Re: security event 537


From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 11/24/04


Date: Wed, 24 Nov 2004 21:02:35 +0100

Easiest way to do this is to use Method 2 from the article that I posted
http://support.microsoft.com/?id=295663

certutil -dspublish -f filename NTAuthCA

You just have to export CA certificate first on your CA and transfer it to
the computer where you will perform certutil (e.g. your DC).

Mike

"Param R." <pr@nospam.com> wrote in message
news:eBze1Vl0EHA.4004@tk2msftngp13.phx.gbl...
> Well that was a no go. I installed the CA cert into my local domain
> (Domain A) from my client machine using the Enterprise PKI snapin. I even
> updated the CA to publish a proper url for the AIA that is accessible from
> the outside. I then installed a new cert on my computer, restarted IIS on
> my test box. Still no luck. I am getting that security warning.
>
> thanks!
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:%230emg4k0EHA.3408@tk2msftngp13.phx.gbl...
>> Hi,
>>
>> In this case run the procedure on member server in both domains (on e.g.
>> domain controllers).
>>
>> Mike
>>
>> "Param R." <pr@nospam.com> wrote in message
>> news:uF0nyzk0EHA.1524@TK2MSFTNGP09.phx.gbl...
>>> Mike, sorry for the confusion. Here is my setup:-
>>>
>>> Domain A (Office where I sit):-
>>>
>>> 1. SBS 2003 Server with Stand Alone CA installed that issues server &
>>> client certs. - SBSSERVER
>>> 2. Windows XP Clients all members of Domain A
>>>
>>> Domain B (Data Center where IIS servers reside):-
>>>
>>> 1. 1 Domain Controller - Forest Root
>>> 2. 2 IIS Web Servers which are member of Domain B
>>>
>>> Absolutely no connection or trust between Domain A & B.
>>>
>>> Now the IIS web servers have server certs installed that are issued by
>>> SBSSERVER
>>>
>>> does that help a bit?
>>>
>>> thanks!
>>>
>>>
>>> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
>>> news:ekKE1Uk0EHA.2572@tk2msftngp13.phx.gbl...
>>>> Hi,
>>>>
>>>> on any server that is member of domain. Since you have CA installed on
>>>> the server that is also domain member do it from there (you will
>>>> already have certutil installed there).
>>>>
>>>> Mike
>>>>
>>>> "Param R." <pr@nospam.com> wrote in message
>>>> news:uuPJvTj0EHA.1652@TK2MSFTNGP11.phx.gbl...
>>>>> On which machine do I need to import the root CA certificate?
>>>>>
>>>>> 1. CA server?
>>>>> 2. Web Server? - it is on a different domain at a different location
>>>>> 3. Client Machines - that have the client certificate installed. Some
>>>>> clients are in the domain the CA is on. Some are not.
>>>>>
>>>>> SSL authentication seems to be working although it is slow.
>>>>>
>>>>> thanks a bunch!
>>>>>
>>>>> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
>>>>> news:u0e7kXf0EHA.1408@TK2MSFTNGP10.phx.gbl...
>>>>>> Hi,
>>>>>>
>>>>>> Check out this article.
>>>>>>
>>>>>> 295663 How to import third-party certification authority (CA)
>>>>>> certificates into
>>>>>> http://support.microsoft.com/?id=295663
>>>>>>
>>>>>> As above article states, import root CA certificate into NTAuthCA
>>>>>> store.
>>>>>>
>>>>>> Do you use smart cards for authentication to Web Site or certificates
>>>>>> stored on hard drive?
>>>>>>
>>>>>> I hope this helps,
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>> "Param R." <pr@nospam.com> wrote in message
>>>>>> news:%23ujMhyb0EHA.2804@TK2MSFTNGP15.phx.gbl...
>>>>>>> 1. Stand Alone CA (not integrated into AD) - reason for this is that
>>>>>>> I could never get an Enterprise CA to work with IIS.
>>>>>>> 2. Web server is member of a domain which is different than the
>>>>>>> machine on which the CA is running. 2 separate networks at different
>>>>>>> locations.
>>>>>>> 3. CA server is also a Domain Controller for the network at my
>>>>>>> office.
>>>>>>> 4. Web server resides in my data center which has its own domain &
>>>>>>> DC.
>>>>>>>
>>>>>>> thanks!
>>>>>>>
>>>>>>> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
>>>>>>> news:eS$I$uZ0EHA.2804@TK2MSFTNGP15.phx.gbl...
>>>>>>>> Can you give me some more information please?
>>>>>>>> * is this Enterprise CA (integrated into Active Directory)?
>>>>>>>> * is web server member of domain?
>>>>>>>>
>>>>>>>> Mike
>>>>>>>>
>>>>>>>> "Param R." <pr@nospam.com> wrote in message
>>>>>>>> news:ewxAweZ0EHA.1264@TK2MSFTNGP12.phx.gbl...
>>>>>>>>> Yes we use SSL Server & Client Certificates. Generated by our own
>>>>>>>>> CA. Our CA's certificate are in the web server's Trusted Root CA
>>>>>>>>> Store for the computer account.
>>>>>>>>>
>>>>>>>>> Never seen this error when the applications were running on win2k
>>>>>>>>> server?
>>>>>>>>>
>>>>>>>>> thanks!
>>>>>>>>>
>>>>>>>>> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
>>>>>>>>> news:esZY$3Y0EHA.3820@TK2MSFTNGP11.phx.gbl...
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Do you use SSL certificate on this server or do you use
>>>>>>>>>> certificates to access this server? If yes, can you describe a
>>>>>>>>>> bit your deployment (e.g. own CA, 3rd party CA)...?
>>>>>>>>>>
>>>>>>>>>> Mike
>>>>>>>>>>
>>>>>>>>>> "Param R." <pr@nospam.com> wrote in message
>>>>>>>>>> news:%23sbz03X0EHA.3900@TK2MSFTNGP10.phx.gbl...
>>>>>>>>>>> Hi all, we have a few 2003 machines running web edition. We are
>>>>>>>>>>> seeing a ton of errors in the security event log:-
>>>>>>>>>>>
>>>>>>>>>>> Logon Failure:
>>>>>>>>>>>
>>>>>>>>>>> Reason: An error occurred during logon
>>>>>>>>>>>
>>>>>>>>>>> User Name:
>>>>>>>>>>>
>>>>>>>>>>> Domain:
>>>>>>>>>>>
>>>>>>>>>>> Logon Type: 3
>>>>>>>>>>>
>>>>>>>>>>> Logon Process: Schannel
>>>>>>>>>>>
>>>>>>>>>>> Authentication Package: Microsoft Unified Security Protocol
>>>>>>>>>>> Provider
>>>>>>>>>>>
>>>>>>>>>>> Workstation Name: -
>>>>>>>>>>>
>>>>>>>>>>> Status code: 0xC000006D
>>>>>>>>>>>
>>>>>>>>>>> Substatus code: 0x80090325
>>>>>>>>>>>
>>>>>>>>>>> Caller User Name: -
>>>>>>>>>>>
>>>>>>>>>>> Caller Domain: -
>>>>>>>>>>>
>>>>>>>>>>> Caller Logon ID: -
>>>>>>>>>>>
>>>>>>>>>>> Caller Process ID: -
>>>>>>>>>>>
>>>>>>>>>>> Transited Services: -
>>>>>>>>>>>
>>>>>>>>>>> Source Network Address: -
>>>>>>>>>>>
>>>>>>>>>>> Source Port: -
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> For more information, see Help and Support Center at
>>>>>>>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Please help!
>>>>>>>>>>>
>>>>>>>>>>>
>
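
Added example, not part of the original thread: a small Python parser that decodes the status codes in the event 537 text quoted above. The substatus 0x80090325 is SEC_E_UNTRUSTED_ROOT (the certificate chain was issued by an authority that is not trusted), which matches the CA-trust fix suggested in this thread. The function names and the embedded sample are constructed for illustration.

```python
import re

# Status values from the Windows headers (ntstatus.h / winerror.h).
CODES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0x80090325: "SEC_E_UNTRUSTED_ROOT",   # chain issued by an untrusted authority
    0x80090327: "SEC_E_CERT_UNKNOWN",
    0x80090328: "SEC_E_CERT_EXPIRED",
}
FIELD = re.compile(r"^([A-Z][A-Za-z ]*):\s*(.*)$")

def parse_event(text):
    """Parse the 'Name: value' description of event 537 into a dict."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()       # tolerate quoted ('>') copies
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last:                             # wrapped value, e.g. the package name
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def triage(fields):
    """Return (status_name, substatus_name, is_cert_trust_failure)."""
    def name(key):
        value = fields.get(key, "")
        try:
            return CODES.get(int(value, 16), value)
        except ValueError:                     # empty or '-' placeholder
            return value
    status, sub = name("Status code"), name("Substatus code")
    trust = fields.get("Logon Process") == "Schannel" and sub == "SEC_E_UNTRUSTED_ROOT"
    return status, sub, trust

# Constructed sample: the fields of the event quoted in this thread.
SAMPLE = """\
> Logon Failure:
> Reason: An error occurred during logon
> Logon Type: 3
> Logon Process: Schannel
> Authentication Package: Microsoft Unified Security Protocol
> Provider
> Status code: 0xC000006D
> Substatus code: 0x80090325
"""

if __name__ == "__main__":
    print(triage(parse_event(SAMPLE)))
```

A `True` in the third position separates certificate-trust misconfiguration from failures with other causes when many such events fill the security log.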


