Re: Web Certificate Enrollment security problem



Thank you for your help.

We were finally able to solve the problem. It was not a template permission
problem, but a DCOM problem. We found the solution at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

1. We had to disable Basic authentication and enable Windows authentication
only (although our cert enrollment site runs only over SSL).
2. Cert enrollment works only with the NetBIOS name and not with the FQDN:
https://server1/certsrv works, https://server1.domain.com/certsrv does not
(but the file certdat.inc contains the FQDN).

Have absolutely no idea why it works with the two requirements mentioned
above.

Franz


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:OdxGRjNSGHA.4608@xxxxxxxxxxxxxxxxxxxxxxx
Try to relax security on the certificate template - allow Everyone to
enroll (bad idea for prod, but will pinpoint the issue). If that works,
you'll need to find out which account enrolls.

I'd also try to play with the Web site account/security context. Sorry,
cannot help much further via the groups.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:eOWjCOCSGHA.1160@xxxxxxxxxxxxxxxxxxxxxxx
Thank you for the ideas, but still have the same problem.

Have already trusted the computer for delegation according to KB 300867
(this article describes exactly the same error message we have). Also ran
the command described in KB 903220, verified that "Everyone" is in the
CERTSVC_DCOM_ACCESS security group of the server with the CA (have added
also the domain controllers security group in addition to everyone).
Verified the security template permissions, but they are all ok (read,
enroll, automatic enroll for authenticated users). Certificate requests
with the MMC Snap-In are working fine. Can even successfully distribute
Machine and User certificates over AD GPO.
The only thing that doesn't work is Web enrollment. Have enabled object
access auditing and logging "issue and manage certificate requests" on
the CA. Even then, there is no failure log entry when trying to request a
certificate over the web enrollment page.

Have seen that there is a component "Certsrv Request" when launching
dcomcnfg.exe. Any ideas about the correct settings of this component?

Thank you in advance for any further help
Franz

"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message
news:Oo7OYtASGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Hi Franz,

Searching KB for "0x80070005" gives a whole heap of problems and
solutions - not exactly like yours but very similar.
I assume that certificate services are running. The problem is most
likely with delegation - check security logs on the IIS and CA to find
out how the account is impersonated, and if the CA client has
permissions to the certificate template. There must be info in the event
log on the CA about the rejected enrollment as well.

Found the best KB for your situation -
http://support.microsoft.com/kb/239452

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Franz Schenk" <franz.schenkNOSPAM@xxxxxxxxxxxxxxxx> wrote in message
news:uY5tmYASGHA.5656@xxxxxxxxxxxxxxxxxxxxxxx
Have a problem that many others have, but haven't found any solution in
the KB or another NG post. There are hints that something has to be adjusted
with dcomcnfg, but no hint as to what has to be changed.

- Have an enterprise CA on a Windows 2003 SP1 Enterprise Edition member
server
- Have the Certificate Web Enrollment website installed on another
Windows 2003 SP1 member server
- Have enabled "trust this computer for delegation" on the computer with
the Certificate Enrollment website according to KB 239452
- Rebooted both member servers
- Have tried with both Windows and Basic authentication

When requesting a certificate, after the Website shortly displays
"processing request", the following error appears:

Error

Your request failed. An error occurred while the server was processing
your request.

Contact your administrator for further assistance.

Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
Access is denied. 0x80070005 (WIN32: 5)
COM Error Info:
CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
The Certification Authority Service has not been started.

Thank you all in advance for any suggestions.
Franz
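Added example (not part of the thread above): a PowerShell check script that walks the items the thread names for a split CA / web enrollment setup - the delegation trust on the enrollment web server (KB 239452), the SPNs that Kerberos needs before that trust can be used, the IIS authentication flags on the CertSrv application (Basic vs. Windows), CERTSVC_DCOM_ACCESS membership on the CA (KB 903220), and a DCOM ping of the CA's request interface, which is what CCertRequest::Submit uses. The server names WEBENROLL01 and CA01, the domain corp.example.com, the CA name "Corp Issuing CA" and the IIS site ID 1 are assumptions for illustration. The SPN check is worth keeping in mind for the NetBIOS-versus-FQDN behaviour Franz reports: if the web server's account has no HTTP/<fqdn> (or HOST/<fqdn>) SPN, browsers hitting the FQDN fall back to NTLM, and NTLM credentials cannot be delegated on to the CA; the thread does not confirm that this was the cause, so treat it as a candidate to verify, not a diagnosis.

```powershell
# Added example - not from the newsgroup thread or from Microsoft's web enrollment pages.
# Assumed names: WEBENROLL01 (web enrollment server), CA01 (enterprise CA),
# corp.example.com, CA name "Corp Issuing CA", IIS site ID 1. Run from a domain-joined
# admin workstation; setspn.exe and certutil.exe must be on the PATH.

$webServer = 'WEBENROLL01'
$webFqdn   = 'WEBENROLL01.corp.example.com'
$caServer  = 'CA01'
$caConfig  = 'CA01.corp.example.com\Corp Issuing CA'   # <CA host>\<CA common name>

# 1. SPNs on the enrollment web server's computer account. Kerberos (and therefore
#    delegation) only works for a URL whose host name is covered by an SPN.
Write-Host "--- SPNs registered for $webServer ---"
$spns = setspn -L $webServer
$spns
if (-not ($spns -match "(?i)^\s*(HTTP|HOST)/$([regex]::Escape($webFqdn))")) {
    Write-Warning "No HTTP/ or HOST/ SPN for $webFqdn - browsing by FQDN will fall back to NTLM"
}

# 2. Is the web server trusted for (unconstrained) delegation? KB 239452 step.
#    userAccountControl bit 0x80000 = TRUSTED_FOR_DELEGATION.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(cn=$webServer))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Computer account $webServer not found in AD" }
$computer = $result.GetDirectoryEntry()
$uac = [int]$computer.Properties['userAccountControl'].Value
$TRUSTED_FOR_DELEGATION = 0x80000
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    Write-Host "$webServer is trusted for delegation"
} else {
    Write-Warning "$webServer is NOT trusted for delegation (userAccountControl=$uac)"
}

# 3. IIS authentication on the CertSrv application (IIS 6 metabase via the ADSI
#    IIS provider). AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows.
$certsrvApp = [ADSI]"IIS://$webServer/W3SVC/1/Root/CertSrv"
$authFlags  = [int]$certsrvApp.AuthFlags
$basicOn    = [bool]($authFlags -band 2)
$windowsOn  = [bool]($authFlags -band 4)
Write-Host ("CertSrv AuthFlags={0}: Basic={1} IntegratedWindows={2}" -f $authFlags, $basicOn, $windowsOn)
if ($basicOn -and $windowsOn) {
    Write-Warning "Both Basic and Integrated Windows are enabled; the thread's fix was Windows only"
}

# 4. CERTSVC_DCOM_ACCESS on the CA must contain the accounts that will submit
#    requests over DCOM (KB 903220). Read the local group through the WinNT provider.
$group = [ADSI]"WinNT://$caServer/CERTSVC_DCOM_ACCESS,group"
Write-Host "--- CERTSVC_DCOM_ACCESS members on $caServer ---"
$group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# 5. Talk to the CA's ICertRequest DCOM interface directly. A failure here, run under
#    the same account IIS impersonates, reproduces the 0x80070005 without the web pages.
Write-Host "--- DCOM ping of $caConfig ---"
certutil -ping -config $caConfig
```

Run step 5 first under your own admin account, then (with runas) under the account the web pages end up impersonating; if the ping succeeds as admin but fails as that user, the problem is DCOM or CA permissions, not the template. If it fails by FQDN and succeeds by NetBIOS name, go back to the SPN output from step 1 before touching anything else.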