PS PKI 3.2.5
This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.
In this example, request 49's status is "taken under submission" and is waiting for approval before executing.
```
Import-Module PsPKI
Import-Module ActiveDirectory
$Script:CA = "ca.example.com"
Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}
Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}
Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```
Output for Windows Server 2012 R2 domain-joined standalone root certificate authority
```
# Approve pending CSR: Get-PendingRequest
RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request
# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```
Output for Windows 7 SP1 domain-joined workstation with RSAT
```
# Approve pending CSR: Get-PendingRequest
RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request
# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```
Comments: > What does the code library do when it runs on a CA server that it doesn't do when it runs on an RSAT client? It must be doing something extra. actually, it does nothing. `Approve-CertificateRequest` command is pure PowerShell script. Just out of curiosity: did you run PS console on CA server in elevated mode? When you call the method remotely, all assigned priveleges are enabled, while in local calls they may be reduced by UAC.
This code snippet throws an error when running it locally on a Windows Server 2012 R2 domain-joined standalone root certificate authority. The same code works on Windows 7 SP1 domain-joined workstation with RSAT.
In this example, request 49's status is "taken under submission" and is waiting for approval before executing.
```
Import-Module PsPKI
Import-Module ActiveDirectory
$Script:CA = "ca.example.com"
Function Handle-Error {
Param (
[PSObject]$Error
)
Process {
$Error[0].Exception.InnerException.Message
$Error[0].Exception.InnerException.StackTrace
}
}
Write-Host "# Approve pending CSR: Get-PendingRequest"
Try {
$CertificateRequest = Get-PendingRequest -CertificationAuthority $Script:CA -RequestID 49
$CertificateRequest
} Catch {
Handle-Error -Error $Error[0]
}
Write-Host "# Approve pending CSR: Approve-CertificateRequest"
Try {
$ApprovalResponse = Approve-CertificateRequest -Request $CertificateRequest
$ApprovalResponse
} Catch {
Handle-Error -Error $Error[0]
}
```
Output for Windows Server 2012 R2 domain-joined standalone root certificate authority
```
# Approve pending CSR: Get-PendingRequest
RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 5/17/2016 7:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request
# Approve pending CSR: Approve-CertificateRequest
WARNING: Unable to issue request with ID = '49'
Exception calling "ResubmitRequest" with "2" argument(s): "CCertAdmin::ResubmitRequest: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PsPKI\Server\Approve-CertificateRequest.ps1:16 char:5
+ $DM = $CertAdmin.ResubmitRequest($Request.ConfigString,$Request.RequestID)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : ComMethodTargetInvocation
```
Output for Windows 7 SP1 domain-joined workstation with RSAT
```
# Approve pending CSR: Get-PendingRequest
RequestID : 49
Request.RequesterName : EXAMPLE\user
Request.SubmittedWhen : 05/17/2016 07:29:48 PM
Request.CommonName : Test User
CertificateTemplate :
RowId : 49
ConfigString : ca.example.com\CA
Table : Request
# Approve pending CSR: Approve-CertificateRequest
The certificate '49' was issued.'
```
Comments: > What does the code library do when it runs on a CA server that it doesn't do when it runs on an RSAT client? It must be doing something extra. actually, it does nothing. `Approve-CertificateRequest` command is pure PowerShell script. Just out of curiosity: did you run PS console on CA server in elevated mode? When you call the method remotely, all assigned priveleges are enabled, while in local calls they may be reduced by UAC.