XP Pro Can't get Domain Certificate....


Dave Onex

Hi Folks;

I have an XP Pro laptop connected to a Windows 2000 network. One of the
Windows 2000 servers has Certificate Services installed. For some reason,
the root CA certificate has not made its way to the XP laptop.

I checked all the other Windows 2000 machines and each one got it
automatically from Active Directory. Each of the Windows 2000 machines is
able to request a certificate through the MMC and obtain one. Certificate
services appears to be working fine on the network - even the ISA server can
get one!

However, the XP Pro machine does not have the enterprise root CA certificate
installed under Trusted Root Authorities. I tried doing a gpupdate /force
thinking it would cause the machine to get the enterprise root certificate
from Active Directory - but it didn't.

So, I have two problems:

1) the XP Pro laptop does not have the domain's certificate installed under
Trusted Root Certification Authorities &
2) if I try to manually request a certificate through MMC I get this error:

Certificate Request Wizard

The wizard cannot be started because of one or more of the following
-There are no trusted certification authorities (CAs) available (could this
be because there is no Trusted root certificate installed?)
-You do not have the permissions to request certificates from the available
CA's (I am logged on as the network admin - highest account)
-The available CAs issue certificates for which you do not have permissions
(can't see that one as the issue)

Earlier I tried exporting the trusted root certificate from one of the other
machines and installing it on the XP machine. It installed fine but I still
could not use the MMC to get a certificate for the XP machine from the
certificate server on the network. Instead, I got the same wizard error.

Can anyone help with this? I use this machine to administer my network
remotely using an L2TP connection. But without a certificate for the XP
machine I can't use L2TP.

Dave Onex

PS: This machine used to be able to get certificates (it had one from the
previous CA on the network) and I did disable the Windows Firewall.

Dave Onex

Strange.... I managed to fix it a few seconds after this post (figures)...

I mentioned earlier that I exported the domain cert from another machine and
imported it to the XP machine and that it didn't work.
I tried that again, this time using an XP machine and accepting the default
export type.

After that I imported it into the other XP Pro machine and was then able to
request a machine certificate!

So it seems the issue was that the machine did not have the Trusted Root
Certificate from the Certificate Server installed.

That begs the question though - if all other machines on the network got the
Trusted Root Cert through Active Directory then why didn't the XP laptop?


