Re: Cannot request certificate on client computer



Dave,

I went through the process, but no enterprise domain controller only
enterprise admin. I added that member to dcom group. No change on request
certificate error.

Any other thoughts?


"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OLCiykpWHHA.4764@xxxxxxxxxxxxxxxxxxxxxxx
Any help here? http://www.jsifaq.com/SF/Tips/Tip.aspx?id=11038


"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:OS$gaSpWHHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Dave,

This is still not working.

I can see the certificate on the server via the MMC. On the XP client, I
cannot request a CA per earlier below.

Here is what I did.

1. On server un-install CA & IAS
2. reboot
3. Install IAS & CA according to pages 372-388 (friendly name LongSOHO;
open external firewall ports to server address)
4. reboot
5. verified certificate LongSOHO Root CA on server (actually 2 instances
of the certificate)
6. Verified SBS server Certificate on SBS server in personal certificates
(deleted 2 copies from previous day)
7. On re-booted client machines attempted to request a certificate, it
had same error panel. (my XP user account includes domain admin)
8. Launched certsrv web panel on XP client:
- installed trust CA
- requested EFS certificate, installed (CSP - MS enhanced crypto
provider v1.0, key size 1024; CMC SHA-1)
- requested user certificate, installed
9. in MMC verified 2 certificates in current user and LongSOHO Root CA in
current user
10. built VPN connection per manual:
- checked connect to these servers and selected LongSOHO Root CA
- connection failed - Error 781 no valid certificate
- viewed LongSOHO Root CA details on XP and they match server
certificate details

Any suggestions as to why I cannot use MMC, can add via certsrv and still
not connect?

"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:u68YTwfWHHA.192@xxxxxxxxxxxxxxxxxxxxxxx
You could try going to http://<sbsname>/certsrv. Click "Download a CA
certificate, certificate chain, or CRL." On the next page, choose the
CA you created on the SBS and click "Download CA Certificate." In the
pop-up, click Open, then Install Certificate. Let it automatically
choose where to install the cert. Once you've got the CA certificate
installed, see if the wizard runs as described.

I haven't seen the issue you're having, so I don't really have any
firsthand knowledge of what's going on. It just seems like this would be
the next logical step.


"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:uPpq%23bfWHHA.5092@xxxxxxxxxxxxxxxxxxxxxxx
The certificate does not appear on the client PC trusted root...
certificates. It does appear on the server trusted root... certificates

The client name is fully qualified.

Any thoughts?


"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23FVGSUfWHHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
When you look on the client PC under Certificates (Local Computer) ->
Trusted Root Certification Authorities -> Certificates, do you see one
that uses the name you gave the CA when you installed it on page 376?
Does the client PC have the proper DNS suffix as described on the
bottom of page 379 (computername.domainname.local)?



"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:u6anA2eWHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
I am following MS book on SBS 2003 R2 administrators companion page
378, Requesting computer and user certificates.

I installed CA on server. Client is correctly attached to domain as
domain admin.

I launch MMC on client computer and add certificates (local computer)
and certificates current user.

When I right-click personal on certificates (local computer) and
request a certificate, I get error panel:

The wizard cannot be started because...
- There are no trusted certificate authorities available
- You do not have permissions to request certificates from
available CAs
- The available CAs issue certificates for which you do not have
permissions


When I created the local certificate on the server machine, the
wizard went through just fine.

Where is the hang-up?
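
Added example, not part of the original thread: a PowerShell check for the point raised above, namely whether the CA root is trusted machine-wide (Certificates (Local Computer)) or only for the current user, where the certsrv web install was verified. It assumes PowerShell is available on the client and uses the CA name LongSOHO quoted in the thread as the default search string.

```powershell
# Added example: where is the CA root trusted on this client?
param([string]$CaName = 'LongSOHO')   # CA name as quoted in the thread

function Find-RootCert {
    param([string]$StorePath, [string]$Name)
    # Match on the subject, which carries the CA's common name.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$Name*" }
}

# Machine-wide trusted roots (what "Certificates (Local Computer)" shows).
$machine  = @(Find-RootCert 'Cert:\LocalMachine\Root' $CaName)
# The per-user view also includes machine-wide roots, so filter those out
# to find roots that exist for this user only.
$userView = @(Find-RootCert 'Cert:\CurrentUser\Root' $CaName)
$machineThumbs = $machine | ForEach-Object { $_.Thumbprint }
$userOnly = @($userView | Where-Object { $machineThumbs -notcontains $_.Thumbprint })

foreach ($c in $machine) {
    '{0}  machine-wide  expires {1:yyyy-MM-dd}  {2}' -f $c.Thumbprint, $c.NotAfter, $c.Subject
}
foreach ($c in $userOnly) {
    '{0}  user-only     expires {1:yyyy-MM-dd}  {2}' -f $c.Thumbprint, $c.NotAfter, $c.Subject
}

if ($machine.Count -eq 0 -and $userOnly.Count -gt 0) {
    Write-Warning "Root '$CaName' is trusted for the current user only; the computer account does not trust it."
} elseif ($machine.Count -eq 0) {
    Write-Warning "No trusted root matching '$CaName' was found in either store."
}

# A reinstalled CA generates a new root with a new thumbprint; more than one
# match means an older root is still present alongside the current one.
$distinct = @(($machine + $userOnly) | Select-Object -ExpandProperty Thumbprint -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "$($distinct.Count) different roots match '$CaName'; compare thumbprints with the CA certificate on the server."
}
```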