Re: Cannot request computer certificate.



What operating system and what type of CA are you using? More than one
domain in the forest? Is this a new or ongoing problem? I would first
verify that the CA is running, log on to it as an admin and verify that you
can get a computer/server certificate from it. You can also use certutil to
check on the CA such as certutil -ping at least for Windows 2003. Verify
that you can ping it by name and IP address from the client computers. In
the CA Management Console look in properties for your CA and go to security
and verify that authenticated users have request certificates permission. If
you are using Windows 2003 see if there is any info in failed requests. Look
in the logs of the CA via Event Viewer, etc. to see if there are any pertinent
messages there including any that may show errors for Group Policy. Possibly
there is a problem with the CA or domain computers contacting domain
controllers. An Enterprise CA needs to be trusted for delegation I believe
so check its computer account in Active Directory Users and Computers for
that and to make sure that computer is in the

I would run the support tool netdiag on your domain controller [at least
pdc fsmo], your CA, and a client domain computer having a problem looking
for any errors/warnings relating to dc discovery, secure channel, Kerberos,
or dns. If you have multiple domain controllers run dcdiag and gpotool on at
least the pdc fsmo. If the CA is Windows 2003 and you have the Windows
Firewall enabled then disable it at least temporarily until the problem is
resolved assuming this will not expose it to untrusted networks such as the
internet. Review the link below on Active Directory dns to make sure that
your dns is correctly configured for the domain. You could also try Web
Enrollment to see if that works or not for now. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;294785
http://www.isaserver.org/img/upl/vpnkitbeta2/webenrollstandalone.htm ---
Web Enrollment Example

"Jarryd" <j@xxx> wrote in message
news:uDEaUruEGHA.376@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> BTW, this is kind of a repost. I wouldn't normally do this but I am
> panicking. I have already tried to call MS for technical support but the
> operator would not transfer my call because it was almost 18:00. So now I
> am stuck. I need to request a computer certificate for VPN server.
> However, I get the following error message:
>
> The certificate request failed because of one of the following conditions:
> -The certificate request was submitted to a Certification Authority (CA)
> that is not started.
> -You do not have the permissions to request certificates from the
> available CAs.
>
> It has got to be the second one. But how would I have lost permission? I
> have gone absolutely balmy by granting myself and my PC full control to
> the Computer and Enrollment Agent (computer) templates. Still not
> happening. The CA can successfully request certificates from itself, but
> all remote PCs fail, even DCs.
>
> Why me?!! Please help!!
>
>
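
The checks suggested in the reply above can be run in one pass and logged, as in this batch file. It is an added example, not something posted by either participant in the thread. CA_HOST, CA_IP and CA_NAME are placeholder values to replace with your own, and netdiag, dcdiag and gpotool are assumed to be installed from the Support Tools / Resource Kit.

```batch
@echo off
rem Added example: first-pass triage for "cannot request computer certificate".
rem Run on the failing client, on the CA, and on the PDC emulator DC.
rem Pass "dc" as the first argument on a domain controller to add dcdiag/gpotool.
setlocal

rem Placeholder values (assumptions): replace with your CA's details.
set CA_HOST=ca01.example.local
set CA_IP=192.0.2.10
set CA_NAME=Example-Issuing-CA
set LOG=%TEMP%\ca-triage.log

echo CA triage started %DATE% %TIME% > "%LOG%"

rem 1. Can this machine reach the CA by name and by IP address?
ping -n 2 %CA_HOST% >> "%LOG%" 2>&1
if errorlevel 1 (echo FAIL ping %CA_HOST%) else (echo OK   ping %CA_HOST%)
ping -n 2 %CA_IP% >> "%LOG%" 2>&1
if errorlevel 1 (echo FAIL ping %CA_IP%) else (echo OK   ping %CA_IP%)

rem 2. Is Certificate Services answering requests from this machine?
certutil -config "%CA_HOST%\%CA_NAME%" -ping >> "%LOG%" 2>&1
if errorlevel 1 (echo FAIL certutil -ping) else (echo OK   certutil -ping)

rem 3. netdiag covers DC discovery, secure channel, Kerberos and DNS tests.
echo ==== netdiag ==== >> "%LOG%"
netdiag >> "%LOG%" 2>&1

rem 4. Domain controller only: directory health and GPO consistency.
if /i "%1"=="dc" (
    echo ==== dcdiag ==== >> "%LOG%"
    dcdiag >> "%LOG%" 2>&1
    echo ==== gpotool ==== >> "%LOG%"
    gpotool >> "%LOG%" 2>&1
)

rem 5. Show only the log lines that need attention, with line numbers.
echo.
echo Lines in %LOG% mentioning failures or warnings:
findstr /i /n "failed warning fatal error" "%LOG%"
if errorlevel 1 echo (none found)

endlocal
```

Comparing the log from the CA itself with the log from a failing client shows whether the fault is on the CA or on the path between the client, the domain controllers and the CA.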

