Cannot generate a certificate using the Administrator template = no RADIUS!

From: Tracy W. Gaynor (twgaynor@yahoo.com)
Date: 04/03/03


Running complete MS shop, Windows 2000 native mode. All servers
patched current (SP3, IE6SP1, all criticals applied etc. as of 3/28/03
anyway)

I've been researching this for a week or so now and see that others
out there are experiencing the same problem, but have not found a fix
that works yet.

Ultimately, I need to get RADIUS working for both my RRAS server, and
for a new wireless segment we are putting in that needs to be 802.11x.
When trying to generate a certificate per the MS KB article 253498,
the request just hangs and an error shows in Active X like:

Line: 1140
Char: 4
Error: Could not complete the operation due to error 80095005
Code: 0
URL: http://10.x.x.x/certsrv/certrqma.asp

Generic user requests are generated and applied, and an advanced
request using the administrator template will ONLY work if I select a
key usage of "both". If I attempt to generate a "signature" key using
the administrator template, the request hangs.

I am not sure when the functionality stopped. From reading other
posts, it could have been when SP3 was added, or when IE was updated.
For a brief period, we did run the IIS lockdown tool and I saw a post
suspecting that that tool was the problem. However, I have re-run the
lockdown tool and restored the original settings (once we knew that CA
requests were not working).

One post claimed that:

"that by removing the "Deny Write" permissions
for the "Web Applications" user on the %systemroot%\system32\certsrv
folder allows the Certificate Services web page to issue certificates"

I checked and did not have "deny write" set for any users or groups on
our certsrv folder on any of my CA machines.

We have 1 Enterprise CA running on our forest root, with 2 subordinate
CAs running. 1 is on a DC, the other is on the RRAS member server.

I had already applied all criticals, but as I saw it listed several
places, have re-applied Q323172 on both the CA servers and clients
generating the request. Nothing works.

I cannot afford to wait until this is addressed in SP4, but also am in
the public sector and do not have the luxury of a company credit card
to deal with a paid support incident with MS.

Has anyone out there figured out a fix for this? Ultimately, I have
got the latest and greatest W2K environment, that can't support RADIUS
and need it pronto! Thanks for any assistance, advice, or related
experience you can provide!

Best Regards,

Tracy W. Gaynor
Sr. Systems Analyst
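As an added check (an editor's example, not part of the original post or any reply to it), the PowerShell below lists any Deny access control entries on the Certificate Services web folder, the permission the quoted post blames, and flags those that cover write access. It assumes a modern Windows host where Get-Acl is available, not the Windows 2000 server described, where cacls on %systemroot%\system32\certsrv shows the same ACL.

```powershell
# Added example (editor's, not from the original post).
# Lists Deny access control entries on the Certificate Services web
# folder and flags any that include write rights. Assumes a modern
# Windows host with Get-Acl; on Windows 2000 itself the equivalent
# is:  cacls %systemroot%\system32\certsrv

$certsrv = Join-Path $env:SystemRoot 'system32\certsrv'

if (-not (Test-Path -Path $certsrv)) {
    Write-Warning "Certificate Services web folder not found: $certsrv"
    return
}

# Only explicit or inherited Deny ACEs are of interest here.
$denyAces = (Get-Acl -Path $certsrv).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }

if (-not $denyAces) {
    Write-Output "No Deny entries on $certsrv"
} else {
    foreach ($ace in $denyAces) {
        # A Deny that covers any component of Write is what the quoted
        # post describes as stopping certsrv from issuing certificates.
        $writeMask   = [System.Security.AccessControl.FileSystemRights]::Write
        $blocksWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            DeniesWrite = $blocksWrite
        }
    }
}
```

For reference, 0x80095005 is XENROLL_E_KEYSPEC_SMIME_MISMATCH in the Windows SDK's winerror.h ("Signing certificate cannot include SMIME extension"), which is consistent with the post's observation that only a signature-only request against the Administrator template fails while a "both" key succeeds.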
