CA: Non - Enterprise, Standalone CA running on an Active Directory Domain controller.

I'm trying to get the web-enrollment proxy set up on a different machine,
Certificate services is configured, the web-enrollment machine is set up as trusted for delegation,

however I still get the following:

Request Mode:

newreq NN - New Request (keygen)

Disposition:

(never set)

Disposition message:

(none)

Result:

Access is denied. 0x80070005 (WIN32: 5)

COM Error Info:

CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)

LastStatus:

The operation completed successfully. 0x0 (WIN32: 0)

Suggested Cause:

The Certification Authority Service has not been started.

The thing is, it can find the CA when I set up web-enrollment, and if I set up the CA as an Enterprise CA then it has no problem communicating, but I don't want to operate in Enterprise CA mode if I can help it, as the web-enrollment won't be for AD members.

theres definitely a six-pack of beer / a lunch in it if you can work out what i'm missing.

Thanks all.


Oh and yes the C.A. service is running on the machine, and if I point at the Web-enrollment on the machine hosting the CA it works fine.