Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy

We’re currently deploying Lync 2010 and needed to provision some certificates for the Edge server from our internal PKI environment. The Lync certificate wizard was used to generate the request and when it was submitted to the CA we got this error:

“Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy.”

We use a custom template based on the default WebServer template shipped with Windows Server. The template “friendly name” contained spaces such as “Contoso – Web Server” however the “short name” removes these and is referenced as “ContosoWebServer”.

During the certificate request process in Lync Server 2010 you can specify an alternate template to use for the certificate. During this process we had specified the friendly name and not the short name which resulted in the error.

Once we changed the Lync Server 2010 certificate request template name in the wizard to the short name, the CA issued the certificate without issue.

The Case of the Misbehaving OCS Edge Server

Recently we had an issue with our OCS 2007 R2 edge server.The OCS services refused to start and the server was very sluggish in general. After some troubleshooting it was determined that some of the services would start if the network interfaces were disconnected and performance also returned to normal. Odd but it was chalked up to being a network glitch.

However, the “Office Communications Server Audio/Video Edge” (RTCMEDIARELAY) service was still unable to start. The only entry in the event logs was rather unhelpful.

“A timeout was reached (30000 milliseconds) while waiting for the Office Communications Server Audio/Video Edge service to connect.”

I had a hunch this was still something network related and did a bit of digging around on Google and hit the jackpot!

Hotfix: http://support.microsoft.com/kb/955805

“If a certificate that has the subject information access (SIA) extension is installed on a Windows Vista Service Pack 1 (SP1)-based or Windows Server 2008-based computer, applications that involve certificate validation become very slow. For example, you may experience a delay of two to five minutes when you visit a secure Web site or when you verify a file signature.”

This was just what we were experiencing and it made perfect sense in hindsight since the root certificates update had been applied a few weeks ago which must have compounded the problem.

All I had to do was apply the hotfix and we were back in business.