Installing certificates using IIS7

  • Question

  • Hi,

     

    I am trying to install certificates for my Exchange server as per the deployment guide. My setup includes only W2k8 machines. My Active Directory is the certificate authority and uses IIS7.

     

    When I do https://<ip-certauth>/certsrv > Request New Certificate > Create and Submit a Request to this CA > Advanced Certificate Request, I get the following error:

     

    "No certificate templates could be found. You do not have permission to request certificate from this CA or an error occurred while trying to access Active Directory."

     

    I am not sure whether the problem is with the certificate authority or with IIS. Any help would be great. Thanks.

    Tuesday, November 11, 2008 4:48 PM

Answers

  • I've solved the problem - without understanding the reasoning. I am able to get the website to install the certificate on the exchange machine. On IIS7, I went to CertSrv, right clicked on ASP and clicked on the "connect as" button. On the following window I specified Administrator and password, and it worked. Hope this is useful to someone.

     

    Thanks!

    Thursday, November 13, 2008 8:06 PM

All replies

  • Hi,

    How did you authenticate against the certsrv site, Anonymously, normal account or domain admin account? Do you have the necessary Enroll permissions on the certificate template? Have a look at the properties of the template and look at the permissions, the account you logged on with at the website should have Enroll permissions.

    Sincerely,
    Tonino Bruno
    Tuesday, November 11, 2008 10:00 PM
  • Hi Tonino,

     

    I am new to Server 2008 and IIS7. How do I verify that the account logged on (Administrator) has enroll permissions?

     

    Thanks,

    Akshai

    Tuesday, November 11, 2008 10:19 PM
  • For the moment I don't have access to my servers but I figure it should be similar to Windows 2003.

    First when you open your CA console and look at the Certificate Templates you should have several listed. If not you right click on the certificate templates and choose "Certificate Template to issue" and you select the one you need.

    Next open the management console (Start --> Run --> MMC) and add the Certificates Template snap-in to the list. Open the certificate template you want to use and look at the security tab. When you look closely you will find the "Enroll" permission for the various users and groups on this security tab. Just make sure that your account (administrator) has that specific right either explicitly OR inherited by being a member of one of the other groups such as "Domain Admins" or "Administrators".

    Also look at this support article which is for Windows 2003 but may still be applicable for Windows 2008.
    http://support.microsoft.com/kb/811418

    Sincerely,
    Tonino Bruno


    Tuesday, November 11, 2008 10:45 PM
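
The permission check described in the reply above can also be done from PowerShell by reading the template's access control list in Active Directory. This is an added example, not part of the original thread; the template name `WebServer` is an assumption, and Deny entries and the group membership of the account in question still have to be evaluated by hand.

```powershell
# Added example, not from the thread. Run on a domain-joined machine.
# Assumption: the template's CN is "WebServer"; pass another name if needed.
param([string]$TemplateName = 'WebServer')

# Control access right GUIDs for certificate enrollment in the AD schema.
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the forest-wide configuration partition.
$config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates," +
        "CN=Public Key Services,CN=Services,$config"
if (-not [ADSI]::Exists($path)) { throw "Template not found: $path" }

# Read the template's DACL as raw SIDs so unresolvable accounts do not abort.
$acl  = ([ADSI]$path).psbase.ObjectSecurity
$aces = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

foreach ($ace in $aces) {
    # Only Allow ACEs that carry the extended-right bit can grant Enroll.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }

    $guid = $ace.ObjectType.ToString()
    if ($guid -eq [Guid]::Empty.ToString()) {
        # No object GUID means every extended right (e.g. Full Control).
        $right = 'All extended rights (includes Enroll)'
    } elseif ($rights.ContainsKey($guid)) {
        $right = $rights[$guid]
    } else { continue }

    # Show a readable account name where the SID resolves, else the SID.
    $sid = $ace.IdentityReference
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }

    New-Object PSObject -Property @{
        Account = $name; Right = $right; Inherited = $ace.IsInherited
    }
}
```

Running `certutil -CATemplates` on the CA lists the templates it is currently configured to issue, which covers the first step of the reply.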
  •  

    Hi,

     

    I figured out part of the problem, but now I encounter another one. It appears that the Users have permission to certsrv\en-US directory for Read and Execute, List folder contents, and Read and Administrators have Special permissions (I don't know what this means). I added the Administrator to the users group. I then follow the following steps from the deployment guide:

     

    1. Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.
    2. Under Select a task, click Request a Certificate.

    3. Under Request a Certificate, click Advanced certificate request.

    4. Under Advanced Certificate Request, click Create and submit a request to this CA.

    5. Under Advanced Certificate Request, select Web server or another server certificate template configured for server authentication.

    6. Under Identifying Information for Offline Template, in the Name box, type the FQDN of the Exchange Server. You must enter the FQDN of the Exchange Server for communications to work.

    7. Under Key Options, click the Store certificate in the local computer certificate store checkbox.

    8. Click the Submit button in the bottom of the Web page.

    9. A dialog box will open asking for confirmation. Click Yes to continue to go to Certificate Issued page.

    10. Under Certificate Issued, click Install this certificate.

    11. A dialog box will open asking for confirmation. Click Yes.

    12. Verify that the page says "Your new certificate has been successfully installed."

    After step 8, I get the message:

    "Your request has failed. An error occurred while the server was processing the request. Contact your administrator for further assistance...Result: The format of the specified domain name is invalid. 0x800704bc (WIN32:1212)"

     

    Thanks for your help in advance.

    Wednesday, November 12, 2008 4:50 PM
  • So what did you specify in step 6?

    Sincerely,
    Tonino Bruno
    Wednesday, November 12, 2008 10:21 PM
  • Hi,

     

    I specified the fqdn of exchange server as required.

     

    Thanks.

    Wednesday, November 12, 2008 10:23 PM
  • What was the exact string you entered? The error is related to the format (versus the content) so it's possible you just have an invalid character in the string.

     

    Thursday, November 13, 2008 1:44 PM
    Moderator
  • Hi,

     

    I have a machine called exch and my domain name is ocs.com. I entered exch.ocs.com. Thanks for your help in advance!

     

    Akshai

     

     

    Thursday, November 13, 2008 3:31 PM