Re: sbs 2k3 - certificate authority web server template - not being able to issue a certificate
- From: "Pedro M. Leite" <pleite@xxxxxxxxx>
- Date: Mon, 14 May 2007 17:49:04 +0100
Hi
Good Afternoon.
thank you for your information.
I will read it and post back the results.
however, i have managed to make our dc trust the linuxbox ca.
i had to export the root certificate from fedora and import to the trusted
root authorities container, then, export the sub site certificate, and
import to the store.
double clicking on the certificate file and adding would not work.
still, i would like to issue all certificates on the sbs box so i'll check
your instructions.
thank you very much
Pedro Leite
-----------------------------------------------
"Jacky Luo [MSFT]" <v-jaluo@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ME$CWEhlHHA.5432@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Pedro,
Thanks for posting here.
From the description, I understand the issue is that you got event id 53
error when you request certificate. If I am off base, please don't hesitate
to let me know.
Let us refer to the following steps to troubleshoot the issue:
1. Add the following member groups to the CERTSVC_DCOM_ACCESS security
group:
. Domain Users
. Domain Computers
. Enterprise Domain Controllers
2.
. Certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
. Net stop certsvc
. Net start certsvc
You must restart the server for the changes to take effect.
Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access
permissions and DCOM Launch and Activation permissions on the computer that
hosts the certification authority.
a. Click Start, point to Program, point to Administrative Tools, and then
click Component Services.
b. Expand the Component Services node.
c. Expand the Computers node.
d. Right-click the My Computer node, and then click Properties.
e. Click the COM Security tab.
f. Under Access Permission, click Edit Limits.
g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and
Allow Remote Access permissions, and then click Cancel.
h. Under Launch and Activation Permissions, click Edit Limits.
i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation
and Allow Remote Activation permissions, and then click Cancel.
j. Click Cancel, and then close the Component Services console.
3. View any of the Certificate templates by using ADSIEdit.msc or by using
LDP.exe. You can check if the following attributes are missing:
. msPKI-Certificate-Application-Policy
. msPKI-Certificate-Name-Flag
. msPKI-Certificate-Policy
. msPKI-Cert-Template-OID
. msPKI-Enrollment-Flag
. msPKI-Minimal-Key-Size
Note: You can find the Certificate template at the following location:
CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,dc=DomainComponent,dc=DomainComponent
4. Update the templates by reregistering the %windir%\System32\Certcli.dll
file on the CA server. To do this, follow these steps:
a. Click Start, click Run, type cmd , and then click OK.
b. At the command prompt, type the following command, and then press
ENTER:
regsvr32 /i:i /n /s %windir%\system32\certcli.dll
c. Type the following commands. Press ENTER after each command.
net stop certsvc
net start certsvc
d. Type exit , and then press ENTER to close the Command Prompt window.
If the issue persists, please help me collect the following information for
analysis:
Verify that templates have not loaded by enabling debug logging for the
CertSvc service and then restarting the service. To do this, follow these
steps:
1. Click Start, click Run, type cmd , and then click OK.
2. At the command prompt, type the following command, and then press
ENTER:
certutil -setreg ca\debug 0xffffffe3
3. Type the following commands. Press ENTER after each command.
net stop certsvc
net start certsvc
4. Type exit , and then press ENTER to close the Command Prompt window.
Send the %windir%\Certsrv.log file to me at v-jaluo@xxxxxxxxxxxxx
More useful information:
http://support.microsoft.com/?id=931354
http://support.microsoft.com/?id=932457
http://support.microsoft.com/?id=927066
I appreciate your time. I am happy to be of assistance and look forward to
your reply.
Have a nice day!
Best regards,
Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
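
Added example, not part of the original thread: step 3 of the quoted reply asks whether any certificate template is missing one of six msPKI attributes. The sketch below runs that check over an LDIF export of the Certificate Templates container (for example one written by ldifde), including LDIF's folded lines; the sample records, their values and the DC=example,DC=local suffix are constructed.

```python
import re

REQUIRED = [  # the attributes named in step 3 of the quoted reply
    "msPKI-Certificate-Application-Policy", "msPKI-Certificate-Name-Flag",
    "msPKI-Certificate-Policy", "msPKI-Cert-Template-OID",
    "msPKI-Enrollment-Flag", "msPKI-Minimal-Key-Size",
]
# Constructed sample export (not real data); note the two kinds of folded line.
SAMPLE = """\
dn: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,
 CN=Services,CN=Configuration,DC=example,DC=local
objectClass: pKICertificateTemplate
cn: WebServer
msPKI-Certificate-Name-Flag: 1
msPKI-Enrollment-Flag: 0
msPKI-Minimal-Key-Size: 1024
msPKI-Cert-Template-OID: 1.2.3.4.5
msPKI-Certificate-Application-
 Policy: 1.3.6.1.5.5.7.3.1

dn: CN=Machine,CN=Certificate Templates,CN=Public Key Services,
 CN=Services,CN=Configuration,DC=example,DC=local
objectClass: pKICertificateTemplate
cn: Machine
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF record."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        record = {}
        for line in block.splitlines():
            if not line.startswith("#") and ":" in line:
                name, _, value = line.partition(":")
                record.setdefault(name.strip().lower(), []).append(value.lstrip(":< "))
        if record:
            yield record

def missing_attributes(ldif_text):
    """Map template cn -> REQUIRED attributes absent from that record."""
    report = {}
    for rec in parse_ldif(ldif_text):
        if "pkicertificatetemplate" in (c.lower() for c in rec.get("objectclass", [])):
            report[rec["cn"][0]] = [a for a in REQUIRED if a.lower() not in rec]
    return report

if __name__ == "__main__":
    for template, missing in missing_attributes(SAMPLE).items():
        print(template, "->", ", ".join(missing) or "all present")
```

Without the unfolding step the WebServer record would be wrongly reported as lacking msPKI-Certificate-Application-Policy, because that attribute name is split across two lines in the export.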