Re: Windows Server 2003 Ent. Certificate Services Webenroll
- From: jentzsch <jentzsch.3a6uvc@xxxxxxxxxxxxx>
- Date: Fri, 30 May 2008 01:03:14 +0530
Sorry to answer your question so late, but I have been working on this
issue for a few days now and nobody on the net had the answer. Here are
the symptoms of the problem:
1) You have installed a CA (Stand Alone) on machine A and Web
Enrollment Support on machine B. Installation succeeds OK. You access the
page http://MachineB/certsrv and try to request a new certificate for
yourself. After filling in all fields you click the Submit button and get
the message:
2) You have installed a CA (Enterprise) on machine A and Web
Enrollment Support on machine B. Installation succeeds OK. You want to
enable Basic Authentication on the page http://MachineB/certsrv for
users outside your firewall because for them integrated auth does not
work. You try to request a new certificate for yourself. After filling in
all fields you click the Submit button and get the message:
Error
Your request failed. An error occurred while the server was processing
your request.
Contact your administrator for further assistance.
If you click on the details button you get:
Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
Access is denied. 0x80070005 (WIN32: 5)
COM Error Info:
CCertRequest::Submit Access is denied. 0x80070005 (WIN32: 5)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
The Certification Authority Service has not been started.
I have contacted Microsoft support and I'm surprised that the solution
is not published in the KB. So I will post it here:
Solution for the problem:
Stop IIS and open the metabase
(c:\windows\system32\inetsrv\metabase.xml) file in Notepad.
Locate the string logonmethod and verify that under those 3 virtual
directories of the web Enrollment the method is set to "2". Change all
3 values to "3" and save the file. It will resemble the following:
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertControl"
AccessFlags="AccessRead | AccessScript"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv\CertControl"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertEnroll"
AccessFlags="AccessRead | AccessScript"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv\CertEnroll"
>
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertSrv"
AccessFlags="AccessRead | AccessScript"
AppFriendlyName=""
AppIsolated="0"
AppRoot="/LM/W3svc/1/ROOT/CertSrv"
AuthFlags="AuthAnonymous"
LogonMethod="3"
Path="C:\WINDOWS\system32\CertSrv"
One more detail: If the machine on which you have installed the Web
Enrollment (Machine B) does not belong to the same domain, it will be
necessary to create a local account on both machines A and B with the
same username and password (set it so it does not expire). On both
machines add this user to the group Distributed COM Users. On the CertSrv
virtual directory on Machine B change the anonymous account to this
account you have created.
It will work.
Best Regards: Marcus
--
jentzsch
------------------------------------------------------------------------
jentzsch's Profile: http://forums.techarena.in/member.php?userid=50671
View this thread: http://forums.techarena.in/showthread.php?t=385636
http://forums.techarena.in
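
A read-only check for the metabase edit described in the post above, added here as an example and not part of the original message: it parses a copy of the metabase file and reports, for each of the three Web Enrollment virtual directories, whether LogonMethod is "3". The sample XML is constructed, and the function name `audit` and its status strings are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

VDIRS = ("certcontrol", "certenroll", "certsrv")  # the three named in the post
EXPECTED = "3"                                     # value the post says to set

# Constructed sample shaped like the post's excerpt; CertEnroll is left at "2".
SAMPLE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertControl"
    AuthFlags="AuthAnonymous" LogonMethod="3"
    Path="C:\WINDOWS\system32\CertSrv\CertControl">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertEnroll"
    AuthFlags="AuthAnonymous" LogonMethod="2"
    Path="C:\WINDOWS\system32\CertSrv\CertEnroll">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/CertSrv"
    AuthFlags="AuthAnonymous"
    Path="C:\WINDOWS\system32\CertSrv">
</IIsWebVirtualDir>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/Other"
    AuthFlags="AuthAnonymous" LogonMethod="2" Path="C:\Inetpub\other">
</IIsWebVirtualDir>
</MBProperty>
</configuration>"""


def audit(root, expected=EXPECTED):
    """Map each enrollment vdir name to 'ok', 'missing', 'unset' or its value."""
    result = dict.fromkeys(VDIRS, "missing")       # vdir key not in the file
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "IIsWebVirtualDir":  # ignore namespace
            continue
        name = el.get("Location", "").rstrip("/").rsplit("/", 1)[-1].lower()
        if name not in result:
            continue                                # unrelated virtual directory
        value = el.get("LogonMethod")
        if value is None:
            result[name] = "unset"                  # attribute absent on this key
        else:
            result[name] = "ok" if value.strip() == expected else value.strip()
    return result


if __name__ == "__main__":
    # Pass a copy of the metabase file as argv[1]; otherwise audit the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for name, status in audit(root).items():
        print("%-12s %s" % (name, status))
```

Run it against a copy of the file taken while IIS is stopped; it only reads and never writes the metabase.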