CA Problems


JMS

Hello everyone

I'm having a strange problem with my CA.

Configuration: Windows 2003 - Certification Authority - Configured as
Enterprise Certification Authority (Member Server)

I already configured Default Domain Policy
PK Policies

Computer Section: Autoenrollment Settings - Enroll Certificates Automat.,
renew expired certificates and update certificates.
Computer Section: Trusted Root Certification Authorities - I have The
Certificate for the Trusted Root Certificate Authority
Computer Section: Automatic Certificate Request Settings - I have a computer
certificate

User Section: Autoenrollment Settings - Enroll Certificates Automat., renew
expired certificates and update certificates.

Now the Problem:

The Root CA is being issued to all computers with no problems

The Windows XP in my domain are being issued with success the computer
certificate. (No problems with this)

None of my users are being issued any certificate. (I already tried to
duplicate the user certificate and enabled Read, Enroll and Autoenroll
permission, but with no success)

My domain controller (also a Windows 2003 Standard Edition) doesn't have a
certificate issued from my Root CA. I tried to request one manually from the mmc
console All Tasks -> Request new certificate -> Domain Controller
certificate, but it gives me an error: "The request could not be completed. The
RPC server is unavailable". If I type gpupdate /force at the command prompt, in
my event viewer I get the error Source:AutoEnrollment - EventID:13 -
Description: Automatic certificate enrollment for local system failed to
enroll for one Domain Controller certificate (0x800706ba). The RPC server is
unavailable.

All of my computers in my domain have the root CA installed automatically.

Please, any help would be very appreciated.
Best Regards.
 
JMS

I forgot to say that both Domain Controller (Windows Server 2003 Standard
Edition) and Member Server my CA (Windows 2003 Standard Edition) both have
SP1 installed.

Best regards
 
Brian Komar [MVP]

> I forgot to say that both Domain Controller (Windows Server 2003 Standard
> Edition) and Member Server my CA (Windows 2003 Standard Edition) both have
> SP1 installed.
>
> Best regards

Glad (sad) you added this. Autoenrollment requires that the CA be
running Enterprise Edition. Autoenrollment is not supported on Standard
Edition CAs.

Brian
 
JMS

Hello Brian

No autoenrollment allowed?

But the computer certificates are being issued!!!

Can I make manual certificate requests for the domain controller?

Thanks.
 
JMS

Another thing

My main goal in this case is to allow L2TP connections to my VPN server
from my remote users.

How can I accomplish this using Standard Edition!!!
Thanks again
 
Paul Adare

> Hello Brian
>
> No autoenrollment allowed?
>
> But the computer certificates are being issued!!!

The computer certificates are not being distributed via autoenrollment,
they are being distributed via Automatic Certificate Request Services
(ACRS) which is a different mechanism and is only available for machine
certificates that are based on version 1 certificate templates.

> Can I make manual certificate requests for the domain controller?

Yes, but you shouldn't have to do this. You'll need to troubleshoot the
RPC error and resolve that.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
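
An added example, not part of the thread: a small Python triage helper for AutoEnrollment failure lines in the layout JMS quoted. It decodes the HRESULT so that 0x800706ba reads as Win32 error 1722 (RPC server unavailable), which points at the path between the requesting machine and the CA rather than at templates or permissions. The sample lines are constructed; the two extra error codes and the `Example Template` name are assumptions added for contrast, not values from the thread.

```python
import re

# Constructed sample lines in the layout quoted in the first post. Only the
# first line's values (Event ID 13, 0x800706ba) come from the thread.
SAMPLE = """\
Source:AutoEnrollment - EventID:13 - Description: Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x800706ba). The RPC server is unavailable.
Source:AutoEnrollment - EventID:13 - Description: Automatic certificate enrollment for local system failed to enroll for one Example Template certificate (0x80094800). The requested certificate template is not supported by this CA.
Source:AutoEnrollment - EventID:13 - Description: Automatic certificate enrollment for local system failed to enroll for one Example Template certificate (0x80070005). Access is denied.
"""

# HRESULT -> (Windows symbolic name, area to investigate first).
HINTS = {
    0x800706BA: ("RPC_S_SERVER_UNAVAILABLE", "network/RPC path from client to CA"),
    0x80094800: ("CERTSRV_E_UNSUPPORTED_CERT_TYPE", "template not supported by this CA"),
    0x80070005: ("E_ACCESSDENIED", "access rights on the template or CA"),
}

EVENT_RE = re.compile(
    r"Source:\s*AutoEnrollment\s*-\s*EventID:\s*(?P<event_id>\d+).*?"
    r"failed to enroll for one (?P<template>.+?) certificate "
    r"\((?P<hresult>0x[0-9a-fA-F]{8})\)")

def decode_hresult(value):
    """Split a 32-bit HRESULT into (is_failure, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(log_text):
    """Return one finding per AutoEnrollment failure line; skip other lines."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        hr = int(m.group("hresult"), 16)
        failed, facility, code = decode_hresult(hr)
        name, area = HINTS.get(hr, ("unknown", "look up the code"))
        findings.append({
            "event_id": int(m.group("event_id")),
            "template": m.group("template"),
            "failed": failed, "facility": facility, "code": code,
            "name": name, "area": area,
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['template']}: facility {f['facility']} code {f['code']} "
              f"{f['name']} -> check {f['area']}")
```

Facility 7 is FACILITY_WIN32, so the low 16 bits are an ordinary Win32 error number.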
 
Paul Adare

> Another thing
>
> My main goal in this case is to allow L2TP connections to my VPN server
> from my remote users.
>
> How can I accomplish this using Standard Edition!!!

Yes, but not with autoenrollment. You'll need to publish a V1
certificate template at the CA and then have the remote users use the
web pages to manually request the certificate.


--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
 