Certificate Authority Problem.

Similar Messages

• Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

  Hello,
  I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
  Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
  Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
  * Note. No back ups to work with aside from whats mentioned below.
  DC had a virus infection causing a lot of issues on the shared network drives 2 days ago locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares which luckily had a back up. 
  The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
  "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
  Powershell on a computer that only has the Management Tools role installed."
  Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc  per instructions only to discover I couldnt relaunch it because there was
  no way how. So I copied another msc file that happened to be on the DC Server 1  back to Exchange Server 2 and got it to launch again. 
  Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer>Properties> Chage Settings > Change is greyed out because
  it is using the Certificate Authority Service.
  I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
  "The Trust Relationship between this workstation and primary domain failed."
  I tried running the Power Shell tools on Exchange Server 2 to rejoing and to reset passwords for domain accounts as noted in some other blogs but no luck as the Server 2 could not make the connection with Server1 or other errors it kept spitting out.
  I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
  I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
  https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
  and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
  Marty

  I recommend that you open a ticket with Microsoft Support before you break things more.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• How can I permanently accept a certificate without trusting its certificate authority?

  Hello,
  When I try to connect to a secure website for which the certificate is signed by an untrusted certificate authority, Firefox warns me, as expected.
  The problem is that I would like to add a permanent exception for this certificate, but the corresponding checkbox is disabled. Note that I do not want to add the certificate authority in my database but only the certificate of the website.
  Is there a way to allow an excpetion of this kind?

  Thanks for the suggestion, I should've mentioned I'd already tried that without success. I tried clearing everything in the Clear Recent History section actually but the certificate is still remembered.
  I've also just now tried deleting the certificates completely but not even that works - a little concerning. (:

• How to create certificate authority and configure it for IIS

  Hi
  I Install ADCS role in Server 2012 and configure it. but when i go to IIS and want to create domain certification , the select button is grey .i think i couldn't configure certificate authority correctly. how can fix this problem.
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
    Facebook:

  Thanks my problem was solved.
  But there is a problem after install IIS and ADCS , i restarted both server but didn't work ,but now(6 hours after restart) it work fine.
  another Question is after i select appropriate certificate authority ,when i click on finish it gives me the following error 
  "the certificate request was submitted to the online authority but was not issued the request was denied"
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
  Facebook:

• I am replacing a Domain Controller (Windows 2003 Server) with a 2012 box. Can I have the Certificate authority exist in both locations during the process?

  Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully? Will it impact the users in any way or cause problems?

  > Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully?
  no. You have to uninstall CA role before you uninstall Domain Controller role from existing server.
  this is why it is not recommended to keep CA role on domain controllers.
  Vadims Podāns, aka PowerShell CryptoGuy
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell File Checksum Integrity Verifier tool.

• How do I recover accidentally deleted Certificate Authority?

  Hi,
  Running Firefox 5 on Ubuntu 10.10 and while troubleshooting some other issues, I believe I have deleted a Certificate Authority accidentally. Because of this I cannot securely access Facebook or any https Google sites. I can, however, access Bank of America and other https sites no problem.
  Also, I can access these sites in Chrome without issue (but I prefer Firefox).
  I'm looking for a way to recreate or repopulate the CAs. I tried uninstalling/reinstalling Firefox but that didn't seem to work. I'm at the point where I feel like I'll have to reinstall the OS, but I don't want to get to that point if at all possible.
  Any ideas much appreciated.
  Regards,
  Joe

  Thanks for your helpful information! I think you just solved a similar problem I've been having for quite awhile.

• Certificate Authority - Custom Temp not showing up. W2k8R2ent

  Hi Guys,
  Couldn't see a forum for CA so I had to post it here. Hopefully its the right place.
  (Server is test domain 1 single ad no replication. Running Win 2k8 r2 enterprise)
  So here's the issue I am trying to create and export certificate for other users (eobo).
  It works fine. But I want to do this throught certreq and in order to do that i have to creat custom cert which i did by duplicating User template.
  The new template CopyOfUser i changed(of confirmed) following settings:-
  General Tab = Publish Cert in Active Directory
  Request Handling = Allow private key to be exported & Enroll subject without req any input
  Security : I am logging as domain administrator and it has  Read/Write/Enroll
  Issurance Req: This number of authorized signature = 1
  & Application Policy & Client Authentication.
  Subject Name : Build from AD (Fully Distinguished name)
  Selected boxes : Include email name / Email name / UPN
  Now problem is i cannot see the custom template on Enable Certificate Templates.
  I am very new to CA so I am sure i am missing something or doing something wrong.
  Would love some help.

  Hi,
  I’d suggest if the steps below doesn’t help to remove the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 standart) of windows
  and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:
  Open ADUC and check navigate to [Buildin > users > properties > members] and make sure the fallowing security groups are present.
    - Authenticated users
   - Domain Users
   - Interactive
  Open ADSI Edit and navigate to
  [Domain Naming context > DC=<DomainNAme>, DC=<DomainNAme> > CN=Users > CN=Cert Publishers > properties > security ]
   and give [Read] and [write]
  permissions to [Authenticated users] group
  Restart the CA.
  Check permissions on the CA:
  Open the [Certificate Authority] console and right click on [properties > Security] and add the fallowing permissions:
  [Authenticated Users]
  [V] Request Certificates
  [Domain Admins]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Enterprise Admins]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [Administrators]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Controllers]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Computers]
  [V] Read
  [V] Request Certificates
  Will appreciate if you give feedback if this has helped you. If yes please select “Mark
  as answer”.
  Best Regards,
  Spas Kaloferov
  MCITP: SA6 | EA6 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14 
  NetShell Services & Solutions | “Design the future with simplicity and elegance”
  Visit me at:
  www.spaskaloferov.com
  |
  www: www.netshell-solutions.com

• Devicelistx.asp The certificate authority is invalid or incorrect

  Hello
  After some modifications of the file "getdeviceip.asp", I at the following point:
  (1) If I leave the line "xmlhttp.open("GET ", protocol +"://" + callManager + "/CCMAdmin/reports/devicelistx.asp", false);"
  I receive the error
  msxml4.dll error ' 80070005 '
  Acc?s refus?. (Access denied)
  (2) If I replace:
  + callmanager +
  by:
  + "callmanager" +
  With callmanager + IP in my host file
  I receive the error
  msxml4.dll error '80072f0d'
  The certificate authority is invalid or incorrect
  An idea?
  Thank you

  Well, I have the same problem...
  I ask in other forums and emails, and some guy tell me this:
  As you probably already know, your error is coming from URLMON (not XMLHTTP), it is INET_E_SECURITY_PROBLEM.
  Trying to pass a username and password using the "Basic" authentication scheme (thats what you are doing right?) through URLMON by HTTP header will not work. MSXML will not set the user information this way. You should pass the username and password to the XMLHTTP.open method, rather than in a request header. See
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/html/52aaf5ff-e302-4490-821a-cb3a085fe5ee.asp
  However, also because "Basic" authentication is not generally encrypted, you should be using only SSL here.
  I change the code to:
  xmlhttp.Open "GET", "https://10.0.0.10/CCMAdmin/Reports/devicelistx.asp", False , userID, password
  But doesn't work... this is very frustrating...
  Without the IPs from the phones, we're very limitated...
  Jorge

• Certificate Enrollment Problem

   I have a Windows Server 2008 Enterprise Root CA with a different Windows 2008 Server running the Cert Enrollment website (ussing SSL).  Any certificate that I attempt to request (Vista or XP) results in:
  ============================================
  Your request failed. An error occurred while the server was processing your request.
  Contact your administrator for further assistance.
  Request Mode:
  newreq - New Request
  Disposition:
  (never set)
  Disposition message:
  (none)
  Result:
  The RPC server is unavailable. 0x800706ba (WIN32: 1722)
  COM Error Info:
  CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
  LastStatus:
  The operation completed successfully. 0x0 (WIN32: 0)
  Suggested Cause:
  This error can occur if the Certification Authority Service has not been started.
  =================================
  The Windows Firewall is off between the web enrollment server and the CA, but only 443 is open in to the web enrollment server from externally.
  What am I missing here?  This is rapidly becoming a showstopper.
  Thanks,
  BH

  I'm having a slightly related problem.  I have Certificate Services running on a Windows 2008 Enterprise Edition 64-bit.  I installed it as a Enterprise subordinate CA, using a certificate from the original enterprise CA.  It is set up as  I am trying to enroll a certificate on another computer.  When I use "Automatically Enroll and Retrieve Certificates",  I see the certificate I want.  However, when I try to enroll it I get the following error:
  The RPC server is unavailable.
  The certificate rquest could not be submitted to teh certificate authority
  There are no firewalls between the certificate authority and I tried using the certutil ping command as stated above and I got an 'is alive' reply from the CA.
  Any idea what my hang up could be?

• Error Starting Certificate Authority after upgrading in place from Server 2003 Enterprise (32 bit) to Server 2008 Enterprise (32 bit).

  Hope this is the place to seek help with Active Directory Certificate Services.  We recently upgraded in place an issuing CA in our lab from 2003 to 2008 and the upgrade of the OS was successful but the CA service now will not start. 
  The error is:
  Error 0xc8000222 (ESE: -546)
  More info.  We did stop the CA service prior to doing the upgrade.

  Answering my own question with the hopes to help someone else. 
  The problem has something to do with the logs for the certificate database.  There is some sort of a format conflict after upgrading to 2008.
  To get around this error, and get the Certificate Authority service to start, remove all the logs from the C:\Windows\system32\CertLog directory that should be where your .edb database file lives, leave the database file there
  This worked for us on three of four of our CA servers, the other one had a database that went down in a dirty state, so we had to use ESEUTIL utility to fix the database.
  NOTE: there is no ESEUTIL utility on the CA servers, so we had to copy our database to an Exchange server in our test lab, then run ESEUTIL /MH to see what the Status is, it may say Dirty or Clean, then we ran ESEUTIL / P (P for Repair, go figure I know
  right) anyway that fixed the database, so we copied it back over to the CA and started the service
  hope this helps some of you out, we have a case opened with Microsoft Technical Support on this issue and will update this thread with their feedback as well once they get back to us (it has been a week already)

• Heartbleed: Remove Certificate Authority from iOS device

  Hi,
  I am in the process of changing SSL certificates after the Heartbleed bug. As I wasn't able to find a reliable cross platform way to revoke my internal certificates (e.g. Chrome doesn't check CRLs), I'm planning to reissue new certificates based on a new internal certificate authority (CA) and to remove the old CA from all systems. This should render all previous certificates as untrusted.
  This is easy for Linux, Windows and OS X, but how can I do this for iOS 7 devices? I believe the CA certificate was originally deployed to the iOS devices through a configuration profile. However, when I go to Settings > General > Profiles, there is no such profile listed. The iOS Safari shows my internal HTTPs pages without certificate warnings, thus the device must somehow have remembered that CA as trustworthy.
  Here are my questions:
  How can I view and/or modify the trust settings of CAs on iOS 7 devices?
  Where did the configuration profile with the CA go (I know that's a little weird to ask here) and why is the CA still active?
  Why are internal Https pages still trusted even if there is no configuration profile for that?
  This absolutely puzzles me! I always thought that for a custom CA to be active on a iOS device a configuration profile was required to be present. But that does not seem to be the case.
  Thanks for your help!

  The workaround seems to be the following:
  Go to the iPhone Configuration Utility
  Install the profile (again)
  Go to your iPhone and deinstall the profile that was just installed in Settings > General > Profiles
  Certificates signed by that authority are not trusted anymore.
  I consider this to be a major security problem in iOS if there is a way that profiles enable CAs and then get lost sometime later (maybe through an iOS upgrade?).

• Rename Certificate Authority

  I would like to rename my CA server. I know that if you back and restore the CA it has to be the same name (or you have tons of problems), but can you change the name of the server after it is restored? Is there something that will bite me if I do? My current
  CA is on Windows 2008 and I will upgrade to R2 soon, but I wanted to rename before I do, assuming that there is no big deal doing that.
  SnoBoy

  Can somebody help me, I renamed my domain controller without realizing it was a certificate authority. Can I just rename it back??? Now I am getting these errors in the event log:
  Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location on server mydomain.local:
  ldap:///CN=mydomain-DOMAINCONTROLLE-CA,CN=mydomain,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local.  Directory object not found. 0x8007208d (WIN32: 8333).
  ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
       'CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local'
  The reason we renamed it in the first place was because the original
  host name had more than 15 characters and was breaking Hyper-V integration.
  Note: i am in no way an experienced Windows admin so please be nice:)

• Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

                     Dear All,
  i have the folloing case :
  i am using ASA as Certificate authority for cisco anyconnect VPN users,the authentication happens based on the local database of the ASA,
  i want to issue a new certificate every 72 hours for the users ,and i want to send the one time password via email to each user.
  so what the setting of the mail and smtp server should be ,
  was i understand i should put my smtp server ip address then i have to create the local users again under(Remte VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time passsword to them via their emails.
  i sent the email manually ,hwo can automate sending the OTP to our VPN users automatically vi their emails?
  Best regards,

  Thanks Jennifer.
  I did manage to configure LDAP attribute map to the specific group policy.
  Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
  Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
  Example: let say my username is LLH.
  Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
  Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
  Only me know the preshared key and only me can login with my Connection Profile.
  Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
  Example:
  AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
  Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
  Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
  I hope above description can paint the scenario clearer.
  Thanks in advance for all the help and comment given.

• Certificate Authority chain issue

  Hello,
  I have a problem with using root and sub Certificates in our PKI environment. Specifically, I have a problem with the way the Java implementation of certificates is working in our environment.
  We use Entrust as our external Certificatation Authority. We are a predominantly Microsoft environment and have implemented PKI for user accounts and Smartcard logons across our domain. Our certificates are generated under Entrusts certificatation authority and we have added their DCOMROOTCA and DCOMSUBCA (Root and Subordinate) certificates to our trusted root certification Authorities store for all MS clients. Entrust have recently reissued their DCOMROOTCA and DCOMSUBCA certificates and we have included those new certificates in our trusted root certification Authorities store. The old Entrust certificates are still valid and dont expire for another 2 years. Our PKI environment and authentication continues to work as normal in an MS environment.
  In a Windows environment which is using Microsoft’s implementation of certificates, a smart card which was issued under Entrust’s old root certificate will successfully authenticate with a certificate issued under Entrusts’s new root certificate.
  I am having a problem with VMWare View. VMWare View is a Web interface broker server which uses Java’s implementation of certificate security, ie uses keytool.exe and cacerts as its trusted certificate store. I have secured the web interface with a certificate issued under Entrust’s new root certificate. I am trying to authenticate with a smart card which has been issued with a certificate under Entrust’s old root certificate. This has not been successful. I have imported the old DCOMROOT and DCOMSUB certificates and the new DCOMROOT and DCOMSUB certificates into the cacerts file. The client (a Wyse Terminal) also has the old and new DCOMROOT and DCOMSUB certificates in its trusted store. When I attempt to logon I get the following event in the logs on the Web interface broker server:
  16:54:18,789 DEBUG <pool-1-thread-17> PooledProcessor SSL handshake exception from /10.42.2.138:2867, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
  If I reissue the Smartcard with a new certificate which has been generated under Entrust's new root and sub certificates I am able to successfully authenticate.
  The conclusion I can draw from this is that Java certification (at least in the way I have set it up) breaks if a new issuing certificate is being used to generate a certificate to secure the Web interface and an old issuing certificate is being used on a smart card / client.
  Does this sound correct? Is this a known issue or have I not imported or setup up the certificate chains correctly?
  Any advice would be most welcome.
  Many thanks,
  Ben

  Hi,
  thanks for your reply.
  Here is some more from the log. The log has some VMWare specific entries.
  10:44:41,337 DEBUG <pool-1-thread-7> [PooledProcessor] SSL handshake exception from /10.42.2.134:1104, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
  10:44:41,462 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=11, availableVMs=11, zombieVMs=0, busyVMs=0, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=20, vmMinimumCount=10, vmHeadroomCount=5, customizingVMs=0
  10:44:41,462 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int::Control path is vmHeadroomCount-stop as availableVMs(11) > vmHeadroomCount(5)
  10:44:41,478 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) Not stopping VMs as policy is ALWAYSON, REMAINON or DELETEONUSE
  10:44:41,478 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int
  10:44:41,963 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=10, availableVMs=9, zombieVMs=0, busyVMs=1, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=20, vmMinimumCount=10, vmHeadroomCount=5, customizingVMs=0
  10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int::Control path is vmHeadroomCount-stop as availableVMs(9) > vmHeadroomCount(5)
  10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) Not stopping VMs as policy is ALWAYSON, REMAINON or DELETEONUSE
  10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int
  10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=6, availableVMs=6, zombieVMs=0, busyVMs=0, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=0, vmMinimumCount=0, vmHeadroomCount=0, customizingVMs=0
  10:44:42,713 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Peer unverified
  10:44:42,713 DEBUG <Thread-19> [SimpleAJPService] (Request128) SimpleAJPService request: /broker/xml
  10:44:42,728 DEBUG <TP-Processor3> [XmlAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter
  10:44:42,744 DEBUG <TP-Processor3> [XmlRequestProcessor] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) read XML input
  10:44:42,744 DEBUG <TP-Processor3> [XmlRequestProcessor] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) added: configuration
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for disclaimer
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for SecurID
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for gssapi
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against gssapi
  10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for cert-auth
  10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
  10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against cert-auth
  10:44:42,775 DEBUG <TP-Processor3> [CertificateAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Client did not use Certificate Authentication, skipping or failing
  10:44:42,775 DEBUG <TP-Processor3> [CertificateAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Failing Certificate authentication, bypassing for OPTIONAL mode
  10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for windows-password
  10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
  10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against windows-password
  10:44:42,775 DEBUG <TP-Processor3> [WinAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting authentication against AD
  10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Not authenticated, requesting login page for windows-password
  10:44:42,791 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) AuthorizationFilter: XML Authorization Filter in doFilter()
  10:44:42,791 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) paeCtx == null, forwarding to login page: /broker/xml
  10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Start processing: configuration
  10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Processing: configuration
  10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Finished processing: configuration, Result: ok
  10:44:42,806 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) End processing: configuration
  Many thanks again,
  Ben

• Certificate authority is not installed

  Hi
  SBS 2011 std.
  In Fix My Network wizard I am getting 'certificate authority is not installed' and the wizard is unable to fix the problem. I have checked and Active Directory Certificate Services is installed under Roles.
  How can I fix this please?
  Thanks
  Regards

  Hi,
  Looks like a corrupt package, please follow
  Uninstall the CA server role
  1. On the server that is running SBS 2011 Essentials, click  Start , point to Administrative Tools , and then click Server Manager .
  2. Right-click Roles , and then select Remove Roles .
  3. On the Before You Begin page, click Next .
  4. Click to clear the Active Directory Certificate Services check box, and then click Next .
  5. On the Confirm Removal Selections page, click Remove .
  6. Click Close , and then restart the server.
  7. After the server restarts, click Close when you are prompted by a message that reads
  Removal Succeeded.
  Reinstall the CA server role
  1. On the server, click Start , point to Administrative Tools , and then click Server Manager .
  2. In the Roles Summary section, click Add Roles .
  3. On the Before You Begin page, click Next .
  4. On the Server Roles page, select Active Directory Certificate Services , and then click Next .
  5. On the Introduction to Active Directory Certificate Services page, click Next .
  6. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment , and then click Next .
  7. On the Specify Setup Type page, select Standalone , and then click Next .
  8. On the Specify CA Type page, select Root CA , and then click Next .
  9. On the Set Up Private Key page, select Use existing private key , select Select a certificate and use its associated private key option, and then click Next .
  10. On the Select Existing Certificate page, select the <Server_Name> -CA certificate, and then click Next .
  Note In this certificate name item, < Server_Name> is the name of the destination server.
  11. On the Configure Certificate Database page, accept the default locations, and then click Next .
  12. Confirm your selections, and then click Install .
  13. When the wizard is finished, click Close , and then restart the server.
  14. At an elevated command prompt, run the following commands:
  • CertUtil -setreg CA\ValidityPeriod Years
  • CertUtil -setreg CA\ValidityPeriodUnits 30
  Verify the installation
  1. Click Start , point to Administrative Tools , and then click Certification Authority .
  2. Right-click the server name, and then click Properties .
  3. Click the Extensions tab.
  4. In the list that is displayed, click <a href="http:///CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl">http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl .
  5. Make sure that the following options are selected:
  • Include in CRLs. Clients use this to find the Delta CRL location .
  • Include in the CDP extension of issued certificates .
  6. Click OK to save your changes.
  7. When you are asked to restart Active Directory Certificate Services, click Yes .
  8. Close the Certification Authority screen.
  Add the server and the clients to the Dashboard
  1. Locate the following folder: C:\Program Files\Windows Server\Bin\ .
  2. Right-click the Wsspowershell.exe file, and then click Run As Administrator .
  Note A new window that runs PowerShell opens.
  3. In the PowerShell windows, type Add-WssLocalMachinecert .
  4. Rerun the connector installation on all client computers. For more information about how to install the client connector, see How do I connect compu
  Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.