Certificates

SR

I've set up a group policy in my Win2k domain (1 DC, 1
member server and 1 client) with active directory that
lets my machine request a machine certificate during
bootup/logon. When I try to have my Windows 2000 Pro PC
receive a machine certificate from my Enterprise ROOT CA
(installed on a windows 2000 member server), I get an
error message saying that the certificate store cannot be
enumerated. When I use the certificates snap in to find
my certificate store on the Windows 2000 Pro PC, I get an
error message. What's wrong? How can I get my certificate
stores back on my Windows 2000 Pro PC?
 
Steven L Umbach

It may be a networking or dns configuration problem. I would run netdiag on both
machines and dcdiag on the domain controller looking for any failed pertinent tests.
The domain controller in your situation should point only to itself by its assigned
static ip address for dns server and the domain computers also must point only to the
domain controller for their dns configuration - NEVER any ISP dns servers configured
in tcp/ip properties of a domain computer. Netdiag and dcdiag are on the install
cdrom under the support/tools folder where you want to run the setup program
here. --- Steve
 
SR

I do have all PCs pointing to my DNS server on my network
which acts as a forwarder to my ISP's DNS servers. The
DNS server is running on the Domain controller with a
static IP so I have my bases covered on the DNS end. The
CA is an Enterprise Root running on a Windows 2000 member
server. The Domain Controller got its certificate just
fine. The Windows 2000 Pro PC doesn't seem to have any
certificate store to look at locally. Is there a way to
recreate this local certificate store?
 
Steven Umbach

Running netdiag is still a good idea to check for things like domain controller
listing and secure channel. You did not mention service packs, but SP3 should at
least be used these days. I would also check event viewer for any clues on the
Pro machine and run System File Checker - sfc /scannow. I am not sure what the
exact problem is and a search on Google did not show much of anything. ---
Steve
 
SR

I really appreciate the help. I am running SP4 on all PCs
in my domain. I haven't found any info on where the
certificate store is on a Win 2k Pro PC. How would I
restore the certificate store (not just the certificates
but the actual container that houses the certificates)
part of Win 2k if I never knew it was missing until I
tried to get a certificate for the first time? What is
System File Checker? I haven't heard of it before.
 
Steven Umbach

The following links explain Windows File Protection and System File Checker
which is often worth running when things do not work as they should. The
certificate store is a mmc snapin to manage certificates. Certificates are not
stored in a central place but are located in places like the registry and the
user profile. My guess is that you have some sort of file or registry
corruption. SFC may be able to repair file corruption or wrong versions. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;222471
http://support.microsoft.com/default.aspx?scid=kb;EN-US;222193
 
David Bolt

Just had a run-in with Certificate Authorities, so hope I can help.
In your original message you said you had an error message in the MMC, but
didn't say what message.
Do you have any other error messages in the Event Viewer that might be
associated with the problem?
Dave
 
Curtis Clay III [MSFT]

Hello SR,
I'll need the exact error message when you boot and when you manually
request a certificate. Also have you confirmed that your CA has the
appropriate templates in place to issue the certificates?

This posting is provided "AS IS" with no warranties, and confers no rights.
 
SR

The error I get is:
The certificate cannot be installed because of a problem
with the cryptographic hardware.
 
SR

The message in the MMC is:
The certificate stores could not be enumerated. The
network path was not found.
 
Curtis Clay III [MSFT]

Hello SR,

Windows 2000 does not support opening the Certificate manager using this
method.


To open Certificate Manager in Windows 2000 do the following:

1. Click Start, and then click Run.

2. Type "MMC.EXE" (without the quotation marks) and click OK.

3. Click Console in the new MMC you created, and then click Add/Remove
Snap-in.

4. In the new window, click Add.

5. Highlight the Certificates snap-in, and then click Add.

6. Choose the Computer, User, or Service Account option depending on the
certificates you want to view or manage, and click Next.

7. Click OK. (If you choose Computer you will be provided with an option to
open Local Computer or browse for a computer on the network.)

8. Click Close, and then click OK.

9. You have now added the Certificates snap-in, which will allow you to
work with any certificates in your chosen certificate store. You
may want to save this MMC for later use.

Note: Windows XP does support opening Certificate Manager by launching
certmgr.msc from the run line.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
SR

When I do that I get this message:
The certificate stores could not be enumerated. The
network path was not found.
 
David Bolt

In an attempt to clarify things:
Do you have machine A which has the Certificate Authority installed, and
machine B which has requested a certificate, and on which you wish to run
MMC with the Certificates snap-in?
Dave
 
SR

That's correct.
 
Curtis Clay III [MSFT]

Check these keys for the permissions. They should read as follows...

%systemdrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Explicit ACEs:
Administrators:Full Control:This folder only
Everyone:Special:This folder only
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Read Permissions

"Allow inheritable permissions from parent to propagate to this object" is not
checked.

%systemdrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Explicit ACEs:
Administrators:Full Control:This folder only

Inherited ACEs:
System:Full Control:This folder, subfolders, and files
Administrators:Full Control:This folder, subfolders, and files
CREATOR OWNER:Full Control:Subfolders and files only
Users:Read & Execute:This folder, subfolders, and files
Everyone:Read & Execute:This folder, subfolders, and files
S-1-5-32-547:Special:This folder, subfolders, and files
Traverse Folder / Execute Data
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete Subfolders and Files
Delete
Read Permissions

"Allow inheritable permissions from parent to propagate to this object" is
checked.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Curtis Clay III [MSFT]

Have you made any changes to the default NTFS permissions for your
workstation?

This posting is provided "AS IS" with no warranties, and confers no rights.
 
SR

What is the S-1-5-32-547 user or SID that you mentioned
for the inherited ACEs for the RSA folder? I can't find
that user anywhere.
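The following PowerShell script is an added example, not part of the thread: it resolves the S-1-5-32-547 SID asked about (a well-known BUILTIN SID) and audits the MachineKeys folder against the explicit ACEs Curtis lists above. It assumes a Windows version that has PowerShell; the default path is the later-Windows location under $env:ProgramData, and the Windows 2000 path quoted in the thread can be passed as -MachineKeys instead.

```powershell
# Added example, not from the thread: audit the MachineKeys ACL against the ACEs
# listed in the thread and resolve the SID SR asks about. Assumes a Windows version
# with PowerShell; pass the Windows 2000 path from the thread as -MachineKeys if needed.
param(
    [string]$MachineKeys = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$FSR = [System.Security.AccessControl.FileSystemRights]

function Resolve-Sid([string]$Sid) {
    # Well-known BUILTIN SIDs resolve locally; no domain controller is contacted.
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { "$Sid (could not be resolved)" }
}
"S-1-5-32-547 = $(Resolve-Sid 'S-1-5-32-547')"   # BUILTIN\Power Users

# Rights the thread lists for Everyone ("Special", this folder only) and Administrators.
$expected = @{
    'BUILTIN\Administrators' = [int]$FSR::FullControl
    'Everyone' = [int](('ReadData, ReadAttributes, ReadExtendedAttributes, WriteData, ' +
                        'AppendData, WriteAttributes, WriteExtendedAttributes, ReadPermissions') -as $FSR)
}
$sync = [int]$FSR::Synchronize   # added implicitly by Windows; ignored when comparing

$acl = Get-Acl -LiteralPath $MachineKeys   # requires local administrator rights
$findings = @()
if (-not $acl.AreAccessRulesProtected) {
    $findings += 'Inheritance from parent is enabled; the thread expects it unchecked here'
}
foreach ($who in $expected.Keys) {
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $who -and -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' })
    if ($aces.Count -eq 0) { $findings += "No explicit Allow ACE for $who"; continue }
    $have = 0
    foreach ($a in $aces) { $have = $have -bor [int]$a.FileSystemRights }
    if (($have -band $expected[$who]) -ne $expected[$who]) {
        $findings += "$who lacks expected rights; has $($have -as $FSR)"
    }
    # Extra rights for Everyone would expose every machine private key on the box.
    if ($who -eq 'Everyone' -and (($have -band -bnot ($expected[$who] -bor $sync)) -ne 0)) {
        $findings += "Everyone holds more than the listed rights: $($have -as $FSR)"
    }
    if (@($aces | Where-Object { $_.InheritanceFlags -ne 'None' }).Count -gt 0) {
        $findings += "$who ACE should apply to this folder only, not subfolders/files"
    }
}
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else { 'MachineKeys ACL matches the layout described in the thread' }
```

Run it from an elevated prompt; any FINDING line names the ACE that differs from the layout Curtis posted.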
 
