Re: Windows 2003 Certificate Services - problem downloading Active X control
From: Bill (holdens3_at_hotmail.com)
Date: 10/21/03
- Next message: Gordon Burgess-Parker: "Re: outlook express address file"
- Previous message: David Cross [MS]: "Re: Install CA"
- In reply to: Dave Taylor: "Re: Windows 2003 Certificate Services - problem downloading Active X control"
- Next in thread: Dave Taylor: "Re: Windows 2003 Certificate Services - problem downloading Active X control"
- Reply: Dave Taylor: "Re: Windows 2003 Certificate Services - problem downloading Active X control"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Oct 2003 05:49:09 -0700
Dave,
I think you helped me to solve the problem. You told me about the
PKIView application and this helped to prove the CA was very unhappy.
The biggest issue was that there were URLs that couldn't be contacted.
It seems that the CA absolutely requires that the certificate web
pages be served from the Default Website. Even if I disabled the
default site and created a new one that would answer to the machine
name, it wouldn't work.
All seems to be happy now.
Thanks for your help!
Bill
"Dave Taylor" <Dave.Taylor@work.com> wrote in message news:<3f8c12a3$1@eumel.hag.hilti.com>...
> It's always difficult to picture the scene without actually being hands-on,
> so here's what I did (which is quite similar)
>
> On a standalone 2003 server, installed cert services & chose "Standalone
> Root". Created the "root.cer"
> copied the generated "root.cer" to floppy and published into active
> directory (certutil -dspublish -f a:\root.cer RootCA)
>
> In my 2003 A/D environment, installed cert services (enterprise subordinate,
> sending the request to the offline root, and retrieving a SubCA.cer)
>
> Templates:
> DC's, I've found "domain controller authentication" is the cert you need
> (not "domain controller")
> For (XP) clients, make sure you install the smartcard CSP (You need this on
> the server as well, obviously). Make sure you are a local admin, and that
> http://*.localdomain.com is a member of internet explorer trusted sites.
>
> That, pretty much should be it.
>
> A good tool from m/s is "PKIView", (available in the windows 2003 reskit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
> (watch for line wrapping). This is a graphical overview of your PKI, and
> will help pinpoint errors.
>
> Hope this helps ... Sorry if you've tried most/all of it before - but this
> setup certainly works for me ... I've got users connecting to a quarantine
> area with their smartcards over l2tp no problems ...
>
> Regards,
>
> Dave
>
>
>
> "Bill" <holdens3@hotmail.com> wrote in message
> news:cf93b19f.0310140635.c243a3a@posting.google.com...
> > Dave,
> >
> > I'm using all standard templates. I've had issues in the past with
> > templates where permissions weren't set correctly and I don't think
> > that's the issue here. I've seen the templates issue manifest itself
> > with a different error message.
> >
> > The MMC doesn't show me anything helpful because I never get to the
> > point of requesting the certificate. I'm hung up at the following
> > pages: certsrv/certrqbi.asp?type=0 and certsrv/certrqma.asp
> >
> > One thing I didn't mention before is that I also have a Subordinate
> > Enterprise CA that also had the problem. I managed to fix this
> > somehow while following your suggestions and installing the CA
> > certification path last night. I've attempted to emulate the process
> > on the Enterprise Root CA but am unable to. Perhaps I don't really
> > need to go further because the Root CA isn't really supposed to be
> > used for issuing certificates. I'm able to renew the Subordinate CA
> > certificate from the Root CA.
> >
> > Here's one recurring error in the System Log:
> >
> > The currently selected KDC certificate was once valid, but now is
> > invalid and no suitable replacement was found. Smartcard logon may
> > not function correctly if this problem is not remedied. Have the
> > system administrator check on the state of the domain's public key
> > infrastructure. The chain status is in the error data.
> >
> > I've looked up this error message in Google Groups and MS. Nothing
> > applicable in MS and only two entries in Google groups with questions
> > and no responses.
> >
> > Bill
> >
> > "Dave Taylor" <Dave.Taylor@work.com> wrote in message news:<3f8b9c78$1@eumel.hag.hilti.com>...
> > > Hi Bill,
> > >
> > > What is the certificate ? Is it a standard template ? If so, have you
> > > tried using the certificates mmc snap-in to retrieve the cert ?
> > >
> > > What (if any) errors do you get in the event viewer (client & server)
> > >
> > >
> > > Just to confirm, you are "deleting the cache" etc. in internet explorer
> > > before you request the certificate, aren't you ???
> > >
> > >
> > > "Bill" <holdens3@hotmail.com> wrote in message
> > > news:cf93b19f.0310131501.5f88f215@posting.google.com...
> > > > Dave,
> > > >
> > > > Thanks for the quick response. I think I had done that in the past
> > > > but just to be sure, I tried it again. I'm sorry to say that it
> > > > didn't solve the problem.
> > > >
> > > > Bill
> > > >
> > > > "Dave Taylor" <Dave.Taylor@work.com> wrote in message news:<3f8ac0b5$1@eumel.hag.hilti.com>...
> > > > > Hi Bill,
> > > > >
> > > > > > Have you added http://*.yourinternaldnsname.com to your list of
> > > > > > trusted sites within internet explorer (so that when you access the
> > > > > > http://server/certsrv , it is a trusted site)
> > > > >
> > > > >
> > > > > Regards,
> > > > >
> > > > > Dave
> > > > >
> > > > > "Bill" <holdens3@hotmail.com> wrote in message
> > > > > news:cf93b19f.0310130553.7ec9148f@posting.google.com...
> > > > > > > I'm having a problem with Certificate Services on a Windows 2003
> > > > > > > Enterprise Edition Server. I've created an Enterprise Root CA but
> > > > > > > each time certain clients attempt to request a certificate, the
> > > > > > > "Downloading ActiveX Control" window appears and won't go away. I'm
> > > > > > > unable to successfully request a certificate from some clients
> > > > > > > because of this. Problem clients include Windows 2003 (same server
> > > > > > > where CA is installed) and XP with IE 6.0.2800.1106. One client
> > > > > > > that doesn't have the problem is Windows 2000 Pro with IE
> > > > > > > 6.0.2600.0000.
> > > > > > >
> > > > > > > I've read through plenty of postings in the Google groups and all
> > > > > > > of them seem to apply to OS's other than 2003. Regardless, I've
> > > > > > > read the MS articles and the suggestions in the groups to no avail.
> > > > > > > I've downloaded all applicable Windows Updates for the server and
> > > > > > > still no success. I've removed and installed several times on
> > > > > > > several servers in the Domain and still no success. I've removed
> > > > > > > the Advanced IE security settings with no success in solving the
> > > > > > > problem.
> > > > > >
> > > > > > I have had no problems when installing a stand alone root CA on a
> > > > > > separate server.
> > > > > >
> > > > > > Thanks in advance for your help,
> > > > > >
> > > > > > Bill
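
The thread's resolution turned on CA URLs that could not be contacted, which PKIView surfaced. As an added example (not part of the original posts and not Microsoft's tooling), the PowerShell sketch below lists the AIA and CDP locations embedded in a certificate and tries to fetch the HTTP ones. It assumes a Windows host with PowerShell 3.0 or later; the file path is a hypothetical placeholder.

```powershell
# Added example: report which AIA/CDP URLs in a certificate cannot be fetched.
param(
    # Hypothetical path: export an issued certificate (or the CA certificate) first.
    [string]$CertPath = 'C:\temp\issued.cer'
)

$oids = @{
    '1.3.6.1.5.5.7.1.1' = 'AIA'   # Authority Information Access (issuer cert location)
    '2.5.29.31'         = 'CDP'   # CRL Distribution Points
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

$results = foreach ($ext in $cert.Extensions) {
    if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }

    # Format($true) renders the extension as text; on Windows each
    # location is printed as "URL=<uri>".
    $text = $ext.Format($true)

    foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
        $url    = $m.Groups[1].Value
        $status = 'skipped (not http)'   # ldap:// and file:// entries are only listed

        if ($url -match '^https?://') {
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $status = "OK ($($r.StatusCode))"
            } catch {
                # Covers DNS failures, refused connections and HTTP 4xx/5xx,
                # e.g. when the site hosting the CA's web pages is stopped.
                $status = "FAILED: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Extension = $oids[$ext.Oid.Value]
            Url       = $url
            Status    = $status
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Running `certutil -verify -urlfetch` against the same file performs a comparable retrieval check, including the LDAP locations this sketch skips.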