Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "ERROR_ACCESS_DENIED".

Assume the following scenario:

• A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
• The role is installed on a separate server, not on the certification authority directly.
• A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
• The request fails with the following error message:

Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

Possible causes

• The service account under which the CAWE is running is not configured for delegation or is not configured correctly.
• The user account with which the certificate was requested may not be delegated.
• The user account under which the CAWE is running is not a member of the Windows Authorization Access security group.

Details: The service account under which the CAWE is running is not or not correctly configured for delegation.

Unfortunately, the error messages issued by CAWE are not very meaningful. The ERROR_ACCESS_DENIED error occurs, among other things, when the delegation of user authentication to the certificate authority fails, and the CAWE responds with a Domain account or a Group Managed Service Account (gMSA) is operated.

For delegation variants that only allow Kerberos-only authentication, NTLM authentication is no longer possible. These are:

• "Trust this User for delegation to any service (Kerberos only)".
• "Trust this user for delegation to specified services only" in conjunction with "Use Kerberos only".

Therefore, for CAWE to work properly, it is recommended to set the delegation settings to "Trust this user for delegation to specified services only" in conjunction with "Use any authentication protocol", or better yet, to avoid using NTLM altogether and instead use Basic Authentication, which does not require Kerberos delegation.

Details: The user account with which the certificate was requested must not be delegated.

If the "Account is sensitive and cannot be delegated" option is enabled on the user account, CAWE cannot impersonate the user to request the certificate. The same applies if the user is a member of the Protected Users group.

Related links:

• Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".
• Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).
• Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

External sources

• Some applications and APIs require access to authorization information on account objects (Microsoft)