Ongoing access denied CWA Certificate
-
Monday, June 29, 2009 10:25 AM
I'm trying to set up a CWA server for a pilot-OCS rollout. I want to use certs from our own internal root CA (domain) like I've been doing with many pilot projects that needed certificates. The front-end OCS 2007 R2 server we already have up and running within the same pilot project already uses the domain root CA to issue certs to OCS clients.
So I was running through the docs until I came to this step: http://technet.microsoft.com/en-us/library/dd441293(office.13).aspx
When I run the command, I get an error telling me I don't have enough privileges.
Now this error is common if you have a look at this: http://technet.microsoft.com/en-us/library/dd441378(office.13).aspx
So you'd think I have not installed the Cert-chain. Especially since our root CA is Win2003 and the CWA server is Win2008. But I have installed the Cert-chain. And the domain Root-CA shows up just fine in the Certificates MMC snap-in. It's valid too.
Actually the Cert-chain was already present since the server is a domain-member, but I added it by hand just the same. Still get the error.
I'm stuck. Seems such a no-brainer this step and I've used the domain Root-CA many times before. So either something's broken, or I just don't get it.
Any thoughts?
All replies
-
Wednesday, July 1, 2009 1:41 PM Moderator
I assume you are running this command from the CWA server. Since the key is marked as exportable in the request, try running the same command from your OCS Front-End server and see if you get the same errors. If not, you can export the cert and key to a file and then import it into the CWA server manually to get around the issue. Check that the certificate chain checks out ok on the imported cert.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
-
Monday, July 6, 2009 5:46 PM
Try launching a command prompt with elevated privileges and then running the LCSCmd.exe. I've run into some problems on Server 2008 deployments with some of the utilities if you don't run them as admin.
I'd also double check you're using an account that has permission to request the certificate from the CA.
-
Tuesday, July 7, 2009 3:29 PM
Well the problem turned out to be something trivial.
One of the arguments for lcscmd.exe is that you specify the FQDN of your CA server. I tried several names. I tried things like;
<machinename>
<machinename.domain.com>
<machinename>\Certenroll
<machinename>/Certenroll
<machinename>\Certsrv
<machinename>/Certsrv
and you name whatever combinations.
All to no avail. The docs say you just need to enter the FQDN.
A few days later I was renewing a Cert on another IIS webserver in the GUI. While following the wizard for this it pops up with which online CA root server you want to use. And here the format is;
<machinename>\<CARootname>
So this gave me an idea to also use this format in the LcsCmd. And voila, that did the trick. With hindsight, it might sound logical, but once again, the docs explicitly state you only need to enter the FQDN.
- Proposed as answer by Tom Pacyk MVP Tuesday, July 7, 2009 8:42 PM
-
Thursday, November 26, 2009 1:49 PM Moderator
Yes, that is how it works. You can use certutil to find out the correct syntax under "Config".
TechNet Forum Moderator - http://www.leedesmond.com
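
As an added example that is not part of the original thread, the PowerShell below pulls the `Config` values out of certutil output and checks candidate CA strings against them, which shows why only the `<machinename>\<CARootname>` form is accepted. The sample dump, host name and CA name are constructed, and the quoted `Config:` line layout is an assumption about certutil's output.

```powershell
# Added example: find the CA config string ("<host>\<CA name>") that tools
# such as LCSCmd expect, instead of guessing at the format.
# Assumption: each CA entry in the dump has a line like
#   Config:   "<host>\<CA name>"
# (some builds quote with ` and ' rather than double quotes).

function Get-CAConfigString {
    param([string[]]$DumpLines)
    foreach ($line in $DumpLines) {
        # Capture the text between the quotes that follow "Config:"
        if ($line -match '^\s*Config:\s*["`](?<cfg>[^"'']+)["'']\s*$') {
            $Matches['cfg']
        }
    }
}

function Test-CAConfigString {
    # True only when the candidate equals a config string the dump published
    param([string]$Candidate, [string[]]$Known)
    return ($Known -contains $Candidate)   # -contains ignores case for strings
}

# Constructed sample output; on a domain member use instead:
#   $dump = certutil -dump
$dump = @'
Entry 0:
  Name:                   "Example Root CA"
  Config:                 "ca01.example.test\Example Root CA"
  Server:                 "ca01.example.test"
CertUtil: -dump command completed successfully.
'@ -split '\r?\n'

$known = @(Get-CAConfigString -DumpLines $dump)

# The kinds of values tried in the thread, plus the form that worked
$candidates = @(
    'ca01.example.test',
    'ca01.example.test\Certsrv',
    'ca01.example.test/Certsrv',
    'ca01.example.test\Example Root CA'
)
foreach ($c in $candidates) {
    $verdict = if (Test-CAConfigString -Candidate $c -Known $known) { 'matches a published CA config' } else { 'not a CA config string' }
    '{0,-40} {1}' -f $c, $verdict
}
```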