XCCC: "Your Certificate Request was Denied" Error Message Occurs When You Request a Certificate for Secure Conferences (321953)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Exchange 2000 Conferencing Server SP1
  • Microsoft Exchange 2000 Conferencing Server SP2
  • Microsoft Exchange 2000 Conferencing Server SP3

This article was previously published under Q321953

SYMPTOMS

To participate in secure online conferences, users must request and install a certificate from a certification authority (CA) for use with the Exchange 2000 Conferencing Server computer. This configuration can be particularly difficult when the participating users' accounts are in a trusted Microsoft Windows NT 4.0 domain.

When you use an account from a trusted Windows NT 4.0 domain to request a certificate through Microsoft Internet Explorer from a CA in the Microsoft Windows 2000 forest or domain where the Conferencing Server computer resides, you may receive the following error message:
Certificate Request Denied

Your certificate request was denied.

Contact your administrator for further information.

CAUSE

This behavior can occur because Enterprise CAs can only issue certificates to users who are members of the forest.

WORKAROUND

To work around this behavior and permit Windows NT 4.0 users to participate in secure online conferences from their native Windows NT 4.0 domain, you must follow these steps:
  1. Install a Windows 2000 member server into the Windows NT 4.0 domain.
  2. Install a Stand-alone Root CA service on the member server.
  3. Manually export the member server's CA certificate:
    1. Start the Certification Authority snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
    2. Under Certification Authority, right-click the server object, and then click Properties.
    3. Click View Certificate, and then click the Details tab.
    4. Click Copy to File, and then follow the steps of the Certificate Export Wizard, accepting all of the default settings, to create a copy of the CA file.
    NOTE: The file is created in the My Documents folder.
  4. Manually import the member server's CA certificate into the Enterprise Root CA's Trusted Root Certificate store, located in the Windows 2000 forest or domain.
    1. Start the Active Directory Users and Computers snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. Right-click the domain object, and then click Properties.
    3. Click the Group Policy tab, click the appropriate Group Policy Object to be applied, and then click Edit.
    4. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Trusted Root Certification Authorities.
    5. Right-click this object, point to All Tasks, and then click Import.
    6. Follow the steps of the Certificate Import Wizard, accepting all default settings, to import the file that you exported from the member server.
    NOTE: The file is imported into the Trusted Root Certification Authorities store.
  5. From a Windows NT 4.0 client, request a certificate from the stand-alone root CA's certificate request Web site (for example, http://server/certsrv).
  6. Manually issue the certificate to the client from the stand-alone root CA computer:
    1. On the Windows 2000 member server, start the Certification Authority snap-in.
    2. Expand the certificate server object, and then click Pending Requests.
    3. Right-click the appropriate pending CA request, point to All Tasks, and then click Issue.
  7. From the client, revisit the stand-alone root CA's certificate request Web site, verify the status of the certificate, and then click Install.
After you complete these steps, a Windows NT 4.0 user can participate in secure conferences hosted on a Conferencing Server in a forest or domain outside the user's own.
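
Step 4 makes the stand-alone CA a trust anchor for every computer that receives the Group Policy Object, so it is worth checking the exported file before you import it. The following PowerShell function is an added example and is not part of the original article; it assumes an administrative workstation that has PowerShell, and the function name, file path, and thumbprint value are placeholders.

```powershell
# Added example, not from the original article.
# Assumptions: run on an administrative workstation that has PowerShell;
# the file path and thumbprint in the usage line are placeholders.
function Test-ExportedRootCa {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint
    )

    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $problems = @()

    # Compare with the Thumbprint field read from the Details tab on the
    # CA server itself (step 3), ignoring spaces and letter case.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        $problems += "thumbprint mismatch: file has $($cert.Thumbprint)"
    }

    # A stand-alone root CA certificate is self-signed: subject equals issuer.
    if ($cert.Subject -ne $cert.Issuer) {
        $problems += "not self-signed: issued by $($cert.Issuer)"
    }

    # The Basic Constraints extension must identify the subject as a CA.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $problems += 'Basic Constraints does not identify the subject as a CA'
    }

    # The certificate must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # The exported file should hold the certificate only, never the CA's private key.
    if ($cert.HasPrivateKey) {
        $problems += 'file contains a private key; export the certificate only'
    }

    New-Object PSObject -Property @{
        Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
        Passed = ($problems.Count -eq 0); Problems = $problems
    }
}
# Usage (placeholder values):
# Test-ExportedRootCa -Path .\standalone-root.cer -ExpectedThumbprint '<thumbprint from the CA server>'
```

Import the file in step 4 only if Passed is True; otherwise export the certificate again from the member server and recheck it.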

STATUS

This behavior is by design.

Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords:kberrmsg kbnofix kbprb KB321953