Request-CsCertificate – Command execution failed: Denied by Policy Module

Certificates, Skype for Business Leave a comment

Issue

Using the Skype for Business Server Deployment Wizard, when requesting a new certificate based on a custom template, the task fails with “Command execution failed: Denied by Policy Module”.

DeniedByPolicyModuleError

I am specifying a custom template called SfB_Template, this template was created to provide 5 year validity certificates to Skype for Business Servers.

PolicyErrorTemplate

Investigation

Using the Certification Authority MMC, under Failed Requests, there is an entry that corresponds with the “Denied by Policy Module” error:

Request ID: 148

Request Status Code: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.  0x80094012 (-2146877422 CERTSRV_E_TEMPLATE_DENIED).

Request Disposition Message: Denied by Policy Module

Resolution

Back to the Certificate Authority MMC, edit the permissions on the Certificate Template (SfB_Template) to give the account requesting the certificate the permissions required to do so.

Here I have given the CsAdministrator full permissions to perform this task:

CorrectPermissions

The certificate can now be successfully requested and issued.

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s