Re: Computer Certificate using Web enrollment

From: Brian Komar (bkomar_at_nospam.identit.ca)
Date: 08/25/05


Date: Thu, 25 Aug 2005 16:02:19 -0500

In article <UPydnYIWz55_G5DeRVn_vA@giganews.com>,
manuellee@cableonda-dot-net.no-spam.invalid says...
> I have a standalone root certificate, and IIS6.0 installed. I'm
> currently trying to deploy computer certificates, and even though I'm
> able to do this using active directory or the cert manager console, I
> want to deploy the computer certificates using IIS6.0.
>
> The issue is that when I log into the Webpage and select advanced
> certificate request, in the certificate templates there is no option
> for computer certificate.
>
> I have run the certutil and verified that the machine certificate is
> set for deploy. What should I do?
>
>
The reason is that the Web enrollment requests are performed in the
security context of the user, not the computer. The computer has enroll
permissions and not the user. Even if the user were assigned the Read
and Enroll permissions, there is no DNS name in their user account to
populate the subject of the certificate.

You must enable the Offline templates or create a v2 template that
enables the user to provide the subject in the request. This will allow
the user to type the DNS name of the computer and then submit the
request from the Web interface (if they have Read and Enroll permissions
for the cert and are a local Administrator on the computer to install it
in the machine store).

Brian

-- 
==
Brian Komar
MVP - Windows - Security
http://www.identit.ca/blogs/brian
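
Added example, not part of Brian Komar's post: a PowerShell sketch of a computer certificate request in which the subject is supplied in the request and the key pair is created in the machine store, followed by a check that the issued certificate landed in `LocalMachine\My` with its private key. The DNS name, the template name `WebServer` and the working folder are assumptions; how the request file reaches the CA depends on the CA's configuration.

```powershell
#Requires -RunAsAdministrator
# Assumptions (not from the thread): the DNS name, the template name and the paths.
$DnsName  = 'server01.example.com'  # constructed host name
$Template = 'WebServer'             # assumed template that takes the subject from the request
$Work     = Join-Path $env:TEMP 'machine-cert'

function New-MachineCertRequest {
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    # MachineKeySet = TRUE puts the key pair in the computer store, not the
    # user's profile; the subject is typed in because a user account has no DNS name.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$DnsName"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@
    Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII
    certreq.exe -new "$Work\request.inf" "$Work\request.req" | Out-Host
    if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
    "$Work\request.req"   # base-64 PKCS #10 to hand to the CA
}

function Install-IssuedMachineCert([string]$CertFile) {
    # Binds the issued certificate to the pending private key.
    certreq.exe -accept $CertFile | Out-Host
    if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }
    # Check: expected subject, machine store, private key present.
    $found = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey }
    if (-not $found) { throw "No certificate with a private key for $DnsName in LocalMachine\My" }
    $found | Select-Object Subject, Thumbprint, NotAfter
}
```

Run `New-MachineCertRequest` on the target computer, have the CA issue the certificate, then pass the returned file to `Install-IssuedMachineCert`.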

