RE: netsh error - 1312




Sorry for the late response.

A couple of things on the last response.

I can issue a cert from the certsrv and make it work but ONLY if I log in as
a domain admin, which was the original issue. Can we get around this? and how?

Then you said, "there is no particular SSL certificate that can only be used
for WCF ...."

OK, what are the correct properties that need to be set, there has got to be
an article somewhere that outlines what properties are required for what type
of certificate, in this case SSL. Then try to use it for SSL in ISA server ;-(

Is there a way to create a custom certificate template for the certsrv? In
the Certification Authority application you can click on the Certificate
Template/New/Certificate Template to issue. But there is no SSL pick and
using the web server pick requires Domain Admin rights, so there must be some
way to generate the certificate needed without all these combinations of
requirements.

If I could give up on this, I would at this point.
--
Scott Norberg


"Steven Cheng" wrote:

Hi Scott,

As for "using IIS certificate wizard", I don't think it is the incorrect
way, because an SSL certificate has a standard request format and properties.
The IIS wizard provides a very convenient GUI for us to generate the request.
I suggest you use it so as to eliminate any potential issue specific to
certificate creation. Also, you can find many SSL certificate configuration
tech articles (no matter IIS or Exchange) that mention using the IIS wizard
to generate the cert request:

#Step by Step adding SSL certificate to Exchange Server and Windows Mobile devices
http://msmvps.com/blogs/nunoluz/archive/2008/04/09/step-by-step-adding-ssl-certificate-to-exchange-server-and-windows-mobile-devices.aspx

#How to set up an SSL certificate to encrypt OWA and ActiveSync traffic
http://searchexchange.techtarget.com/tip/0,,sid43_gci1272045,00.html

For my local test, I've also tried directly using "certsrv" (without
pregenerating a request in IIS) to create a "Server Authentication
certificate" and it works for my test box's IIS SSL connection.

In other words, there is no particular SSL certificate that can only be
used for WCF (or only used for IIS or Exchange). As long as the certificate
is a standard SSL certificate (has the correct servername and crypto
properties), it can be used for any service that requires setting up an SSL
channel (it may only vary depending on the servername or key length ....).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
Thread-Topic: netsh error - 1312
Subject: RE: netsh error - 1312
Date: Mon, 1 Dec 2008 06:33:00 -0800


Before I start ranting, to answer your question, yes it does. Domain Admin
is the only way I can get anything to work.

What is the point of CertSrv? It doesn't seem to create a certificate that
can be used anywhere. We are having a similar problem creating a SSL cert
for ISA Server. We needed to create the certificate using IIS which is
obviously not the intended use of IIS. It is to create an IIS cert.

So what is the difference between the certificates created with IIS and
what is required for a SSL CERT??? The same question can be asked for ISA.
No one can give me an answer.

There should be an exact process for creating certificates for these
standard situations, whether it be for a client or ISA server, and I don't
think that using IIS is the correct process and it certainly does not tell
me what the differences are between a CertSrv web server certificate and a
valid sslcert.

If I get on the Certificate Authority application (Control panel/Admin
tools) there is no template for a sslcert and I do not see a way to create
a custom template.

This is all very frustrating. What is the Microsoft official statement on
how to create an SSLCert for either WCF or ISA? Using IIS to create the
certificate and then stop the process and export the pending certificate
request is not what is needed here.

--
Scott


"Steven Cheng" wrote:

Thanks for your followup Scott,

Seems the "must be created under domain admin" is somewhat related to the
problem. For my local test, if not using "makecert.exe", I'll use the IIS
cert request wizard to generate an SSL certificate (that can ensure I don't
miss any necessary cert properties). Have you tried using an IIS wizard
generated cert request to create the certificate (does it also require you
to run as DomainAdmin)?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



--------------------
From: =?Utf-8?B?U2NvdHQ=?= <snorberg@xxxxxxxxxxxxxxxxx>
Subject: RE: netsh error - 1312
Date: Tue, 25 Nov 2008 06:09:05 -0800


If you are using CertSrv to create the certificate you can only select the
Web Server certificate if you are a Domain Admin. After installing the cert
I still needed to move it to the correct store. But netsh still would not
run unless I ran it under the domain admin.

So this may have something to do with the authority needed to create the
certificate in the first place. How do you create a WebServer cert while
being a normal user or admin?
--
Scott Norberg


"Steven Cheng" wrote:

Thanks for your followup Scott,

If the netsh cert install works when you are running it as a domain admin,
I'm wondering where you originally imported the certificate. Did you
install it into the "CurrentUser" store (which may be a domain account) or
the local machine store? For my local test, the certificate is imported
into the localmachine cert store and I can access it correctly with a
normal local admin account.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



--------------------
From: =?Utf-8?B?U2NvdHQ=?= <snorberg@xxxxxxxxxxxxxxxxx>
Subject: RE: netsh error - 1312
Date: Mon, 24 Nov 2008 11:51:43 -0800


Logging on as a domain admin rather than just a local admin seems to get
around this problem. Restricting netsh to domain admins does not seem like
what is needed. In the case I have here that means that I need a Domain
admin to log on to each workstation just to install the ssl certificate.
This is going to be a real problem with the workstation support people!
--
Scott Norberg


"Steven Cheng" wrote:

Thanks for your reply Scott,

As for the "1312" and "... logon session not exists" error, they're very
general errors (also occurring in other remote access contexts). I've also
performed some research based on this error message (with SSL certificate
context), but didn't find any useful records.

I think the problem is still with the certificate. For creating the
certificate, if you have IIS installed, you can try using IIS's SSL
certificate request wizard to generate an SSL certificate creation request.
Then, you can use that generated request to create a certificate from your
Windows certificate server.

#How do I... Request and install SSL certificates in IIS 7.0?
http://blogs.techrepublic.com.com/howdoi/?p=159

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



.
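The replies above turn on which store the certificate was imported into and whether it has "the correct servername and crypto properties". The following PowerShell audit is an added example, not code from any poster in this thread: `$Thumbprint` and `$ServerName` are placeholders supplied by the caller, and the private-key and Server Authentication EKU checks are assumptions about what an SSL binding needs that the thread itself does not confirm.

```powershell
# Added example, not from the thread. $Thumbprint and $ServerName are
# placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $ServerName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Search both personal stores so a certificate that was imported into
# CurrentUser instead of LocalMachine is reported rather than missed.
$found = foreach ($location in 'LocalMachine', 'CurrentUser') {
    Get-ChildItem -Path "Cert:\$location\My" |
        Where-Object { $_.Thumbprint -eq $wanted } |
        ForEach-Object { [pscustomobject]@{ Location = $location; Cert = $_ } }
}
if (-not $found) {
    Write-Warning "Thumbprint $wanted not found in LocalMachine\My or CurrentUser\My."
    return
}

$now = Get-Date
foreach ($entry in $found) {
    $cert = $entry.Cert
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate with no EKU extension is valid for any purpose.
    $ekuOk = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)

    [pscustomobject]@{
        Store          = "$($entry.Location)\My"
        InMachineStore = $entry.Location -eq 'LocalMachine'
        HasPrivateKey  = $cert.HasPrivateKey
        ServerAuthEku  = $ekuOk
        # Exact match only; wildcard names are not expanded here.
        NameMatches    = $cert.GetNameInfo('DnsName', $false) -eq $ServerName
        ValidNow       = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        Issuer         = $cert.Issuer
    }
}
```

Any `False` column in the output marks a property to correct before retrying the binding; running the script as the same account that runs netsh shows what that account can see in each store.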


