Re: Complicated root CA issue..

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 06/09/05

    Date: Thu, 9 Jun 2005 10:40:45 -0500


    Hmm. Not quite sure what is going on, but what I would try is running the
    support tool netdiag on both the CA you are refused access to and the server
    you are refused access from. Netdiag will run a battery of tests that will
    check, among other things, network connectivity, DNS name resolution and
    record registration, DC discovery, Kerberos, and trust/secure channel. DNS
    or trust/secure channel problems could be a possible cause. I would also run
    dcdiag on the domain controller to check for pertinent problems including
    DNS and replication. You also may want to post in the
    microsoft.public.security.crypto newsgroup. --- Steve

    "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
    news:8AC77FBA-D640-4D42-BDFD-B6C00E5847E6@microsoft.com...
    > I tried using the utility as you mention and here are the responses I get
    > from one of the 6 DCs I have. This is a DC I built that did receive a DC
    > cert automatically.
    > _______________________________________________________________
    > C:\Documents and Settings\path>certutil -ping -config myCA
    > Connecting to myCA ...
    > Server "myCA.domain.com" ICertRequest2 interface is alive
    > CertUtil: -ping command completed successfully.
    >
    > C:\Documents and Settings\path>certutil -ping -config pcvw-udc
    > Connecting to pcvw-udc ...
    > Server could not be reached: Access is denied. 0x80070005 (WIN32: 5)
    >
    > CertUtil: -ping command FAILED: 0x80070005 (WIN32: 5)
    > CertUtil: Access is denied.
    >
    > Any more ideas?
    >
    >
    > "Steven L Umbach" wrote:
    >
    >> I don't know offhand but suspect that the CA you were denied access to is
    >> not configured to use that certificate template or the permissions for that
    >> template do not allow you to request a certificate for that server. You
    >> could use the Certificate Authority Management Console to compare which
    >> templates have been enabled on each CA and compare the permissions
    >> configured. Otherwise verify that you have connectivity to the CA in
    >> question from the domain controller that you are trying to obtain a
    >> certificate for by pinging it by IP address and fully qualified domain name
    >> and using the command " certutil -ping -config CAcomputername " to see if
    >> the CA responds as shown in the example below for me doing such from an XP
    >> Pro domain computer. The link below explains some CA troubleshooting
    >> methods. --- Steve
    >>
    >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/03fc472d-4b66-41ee-97a5-5ae181beae2d.mspx
    >>
    >> D:\Documents and Settings\Steve>certutil -ping -config server1-2003
    >> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
    >> Connecting to server1-2003 ...
    >> Server "CA3" ICertRequest2 interface is alive
    >> CertUtil: -ping command completed successfully.
    >>
    >> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
    >> news:65F59990-3A00-4753-B740-53122772939C@microsoft.com...
    >> > Thanks Steven, that did the trick.
    >> > One other thing: why is it that if I choose the advanced option and
    >> > manually choose a different (subordinate) CA to give me the cert it fails
    >> > complaining of "you do not have permission to do this or the CA is not
    >> > running"? When I try the process again but choose the default options
    >> > (uses the root CA) it all works?
    >> >
    >> > "Steven L Umbach" wrote:
    >> >
    >> >> Assuming everything is working correctly you could log on to the domain
    >> >> controller as a domain admin and then use the MMC snap-in for
    >> >> certificates for computer to request a domain controller certificate. Go
    >> >> to the personal/certificates folder, right click, select all tasks -
    >> >> request new certificate and select domain controller certificate. --- Steve
    >> >>
    >> >>
    >> >> "=pathfinder=" <pathfinder@discussions.microsoft.com> wrote in message
    >> >> news:4FE024BE-8CD0-42D2-BC96-229A4F95E885@microsoft.com...
    >> >> > Ok, we have 6 DCs. I built 3 in the last year but a previous admin
    >> >> > built the original 3 DCs. I have an enterprise root CA; it has issued
    >> >> > Domain Controller certs to the 3 DCs I built but I can't get Domain
    >> >> > Controller certs to the original 3 DCs. I created an enrollment policy
    >> >> > for the Domain Controller certs but only 1 of the original DCs picked
    >> >> > that up.
    >> >> >
    >> >> > I really need to get Domain Controller certs on all my DCs as I am
    >> >> > deploying WPA-Radius WiFi and need to use PEAP to authenticate my
    >> >> > users. PEAP works fine on a DC that has its cert, while PEAP can't be
    >> >> > configured on a DC without the cert.
    >> >> >
    >> >> > Any ideas on what I can do to force a Domain Controller cert onto the 3
    >> >> > original DCs?
    >> >> > How do I request a Domain Controller cert manually?
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >>
    >>
    >>
    >>
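The checks Steve describes by hand in this thread (compare which templates each CA has enabled, ping each CA's ICertRequest interface with certutil, and fall back to a manual request when autoenrollment never delivers the Domain Controller certificate) can be scripted. The script below is an added example and is not code from either poster; it assumes a modern PowerShell session on a domain-joined DC run as a Domain Admin, that certutil.exe and certreq.exe are on the path, and that "DomainController" is the built-in v1 template name (the template name, not its display name). The function names, the temp-file paths and the INF contents are this example's own choices.

```powershell
# Added example (not from the original thread). Assumes: run in PowerShell on a
# domain-joined DC as a Domain Admin; certutil.exe and certreq.exe are available;
# "DomainController" is the built-in v1 template name (not its display name).
param(
    [string]$Template = "DomainController",
    [switch]$Enroll      # only submit a request when explicitly asked to
)

function Get-EnterpriseCaStatus {
    param([string]$Template)
    # Enterprise CAs are published under the Configuration partition of AD.
    $configNc  = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    foreach ($ca in $enrollSvc.Children) {
        $config = "{0}\{1}" -f [string]$ca.dNSHostName, [string]$ca.cn
        # certificateTemplates lists the templates this CA is configured to issue,
        # i.e. what the CA MMC shows under "Certificate Templates" for that CA.
        $published = @($ca.certificateTemplates) -contains $Template
        # Same check the thread does by hand: is ICertRequest reachable from here?
        $pingOut = & certutil.exe -ping -config $config 2>&1
        New-Object PSObject -Property @{
            CA                = $config
            PublishesTemplate = $published
            Reachable         = ($LASTEXITCODE -eq 0)
            Detail            = [string]($pingOut | Select-Object -Last 1)
        }
    }
}

function Request-DcCertificate {
    param([string]$CaConfig, [string]$Template)
    # Command-line equivalent of the MMC "Request New Certificate" wizard.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $inf  = Join-Path $env:TEMP "dc-request.inf"   # hypothetical scratch paths
    $req  = Join-Path $env:TEMP "dc-request.req"
    $cer  = Join-Path $env:TEMP "dc-request.cer"
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with $LASTEXITCODE" }
    # An 'Access is denied' here points at the CA's own Request Certificates
    # permission or the template ACL rather than at network connectivity.
    & certreq.exe -submit -config $CaConfig $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit to $CaConfig failed with $LASTEXITCODE" }
    # Installs the issued certificate next to its private key in LocalMachine\My.
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with $LASTEXITCODE" }
}

$status = @(Get-EnterpriseCaStatus -Template $Template)
$status | Format-Table CA, PublishesTemplate, Reachable, Detail -AutoSize

if ($Enroll) {
    $target = $status | Where-Object { $_.PublishesTemplate -and $_.Reachable } | Select-Object -First 1
    if (-not $target) { throw "No reachable CA publishes the '$Template' template." }
    Request-DcCertificate -CaConfig $target.CA -Template $Template
}
```

Run it without switches first: a CA that shows PublishesTemplate as False is the case from Steve's first reply (the template is simply not enabled on that CA), and a CA that shows Reachable as False with an access-denied Detail line matches the second certutil output above and is a permission or DCOM problem rather than a template one. Only then run it with -Enroll to do what the MMC wizard does from the command line; `certutil -CATemplates -config host\CAname` gives the CA's own view of the same template list if the AD object and the CA disagree.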

