Enterprise CA access

Thread starter: Marko Loukkaanhuhta

Marko Loukkaanhuhta

Hi,
I'm having problems with certificate enrolling in our w2k domain. We have
one enterprise CA which can enroll user certs and smart card user certs via
http://machine/certsrv/. When I'm requesting new computer (machine)
certificate with certificates snap-in on a remote computer I get this error:
Certification Request Wizard
The certificate request failed because of one of the following conditions:
- the certificate request was submitted to a Certification Authority (CA)
that is not started.
- You do not have the permissions to request certificates from the available
CAs.

Facts:
- I tried with a username that is in the Enterprise Admins group
- You can, however, request new user, computer, administrator etc.
certificates in the certificates snap-in when logged on to the CA computer, but not on
a remote computer
- When trying from a remote machine with certutil -config
machine.domain.local\CAsname -ping I get Connecting to.... Server could
not be reached: Access is denied. 0x80070005 (WIN32: 5), while logged on as
a member of the EA group

Any ideas how to correct this?

Steven L Umbach

I am not sure what you mean by remote computer but to be able to request a
certificate from the mmc certificates snapin you need to be logged onto the
domain via the LAN and logged onto the computer as a local administrator.
Enterprise administrators are not in the local administrators group of
domain computers, though any user in the domain admins group would be by
default. If it's still a no go, check your DNS configuration for the domain to
make sure it is correct. The link below is a FAQ on Active Directory DNS.
The netdiag and dcdiag support tools are very helpful in checking domain and
networking configuration. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Marko Loukkaanhuhta

Steven L Umbach said:
I am not sure what you mean by remote computer but to be able to request a
certificate from the mmc certificates snapin you need to be logged onto the
domain via the LAN and logged onto the computer as a local administrator.
Enterprise administrators are not in the local administrators group of
domain computers, though any user in the domain admins group would be by
default. If it's still a no go, check your DNS configuration for the domain to
make sure it is correct. The link below is a FAQ on Active Directory DNS.
The netdiag and dcdiag support tools are very helpful in checking domain and
networking configuration. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

Ok, sorry for not being precise. DNS is ok, user is a local administrator.
The problem seems to be that over the LAN with the certificates snap-in you cannot
request a new certificate. On an IIS server (another machine) you can make an
online cert request for a web cert and it works, http://machine/certsrv/
works, but when I try to use the certificates snap-in to make a computer
certificate for the RAS machine it does not work. I believe this is a DCOM
problem, or is it?

Steven L Umbach

For the Certificate Authority verify that its computer account is trusted
for delegation in its computer properties in AD Users and Computers and
look in Event Viewer to see if there is any helpful info on what the problem
might be. Also verify that it is a member of the Cert Publishers group. Then
I would check that you have connectivity to it by trying to access a share
on it and also run netdiag on both the CA and the computer you are trying to
request the CA from, looking for any pertinent failed tests/errors/warnings
particularly relating to dns, dclist, kerberos, or secure channel. Netdiag
is one of the support tools that is available on the install disk in the
support/tools folder where you need to run the setup to install them. Does
just this one particular computer have a problem requesting a certificate
via the mmc certificate snapin or do all the domain computers? Can the CA
request a certificate for itself via the mmc certificate snapin? --- Steve

Marko Loukkaanhuhta

Steven L Umbach said:
For the Certificate Authority verify that its computer account is trusted
for delegation in its computer properties in AD Users and Computers and
look in Event Viewer to see if there is any helpful info on what the problem
might be.

No related events.

Also verify that it is a member of the Cert Publishers group.

It is.

Then
I would check that you have connectivity to it by trying to access a share
on it and also run netdiag on both the CA and the computer you are trying
to request the CA from, looking for any pertinent failed
tests/errors/warnings particularly relating to dns, dclist, kerberos, or
secure channel. Netdiag is one of the support tools that is available on
the install disk in the support/tools folder where you need to run the
setup to install them. Does just this one particular computer have a
problem requesting a certificate via the mmc certificate snapin or do all the
domain computers?

Funny, I forgot to tell you that there is no problem with w2000 servers. Just
every computer that runs Windows Server 2003 has the same problem. Windows
2000 servers do not have this issue. So, the domain is 2000 native, and the RAS
server is w2k3.

Can the CA
request a certificate for itself via the mmc certificate snapin?

Yes.

Steven L Umbach

Interesting that it only happens to W2003 Servers. I tested on my Windows
2000 native domain and was able to request and receive certificates for my
Windows 2003 Server domain member via the mmc certificates snapin. From your
Windows 2003 Server are you able to access a share on the Certificate
Server? There may be a problem with incompatible security options for the
Windows 2003 Servers. It might be worth a try to go into the Local Security
Policy on the Windows 2003 Server and under security settings/local
policies/security options, set the option for Microsoft network
client: digitally sign communications (always) to disabled. Are there any
failed requests recorded in the CA Management Console? If there are they may
have a reason that may help. --- Steve
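One way to run through the checks Steve lists in this thread (local admin, certutil -ping, share access, the CA account's delegation and Cert Publishers membership, and the SMB client signing policy) from the failing machine in one go, as an added example that is not from the thread or its participants. It assumes the ActiveDirectory PowerShell module is installed, and the CA host and name are placeholders taken from the first post:

```powershell
# Added example: runs the checks discussed in this thread from the machine
# that fails to enroll. Assumes the ActiveDirectory module; the CA host and
# name below are placeholders (replace with your CA's own config string).
param(
    [string]$CaHost = 'machine.domain.local',   # placeholder from the first post
    [string]$CaName = 'CAsname'                 # placeholder from the first post
)
Import-Module ActiveDirectory
$results = [ordered]@{}

# 1. Local admin? The snap-in request runs in this security context.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$results['Running as local Administrator'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Can the CA's RPC/DCOM interface be reached? (the certutil -ping from the
#    thread; exit code 0 means the CA answered, non-zero reproduces the failure)
& certutil.exe -config "$CaHost\$CaName" -ping 2>&1 | Out-Null
$results['certutil -ping succeeded'] = ($LASTEXITCODE -eq 0)

# 3. Plain file-share access to the CA (rules out basic SMB/Kerberos trouble);
#    CertEnroll is the share an enterprise CA creates by default.
$results['CertEnroll share reachable'] =
    Test-Path -Path "\\$CaHost\CertEnroll" -ErrorAction SilentlyContinue

# 4. CA computer account: trusted for delegation and in Cert Publishers.
$caShort = ($CaHost -split '\.')[0]
$caAcct = Get-ADComputer -Identity $caShort -Properties TrustedForDelegation
$results['CA trusted for delegation'] = [bool]$caAcct.TrustedForDelegation
$members = Get-ADGroupMember -Identity 'Cert Publishers' |
    Select-Object -ExpandProperty SamAccountName
$results['CA in Cert Publishers'] = ($members -contains $caAcct.SamAccountName)

# 5. SMB client signing policy ("Microsoft network client: Digitally sign
#    communications (always)"); RequireSecuritySignature=1 means Enabled.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$sig = (Get-ItemProperty -Path $key -Name RequireSecuritySignature `
        -ErrorAction SilentlyContinue).RequireSecuritySignature
$results['SMB client signing required'] = ($sig -eq 1)

# Print the checklist; a False on any line points at the next thing to look at.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $_.Value
}
```

Compare the output from a working Windows 2000 member and a failing Windows Server 2003 member: the first line that differs is where the two configurations diverge.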