Re: Cannot request certificate on client computer
- From: "John Lenz" <lenz4@xxxxxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 16:19:51 -0600
We think alike. I have an old laptop that is an old domain member (same
name) that hasn't been used in some time. I just started it up and joined
the new domain. I got an info panel saying that the credentials need
updating & I should log off & re-logon. I will try to get a certificate in
this old setting, then remove from domain & re-join & try again.
I'll let you know what happens. The key link is the log error message was
for all the XP machines on the network that joined under the Win2K3 server
not Win SBS.
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eJEd%23KrWHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx
I'd try reattaching one client PC first to see if it works, but that
sounds like the issue. (I always try this type of thing on my own PC
first to save evil looks and/or thrown staplers from my co-workers if
something goes wrong).
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:ed7ZnoqWHHA.4028@xxxxxxxxxxxxxxxxxxxxxxx
Sorry, I should have looked at the log sooner. I get this error message in
system:
the computer long... tried to connect to the server \\long2003 using the
trust relationship established by the longsoho domain.
However, the computer lost the correct security identifier (SID) when the
domain was reconfigured. Re-establish the trust relationship.
This message was for all the WinXP machines in my small domain.
I re-loaded the SBS server from a server 2003-sp1 and kept the domain name
for both. Could this be part of the trouble? Should I detach each machine
from the domain and re-attach it?
Also this error from the xp machine I tried to get certificate from:
The session setup from computer LongSat failed to authenticate. The
name(s) of the account(s) referenced in the security database is
longsat$. The following error occurred: access is denied
I do appreciate your help.
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:eN1EJLqWHHA.4076@xxxxxxxxxxxxxxxxxxxxxxx
That article says that if you change the group membership you have to
restart the server. FWIW, I don't have Enterprise Domain Controllers
either. I only have Domain Computers and Domain Users in that security
group.
What's showing in your system and application logs when you try to
request the cert? (I'd check both the server and the client PC).
Between the last server restart and now, do you see any log entries that
could be related at all? Look for schannel, certsvc, or crypt32. You
could also check for any from IAS, ISA Server, or Microsoft Firewall to
see if there's anything useful under those, but if you're not getting
the cert in the first place, those probably won't matter.
Is this Standard or Premium? ISA strict RPC compliance can stop
certificate auto-enrollment, although I'm not sure it would matter to a
manually created request. I'm thinking this might be less of an actual
cert issue and that the thing to troubleshoot is really why that wizard
won't start.
You might browse the results if you google "wizard cannot be started
because there are no trusted certificate authorities available" - there
are quite a few potentially relevant hits there.
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:uZuY$4pWHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
Dave,
I went through the process, but no enterprise domain controller only
enterprise admin. I added that member to dcom group. No change on
request certificate error.
Any other thoughts?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OLCiykpWHHA.4764@xxxxxxxxxxxxxxxxxxxxxxx
Any help here? http://www.jsifaq.com/SF/Tips/Tip.aspx?id=11038
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:OS$gaSpWHHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Dave,
This is still not working.
I can see the certificate on the server via the MMC. On the XP
client, I cannot request a CA per earlier below.
Here is what I did.
1. On server un-install CA & IAS
2. reboot
3. Install IAS & CA according to pages 372-388 (friendly name
LongSOHO; open external firewall ports to server address)
4. reboot
5. verified certificate LongSOHO Root CA on server (actually 2
instances of the certificate)
6. Verified SBS server Certificate on SBS server in personal
certificates (deleted 2 copies from previous day)
7. On re-booted client machines attempted to request a certificate,
it had same error panel. (my XP user account includes domain admin)
8. Launched certsrv web panel on XP client:
- installed trust CA
- requested EFS certificate, installed (CSP - MS enhanced crypto
provider v1.0, key size 1024, CMC, SHA-1)
- requested user certificate, installed
9. in MMC verified 2 certificates in current user and LongSOHO Root
CA in current user
10. built VPN connection per manual:
- checked connect to these servers and selected LongSOHO Root CA
- connection failed - Error 781 no valid certificate
- viewed LongSOHO Root CA details on XP and they match server
certificate details
Any suggestions as to why I cannot use MMC, can add via certsrv and
still not connect?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:u68YTwfWHHA.192@xxxxxxxxxxxxxxxxxxxxxxx
You could try going to http://<sbsname>/certsrv. Click "Download a
CA certificate, certificate chain, or CRL." On the next page,
choose the CA you created on the SBS and click "Download CA
Certificate." In the pop-up, click Open, then Install Certificate.
Let it automatically choose where to install the cert. Once you've
got the CA certificate installed, see if the wizard runs as
described.
I haven't seen the issue you're having, so I don't really have any
first hand knowledge of what's going on. It just seems like this
would be the next logical step.
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:uPpq%23bfWHHA.5092@xxxxxxxxxxxxxxxxxxxxxxx
The certificate does not appear on the client PC trusted root...
certificates. It does appear on the server trusted root...
certificates
The client name is fully qualified.
Any thoughts?
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23FVGSUfWHHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
When you look on the client PC under Certificates (Local
Computer) -> Trusted Root Certification Authorities ->
Certificates, do you see one that uses the name you gave the CA
when you installed it on page 376? Does the client PC have the
proper DNS suffix as described on the bottom of page 379
(computername.domainname.local)?
"John Lenz" <lenz4@xxxxxxxxxxxxxx> wrote in message
news:u6anA2eWHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
I am following MS book on SBS 2003 R2 administrators companion
page 378, Requesting computer and user certificates.
I installed CA on server. Client is correctly attached to domain
as domain admin.
I launch MMC on client computer and add certificates (local
computer) and certificates current user.
When I right-click personal on certificates (local computer) and
request a certificate, I get error panel:
The wizard cannot be started because...
-There are no trusted certificate authorities available
- You do not have permissions to request certificates from
available CAs
- The available CAs issue certificates for which you do not
have permissions
When I created the local certificate on the server machine, the
wizard went through just fine.
Where is the hang-up?
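
The checks discussed across this thread, collected into one client-side script in the order the thread arrives at them: machine trust first, then the root CA in the machine store, then the event sources Dave names. This is an added example, not part of any poster's message. It assumes a current Windows PowerShell run elevated on the domain-joined client; `$CaName` reuses the CA friendly name from the thread, and the `netlogon` source filter is an assumption about where the trust errors are logged.

```powershell
# Added example: client-side triage for "The wizard cannot be started because...".
# Assumption: Windows PowerShell (Get-EventLog is not in PowerShell 7), run elevated.
$CaName = 'LongSOHO'   # CA friendly name as given in the thread

# 1. Machine account trust. The "lost the correct security identifier (SID)"
#    and "failed to authenticate ... access is denied" events quoted in the
#    thread both describe a broken secure channel between client and domain.
$trustOk = Test-ComputerSecureChannel
"Secure channel to domain healthy: $trustOk"

# 2. Root CA in the machine store. The MMC request wizard for
#    Certificates (Local Computer) needs the issuing CA trusted here;
#    installing it through certsrv as a user may only reach the user store.
$machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaName*" })
$userRoots = @(Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$CaName*" })
"Root CA copies in LocalMachine\Root: $($machineRoots.Count)"
"Root CA copies in CurrentUser\Root:  $($userRoots.Count)"
$machineRoots | Format-List Subject, Thumbprint, NotBefore, NotAfter

# 3. Events since yesterday from the sources named in the thread
#    (schannel, certsvc, crypt32), plus netlogon for the trust errors.
$since = (Get-Date).AddDays(-1)
foreach ($log in 'System', 'Application') {
    Get-EventLog -LogName $log -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -match 'schannel|certsvc|crypt32|netlogon' } |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message |
        Format-List
}

# 4. Summary in the order the fixes should be attempted.
if (-not $trustOk) {
    'Trust is broken: re-join the client to the domain before retrying the request.'
} elseif ($machineRoots.Count -eq 0) {
    'Trust is fine but the root CA is missing from the machine store.'
} else {
    'Trust and root CA look correct: check template and CA permissions next.'
}
```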