FIX: Error message when you try to directly send a new SSL server certificate request to a CA service after you upgrade from Exchange 2000 Server to Exchange Server 2003: "Access is denied" (922423)
The information in this article applies to:
- Microsoft Internet Information Services 5.0
- Microsoft Exchange Server 2003 Service Pack 2
SYMPTOMS
Consider the following scenario:
- You upgrade a Web server from Microsoft Exchange 2000 Server to Microsoft Exchange Server 2003 Service Pack 2 (SP2).
- The Web server is also running Microsoft Internet Information Services (IIS) 5.0 and Microsoft Outlook Web Access (OWA).
- You try to directly send a new Secure Sockets Layer (SSL) server certificate request to an online root Microsoft Windows enterprise certification authority (CA) service.

In this scenario, you may receive the following error message:
Access is denied: 0x80070005

Additionally, when you try to send the certificate request by using the path http://localhost/certsrv or the path http://ca_server_name/certsrv, you may receive the following error message:
Fatal Error

Note These are the only two methods that you can use to request a certificate from a CA service.

This problem may occur if the following conditions are true:
- Microsoft Windows 2000 Server Service Pack 4 (SP4) is installed on both the Web server and the computer that is running the CA service.
- You use SSL to communicate with OWA on the Web server.

You experience this problem although OWA worked correctly when you used Exchange 2000 Server.

Note The Web server is the source of the certificate request. Any user who tries to request a certificate for a Web site on the Web server is affected by this problem.

CAUSE
This problem occurs because there is an invalid certificate on the Web server that is running Exchange Server and IIS 5.0, and the CA service is stopped on the CA server. Therefore, the CA service cannot provide a valid certificate.

RESOLUTION
To resolve this problem, use the following methods. Try method 1 first. If method 1 does not resolve the problem, stop the Certificate Services service, and then go to method 2.

Method 1
On the computer that is running the CA service, make sure that the Certificate Services service is running. If the service is not running, start the service. To start the Certificate Services service, follow these steps:
- Click Start, click Run, type services.msc, and then click OK.
- In the Services pane, right-click Certificate Services, and then click Start.
When you have completed these steps, try to access OWA by using SSL.

Method 2
On the Web server, remove the current SSL server certificate for the Default Web site, and then create a new SSL server certificate request.

Remove the current SSL server certificate
- Start Internet Services Manager (ISM). ISM starts the Microsoft Internet Information Services (IIS) snap-in for Microsoft Management Console (MMC).
- Select the Default Web site, right-click the site, and then click Properties.
- In the Properties dialog box, click the Directory Security tab, and then click Server Certificate. The Web Site Certificate Wizard opens.
- In the Web Site Certificate Wizard, click Next.
- Click Remove the Current Certificate, and then click OK.
- Verify that the certificate name that appears is the name of the server certificate that you want to remove. Click Next.
- Click Finish.
  Note By removing the server certificate from the Web site, you only disable the secure communications (SSL/TLS) on that site. The server certificate will still exist in the Certificate Store of the server. Therefore, you can still assign the server certificate to the Web site again if the server certificate is required. If you are sure that you will not assign the server certificate to the Web site again, you may also remove the server certificate from the Certificate Store.
- Right-click the computer name in MMC, and then click Restart IIS.

Create a new SSL server certificate request
When you create a new SSL server certificate request on the Web server, select the Prepare the request now, but send it later option. To do this, follow these steps:
- Start the ISM. ISM starts the IIS snap-in for MMC.
- In the Interface pane, right-click the Web site for which you want to add the certificate, and then click Properties.
- In the Properties dialog box, click the Directory Security tab, and then click Server Certificate to start the Web Server Certificate Wizard. In the wizard, click Next.
- Select Create a new certificate, and then click Next.
- Select Prepare the request now, but send it later, and then click Next.
- Type a name for the certificate.
- Select the bit length of the key that you want to use, specify whether you want to use Server Gated Cryptography (SGC), and then click Next.
  Note For more information about bit length and SGC, see the IIS Help file on the Web server.
- In the Organization and Organizational Unit box, type the name of your organization and organizational unit, and then click Next.
- In the Interface pane, type the common name for your site, and then click Next.
  Note The common name must match the fully qualified domain name (FQDN) of the server as the FQDN is listed in DNS. For example, the following URL and common name match:
  - URL: https://www.contoso.com/securedir
  - Common name: www.contoso.com
- In the Country box, type your country. In the State box, type your state.
  Note You must type the full name of your state instead of the abbreviation.
  In the City or Locality box, type your city or locality. Click Next.
- Select a location to which you want to save your request, type a file name, and then click Next.
- Click Next, and then click Finish to close the wizard.
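
The common-name rule from the note in the steps above can be checked before the value is typed into the wizard. The following Python sketch is an added example, not part of the original article or of any Microsoft tool; the function name `check_common_name` is hypothetical, and it compares names only (it performs no DNS lookup).

```python
from urllib.parse import urlsplit


def check_common_name(site_url, common_name):
    """Return a list of problems; an empty list means the name is usable.

    site_url is the HTTPS URL that clients will type; common_name is the
    value intended for the wizard's common name field.
    """
    host = urlsplit(site_url).hostname  # lower-cased, port and path removed
    if not host:
        return ["site URL has no host part: %r" % site_url]

    problems = []
    cn = common_name.strip()
    if "://" in cn or "/" in cn:
        # Frequent mistake: pasting the whole URL instead of the host name.
        problems.append("common name must be a host name, not a URL or path")
        cn = urlsplit(cn if "://" in cn else "//" + cn).hostname or ""
    elif ":" in cn:
        problems.append("common name must not include a port")
        cn = cn.split(":", 1)[0]

    # DNS names are case-insensitive, and a trailing dot is the same name.
    cn_norm = cn.lower().rstrip(".")
    host_norm = host.rstrip(".")
    if "." not in cn_norm:
        # A short (single-label) server name is not an FQDN.
        problems.append("common name %r is not fully qualified" % cn)
    if cn_norm != host_norm:
        problems.append(
            "common name %r does not match URL host %r" % (cn_norm, host_norm)
        )
    return problems


if __name__ == "__main__":
    # The first pair is the article's own example; the rest are constructed.
    url = "https://www.contoso.com/securedir"
    for candidate in ("www.contoso.com", "www", "mail.contoso.com", url):
        print(candidate, "->", check_common_name(url, candidate) or "OK")
```

An empty result only confirms that the name matches the URL; whether the FQDN is actually listed in DNS still has to be verified separately.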

Restart the Certificate Services service
To restart the service, follow these steps:
- Click Start, click Run, type services.msc, and then click OK.
- In the Services pane, right-click Certificate Services, and then click Start.
When you have completed these steps, try to access OWA by using SSL.

STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

Modification Type: Major
Last Reviewed: 9/14/2006
Keywords: kbBug kbExpertiseInter kberrmsg kbtshoot KB922423 kbAudITPRO