Error 0x80094011: Windows XP client cannot enroll certificate from ADCS

If you still have client computers running Windows XP, you might encounter the following error while enrolling a certificate from Active Directory Certificate Services (ADCS) running on Windows Server 2012 R2:

Event ID: 13
Source: AutoEnrollment
Error: 0x80094011
Message: The permissions on this certification authority do not allow the current user to enroll for certificates.

(You will find this event in the Application event log on the client computer.)

Cause of error 0x80094011

This issue is caused by a new security setting in Windows Server 2012 R2. When a certificate request is received by a certification authority (CA), the CA can enforce encryption of the request via the RPC_C_AUTHN_LEVEL_PKT authentication level. On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 or Windows Server 2012 R2 CA, this enhanced security setting is enabled by default, and Windows XP clients cannot satisfy it.

To enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on a Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 certification authority, run the following command and then restart ADCS:

certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST

How to disable RPC_C_AUTHN_LEVEL_PKT

The following commands lower the CA's security for compatibility with Windows XP clients. Note that the setting applies to every client of that CA, not only Windows XP, so treat it as a compatibility workaround and re-enable the flag once the XP clients are retired.

certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc
net start certsvc
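As an added example (not code from the original post), the following PowerShell script checks whether the CA currently enforces encrypted certificate requests, toggles the flag with the same certutil commands shown above and restarts the service, and searches a client's Application log for the Event ID 13 / 0x80094011 symptom. It assumes that IF_ENFORCEENCRYPTICERTREQUEST is bit 0x200 of InterfaceFlags (the value defined in certsrv.h); you can confirm this with certutil -getreg CA\InterfaceFlags, which prints the decoded flag names next to the numeric value. The hostname XPCLIENT01 is a constructed placeholder.

```powershell
# Added example, not code from the original post. Audits the CA's InterfaceFlags
# for IF_ENFORCEENCRYPTICERTREQUEST, toggles it with certutil as the post does,
# and looks for the client-side symptom in the Application log.
# Assumption: IF_ENFORCEENCRYPTICERTREQUEST is bit 0x200 of InterfaceFlags (as
# defined in certsrv.h); confirm with 'certutil -getreg CA\InterfaceFlags'.

$IF_ENFORCEENCRYPTICERTREQUEST = 0x200
$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-CaRequestEncryptionEnforcement {
    # Run on the CA itself. The 'Active' value holds the name of the CA instance on this host.
    $caName = (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
    $flags  = (Get-ItemProperty -Path (Join-Path $CertSvcConfig $caName) -Name InterfaceFlags).InterfaceFlags
    [pscustomobject]@{
        CAName               = $caName
        InterfaceFlags       = ('0x{0:X}' -f $flags)
        EnforcesEncryptedReq = [bool]($flags -band $IF_ENFORCEENCRYPTICERTREQUEST)
    }
}

function Set-CaRequestEncryptionEnforcement {
    # Enables (-Enable) or disables the flag with certutil, then restarts CertSvc,
    # which is the sequence given in the post. Requires local administrator rights on the CA.
    param([switch]$Enable)
    $op = if ($Enable) { '+' } else { '-' }
    & certutil.exe -setreg 'CA\InterfaceFlags' "${op}IF_ENFORCEENCRYPTICERTREQUEST" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    Restart-Service -Name CertSvc -Force
    Get-CaRequestEncryptionEnforcement
}

function Get-AutoEnrollmentPermissionErrors {
    # Client-side symptom: Event ID 13, source AutoEnrollment, error 0x80094011 in the
    # Application log. Get-EventLog can read a remote XP client's classic event log
    # from a newer management host, which is the practical way to query XP machines.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-EventLog -LogName Application -Source AutoEnrollment `
                 -ComputerName $ComputerName -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 13 -and $_.Message -match '0x80094011' } |
        Select-Object TimeCreated, MachineName, Message
}

# Typical use on the CA: record the current state before changing it.
Get-CaRequestEncryptionEnforcement
# Set-CaRequestEncryptionEnforcement             # disable, for Windows XP compatibility
# Set-CaRequestEncryptionEnforcement -Enable     # restore once the XP clients are gone
# Get-AutoEnrollmentPermissionErrors -ComputerName XPCLIENT01   # XPCLIENT01 is a constructed hostname
```

Running Get-CaRequestEncryptionEnforcement before and after the change gives you a record of the InterfaceFlags value, which is useful when you later want to confirm the flag has been re-enabled.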

More detail about the new security features of ADCS in Windows Server 2012 R2 (and its other new features) can be found in the article What's New in Certificate Services in Windows Server.

Tags: pki, windows xp
