Re: 2003 SP1 CA keeps denying cert requests
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/16/05
Date: Tue, 16 Aug 2005 14:20:43 -0500
Hi Paul.
I have not had any experience with a stand alone CA configured to
automatically approve requests for a web server. What may be worth a try is
to see if it works where you have to manually approve the certificate and
then log back onto the server as a local administrator to check for the
pending request. The link below may help with specific details on how to
request and install a web server certificate in case you are missing
anything. You may also want to post in the Microsoft.public.security.crypto
newsgroup. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q290625
"Paul Landry" <plandry@frametech.com> wrote in message
news:uoro1HpoFHA.3256@TK2MSFTNGP12.phx.gbl...
> Hi Steve,
>
> I ran the certutil -cainfo and the results are...
>
> CA type: 3 -- Stand-alone Root CA
> ENUM_STANDALONE_ROOTCA -- 3
>
> I have configured the CA to automatically authorize requests.
>
> It just doesn't seem to like the IUSR_ account being used to process the
> requests.
>
> Any ideas?
>
> Thanks,
>
> Paul
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:2pGdncfkactCXmPfRVn-qQ@comcast.com...
>> Are you sure that it is a stand alone CA and not an enterprise CA?? For
>> a stand alone CA you would have to find the pending request and then
>> authorize it to be issued in the CA Management Console. Make sure that
>> you are logging onto the IIS server as a local administrator. The
>> command certutil -cainfo will let you know the CA type. --- Steve
>>
>> "Paul Landry" <plandry@frametech.com> wrote in message
>> news:%23E$Ww2vnFHA.3288@TK2MSFTNGP09.phx.gbl...
>>> Hi All,
>>> I've got a 2003 SP1 server with all of the latest updates (as of
>>> today) running as a Stand-Alone Certificate Authority.
>>> When I attempt to request certificates for IIS servers, using the Web
>>> Enrollment, I keep getting the following messages.
>>>
>>> Your certificate request was denied.
>>> You Request id is xx. The disposition is "Denied by Policy Module"
>>>
>>> On the CA machine, in the MMC, I see the rejected certificate requests.
>>> They all say the same thing.
>>>
>>> "The permissions on this certification authority do not allow the
>>> current user to enroll for certificates. 0x80094011 (-2146877423)"
>>>
>>> The requester name is LAB\IUSR_SPS which is the Anonymous Access user on
>>> the Certificate authority machine.
>>>
>>> I've googled the error and checked out several KBs, but nothing I've
>>> tried has solved the problem.
>>> I'm assuming I'm missing the spot where I can give the IUSR account
>>> permissions, but I'll be darned if I can find that spot.
>>>
>>> Does anyone have a clue how I can fix this problem?
>>>
>>> One last piece of info, the CA is running on the AD controller, in case
>>> that matters.
>>>
>>> TIA,
>>>
>>> Paul Landry
>>> IT Manager - Centric Software, Inc.
>>>