Certificate enrollment application in windows XP RRS feed

  • Question

  • Hi
    I am using xenroll.dll and certcilent.dll as assembly interop in my c# application to provide user with a management console for certificate request and enrollment.
    I can run a sample application to request for a certificate successfully but when I switch to XP it prompts and error message when request is being submitted to CA: "Access Denied"

    What should I do to run my application in windows XP (SP2)? Is there any alternative library that can help me do this task?

    Tuesday, March 11, 2008 6:17 AM


All replies

  • mahdix,


    Based on your post, xenroll.dll is the Certificate Enrollment API can be used to create a client application to request a certificate and install a certificate response. This new API is implemented in CertEnroll.dll starting with Windows Vista; it replaces Xenroll.dll. The Certificate Enrollment API is supported on Windows Server 2008 and Windows Vista


    The Certificate Enrollment API is for use by developers of applications that will enable users to create, request, and retrieve certificates over media, such as the Internet or an intranet, that are not inherently secure. According to the "Access Denied" error message, I would like to provide you the suggestions as follows:


    Please try to open the ACL's on the directory "%system drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. Actually only "Administrators" and "System" should have permissions. However, the list only contains "Everyone". When the private key is created, autoenrollment removes the "Everyone" group from the permission on the private key for security reasons. If "Everyone" is the only ACL on the key, the key not accessible by anyone and you get Access Denied.

    In addition, I would like to provide you the article on Certificate Enrollment Control and the Certificates Tools and Settings. Hope that can provide you some idea.

    Thursday, March 13, 2008 6:19 AM
  • Thanks Bruno Yu, I checked the permissions. Administrators and Everyone had permission for that folder. Changing Everyone permissions to Full control did not solve the problem.
    I think I should clear up my problem.
    I can run the application in windows 2003 when I am logged in as administrator but when I try to run it in windows XP I encounter this error message:
    CCertRequest:Tongue Tiedubmit Access is denied. 0x8007005 (WIN32: 5)
    There is no event log in the XP machine or CA machie.
    the CA is a windows 2003 Ent. Machine and I do not use windows Vista and 2008.

    In msdn help for CCertRequest:Tongue Tiedubmit method it is mentioned in requirements section that
    this method is not supported on client. Does this relate to my problem?

    Thanks for your help
    Thursday, March 13, 2008 9:10 AM
  • mahdix,


    Thanks for your follow up. Based on my research, this method is not supported on the client side since there is no Certification Authority Service on your Windows XP machine. 


    I would like to suggest you to read KB 300867 and the article Configuring and Troubleshooting Windows 2000 and Windows Server 2003 Certificate Services Web Enrollment


    Hope this helps.

    Friday, March 14, 2008 4:32 AM