locked
hpcbpws.ps1 - Install failed, no suitable client or server authentication certificates discovered RRS feed

  • Question

  • I'm trying to commission the HPC Basic Profile Web Service, and running hpcbpws.ps1 returns "Install failed, no suitable client or server authentication certificates discovered".  I'd initially followed the steps outlined in "The Windows HPC Server 2008 Cluster in a Linux Environment" and set up the AD Certificate Services role on our head node.  Since our institution doesn't allow dynamic DNS, I didn't think I could make it an Enterprise cert server, so I made it a standalone in the wizard, otherwise following all the instructions in the document.

    A certificate is shown in the Server Manager (domain-server-CA), but I still got the "no suitable cert" error.  I then read the "HPC Basic Profile Web Service Documentation for CTP2" document, and followed the instructions to bind the cert to https in ISS manager, but the error is still the same. 

    Any ideas?  I'll probably remove and add the cert server role as enterprise (if it will let me) next.

    Cheers!  -Eric
    • Moved by parmita mehtaModerator Tuesday, September 22, 2009 10:27 PM basic profile .. (From:Windows HPC Server Deployment, Management, and Administration)
    Friday, September 18, 2009 7:19 PM

Answers

All replies

  • I'll forward this on to the team and see if anyone can help.  My understanding is that Dynamic DNS is a requirement for AD to functoin correctly.  I'm not sure if hte "Enterprise Certificate Server" piece is required.

    Thanks,
    Josh
    -Josh
    Thursday, October 1, 2009 10:34 PM
    Moderator
  • Hi Eric,

    The script Is looking for a certificate that can be used for client or server authentication.

     

    The following powershell script displays all the certificates that are registered:

     

    foreach ($cert in (dir cert:\LocalMachine\my)) {

      write $cert

      write $cert.Extensions | %{$_.EnhancedKeyUsages}

    }

     

    The key you are trying to create has a Value of  1.3.6.1.5.5.7.3.1 and FriendlyName Server Authentication or Value  1.3.6.1.5.5.7.3.2 and FriendlyName  Client Authentication.

    Hope this helps.


    -Colin Microsoft HPC
    Thursday, October 1, 2009 10:54 PM
    Moderator
  • I'm not sure what you mean.  When I run your script, it returns:

        Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\my
    
    
    Thumbprint                                Subject
    ----------                                -------
    E4063557624C77297370141F0210684A8763AB9E  CN=domain-SERVER-CA, DC=domain, DC=do...
    Does that tell me anything about why I'm getting the "no suitable cert" error?
    Wednesday, October 14, 2009 3:25 PM
  • Hi Eric,

    You should see 4+ lines per certificate. You need to create and import a key that has the third line with  1.3.6.1.5.5.7.3.1 or 1.3.6.1.5.5.7.3.2.

    For example one of my certificates returns:

    1011328845688D01C4FE976E9507D2FDF9C850CA

    Value        : 1.3.6.1.5.5.7.3.2
    FriendlyName : Client Authentication

    The following is one of a series of videos that should help with creating certificates for HPC BP.
    http://channel9.msdn.com/shows/The+HPC+Show/HPC-Basic-Profile-with-Steven-Newhouse-25-the-SDK/


    -Colin Microsoft HPC
    Wednesday, October 14, 2009 11:56 PM
    Moderator