Access Denied Error While Certificate Enrollment using IX509Enrollment APIs for Domain Users if UAC is ON

  • Question


    We have an ActiveX DLL which performs certificate enrollment for Smart Cards 330/400 and iKey 2032/4000 tokens. The ActiveX uses Vista's new Cert Enroll APIs (i.e. IX509Enrollment APIs) to enroll the certificate on the tokens. We also provide a Smart Card CSP which is used by the IX509Enrollment APIs to communicate with the smart card/tokens.


    For certificate enrollment, we implemented the Automatic enrollment method within the ActiveX DLL:

    -prepares an IX509CertificateRequestPkcs10 object.

    -calls InitializeFromRequest() with the IX509CertificateRequestPkcs10 object.

    -calls the Enroll() method.


    The certificate enrollment request is made through a web page which loads the ActiveX DLL. This process works well for users of both the Domain Admin and Domain Users groups if the UAC is turned Off. But if the UAC is turned Off then only users belonging to the Domain Admin group are able to successfully enroll the certificate on their smart cards/tokens. But the users of the Domain Users group are prompted with an Access Denied error (i.e. 0x80070005).


    While debugging we found that the IX509Enrollment's Enroll() method actually fails with an Access Denied error (i.e. 0x80070005) when a domain user is logged in and UAC is turned On.


    Any suggestion regarding this issue will be highly appreciated.



    Tuesday, June 24, 2008 11:16 AM
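
The three steps listed in the question, as an added PowerShell example that is not the poster's ActiveX code: it drives the same CertEnroll COM objects and records which step stops and with which HRESULT, so a 0x80070005 result can be tied to a specific call and account. The template name, the user enrollment context, the use of InitializeFromTemplateName() and the function names are assumptions; the poster's smart card CSP selection is not reproduced.

```powershell
# Added example. Template name and user context are assumptions, not from the post.
$ContextUser  = 1                          # X509CertificateEnrollmentContext.ContextUser
$TemplateName = 'PLACEHOLDER-TemplateName' # hypothetical certificate template

function Get-CallerInfo {
    # Account and whether the Administrators role is active in the current token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        Account     = $id.Name
        AdminActive = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Invoke-TracedEnrollment {
    param([string]$Template = $TemplateName)
    $step = 'CreateRequest'
    try {
        # Step 1: prepare the PKCS#10 request object.
        $request = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
        $request.InitializeFromTemplateName($ContextUser, $Template)

        # Step 2: hand the request to the enrollment object.
        $step = 'InitializeFromRequest'
        $enrollment = New-Object -ComObject X509Enrollment.CX509Enrollment
        $enrollment.InitializeFromRequest($request)

        # Step 3: submit the request and install the response.
        $step = 'Enroll'
        $enrollment.Enroll()
        $hresult = '0x00000000'
    }
    catch {
        # PowerShell wraps COM failures; the innermost exception carries the HRESULT.
        $hresult = '0x{0:X8}' -f $_.Exception.GetBaseException().HResult
    }
    $caller = Get-CallerInfo
    [pscustomobject]@{
        Account      = $caller.Account
        AdminActive  = $caller.AdminActive
        LastStep     = $step
        HResult      = $hresult
        AccessDenied = ($hresult -eq '0x80070005')
    }
}

Invoke-TracedEnrollment | Format-List
```

Running it once per account and UAC setting gives a side-by-side record of the step and HRESULT for each combination.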