Web Access Certificate Issue

  • Question

  • Hi all,

    I'm trying to install CWA on a separate VMware'd machine from our OCS 2007 install. I'm having trouble issuing the required certificates, which I believe comes from the fact that our internal certificate authority is not an 'enterprise root CA' but is a 'standard root CA'.
    I have tried setting up an enterprise subservient CA, linking to the original root CA, but this caused problems through autoenrollment, and when certificates began appearing for domain controllers we got a little jumpy and disabled it.

    1. Am I right in thinking the authority used to issue the certificate for CWA needs to be an enterprise CA (the standard CA did not appear to have the correct template available - no 'web server')?
    2. Is it a realistic configuration to have an enterprise CA underneath a standard one without this causing issues? Disabling the standard CA is not an option as this is used for Outlook Web Access in our external sites.
    3. If this is not a realistic option, do I have any options left to get the internal certificate I need to get this working?

    Thanks for the help.

    Joel
    Thursday, July 31, 2008 3:23 PM

Answers

  • Hi Joel,

    I'm pretty sure that you're ok with standard root CA; however, you will need to use the WebServer template. My guess is that you do actually have the template though because this is the one that the OWA server would be using.

    I would suggest using the same process that you used to issue the OWA cert...

    Are you requesting this MTLS cert from within IIS on the CWA server?

    Regards,

    Matt

    Thursday, July 31, 2008 4:54 PM

All replies

  • Domain Controllers that do autoenrollment are not a problem; that is as designed, and the certificate makes it possible to do LDAPS connections to your DCs from scripts (nothing else, so there is absolutely no harm).

    Enterprise Root CA is the easiest thing to do.

    But I am surprised that you can request a "Web Server" cert from a Standard CA.

    Might need to look at security on your "Web Server" template.

    This template is very standard and normally generally available.

    Thursday, July 31, 2008 10:02 PM
  • Enterprise Root is not an option - we cannot run an Enterprise root and a standard root within the same domain, as I can see this causing problems.
    Autoenrollment is probably doing nothing that's going to cause any harm - but as this will be a temporary CA specifically to trial CWA, I'd rather not have lots of defunct certificates floating about the place.

    I've also been getting an issue when logging in to the certsrv folder on the CA, with an error saying no templates are available; not sure how to fix that yet. I found a knowledgebase article referencing the error, but it implied I needed to check the DnsHostName value in Active Directory and the sServerName value in a .dat file on the server itself and check they were the same. They're different (one has a /<servername> on the end), but removing this causes the web server to just report a general error.
    Friday, August 1, 2008 8:03 AM
  • Running the two together does not cause problems; they can live perfectly next to each other (Enterprise Root and Standard Root).

    You can also perfectly install an Enterprise Subordinate CA that is dependent on the Standard Root CA; this is a very supported install.

    How many Certificate servers do you have installed for the moment?

    Friday, August 1, 2008 8:36 AM
  • I've managed to get it working, thanks for the help. I issued the certificate through IIS rather than attempting to use the /certsrv directory and that worked fine.

    Thanks,

    Joel
    Friday, August 1, 2008 9:13 AM