Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester."

• A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
• One uses here the Enroll on Behalf of (EOBO) Mechanism.
• The certificate request fails with the following error message:

The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.

The Certification Authority will use the Event no. 21 log.

Cause

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Occurs when the user does not have the right to request a certificate for that user due to restricted enrollment agent settings on the certificate authority.

Related links:

• Basics: Enroll on Behalf of (EOBO)