Re: CRL failing to publish to AD
- From: KHauer <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 5 Sep 2008 15:08:01 -0700
Maybe this is a silly question, but for the life of me I am *not* seeing permissions on containers when using pkiview.
"Brian Komar (MVP)" wrote:
ummm, deleting the containers was a really bad idea..
You should have updated the objects in those containers by fixing the permissions.
I recommend building a replica in a virtual environment, checking out the permissions, and then recreate containers per those permissions.
Brian
"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:05C91D4C-F771-4386-BB0D-48C689360DD4@xxxxxxxxxxxxxxxx
Ok, I used PKIView.msc to view the containers. Couldn't figure out how to view container permissions, but here's what I did so far:
1. When PKIView.msc opens, both Enterprise PKI and my CA show with nice big, red X's in them.
2. Right-clicked on Enterprise PKI and selected 'Manage AD containers...'
3. NTAuthCertificates tab lists the CA and the status is OK.
4. AIA Container tab lists the CA, status OK.
5. CDP Container tab listed both the Base CRL and Delta CRL, both listed as Expired.
6. I removed both CRLs from the CDP Container tab. When asked if I wanted to remove the container, I said yes (which I likely shouldn't have; I was hoping it would recreate it on the fly).
7. Now I open the CA console and try and publish the CRL and receive the following error:
Directory object not found. 0x8007208d (WIN32: 8333)
How badly did I break it? Thanks again for all your help, it's appreciated.
BTW, manually installing the CRLs on each DC is still working, authentication works just fine (I just don't want to have to keep doing it manually).
"Brian Komar (MVP)" wrote:
Use pkiview.msc to view the containers.
Brian
"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6277B409-1883-4207-BA2B-D61B9A1343F4@xxxxxxxxxxxxxxxx
Thank you for your response, Brian.
I went through and checked the permissions on the CDP\Computer and AIA containers, and they were all set as you recommend they should be. However, I noted one discrepancy: I can't seem to find the CA certificate object (but I freely admit I may be looking in the wrong place).
I used ADSI Edit and was looking at everything in:
Configuration -> Services -> Public Key Services
Is that where I should be looking?
"Brian Komar (MVP)" wrote:
What are the permissions on the CDP\Computer and AIA containers?
Did you happen to ever delete the computer account and then rebuild?
It sounds like a permissions problem in the configuration naming context.
1. AIA container. Ensure Cert Publishers is assigned Read, Write, Create All Child Objects and Delete All Child Objects.
2. CA Certificate object: CA computer account: Full Control, Read, and Write.
3. CDP\ComputerName. Cert Publishers group assigned Read, Write, Create All Child Objects and Delete All Child Objects.
4. CRL Object(s) in the CDP\Computer Name container. CA Computer account: Full Control, Read, Write.
5. CA object in Enrollment Services: Computer account assigned Read, Write.
Brian
"KHauer" <KHauer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C7E3AB2-27F9-405F-88A9-4C6B18F02B53@xxxxxxxxxxxxxxxx
Update on this:
I was able to restore authentication by browsing to the CertEnroll share and manually installing the Base and Delta CRLs on each domain controller. This tells me that the CA and certificate services are functioning properly; it's just a matter of the CA being able to publish the CRL to AD, which currently it is unable to do.
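An added example, not code from this thread: a PowerShell check that walks Brian's permission list for the AIA container, the CDP\<computer> container and the CRL objects inside it, and reports a container that is missing altogether (the state KHauer ended up in after deleting it). It assumes the ActiveDirectory module is available and that the placeholder CA computer name is filled in; the CA certificate object and Enrollment Services checks are left out.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and that
# $CaComputer is set to the CA server's computer account name (placeholder value).
Import-Module ActiveDirectory

$CaComputer = 'CA01'   # placeholder: your CA's computer name, without the trailing '$'
$configNC   = (Get-ADRootDSE).configurationNamingContext
$pks        = "CN=Public Key Services,CN=Services,$configNC"
$rightsType = [System.DirectoryServices.ActiveDirectoryRights]

# Rights from Brian's list, as ActiveDirectoryRights flags: the ACL editor's "Read"/"Write"
# are GenericRead/GenericWrite, "Create/Delete All Child Objects" are CreateChild/DeleteChild,
# "Full Control" is GenericAll. Principals are matched on the part after "DOMAIN\".
$checks = @(
    @{ DN = "CN=AIA,$pks";                Who = 'Cert Publishers'; Need = 'GenericRead,GenericWrite,CreateChild,DeleteChild' },
    @{ DN = "CN=$CaComputer,CN=CDP,$pks"; Who = 'Cert Publishers'; Need = 'GenericRead,GenericWrite,CreateChild,DeleteChild' }
)
# CRL objects live under CDP\<computer>; the CA computer account needs Full Control on each.
try {
    $crls = Get-ADObject -Filter 'objectClass -eq "cRLDistributionPoint"' -SearchScope OneLevel `
                         -SearchBase "CN=$CaComputer,CN=CDP,$pks" -ErrorAction Stop
    foreach ($crl in $crls) { $checks += @{ DN = $crl.DistinguishedName; Who = "$CaComputer`$"; Need = 'GenericAll' } }
} catch { }   # container absent: the CDP\<computer> check below reports it

function Test-PkiAce {
    param([string]$Dn, [string]$Who, [string]$Need)
    try { $acl = Get-Acl -Path "AD:\$Dn" -ErrorAction Stop }
    catch {
        # A missing AIA or CDP\<computer> container is what the CA runs into when
        # publishing fails with "Directory object not found" (0x8007208d).
        return [pscustomobject]@{ Object = $Dn; Principal = $Who; Missing = 'OBJECT NOT FOUND' }
    }
    # Union of every Allow ACE for the principal; GenericRead etc. are just bit combinations,
    # so rights granted either as "Read" or as the individual property rights both count.
    $have = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -like "*\$Who") {
            $have = $have -bor [int]$ace.ActiveDirectoryRights
        }
    }
    $missing = [int]($Need -as $rightsType) -band (-bnot $have)
    [pscustomobject]@{
        Object    = $Dn
        Principal = $Who
        Missing   = if ($missing) { $missing -as $rightsType } else { 'none' }
    }
}

$checks | ForEach-Object { Test-PkiAce -Dn $_.DN -Who $_.Who -Need $_.Need } | Format-Table -AutoSize
```

Any row whose Missing column is not "none" points at the object and principal to repair; "OBJECT NOT FOUND" means the container itself has to be recreated before permissions can be set.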