Re: Online request of a certificate with CA in another domain



I am using the Version 1 certificate I believe. From what I have read you
need Windows 2003 Enterprise to use Version 2 certificates and the CA is
Windows 2003 Standard. However I don't believe that Authenticated Users is
enough since I had to add the Domain Users groups from our child domains
to the Certificate Templates in order to allow the child domain users to see
the certificates. The Domain Computers group from the child domain does not
have permissions to the Web Server certificate. I'll attempt to add that
now and see how it works.


Mike

"Paul Adare" <padare@xxxxxxxxxxx> wrote in message
news:MPG.2023ff99f3e9a96598a3bb@xxxxxxxxxxxxxxxxxxxxxxx
In article <OKTi5hWQHHA.2256@xxxxxxxxxxxxxxxxxxxx>, in the
microsoft.public.windows.server.security news group, Mike Celone
<mike.spamfree.celone@xxxxxxxxxxxxxxxx> says...

I am now trying to submit an online certificate request through IIS on a
Windows 2003 machine and have not been successful. The option is available
to submit it online and it can see the CA (it shows up in the drop down
menu) but when the wizard finishes I have no certificate installed. I have
verified that the user account I am using has rights to read and enroll a
web server certificate template by going to the Certsrv webpages and web
server shows up in the list of templates I can request. Are there some
other permissions I need to set to request online certificates?

Do you have the default version 1 Web Server certificate
template published or are you using a custom version 2 template?
If the latter it won't work as the IIS wizard is hard coded for
the version 1 template and can't be changed.
Also, does the computer itself have permissions on the template
(authenticated users is enough)? When using the IIS wizard it
doesn't matter which user account you're using, the request is
submitted in the security context of the computer account.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld
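
Added example, not part of the original posts: since the IIS wizard submits the request as the computer account, the template ACL has to grant that account Read and Enroll, whatever the logged-on user can do. The sketch below evaluates a constructed template DACL in SDDL form for a user token and a computer token; the SIDs, the DACL contents and the function names are assumptions made for illustration.

```python
import re

# Certificate-Enrollment extended right (the "Enroll" permission on a template).
ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
READ_PROP, CONTROL_ACCESS = 0x10, 0x100          # RP and CR access-mask bits
RIGHTS = {"LC": 0x4, "RP": READ_PROP, "WP": 0x20, "CR": CONTROL_ACCESS, "RC": 0x20000}
ALIASES = {"AU": "S-1-5-11"}                     # Authenticated Users

# Constructed child-domain SIDs: RID 513 = Domain Users, RID 515 = Domain Computers.
CHILD_USERS = "S-1-5-21-2000-2000-2000-513"
CHILD_COMPUTERS = "S-1-5-21-2000-2000-2000-515"
USER_TOKEN = {CHILD_USERS, "S-1-5-11"}
COMPUTER_TOKEN = {CHILD_COMPUTERS, "S-1-5-11"}

# Constructed DACL: Authenticated Users can read, the child domain's Domain Users
# can enroll, and the child domain's Domain Computers have no ACE at all.
TEMPLATE_SDDL = "D:(A;;LCRPRC;;;AU)" + f"(OA;;CR;{ENROLL_GUID};;{CHILD_USERS})"


def parse_aces(sddl):
    """Yield (ace_type, access_mask, object_guid, trustee_sid) for each DACL ACE."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]   # drop owner/group and SACL
    for body in re.findall(r"\(([^()]*)\)", dacl):
        ace_type, _flags, rights, guid, _inh, trustee = body.split(";")[:6]
        if rights.startswith("0x"):
            mask = int(rights, 16)
        else:  # two-letter right codes; codes not in RIGHTS are ignored
            mask = sum({RIGHTS.get(rights[i:i + 2], 0) for i in range(0, len(rights), 2)})
        yield ace_type, mask, guid.lower(), ALIASES.get(trustee, trustee)


def can_enroll(sddl, token_sids):
    """True if the token is granted Read and Enroll and no deny ACE matches.
    Simplified: any matching deny wins, regardless of ACE order."""
    granted = set()
    for ace_type, mask, guid, sid in parse_aces(sddl):
        if sid not in token_sids:
            continue
        rights = set()
        if mask & READ_PROP and not guid:
            rights.add("read")
        if mask & CONTROL_ACCESS and guid in ("", ENROLL_GUID):
            rights.add("enroll")
        if ace_type in ("D", "OD") and rights:
            return False
        if ace_type in ("A", "OA"):
            granted |= rights
    return {"read", "enroll"} <= granted
```

With this constructed DACL the user token passes and the computer token does not; appending an Enroll ACE for the child domain's Domain Computers SID makes the computer token pass as well.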


