Re: CA web component problems

From: Vishal Agarwal (vishala_at_microsoft.com)
Date: 05/09/03


Date: Thu, 8 May 2003 18:37:04 -0700


Could you please confirm that the Enterprise Admin account you are using is
NOT marked as sensitive? (If it is marked then it won't be allowed to
delegate).
Is a normal user able to enroll via web pages?

Thanks,
Vishal [MSFT]

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.

"Eric Chamberlain" <eric_james_chamberlain@hotmail.com> wrote in message
news:OnXp#XbFDHA.3692@tk2msftngp13.phx.gbl...
> Both machines are running Server 2003, Enterprise Edition on the CA and
> Standard Edition on the RA.  The RA machine account was set to be trusted
> for delegation via the ADUC check box.  Are there specific delegation
> settings I could verify in the directory via ADSI edit?
>
> As an aside question, is there a way to install the Web enrollment pages on
> Server 2003 Web Edition?  The Add/Remove Windows Components doesn't list it
> as an option.
>
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:OCQzB4VFDHA.1760@TK2MSFTNGP09.phx.gbl...
> > Eric:
> >
> > Are both the web enrollment pages and the certificate authority running
> > Windows Server 2003?  That error usually means the machine account where
> > the web enrollment pages are installed is not trusted for delegation.  We
> > are looking into this one.
> >
> > -- 
> >
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > http://support.microsoft.com
> >
> > "Eric Chamberlain" <eric_james_chamberlain@hotmail.com> wrote in message
> > news:OgJYcmLFDHA.2100@TK2MSFTNGP11.phx.gbl...
> > > I'm trying to set up a Server 2003 Registration Authority, by installing
> > > the Certificate Services Web components.  The CA (Server 2003) is in the
> > > W2K forest root domain and the RA is in another domain in the same forest.
> > > I've enabled the web server for delegation via ADUC and rebooted the
> > > machine.  The install for the Certificate Services web components runs
> > > successfully, I am able to select the Issuing CA.  The Certsrv folder is
> > > set to use Integrated Authentication.  But, when I log in as an Enterprise
> > > Admin (local Admin on both machines) and navigate to the certrqma.asp web
> > > page, for example, I get an error message saying that:
> > >
> > > An unexpected error has occurred:
> > > The Certification Authority Service has not been started.
> > >
> > >
> > > The web server has a DCOM error in the event logs:
> > >
> > > Event Type: Error
> > > Event Source: DCOM
> > > Event Category: None
> > > Event ID: 10006
> > > Date:  4/30/2003
> > > Time:  6:31:03 PM
> > > User:  MYDOMAIN\aDomainAdmin
> > > Computer: RA01
> > > Description:
> > > DCOM got error "General access denied error " from the computer
> > > ca.mydomain.edu when attempting to activate the server:
> > > {D99E6E74-FC88-11D0-B498-00A0C90312F3}
> > >
> > > For more information, see Help and Support Center at
> > > http://go.microsoft.com/fwlink/events.asp.
> > >
> > > The only entry I can find in the CA logs, is a Successful Network Logon
> > > by the web server using NT AUTHORITY\ANONYMOUS LOGIN.
> > >
> > >
> > >
> > > --
> > > Eric Chamberlain, CISSP
> > > Campus Active Directory Architect
> > > Central Computing Services
> > > University of California, Berkeley
> > > http://calnetad.berkeley.edu
> > >
> > >
> > >
> >
> >
>
>
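
Added example, not part of the thread or written by any of its participants: the two delegation settings discussed above (the RA machine account being trusted for delegation, and the admin account not being marked as sensitive) are both bits in the `userAccountControl` attribute visible in ADSI Edit. The script below decodes them offline from an LDIF-style export; the DNs and flag values are constructed samples, and only the names RA01 and aDomainAdmin come from the thread.

```python
# Added example: offline check of delegation flags in a constructed LDIF export.
TRUSTED_FOR_DELEGATION = 0x00080000  # set by the ADUC "trusted for delegation" check box
NOT_DELEGATED = 0x00100000           # "Account is sensitive and cannot be delegated"
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    NOT_DELEGATED: "NOT_DELEGATED",
}

# Constructed sample: DNs and userAccountControl values are illustrative only.
SAMPLE_LDIF = """\
dn: CN=RA01,CN=Computers,DC=child,DC=example,DC=test
sAMAccountName: RA01$
userAccountControl: 528384

dn: CN=aDomainAdmin,CN=Users,DC=example,DC=test
sAMAccountName: aDomainAdmin
userAccountControl: 1049088
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated entry."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            rec[attr.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def decode_uac(value):
    """Names of the known userAccountControl bits set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def delegation_findings(records, server_sam, user_sam):
    """List the reasons the front-end server could not delegate this user."""
    uac = {r["sAMAccountName"].lower(): int(r["userAccountControl"])
           for r in records if "sAMAccountName" in r and "userAccountControl" in r}
    findings = []
    server, user = uac.get(server_sam.lower()), uac.get(user_sam.lower())
    if server is None or user is None:
        findings.append("account missing from export")
    if server is not None and not server & TRUSTED_FOR_DELEGATION:
        findings.append(f"{server_sam}: TRUSTED_FOR_DELEGATION is not set")
    if user is not None and user & NOT_DELEGATED:
        findings.append(f"{user_sam}: NOT_DELEGATED is set (marked sensitive)")
    return findings
```

With the constructed values, the machine account passes and the only finding is the sensitive flag on the user account, which is the case Vishal asks about.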

