IIS 7 with AD CS: Unable to download HTTP CRT and CRL RRS feed

  • Spørgsmål

  • Greetings,

    I’m trying to resolve AIA and CDP “unable to download” status messages the customer sees the subordinate issuing Certificate Authorities (CAs) report on the standalone root CA under “Enterprise PKI” in the AD CS management console.

    In the MMC Enterprise PKI, the subordinate issuing CA locations display a status of "OK"; however the root CA locations display these issues:

    AIA Location #2 – unable to download –
    CDP Location #2 – unable to download –

    I can view both RootCA.crt and RootCA.crl files in the physical location for this URL – C:\windows\system32\certsrv\CertEnroll.

    The name resolves correctly with NSLOOKUP from the subordinate CAs.

    The subordinate CA’s Default Web Site has the following modifications:

    1.    Bindings…: added https, all unassigned IP addresses and SSL

    2.    HTTP Redirect:

    The redirect setting is not ideal and the error I get when I try to change the redirect may be related to the “unable to download” error. I usually set the redirect to; however, browsing to this page or clicking “Home” from the top right of the CA Web enrollment pages or browsing these same URLs with HTTP, displays a “403 – Forbidden: Access is denied”. The Default.asp file is listed in C:\windows\system32\certsrv folder and browsing to correctly displays the Web enrollment page.

    I have tried to compare each IIS setting and several file permissions between production and lab and can’t find differences. The production CA servers continue to error.

    FYI, my question originally began in this Windows Server 2008 R2 Community with the thread “AD CS: Missing Domain Computers and Domain Users Containers” ( where Sean Xu asked that I repost as an IIS question.

    What steps do you recommend to get rid of the “unable to download” message for the HTTP locations and the “access is denied” message for the CA Web enrollment home page?

    If you need files or logs, please provide a private repository or email address.

    Thank you in advance for your assistance,


    • Flyttet af Sean_Xu 17. januar 2012 16:17 IIS related (发件人:Windows Server 2008 R2)
    17. januar 2012 09:28


  • Hi,

    I'd suggest you run WFetch on the problem machine to troubleshoot connection issue.

    For the 403 error, it is probably that the default.asp doesn't exist in the default document list. You can check the sub status code of failed request in IIS log, the sub status code reveal the exact reason that a request is unsuccessful.

    The HTTP status codes in IIS 7.0 and in IIS 7.5

    If your problem persists, please post the relevant IIS log entries here, you can remove the sensitive data from the log entry.


    Leo Tang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    18. januar 2012 10:29