Users security group and the Domain Computers security group from the certification authority’s domain are added to CERTSVC_DCOM_ACCESS. If domain controllers need access to this interface to request certificates from the certification authority, you must add the Domain Controllers security group. You must do this because domain controllers are not part of the Domain Computers security group.
The CERTSVC_DCOM_ACCESS security group is granted local and remote access permissions.
The CERTSVC_DCOM_ACCESS security group is granted local and remote activation permissions.
The CERTSVC_DCOM_ACCESS security group is not granted local or remote launch permissions.
Note:If the certification authority is installed on a domain controller and if the enterprise consists of more than one domain, certificate services cannot automatically update the DCOM security settings for enrollees from outside the certification authority's domain. Therefore, these enrollees will be denied enrollment access to the certification authority.
To resolve this issue, you must manually add the users to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, you can add only domain groups to it. For example, if users and computers from another domain, the Contoso domain, have to enroll with the certification authority, you must manually add the Contoso\Domain Users group and the Contoso\Domain Computers group to the CERTSVC_DCOM_ACCESS security group.
If any enrollees that should be authorized by the certification authority are denied authorization after Windows Server 2003 SP1 is installed, you can have certificate services update the DCOM security settings again. To do this, type the following commands at the command prompt, and then press ENTER after each command.
certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
DCOM_SECURITY_UPDATED_FLAG is an internal certificate services registry flag that indicates that the DCOM security settings were successfully updated. Certificate services checks this flag every time that certificate services is started. The previous commands reset the flag and then stop and start certificate services. This behavior causes certificate services to update the DCOM security settings again.