Re: Computer and User Certificates Issues
jabrandt_at_online.microsoft.com
Date: 09/25/05
- Next message: big jim: "Firewall Security"
- Previous message: Lanwench [MVP - Exchange]: "Re: Norton Anti-Virus Problem!"
- In reply to: Steven L Umbach: "Re: Computer and User Certificates Issues"
- Next in thread: William Teller: "Re: Computer and User Certificates Issues"
- Reply: William Teller: "Re: Computer and User Certificates Issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 Sep 2005 23:17:36 -0500
So a couple of new things to check out.
1. You created a custom V2 template but is this CA running Windows Server
2003 Enterprise Edition? Standard Ed. of the OS will not issue custom
templates.
2. A 2003 CA requires Kerberos authentication so if for some reason you fail
Kerberos and use NTLM you will be denied access. A tool such as Klist or
Kerbtray will show if you have a TGS Kerberos ticket from that machine.
3. A 2003 CA with SP1 installed will not function properly in a Windows
2000 AD that does not have the 2003 Schema extension installed. Either
install the Schema extension or uninstall SP1.
James
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:eafEGSFwFHA.3720@TK2MSFTNGP14.phx.gbl...
> Can you request any certificate at all via the mmc snapin for either user
> or computer such as the standard version 1 templates?? That will help
> determine if there is just a problem with that one certificate template or
> requesting certificates in general. Also use the Management Console for
> the CA and go to the CA properties for security to make sure authenticated
> users have the allow permission for request certificates. Check the logs
> on the CA [system/application] for anything that may indicate a problem
> contacting the domain controller and verify that you can ping the domain
> controller from the CA by fully qualified domain name and IP address. Also
> run the support tool netdiag on the CA to see if any related problems are
> discovered such as dns, dc discovery, or trust/secure channel. --- Steve
>
>
> "William Teller" <WilliamTeller@discussions.microsoft.com> wrote in
> message news:7145382C-6D0D-4F09-B011-30448A72FC9B@microsoft.com...
>> Thanks for the help.
>>
>> I have double checked the permissions on each duplicate certificate; they
>> are exactly as follows:
>>
>> New Computer Certificate:
>> Authenticated Users = Read
>> Domain Computers = Read, Enroll, Autoenroll
>> Domain Admins = Read, Write, Enroll
>> Enterprise Admins = Read, Write, Enroll
>>
>> New User Certificate:
>> Authenticated Users = Read
>> Domain Users = Read, Enroll, Autoenroll
>> Domain Admins = Read, Write, Enroll
>> Enterprise Admins = Read, Write, Enroll
>>
>> I have checked the Failed Requests folder on the CA and there are no failed
>> requests. I have also tried manually enrolling for a computer certificate
>> through the Computer Certificates MMC Snapin. When I requested a certificate
>> I could see the new duplicate computer certificate for autoenrollment and
>> could select it. But when I clicked finish I got the following message:
>>
>> "The certificate request failed because of one of the following conditions:
>> -The certificate request was submitted to a Certification Authority (CA)
>> that is not started.
>> -You do not have the permissions to request certificates from the
>> available CA's."
>>
>> Issue still not resolved, but trying hard to find out more info. The
>> security event log shows no access denied events by the way. Thank you in
>> advance for any additional help.
>>
>> Sincerely,
>>
>> William Teller
>>
>> "Steven L Umbach" wrote:
>>
>>> Check your duplicate template for the computer certificate and verify that
>>> domain computers group has read, enroll, and autoenroll permissions. On your
>>> CA use the Management Console for Certificate Authority and look in the
>>> failed requests folder to see if you find anything there that may have more
>>> details on the reason the autoenroll failed. Try requesting a computer
>>> certificate manually on one of the computers while logged on as a local
>>> administrator using the mmc snapin for computer certificates to see if that
>>> works or not. You would need to go to the personal folder, right click and
>>> select all tasks - request new certificate. --- Steve
>>>
>>>
>>> "William Teller" <WilliamTeller@discussions.microsoft.com> wrote in
>>> message
>>> news:3CB04962-A00E-4804-95EE-57ED421131CD@microsoft.com...
>>> > Hello,
>>> >
>>> > I have setup a Windows Server 2003 box in a test environment as a RADIUS
>>> > Server using IAS to familiarise with Wireless Networking Authentication (we
>>> > are intending to deploy some Windows 2003 systems as RADIUS Servers in the
>>> > near future). The authentication method that I am hoping to use is EAP-TLS,
>>> > which I understand requires User and Computer Certificates. Hence, I
>>> > installed a CA on the Server, and duplicated the User and Computer
>>> > Certificate Templates, changing only the Expiration Times. Both Templates
>>> > have Authenticated Users with Read Access, Domain Admins with Full Access.
>>> > The new User Template has Domain Users with Enroll and AutoEnroll Access and
>>> > the same for Computer Template except for Domain Computers group. We have
>>> > configured the Domain Level GPO to grant Automatic Certificate Enrollment.
>>> > However, when computers in the test environment update Group Policy they all
>>> > contain the following events:
>>> >
>>> > Event Type: Error
>>> > Event Source: AutoEnrollment
>>> > Event Category: None
>>> > Event ID: 13
>>> > Date: 22/09/2005
>>> > Time: 9:54:16 PM
>>> > User: N/A
>>> > Computer: EPT-101
>>> > Description:
>>> > Automatic certificate enrollment for local system failed to enroll for one
>>> > LFN Computer certificate (0x80070005). Access is denied.
>>> >
>>> > For more information, see Help and Support Center at
>>> > http://go.microsoft.com/fwlink/events.asp.
>>> >
>>> > Event Type: Error
>>> > Event Source: AutoEnrollment
>>> > Event Category: None
>>> > Event ID: 13
>>> > Date: 22/09/2005
>>> > Time: 10:09:49 PM
>>> > User: N/A
>>> > Computer: EPT-201
>>> > Description:
>>> > Automatic certificate enrollment for local system failed to enroll for one
>>> > LFN Computer certificate (0x80070005). Access is denied.
>>> >
>>> > For more information, see Help and Support Center at
>>> > http://go.microsoft.com/fwlink/events.asp.
>>> >
>>> > Where have I gone wrong? These are XP SP2 clients; I previously tried
>>> > enabling detailed Enrollment Logging but the additional events provided no
>>> > extra information.
>>> >
>>> > Thank you in advance for all correspondence,
>>> >
>>> > William Teller
>>>
>>>
>>>
>
>
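The checks James and Steve walk through above (Event ID 13 with 0x80070005, CA edition, a Kerberos service ticket for the CA, CA reachability, and the Enroll/Autoenroll ACL on the duplicated template) can be scripted from a domain-joined client. The following is an added, read-only diagnostic written for this page; it is not code from the thread or from any Microsoft tool. The template CN, CA host name and CA name are placeholder assumptions, and it expects PowerShell 5.1 or later with WinRM available to the CA for the edition check.

```powershell
# Added example, not code from the thread: read-only diagnostic for the
# autoenrollment "Access is denied" (0x80070005) failure discussed above.
# $TemplateCn, $CaHost and $CaName are assumed placeholders; replace them.
param(
    [string]$TemplateCn = 'NewComputerCertificate',   # assumed: the duplicated template's CN (common name, not display name)
    [string]$CaHost     = 'ca01.example.local',        # assumed: FQDN of the enterprise CA
    [string]$CaName     = 'Example Enterprise CA'      # assumed: the CA's common name
)

# Well-known AD extended-right GUIDs that appear on certificate template ACEs.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Symptom: Event ID 13 from the AutoEnrollment source in the Application log.
# 0x80070005 is E_ACCESSDENIED; the message text names the template that failed.
function Get-AutoEnrollFailures {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 13 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'AutoEnrollment' } |
        Select-Object TimeCreated, MachineName, Message
}

# James's point 1: custom (V2) templates are only issued by Enterprise or
# Datacenter edition CAs. Queries WMI on the CA over WinRM.
function Test-CaEdition {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $CaHost
    [pscustomobject]@{
        CaHost              = $CaHost
        Edition             = $os.Caption
        CanIssueV2Templates = [bool]($os.Caption -match 'Enterprise|Datacenter')
    }
}

# James's point 2: the CA refuses NTLM, so the client must hold a Kerberos
# service ticket for the CA host. klist is built into Windows (Vista+).
function Test-CaKerberosTicket {
    $pattern   = "Server:\s+\S+/$([regex]::Escape($CaHost))"
    $hasTicket = [bool](klist tickets 2>$null | Select-String -Pattern $pattern -Quiet)
    [pscustomobject]@{ CaHost = $CaHost; HasServiceTicket = $hasTicket }
}

# Steve's "is the CA started" question: certutil -ping against the CA config string.
function Test-CaReachable {
    $null = certutil -config "$CaHost\$CaName" -ping 2>&1
    [pscustomobject]@{ CA = "$CaHost\$CaName"; Reachable = ($LASTEXITCODE -eq 0) }
}

# Steve's ACL check: read the template object from the Configuration partition
# via ADSI (no RSAT module needed) and name the Enroll / Autoenroll extended
# rights, which otherwise show up only as ObjectType GUIDs.
function Get-TemplateEnrollAcl {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $dn       = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template = [ADSI]"LDAP://$dn"
    foreach ($ace in $template.ObjectSecurity.Access) {
        $right = 'n/a'
        if     ($ace.ObjectType -eq $EnrollRight)     { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $AutoenrollRight) { $right = 'Autoenroll' }
        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Type          = $ace.AccessControlType
            ADRights      = $ace.ActiveDirectoryRights
            ExtendedRight = $right
        }
    }
}

# The expected state from the thread: Domain Computers allowed Enroll and Autoenroll.
function Test-DomainComputersCanAutoenroll {
    $allowed = Get-TemplateEnrollAcl |
        Where-Object { $_.Identity -like '*\Domain Computers' -and $_.Type -eq 'Allow' } |
        Select-Object -ExpandProperty ExtendedRight
    [pscustomobject]@{
        Template   = $TemplateCn
        Enroll     = $allowed -contains 'Enroll'
        Autoenroll = $allowed -contains 'Autoenroll'
    }
}

Get-AutoEnrollFailures | Format-Table -AutoSize -Wrap
Test-CaEdition
Test-CaKerberosTicket
Test-CaReachable
Test-DomainComputersCanAutoenroll
Get-TemplateEnrollAcl | Format-Table -AutoSize
```

Run it on one of the clients logging Event ID 13. A missing service ticket with `Reachable = True` points at the Kerberos/NTLM fallback James describes; a correct-looking ACL table with `CanIssueV2Templates = False` points at his Standard Edition note; an ACL without `Autoenroll` for Domain Computers points back to Steve's template permission check.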