Re: Web Certificate Enrollment security problem



Thank you for the ideas, but still have the same problem.

Have already trusted the computer for delegation according to KB 300867 (this
article describes exactly the same error message we have). Also ran the
command described in KB 903220 and verified that "Everyone" is in the
CERTSVC_DCOM_ACCESS security group of the server with the CA (have also added
the domain controllers security group in addition to Everyone).
Verified the security template permissions, but they are all OK (read,
enroll, autoenroll for Authenticated Users). Certificate requests with
the MMC snap-in are working fine. Can even successfully distribute machine
and user certificates over AD GPO.
The only thing that doesn't work is web enrollment. Have enabled object
access auditing and logging of "issue and manage certificate requests" on the
CA. Even then, there is no failure log entry when trying to request a
certificate over the web enrollment page.

Have seen that there is a component "Certsrv Request" when launching
dcomcnfg.exe. Any ideas about the correct settings of this component?

Thank you in advance for any further help
Franz

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> schrieb im Newsbeitrag
news:Oo7OYtASGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Hi Franz,

Searching KB for "0x80070005" gives a whole heap of problems and solutions -
not exactly like yours but very similar.
I assume that certificate services are running. The problem is most likely
with delegation - check security logs on the IIS and CA to find out how
the account is impersonated, and if the CA client has permissions to the
certificate template. There must be info in the event log on the CA about
the rejected enrollment as well.

Found the best KB for your situation -
http://support.microsoft.com/kb/239452

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:uY5tmYASGHA.5656@xxxxxxxxxxxxxxxxxxxxxxx
Have a problem that many others have, but haven't found any solution in KB
or another NG post. There are hints that something has to be adjusted with
dcomcnfg, but not any hint about what has to be changed.

- Have an enterprise CA on a Windows 2003 SP1 Enterprise Edition member server
- Have the Certificate Web Enrollment website installed on another
Windows 2003 SP1 member server
- Have enabled "trust this computer for delegation" on the computer with the
Certificate Enrollment website according to KB 239452
- Rebooted both member servers
- Have tried with either Windows or Basic authentication

When requesting a certificate, after the website briefly displays
"processing request", the following error appears:

Error

Your request failed. An error occurred while the server was processing your
request.

Contact your administrator for further assistance.

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
Access is denied. 0x80070005 (WIN32: 5)
COM Error Info:
CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
The Certification Authority Service has not been started.

Thank you all in advance for any suggestions.
Franz
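As an added example (not from any of the posts in this thread), the following PowerShell script checks from an administrator workstation the prerequisites the thread walks through: delegation trust on the web enrollment server (KB 239452), membership of the CA's CERTSVC_DCOM_ACCESS group (KB 903220), whether the CA service is running, DCOM reachability with certutil -ping, and recent failure audits on the CA. Server names and the CA name are placeholders; it assumes Windows PowerShell 5.1 with the ActiveDirectory module, PowerShell remoting to the CA, and certutil.exe on the PATH.

```powershell
# Added example: verify the web-enrollment prerequisites discussed in this thread.
# Placeholders: $WebServer is the IIS host serving /certsrv, $CaServer\$CaName is the
# enterprise CA. Assumes Windows PowerShell 5.1, the ActiveDirectory module locally,
# PowerShell remoting to the CA, and certutil.exe on the PATH.
param(
    [string]$WebServer = 'WEBENROLL01',   # placeholder
    [string]$CaServer  = 'CA01',          # placeholder
    [string]$CaName    = 'Contoso-CA'     # placeholder
)
Import-Module ActiveDirectory

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. KB 239452: the web enrollment server must be trusted for delegation so IIS can
#    forward the requester's Kerberos identity across the DCOM hop to the CA.
$web = Get-ADComputer -Identity $WebServer -Properties TrustedForDelegation
Add-Check 'Web server trusted for delegation' $web.TrustedForDelegation `
    "TrustedForDelegation=$($web.TrustedForDelegation)"

# 2. KB 903220: the CA's local CERTSVC_DCOM_ACCESS group must contain the callers;
#    the thread checks for Everyone (plus, optionally, the domain controllers group).
$members = Invoke-Command -ComputerName $CaServer -ScriptBlock {
    (Get-LocalGroupMember -Group 'CERTSVC_DCOM_ACCESS').Name
}
$hasEveryone = [bool]($members | Where-Object { $_ -like '*Everyone' })
Add-Check 'CERTSVC_DCOM_ACCESS contains Everyone' $hasEveryone ($members -join ', ')

# 3. The "Suggested Cause" on the error page: is the CA service actually running?
$svc = Get-Service -ComputerName $CaServer -Name CertSvc
Add-Check 'CertSvc running on CA' ($svc.Status -eq 'Running') "Status=$($svc.Status)"

# 4. Can this workstation reach the CA's DCOM interface at all? (certutil -ping)
$ping = & certutil.exe -config "$CaServer\$CaName" -ping 2>&1
Add-Check 'certutil -ping to CA' ($LASTEXITCODE -eq 0) ($ping -join ' ')

# 5. Failure audits on the CA in the last hour. The thread enabled auditing but saw no
#    failure entry for the 0x80070005, which points at the DCOM/delegation hop, not the CA.
$audits = Get-WinEvent -ComputerName $CaServer -FilterHashtable @{
    LogName = 'Security'; Keywords = 0x10000000000000; StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue
Add-Check 'Failure audits on CA in last hour' ($null -ne $audits) "Count=$(@($audits).Count)"

$results | Format-Table -AutoSize
```

A failing check 1 or 2 matches the symptom in the thread (MMC and autoenrollment work, only the web page gets 0x80070005), because only the web path depends on the delegated DCOM call.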