Re: Complicated root CA issue..

From: =pathfinder= (pathfinder_at_discussions.microsoft.com)
Date: 06/08/05


Date: Wed, 8 Jun 2005 14:34:01 -0700

I tried using the utility as you mention and here are the responses I get
from one of the 6 DCs I have. This is a DC I built that did receive a DC
cert automatically.
_______________________________________________________________
C:\Documents and Settings\path>certutil -ping -config myCA
Connecting to myCA ...
Server "myCA.domain.com" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.

C:\Documents and Settings\path>certutil -ping -config pcvw-udc
Connecting to pcvw-udc ...
Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)

CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Any more ideas?

"Steven L Umbach" wrote:

> I don't know offhand but suspect that the CA you were denied access to is
> not configured to use that certificate template or the permissions for that
> template do not allow you to request a certificate for that server. You
> could use the Certificate Authority Management Console to compare which
> templates have been enabled on each CA and compare the permissions
> configured. Otherwise verify that you have connectivity to the CA in
> question from the domain controller for which you are trying to obtain a
> certificate by pinging it by IP address and fully qualified domain name and
> using the command "certutil -ping -config CAcomputername" to see if the CA
> responds as shown in the example below for me doing such from an XP Pro
> domain computer. The link below explains some CA troubleshooting
> methods. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/03fc472d-4b66-41ee-97a5-5ae181beae2d.mspx
>
> D:\Documents and Settings\Steve>certutil -ping -config server1-2003
> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
> Connecting to server1-2003 ...
> Server "CA3" ICertRequest2 interface is alive
> CertUtil: -ping command completed successfully.
>
> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
> news:65F59990-3A00-4753-B740-53122772939C@microsoft.com...
> > Thanks Steven, that did the trick.
> > One other thing: why is it that if I choose the advanced option and
> > manually choose a different (subordinate) CA to give me the cert it fails
> > complaining of "you do not have permission to do this or the CA is not
> > running"? When I try the process again but choose the default options
> > (uses the root CA) it all works?
> >
> > "Steven L Umbach" wrote:
> >
> >> Assuming everything is working correctly you could logon to the domain
> >> controller as a domain admin and then use the mmc snapin for certificates
> >> for computer to request a domain controller certificate. Go to the
> >> personal/certificates folder, right click, select all tasks - request new
> >> certificate and select domain controller certificate. --- Steve
> >>
> >>
> >> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
> >> news:4FE024BE-8CD0-42D2-BC96-229A4F95E885@microsoft.com...
> >> > Ok, we have 6 DCs. I built 3 in the last year but a previous admin built
> >> > the original 3 DCs. I have an enterprise Root CA; it has issued Domain
> >> > Controller certs to the 3 DCs I built but I can't get Domain Controller
> >> > certs to the original 3 DCs. I created an enrollment policy for the Domain
> >> > Controller certs but only 1 of the original DCs picked that up.
> >> >
> >> > I really need to get Domain Controller certs on all my DCs as I am
> >> > deploying WPA-Radius WiFi and need to use PEAP to authenticate my users.
> >> > The PEAP works fine on a DC that has its cert, while PEAP can't be
> >> > configured on a DC without the cert.
> >> >
> >> > Any ideas on what I can do to force a Domain Controller cert onto the 3
> >> > original DCs?
> >> > How do I request a Domain Controller cert manually?
> >> >
> >>
> >>
> >>
>
>
>
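
An added triage helper, not from the thread and not a Microsoft tool: Python code that parses the text `certutil -ping -config <CA>` prints, as quoted above, and separates a CA whose ICertRequest2 interface answered from one returning "Access is denied", decoding the 0x8007xxxx HRESULT back to its WIN32 code. The sample output is the thread's own; the regular expressions and the PingResult type are assumptions about the output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Lines certutil prints, as seen in the thread. The "..CertCli Version" banner
# also carries an HRESULT (0x80070057) but is informational, so only the
# explicit "could not be reached" line is treated as a failure.
ALIVE_RE = re.compile(r'^Server "(?P<server>[^"]+)" ICertRequest2 interface is alive', re.M)
FAIL_RE = re.compile(r'^Server could not be reached: (?P<msg>.+?)\s+'
                     r'(?P<hr>0x[0-9A-Fa-f]{8}) \(WIN32: (?P<w32>\d+)\)', re.M)

@dataclass
class PingResult:
    ca_config: str
    alive: bool
    server: Optional[str] = None   # CA name the server reports when alive
    hresult: Optional[int] = None  # e.g. 0x80070005
    win32: Optional[int] = None    # e.g. 5 == ERROR_ACCESS_DENIED
    message: Optional[str] = None

def win32_from_hresult(hr: int) -> Optional[int]:
    """Unwrap a failed HRESULT of facility 7 (FACILITY_WIN32) to its Win32 code."""
    if hr & 0x80000000 and (hr >> 16) & 0x7FF == 7:
        return hr & 0xFFFF
    return None

def parse_ping_output(ca_config: str, text: str) -> PingResult:
    m = ALIVE_RE.search(text)
    if m:
        return PingResult(ca_config, True, server=m.group("server"))
    m = FAIL_RE.search(text)
    if m:
        hr = int(m.group("hr"), 16)
        return PingResult(ca_config, False, hresult=hr, win32=int(m.group("w32")),
                          message=m.group("msg").rstrip("."))
    return PingResult(ca_config, False, message="unrecognised certutil output")

# Output captured in the thread above, one entry per CA that was pinged.
SAMPLE_OUTPUT = {
    "myCA": 'Connecting to myCA ...\n'
            'Server "myCA.domain.com" ICertRequest2 interface is alive\n'
            'CertUtil: -ping command completed successfully.\n',
    "pcvw-udc": 'Connecting to pcvw-udc ...\n'
                'Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)\n\n'
                'CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)\n'
                'CertUtil: Access is denied.\n',
}
```

A WIN32 5 result means the CA was reached but refused the caller, so the next thing to compare is the Request permission on the CA and on the Domain Controller template rather than network connectivity.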


