hpcbpws.ps1 - Install failed, no suitable client or server authentication certificates discovered
- I'm trying to commission the HPC Basic Profile Web Service, and running hpcbpws.ps1 returns "Install failed, no suitable client or server authentication certificates discovered". I'd initially followed the steps outlined in "The Windows HPC Server 2008 Cluster in a Linux Environment" and set up the AD Certificate Services role on our head node. Since our institution doesn't allow dynamic DNS, I didn't think I could make it an Enterprise cert server, so I made it a standalone in the wizard, otherwise following all the instructions in the document.
A certificate is shown in the Server Manager (domain-server-CA), but I still got the "no suitable cert" error. I then read the "HPC Basic Profile Web Service Documentation for CTP2" document, and followed the instructions to bind the cert to https in IIS manager, but the error is still the same.
Any ideas? I'll probably remove and add the cert server role as enterprise (if it will let me) next.
Cheers!
-Eric
- Moved by parmita mehta, Moderator, Tuesday, September 22, 2009 10:27 PM: basic profile .. (From: Windows HPC Server Deployment, Management, and Administration)
All Replies
- I'll forward this on to the team and see if anyone can help. My understanding is that Dynamic DNS is a requirement for AD to function correctly. I'm not sure if the "Enterprise Certificate Server" piece is required.
Thanks,
Josh
-Josh

Hi Eric,
The script is looking for a certificate that can be used for client or server authentication. The following PowerShell script displays all the certificates that are registered:
foreach ($cert in (dir cert:\LocalMachine\my)) {
    write $cert
    write $cert.Extensions | %{$_.EnhancedKeyUsages}
}
The key you are trying to create has a Value of 1.3.6.1.5.5.7.3.1 and FriendlyName Server Authentication or Value 1.3.6.1.5.5.7.3.2 and FriendlyName Client Authentication.
Hope this helps.
-Colin Microsoft HPC

I'm not sure what you mean. When I run your script, it returns:

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\my

Thumbprint                                Subject
----------                                -------
E4063557624C77297370141F0210684A8763AB9E  CN=domain-SERVER-CA, DC=domain, DC=do...

Does that tell me anything about why I'm getting the "no suitable cert" error?

Hi Eric,
You should see 4+ lines per certificate. You need to create and import a key that has the third line with 1.3.6.1.5.5.7.3.1 or 1.3.6.1.5.5.7.3.2.
For example one of my certificates returns:
1011328845688D01C4FE976E9507D2FDF9C850CA
Value : 1.3.6.1.5.5.7.3.2
FriendlyName : Client Authentication
The following is one of a series of videos that should help with creating certificates for HPC BP.
http://channel9.msdn.com/shows/The+HPC+Show/HPC-Basic-Profile-with-Steven-Newhouse-25-the-SDK/
-Colin Microsoft HPC
- Proposed As Answer by Josh Barnard MSFT, Owner, Thursday, October 15, 2009 4:57 PM
- Marked As Answer by Josh Barnard MSFT, Owner, Tuesday, October 27, 2009 5:40 PM
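
A more selective version of the listing script from the thread, as an added example that is not part of the original posts and is not the logic of hpcbpws.ps1: it marks which certificates in LocalMachine\My carry either of the two EKU OIDs named in the answer. The function name Get-AuthCertReport and the HasPrivateKey and InValidityPeriod columns are assumptions added for illustration.

```powershell
# Added example (not from the thread, not taken from hpcbpws.ps1).
# Requires PowerShell 3.0 or later for [pscustomobject].
function Get-AuthCertReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # The two EKU OIDs named in the answer.
    $wanted = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # OIDs listed in the Enhanced Key Usage extension; empty if the
        # certificate has no such extension (as with the CA certificate
        # in the output posted above, which printed no Value lines).
        $ekuOids = @(
            $cert.Extensions |
                Where-Object { $_ -is $ekuType } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        $matched = @(
            $ekuOids |
                Where-Object { $wanted.ContainsKey($_) } |
                ForEach-Object { $wanted[$_] }
        )

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            AuthEku          = if ($matched.Count) { $matched -join ', ' } else { '(none)' }
            # Extra columns, assumed useful when picking a certificate to bind:
            HasPrivateKey    = $cert.HasPrivateKey
            InValidityPeriod = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        }
    }
}

# One row per certificate; AuthEku shows '(none)' where neither OID is present.
Get-AuthCertReport | Format-Table -AutoSize
```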

