
Fixing “Denied by Policy Module” Error

This blog post covers how to resolve a common template misconfiguration that causes a Denied by Policy Module error when issuing certificates. The error can show up in several ways:

  • Permission denied in the MMC console.
  • The template does not appear on the web enrollment page.
  • A permission denied error when issuing certificates from cmd.

This blog will cover two phases: Problem Diagnosis and Problem Resolution.

Problem Diagnosis

Perform the following steps to troubleshoot the error; ensure you have enterprise admin rights for these steps.

  1. Run the certutil command to get the config value.

  2. Substitute the config value you obtained into the following command:

    certutil -config "{config}" -cainfo templates

    This will present you with all the templates available on this Certification Authority. This data is pulled from the domain controller, and so is the data that is displayed to the users.

    Note: If you don’t see your template, navigate to “certsrv.msc” and issue a new template.

  3. To check the permissions on the concerned template, run the following command:

    certutil -v -template {Template Name}

    If the concerned user is not listed here with the required Enroll permission, grant it by following the steps in the Resolution section.

    Note: If you just made the change, please wait a couple of minutes for the domain controllers to sync.
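The permission check in step 3 can also be made against the template object in Active Directory, which lists each Enroll entry as structured data. This is an added example, not part of the original post; the parameter names and the sample principal are assumptions, and it needs a domain-joined machine with read access to the configuration partition.

```powershell
# Added example (not from the original post): list who holds Enroll / Autoenroll
# on a certificate template by reading the template object's ACL from AD.
param(
    [Parameter(Mandatory)] [string] $TemplateName,  # CN of the template object; can differ from the display name
    [string] $Principal                             # optional filter, e.g. 'CONTOSO\jdoe' (constructed value)
)

# Extended-right GUIDs AD uses for certificate enrollment
$enrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the forest-wide configuration partition
$root     = [ADSI]'LDAP://RootDSE'
$configNC = $root.Properties['configurationNamingContext'].Value
$path     = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [ADSI]::Exists($path)) { throw "Template '$TemplateName' not found under $configNC" }

$acl  = ([ADSI]$path).ObjectSecurity
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($ace in $aces) {
    if (-not $ace.ActiveDirectoryRights.HasFlag($extended)) { continue }
    # An empty ObjectType means "all extended rights" (e.g. Full Control), which includes Enroll
    $right = if ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }
             else { $enrollRights[$ace.ObjectType.ToString()] }
    if (-not $right) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Right     = $right
        Access    = $ace.AccessControlType   # Allow or Deny
        Inherited = $ace.IsInherited
    }
}

if ($Principal) {
    # Direct ACEs only: rights granted through group membership appear under the group's name
    $match = $report | Where-Object { $_.Identity -eq $Principal }
    if (-not $match) { Write-Warning "No direct Enroll ACE for $Principal on $TemplateName" }
    $match
} else {
    $report | Sort-Object Identity, Right | Format-Table -AutoSize
}
```

Run without the principal filter, the same output doubles as a review of how broadly Enroll is granted on the template before more entries are added in the Resolution steps.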

Resolution

Follow these steps to resolve the issue found in the diagnosis phase:

  1. Open Certificate Authority, right-click Certificate Templates, and choose Manage.

  2. Find the concerned Certificate Template, right-click it, and choose Properties.

  3. Navigate to the Security tab and click Add.
  4. Provide appropriate permissions to the user. Click Apply and exit.

  5. This should add the user with appropriate permissions. Run diagnostic steps again to ensure no errors are encountered.

Conclusion

“Denied by Policy” errors often stem from elusive misconfigurations in system settings and policies. To identify these problems, one needs a thorough grasp of authorization, authentication, and access control systems. The difficulty comes from the intricacy of dynamic rules and procedures and the possibility of human error. Maintaining a good security posture requires regular audits, automated configuration tools, and thorough administrator training to mitigate such failures.

At Encryption Consulting, we offer PKI as a Service (PKIaaS) to prevent these issues before they escalate. Our service includes expert guidance on certificate management, template configuration, and policy enforcement, ensuring your environment is always in compliance with best practices. With real-time support and proactive monitoring, our Encryption Advisory Services are designed to help you avoid misconfigurations like the “Denied by Policy” error and ensure smooth certificate issuance.

Contact us at [email protected] today to explore how our tailored encryption solutions can keep your organization secure from certificate-related issues and misconfigurations.

About the Author

Hemant Bhatt is a dedicated and driven Consultant at Encryption Consulting. He works with PKIs, HSMs, and cloud applications. With a focus on encryption methodologies and their application in data security, Hemant has honed his skills in developing applications tailored to clients' unique needs. Hemant excels in collaborating with cross-functional teams to analyze requirements, develop strategies, and implement innovative solutions. Hemant is deeply fascinated by cloud security, encryption, cutting-edge cryptographic protocols such as Post-Quantum Cryptography (PQC), Public Key Infrastructure (PKI), and all things cybersecurity.
