Problem:
A few days ago, I had a problem where I couldn’t deploy a newly created certificate template. Every time the user requested the certificate, I received the following error message:
“The requested certificate template is not supported by the CA. Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Active Directory Certificate Services policy:XXXXXXXXX. CRTSRV_E_UNSUPPORTED_CERT_TYPE.”
So, I rechecked the template and suspected a permissions issue. The group had „Read“ and „Enroll“ permissions, which should have been sufficient.
Solution:
The solution was, once again, simple. After looking at a default CA template, it became clear.
It is absolutely essential that the „Authenticated Users“ group has „Read“ permissions for enrollment to work.
It is not enough for the user or the group to have permissions. A similar issue to the security filtering of group policies.