Monday, June 29, 2009 10:25
I'm trying to set up a CWA server for a pilot-OCS roll out. I want to use certs from our own internal root CA (domain) like I've been doing with many pilot projects that needed certificates. The front-end OCS 2007 R2 server we already have up and running within the same pilot project already uses the domain root CA to issue certs to OCS clients.
So I was running through the docs until I came to this step : http://technet.microsoft.com/en-us/library/dd441293(office.13).aspx
When I run the command, I get an error telling me I don't have enough privileges.
Now this error is common if you have a look at this : http://technet.microsoft.com/en-us/library/dd441378(office.13).aspx
So you'd think I have not installed the Cert-chain. Especially since our root CA is Win2003 and the CWA server is Win2008. But I have installed the Cert-chain. And the domain Root-CA shows up just fine in the Certificates MMC snap-in. It's valid too.
Actually the Cert-chain was already present since the server is a domain-member, but I added it by hand just the same. Still get the error.
I'm stuck. Seems such a no brainer this step and I've used the domain Root-CA many times before. So either something's broken, or I just don't get it.
Any thoughts?
All replies
Wednesday, July 1, 2009 13:41 Moderator
I assume you are running this command from the CWA server. Since the key is marked as exportable in the request, try running the same command from your OCS Front-End server and see if you get the same errors. If not, you can export the cert and key to a file and then import it into the CWA server manually to get around the issue. Check that the certificate chain checks out ok on the imported cert.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Monday, July 6, 2009 17:46
Try launching a command prompt with elevated privileges and then running the LCSCmd.exe. I've run into some problems on Server 2008 deployments with some of the utilities if you don't run them as admin.
I'd also double check you're using an account that has permission to request the certificate from the CA.
Tuesday, July 7, 2009 15:29
Well the problem turned out to be something trivial.
One of the arguments for lcscmd.exe is that you specify the FQDN of your CA server. I tried several names. I tried things like;
and you name whatever combinations.
All to no avail. The docs say you just need to enter the FQDN.
A few days later I was renewing a Cert on another IIS webserver in the GUI. While following the wizard for this it pops up with which online CA root server you want to use. And here the format is;
So this gave me an idea to also use this format in the LcsCmd. And voila, that did the trick. With hindsight, it might sound logical, but once again, the docs explicitly state you only need to enter the FQDN.
- Proposed as answer by Tom Pacyk, MVP, Tuesday, July 7, 2009 20:42
Thursday, November 26, 2009 13:49 Moderator
Yes, that is how it works. You can use certutil to find out the correct syntax under "Config".
TechNet Forum Moderator - http://www.leedesmond.com