Re: Windows 2003 PKI
From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 08/23/05
- Next message: Philip Herlihy: "Re: Affordable Antivirus for servers?"
- Previous message: Philip Herlihy: "Re: Affordable Antivirus for servers?"
- In reply to: Philippe Bonatti: "Windows 2003 PKI"
- Next in thread: Philippe Bonatti: "Re: Windows 2003 PKI"
- Reply: Philippe Bonatti: "Re: Windows 2003 PKI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Aug 2005 07:19:36 -0500
Some answers inline:
In article <mn.ba4f7d582b0d4431.28949@teo.homeunix.net>,
philippe@teo.home____unix.net says...
> Hi,
>
> I have a big problem with our PKI
>
> Trouble:
> -------
> When a computer requests a certificate (by autoenrollment), the IssuerCA accepts the
> certificate (I can see it in the Issued Certificates folder) but a few
> minutes later, the following error appears in the CA MMC, in the Failed Requests
> folder:
> The permissions on the certificate template do not allow the
> current user to enroll for this type of certificate.
> 0x80094012 (-2146877422)
>
> Denied by policy module.
>
Did you modify the permissions of the certificate template to allow
computers/users in the child domains to Read/Enroll certificates? This
is done in the Certificate Templates console (certtmpl.msc).
> When a child domain controller asks for a Domain Controller certificate,
> I get this message on the child DC:
> The certificate request failed because of one of the following
> conditions:
> - The certification authority did not start.
> - You do not have permission to request certificates from the
> available certification authorities.
>
Same case here. In addition, because you are running on a DC, make sure
that you add each domain's DOMAIN\Domain Controllers group to the
CERTSVC_DCOM_ACCESS in the domain where the CA exists.
> I checked, the CA has started and I think I have the right to enroll
> certificates.
>
> Where can I search for information about this?
>
> note: the error messages have been translated from French ...
>
> Our structure :
> ---------------
> Root domain: toto.com
> 5 child domains: a.toto.com, b.toto.com, c.toto.com, ...
>
> We're migrating the domains from Windows 2000 (native) to Windows 2003.
> The parent domain was migrated a few weeks ago.
>
> Old PKI:
> --------
> First we had a simple PKI with a Windows 2000 SP4 DC as Enterprise CA; it
> did not work perfectly, but it worked.
> This old PKI has been removed now.
>
> Current PKI:
> ------------
> We have a Standalone Offline CA (Windows 2003).
> We have one Intermediate Enterprise CA designed to issue CA certificates.
> All enterprise CAs are in the root domain and are Windows 2003 Standard SP1
> Domain Controllers only.
A CA needs to run on Windows Server 2003 Enterprise Edition to issue v2
certificates with autoenrollment. Not really an issue here, but it will get
you in the future.
--
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
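The two permission points raised in the reply above (Read/Enroll on the template for child-domain principals, and each domain's Domain Controllers group in CERTSVC_DCOM_ACCESS) can be checked from one place. The script below is an added example, not code from this thread or from the poster; it assumes a forest-joined management host with the RSAT ActiveDirectory module, rights to read the Configuration partition, and a CA installed on a DC so that CERTSVC_DCOM_ACCESS is a domain group.

```powershell
# Added diagnostic, not from this thread. Assumes the RSAT ActiveDirectory
# module and a CA on a DC (so CERTSVC_DCOM_ACCESS is a domain group).
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs on certificate template objects.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d2-91cb-00c04f79dc55'  # Certificate-AutoEnrollment
$ReadProperty    = 0x10   # ActiveDirectoryRights.ReadProperty
$ExtendedRight   = 0x100  # ActiveDirectoryRights.ExtendedRight

# Lists who holds Read / Enroll / AutoEnroll on a template; the child-domain
# computers (or DCs) must be covered for 0x80094012 to go away.
function Get-TemplateEnrollPermission {
    param([Parameter(Mandatory)][string]$TemplateName)   # template CN, e.g. DomainController
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        $mask   = [int]$ace.ActiveDirectoryRights
        $rights = @()
        if (($mask -band $ReadProperty) -ne 0) { $rights += 'Read' }
        $hasExt = ($mask -band $ExtendedRight) -ne 0
        if ($hasExt -and $ace.ObjectType -eq [guid]::Empty) { $rights += 'Enroll', 'AutoEnroll' }  # all extended rights
        elseif ($hasExt -and $ace.ObjectType -eq $EnrollRight)     { $rights += 'Enroll' }
        elseif ($hasExt -and $ace.ObjectType -eq $AutoEnrollRight) { $rights += 'AutoEnroll' }
        if ($rights) {
            [pscustomobject]@{
                Template = $TemplateName
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType          # Allow or Deny
                Rights   = $rights -join ','
            }
        }
    }
}

# Confirms that every domain's "Domain Controllers" group is a member of
# CERTSVC_DCOM_ACCESS in the domain that hosts the CA.
function Test-CertSvcDcomAccess {
    param([Parameter(Mandatory)][string]$CaDomain)   # DNS name of the CA's domain, e.g. toto.com
    $memberSids = Get-ADGroupMember -Identity 'CERTSVC_DCOM_ACCESS' -Server $CaDomain |
                  ForEach-Object { $_.SID.Value }
    foreach ($domain in (Get-ADForest).Domains) {
        $dcGroup = Get-ADGroup -Identity 'Domain Controllers' -Server $domain
        [pscustomobject]@{
            Domain                     = $domain
            DcGroupInCertSvcDcomAccess = ($memberSids -contains $dcGroup.SID.Value)
        }
    }
}

# Run for the layout in this thread: CA in toto.com, DCs in a/b/c.toto.com.
Get-TemplateEnrollPermission -TemplateName 'DomainController' | Format-Table -AutoSize
Test-CertSvcDcomAccess -CaDomain 'toto.com' | Format-Table -AutoSize
```

A Deny entry or a child domain reporting False in the second table points at the cause of the failed requests described above.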