Re: Autoenrollment of Certificates
- From: lorenzdominic_@xxxxxxxxxxx
- Date: 5 Sep 2006 18:05:01 -0700
Hello Crina
Here it is:
SBS Server 1 with VPN Access is 10.0.0.3 connected to a Router 10.0.0.1
SBS Server 2 without VPN Access is 10.0.0.4 connected to same Router.
I don't believe that SBS Server 2 has anything to do with the VPN
problem.
So far I have added two more VPN users since this problem using the
http://certsrv to enrol them with certificates.
However the certificate that identifies SBS Server 1 is shown to be
the original one that I have always used before this problem occurred
(with the CA creating a new certificate to identify the VPN Server (SBS
Server 1)). So I still have two certificates in the CA: one that was
originally created when I set up the VPN and the other one which
mysteriously created itself after I deleted an earlier one which
created itself.
Therefore every time I delete the latest certificate a new one is
created without my intervention. I suspect that there must be
some setting which does this.
Regards
Dominic
"Crina Li" wrote:
Hi Dominic,
Thanks for your update.
To narrow down the problem, would you please help me collect the following
information firstly?
1. Do you mean you only have one public IP for the 2 SBS domains?
2. How many NICs on the 2 SBS servers?
3. Can you draw a network diagram of your network for me?
Thanks for your time and I look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: lorenzdominic_@xxxxxxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: Autoenrollment of Certificates
| Date: 4 Sep 2006 03:23:55 -0700
| Organization: http://groups.google.com
| Lines: 118
| Message-ID: <1157365435.391817.240390@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <1156816075.543846.124260@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| <hamPDkBzGHA.4340@xxxxxxxxxxxxxxxxxxxxx>
| NNTP-Posting-Host: 61.9.205.85
| Mime-Version: 1.0
| Content-Type: text/plain; charset="iso-8859-1"
| X-Trace: posting.google.com 1157365441 18174 127.0.0.1 (4 Sep 2006
10:24:01 GMT)
| X-Complaints-To: groups-abuse@xxxxxxxxxx
| NNTP-Posting-Date: Mon, 4 Sep 2006 10:24:01 +0000 (UTC)
| In-Reply-To: <hamPDkBzGHA.4340@xxxxxxxxxxxxxxxxxxxxx>
| User-Agent: G2/0.2
| X-HTTP-UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1;
.NET CLR 1.1.4322; .NET CLR 2.0.50727),gzip(gfe),gzip(gfe)
| Complaints-To: groups-abuse@xxxxxxxxxx
| Injection-Info: m73g2000cwd.googlegroups.com; posting-host=61.9.205.85;
| posting-account=sD5sSwwAAACfxoFh8wh3FgbylMXBAetz
| Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!news-out.c
wix.com!newsfeed.cwix.com!image.surnet.ru!newsfeed.media.kyoto-u.ac.jp!postn
ews.google.com!m73g2000cwd.googlegroups.com!not-for-mail
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:295066
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hello Crina
|
| It is good to hear from you. I will be posting my answers in various
| posts.
|
|
| > 3. Did you install CA on the SBS Server? Is it an Enterprise CA or
| > Standalone CA?
| I still believe it is a standalone CA.
|
| Certification Authority
| Microsoft Corporation
| Version: 5.2.3790.1830
|
| > 4. Can you post the detailed related error logs?
| I am putting generic names (SERVER) in where it will otherwise identify
| our internal computer names:
|
| I have taken the following event log entries from the System and
| Application logs, which I think relate to the problem. They detail the
| events which led up to the point where a new certificate was created
| AUTOMATICALLY even though we had a valid Server certificate.
|
| System Log Data:
|
| Event Type: Warning
| Event Source: KDC
| Event Category: None
| Event ID: 20
| Date: 25/08/2006
| Time: 3:48:24 PM
| User: N/A
| Computer: SERVER
| Description:
| The currently selected KDC certificate was once valid, but now is
| invalid and no suitable replacement was found. Smartcard logon may not
| function correctly if this problem is not remedied. Have the system
| administrator check on the state of the domain's public key
| infrastructure. The chain status is in the error data.
|
|
| Event Type: Information
| Event Source: IAS
| Event Category: None
| Event ID: 5050
| Date: 25/08/2006
| Time: 4:57:08 PM
| User: N/A
| Computer: SERVER
| Description:
| A LDAP connection with domain controller server.server1.local for
| domain SERVER1 is established.
|
|
| Event Type: Information
| Event Source: IAS
| Event Category: None
| Event ID: 5050
| Date: 25/08/2006
| Time: 5:37:56 PM
| User: N/A
| Computer: SERVER
| Description:
| A LDAP connection with domain controller server.server1.local for
| domain SERVER1 is established.
|
|
|
| Event Type: Warning
| Event Source: KDC
| Event Category: None
| Event ID: 20
| Date: 25/08/2006
| Time: 5:48:22 PM
| User: N/A
| Computer: SERVER
| Description:
| The currently selected KDC certificate was once valid, but now is
| invalid and no suitable replacement was found. Smartcard logon may not
| function correctly if this problem is not remedied. Have the system
| administrator check on the state of the domain's public key
| infrastructure. The chain status is in the error data.
|
|
|
| The following events come from the Application Log:
|
|
| Event Type: Warning
| Event Source: CertSvc
| Event Category: None
| Event ID: 77
| Date: 25/08/2006
| Time: 5:48:23 PM
| User: N/A
| Computer: SERVER
| Description:
| The "Windows default" Policy Module logged the following warning: The
| Active Directory connection to SERVER has been reestablished to SERVER.
|
|
| Event Type: Information
| Event Source: AutoEnrollment
| Event Category: None
| Event ID: 19
| Date: 25/08/2006
| Time: 5:48:24 PM
| User: N/A
| Computer: SERVER
| Description:
| Automatic certificate enrollment for local system successfully received
| one Domain Controller certificate from certificate authority CA2005 on
| server.server1.local.
|
| I will answer the other questions in another post.
| Regards
| Dominic
|
|
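The log excerpts quoted above already contain the answer to "what setting does this": the AutoEnrollment event 19 arrives two seconds after the KDC event 20 declares the old certificate invalid, and its text says the machine's automatic enrollment received a Domain Controller certificate from CA2005. The following script is an added example, not code from this thread or from Microsoft: it parses Event Viewer text in the same layout the poster pasted and pairs each KDC event 20 with a Domain Controller certificate delivered by AutoEnrollment shortly afterwards, so an administrator can see the replacement was policy-driven rather than manual. The sample log embedded in it is a constructed, shortened copy of the posted entries (same generic SERVER/CA2005 names), and the five-minute pairing window is an assumption chosen for this illustration.

```python
"""Pair KDC 'certificate now invalid' warnings with automatic re-enrollment.

Added example. SAMPLE_LOG is a constructed, cut-down copy of the System and
Application log entries quoted in the thread; the correlation window is an
assumption, not a documented Windows behaviour.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Event Type: Warning
Event Source: KDC
Event ID: 20
Date: 25/08/2006
Time: 3:48:24 PM
Computer: SERVER
Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.

Event Type: Information
Event Source: IAS
Event ID: 5050
Date: 25/08/2006
Time: 4:57:08 PM
Computer: SERVER
Description:
A LDAP connection with domain controller server.server1.local for domain SERVER1 is established.

Event Type: Warning
Event Source: KDC
Event ID: 20
Date: 25/08/2006
Time: 5:48:22 PM
Computer: SERVER
Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.

Event Type: Information
Event Source: AutoEnrollment
Event ID: 19
Date: 25/08/2006
Time: 5:48:24 PM
Computer: SERVER
Description:
Automatic certificate enrollment for local system successfully received
one Domain Controller certificate from certificate authority CA2005 on
server.server1.local.
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
# CA name, then the CA host without the sentence's trailing full stop.
CA_RE = re.compile(r"from certificate authority (\S+) on ([\w-]+(?:\.[\w-]+)*)")


def parse_events(text):
    """Split Event Viewer 'Save as text' style output into event dicts, sorted by time."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Event Type:"):
            continue  # not an event block (e.g. a heading the admin typed)
        fields, desc, in_desc = {}, [], False
        for line in lines:
            if in_desc:
                desc.append(line.strip())
            elif line.strip() == "Description:":
                in_desc = True  # everything after this belongs to the description
            else:
                m = FIELD_RE.match(line.strip())
                if m:
                    fields[m.group(1)] = m.group(2).strip()
        # Event Viewer writes the date day/month/year and a 12-hour clock here.
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%d/%m/%Y %I:%M:%S %p")
        events.append({"source": fields["Event Source"], "id": int(fields["Event ID"]),
                       "type": fields["Event Type"], "time": when,
                       "computer": fields.get("Computer", ""), "description": " ".join(desc)})
    events.sort(key=lambda e: e["time"])
    return events


def correlate_reissues(events, window=timedelta(minutes=5)):
    """Return one record per Domain Controller certificate that AutoEnrollment
    delivered within `window` of the most recent KDC event 20 (old cert invalid)."""
    hits, pending_kdc = [], None
    for ev in events:
        if ev["source"] == "KDC" and ev["id"] == 20:
            pending_kdc = ev  # remember the latest 'certificate invalid' warning
        elif (ev["source"] == "AutoEnrollment" and ev["id"] == 19
              and "Domain Controller certificate" in ev["description"]):
            if pending_kdc is not None and ev["time"] - pending_kdc["time"] <= window:
                m = CA_RE.search(ev["description"])
                hits.append({"kdc_invalid_at": pending_kdc["time"], "reissued_at": ev["time"],
                             "lag_seconds": int((ev["time"] - pending_kdc["time"]).total_seconds()),
                             "ca": m.group(1) if m else "", "ca_host": m.group(2) if m else ""})
                pending_kdc = None  # each warning explains at most one re-enrollment
    return hits


if __name__ == "__main__":
    for hit in correlate_reissues(parse_events(SAMPLE_LOG)):
        print(f"{hit['reissued_at']}: autoenrollment replaced the DC certificate from "
              f"{hit['ca']} on {hit['ca_host']} {hit['lag_seconds']}s after the KDC rejected it")
```

Run against a real export, the script separates the two things the thread conflates: a KDC warning with no enrollment following it (the 3:48 PM entry) is just the KDC complaining about a certificate it can no longer chain, whereas a warning followed within seconds by event 19 means the machine's certificate autoenrollment policy supplied a fresh Domain Controller certificate, which is why deleting the newest certificate keeps producing another.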