Cs 6.3 fails to create certificate authority

Similar Messages

• How to create certificate authority and configure it for IIS

  Hi
  I Install ADCS role in Server 2012 and configure it. but when i go to IIS and want to create domain certification , the select button is grey .i think i couldn't configure certificate authority correctly. how can fix this problem.
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
    Facebook:

  Thanks my problem was solved.
  But there is a problem after install IIS and ADCS , i restarted both server but didn't work ,but now(6 hours after restart) it work fine.
  another Question is after i select appropriate certificate authority ,when i click on finish it gives me the following error 
  "the certificate request was submitted to the online authority but was not issued the request was denied"
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
  Facebook:

• Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER]

  SCCM 2012 has been successfully installed on the server:
  SRVSCCM.
  The database is on SQL Server 2008 R2 SP1 CU6 Failover Cluster (CLS-SQL4\MSSQLSERVER04)
  Cluster nodes: SQL01 and SQL01. On all nodes made necessary the Security Setup of SCCM. No errors and warning on SCCM Monitoring.
  The cluster service is running on the account: sqlclusteruser
  The account has the appropriate SPN are registered:
  setspn -L domain\sqlclusteruser
  Registered ServicePrincipalNames for CN=SQL Cluster,OU=SQL,OU=Users special,OU=MAIN,DC=domain,DC=local:
  MSSQLSvc/CLS-SQL4
  MSSQLSvc/CLS-SQL4.domain.local
  MSSQLSvc/CLS-SQL4:11434
  MSSQLSvc/CLS-SQL4.domain.local:11434
  After some time on the cluster hosts every day started appearing new folders with files inside:
  srvboot.exe
  srvboot.ini
  srvboot.log
  srvboot.log contains the following information:
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER started.
  Microsoft System Center 2012 Configuration Manager v5.00 (Build 7711)
  Copyright (C) 2011 Microsoft Corp.
  Command line: "SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER CAS K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER".
  Set current directory to K:\SMS_SRVSCCM.domain.local_SMS_SQL_SERVER8.
  Site server: SRVSCCM.domain.local_SMS_SQL_SERVER.
  Importing machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [SQL01]...
  Failed to retrieve SQL Server service account.
  Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].
  Disconnecting from Site Server.
  SMS_SERVER_BOOTSTRAP_SRVSCCM.domain.local_SMS_SQL_SERVER stopped.

  The site server is trying to install the sms_backup agent on the SQL Server Cluster nodes.
  Without successfull bootstrap the siteserver backup is not able to run successfully.
  Try grant everyone the read permisson on
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS on the SQL server nodes.
  This worked for me.
  After that a Folder named "SMS_<SITESERVER-FQDN>" appeared on C: on the SQL Cluster nodes, and a "SMS_SITE_SQL_BACKUP_FQDN" Service should be installed.
  After the new Folder is created and the new Service is installed, you can safely remove the bootstrap Service by opening a command prompt and enter:
  sc delete "SMS_SERVER_BOOTSTRAP_FQDN-of-SiteServer_SMS_SQL_SERVER"

• Certificate authority export fails connection refused

  I am trying to export zenwork certificate and I receive the following error:
  Command
  zman --debug certificate-authority-export /root/cert
  Error:Could not connect to the ZENworks Server. Ensure that the server is running, and the host and port information specified is correct.
  Debug:
  com.novell.zenworks.datamodel.exceptions.Connectio nException: Connection refused
  What can I look at?

  zman certificate-authority-export /root/cert --debug
  Error:Could not connect to the ZENworks Server. Ensure that the server is runnin g, and the host and port information specified is correct.
  Debug:
  com.novell.zenworks.datamodel.exceptions.Connectio nException: Connection refused
  at com.novell.zenworks.zman.exceptions.ZManExceptionH andler.createExcept ion(ZManExceptionHandler.java:286)
  at com.novell.zenworks.zman.exceptions.ZManExceptionH andler.makeDataMode lException(ZManExceptionHandler.java:260)
  at com.novell.zenworks.zman.exceptions.ZManExceptionH andler.processRemot eException(ZManExceptionHandler.java:390)
  at com.novell.zenworks.zman.commands.CAHandler.<init> (CAHandler.java:72)
  at sun.reflect.NativeConstructorAccessorImpl.newInsta nce0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInsta nce(NativeConstruct orAccessorImpl.java:39)
  at sun.reflect.DelegatingConstructorAccessorImpl.newI nstance(DelegatingC onstructorAccessorImpl.java:27)
  at java.lang.reflect.Constructor.newInstance(Construc tor.java:501)
  at com.novell.zenworks.zman.CommandRunner.execute(Com mandRunner.java:86)
  at com.novell.zenworks.zman.ZMan.executeRunner(ZMan.j ava:321)
  at com.novell.zenworks.zman.ZMan.main(ZMan.java:505)
  Caused by: java.rmi.ConnectException: Connection refused
  at com.novell.soa.ws.portable.ApplicationException.ma pToRemote(Applicati onException.java:207)
  at com.novell.zenworks.datamodel.services.zoneconfig. soap.ZoneConfigAdmi nServiceBinding_Stub.hasZENServerRole(ZoneConfigAd minServiceBinding_Stub.java:50 71)
  at com.novell.zenworks.zman.commands.CAHandler.<init> (CAHandler.java:68

• How do I set up my own certificate authority

  I tried google on the above question, and the most recent thing I found was 7 years old. replacing the phrase used generates a lot of hits with a very poor signal to noise ratio.
  I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
  I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
  At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
  If you know of an URL where this is well explained and illustrated, great. Give that to me.
  Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
  Any assistance would be appreciated.
  Thanks,
  Ted
  ========failed attempt=====================
  # Generation of Certificate Authority(CA)
  openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
  # Create server request and key
  openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
  # Remove the passphrase from the key
  openssl rsa -in server-key.pem -out server-key.pem
  # Sign server cert
  openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
  # Create client request and key
  openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
  # Remove a passphrase from the key
  openssl rsa -in client-key.pem -out client-key.pem
  # Sign client cert
  openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf

  The following works for me:
  NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
  1. Create CA key and certificate
  1.1 Create a new file called "serial" containing the value "01".
  1.2 Create an empty file "index.txt"
  1.3 Create a subdirectory "newcerts"
  1.4 Execute.... create a key for your CA
  [ben@localhost ca]$ openssl genrsa -out ca.key 2048
  Generating RSA private key, 2048 bit long modulus
  .....................................+++
  ..........................................................+++
  e is 65537 (0x10001)
  1.5 Execute... create a certificate for your own CA
  [ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  Country Name (2 letter code) [GB]:
  County or State (full name) []:
  City or town (eg, Hitchin) []:
  Organization Name (eg, company) []:
  Organizational Unit Name (eg, section) []:
  Common Name (eg, your name or your server's hostname) []:
  Email Address []:
  2. Create PK key and .csr
  2.1 Execute...
  [ben@localhost ca]$ keytool -genkey -alias PK
  Enter keystore password: password
  What is your first and last name?
  [Unknown]:
  What is the name of your organizational unit?
  [Unknown]:
  What is the name of your organization?
  [Unknown]:
  What is the name of your City or Locality?
  [Unknown]:
  What is the name of your State or Province?
  [Unknown]:
  What is the two-letter country code for this unit?
  [Unknown]:
  Is CN=, OU=, O=, L=, ST=, C=GB correct?
  [no]: yes
  Enter key password for <PK>
  (RETURN if same as keystore password):
  2.2 Create .csr
  [ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
  Enter keystore password: password
  3. Sign PK with CA cert
  [ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
  Using configuration from ./openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
  Serial Number: 0 (0x0)
  Validity
  Not Before: Jan 5 19:48:33 2006 GMT
  Not After : Jan 5 19:48:33 2007 GMT
  Subject:
  countryName = GB
  stateOrProvinceName =
  organizationName =
  organizationalUnitName =
  commonName =
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
  D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
  X509v3 Authority Key Identifier:
  keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
  DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
  serial:F0:D1:38:36:65:6D:71:D5
  Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  4. Convert PK certificate into DER format
  [ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
  5. Import CA certificate into keystores
  [ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
  Enter keystore password: password
  Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
  Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
  Serial number: f0d13836656d71d5
  Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
  Certificate fingerprints:
  MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
  SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
  Trust this certificate? [no]: yes
  Certificate was added to keystore
  6. Import signed PK into keystore
  [ben@localhost ca]$ keytool -import -alias pk -file PK.der
  Enter keystore password: password
  Certificate reply was installed in keystore
  REF:
  http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
  http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
  http://www.openssl.org/docs/apps/ca.html#
  openssl.cnf:#
  # OpenSSL example configuration file.
  # This is mostly being used for generation of certificate requests.
  # This definition stops the following lines choking if HOME isn't
  # defined.
  HOME               = .
  RANDFILE          = $ENV::HOME/.rnd
  # Extra OBJECT IDENTIFIER info:
  #oid_file          = $ENV::HOME/.oid
  oid_section          = new_oids
  # To use this configuration file with the "-extfile" option of the
  # "openssl x509" utility, name here the section containing the
  # X.509v3 extensions to use:
  # extensions          =
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  [ new_oids ]
  # We can add new OIDs in here for use by 'ca' and 'req'.
  # Add a simple OID like this:
  # testoid1=1.2.3.4
  # Or use config file substitution like this:
  # testoid2=${testoid1}.5.6
  [ ca ]
  default_ca     = CA_default          # The default ca section
  [ CA_default ]
  dir          = .               # Where everything is kept
  certs          = $dir/certs          # Where the issued certs are kept
  crl_dir          = $dir/crl          # Where the issued crl are kept
  database     = $dir/index.txt     # database index file.
  #unique_subject     = no               # Set to 'no' to allow creation of
                           # several ctificates with same subject.
  new_certs_dir     = $dir/newcerts          # default place for new certs.
  certificate     = $dir/cacert.pem      # The CA certificate
  serial          = $dir/serial           # The current serial number
  #crlnumber     = $dir/crlnumber     # the current crl number must be
                           # commented out to leave a V1 CRL
  crl          = $dir/crl.pem           # The current CRL
  private_key     = $dir/private/cakey.pem# The private key
  RANDFILE     = $dir/private/.rand     # private random number file
  x509_extensions     = usr_cert          # The extentions to add to the cert
  # Comment out the following two lines for the "traditional"
  # (and highly broken) format.
  name_opt      = ca_default          # Subject Name options
  cert_opt      = ca_default          # Certificate field options
  # Extension copying option: use with caution.
  # copy_extensions = copy
  # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  # so this is commented out by default to leave a V1 CRL.
  # crlnumber must also be commented out to leave a V1 CRL.
  # crl_extensions     = crl_ext
  default_days     = 365               # how long to certify for
  default_crl_days= 30               # how long before next CRL
  default_md     = md5               # which md to use.
  preserve     = no               # keep passed DN ordering
  # A few difference way of specifying how similar the request should look
  # For type CA, the listed attributes must be the same, and the optional
  # and supplied fields are just that :-)
  policy          = policy_match
  # For the CA policy
  [ policy_match ]
  countryName          = match
  stateOrProvinceName     = match
  organizationName     = match
  organizationalUnitName     = optional
  commonName          = supplied
  emailAddress          = optional
  # For the 'anything' policy
  # At this point in time, you must list all acceptable 'object'
  # types.
  [ policy_anything ]
  countryName          = optional
  stateOrProvinceName     = optional
  localityName          = optional
  organizationName     = optional
  organizationalUnitName     = optional
  commonName          = supplied
  emailAddress          = optional
  [ req ]
  default_bits          = 1024
  default_keyfile      = privkey.pem
  distinguished_name     = req_distinguished_name
  attributes          = req_attributes
  x509_extensions     = v3_ca     # The extentions to add to the self signed cert
  # Passwords for private keys if not present they will be prompted for
  # input_password = secret
  # output_password = secret
  # This sets a mask for permitted string types. There are several options.
  # default: PrintableString, T61String, BMPString.
  # pkix      : PrintableString, BMPString.
  # utf8only: only UTF8Strings.
  # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  # MASK:XXXX a literal mask value.
  # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
  # so use this option with caution!
  # we use PrintableString+UTF8String mask so if pure ASCII texts are used
  # the resulting certificates are compatible with Netscape
  string_mask = MASK:0x2002
  # req_extensions = v3_req # The extensions to add to a certificate request
  [ req_distinguished_name ]
  countryName               = Country Name (2 letter code)
  countryName_default          = GB
  countryName_min               = 2
  countryName_max               = 2
  stateOrProvinceName          = County or State (full name)
  stateOrProvinceName_default     =
  localityName               = City or town (eg, Hitchin)
  localityName_default          =
  0.organizationName          = Organization Name (eg, company)
  0.organizationName_default     =
  # we can do this but it is not needed normally :-)
  #1.organizationName          = Second Organization Name (eg, company)
  #1.organizationName_default     = World Wide Web Pty Ltd
  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default     =
  commonName               = Common Name (eg, your name or your server\'s hostname)
  commonName_max               = 64
  emailAddress               = Email Address
  emailAddress_max          = 64
  # SET-ex3               = SET extension number 3
  [ req_attributes ]
  challengePassword          = A challenge password
  challengePassword_min          = 4
  challengePassword_max          = 20
  unstructuredName          = An optional company name
  [ usr_cert ]
  # These extensions are added when 'ca' signs a request.
  # This goes against PKIX guidelines but some CAs do it and some software
  # requires this to avoid interpreting an end user certificate as a CA.
  basicConstraints=CA:FALSE
  # Here are some examples of the usage of nsCertType. If it is omitted
  # the certificate can be used for anything *except* object signing.
  # This is OK for an SSL server.
  # nsCertType               = server
  # For an object signing certificate this would be used.
  # nsCertType = objsign
  # For normal client use this is typical
  # nsCertType = client, email
  # and for everything including object signing:
  # nsCertType = client, email, objsign
  # This is typical in keyUsage for a client certificate.
  # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  # This will be displayed in Netscape's comment listbox.
  nsComment               = "OpenSSL Generated Certificate"
  # PKIX recommendations harmless if included in all certificates.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer:always
  # This stuff is for subjectAltName and issuerAltname.
  # Import the email address.
  # subjectAltName=email:copy
  # An alternative to produce certificates that aren't
  # deprecated according to PKIX.
  # subjectAltName=email:move
  # Copy subject details
  # issuerAltName=issuer:copy
  #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
  #nsBaseUrl
  #nsRevocationUrl
  #nsRenewalUrl
  #nsCaPolicyUrl
  #nsSslServerName
  [ v3_req ]
  # Extensions to add to a certificate request
  basicConstraints = CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  [ v3_ca ]
  # Extensions for a typical CA
  # PKIX recommendation.
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  # This is what PKIX recommends but some broken software chokes on critical
  # extensions.
  #basicConstraints = critical,CA:true
  # So we do this instead.
  basicConstraints = CA:true
  # Key usage: this is typical for a CA certificate. However since it will
  # prevent it being used as an test self-signed certificate it is best
  # left out by default.
  # keyUsage = cRLSign, keyCertSign
  # Some might want this also
  # nsCertType = sslCA, emailCA
  # Include email address in subject alt name: another PKIX recommendation
  # subjectAltName=email:copy
  # Copy issuer details
  # issuerAltName=issuer:copy
  # DER hex encoding of an extension: beware experts only!
  # obj=DER:02:03
  # Where 'obj' is a standard or added object
  # You can even override a supported extension:
  # basicConstraints= critical, DER:30:03:01:01:FF
  [ crl_ext ]
  # CRL extensions.
  # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  # issuerAltName=issuer:copy
  authorityKeyIdentifier=keyid:always,issuer:always

• Receiving error message "Login failed for user 'NT AUTHORITY\SYSTEM'" every minute on server which is the mirror

  Hello,
  I have 2 SQL Server 2008 R2 machines that are configured with database mirroring (using certificates as authentication), there is no witness configured.  My issue is that the mirror server is receiving at least one of the below pared messages every
  second and filling up my sql error log quickly.
  SYSTEM is the service account user for the MSSQLSERVER service. 
  [298] SQLServer Error: 4060, Cannot open database "<databasename>" requested by the login. The login failed. [SQLSTATE 42000]
  [298] SQLServer Error: 18456, Login failed for user 'NT AUTHORITY\SYSTEM'. [SQLSTATE 28000]
  The database has a status of: Affected database state is: Mirror, Synchronized/Restoring...
  When I checking the database mirror monitor, it shows that its mirroring ok and everything has green checkboxes.
  Is there a way to stop all these errors being logged, I'm assuming this isn't normal.
  Marcus

  Yes i have faced the same issues and tried everything and nothing was using this account, system was ended up with creating few GB's sql error log files everday.. and finally i had two options, 1 -- Rebuild the instance completely 2. Change the SQL Server
  Audit settings to Only successful logins and restart the instance.. ( May be your current sql server level Audit setting is set to Failed & Successful logins..
  Remeber my server was a DR so I have changed the SQL Server Audit settings to only Successful logins.. but production servers we will monitor both... :)
  Raju Rasagounder Sr MSSQL DBA

• Certificate Authority Windows 2008 to 2012 R2 - Clean up and Migration

  Hello,
      I'm currently dealing with the following scenario:
  1. I've inherited the current infrastructure setup and the plan is to clean things up and setup a new certificate infrastructure using Windows 2012 R2.
  2. The current setup:
      a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority.  It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time.  It also has an expired certificate for
  itself - issued by the domain's issuing CA - and attempts to renew it via MMC give a "Server execution failed" and STATUS: Failed when looking in Certificate enrollment for Domain Controller.  We'll call the server, DC1.
      b. Certificate Authority Server, we'll call it CERT1.  When booting up the machine and/or attempting to restart certificate services on the server, the following errors are in the event log:
  EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
  EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Domainlocal Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013
  (-2146885613).
  EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because
  the revocation server was offline. 0x80092013 (-2146885613).
  Note:  The server's computer certificate has expired and it was issued by the Domain Controller mentioned in point A.  Attempts to renew it fail.
  (The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0  however an upgrade wasn't done and it's not old versions of Windows.)
  c. There is a certificate authority machine - part of what was created for a PKI infrastructure - that was kept shutdown.  I've powered it up and the machine is not part of the domain.
  Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 Certificate infrastructure would be appreciated.
  Thanks!

  Hi Vadims,
      Basically using certificates in the following manner:
  1. User / Computer enrollment in the AD domain.
  2. Any hardware / web services (internal) that need a certificates.  This is usually hardware that has some form of GUI that is accessed via URL, printers accessed via URL and/or that communicate via LDAP to AD, internal UC (Lync is an example), that
  sort of thing.
      A number of machines currently show certificate errors (ie.. certificate has expired) however that hasn't stopped things from working just functioning differently.  I'm going already on the assumption that if I remove the entire CA
  infrastructure and re-install a new one and have everything point to that new CA server that I should be ok but I'm not 100% certain hence why I asked on this forum.
  Also, you're correct is that there is one more CA.  That CA was the server that was turned off/offline that I powered on.  It is not part of the AD domain that the domain controller and the other CA belong to.  (It is standalone.)  I'm
  currently patching the standalone CA since it's been off for what looks like almost 1.5 years. 

• Certificate Authority not working when signing documents (Active Directory)

  We recently went to an Active Directory structure at my job, and we do a lot of signatures. Part of the Active Directory setup was an auto-certificate authority setup. I went to sign a document  recently and the signature will not apply. I went into trust tab and clicked to trust the certificate, and then backed out, but it still will not sign. When I click to sign the document nothing happens. There are red Xs next to everything in the trust tab.
  Any ideas? I am wondering if there is something I can do in Adobe to let it know that certificate is trusted?
  Any help would be appreciated.

  When Acrobat builds the signature object (which is created when you sign), it tries to populate the object with as much data as possible in order to facilitate long term validation. This means that it is trying to add all of the certificates in the signature chain to the PDF along with all of the corresponding revocation information (which is either an OCSP response of a CRL). This way, after the signer's digital ID expires all of the validation collateral will still be available, otherwise you would get an Unknown signature after the signer's cert expired.
  In order for Acrobat to get the revocation information trust has to be established. When you create the signature Acrobat tries to gather all of the certificates in the signing chain. After it has finished building the chain it walks the chain from the bottom up (the bottom being the signer's certificate) and checks to see if the cert is a designated trust anchor. Once it finds trust anchor it will try to procure revocation info for each cert below the trust anchor, but not the trust anchor itself. After it has gathered up all of the rev info it writes it into the PDF file along with the certificates. So, when it comes to signature creation, it's good to add the certificate that is at the root (top) of the signing chain to the Manage Trusted Identities list and trust it for signing and certifying. That way when you do sign all of the rev info will be written into the file.
  The next thing to realize is Acrobat can only retrieve the revocation info if it knows where to get it from. Each certificate in the signing chain except for the root cert should have an extension that tells Acrobat where it can download the information. For an OCSP response the URI is in the Authority Information Access (AIA) extension and for a CRL the URI is in the CRL Distribution Point (CRLdP) extension. If there is an entry in either of these two extensions that are not valid (that is either they don't exist or, the exist but don't really provide the expected data) then Acrobat will try to download the data, but the download will fail. Thus, you end up with a signature in an Unknown state because revocation checking must succeed if the is an AIA or CRLdP extension. Wheat you need to check is, does the certificate have one or both of these two extensions and if so, does it lead to a successful download.
  Steve

• UCS Manager and using Microsoft Certificate Authority

  Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

  First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issueing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.
  Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.
  Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.
  I hope that helps.
  Note: There's a bug in UCS currently issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.  

• Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

  Hello,
  I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
  Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
  Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
  * Note. No back ups to work with aside from whats mentioned below.
  DC had a virus infection causing a lot of issues on the shared network drives 2 days ago locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares which luckily had a back up. 
  The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
  "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
  Powershell on a computer that only has the Management Tools role installed."
  Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc  per instructions only to discover I couldnt relaunch it because there was
  no way how. So I copied another msc file that happened to be on the DC Server 1  back to Exchange Server 2 and got it to launch again. 
  Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer>Properties> Chage Settings > Change is greyed out because
  it is using the Certificate Authority Service.
  I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
  "The Trust Relationship between this workstation and primary domain failed."
  I tried running the Power Shell tools on Exchange Server 2 to rejoing and to reset passwords for domain accounts as noted in some other blogs but no luck as the Server 2 could not make the connection with Server1 or other errors it kept spitting out.
  I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
  I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
  https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
  and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
  Marty

  I recommend that you open a ticket with Microsoft Support before you break things more.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Login failed for user 'NT AUTHORITY\ANONYMOUS

  Hi All
  I have already gone thru lot of links, So appreciate if i can have some solution
  I have 3 servers A, B and C . A and B are in same domain and C is in different domain. and I am sysadmin in all 3 servers and all have trusted connection with each other
  1. All have tcp and named pipe enable
  2. All 3 servers and all services including browser are up and running
  3. When i connect any sql server from any Server using SSMS i am able to connect and  (net_transport, auth_scheme = TCP , NTLM).
  Now i create linked server at server B to Server C (C domain is different than A and B).  When i login on Server B and try to run query on C its working fine. But after remote login to server A and connect sql server at B using SSMS when
  i expand linked server to c i cant see databases and query is giving error "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"
  I also tried to connect to all 3 server in ssms using forced  named pipes but i am getting below error
  "provider named pipes provider error 40 - Could not open connection to sql server"
  My question :
  1. I have to use domain account to use linked server from server A to connect SQLserver B to server C, How this can be done is this related to Double hop ??
  2. Why i cant connect using forced Named pipe to any server using SSMS except local host
  Thanks Saurabh Sinha http://saurabhsinhainblogs.blogspot.in/ Please click the Mark as answer button and vote as helpful if this reply solves your problem

  Hello,
  First, it is possible to use Kerberos delegation across trusted domains.
  net_transport, auth_scheme = TCP , NTLM
  This means something isn't correctly setup as you're defaulting back to NTLM. This should read Kerberos if your SPNs were setup correctly and authenticated properly. Check the SPNs and service accounts.
  http://technet.microsoft.com/en-us/library/cc280744(v=SQL.105).aspx
  1. I have to use domain account to use linked server from server A to connect SQLserver B to server C, How this can be done is this related to Double hop ??
  To go across domains I'm not entirely sure on that part, but I can say it'd probably be easier if you did use a domain account as the service account.
  2. Why i cant connect using forced Named pipe to any server using SSMS except local host
  I'm not quite sure what you mean here. You can't connect through NP? Why the need for NP at all?
  Sean Gallardy | Blog |
  Twitter

• Database Logon Failed which created by Crystal Report 2008

  this time i meet the famous error again which is database logon failed.
  i created a crystal report 2008 starting from blank report, then connect with odbc
  i use 2008 method
  objRpt.SetDatabaseLogon(db_username, db_password, odbc_name, database_name);
  2008 method will get database logon failed even set database location and verify database again
  then i use 8.5 method and try again for 2008 report. it said field name is unknown for one of formula
  then i drag field again for formula and set database location and verify database again
  it said the same error.
  then i uninstall 8.5 crytal report software in window 7 deployment machine, and do above again, it said the same error
  //'Create a new Stored Procedure Table to replace the reports current table.
          CrystalDecisions.ReportAppServer.DataDefModel.Procedure boTable = new CrystalDecisions.ReportAppServer.DataDefModel.Procedure();
          //'boMainPropertyBag: These hold the attributes of the tables ConnectionInfo object
          PropertyBag boMainPropertyBag = new PropertyBag();
          //'boInnerPropertyBag: These hold the attributes for the QE_LogonProperties
          //'In the main property bag (boMainPropertyBag)
          PropertyBag boInnerPropertyBag = new PropertyBag();
          //'Set the attributes for the boInnerPropertyBag
          boInnerPropertyBag.Add("Connect Timeout", "15");
          //boInnerPropertyBag.Add("Data Source", "MyDataSource");
          boInnerPropertyBag.Add("Data Source", "10.1.1.191");
          boInnerPropertyBag.Add("DataTypeCompatibility", "0");
          boInnerPropertyBag.Add("General Timeout", "0");
          //boInnerPropertyBag.Add("Initial Catalog", "MyCatalog");
          boInnerPropertyBag.Add("Initial Catalog", database_name);
          boInnerPropertyBag.Add("Integrated Security", "False");
          boInnerPropertyBag.Add("Locale Identifier", "1033");
          boInnerPropertyBag.Add("MARS Connection", "0");
          //boInnerPropertyBag.Add("OLE DB Services", "-5");
          //boInnerPropertyBag.Add("ODBC", "-5");
          boInnerPropertyBag.Add("ODBC", "Cheque");
          boInnerPropertyBag.Add("Provider", "SQLNCLI");
          boInnerPropertyBag.Add("Tag with column collation when possible", "0");
          boInnerPropertyBag.Add("Trust Server Certificate", "0");
          boInnerPropertyBag.Add("Use Encryption for Data", "0");
          //'Set the attributes for the boMainPropertyBag
          boMainPropertyBag.Add("Database DLL", "crdb_ado.dll");
          //boMainPropertyBag.Add("Database DLL", "p2sodbc.dll");
          //boMainPropertyBag.Add("QE_DatabaseName", "VEPILOT");
          boMainPropertyBag.Add("QE_DatabaseName", database_name);
          //boMainPropertyBag.Add("QE_DatabaseType", "OLE DB (ADO)");
          boMainPropertyBag.Add("QE_DatabaseType", "ODBC");
          //'Add the QE_LogonProperties we set in the boInnerPropertyBag Object
          boMainPropertyBag.Add("QE_LogonProperties", boInnerPropertyBag);
          boMainPropertyBag.Add("QE_ServerDescription", "MyServer");
          boMainPropertyBag.Add("QE_SQLDB", "True");
          boMainPropertyBag.Add("SSO Enabled", "False");
          //'Create a new ConnectionInfo object
          CrystalDecisions.ReportAppServer.DataDefModel.ConnectionInfo boConnectionInfo = new CrystalDecisions.ReportAppServer.DataDefModel.ConnectionInfo();
          //'Pass the database properties to a connection info object
          boConnectionInfo.Attributes = boMainPropertyBag;
          //'Set the connection kind
          boConnectionInfo.Kind = CrConnectionInfoKindEnum.crConnectionInfoKindCRQE;
          //'*EDIT* Set the User Name and Password if required.
          boConnectionInfo.UserName = db_username;
          boConnectionInfo.Password = db_password;
          //'Pass the connection information to the table
          boTable.ConnectionInfo = boConnectionInfo;
  CrystalDecisions.ReportAppServer.DataDefModel.Tables boTables = objRpt.ReportClientDocument.DatabaseController.Database.Tables;
              CrystalDecisions.CrystalReports.Engine.Tables tables = objRpt.Database.Tables;
              foreach (CrystalDecisions.CrystalReports.Engine.Table table in tables)
                  if (!string.IsNullOrEmpty(table.Name))
                      //boTable.Name = table.Name;
                      //boTable.QualifiedName = database_name + ".dbo." + table.Name;
                      //boTable.Alias = table.Name;
                      boTable.Name = "sp_ChequeIssueDetRpt";
                      boTable.QualifiedName = database_name + ".dbo.sp_ChequeIssueDetRpt";
                      boTable.Alias = "sp_ChequeIssueDetRpt";
                      objRpt.ReportClientDocument.DatabaseController.SetTableLocation(boTables[0], boTable);
              objRpt.VerifyDatabase();
  http://sourceforge.net/projects/aspchequesprint/files/ChequeIssueDet.rpt/download

  No subreport, only a stored procedure with final two lines are
  print @m_sql
  exec (@m_sql)
  After use generated code in the link above
  Error at boReportDocument.VerifyDatabase();
  Inner Exception : no error
  Message "Logon failed"
  ErrorID : CrystalDecisions.CrystalReports.Engine.EngineExceptionErrorID.LogOnFailed
  HelpLink : null
  stacktrace :  CrystalDecisions.CrystalReports.Engine.ReportDocument.VerifyDatabase()\r\n   at viewReport.Page_Load(Object sender, EventArgs e) 於 d:
  Data
  My Documents
  Visual Studio 2008
  WebSites
  Cheques
  viewReport.aspx.cs: row 1302\r\n   at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)\r\n   at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)\r\n   at System.Web.UI.Control.OnLoad(EventArgs e)\r\n   at System.Web.UI.Control.LoadRecursive()\r\n   於 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  TargetSite : {Void VerifyDatabase()}
  string reportPath = report_path + "ChequeIssueDet.rpt";
              boReportDocument = new ReportDocument();
              //**EDIT** Change the path and report name to the report you want to change.
              boReportDocument.Load(reportPath, OpenReportMethod.OpenReportByTempCopy);
              //Create a new Stored Procedure Table to replace the reports current table.
              CrystalDecisions.ReportAppServer.DataDefModel.Procedure boTable =
              new CrystalDecisions.ReportAppServer.DataDefModel.Procedure();
              //boMainPropertyBag: These hold the attributes of the tables ConnectionInfo object
              PropertyBag boMainPropertyBag = new PropertyBag();
              //boInnerPropertyBag: These hold the attributes for the QE_LogonProperties
              //In the main property bag (boMainPropertyBag)
              PropertyBag boInnerPropertyBag = new PropertyBag();
              //Set the attributes for the boInnerPropertyBag
              boInnerPropertyBag.Add("Database", database_name);
              boInnerPropertyBag.Add("DSN", "Cheque");
              boInnerPropertyBag.Add("UseDSNProperties", "False");
              //Set the attributes for the boMainPropertyBag
              boMainPropertyBag.Add("Database DLL", "crdb_odbc.dll");
              boMainPropertyBag.Add("QE_DatabaseName", database_name);
              boMainPropertyBag.Add("QE_DatabaseType", "ODBC (RDO)");
              //Add the QE_LogonProperties we set in the boInnerPropertyBag Object
              boMainPropertyBag.Add("QE_LogonProperties", boInnerPropertyBag);
              boMainPropertyBag.Add("QE_ServerDescription", "Cheque");
              boMainPropertyBag.Add("QE_SQLDB", "True");
              boMainPropertyBag.Add("SSO Enabled", "False");
              //Create a new ConnectionInfo object
              CrystalDecisions.ReportAppServer.DataDefModel.ConnectionInfo boConnectionInfo =
              new CrystalDecisions.ReportAppServer.DataDefModel.ConnectionInfo();
              //Pass the database properties to a connection info object
              boConnectionInfo.Attributes = boMainPropertyBag;
              //Set the connection kind
              boConnectionInfo.Kind = CrConnectionInfoKindEnum.crConnectionInfoKindCRQE;
              //**EDIT** Set the User Name and Password if required.
              boConnectionInfo.UserName = db_username;
              boConnectionInfo.Password = db_password;
              //Pass the connection information to the table
              boTable.ConnectionInfo = boConnectionInfo;
              //Get the Database Tables Collection for your report
              CrystalDecisions.ReportAppServer.DataDefModel.Tables boTables;
              boTables = boReportDocument.ReportClientDocument.DatabaseController.Database.Tables;
              //For each table in the report:
              // - Set the Table Name properties.
              // - Set the table location in the report to use the new modified table
              boTable.Name = "sp_ChequeIssueDetRpt;1";
              boTable.QualifiedName = database_name+".dbo.sp_ChequeIssueDetRpt;1";
              boTable.Alias = "sp_ChequeIssueDetRpt;1";
              boReportDocument.ReportClientDocument.DatabaseController.SetTableLocation(boTables[0], boTable);
              //Verify the database after adding substituting the new table.
              //To ensure that the table updates properly when adding Command tables or Stored Procedures.
              boReportDocument.VerifyDatabase();
              //**EDIT** Set the value for the Stored Procedure parameters.
              string m_curUser = "";
              int spid = Convert.ToInt32(Request.Cookies["login_cookie"]["spid"]);
              queryString = "select * from v_All_Session where SPID=" + spid.ToString();
              //string _connectionString = ConfigurationManager.ConnectionStrings["ChequeConnectionString"].ConnectionString;
              using (SqlConnection connection = new SqlConnection(_connectionString))
                  SqlCommand command = connection.CreateCommand();
                  command.CommandText = queryString;
                  connection.Open();
                  using (SqlDataReader datareader = command.ExecuteReader())
                      if (datareader.HasRows == true)
                          while (datareader.Read())
                              if (datareader["UserID"] != System.DBNull.Value)
                                  m_curUser = datareader["UserID"].ToString();
                      datareader.Close();
                  connection.Close();
              boReportDocument.SetParameterValue("@UserID", m_curUser);
              if (string.IsNullOrEmpty(Session["fm_CoCode"].ToString()))
                  boReportDocument.SetParameterValue("@fm_CoCode", Session["fm_CoCode"].ToString());
              if (string.IsNullOrEmpty(Session["to_CoCode"].ToString()))
                  boReportDocument.SetParameterValue("@to_CoCode", Session["to_CoCode"].ToString());
              if (string.IsNullOrEmpty(Session["fm_BankACNo"].ToString()))
                  boReportDocument.SetParameterValue("@fm_BankACNo", Session["fm_BankACNo"].ToString());
              if (string.IsNullOrEmpty(Session["to_BankACNo"].ToString()))
                  boReportDocument.SetParameterValue("@to_BankACNo", Session["to_BankACNo"].ToString());
              if (string.IsNullOrEmpty(Session["fm_BatchNo"].ToString()))
                  boReportDocument.SetParameterValue("@fm_BatchNo", Session["fm_BatchNo"].ToString());
              if (string.IsNullOrEmpty(Session["to_BatchNo"].ToString()))
                  boReportDocument.SetParameterValue("@to_BatchNo", Session["to_BatchNo"].ToString());
  Edited by: Mathew_666 on Jul 19, 2011 4:27 AM
  Edited by: Mathew_666 on Jul 19, 2011 4:28 AM

• Untrusted server cert chain & does not recognize the certificate authority

  I have java code that makes an ssl connection to an HTTPS server.
  The code workes fine when I connect to a server that has a
  certificate that was issued by a recognizable authority.
  But when I try to connect to our test HTTPS server which has a
  certificate that was created by ourselves for debug, I get this
  java exception: "untrusted server cert chain".
  When I connect to our test HTTPS server with a browser, I get
  this message from the browser in a popup window:
  "www.xyz.com is a web site that uses a security certifcate to
  identify itself. However netscape 6 does not recognize the
  certificate authority that issued this certificate."
  At this point I am able to accept the certificate in the popup
  window and continue.
  Question: In my java code how can I accept a certificate
  that was signed by an unrecognizable authority just like the
  browser can. Or during debug, how can I set an override
  to accept ALL certs no matter what.
  Thanks.....Paul

  You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
  keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
  The keystore password is 'changeit' by default, keytool comes with the JDK.
  The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
  Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
  Ronny.

• Linked Server error: Login Failed for user 'NT AUTHORITY\ANONYMOUS LOGON' between sql server 2005 32 bit and sql server 2012 64 bit

  Hi All,
  Here the linked server is created between sql server 2012 64 bit and sql server 2005 32 bit. I am getting the below error  when i try to access linked server from third server. I have created linked from Instance 1 to Instance 2. When i access it from
  instance 3 i am getting the below error. SPN setting has been done between these 2 servers. Also the option 'Trust the delegate' is enabled for the both the service account. 
  'Login Failed for user 'NT AUTHORITY\ANONYMOUS LOGON' 
  Appreciate your quick response. 
  Vikas.M.S

  Hello,
  Please read the following resources:
  http://www.databasejournal.com/features/mssql/article.php/3696506/Setting-Up-Delegation-for-Linked-Servers.htm
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/ea26de43-4c6b-4991-86d7-e1578f107c92/linked-server-login-failed-for-user-nt-authorityanonymous-logon?forum=sqldataaccess
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• Failed to create a daily note

  I have successed to create a appointment using the sample code in the document of Oracle® Calendar Application Developer’s Guide,but failed to create a daily note.
  main code like this
  oracle.calendar.soap.iCal.iCalendar ical =
  new oracle.calendar.soap.iCal.iCalendar();
  oracle.calendar.soap.iCal.vCalendar vcal =
  new oracle.calendar.soap.iCal.vCalendar();
  vevent = new oracle.calendar.soap.iCal.vEvent();
  ical.addvCalendar(vcal);
  vcal.addvComponent(vevent);
  // set the vEvent attributes
  vevent.setEventClass(m_eventClass);
  // Start time
  vevent.setDtStart(k_startTime);
  // Duration
  vevent.setDuration(k_baseDuration);
  // Location
  vevent.setLocation(k_baseLocation);
  // Summary
  vevent.setSummary(m_testName);
  // UID
  vevent.setUid(m_uid);
  // Event type
  vevent.setXEventType(m_xEventType);
  // Description
  vevent.setDescription(ical.toString());
  oracle.calendar.soap.client.CreateCommand create =
  new oracle.calendar.soap.client.CreateCommand();
  create.setCmdId(m_cmdid);
  create.setiCalendar(ical);
  // Create the Oracle Calendar client SOAP stub
  // and set the basic authentication header
  System.out.println("Creating the Oracle Calendar client SOAP stub");
  oracle.calendar.soap.client.Calendarlet cws =
  new oracle.calendar.soap.client.Calendarlet();
  // Login
  if (cws == null) {
  return;
  Initialization myInit = new Initialization();
  myInit.initBasicAuth(cws, "test", "12345",
  "http://myhost:7777/ocws-bin/ocas.fcgi");
  // Next, make the SOAP call
  System.out.println("Making the SOAP call");
  oracle.calendar.soap.client.CalendaringResponse response =
  cws.Create(create.getElement());
  My call method is:
  MyEventCreateTest myEventCreateTest =
  new MyEventCreateTest("20060715", "PT01H00M",
  "Somewhere exotic", "MyEventCreateTest8",
  "MyEventCreateTest-UID-8",
  oracle.calendar.soap.iCal.vEvent.k_eventClassPublic,
  vEvent.k_eventTypeDailyNote,
  "CommandID-MyEventCreateTest", false);
  myEventCreateTest.run();
  and the log is:
  Creating the Oracle Calendar client SOAP stub
  Making the SOAP call
  SOAP send buffer:
  <?xml version='1.0' encoding='UTF-8'?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
  <auth:BasicAuth xmlns:auth="http://soap-authentication.org/2002/01/"><Name>test</Name><Password>12345</Password></auth:BasicAuth>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
  <cwsl:Create xmlns:cwsl="http://www.oracle.com/WebServices/Calendaring/1.0/">
  <CmdId>CommandID-MyEventCreateTest</CmdId><iCalendar><vcalendar prodid="-//Oracle//Calendaring//Calendarlet//EN" version="2.0"><vevent><class>PUBLIC</class><description>iCalendar
  vcalendar
  vcalendar.version:2.0
  vcalendar.prodid:-//Oracle//Calendaring//Calendarlet//EN
  vevent
  vevent.class:PUBLIC
  vevent.x-oracle-eventtype:DAILY NOTE
  vevent.dtstart:20060715
  vevent.duration:PT01H00M
  vevent.location:Somewhere exotic
  vevent.summary:MyEventCreateTest8
  vevent.uid:MyEventCreateTest-UID-8
  </description><dtstart>20060715</dtstart>
  <duration>PT01H00M</duration><location>Somewhere exotic</location><summary>MyEventCreateTest8</summary>
  <uid>MyEventCreateTest-UID-8</uid><x-oracle-eventtype>DAILY NOTE</x-oracle-eventtype></vevent></vcalendar></iCalendar></cwsl:Create>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  SOAP receive buffer:
  <?xml version="1.0" encoding="utf-8" ?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <soap:Body>
  <soap:Fault>
  <faultcode>soap:Server.Error::System::SOAPRequest</faultcode>
  <faultstring>The Create method did not have a proper element in the request</faultstring>
  <detail>
  <cwsl:Error xmlns:cwsl="http://www.oracle.com/WebServices/Calendaring/1.0/">
  <Class>Error::System::SOAPRequest</Class>
  <Code>0020-00-00-00000034</Code>
  <Line>3028</Line>
  <FileName>SOAPRequestHandler.cpp,v</FileName>
  <Version>1.46</Version>
  <LastMod>2005/07/05 15:02:04</LastMod>
  <Author>fleblanc</Author>
  <Date>Fri Jul 14 16:47:41 2006</Date>
  <PID>15299</PID>
  <TID>3046071216</TID>
  <Level>Error</Level>
  </cwsl:Error>
  </detail>
  </soap:Fault>
  </soap:Body>
  </soap:Envelope>
  Creating CreateReply
  Unable to create CreateReply
  Thanks
  null

  Hi,
  You also need to set the event parameter "m_dtstartvalue" when creating daily notes and day events, as follows:
  vevent.setDtStartValue(vEvent.k_valueTypeDate);
  Regards.