Windows 2003 Certificate Services - problem downloading Active X control

Bill

I'm having a problem with Certificate Services on a Windows 2003
Enterprise Edition Server. I've created an Enterprise Root CA but
each time certain clients attempt to request a certificate, the
"Downloading ActiveX Control" window appears and won't go away. I'm
unable to successfully request a certificate from some clients because
of this. Problem clients include Windows 2003 (same server where CA
is installed) and XP with IE 6.0.2800.1106. One client that doesn't
have the problem is Windows 2000 Pro with IE 6.0.2600.0000.

I've read through plenty of postings in the Google groups and all of
them seem to apply to OS's other than 2003. Regardless, I've read the
MS articles and the suggestions in the groups to no avail. I've
downloaded all applicable Windows Updates for the server and still no
success. I've removed and installed several times on several servers
in the Domain and still no success. I've removed the Advanced IE
security settings with no success in solving the problem.

I have had no problems when installing a stand alone root CA on a
separate server.

Thanks in advance for your help,

Bill
 
Bill

Thank you - I have read that knowledge base article. I'm already at
SP1 for the XP client and I've installed all available patches from
Windows Update for the client.

Any other thoughts?

Bill Holden
 
Bill

Dave,

Thanks for the quick response. I think I had done that in the past
but just to be sure, I tried it again. I'm sorry to say that it
didn't solve the problem.

Bill
 
Laudon Williams [MSFT]

Both client and server need to be updated.

--
This posting is provided "AS IS" with no warranties, and confers no rights.


Dave Taylor

Hi Bill,

What is the certificate? Is it a standard template? If so, have you
tried using the certificates mmc snap-in to retrieve the cert?

What (if any) errors do you get in the event viewer (client & server)?

Just to confirm, you are "deleting the cache" etc. in internet explorer
before you request the certificate, aren't you???
 
David Cross [MS]

No patch is required for Windows Server 2003, but you do need to run as
local admin when enrolling for the first time on any machine to install the
ActiveX control.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Bill

Dave,

I'm using all standard templates. I've had issues in the past with
templates where permissions weren't set correctly and I don't think
that's the issue here. I've seen the templates issue manifest itself
with a different error message.

The MMC doesn't show me anything helpful because I never get to the
point of requesting the certificate. I'm hung up at the following
pages: certsrv/certrqbi.asp?type=0 and certsrv/certrqma.asp

One thing I didn't mention before is that I also have a Subordinate
Enterprise CA that also had the problem. I managed to fix this
somehow while following your suggestions and installing the CA
certification path last night. I've attempted to emulate the process
on the Enterprise Root CA but am unable to. Perhaps I don't really
need to go further because the Root CA isn't really supposed to be
used for issuing certificates. I'm able to renew the Subordinate CA
certificate from the Root CA.

Here's one recurring error in the System Log:

The currently selected KDC certificate was once valid, but now is
invalid and no suitable replacement was found. Smartcard logon may
not function correctly if this problem is not remedied. Have the
system administrator check on the state of the domain's public key
infrastructure. The chain status is in the error data.

I've looked up this error message in Google Groups and MS. Nothing
applicable in MS and only two entries in Google groups with questions
and no responses.

Bill
 
Bill

Laudon,

Thanks for the suggestion. However, in one case, the client and the
server are one and the same (Windows 2003 Enterprise Edition). I've
loaded every single Windows Update for that system and the problem
persists.

Bill

"Laudon Williams [MSFT]" <[email protected]> wrote in message
See the following:
http://support.microsoft.com/default.aspx?scid=kb;en-us;330389

--
This posting is provided "AS IS" with no warranties, and confers no rights.


Laudon Williams [MSFT]

Bill, shooting a bit in the dark here (you may want to try customer
support).

- Is IIS hosted on the same system as the CA? If not, make sure it is
patched. Generally speaking, all clients will need the new XEnroll in order
to enroll to a WS2003 CA. The control will have to be downloaded using an
account with local admin (as David mentioned)
- For your DC issue, it is likely that you had the "domain controller"
templates active on your CA when you installed and removed them after the DC
enrolled. This is unlikely to be causing your current problem, but you can
add back the DC templates to make the errors go away
- WS2003 has the "IE Security" pack. You may want to try disabling it to see
if the problem goes away. It is installed/uninstalled through the optional
component manager.

That is about all I can think of. Again, you may want to try customer
support.

--
This posting is provided "AS IS" with no warranties, and confers no rights.


Dave Taylor

It's always difficult to picture the scene without actually being hands-on,
so here's what I did (which is quite similar)

On a standalone 2003 server, installed cert services & chose "Standalone
Root". Created the "root.cer"
copied the generated "root.cer" to floppy and published into active
directory (certutil -dspublish -f a:\root.cer RootCA)

In my 2003 A/D environment, installed cert services (enterprise subordinate,
sending the request to the offline root, and retrieving a SubCA.cer)

Templates:
DC's, I've found "domain controller authentication" is the cert you need
(not "domain controller")
For (XP) clients, make sure you install the smartcard CSP (You need this on
the server as well, obviously). Make sure you are a local admin, and that
http://*.localdomain.com is a member of internet explorer trusted sites.

That, pretty much should be it.

A good tool from m/s is "PKIView", (available in the windows 2003 reskit)
http://www.microsoft.com/downloads/...69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
(watch for line wrapping). This is a graphical overview of your PKI, and
will help pinpoint errors.

Hope this helps ... Sorry if you've tried most/all of it before - but this
setup certainly works for me ... I've got users connecting to a quarantine
area with their smartcards over l2tp no problems ...

Regards,

Dave
 
Bill

Dave,

I think you helped me to solve the problem. You told me about the
PKIView application and this helped to prove the CA was very unhappy.
The biggest issue was that there were URLs that couldn't be contacted.
It seems that the CA absolutely requires that the certificate web
pages be served from the Default Website. Even if I disabled the
default site and created a new one that would answer to the machine
name, it wouldn't work.

All seems to be happy now.

Thanks for your help!

Bill
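
Added example, not part of the original thread: a PowerShell sketch of the reachability check that PKIView surfaced here, listing the CDP and AIA URLs embedded in an issued certificate and testing each HTTP one. It assumes a current Windows admin workstation with PowerShell 3.0 or later; the certificate path is a hypothetical placeholder.

```powershell
# List the CDP and AIA URLs in a certificate and test whether each
# HTTP(S) location can be fetched. Windows only: relies on the text
# rendering of extensions produced by X509Extension.Format().
param(
    # Hypothetical path to a certificate issued by the CA under test
    [string]$CertPath = 'C:\temp\issued.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OIDs of the two extensions that carry URLs a relying party must reach
$oids = @{
    '2.5.29.31'         = 'CDP (CRL Distribution Points)'
    '1.3.6.1.5.5.7.1.1' = 'AIA (Authority Information Access)'
}

foreach ($ext in $cert.Extensions) {
    if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
    $label = $oids[$ext.Oid.Value]

    # On Windows the formatted text contains one "URL=..." entry per location
    $text = $ext.Format($true)
    $urls = [regex]::Matches($text, '(?i)URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        if ($url -notmatch '^https?://') {
            # ldap:// and file:// entries need a domain-joined check instead;
            # the value printed is cut at the first space
            Write-Output ("{0,-36} SKIPPED  {1}" -f $label, $url)
            continue
        }
        try {
            $resp  = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            $state = "HTTP $($resp.StatusCode)"
        } catch {
            # Covers DNS failure, connection refused, 404 from the wrong web site, etc.
            $state = "FAILED: $($_.Exception.Message)"
        }
        Write-Output ("{0,-36} {1}  {2}" -f $label, $state, $url)
    }
}
```

A `FAILED` line for an HTTP location on the CA host is the same class of finding as the uncontactable URLs described in the post above. `certutil -verify -urlfetch <file>` performs a fuller chain and revocation check from the command line.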
 
Dave Taylor

To be honest, I don't think the m/s cert services system is *entirely*
bug-free at the moment, as I've certainly had situations where I've set the
thing up (from scratch) multiple times (just to do the documentation), and
then re-install and it fails with some ridiculous problem...

Ah well, glad it's now working ...

Now you've just got to deal with the users who've locked out their smartcard
tokens ... :-(

Regards,

Dave
 
