Re: Cannot request computer certificate.



Just to clarify, the certutil -ping is working, not the certificate
requests. I am sure that the fact that the web requests work and the mmc
requests do not is a big clue.

TIA,

Jarryd

"Jarryd" <j@xxx> wrote in message
news:%23cq503wEGHA.1508@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Steve,
>
> I did a certutil -ping from the server again and now it is working:
>
> C:\Program Files\Support Tools>certutil -ping
> Connecting to srvr3domain.com\TELCA ...
> Server "TELCA" ICertRequest2 interface is alive
> CertUtil: -ping command completed successfully.
>
> Not too sure, I might have not done it from the CA originally, sorry.
> Well it is getting late here now and I don't want to miss the last train
> home so I had best head home. I will check in again in about 45 mins so
> please do post any more ideas.
>
> Thanks a million,
>
> Jarryd
>
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:ORGxCUwEGHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
>> Just to clarify, I ran certutil -ping on my Certificate Authority. ---
>> Steve
>>
>>
>> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:uVPsSIwEGHA.344@xxxxxxxxxxxxxxxxxxxxxxx
>>> I don't see anything obvious but I do see a couple of things that may or
>>> may not be related. Your domain client can not find the SPN on the domain
>>> controller that is your CA. I would run dcdiag /fix on both of those
>>> domain controllers which may fix that problem. I tend to doubt that is
>>> the whole problem since you can not request a certificate while logged
>>> onto the CA.
>>>
>>> LDAP test. . . . . . . . . . . . . : Passed
>>>> [WARNING] Failed to query SPN registration on DC 'srvr3.domain.com'.
>>>> [WARNING] Failed to query SPN registration on DC 'srvr2.domain.com'.
>>>
>>> As far as certutil -ping, this is what it looks like on my test CA and
>>> you should run the command on your test CA also to see what you get
>>> because that looks problematic from what you show for your CA.
>>>
>>> E:\Documents and Settings\steve>certutil -ping
>>> Connecting to server1-2003.umbach3.com\Umb3-a ...
>>> Server "Umb3-a" ICertRequest2 interface is alive
>>> CertUtil: -ping command completed successfully.
>>>
>>> I would verify that the certificate services service is running and set
>>> to start as automatic. Also open the Certificate Authority Management
>>> Console snapin to see if it shows your CA as running which would show a
>>> circle with a green arrow to the right of the CA name. If it is running
>>> try to restart the service to see if that helps or not. It seems odd
>>> that you have the problem in your test network also. I wonder if it was
>>> a baseline default install or modified somehow with security templates,
>>> etc. See if you can request ANY user/computer certificate while logged
>>> onto the CA using the mmc snapin for certificates for user and computer
>>> to see if the problem is with a template or issuing certificates
>>> altogether. The results of certutil -ping makes me wonder if the CA is
>>> not working at all for any certificate request for some reason. Use
>>> Active Directory Sites and Services to verify your CA name shows under
>>> public key services - certification authorities. You may need to select
>>> view - show services node first while ADS&S is highlighted. In security
>>> for the CA everyone should have read and special permissions. I am
>>> running out of ideas also : ( --- Steve
>>>
>>>
>>>
>>>
>>> /www.microsoft.com/windowsserver2003/technologies/pki/default.mspx ---
>>> Windows 2003 PKI resources.
>>>
>>> "Jarryd" <j@xxx> wrote in message
>>> news:O3rNGwvEGHA.2300@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi Steve,
>>>>
>>>> I was so hoping you were going to reply. Right to answer your
>>>> questions:
>>>>
>>>> Q.) What operating system and what type of CA are you using?
>>>> A.) Windows Server 2003 SP1
>>>> Q.) Is this a new or ongoing problem?
>>>> A.) First time I have encountered it. Then again I haven't needed to
>>>> request a computer certificate for about 9 months.
>>>> Q.) More than one domain in the forest?
>>>> A.) Just the one. Very simple setup.
>>>> Q.) I would first verify that the CA is running, logon to it as an
>>>> admin and verify that you can get a computer/server certificate from
>>>> it.
>>>> A.) The CA is running. I can log on to it. I cannot get a
>>>> computer/server certificate from it - that is my problem. But the
>>>> server can successfully request a certificate for itself.
>>>> Q.) You can also use certutil to check on the CA such as certutil -ping
>>>> at least for Windows 2003.
>>>> A.) Result:
>>>> ------------------------------------------------------------
>>>> H:\>certutil -ping
>>>> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
>>>> 417.329.0: 0x80070103 (WIN32: 259)
>>>> 417.596.0: 0x80070103 (WIN32: 259)
>>>> 410.2618.0: 0x80070002 (WIN32: 2)
>>>> 410.2633.0: 0x80070103 (WIN32: 259)
>>>> CertUtil: No local Certification Authority; use -config option
>>>> 301.2585.0: 0x80070103 (WIN32: 259)
>>>> 301.2824.0: 0x80070103 (WIN32: 259)
>>>> CertUtil: No more data is available.
>>>> 301.3128.0: 0x80070103 (WIN32: 259)
>>>> ------------------------------------------------------------
>>>> Q.) Verify that you can ping it by name and IP address from the client
>>>> computers.
>>>> A.) Ping OK.
>>>> Q.) In the CA Management Console look in properties for your CA and go
>>>> to security and verify that authenticated users have request
>>>> certificates permission.
>>>> A.) They do, along with read permission. I have also explicitly given
>>>> myself, my PC, and the server having the problem all four permissions.
>>>> Still no luck.
>>>> Q.) If you are using Windows 2003 see if there is any info in failed
>>>> requests.
>>>> A.) Nothing failed.
>>>> Q.) Look in the logs of the CA via Event Viewer, etc. to see if there
>>>> are any pertinent messages there including any that may show errors for
>>>> Group Policy.
>>>> A.) Nothing in event viewer.
>>>> Q.) Possibly there is a problem with the CA or domain computers
>>>> contacting domain controllers.
>>>> A.) The CA is a domain controller. I have no error messages when
>>>> logging on, and nothing in event viewer to that effect either.
>>>> Q.) An Enterprise CA needs to be trusted for delegation I believe so
>>>> check its computer account in Active Directory Users and Computers for
>>>> that and to make sure that computer is in the
>>>> A.) The Enterprise CA is trusted for delegation and it is a member of
>>>> CERTSVC_DCOM_ACCESS and Cert Publishers groups.
>>>> Q.) I would run the support tool netdiag on your domain controller [at
>>>> least pdc fsmo], your CA, and a client domain computer having a problem
>>>> looking for any errors/warnings relating to dc discovery, secure
>>>> channel, Kerberos, or dns.
>>>> A.) Results:
>>>> 1.) Client:
>>>> --------------------------------------------------------------
>>>> Netcard queries test . . . . . . . : Passed
>>>>
>>>> Per interface results:
>>>>
>>>> Adapter : Local Area Connection
>>>>
>>>> Netcard queries test . . . : Passed
>>>>
>>>> Host Name. . . . . . . . . : IT1.domain.com
>>>> IP Address . . . . . . . . : 200.200.10.18
>>>> Subnet Mask. . . . . . . . : 255.255.255.0
>>>> Default Gateway. . . . . . : 200.200.10.254
>>>> Primary WINS Server. . . . : 200.200.10.1
>>>> Dns Servers. . . . . . . . : 200.200.10.2
>>>> 200.200.10.3
>>>>
>>>> AutoConfiguration results. . . . . . : Passed
>>>>
>>>> Default gateway test . . . : Passed
>>>>
>>>> NetBT name test. . . . . . : Passed
>>>> [WARNING] At least one of the <00> 'WorkStation Service', <03>
>>>> 'Messenger Service', <20> 'WINS' names is missing.
>>>>
>>>> WINS service test. . . . . : Passed
>>>>
>>>>
>>>> Global results:
>>>>
>>>> Domain membership test . . . . . . : Passed
>>>>
>>>> NetBT transports test. . . . . . . : Passed
>>>> List of NetBt transports currently configured:
>>>> NetBT_Tcpip_{F3401C24-6574-42C3-AC4E-D74FAC611C8D}
>>>> 1 NetBt transport currently configured.
>>>>
>>>> Autonet address test . . . . . . . : Passed
>>>>
>>>> IP loopback ping test. . . . . . . : Passed
>>>>
>>>> Default gateway test . . . . . . . : Passed
>>>>
>>>> NetBT name test. . . . . . . . . . : Passed
>>>> [WARNING] You don't have a single interface with the <00>
>>>> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
>>>>
>>>> Winsock test . . . . . . . . . . . : Passed
>>>>
>>>> DNS test . . . . . . . . . . . . . : Passed
>>>>
>>>> Redir and Browser test . . . . . . : Passed
>>>> List of NetBt transports currently bound to the Redir
>>>> NetBT_Tcpip_{F3401C24-6574-42C3-AC4E-D74FAC611C8D}
>>>> The redir is bound to 1 NetBt transport.
>>>>
>>>> List of NetBt transports currently bound to the browser
>>>> NetBT_Tcpip_{F3401C24-6574-42C3-AC4E-D74FAC611C8D}
>>>> The browser is bound to 1 NetBt transport.
>>>>
>>>> DC discovery test. . . . . . . . . : Passed
>>>>
>>>> DC list test . . . . . . . . . . . : Passed
>>>>
>>>> Trust relationship test. . . . . . : Passed
>>>> Secure channel for domain 'Domain' is to '\\srvr3.domain.com'.
>>>>
>>>> Kerberos test. . . . . . . . . . . : Passed
>>>>
>>>> LDAP test. . . . . . . . . . . . . : Passed
>>>> [WARNING] Failed to query SPN registration on DC 'srvr3.domain.com'.
>>>> [WARNING] Failed to query SPN registration on DC 'srvr2.domain.com'.
>>>>
>>>> Bindings test. . . . . . . . . . . : Passed
>>>>
>>>> WAN configuration test . . . . . . : Skipped
>>>> No active remote access connections.
>>>>
>>>> Modem diagnostics test . . . . . . : Passed
>>>>
>>>> IP Security test . . . . . . . . . : Passed
>>>> Service status is: Started
>>>> Service startup is: Automatic
>>>> IPSec service is available, but no policy is assigned or active
>>>> Note: run "ipseccmd /?" for more detailed information
>>>>
>>>> The command completed successfully
>>>> ------------------------------------------------
>>>> 2.) CA (which is also the PDC FSMO)
>>>> .....................................
>>>>
>>>> Computer Name: SRVR3
>>>> DNS Host Name: srvr3.domain.com
>>>> System info : Windows 2000 Server (Build 3790)
>>>> Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
>>>>
>>>> Netcard queries test . . . . . . . : Passed
>>>>
>>>> Per interface results:
>>>>
>>>> Adapter : Local Area Connection
>>>>
>>>> Netcard queries test . . . : Passed
>>>>
>>>> Host Name. . . . . . . . . : srvr3
>>>> IP Address . . . . . . . . : 200.200.10.3
>>>> Subnet Mask. . . . . . . . : 255.255.255.0
>>>> Default Gateway. . . . . . : 200.200.10.254
>>>> Dns Servers. . . . . . . . : 200.200.10.2
>>>> 200.200.10.3
>>>>
>>>> AutoConfiguration results. . . . . . : Passed
>>>> Default gateway test . . . : Passed
>>>> NetBT name test. . . . . . : Passed
>>>> WINS service test. . . . . : Skipped
>>>> There are no WINS servers configured for this interface.
>>>>
>>>> Global results:
>>>>
>>>> Domain membership test . . . . . . : Passed
>>>>
>>>> NetBT transports test. . . . . . . : Passed
>>>> List of NetBt transports currently configured:
>>>> NetBT_Tcpip_{FF77261C-B517-468C-9244-E3EABC4C12FD}
>>>> 1 NetBt transport currently configured.
>>>>
>>>> Autonet address test . . . . . . . : Passed
>>>>
>>>> IP loopback ping test. . . . . . . : Passed
>>>>
>>>> Default gateway test . . . . . . . : Passed
>>>>
>>>> NetBT name test. . . . . . . . . . : Passed
>>>>
>>>> Winsock test . . . . . . . . . . . : Passed
>>>>
>>>> DNS test . . . . . . . . . . . . . : Passed
>>>> PASS - All the DNS entries for DC are registered on DNS server
>>>> '200.200.10.2' and other DCs also have some of the names registered.
>>>> PASS - All the DNS entries for DC are registered on DNS server
>>>> '200.200.10.3' and other DCs also have some of the names registered.
>>>>
>>>> Redir and Browser test . . . . . . : Passed
>>>> List of NetBt transports currently bound to the Redir
>>>> NetBT_Tcpip_{FF77261C-B517-468C-9244-E3EABC4C12FD}
>>>> The redir is bound to 1 NetBt transport.
>>>>
>>>> List of NetBt transports currently bound to the browser
>>>> NetBT_Tcpip_{FF77261C-B517-468C-9244-E3EABC4C12FD}
>>>> The browser is bound to 1 NetBt transport.
>>>>
>>>> DC discovery test. . . . . . . . . : Passed
>>>>
>>>> DC list test . . . . . . . . . . . : Passed
>>>>
>>>> Trust relationship test. . . . . . : Skipped
>>>>
>>>> Kerberos test. . . . . . . . . . . : Passed
>>>>
>>>> LDAP test. . . . . . . . . . . . . : Passed
>>>>
>>>> Bindings test. . . . . . . . . . . : Passed
>>>>
>>>> WAN configuration test . . . . . . : Skipped
>>>> No active remote access connections.
>>>>
>>>> Modem diagnostics test . . . . . . : Passed
>>>> IP Security test . . . . . . . . . : Skipped
>>>> Note: run "netsh ipsec dynamic show /?" for more detailed information
>>>>
>>>> The command completed successfully
>>>> ------------------------------------------------------------------------------------------------------
>>>> Q.) If the CA is Windows 2003 and you have the Windows Firewall enabled
>>>> then disable it at least temporarily until the problem is resolved
>>>> assuming this will not expose it to untrusted networks such as the
>>>> internet.
>>>> A.) Already disabled.
>>>> Q.) Review the link below on Active Directory dns to make sure that
>>>> your dns is correctly configured for the domain.
>>>> A.) As far as I can tell DNS is tip top.
>>>> Q.) You could also try Web Enrollment to see if that works or not for
>>>> now.
>>>> A.) Web enrollment does work, but I can't get a computer (Client
>>>> Authentication) certificate using the web enrollment.
>>>>
>>>> So I really am stumped. Is there not a common reason why this doesn't
>>>> work? I have installed a new server in a test network (1 x server = DC
>>>> + CA), and connected one client to it. I have the same problem in the
>>>> test network. What have I not done? The strange thing is that this was
>>>> working. I really feel like I am going to have a break down. I might
>>>> even just run away and never come back.
>>>>
>>>> Please help!!
>>>>
>>>> TIA,
>>>>
>>>> Jarryd
>>>>
>>>> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:%23YdiHIvEGHA.3984@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> What operating system and what type of CA are you using? More than
>>>>> one domain in the forest? Is this a new or ongoing problem? I would
>>>>> first verify that the CA is running, logon to it as an admin and
>>>>> verify that you can get a computer/server certificate from it. You can
>>>>> also use certutil to check on the CA such as certutil -ping at least
>>>>> for Windows 2003. Verify that you can ping it by name and IP address
>>>>> from the client computers. In the CA Management Console look in
>>>>> properties for your CA and go to security and verify that
>>>>> authenticated users have request certificates permission. If you are
>>>>> using Windows 2003 see if there is any info in failed requests. Look
>>>>> in the logs of the CA via Event Viewer, etc. to see if there are any
>>>>> pertinent messages there including any that may show errors for Group
>>>>> Policy. Possibly there is a problem with the CA or domain computers
>>>>> contacting domain controllers. An Enterprise CA needs to be trusted
>>>>> for delegation I believe so check its computer account in Active
>>>>> Directory Users and Computers for that and to make sure that computer
>>>>> is in the
>>>>>
>>>>> I would run the support tool netdiag on your domain controller [at
>>>>> least pdc fsmo], your CA, and a client domain computer having a
>>>>> problem looking for any errors/warnings relating to dc discovery,
>>>>> secure channel, Kerberos, or dns. If you have multiple domain
>>>>> controllers run dcdiag and gpotool on at least the pdc fsmo. If the CA
>>>>> is Windows 2003 and you have the Windows Firewall enabled then disable
>>>>> it at least temporarily until the problem is resolved assuming this
>>>>> will not expose it to untrusted networks such as the internet. Review
>>>>> the link below on Active Directory dns to make sure that your dns is
>>>>> correctly configured for the domain. You could also try Web Enrollment
>>>>> to see if that works or not for now. --- Steve
>>>>>
>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;294785
>>>>>
>>>>>
>>>>>
>>>>> p://www.isaserver.org/img/upl/vpnkitbeta2/webenrollstandalone.htm ---
>>>>> Web Enrollment Example
>>>>>
>>>>> "Jarryd" <j@xxx> wrote in message
>>>>> news:uDEaUruEGHA.376@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Hi,
>>>>>>
>>>>>> BTW, this is kind of a repost. I wouldn't normally do this but I am
>>>>>> panicking. I have already tried to call MS for technical support but
>>>>>> the operator would not transfer my call because it was almost 18:00.
>>>>>> So now I am stuck. I need to request a computer certificate for a VPN
>>>>>> server. However, I get the following error message:
>>>>>>
>>>>>> The certificate request failed because of one of the following
>>>>>> conditions:
>>>>>> -The certificate request was submitted to a Certification Authority
>>>>>> (CA) that is not started.
>>>>>> -You do not have the permissions to request certificates from the
>>>>>> available CAs.
>>>>>>
>>>>>> It has got to be the second one. But how would I have lost
>>>>>> permission? I have gone absolutely balmy by granting myself and my PC
>>>>>> full control to the Computer and Enrollment Agent (computer) templates.
>>>>>> Still not happening. The CA can successfully request certificates from
>>>>>> itself, but all remote PCs fail, even DCs.
>>>>>>
>>>>>> Why me?!! Please help!!
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
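The checks Steve walks through (CertSvc running and set to automatic, certutil -ping answered by the CA, the CA published under Public Key Services in Active Directory) can be run from one script. This is an added example written for this thread, not code from either poster; the CA config string "srvr3.domain.com\TELCA" is taken from Jarryd's ping output and should be replaced with your own.

```powershell
# Added diagnostic script (not from the thread). It runs the checks Steve
# lists: CertSvc state and start type, certutil -ping against an explicit
# -config, and whether the CA is published under Public Key Services in AD.
# $CaConfig is an assumption: set it to "<CA host FQDN>\<CA common name>".
param(
    [string]$CaConfig = "srvr3.domain.com\TELCA"   # value taken from the thread's ping output
)

$findings = @()

# 1. Certificate Services must be running and set to start automatically.
$svc = Get-CimInstance Win32_Service -Filter "Name='CertSvc'"
if (-not $svc) {
    $findings += "CertSvc is not installed here; this host is not the CA, so -ping needs -config."
} else {
    if ($svc.State -ne 'Running') { $findings += "CertSvc state is '$($svc.State)', expected Running." }
    if ($svc.StartMode -ne 'Auto') { $findings += "CertSvc start mode is '$($svc.StartMode)', expected Auto." }
}

# 2. Talk to the CA's ICertRequest2 interface. Naming the CA with -config avoids
#    the "No local Certification Authority" result certutil gives when it runs on
#    a machine that does not host a CA (the output Jarryd first posted).
$ping = (& certutil.exe -config $CaConfig -ping 2>&1) -join "`n"
if ($ping -match 'interface is alive') {
    Write-Host "certutil -ping OK for $CaConfig"
} else {
    $findings += "certutil -ping failed for ${CaConfig}:`n$ping"
}

# 3. Domain clients locate an Enterprise CA through its pKIEnrollmentService
#    object in the configuration partition; if that object is missing, the MMC
#    request wizard has no CA to enrol against even though the CA itself answers.
$caName  = $CaConfig.Split('\')[-1]
$rootDse = [ADSI]"LDAP://RootDSE"
$esPath  = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services," +
           $rootDse.Properties['configurationNamingContext'].Value
$caEntry = ([ADSI]$esPath).Children | Where-Object { $_.Properties['cn'].Value -eq $caName }
if (-not $caEntry) {
    $findings += "No Enrollment Services object named '$caName' under Public Key Services."
} else {
    Write-Host "CA '$caName' is published in AD on host $($caEntry.Properties['dNSHostName'].Value)"
}

# 4. Summary. Anything listed here explains MMC requests failing while web
#    enrollment, which is served by IIS on the CA host, still works.
if ($findings.Count -eq 0) {
    Write-Host "All checks passed; look next at template permissions and the CA's failed requests."
} else {
    Write-Warning "Problems found:"
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it on the CA and on a client that fails; a clean result on the CA but a failed step 3 on the client points at AD publication or client-side lookup rather than at the CA service itself.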

