Re: Complicated root CA issue..
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 06/08/05
- Previous message: Karl Levinson, mvp: "Re: Are we safe from EMP scanning? - tempest.txt (0/1)"
- In reply to: =pathfinder=: "Re: Complicated root CA issue.."
- Next in thread: =pathfinder=: "Re: Complicated root CA issue.."
- Reply: =pathfinder=: "Re: Complicated root CA issue.."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 7 Jun 2005 23:52:02 -0500
I don't know offhand but suspect that the CA you were denied access to is
not configured to use that certificate template, or the permissions for that
template do not allow you to request a certificate for that server. You
could use the Certificate Authority Management Console to compare which
templates have been enabled on each CA and compare the permissions
configured. Otherwise verify that you have connectivity to the CA in
question from the domain controller that you are trying to obtain a
certificate for, by pinging it by IP address and fully qualified domain name
and using the command "certutil -ping -config CAcomputername" to see if the
CA responds, as shown in the example below for me doing such from an XP Pro
domain computer. The link below explains some CA troubleshooting
methods. --- Steve

D:\Documents and Settings\Steve>certutil -ping -config server1-2003
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Connecting to server1-2003 ...
Server "CA3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.
"=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
news:65F59990-3A00-4753-B740-53122772939C@microsoft.com...
> Thanks Steven, that did the trick.
> One other thing: why is it that if I choose the advanced option and
> manually choose a different (subordinate) CA to give me the cert it fails
> complaining of "you do not have permission to do this or the CA is not
> running"? When I try the process again but choose the default options
> (uses the root CA) it all works?
>
> "Steven L Umbach" wrote:
>
>> Assuming everything is working correctly you could logon to the domain
>> controller as a domain admin and then use the mmc snapin for certificates
>> for computer to request a domain controller certificate. Go to the
>> personal/certificates folder, right click, select all tasks - request new
>> certificate and select domain controller certificate. --- Steve
>>
>>
>> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
>> news:4FE024BE-8CD0-42D2-BC96-229A4F95E885@microsoft.com...
>> > Ok, we have 6 DC's. I built 3 in the last year but a previous admin
>> > built the original 3 DC's. I have an enterprise Root CA, it has issued
>> > Domain Controller certs to the 3 DC's I built but I can't get Domain
>> > Controller certs to the original 3 DC's. I created an enrollment policy
>> > for the Domain Controller certs but only 1 of the original DC's picked
>> > that up.
>> >
>> > I really need to get Domain Controller certs on all my DC's as I am
>> > deploying WPA-Radius WiFi and need to use PEAP to authenticate my
>> > users. The PEAP works fine on a DC that has its cert while PEAP can't
>> > be configured on a DC without the cert.
>> >
>> > Any ideas on what I can do to force a Domain Controller cert onto the 3
>> > original DC's?
>> > How do I request a Domain Controller cert manually?
>> >
>>
>>
>>
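
The checks suggested in the reply above (ping the CA, run certutil -ping, compare which templates each CA has enabled) can be run side by side for the CA that works and the one that refuses the request. This is an added example, not part of the original thread; the two CA config strings are placeholders, and the line format parsed from certutil -CATemplates is an assumption noted in the code.

```powershell
# Added example (not from the original post). Run on the DC that fails to enroll.
# Both config strings are placeholders in "computer\CA name" form.
param(
    [string]$WorkingCA = 'ROOTCA-HOST\Example Root CA',
    [string]$FailingCA = 'SUBCA-HOST\Example Sub CA',
    [string]$Template  = 'DomainController'   # template name, not display name
)

function Test-CAReachable([string]$Config) {
    $caHost = $Config.Split('\')[0]
    # ICMP can be filtered, so a failed ping alone does not prove the CA is down
    $icmp = Test-Connection -ComputerName $caHost -Count 2 -Quiet
    # Same check as in the post: does the CA's request interface answer?
    $out = & certutil.exe -ping -config $Config 2>&1
    [pscustomobject]@{
        Icmp      = $icmp
        Interface = ($LASTEXITCODE -eq 0)
        LastLine  = "$($out | Select-Object -Last 1)"
    }
}

function Get-CATemplateNames([string]$Config) {
    # Assumed output format: one "Name: Display name -- ..." line per template
    $out = & certutil.exe -config $Config -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { return @() }
    foreach ($line in $out) {
        if ("$line" -match '^([^:\s]+):\s' -and $Matches[1] -ne 'CertUtil') {
            $Matches[1]
        }
    }
}

foreach ($ca in $WorkingCA, $FailingCA) {
    $reach = Test-CAReachable $ca
    $names = @(Get-CATemplateNames $ca)
    [pscustomobject]@{
        CA              = $ca
        IcmpReply       = $reach.Icmp
        RequestIfAlive  = $reach.Interface
        TemplatesListed = $names.Count
        TemplateOffered = ($names -contains $Template)
        CertutilSays    = $reach.LastLine
    }
}
```

A CA that answers certutil -ping but shows TemplateOffered as False is not publishing the template; if both CAs offer it, the template permissions still have to be compared in the management console.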