Re: Can't submit a certificate request to CA using a form

From: Tracy W. Gaynor (twgaynor@yahoo.com)
Date: 04/09/03


From: twgaynor@yahoo.com (Tracy W. Gaynor)
Date: 9 Apr 2003 07:46:16 -0700


Did you ever get this resolved? I am seeing the same problem, I think.
From another post I made that has not seen a response yet:

Running complete MS shop, Windows 2000 native mode. All servers
patched current (SP3, IE6SP1, all criticals applied etc. as of 3/28/03
anyway)

I've been researching this for a week or so now and see that others
out there are experiencing the same problem, but have not found a fix
that works yet.

Ultimately, I need to get RADIUS working for both my RRAS server, and
for a new wireless segment we are putting in that needs to be 802.11x.
 When trying to generate a certificate per the MS KB article 253498,
the request just hangs and an error shows in Active X like:

Line: 1140
Char: 4
Error: Could not complete the operation due to error 80095005
Code: 0
URL: http://10.x.x.x/certsrv/certrqma.asp

Generic user requests are generated and applied, and an advanced
request using the administrator template will ONLY work if I select a
key usage of "both". If I attempt to generate a "signature" key using
the administrator template, the request hangs.

I am not sure when the functionality stopped. From reading other
posts, it could have been when SP3 was added, or when IE was updated.
For a brief period, we did run the IIS lockdown tool and I saw a post
suspecting that that tool was the problem. However, I have re-run the
lockdown tool and restored the original settings (once we knew that CA
requests were not working).

One post claimed that:

"that by removing the "Deny Write" permissions
for the "Web Applications" user on the %systemroot%\system32\certsrv
folder allows the Certificate Services web page to issue certificates"

I checked and did not have "deny write" set for any users or groups on
our certsrv folder on any of my CA machines.

We have 1 Enterprise CA running on our forest root, with 2 subordinate
CAs running. 1 is on a DC, the other is on the RRAS member server.

I had already applied all criticals, but as I saw it listed several
places, have re-applied Q323172 on both the CA servers and clients
generating the request. Nothing works.

I cannot afford to wait until this is addressed in SP4, but also am in
the public sector and do not have the luxury of a company credit card
to deal with a paid support incident with MS.

Has anyone out there figured out a fix for this? Ultimately, I have
got the latest and greatest W2K environment, that can't support RADIUS
and need it pronto! Thanks for any assistance, advice, or related
experience you can provide!

Best Regards,

Tracy W. Gaynor
Sr. Systems Analyst

jennle@online.microsoft.com ("Jennifer Lesher [MS]") wrote in message news:<t3fEP4Z#CHA.2300@cpmsftngxa08.phx.gbl>...
> Hello Dragan,
>
> Please check your email for a response.
> Sincerely,
>
> Jennifer Lesher
> Microsoft Online Support
>
> | I still have a problem with "generating request..." error. Couldn't ignore
> | this error as you suggested. Please help.
> |
> | Dragan
> |
> | "Dragan Pendic" <dragan.pendic@subnetcom.co.uk> wrote in message
> | news:023501c2ea2e$53e3fa00$3001280a@phx.gbl...
> | "Display a notification about every script error" was
> | disabled in my browser. Is this what the KB article is talking
> | about?
> |
> | Thanks,
> | Dragan
> |
> | >-----Original Message-----
> | >Hello Dragan,
> | >
> | >I found one article that tells us that this error can be safely ignored.
> | >Please review the article and tell me if you agree. If not, I may have
> | >some additional steps to suggest:
> | >
> | >300860 Enrollment Does Not Succeed on Windows XP When Requesting a
> | >Certificate
> | >http://support.microsoft.com/?id=300860
> | >
> | >Please let me know if this solves your problem or if you would like further
> | >assistance.
> | >
> | >I look forward to hearing from you.
> | >
> | >Sincerely,
> | >
> | >Jennifer Lesher
> | >MCSE/MCDBA
> | >Microsoft Online Support
> | >
> | >This posting is provided "AS IS" with no warranties, and confers no rights.
> | >
> | >Get Secure! - www.microsoft.com/security
> | >
> | >
> | >| To clarify, I tried to install this patch but it didn't work. It works only
> | >| on a computer with no SP installed.
> | >|
> | >| Dragan
> | >|
> | >| "Dragan Pendic" <dragan.pendic@subnetcom.co.uk> wrote in message
> | >| news:04e101c2e879$030d10f0$a501280a@phx.gbl...
> | >| Thank you for your reply. I can't apply 323172 on XP Pro
> | >| SP1 computer. This is pre-SP1 patch and it is included
> | >| with SP1.
> | >| Should I reinstall SP1a again?
> | >|
> | >| Thanks,
> | >| Dragan
> | >|
> | >| >-----Original Message-----
> | >| >Hello Dragan,
> | >| >
> | >| >I have seen this issue in a couple of other cases - there it was resolved
> | >| >by putting Q323172 on the client as well as the server. Please try
> | >| >patching the client and let me know if that helps.
> | >| >
> | >| >Sincerely,
> | >| >
> | >| >Jennifer Lesher
> | >| >MCSE/MCDBA
> | >| >Microsoft Online Support
> | >| >
> | >| >This posting is provided "AS IS" with no warranties, and confers no rights.
> | >| >
> | >| >Get Secure! - www.microsoft.com/security
> | >| >
> | >| >
> | >| >| Thanks, that helped. Still got the problem though. Now I
> | >| >| can get to the page and fill in the form, but when I press
> | >| >| submit I'm getting an error on my XP Pro SP1 PC. At the
> | >| >| bottom of the page I can see a yellow triangle with "error on
> | >| >| page". When I double-click on it, it says:
> | >| >| Line: 1140
> | >| >| Char: 4
> | >| >| Error: Signing certificate cannot include SMIME
> extension
> | >| >| Code: 0
> | >| >| Url: http://server/certsrv/certqma.asp
> | >| >| I already ran Windows Update and it seems I have got the
> | >| >| latest patches and service packs.
> | >| >| Thanks,
> | >| >| Dragan
> | >| >| >-----Original Message-----
> | >| >| >The solution is here...
> | >| >| >http://support.microsoft.com/default.aspx?scid=kb;en-us;330389
> | >| >| >
> | >| >| >
> | >| >| >"Dragan Pendic" <dragan.pendic@subnetcom.co.uk> wrote in message
> | >| >| >news: 04d001c2e7cc$68e61910$a601280a@phx.gbl...
> | >| >| >> I'm having trouble with our enterprise CA. As it is
> | >| >| >> explained in KB solution no. 253498 "HOW TO: Install a
> | >| >| >> Certificate for Use with IP Security", but I can't load
> | >| >| >> the page with a form. I get the page but the "Downloading
> | >| >| >> ActiveX Control..." message hangs there indefinitely.
> | >| >| >> The server is Win2000 SP3 with these patches installed:
> | >| >| >> Q323172
> | >| >| >> Q323255
> | >| >| >> Q324096
> | >| >| >> Q324380
> | >| >| >> Q326830
> | >| >| >> Q326886
> | >| >| >> Q327696
> | >| >| >> Q328310
> | >| >| >> Q329115
> | >| >| >> Q329170
> | >| >| >> Q329834
> | >| >| >> Q810030
> | >| >| >> Q810649
> | >| >| >> Q810833
> | >| >| >> Q811630
> | >| >| >> Tried from different versions of Internet Explorer to get
> | >| >| >> the certificate but the same message appears. Tried to
> | >| >| >> enable all ActiveX options from the Security tab in IE but
> | >| >| >> without success.
> | >| >| >>
> | >| >| >>
> | >| >| >> Many thanks,
> | >| >| >> Dragan Pendic
> | >| >| >> Subnet Communications
> | >| >| >>