Certificate Authority Web Enrollment - CSP states loading

Hello,
I have set up an enterprise sub CA (the root is offline).
I have been able to issue certificates, but I did not have the Web Service, Policy Web Service or the Web Enrollment turned on.
I turned them on yesterday, and when I visit the website and click Create and submit a request to this CA, it takes me to the next page where I can request a certificate. I created a duplicate template for the User Certificate and made it available.
I see it in the drop down, however under key options, CSP just says loading. I went to this site: http://support.microsoft.com/kb/939290 and followed the instructions. Active Scripting is enabled and it still continues to state loading.
I am at a complete loss as to what the problem might be. Event logs on CA server are clean, no errors or warning.
Any suggestions?
Update: I tried to get to the site from the actual CA server and it displays "The Web site is attempting to perform a digital certificate operation on your behalf", etc...
And it populated the CSP.
I tried it from another server and it worked.
I tried it from another workstation and it shows loading in the CSP.
Has anyone run into this issue?

Hi,
As this works on one of your servers, do all your workstations have this issue?
Certificate Enrollment Web Services client computers must be computers running at least Windows 7 or Windows Server 2008 R2 operating systems. To utilize key-based renewal, client computers must be running at least Windows 8 or Windows Server 2012 operating systems.
Please follow the below article for more details:
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
Regards,
Yan Li

Similar Messages

  • Certification Authority Web Enrollment Install Error

    Hello
    We have moved our certification authority from "Windows Server 2008" to "Windows Server 2008 R2" according to this blog entry:
    http://www.scottfeltmann.com/index.php/2010/03/02/move-root-ca-from-w2k3-to-w2k8/
    It works perfectly.  After that we wanted to install "Certificate Authority Web Enrollment" in Server Manager, but the following error appears:
    "Cannot install Certification Authority Web Enrollment, Active Directory Certificate Services setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)"
    Thanks for any help!
    Regards
    netbit

    Hello Marcin
    Thanks for your answer. The CA is now on a single server without any roles installed.
    There are no events in the eventvwr for this error or anything else.
    Just for clarification: If I try to select "Certificate Authority Web Enrollment" in the servermanager the error appears:
    Screenshot: http://giezi.com/public/servermanager-error.PNG
    Thanks!
    Regards
    Reto

  • Usefulness of Certification Authority Web Enrollment?

    If a deployment has Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service installed is there still a need for Certification Authority Web Enrollment?  This Windows Server 2012 CA design has an offline root CA, two Enterprise Subordinate CAs in a cluster, and two web servers hosting AIA/CDP/OCSP/CES and CEP behind a load balancer.  There is also a standalone NDES server.
    Thanks

    Starting with Windows Server 2008, web enrollment became useless as it allows only user certificates, therefore you should avoid web enrollment installation whenever it is possible. As for CEP/CES, there is a dependency that only Windows 7+ supports it.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new:
    PowerShell FCIV tool.

  • Move Certification Authority Web Enrollment to new server issue.

    Hello, 
    I'm trying to move the Certification Authority Web Enrollment from one server to a new one. I've got a fully functional server where I can enroll any certificate I want and everything is working properly.
    On the new server I configured, I'm facing a problem that seems to be an impersonation issue. Indeed, while I try to enroll a certificate I get the following error msg from the interface:
    Request Mode:
    newreq - New Request 
    Disposition:
    (never set) 
    Disposition message:
    (none) 
    Result:
    The RPC server is unavailable. 0x800706ba (WIN32: 1722) 
    COM Error Info:
    CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722) 
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0) 
    Suggested Cause:
    This error can occur if the Certification Authority Service has not been started. 
    And I can also see on the CA it targets the following application error event:
    Event 18209, ComRuntime:
    The application-specific permission settings do not grant Local access permission to the COM Server application C:\Windows\system32\certsrv.exe with APPID {D99E6E74-FC88-11D0-B498-00A0C90312F3} to the user NT AUTHORITY\ANONYMOUS LOGON SID (S-1-5-7) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    When I register a certificate on the server where it all works fine, I can see an event in the Security log on the CA that authenticates the user I generate the certificate with, whereas with the server where it does not work, all seems to be anonymous.
    IIS configurations are identical on both servers and the delegation has been set identically too (ADUC object).
    Any idea what I could check next?

    Hi,
    Regarding event 18209, please follow steps from this article below to assign access permissions for the user mentioned in the event message:
    Event ID 18209 — COM Security Policy Configuration
    http://technet.microsoft.com/en-us/library/cc726319(v=WS.10).aspx
    Best Regards,
    Amy

  • Server 2008 R2 Certificate services web enrollment

    Not sure if this is the right place for this, but here goes.
    Upgraded a domain to 2008 R2. Migrated certificate services to 2008 R2 Enterprise root on a member server.
    Autoenrollment works fine
    Requesting cert from the MMC using certificates snapin works fine
    Requesting a cert via the web https://servername/certsrv gets the following error;
    Active Directory Certificate Services denied request 12345 because the request subject name is invalid or too long 0x80094001 (-2146877439)
    Error constructing or publishing certificate.
    I created a new cert template and did NOT check use Active Directory for subject name as templates with this checked do not show up in the web enrollment interface.
    I have enabled this template for enrollment and gave users rights to enroll.
    They are clicking advanced in the web interface as they want a computer cert.
    For the subject name, they enter computername.domain.local
    Based on searches I've done on the InterWeb, permissions APPEAR to be correct.
    Again, Autoenroll and MMC work just fine. Appears to be confined to only web.

    They are clicking advanced in the web interface as they want a computer cert.
    For the subject name, they enter computername.domain.local
    Be aware that the web enrollment pages do not support computer certificates and you need to issue the certificate to the user and import it to the computer store
    /Hasain

  • Certification Authority Web Enrollment

    Can I install one CAWE role (proxy) to be used as web pages for more than one CA?

    No, it is not supported.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell File Checksum Integrity Verifier tool.

  • No Templates Found in Web Enrollment

    Hi All,
    I have installed an Offline Standalone Root CA with Enterprise SubCA. I got success in publishing the CDP and AIA files manually but when I am trying to issue certificates through Web Enrollment I get the error "No Template Found". I added a new app pool and still it is giving me the same error. (http://msunleashed.wordpress.com/2011/11/21/no-certificate-templates-could-be-found-on-certsrv/ ). I did check for the path in the DNS hostname for the Certification Authority and it is same as the certdat.inc file in the "%systemroot%\system32\certsrv" folder on the Certification Authority ( http://support.microsoft.com/kb/811418 ). I do see an error in the CDP location when I open the PKI view and I did change the User Authentication and rebooted the IIS but of no use.
    Another thing is that each time I request for certificates I see Error 66 in the AD Server Manager
    Kindly do assist.
    Thanks
    Aj

    A couple of things.
    1) Since the root is offline, you can't publish to AD. So copying it to the forest is the first step. To publish the info, you need to be logged in as an Enterprise Admin since the publishing is going to the configuration container.
    2) In order for the CRL to be properly, and easily published, you should define the DSConfigDN in the CA properties on the root. This is in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name> registry key. Once configured, restart ADCS on the root and create a new CRL. Copy that to your AD forest and run the following command. Note the "-f" that is needed to create the object the first time.
    certutil -dspublish -f "<CRL FILE NAME.crl>"
    3) If the Subordinate CA was properly installed and configured it will publish its own information to AD automatically.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Certificate authority is not installed

    Hi
    SBS 2011 std.
    In Fix My Network wizard I am getting 'certificate authority is not installed' and the wizard is unable to fix the problem. I have checked and Active Directory Certificate Services is installed under Roles.
    How can I fix this please?
    Thanks
    Regards

    Hi,
    Looks like a corrupt package, please follow
    Uninstall the CA server role
    1. On the server that is running SBS 2011 Essentials, click Start, point to Administrative Tools, and then click Server Manager.
    2. Right-click Roles, and then select Remove Roles.
    3. On the Before You Begin page, click Next.
    4. Click to clear the Active Directory Certificate Services check box, and then click Next.
    5. On the Confirm Removal Selections page, click Remove.
    6. Click Close, and then restart the server.
    7. After the server restarts, click Close when you are prompted by a message that reads Removal Succeeded.
    Reinstall the CA server role
    1. On the server, click Start, point to Administrative Tools, and then click Server Manager.
    2. In the Roles Summary section, click Add Roles.
    3. On the Before You Begin page, click Next.
    4. On the Server Roles page, select Active Directory Certificate Services, and then click Next.
    5. On the Introduction to Active Directory Certificate Services page, click Next.
    6. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment, and then click Next.
    7. On the Specify Setup Type page, select Standalone, and then click Next.
    8. On the Specify CA Type page, select Root CA, and then click Next.
    9. On the Set Up Private Key page, select Use existing private key, select Select a certificate and use its associated private key option, and then click Next.
    10. On the Select Existing Certificate page, select the <Server_Name>-CA certificate, and then click Next.
    Note: In this certificate name item, <Server_Name> is the name of the destination server.
    11. On the Configure Certificate Database page, accept the default locations, and then click Next.
    12. Confirm your selections, and then click Install.
    13. When the wizard is finished, click Close, and then restart the server.
    14. At an elevated command prompt, run the following commands:
    • CertUtil -setreg CA\ValidityPeriod Years
    • CertUtil -setreg CA\ValidityPeriodUnits 30
    Verify the installation
    1. Click Start, point to Administrative Tools, and then click Certification Authority.
    2. Right-click the server name, and then click Properties.
    3. Click the Extensions tab.
    4. In the list that is displayed, click http://<ServerDNSName>/CertEnroll/<CaName><CRLNAMESUFFIX><DELTACRLALLOWED>.crl.
    5. Make sure that the following options are selected:
    • Include in CRLs. Clients use this to find the Delta CRL location.
    • Include in the CDP extension of issued certificates.
    6. Click OK to save your changes.
    7. When you are asked to restart Active Directory Certificate Services, click Yes.
    8. Close the Certification Authority screen.
    Add the server and the clients to the Dashboard
    1. Locate the following folder: C:\Program Files\Windows Server\Bin\.
    2. Right-click the Wsspowershell.exe file, and then click Run As Administrator.
    Note: A new window that runs PowerShell opens.
    3. In the PowerShell window, type Add-WssLocalMachinecert.
    4. Rerun the connector installation on all client computers. For more information about how to install the client connector, see How do I connect compu
    Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

  • Certificate template based on Server Authentication not showing in Web Enrollment

    Hi,
    I have a test lab with a certificate authority and web enrollment on the same servers. I have made a certificate template with all permissions (read, enroll, etc etc) set to "authenticated users".
    However, when I go to certificate enrollment and choose advanced deployment, I do not see this cert template (which is set to be published in AD).
    I've given the CA machine account full access to the cert template (read/enroll/auto-enroll, etc)
    I've started IE with "run as administrator" even though my logged on user is a domain admin and thus local admin on the server
    Selected Supply in the request in the certificate.
    Please advise

    After you created the template, did you add it to the CA? (right click Templates folder/New/Template to issue)
    You mentioned the template was "set to be published in AD". Hopefully you don't mean the checkbox on the template itself that says "Publish to Active Directory". This means the public key will be published to AD when a certificate based on this template is issued. This will bloat your AD database over time. All templates you create are automatically stored in AD. Be careful when using this checkbox.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • How to load the certificate authority into the keystore for the weblogic8.1

    how to load the certificate authority into the keystore for the weblogic8.1
    ==================================================
    Getting the message below when trying to import the certificate to the weblogic 8.1 web server. Received this certificate from our internal IT certificate authority. Trying to import the certificate to our test system.
    ===================================================
    keytool error: java.lang.Exception: Failed to establish chain from reply
    Import failed. Verify that the Certificate Authority that signed 'certi.pem'
    has been loaded into your keystore 'keystore\pskey'
    To view keystore contents issue 'PSkeymanager -list -keystore keystore\pskey [-v
    To preview a certificate file issue 'PSkeymanager -previewfilecert -file certi.pem'

    You need to populate that field using cmod code. Find out from which table that field is and go to transaction cmod then enter project name and select component radio button then display.
    Now select the FM EXIT_SAPLRSAP_001 if your datasource is transactional datasource
    EXIT_SAPLRSAP_002 for master data attribute
    EXIT_SAPLRSAP_003 for Hierarchies
    EXIT_SAPLRSAP_004 for text
    then populate code .
    After your code then delete data from ods then reinit to populate the enhanced field.
    Hope it helps..

  • "No certificate templates could be found..." error using web enrollment on Win2k8 R2 Enterprise SubCA

    Hi Folks,
    I have installed an online issuing CA running on Win2k8 R2 Enterprise, and installed the web enrollment role service on it.
    I have duplicated two computer certificate templates (computer & web server) on our DC's, modified them as Win2k3 templates, made some changes and saved them, then published them on the CA by selecting New -> Certificate Template to issue. The templates have read and enroll permissions set for domain admins and domain computers (my account is a domain admin). I can successfully enroll for them using the certificates MMC.
    When connecting to https://myca.mydomain.com/certsrv however, the page loads. I click on 'Request a certificate', then 'Create and submit a request to this CA'. I see a warning indicating that this website is attempting to perform a digital certificate operation on my behalf, so I click yes. Immediately after doing so, I get the error:
    "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."
    I have spent about 2 hours searching on this error and found at least 50 people complaining of this, but no real solutions. Here is what I have tried with no success:
    1) http://support.microsoft.com/kb/811418. Everyone references this solution, but it hasn't worked for anyone. The string values and cases are the same for me.
    2) Enabled SSL on the certsrv website.
    3) Set the authentication on the certsrv site to enable integrated authentication and disabled anonymous authentication.
    4) Created a separate application pool running under the Network Service then set the Certsrv application to run under it.
    I should note that this exact same condition occurred in my lab install, but rather than waste time trying to fix it in the lab, I just went ahead with the production install, only to experience the same problem, so apparently web enrollment is just broken out of the box on 2k8 R2 Enterprise.
    Does anyone have any idea how to get this working as advertised? Thanks for any help,
    Ian

    It appears to be an issue in Server 2012R2 as well.
    In our case, a new two tier PKI setting is implemented on two Windows Servers 2012R2. After the installations and configurations were completed, I was unable to load certificate templates when requesting a certificate on the Web interface.
    The issue was that the pass-through authentication did not work in IIS with the standard Application Pool Identity.
    The solution was as follows:
    1. Changed the NTFS permissions on the certsrv virtual directory in IIS (C:\Windows\System32\CertSrv\en-US), by adding a (domain) user account with read and list permissions.
    2. In IIS CertSrv > Basic Settings > Connect as - select "Specific user:" and set the newly created user with the username and password.
    3. Tested in Basic Settings with - "Test Settings" button and both Authentication and Authorization were successful.
    4. Request certificate from Web interface and the templates are available.
    Note: You must have a certificate in the Templates store which you have duplicated from the Templates available.

  • Secured Sybase Web Service with outside certificate authority

    Hello,
    I would like to use Secured Sybase Web Service with outside certificate authority, like Symantec. Could you let me know how I can create CSR for sending to Symantec? What other steps do I need to do?
    Thanks,
    Sudarat.

    Hello Jason,
    Thanks for your reply. The certificate authority requires the CSR file before issuing a signed certificate. If this is a signed certificate for IIS web server, I can create CSR from IIS. But I cannot use a signed certificate created from CSR of IIS with Sybase Web Service. The below steps are what I have tried.
    1. I use CreateCert.exe with /r parameter to create CSR and private key.
    2. I sent CSR to a certificate authority and they send back a signed certificate.
    3. I have to combine a signed certificate from #2 with private key created from #1. Then use that file to specify with -xs{https …when starting the service.
    Are the above steps what I have to do?  If so, do I need to redistribute createcert.exe to my customers who want to use my application and how? Why can I not use the signed certificate created from CSR of IIS?
    Thanks,
    Sudarat.

  • Request certificate for Linux client - web enrollment

    "Internet Explorer cannot run in the local computer's security context; therefore, users can no longer request computer certificates by using Web enrollment."
    https://technet.microsoft.com/en-us/library/cc732517(WS.10).aspx
    Does this mean that we cannot submit a request for a web server certificate via the web interface on behalf of a Linux based web server?
    If so, what recourse do we have? Must we use the command line?
    http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx
    Of course, Group Policy and auto-enroll is not an option either.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Web Enrollment no longer supports direct certificate enrollment to local machine or smart card store. You have to generate the certificate request outside of web enrollment. Though, you can submit a pregenerated request via web enrollment pages.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell File Checksum Integrity Verifier tool.
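
The approach described in the answer above (generate the request outside web enrollment, then submit it), as an added example that is not part of the original thread: a POSIX shell script that builds the key and PKCS#10 request on the Linux web server with the OpenSSL command line. The host names are constructed placeholders, and it is an assumption that the CA's template accepts a subject and SAN supplied in the request.

```sh
#!/bin/sh
# Added example (not from the thread): create the key pair and PKCS#10 request
# on the Linux web server itself, so only the request travels to the CA.
set -eu

# valid_name NAME: accept plain DNS host names only, because the name is
# written into an OpenSSL config file below (wildcards are rejected too).
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# make_csr FQDN OUTDIR [ALT_NAME...]
# Writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr and prints the CSR path.
# The body runs in a subshell so umask and variables stay local.
make_csr() (
    fqdn="$1"; outdir="$2"; shift 2
    san=""
    for name in "$fqdn" "$@"; do
        valid_name "$name" || { echo "invalid host name: $name" >&2; exit 1; }
        san="${san:+$san,}DNS:$name"
    done

    umask 077                      # key, CSR and temp config readable by owner only
    cnf="$(mktemp)"
    cat >"$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = $san
EOF
    openssl genrsa -out "$outdir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/$fqdn.key" -config "$cnf" -out "$outdir/$fqdn.csr"
    rm -f "$cnf"
    printf '%s\n' "$outdir/$fqdn.csr"
)

# csr_summary CSR: fail unless the request's self-signature verifies, then
# print the subject and the requested SAN list for review before submission.
csr_summary() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -subject -nameopt RFC2253
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Stand-alone use (constructed names):
#   ./make-csr.sh web01.example.test /etc/ssl/private www.example.test
if [ "$#" -ge 2 ]; then
    csr_summary "$(make_csr "$@")"
fi
```

The PEM text of the resulting .csr file is what gets pasted into the web enrollment page that accepts a pregenerated request; the .key file stays on the Linux host.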

  • Certificate Authority Windows 2008 to 2012 R2 - Clean up and Migration

    Hello,
        I'm currently dealing with the following scenario:
    1. I've inherited the current infrastructure setup and the plan is to clean things up and setup a new certificate infrastructure using Windows 2012 R2.
    2. The current setup:
        a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority.  It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time.  It also has an expired certificate for itself - issued by the domain's issuing CA - and attempts to renew it via MMC give a "Server execution failed" and STATUS: Failed when looking in Certificate enrollment for Domain Controller.  We'll call the server, DC1.
        b. Certificate Authority Server, we'll call it CERT1.  When booting up the machine and/or attempting to restart certificate services on the server, the following errors are in the event log:
    EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
    EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Domainlocal Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
    EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
    Note:  The server's computer certificate has expired and it was issued by the Domain Controller mentioned in point A.  Attempts to renew it fail.
    (The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0  however an upgrade wasn't done and it's not old versions of Windows.)
    c. There is a certificate authority machine - part of what was created for a PKI infrastructure - that was kept shutdown.  I've powered it up and the machine is not part of the domain.
    Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 Certificate infrastructure would be appreciated.
    Thanks!

    Hi Vadims,
        Basically using certificates in the following manner:
    1. User / Computer enrollment in the AD domain.
    2. Any hardware / web services (internal) that need a certificate.  This is usually hardware that has some form of GUI that is accessed via URL, printers accessed via URL and/or that communicate via LDAP to AD, internal UC (Lync is an example), that sort of thing.
        A number of machines currently show certificate errors (i.e. certificate has expired) however that hasn't stopped things from working, just functioning differently.  I'm going already on the assumption that if I remove the entire CA infrastructure and re-install a new one and have everything point to that new CA server that I should be ok but I'm not 100% certain, hence why I asked on this forum.
    Also, you're correct in that there is one more CA.  That CA was the server that was turned off/offline that I powered on.  It is not part of the AD domain that the domain controller and the other CA belong to.  (It is standalone.)  I'm currently patching the standalone CA since it's been off for what looks like almost 1.5 years.

  • Web Enrollment (certsrv) gives HTTP 500.19

    I am attempting to implement an Enterprise CA including web enrollment.  I have installed the role and role services, and the CA appears to function.  However, I receive HTTP error 500.19 when trying to browse the /certsrv virtual directory:
    Module
    IIS Web Core
    Notification
    BeginRequest
    Handler
    Not yet determined
    Error Code
    0x80070003
    Config Error
    Cannot read configuration file
    Config File
    \\?\C:\Windows\system32\CertSrv\en-US\web.config
    Requested URL
    http://server11.tec.local:80/certsrv
    Physical Path
    C:\Windows\system32\CertSrv\en-US
    Logon Method
    Not yet determined
    Logon User
    Not yet determined
    I receive HTTP 500 in all browsers, and the above when browsing localhost/certsrv.  I have researched and made many attempts to fix this, without luck.  I've modified NTFS ACLs on the system32\CertSrv directory and subs, recreated the virtual directory with certutil -vroot, edited application pool settings, all to no avail.  The part that strikes me as an obvious problem is the lack of any web.config file in \en-US, which the error points to.  However, as I said, I have recreated the directory with certutil after clearing out the IIS virtual directory.
    The server itself is a domain controller running Server 2008 R2 Enterprise SP1.  It runs DNS and all FSMO roles.  It also runs DHCP, file and print services, RDS Licensing (and Citrix licensing), and AD DS & CS as mentioned.  There is another server in the environment running Server 2003 SP2.  This is the "old" domain controller, which is also a certificate authority.  I am configuring AD CS for the purpose of being able to decommission the old server.  ADCS seems to be otherwise functioning, so I am hoping to avoid removing the role service itself.
    Any thoughts?
    (I previously posted this in Directory Services and was told to move it here)

    It is not an IIS problem from my perspective.  IIS is only being used for the purpose of certificate enrollment, and the default web site IIS 7 logo loads fine.  It is specifically the web.config for the Web Enrollment site that IIS reports it cannot find.
    That article does not (or should not) apply to this scenario since the physical path is local, not a UNC path.  Although the "\\?\C:\Windows\system32\CertSrv\en-US\web.config" path is confusing to me.
    Anyway, since configuring AD CS is the only reason there even is an IIS web site, something has to be wrong or have gone wrong somewhere in the role/role service setup.  There were no IIS web sites prior to configuring ADCS, and I have gone as far as deleting the entire web site and recreating it and the AD CS sites.
    Edit: For reference, here is the relevant (slightly obscured) section I see in the web site's web.config file:
            <sites>
                <site name="Default Web Site" id="1" serverAutoStart="true">
                    <application path="/" applicationPool="Default Web Site">
                        <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
                        <virtualDirectory path="/CertEnroll" physicalPath="C:\Windows\system32\CertSrv\CertEnroll" logonMethod="Network" />
                    </application>
                    <application path="/ocsp" applicationPool="OCSPISAPIAppPool">
                        <virtualDirectory path="/" physicalPath="C:\Windows\SystemData\ocsp" />
                    </application>
                    <application path="/COMPANY-DC1-CA_CES_UsernamePassword" applicationPool="WSEnrollmentServer">
                        <virtualDirectory path="/" physicalPath="C:\Windows\SystemData\CES\COMPANY-DC1-CA_CES_UsernamePassword" />
                    </application>
                    <application path="/CertSrv" applicationPool="Default Web Site">
                        <virtualDirectory path="/" physicalPath="C:\Windows\system32\CertSrv\en-US" logonMethod="Network" />
                    </application>
                    <bindings>
                        <binding protocol="http" bindingInformation="*:80:" />
                        <binding protocol="https" bindingInformation="*:443:" />
                    </bindings>
                </site>
            </sites>
