Re: Cannot request computer certificate.
- From: "Jarryd" <j@xxx>
- Date: Fri, 6 Jan 2006 22:11:59 -0000
Hi Steve,
I did a certutil -ping from the server again and now it is working:
C:\Program Files\Support Tools>certutil -ping
Connecting to srvr3domain.com\TELCA ...
Server "TELCA" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.
Not too sure, I might have not done it from the CA originally, sorry. Well
it is getting late here now and I don't want to miss the last train home so
I had best head home. I will check in again in about 45 mins so please do
post any more ideas.
Thanks a million,
Jarryd
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ORGxCUwEGHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
> Just to clarify I ran certutil -ping on my Certificate Authority. ---
> Steve
>
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:uVPsSIwEGHA.344@xxxxxxxxxxxxxxxxxxxxxxx
>>I don't see anything obvious but I do see a couple of things that may or
>>may not be related. Your domain client can not find the SPN on the domain
>>controller that is your CA. I would run dcdiag /fix on both of those
>>domain controllers which may fix that problem. I tend to doubt that is the
>>whole problem since you can not request a certificate while logged onto
>>the CA.
>>
>> LDAP test. . . . . . . . . . . . . : Passed
>>> [WARNING] Failed to query SPN registration on DC 'srvr3.domain.com'.
>>> [WARNING] Failed to query SPN registration on DC 'srvr2.domain.com'.
>>
>> As far as certutil - ping. This is what it looks like on my test CA and
>> you should run the command on your test CA also to see what you get
>> because that looks problematic from what you show for your CA.
>>
>> E:\Documents and Settings\steve>certutil -ping
>> Connecting to server1-2003.umbach3.com\Umb3-a ...
>> Server "Umb3-a" ICertRequest2 interface is alive
>> CertUtil: -ping command completed successfully.
>>
>> I would verify that the certificate services service is running and set
>> to start as automatic. Also open the Certificate Authority Management
>> Console snapin to see if it shows your CA as running which would show a
>> circle with a green arrow to the right of the CA name. If it is running
>> try to restart the service to see if that helps or not. It seems odd that
>> you have the problem in your test network also. I wonder if it was a
>> baseline default install or modified somehow with security templates,
>> etc. See if you can request ANY user/computer certificate while logged
>> onto the CA using the mmc snapin for certificates for user and computer
>> to see if the problem is with a template or issuing certificates
>> altogether. The results of certutil -ping makes me wonder if the CA is
>> not working at all for any certificate request for some reason. Use
>> Active Directory Sites and Services to verify your CA name shows under
>> public key services - certification authorities. You may need to select
>> view - show services node first while ADS&S is highlighted. In security
>> for the CA everyone should have read and special permissions. I am
>> running out of ideas also : ( --- Steve
>>
>>
>>
>> ://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx ---
>> Windows 2003 PKI resources.
>>
>> "Jarryd" <j@xxx> wrote in message
>> news:O3rNGwvEGHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi Steve,
>>>
>>> I was so hoping you were going to reply. Right to answer your
>>> questions:
>>>
>>> Q.) What operating system and what type of CA are you using?
>>> A.) Windows Server 2003 SP1
>>> Q.) Is this a new or ongoing problem?
>>> A.) First time I have encountered it. Then again I haven't needed to
>>> request a computer certificate for about 9 months.
>>> Q.) More than one domain in the forest?
>>> A.) Just the one. Very simple setup.
>>> Q.) I would first verify that the CA is running, logon to it as an
>>> admin and verify that you can get a computer/server certificate from it.
>>> A.) The CA is running. I can log on to it. I cannot get a
>>> computer/server certificate from it - that is my problem. But the
>>> server can successfully request a certificate for itself.
>>> Q.) You can also use certutil to check on the CA such as certutil -ping
>>> at least for Windows 2003.
>>> A.) Result:
>>> ------------------------------------------------------------
>>> H:\>certutil -ping
>>> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
>>> 417.329.0: 0x80070103 (WIN32: 259)
>>> 417.596.0: 0x80070103 (WIN32: 259)
>>> 410.2618.0: 0x80070002 (WIN32: 2)
>>> 410.2633.0: 0x80070103 (WIN32: 259)
>>> CertUtil: No local Certification Authority; use -config option
>>> 301.2585.0: 0x80070103 (WIN32: 259)
>>> 301.2824.0: 0x80070103 (WIN32: 259)
>>> CertUtil: No more data is available.
>>> 301.3128.0: 0x80070103 (WIN32: 259)
>>> ------------------------------------------------------------
>>> Q.) Verify that you can ping it by name and IP address from the client
>>> computers.
>>> A.) Ping OK.
>>> Q.) In the CA Management Console look in properties for your CA and go
>>> to security and verify that authenticated users have request
>>> certificates permission.
>>> A.) They do, along with read permission. I have also explicitly given
>>> myself, my PC, and the server having the problem all four permissions.
>>> Still no luck.
>>> Q.) If you are using Windows 2003 see if there is any info in failed
>>> requests.
>>> A.) Nothing failed.
>>> Q.) Look in the logs of the CA via Event Viewer,etc. to see if there any
>>> pertinent messages there including any that may show errors for Group
>>> Policy.
>>> A.) Nothing in event viewer.
>>> Q.) Possibly there is a problem with the CA or domain computers
>>> contacting domain controllers.
>>> A.) The CA is a domain controller. I have no error messages when
>>> logging on, and nothing in event viewer to that effect either.
>>> Q.) An Enterprise CA needs to be trusted for delegation I believe so
>>> check its computer account in Active Directory Users and Computer for
>>> that and to make sure that computer is in the
>>> A.) The Enterprise CA is trusted for delegation and it is a member of
>>> CERTSVC_DCOM_ACCESS and Cert Publishers groups.
>>> Q.) I would run the support tool netdiag on your domain controller [at
>>> least pdc fsmo], your CA, and a client domain computer having a problem
>>> looking for any errors/warnings relating to dc discovery, secure
>>> channel, Kerberos, or dns.
>>> A.) Results:
>>> 1.) Client:
>>> --------------------------------------------------------------
>>> Netcard queries test . . . . . . . : Passed
>>>
>>> Per interface results:
>>>
>>> Adapter : Local Area Connection
>>>
>>> Netcard queries test . . . : Passed
>>>
>>> Host Name. . . . . . . . . : IT1.domain.com
>>> IP Address . . . . . . . . : 200.200.10.18
>>> Subnet Mask. . . . . . . . : 255.255.255.0
>>> Default Gateway. . . . . . : 200.200.10.254
>>> Primary WINS Server. . . . : 200.200.10.1
>>> Dns Servers. . . . . . . . : 200.200.10.2
>>> 200.200.10.3
>>>
>>> AutoConfiguration results. . . . . . : Passed
>>>
>>> Default gateway test . . . : Passed
>>>
>>> NetBT name test. . . . . . : Passed
>>> [WARNING] At least one of the <00> 'WorkStation Service', <03>
>>> 'Messenger Service', <20> 'WINS' names is missing.
>>>
>>> WINS service test. . . . . : Passed
>>>
>>>
>>> Global results:
>>>
>>> Domain membership test . . . . . . : Passed
>>>
>>> NetBT transports test. . . . . . . : Passed
>>> List of NetBt transports currently configured:
>>> NetBT_Tcpip_{F3401C24-6574-42C3-AC4E-D74FAC611C8D}
>>> 1 NetBt transport currently configured.
>>>
>>> Autonet address test . . . . . . . : Passed
>>>
>>> IP loopback ping test. . . . . . . : Passed
>>>
>>> Default gateway test . . . . . . . : Passed
>>>
>>> NetBT name test. . . . . . . . . . : Passed
>>> [WARNING] You don't have a single interface with the <00>
>>> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
>>>
>>> Winsock test . . . . . . . . . . . : Passed
>>>
>>> DNS test . . . . . . . . . . . . . : Passed
>>>
>>> Redir and Browser test . . . . . . : Passed
>>> List of NetBt transports currently bound to the Redir
>>> NetBT_Tcpip_{F3401C24-6574-42C3-AC4E-D74FAC611C8D}
>>> The redir is bound to 1 NetBt transport.
>>>
>>> List of NetBt transports currently bound to the browser
>>> NetBT_Tcpip_{F3401C24-6574-42C3-AC4E-D74FAC611C8D}
>>> The browser is bound to 1 NetBt transport.
>>>
>>> DC discovery test. . . . . . . . . : Passed
>>>
>>> DC list test . . . . . . . . . . . : Passed
>>>
>>> Trust relationship test. . . . . . : Passed
>>> Secure channel for domain 'Domain' is to '\\srvr3.domain.com'.
>>>
>>> Kerberos test. . . . . . . . . . . : Passed
>>>
>>> LDAP test. . . . . . . . . . . . . : Passed
>>> [WARNING] Failed to query SPN registration on DC 'srvr3.domain.com'.
>>> [WARNING] Failed to query SPN registration on DC 'srvr2.domain.com'.
>>>
>>> Bindings test. . . . . . . . . . . : Passed
>>>
>>> WAN configuration test . . . . . . : Skipped
>>> No active remote access connections.
>>>
>>> Modem diagnostics test . . . . . . : Passed
>>>
>>> IP Security test . . . . . . . . . : Passed
>>> Service status is: Started
>>> Service startup is: Automatic
>>> IPSec service is available, but no policy is assigned or active
>>> Note: run "ipseccmd /?" for more detailed information
>>>
>>> The command completed successfully
>>> ------------------------------------------------
>>> 2.) CA (which is also the PDC FSMO)
>>> .....................................
>>>
>>> Computer Name: SRVR3
>>> DNS Host Name: srvr3.domain.com
>>> System info : Windows 2000 Server (Build 3790)
>>> Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
>>>
>>> Netcard queries test . . . . . . . : Passed
>>>
>>> Per interface results:
>>>
>>> Adapter : Local Area Connection
>>>
>>> Netcard queries test . . . : Passed
>>>
>>> Host Name. . . . . . . . . : srvr3
>>> IP Address . . . . . . . . : 200.200.10.3
>>> Subnet Mask. . . . . . . . : 255.255.255.0
>>> Default Gateway. . . . . . : 200.200.10.254
>>> Dns Servers. . . . . . . . : 200.200.10.2
>>> 200.200.10.3
>>>
>>> AutoConfiguration results. . . . . . : Passed
>>> Default gateway test . . . : Passed
>>> NetBT name test. . . . . . : Passed
>>> WINS service test. . . . . : Skipped
>>> There are no WINS servers configured for this interface.
>>>
>>> Global results:
>>>
>>> Domain membership test . . . . . . : Passed
>>>
>>> NetBT transports test. . . . . . . : Passed
>>> List of NetBt transports currently configured:
>>> NetBT_Tcpip_{FF77261C-B517-468C-9244-E3EABC4C12FD}
>>> 1 NetBt transport currently configured.
>>>
>>> Autonet address test . . . . . . . : Passed
>>>
>>> IP loopback ping test. . . . . . . : Passed
>>>
>>> Default gateway test . . . . . . . : Passed
>>>
>>> NetBT name test. . . . . . . . . . : Passed
>>>
>>> Winsock test . . . . . . . . . . . : Passed
>>>
>>> DNS test . . . . . . . . . . . . . : Passed
>>> PASS - All the DNS entries for DC are registered on DNS server
>>> '200.200.10.2' and other DCs also have some of the names registered.
>>> PASS - All the DNS entries for DC are registered on DNS server
>>> '200.200.10.3' and other DCs also have some of the names registered.
>>>
>>> Redir and Browser test . . . . . . : Passed
>>> List of NetBt transports currently bound to the Redir
>>> NetBT_Tcpip_{FF77261C-B517-468C-9244-E3EABC4C12FD}
>>> The redir is bound to 1 NetBt transport.
>>>
>>> List of NetBt transports currently bound to the browser
>>> NetBT_Tcpip_{FF77261C-B517-468C-9244-E3EABC4C12FD}
>>> The browser is bound to 1 NetBt transport.
>>>
>>> DC discovery test. . . . . . . . . : Passed
>>>
>>> DC list test . . . . . . . . . . . : Passed
>>>
>>> Trust relationship test. . . . . . : Skipped
>>>
>>> Kerberos test. . . . . . . . . . . : Passed
>>>
>>> LDAP test. . . . . . . . . . . . . : Passed
>>>
>>> Bindings test. . . . . . . . . . . : Passed
>>>
>>> WAN configuration test . . . . . . : Skipped
>>> No active remote access connections.
>>>
>>> Modem diagnostics test . . . . . . : Passed
>>> IP Security test . . . . . . . . . : Skipped
>>> Note: run "netsh ipsec dynamic show /?" for more detailed information
>>>
>>> The command completed successfully
>>> ------------------------------------------------------------------------------------------------------
>>> Q.) If the CA is Windows 2003 and you have the Windows Firewall enabled
>>> then disable it at least temporarily until the problem is resolved
>>> assuming this will not expose it to untrusted networks such as the
>>> internet.
>>> A.) Already disabled.
>>> Q.) Review the link below on Active Directory dns to make sure that your
>>> dns is correctly configured for the domain.
>>> A.) As far as I can tell DNS is tip top.
>>> Q.) You could also try Web Enrollment to see if that works or not for
>>> now.
>>> A.) Web enrollment does work, but I can't get a computer (Client
>>> Authentication) certificate using the web enrollment.
>>>
>>> So I really am stumped. Is there not a common reason why this doesn't
>>> work. I have installed a new server in a test network (1 x server = DC +
>>> CA), and connected one client to it. I have the same problem in the
>>> test network. What have I not done. The strange thing is that this was
>>> working. I really feel like I am going to have a break down. I might
>>> even just run away and never come back.
>>>
>>> Please help!!
>>>
>>> TIA,
>>>
>>> Jarryd
>>>
>>> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:%23YdiHIvEGHA.3984@xxxxxxxxxxxxxxxxxxxxxxx
>>>> What operating system and what type of CA are you using? More than one
>>>> domain in the forest? Is this a new or ongoing problem? I would first
>>>> verify that the CA is running, logon to it as an admin and verify that
>>>> you can get a computer/server certificate from it. You can also use
>>>> certutil to check on the CA such as certutil -ping at least for Windows
>>>> 2003. Verify that you can ping it by name and IP address from the
>>>> client computers. In the CA Management Console look in properties for
>>>> your CA and go to security and verify that authenticated users have
>>>> request certificates permission. If you are using Windows 2003 see if
>>>> there is any info in failed requests. Look in the logs of the CA via
>>>> Event Viewer,etc. to see if there any pertinent messages there
>>>> including any that may show errors for Group Policy. Possibly there is
>>>> a problem with the CA or domain computers contacting domain
>>>> controllers. An Enterprise CA needs to be trusted for delegation I
>>>> believe so check its computer account in Active Directory Users and
>>>> Computer for that and to make sure that computer is in the
>>>>
>>>> I would run the support tool netdiag on your domain controller [at
>>>> least pdc fsmo], your CA, and a client domain computer having a problem
>>>> looking for any errors/warnings relating to dc discovery, secure
>>>> channel, Kerberos, or dns. If you have multiple domain controllers run
>>>> dcdiag and gpotool on at least the pdc fsmo. If the CA is Windows 2003
>>>> and you have the Windows Firewall enabled then disable it at least
>>>> temporarily until the problem is resolved assuming this will not expose
>>>> it to untrusted networks such as the internet. Review the link below on
>>>> Active Directory dns to make sure that your dns is correctly configured
>>>> for the domain. You could also try Web Enrollment to see if that works
>>>> or not for now. --- Steve
>>>>
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;294785
>>>>
>>>>
>>>> tp://www.isaserver.org/img/upl/vpnkitbeta2/webenrollstandalone.htm ---
>>>> Web Enrollment Example
>>>>
>>>> "Jarryd" <j@xxx> wrote in message
>>>> news:uDEaUruEGHA.376@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>>
>>>>> BTW, this is kind of a repost. I wouldn't normally do this but I am
>>>>> panicking. I have already tried to call MS for technical support but
>>>>> the operator would not transfer my call because it was almost 18:00.
>>>>> So now I am stuck. I need to request a computer certificate for VPN
>>>>> server. However, I get the following error message:
>>>>>
>>>>> The certificate request failed because of one of the following
>>>>> conditions:
>>>>> -The certificate request was submitted to a Certification Authority
>>>>> (CA)
>>>>> that is not started.
>>>>> -You do not have the permissions to request certificates from the
>>>>> available
>>>>> CAs.
>>>>>
>>>>> It has got to be the second one. But how would I have lost
>>>>> permission? I
>>>>> have gone absolutely balmy by granting myself and my PC full control
>>>>> to the
>>>>> Computer and Enrollment Agent (computer) templates. Still not
>>>>> happening.
>>>>> The CA can successfully request certificates from itself, but all
>>>>> remote PCs
>>>>> fail, even DCs.
>>>>>
>>>>> Why me?!! Please help!!
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
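The checks Steve walks through above (is the CA advertised in AD, does certutil -ping reach it, is CertSvc running and set to Automatic, who is in CERTSVC_DCOM_ACCESS, are there failed requests) can be run together. The script below is an added example for this thread, not something either poster wrote. It is read-only and assumes Windows PowerShell 5.1 on a domain member, certutil.exe on the PATH, read access to the Configuration partition, WMI reachable on the CA host, and it uses "srvr3.domain.com\TELCA" only as a placeholder for the CA config string.

```powershell
<#
Added example, not from the thread: a read-only health check for an
Enterprise CA that walks the same checks the posts above do by hand.
Run in an elevated Windows PowerShell 5.1 session on a domain member.
Assumptions: certutil.exe is on PATH, the caller can read the Configuration
partition, WMI/RPC is reachable on the CA host, and "srvr3.domain.com\TELCA"
is a placeholder CA config string taken from the thread, not a real value.
#>
param(
    [string]$CAConfig = 'srvr3.domain.com\TELCA'   # "<CA host FQDN>\<CA common name>"
)

$caDns   = $CAConfig.Split('\')[0]
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail.Trim() })
}
function Search-Ad([string]$Base, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Base", $Filter)
    $s.PropertiesToLoad.AddRange($Props)
    $s.FindAll()
}

# 1. Enrollment Services objects. The Certificates snap-in and autoenrollment
#    discover CAs from this container, so a CA missing here is invisible to
#    clients even when certutil -ping succeeds against it by name.
$root      = [ADSI]'LDAP://RootDSE'
$configNc  = $root.Properties['configurationNamingContext'][0]
$defaultNc = $root.Properties['defaultNamingContext'][0]
$cas = Search-Ad "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc" `
                 '(objectClass=pKIEnrollmentService)' @('cn', 'dNSHostName', 'certificateTemplates')
Add-Result 'Enrollment Services objects in AD' ($cas.Count -gt 0) `
           ('Found: ' + (($cas | ForEach-Object { $_.Properties['cn'][0] }) -join ', '))
foreach ($ca in $cas) {
    $name      = $ca.Properties['cn'][0]
    $templates = @($ca.Properties['certificatetemplates'])
    # 'Machine' is the internal name of the "Computer" template. A CA that does
    # not publish it cannot issue one, whatever the template's own ACL says.
    Add-Result "CA '$name' publishes the Computer template" ($templates -contains 'Machine') `
               ('Published: ' + ($templates -join ', '))
}

# 2. certutil -ping against the named CA, the same call the thread uses.
#    Without -config, certutil only looks for a CA on the local machine, which
#    is what produced "No local Certification Authority; use -config option".
$ping = (& certutil.exe -config $CAConfig -ping 2>&1) -join "`n"
Add-Result "certutil -config $CAConfig -ping" ($ping -match 'interface is alive') $ping

# 3. CertSvc must be running and set to Automatic on the CA host.
try {
    $svc  = Get-Service -Name CertSvc -ComputerName $caDns -ErrorAction Stop
    $mode = (Get-WmiObject Win32_Service -Filter "Name='CertSvc'" -ComputerName $caDns -ErrorAction Stop).StartMode
    Add-Result 'CertSvc running and Automatic' ($svc.Status -eq 'Running' -and $mode -eq 'Auto') `
               "Status=$($svc.Status) StartMode=$mode"
} catch { Add-Result 'CertSvc state' $false $_.Exception.Message }

# 4. DCOM access. Since Windows Server 2003 SP1 the CA grants DCOM launch and
#    access rights only to members of CERTSVC_DCOM_ACCESS; when the CA is a
#    domain controller that group lives in the domain. The requesters (Domain
#    Users, Domain Computers, or Authenticated Users = S-1-5-11) must be in it,
#    not only the CA's own computer account.
$grp = Search-Ad $defaultNc '(&(objectClass=group)(cn=CERTSVC_DCOM_ACCESS))' @('member')
if ($grp.Count -gt 0) {
    $members = @($grp[0].Properties['member']) -join '; '
    $hasRequesters = $members -match 'CN=Domain Users|CN=Domain Computers|CN=S-1-5-11'
    Add-Result 'CERTSVC_DCOM_ACCESS contains requesters' $hasRequesters "Members: $members"
} else {
    Add-Result 'CERTSVC_DCOM_ACCESS domain group' $false `
               'Not found in the domain partition (it is a local group on a member-server CA)'
}

# 5. Failed requests (Disposition=30; use 31 for denied) in the CA database.
#    "Nothing failed" in the thread should show here as zero rows.
$failed = (& certutil.exe -config $CAConfig -view -restrict 'Disposition=30' `
             -out 'RequestID,RequesterName,Request.StatusCode' 2>&1) -join "`n"
Add-Result 'Failed requests query' ($failed -notmatch 'FAILED') $failed

$results | Format-Table -AutoSize -Wrap
```

Run it from a client that cannot enroll as well as from the CA itself; a ping that succeeds on the CA but fails from the client points at DCOM or firewall, while a CA that is missing from the Enrollment Services container or does not publish the Machine template fails from everywhere, including web enrollment for that template.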