Re: Cannot request certificate on client computer
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 14:09:22 -0500
That article says that if you change the group membership you have to
restart the server. FWIW, I don't have Enterprise Domain Controllers
either. I only have Domain Computers and Domain Users in that security
group.
What's showing in your system and application logs when you try to
request the cert? (I'd check both the server and the client PC). Between
the last server restart and now, do you see any log entries that could be
related at all? Look for schannel, certsvc, or crypt32. You could also
check for any from IAS, ISA Server, or Microsoft Firewall to see if there's
anything useful under those, but if you're not getting the cert in the first
place, those probably won't matter.
Is this Standard or Premium? ISA strict RPC compliance can stop certificate
auto-enrollment, although I'm not sure it would matter to a manually created
request. I'm thinking this might be less of an actual cert issue and that
the thing to troubleshoot is really why that wizard won't start.
You might browse the results if you google "wizard cannot be started because
there are no trusted certificate authorities available" - there are quite a
few potentially relevant hits there.
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:uZuY$4pWHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
Dave,
I went through the process, but no enterprise domain controller only
enterprise admin. I added that member to dcom group. No change on request
certificate error.
Any other thoughts?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OLCiykpWHHA.4764@xxxxxxxxxxxxxxxxxxxxxxx
Any help here? http://www.jsifaq.com/SF/Tips/Tip.aspx?id=11038
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:OS$gaSpWHHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Dave,
This is still not working.
I can see the certificate on the server via the MMC. On the XP client, I
cannot request a CA per earlier below.
Here is what I did.
1. On server un-install CA & IAS
2. reboot
3. Install IAS & CA according to pages 372-388 (friendly name LongSOHO;
open external firewall ports to server address)
4. reboot
5. verified certificate LongSOHO Root CA on server (actually 2 instances
of the certificate)
6. Verified SBS server Certificate on SBS server in personal
certificates (deleted 2 copies from previous day)
7. On re-booted client machines attempted to request a certificate, it
had same error panel. (my XP user account includes domain admin)
8. Launched certsrv web panel on XP client:
- installed trust CA
- requested EFS certificate, installed (CSP - MS enhanced crypto
provider v1.0, key size 1024, CMC, SHA-1)
- requested user certificate, installed
9. in MMC verified 2 certificates in current user and LongSOHO Root CA
in current user
10. built VPN connection per manual:
- checked connect to these servers and selected LongSOHO Root CA
- connection failed - Error 781 no valid certificate
- viewed LongSOHO Root CA details on XP and they match server
certificate details
Any suggestions as to why I cannot use MMC, can add via certsrv and
still not connect?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:u68YTwfWHHA.192@xxxxxxxxxxxxxxxxxxxxxxx
You could try going to http://<sbsname>/certsrv. Click "Download a CA
certificate, certificate chain, or CRL." On the next page, choose the
CA you created on the SBS and click "Download CA Certificate." In the
pop-up, click Open, then Install Certificate. Let it automatically
choose where to install the cert. Once you've got the CA certificate
installed, see if the wizard runs as described.
I haven't seen the issue you're having, so I don't really have any first
hand knowledge of what's going on. It just seems like this would be
the next logical step.
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:uPpq%23bfWHHA.5092@xxxxxxxxxxxxxxxxxxxxxxx
The certificate does not appear on the client PC trusted root...
certificates. It does appear on the server trusted root...
certificates
The client name is fully qualified.
Any thoughts?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23FVGSUfWHHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
When you look on the client PC under Certificates (Local Computer) ->
Trusted Root Certification Authorities -> Certificates, do you see
one that uses the name you gave the CA when you installed it on page
376? Does the client PC have the proper DNS suffix as described on
the bottom of page 379 (computername.domainname.local)?
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:u6anA2eWHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
I am following MS book on SBS 2003 R2 administrators companion page
378, Requesting computer and user certificates.
I installed CA on server. Client is correctly attached to domain as
domain admin.
I launch MMC on client computer and add certificates (local
computer) and certificates current user.
When I right-click personal on certificates (local computer) and
request a certificate, I get error panel:
The wizard cannot be started because...
- There are no trusted certificate authorities available
- You do not have permissions to request certificates from
available CAs
- The available CAs issue certificates for which you do not have
permissions
When I created the local certificate on the server machine, the
wizard went through just fine.
Where is the hang-up?
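
The checks suggested in this thread (CA certificate present in the client's Local Computer trusted roots, client DNS suffix, and schannel/certsvc/crypt32 log entries since the last restart on both machines), gathered into one script. This is an added example, not part of the original posts. It assumes Windows PowerShell 2.0 or later run on the client by an account that can read the server's event logs remotely; `<sbsname>` is a placeholder for the SBS server name and `LongSOHO` is the CA friendly name used in the thread.

```powershell
# Added example, not from the thread. Run on the client PC.
$Server = '<sbsname>'   # placeholder: replace with the SBS server name
$CaName = 'LongSOHO'    # CA friendly name mentioned in the thread

# 1. Certificates (Local Computer) -> Trusted Root Certification Authorities:
#    is a certificate carrying the CA name present on this client?
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -like "*$CaName*" })
if ($roots.Count -eq 0) {
    "No root certificate matching '$CaName' in the Local Computer store."
} else {
    # Thumbprints can be compared by eye with the copy (or copies) on the server.
    $roots | Format-List Subject, Thumbprint, NotBefore, NotAfter | Out-String
}

# 2. DNS suffix: the name should resolve as computername.domainname.local
"Client name as resolved by DNS: " +
    [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 3. System and Application log entries written since the last restart
#    by the sources named in the reply, on the client and on the server.
$sources = 'Schannel', 'CertSvc', 'crypt32'
foreach ($computer in $env:COMPUTERNAME, $Server) {
    $os   = Get-WmiObject Win32_OperatingSystem -ComputerName $computer
    $boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
    foreach ($log in 'System', 'Application') {
        # Get-EventLog raises an error when nothing matches; treat that as "no entries".
        $entries = @(Get-EventLog -LogName $log -ComputerName $computer `
                        -Source $sources -After $boot -ErrorAction SilentlyContinue)
        "{0} / {1}: {2} entries since {3}" -f $computer, $log, $entries.Count, $boot
        $entries | Sort-Object TimeGenerated |
            Format-Table TimeGenerated, EntryType, Source, EventID, Message -Wrap |
            Out-String -Width 160
    }
}
```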