When installing an Active Directory integrated certification authority, the error message "Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)" appears.

Assume the following scenario:

  • A certification authority integrated into Active Directory (Enterprise Certification Authority) is installed via Windows PowerShell.
  • Delegated permissions are used for the installation, i.e. the installing user is not a member of the Enterprise Admins group.
  • After the role configuration has run, one or both of the following error messages are displayed on the command line:
Setup could not add the Certification Authority's computer account to the Pre-Windows 2000 Compatible Access security group. Certificate managers Restrictions feature will not work correctly on this Certification Authority. To fix this, an administrator must manually add the Certification's Authority's computer account to the Pre-Windows 2000 Compatible Access security group in Active Directory. Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Warning: Setup could not add the certification authority's computer account to the cert Publishers Security Group. This Certification Authority will not be able to publish certificates in Active Directory. To fix this, an administrator must manually add the Certification Authority's computer account to the Cert Publishers security group in Active Directory.  Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

If the installation is delegated, the logged-in user must have the right to add the certification authority's computer object to the following Active Directory security groups:

  • Pre-Windows 2000 Compatible Access
  • Cert Publishers
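One way to grant exactly that right ahead of a delegated installation, as an added example that is not from the original page: the script assumes a group named PKI-Installers (hypothetical) whose members carry out the delegated installation, and gives it permission to write the member attribute of the two groups, and nothing else on them. It must be run by an account that may change the ACL of those groups, for example a Domain Admin.

```powershell
# Added example, not from the original page. Grants a delegated installer group
# the right to write the "member" attribute of the two groups the CA setup joins.
Import-Module ActiveDirectory

# Assumption: the delegated installers are members of this (hypothetical) group.
$installerGroup = 'PKI-Installers'
$identity = (Get-ADGroup -Identity $installerGroup).SID

# Schema GUID of the "member" attribute; used as the ObjectType of the ACE so the
# permission is limited to that single attribute.
$memberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

foreach ($groupName in 'Cert Publishers', 'Pre-Windows 2000 Compatible Access') {
    $groupDn = (Get-ADGroup -Identity $groupName).DistinguishedName
    $path    = "AD:\$groupDn"

    # Allow WriteProperty on "member" only (enough for Add-ADGroupMember / CA setup).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttributeGuid
    )

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Verify: show the attribute-level ACEs on this group that refer to "member".
    Write-Host "ACEs on '$groupName' for the member attribute:"
    (Get-Acl -Path $path).Access |
        Where-Object { $_.ObjectType -eq $memberAttributeGuid } |
        Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize
}
```

Granting only WriteProperty on the member attribute keeps the delegation to the minimum the installation needs; giving the installers GenericWrite or full control on Cert Publishers would also let them alter other attributes of a group that every enterprise CA in the domain depends on.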

However, the group memberships can also be configured afterwards by an appropriately authorized user. Membership in the Pre-Windows 2000 Compatible Access security group can be omitted if no restricted certificate managers are used.

Please note that the group memberships only take effect once the account in question, in this case the computer account, logs on again, which for a computer account means after the server has been restarted.

If LDAP certificate revocation list distribution points are configured, publishing to them will fail with the same error message until the certification authority's computer account is a member of the Cert Publishers security group and the membership has taken effect through a restart of the server.
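The manual fix described above, as an added example that is not from the original page: the script is meant for a domain-joined machine with the ActiveDirectory module, run by an account that may add members to the two groups. The CA host name CA01 is an assumption, and the certutil call at the end assumes it is run on the CA server itself after the restart.

```powershell
# Added example, not from the original page. Adds the CA's computer account to
# the two groups after a delegated installation could not do so, and shows how
# to verify the fix once the CA server has been restarted.
Import-Module ActiveDirectory

$caHost     = 'CA01'                         # assumption: host name of the new CA
$caComputer = Get-ADComputer -Identity $caHost

# "Cert Publishers" is required for publishing certificates and CRLs to AD;
# "Pre-Windows 2000 Compatible Access" is only needed for restricted certificate managers.
$groups = 'Cert Publishers', 'Pre-Windows 2000 Compatible Access'

foreach ($groupName in $groups) {
    # Read the member attribute directly; Get-ADGroupMember can fail on groups that
    # contain well-known principals such as Authenticated Users.
    $members = (Get-ADGroup -Identity $groupName -Properties member).member
    if ($members -contains $caComputer.DistinguishedName) {
        Write-Host "$caHost is already a member of '$groupName'"
        continue
    }
    Add-ADGroupMember -Identity $groupName -Members $caComputer
    Write-Host "Added $caHost to '$groupName'"
}

# In a multi-domain forest, Cert Publishers is a domain-local group that exists in
# every domain; repeat the Cert Publishers step with -Server <domain> for each
# domain the CA publishes to.

# The memberships only enter the computer account's token at its next logon,
# i.e. after a restart of the CA server. Uncomment to trigger it remotely:
# Restart-Computer -ComputerName $caHost -Force -Wait

# What AD has stored for the account (not what the currently running token holds):
Get-ADPrincipalGroupMembership -Identity $caComputer |
    Select-Object -ExpandProperty Name

# After the restart, on the CA server: re-publish the CRL. With LDAP CDPs configured,
# this is the operation that failed with 0x80072098 before the membership took effect.
# certutil -CRL
```

The membership check before Add-ADGroupMember makes the script safe to re-run, and reading the member attribute instead of calling Get-ADGroupMember matters for Pre-Windows 2000 Compatible Access, which by default contains Authenticated Users.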
