From: "Charles Yang [MSFT]" on
Hi,

Thanks for updates.

After carefully checking your log, we did not find any related information,
please note that it might take some time to do the task.

For this issue, I have some suggestions below:

Can I assume that you want to set up the SBS 2003 premium as a CA server,
so that when users log on to the website, they require the certificate? For which
purpose do you want to use this certificate, for a VPN issue or for a
website? From your log, it seems to be used for IPSec VPN.

1. Please change the website you use for web enrollment's authentication
method from anonymous to Windows Authentication.
2. Please refer to the KB article below to check the permission setting for
CA, make sure that you have gone through the article to double check it:

Q239706 Default Permission Settings for Enterprise Certificate Authority
http://support.microsoft.com/default.aspx?scid=kb;EN-US

3. If the issue still exists, please follow the steps to reinstall the CA
server:

A. Opened regedit and went to HKLM\system\CCS\services and deleted the
certsrv key
B. Opened the file system and deleted c:\winnt\system32\certserv folder and
contents
C. Opened up AD sites and services and deleted and in services\public key
services

Please delete all the contents of the containers leaving the empty
containers with the exception of the templates container. Note, please
perform a backup for registry.

If the issue still exists, you have to refer to the KB article below to
change the log level of certificate, then reproduce the issue and check the
event log again.

305018 How to Change the Event Logging Level for Certificate Services
http://support.microsoft.com/?id=305018

Thanks for your efforts. I will be here waiting for updates.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Wed, 21 Sep 2005 11:33:30 +0100
|
| I've sent you the logs as you requested Charles...
|
| Thanks for the help
|
| ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| > HI PG,
| >
| > Thanks for updates.
| >
| > In order to make the issue more clear, could you send me the application
| > log and system event log so that we can isolate the issue more clearly,
| > you can compress the log files and send to my mailbox.
| >
| > v-chayan(a)microsoft.com
| >
| > Thanks for your understanding.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > --------------------
| > | From: "PG" <*@*.*>
| > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| > |
| > | Thanks for your reply Charles
| > |
| > | Responses to your questions follow, and are in line:
| > |
| > |
| > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
| > | > HI PG,
| > | >
| > | > Welcome to SBS newsgroup.
| > | >
| > | > Issue description:
| > | > ================
| > | >
| > | > I understand that you encountered some problem when using CA on SBS 2003
| > | > premium.
| > | >
| > | > Analyzing and suggestions:
| > | > ================
| > | >
| > | > Generally speaking, the error you encountered can be caused by many
| > | > factors, in order to make the issue more clear, please refer to my
| > | > suggestions below to gather more information:
| > | >
| > | > 1. If possible, please send me the event log for further research, it
| > | > should include more information which can help us determine which kinds of
| > | > error you encountered, you can send the log files to my email box.
| > | > v-chayan(a)microsoft.com.
| > |
| > | There is nothing recorded in the logs when the errors occur.
| > |
| > | > 2. Does the issue occur from the client's computer or from the server
| > | > side?
| > |
| > | Both! It occurs when I request a certificate from the client and from the
| > | server! :( Via Web request or MMC snap-in
| > |
| > |
| > | >
| > | >
| > | > Let's first check the following:
| > | >
| > | > 1. Go to the CA Server, go to Services.msc console, make sure that the
| > | > Certificate Service is started.
| > |
| > | Check
| > |
| > | > 2. Open Certificate Authority, make sure that it can be opened.
| > |
| > | Check
| > |
| > | > 3. If you are using Enterprise CA, go to the Certificate Template in the
| > | > Certificate Authority, make sure that necessary Certificate Template is
| > | > added and listed in the right panel.
| > |
| > | Check
| > |
| > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
| > | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
| > | > select Computer Account and click next. Select Local Computer, click Finish
| > | > and then Close.
| > |
| > | Check
| > |
| > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
| > | > the Root certificate exists. Its 'issued by' and 'issued to' should be
| > | > itself. Then please check if the root certificate is still alive. If it is
| > | > expired, right click the Certificate, select All Tasks -> Renew Certificate
| > | > with Same Key. Then renew the user certificate and let me know how
| > | > everything is going.
| > | > NOTE: Please check the Certificate Authority to make sure that these client
| > | > certificates are not revoked before you renew the certificate.
| > | >
| > | > If the issue still exists, please check if the CA computer where you start
| > | > the Certificate Web Enrollment from is set to trust for delegation. To do
| > | > so:
| > | > 1. Log on as a domain administrator or equivalent account.
| > | > 2. Click Start, point to Programs, point to Administrative Tools, and then
| > | > click "Active Directory Users and Computers".
| > | > 3. In the left pane, locate the container or organizational unit (OU) on
| > | > which you want to enable delegation.
| > | > 4. Right-click the computer account name, and then click Properties.
| > | > 5. On the General tab, click Trust computer for delegation.
| > | > 6. Click OK.
| > | > 7. Quit Active Directory Users and Computers.
| > | >
| > | > For more info, please refer to:
| > | > 300867 Error Message: The Certification Authority Service Has Not Been
| > | > Started
| > | > http://support.microsoft.com/?id=300867
| > |
| > | The certificate is alive until 16/9/2010! So I didn't renew it.
| > |
| > |
| > | >
| > | >
| > | > This issue may also occur if the Domain Users group on the child domain
| > | > does not have the right to enroll a user template. To have a check:
| > | >
| > | > 1. Logon to CA Server as Enterprise Administrator
| > |
| > | check
| > |
| > | > 2. Click Start, click Programs, click Administrative Tools, and then click
| > | > the "Active Directory Sites and Services" snap-in.
| > |
| > | check
| > |
| > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
| > | > click View, and then click "Show Services Mode". This allows you to view
| > | > the Services folder, which is hidden from view by default.
| > |
| > | Check
| > |
| > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
| > | > click Public Key Services, and then click Certificate Templates. This
| > | > reveals the complete list of published certificate templates in Active
| > | > Directory.
| > |
| > | Check
| > |
| > | > 5. Double-click the User certificate template to view the properties.
| > |
| > | Check
| > |
| > | > 6. On the Security tab, click Add to add the Domain Users group to the
| > | > list.
| > |
| > | The group domain users wasn't there so I added it
| > |
| > | > 7. For the Domain Users group, select the Read and Enroll rights.
| > |
| > | When I tried to apply the changes it gave the following error:
| > |
| > | "Unable to save permission changes on
| > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
| > | TEMPLATES,CN=PUBLIC KEY
| > | SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| > |
| > | ACCESS IS DENIED"
| > |
| > |
| > | > 8. Restart the computer.
| > |
| > | Didn't do it because no changes were made!
| > |
| > | >
| > | > For more info, please refer to:
| > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
| > | > Request
| > | > http://support.microsoft.com/?id=271861
| > | >
| > | > NOTE: Request from MMC only works if it is an Enterprise CA. For a stand-alone
| > | > CA, you must request the certificate by Web.
| > | >
| > | > I appreciate your understanding and please paste your results at your
| > | > convenience. It is important for us to isolate the issue. I am glad to help
| > | > you.
| > | >
| > | >
| > | >
| > | > Best regards,
| > | >
| > | > Charles Yang (MSFT)
| > | >
| > | > --------------------
| > | > | From: "PG" <*@*.*>
| > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| > | > |
| > | > | Hi everybody,
| > | > |
| > | > | When I try to request a certificate from my Enterprise CA installed on
| > | > | SBS2003Premium it gives the following error: "No certificate templates could
| > | > | be found. You do not have permission to request a certificate from this CA,
| > | > | or an error occurred while accessing the Active Directory." I went and
| > | > | searched for a solution and found this Microsoft article
| > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
| > | > | help because the name of the server is the same in the certdat.inc and in
| > | > | the AD!!! :(
| > | > |
| > | > | When I go to the certification authority and click on "manage" on the
| > | > | certificate templates, Windows says that it detected that new certificate
| > | > | templates should be installed, and asks if I want to install them now, and I
| > | > | say "Yes", and gives an error saying "Windows could not install the new
| > | > | certificate templates. Access is denied" :( I'm doing this as enterprise admin
| > | > | and it says access denied!!!!! :( :(
| > | > |
| > | > | I've tried to reinstall the CA and the errors are still the same!
| > | > |
| > | > | Can anyone help me with this issue, please?
| > | > |
| > | > | Thanks in advance for any help you can give me....
| > | > |
|
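
The template permission check that the quoted steps walk through on the Security tab (Read and Enroll for Domain Users, and the "Access is denied" when saving) can also be read directly from the directory. The PowerShell below is an added example, not part of the original thread or any Microsoft tool; it assumes a domain-joined machine with read access to the Configuration partition, and the function names `Resolve-Sid` and `Get-TemplateAclReport` are hypothetical.

```powershell
# Added example (not from the thread): list the owner and the relevant ACEs
# of every certificate template object in Active Directory.
# Assumes a domain-joined host and read access to the Configuration partition.

# Extended-right GUIDs defined by the Active Directory schema.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$Rights         = [System.DirectoryServices.ActiveDirectoryRights]

function Resolve-Sid {
    # Translate a SID to DOMAIN\name; fall back to the raw SID string if it
    # cannot be resolved (deleted account, unreachable domain).
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

function Get-TemplateAclReport {
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($tpl in $container.psbase.Children) {
        $sd    = $tpl.psbase.ObjectSecurity
        $owner = Resolve-Sid ($sd.GetOwner($sidType))

        # Explicit and inherited ACEs, identities returned as SIDs.
        foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
            $r      = $ace.ActiveDirectoryRights
            $labels = @()

            if ($r -band $Rights::ExtendedRight) {
                # An empty ObjectType GUID means "all extended rights".
                $all = ($ace.ObjectType -eq [guid]::Empty)
                if ($all -or $ace.ObjectType -eq $EnrollGuid)     { $labels += 'Enroll' }
                if ($all -or $ace.ObjectType -eq $AutoEnrollGuid) { $labels += 'AutoEnroll' }
            }
            if ($r -band $Rights::ReadProperty)  { $labels += 'Read' }
            # Rights needed to edit the template or its Security tab.
            if ($r -band $Rights::WriteProperty) { $labels += 'WriteProperty' }
            if ($r -band $Rights::WriteDacl)     { $labels += 'WriteDacl' }
            if ($r -band $Rights::WriteOwner)    { $labels += 'WriteOwner' }

            if ($labels.Count -eq 0) { continue }

            [pscustomobject]@{
                Template  = [string]$tpl.psbase.Properties['cn'].Value
                Owner     = $owner
                Principal = Resolve-Sid $ace.IdentityReference
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
                Rights    = $labels -join ','
            }
        }
    }
}
```

Filtering the output to `Template -eq 'User'` shows which principals hold Enroll on that template and which hold WriteDacl; an account that is missing from the second group will get "Access is denied" when it tries to save permission changes.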

From: PG on
Hi Charles,

I started to go through the points you referred to below and on the second
point (Permissions settings) everything checked out ok except for the
certificate templates permissions again, I'm unable to change permissions
on some certificates, but others are ok! I'm sending you some compressed
pictures to your e-mail so you can try and see if this is normal, or not.
I didn't want to continue following your suggestions (to reinstall the
CA) before you had a look at the pictures I sent you.

Thanks
PG

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> Hi,
>
> Thanks for updates.
>
> After carefully checking your log, we did not find any relate information,
> please note that it might take some time to do the task.
>
> For this issue, I have some suggestion below:
>
> Can I assume that you want to set up the SBS 2003 premium as a CA server,
> so that when user logon to website, they require the certificate, which
> purpose you want to use for this certificate for VPN issue or for a
> website? From your log, it seems to be used for IPSec VPN.
>
> 1. Please change the website you use for web enrollment's authentication
> method from anonymous to Windows Authentication.
> 2. Please refer to the KB article below to check the permission setting
> for
> CA, make sure that you have go through the article to double check it:
>
> Q239706 Default Permission Settings for Enterprise Certificate Authority
> http://support.microsoft.com/default.aspx?scid=kb;EN-US
>
> 3. If the issue still exists, please follow the steps to reinstall the CA
> server:
>
> A. Opened regedit and went to HKLM\system\CCS\services and deleted the
> certsrv key
> B. Opened the file system and deleted c:\winnt\system32\certserv folder
> and
> contents
> C. Opened up AD sites and services and deleted and in services\public key
> services
>
> Please deleted all the contents of the containers leaving the empty
> containers with the exception of the templates container. Note, please
> perform a backup for registry.
>
> If the issue still exist, you have to refer to the KB article below to
> change the log level of certificate then reproduce the issue check the
> event log again.
>
> 305018 How to Change the Event Logging Level for Certificate Services
> http://support.microsoft.com/?id=305018
>
> Thanks for your efforts. I will be here waiting for updates.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "PG" <*@*.*>
> | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | Lines: 401
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | X-RFC2646: Format=Flowed; Original
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | Message-ID: <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: 62.48.233.71
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155186
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | I've sent you the log's as you requested Charles...
> |
> | Thanks for the help
> |
> | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > HI PG,
> | >
> | > Thanks for updates.
> | >
> | > In order to make the issue more clear, could you send me the
> application
> | > log and system event log so that we can isolate the issue more
> clearly,
> | > you
> | > can compress the log files and send to my mailbox.
> | >
> | > v-chayan(a)microsoft.com
> | >
> | > Thanks for your understanding.
> | >
> | >
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | >
> | > ======================================================
> | > This newsgroup only focuses on SBS technical issues. If you have
> issues
> | > regarding other Microsoft products, you'd better post in the
> corresponding
> | > newsgroups so that they can be resolved in an efficient and timely
> manner.
> | > You can locate the newsgroup here:
> | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
> | >
> | > When opening a new thread via the web interface, we recommend you
> check
> | > the
> | > "Notify me of replies" box to receive e-mail notifications when there
> are
> | > any updates in your thread. When responding to posts via your
> newsreader,
> | > please "Reply to Group" so that others may learn and benefit from your
> | > issue.
> | >
> | > Microsoft engineers can only focus on one issue per thread. Although
> we
> | > provide other information for your reference, we recommend you post
> | > different incidents in different threads to keep the thread clean. In
> | > doing
> | > so, it will ensure your issues are resolved in a timely manner.
> | >
> | > For urgent issues, you may want to contact Microsoft CSS directly.
> Please
> | > check http://support.microsoft.com for regional support phone numbers.
> | >
> | > Any input or comments in this thread are highly appreciated.
> | > ======================================================
> | > This posting is provided "AS IS" with no warranties, and confers no
> | > rights.
> | >
> | >
> | > =====================================================
> | > When responding to posts, please "Reply to Group" via your newsreader
> so
> | > that others may learn and benefit from your issue.
> | > =====================================================
> | >
> | > This posting is provided "AS IS" with no warranties, and confers no
> | > rights.
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | Lines: 269
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | X-RFC2646: Format=Flowed; Original
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | NNTP-Posting-Host: 62.48.233.71
> | > | Path:
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> | > | Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.windows.server.sbs:154800
> | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > |
> | > | Thanks for your reply Charles
> | > |
> | > | Responses to your questions follow, and are in line:
> | > |
> | > |
> | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in
> message
> | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > HI PG,
> | > | >
> | > | > Welcome to SBS newsgroup.
> | > | >
> | > | > Issue description:
> | > | > ================
> | > | >
> | > | > I understand that you encountered some problem when using CA on
> SBS
> | > 2003
> | > | > premium.
> | > | >
> | > | > Analyzing and suggestions:
> | > | > ================
> | > | >
> | > | > Generally speaking, the error you encountered can be caused by
> many
> | > | > factors, in order to make the issue more clear, please refer to my
> | > | > suggestions below to gather more information:
> | > | >
> | > | > 1. If possible, please send me the event log for further research,
> it
> | > | > should include more information which can help us determine which
> | > kinds
> | > of
> | > | > error you encountered, you can send the log files to my email box.
> | > | > v-chayan(a)microsoft.com.
> | > |
> | > | There is nothing recorded in the logs, when the error's occur.
> | > |
> | > | > 2. Does the issue occur from the client's computer or from the
> server
> | > | > side?
> | > |
> | > | Both! It occur's when I request a certificate from the client and
> from
> | > the
> | > | server! :( Via Web request or MMC snap-in
> | > |
> | > |
> | > | >
> | > | >
> | > | > Let's first check the following:
> | > | >
> | > | > 1. Go to the CA Server, go to Services.msc console, make sure that
> the
> | > | > Certificate Service is started.
> | > |
> | > | Check
> | > |
> | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > |
> | > | Check
> | > |
> | > | > 3. If you are using Enterprise CA, go to the Certificate Template
> in
> | > the
> | > | > Certificate Authority, make sure that necessary Certificate
> Template
> | > is
> | > | > added and listed in the right panel.
> | > |
> | > | Check
> | > |
> | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK.
> Click
> | > File
> | > | > -> Add/Remove Snap-in, click Add button, select Certificate, click
> | > Add,
> | > | > select Computer Account and click next. Select Local Computer,
> click
> | > | > Finish
> | > | > and then Close.
> | > |
> | > | Check
> | > |
> | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate,
> check
> | > if
> | > | > the Root certificate exists. It's 'issued by' and 'issued to'
> should
> | > be
> | > | > itself. Then please check if the root certificate is still alive.
> If
> | > it
> | > is
> | > | > expired, right click the Certificate, select All Tasks -> Renew
> | > | > Certificate
> | > | > with Same Key. Then renew the user certificate and let me know how
> | > | > everything is going.
> | > | > NOTE: Please check the Certificate Authority to make sure that
> these
> | > | > client
> | > | > certificate are not revoked before you renew the certificate.
> | > | >
> | > | > If the issue still exists, please check if the CA computer where
> you
> | > start
> | > | > the Certificate Web Enrollment from is set to trust for
> delegation.
> To
> | > do
> | > | > so:
> | > | > 1. Log on as a domain administrator or equivalent account.
> | > | > 2. Click Start, point to Programs, point to Administrative Tools,
> and
> | > then
> | > | > click "Active Directory Users and Computers".
> | > | > 3. In the left pane, locate the container or organizational unit
> (OU)
> | > on
> | > | > which you want to enable delegation.
> | > | > 4. Right-click the computer account name, and then click
> Properties.
> | > | > 5. On the General tab, click Trust computer for delegation.
> | > | > 6. Click OK.
> | > | > 7. Quit Active Directory Users and Computers.
> | > | >
> | > | > For more info, please refer to:
> | > | > 300867 Error Message: The Certification Authority Service Has Not
> Been
> | > | > Started
> | > | > http://support.microsoft.com/?id=300867
> | > |
> | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > |
> | > |
> | > | >
> | > | >
> | > | > This issue may also occur if the Domain Users group on the child
> | > | > domain does not have the right to enroll a user template. To have a
> | > | > check:
> | > | >
> | > | > 1. Logon to CA Server as Enterprise Administrator
> | > |
> | > | check
> | > |
> | > | > 2. Click Start, click Programs, click Administrative Tools, and then
> | > | > click the "Active Directory Sites and Services" snap-in.
> | > |
> | > | check
> | > |
> | > | > 3. In MMC, right-click the "Active Directory Sites and Services"
> | > | > snap-in, click View, and then click "Show Services Mode". This allows
> | > | > you to view the Services folder, which is hidden from view by default.
> | > |
> | > | Check
> | > |
> | > | > 4. From the "Active Directory Sites and Services" snap-in, click
> | > | > Services, click Public Key Services, and then click Certificate
> | > | > Templates. This reveals the complete list of published certificate
> | > | > templates in Active Directory.
> | > |
> | > | Check
> | > |
> | > | > 5. Double-click the User certificate template to view the properties.
> | > |
> | > | Check
> | > |
> | > | > 6. On the Security tab, click Add to add the Domain Users group to the
> | > | > list.
> | > |
> | > | The group domain users wasn't there so I added it
> | > |
> | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > |
> | > | When I tried to apply the changes it gave the following error:
> | > |
> | > | "Unable to save permission changes on
> | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
> | > | TEMPLATES,CN=PUBLIC KEY
> | > | SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > |
> | > | ACCESS IS DENIED"
> | > |
> | > |
> | > | > 8. Restart the computer.
> | > |
> | > | Didn't do it because no changes were made!
> | > |
> | > | >
> | > | > For more info, please refer to:
> | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
> | > | > Request
> | > | > http://support.microsoft.com/?id=271861
> | > | >
> | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand
> | > | > alone CA, you must request certificate by WEB.
> | > | >
> | > | > I appreciate your understanding and please paste your results at your
> | > | > convenience. It is important for us to isolate the issue. I am glad to
> | > | > help you.
> | > | >
> | > | >
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > Get Secure! - www.microsoft.com/security
> | > | >
> | > | > --------------------
> | > | > | From: "PG" <*@*.*>
> | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | > |
> | > | > | Hi everybody,
> | > | > |
> | > | > | When I try to request a certificate from my Enterprise CA installed
> | > | > | on SBS2003Premium it gives the following error: "No certificate
> | > | > | templates could be found. You do not have permission to request a
> | > | > | certificate from this CA, or an error occurred while accessing the
> | > | > | Active Directory." I went and searched for a solution and found this
> | > | > | Microsoft article
> | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that
> | > | > | didn't help because the name of the server is the same in the
> | > | > | certdat.inc and in the AD!!! :(
> | > | > |
> | > | > | When I go to the certification authority and click on "manage" on the
> | > | > | certificate templates, Windows says that it detected that new
> | > | > | certificate templates should be installed, and asks if I want to
> | > | > | install them now, and I say "Yes", and it gives an error saying
> | > | > | "Windows could not install the new certificate templates. Access is
> | > | > | denied" :( I'm doing this as enterprise admin and it says access
> | > | > | denied!!!!! :( :(
> | > | > |
> | > | > | I've tried to reinstall the CA and the errors are still the same!
> | > | > |
> | > | > | Can anyone help me with this issue, please?
> | > | > |
> | > | > | Thanks in advance for any help you can give me....
>
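
The two symptoms quoted in the message above (Domain Users missing Read/Enroll on the User template, and "ACCESS IS DENIED" when saving the permission change) can both be read off the template object's security descriptor. The following is an added example, not part of the thread: it assumes the descriptor has been exported as an SDDL string, the two sample descriptors and the group sets are constructed for illustration, and the access check is simplified (first matching ACE per right, no nested group expansion).

```python
import re

# Certificate-Enrollment extended right: the "Enroll" box on the template's Security tab.
ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55"

# SDDL two-letter rights and their directory-object access-mask bits.
BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
        "GW": 0x40000000, "GR": 0x80000000}
# Generic rights expanded to directory-specific bits (GA = full control, GR = read).
GENERIC = {BITS["GA"]: 0xF01FF, BITS["GR"]: 0x20094}


def rights_mask(text):
    """Turn an SDDL rights field ("LCRPLORC" or "0x20094") into a bit mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= BITS[text[i:i + 2]]
    for generic, specific in GENERIC.items():
        if mask & generic:
            mask |= specific
    return mask


def parse_sddl(sddl):
    """Return (owner, aces) where aces lists the DACL's allow/deny entries in order."""
    owner = re.match(r"O:(S-[0-9-]+|[A-Z]{2})", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        kind, flags, rights, obj, _inherit, trustee = body.split(";")[:6]
        flag_pairs = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        # Inherit-only ACEs do not apply to the object itself; audit ACEs are not DACL entries.
        if kind not in ("A", "D", "OA", "OD") or "IO" in flag_pairs:
            continue
        aces.append({"allow": kind in ("A", "OA"), "mask": rights_mask(rights),
                     "object": obj.lower(), "trustee": trustee})
    return (owner.group(1) if owner else None), aces


def is_granted(aces, token, bit, object_guid=""):
    """The first ACE that names one of the caller's groups and the right decides."""
    for ace in aces:
        if ace["trustee"] not in token or not ace["mask"] & bit:
            continue
        # An object ACE covers only the right it names; an empty GUID covers all of them.
        if ace["object"] and ace["object"] != object_guid:
            continue
        return ace["allow"]
    return False


def template_report(sddl, user_token, admin_token):
    owner, aces = parse_sddl(sddl)
    return {
        "user_read": is_granted(aces, user_token, BITS["RP"]),
        "user_enroll": is_granted(aces, user_token, BITS["CR"], ENROLL),
        # Changing the ACL needs WRITE_DAC, which the owner holds implicitly.
        "admin_can_edit_acl": owner in admin_token
                              or is_granted(aces, admin_token, BITS["WD"]),
    }


# Hypothetical group memberships, written as SDDL aliases (DU, EA, AU).
USER_TOKEN = {"DU", "AU"}
ADMIN_TOKEN = {"EA", "AU"}

# Constructed descriptors, not taken from the server in the thread.
BROKEN = ("O:DAG:DAD:PAI(OA;;CR;" + ENROLL + ";;DA)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;EA)(A;;LCRPLORC;;;AU)")
EXPECTED = ("O:EAG:EAD:PAI(OA;;CR;" + ENROLL + ";;DU)(OA;;CR;" + ENROLL + ";;DA)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;LCRPLORC;;;DU)(A;;LCRPLORC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("broken", BROKEN), ("expected", EXPECTED)):
        print(name, template_report(sddl, USER_TOKEN, ADMIN_TOKEN))
```

In the first sample the administrator is neither the owner nor holds WRITE_DAC, which is the condition under which saving a new ACE fails with access denied.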


From: "Charles Yang [MSFT]" on
Hi PG,

After checking your screen shot, we decided to collect more information, as
this issue should relate to AD settings:

1. Please send me all the event logs except the application and system event
logs that you have already sent to me.
2. Please also run netdiag -v and dcdiag -v on the SBS server and send the
results to me also.
3. If possible, could you tell us if you have changed any setting on AD or on
the SBS server? As the screen shot points out, you have some problem querying
user objects on the DC.

I appreciate your effort on this issue.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
| From: "PG" <*@*.*>
| References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
<tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
<OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
<biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
<#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
<MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Thu, 22 Sep 2005 09:31:33 +0100
|
| Hi Charles,
|
| I started to go through the points you referred below and on the second
| point (Permissions settings) everything checked out ok except for the
| certificate templates permissions again, I'm unable to change permissions
| on some certificates, but others are ok! I'm sending you some compressed
| pictures to your e-mail so you can try and see if this is normal, or not.
| I didn't want to continue following your suggestions (to reinstall the
| CA) before you had a look at the pictures I sent you.
|
| Thanks
| PG
|

From: PG on
Hi Charles,

1. I sent all the logs you requested to your e-mail.

2. Done that also.

3. No changes done...that I can remember

Thanks

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> Hi PG,
>
> After checking your screen shot, we decided to collect more information, as
> this issue should relate to AD settings:
>
> 1. Please send me all the event logs except the application and system
> event logs that you have already sent to me.
> 2. Please also run netdiag -v and dcdiag -v on the SBS server and send the
> results to me also.
> 3. If possible, could you tell us if you have changed any setting on AD or
> on the SBS server? As the screen shot points out, you have some problem
> querying user objects on the DC.
>
> I appreciate your effort on this issue.
> --------------------
> | From: "PG" <*@*.*>
> | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | Lines: 597
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | X-RFC2646: Format=Flowed; Original
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | Message-ID: <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: 62.48.233.71
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155493
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | Hi Charles,
> |
> | I started to go through the points you referred below and on the
> | second point (Permissions settings) everything checked out ok except for
> | the certificates templates permissions again, I'm unable to change
> | permissions on some certificates, but others are ok! I'm sending you some
> | compressed pictures to your e-mail so you can try and see if this is
> | normal, or not.
> | I didn't want to continue following your suggestions (to reinstall the
> | CA) before you had a look at the pictures I sent you.
> |
> | Thanks
> | PG
> |
> | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > Hi,
> | >
> | > Thanks for updates.
> | >
> | > After carefully checking your log, we did not find any relate
> | > information, please note that it might take some time to do the task.
> | >
> | > For this issue, I have some suggestion below:
> | >
> | > Can I assume that you want to set up the SBS 2003 premium as a CA server,
> | > so that when user logon to website, they require the certificate, which
> | > purpose you want to use for this certificate for VPN issue or for a
> | > website? From your log, it seems to be used for IPSec VPN.
> | >
> | > 1. Please change the website you use for web enrollment's authentication
> | > method from anonymous to Windows Authentication.
> | > 2. Please refer to the KB article below to check the permission setting
> | > for CA, make sure that you have go through the article to double check it:
> | >
> | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | >
> | > 3. If the issue still exists, please follow the steps to reinstall the CA
> | > server:
> | >
> | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
> | > certsrv key
> | > B. Opened the file system and deleted c:\winnt\system32\certserv folder
> | > and contents
> | > C. Opened up AD sites and services and deleted and in services\public key
> | > services
> | >
> | > Please deleted all the contents of the containers leaving the empty
> | > containers with the exception of the templates container. Note, please
> | > perform a backup for registry.
> | >
> | > If the issue still exist, you have to refer to the KB article below to
> | > change the log level of certificate then reproduce the issue check the
> | > event log again.
> | >
> | > 305018 How to Change the Event Logging Level for Certificate Services
> | > http://support.microsoft.com/?id=305018
> | >
> | > Thanks for your efforts. I will be here waiting for updates.
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > |
> | > | I've sent you the log's as you requested Charles...
> | > |
> | > | Thanks for the help
> | > |
> | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | > HI PG,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > In order to make the issue more clear, could you send me the
> | > | > application log and system event log so that we can isolate the issue
> | > | > more clearly, you can compress the log files and send to my mailbox.
> | > | >
> | > | > v-chayan(a)microsoft.com
> | > | >
> | > | > Thanks for your understanding.
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > --------------------
> | > | > | From: "PG" <*@*.*>
> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | > |
> | > | > | Thanks for your reply Charles
> | > | > |
> | > | > | Responses to your questions follow, and are in line:
> | > | > |
> | > | > |
> | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > HI PG,
> | > | > | >
> | > | > | > Welcome to SBS newsgroup.
> | > | > | >
> | > | > | > Issue description:
> | > | > | > ================
> | > | > | >
> | > | > | > I understand that you encountered some problem when using CA on SBS
> | > | > | > 2003 premium.
> | > | > | >
> | > | > | > Analyzing and suggestions:
> | > | > | > ================
> | > | > | >
> | > | > | > Generally speaking, the error you encountered can be caused by many
> | > | > | > factors, in order to make the issue more clear, please refer to my
> | > | > | > suggestions below to gather more information:
> | > | > | >
> | > | > | > 1. If possible, please send me the event log for further research, it
> | > | > | > should include more information which can help us determine which kinds
> | > | > | > of error you encountered, you can send the log files to my email box.
> | > | > | > v-chayan(a)microsoft.com.
> | > | > |
> | > | > | There is nothing recorded in the logs, when the errors occur.
> | > | > |
> | > | > | > 2. Does the issue occur from the client's computer or from the server
> | > | > | > side?
> | > | > |
> | > | > | Both! It occurs when I request a certificate from the client and from
> | > | > | the server! :( Via Web request or MMC snap-in
> | > | > |
> | > | > |
> | > | > | >
> | > | > | >
> | > | > | > Let's first check the following:
> | > | > | >
> | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the
> | > | > | > Certificate Service is started.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the
> | > | > | > Certificate Authority, make sure that necessary Certificate Template is
> | > | > | > added and listed in the right panel.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
> | > | > | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
> | > | > | > select Computer Account and click next. Select Local Computer, click
> | > | > | > Finish and then Close.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
> | > | > | > the Root certificate exists. Its 'issued by' and 'issued to' should be
> | > | > | > itself. Then please check if the root certificate is still alive. If it is
> | > | > | > expired, right click the Certificate, select All Tasks -> Renew Certificate
> | > | > | > with Same Key. Then renew the user certificate and let me know how
> | > | > | > everything is going.
> | > | > | > NOTE: Please check the Certificate Authority to make sure that these
> | > | > | > client certificate are not revoked before you renew the certificate.
> | > | > | >
> | > | > | > If the issue still exists, please check if the CA computer where you start
> | > | > | > the Certificate Web Enrollment from is set to trust for delegation. To do
> | > | > | > so:
> | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then
> | > | > | > click "Active Directory Users and Computers".
> | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on
> | > | > | > which you want to enable delegation.
> | > | > | > 4. Right-click the computer account name, and then click Properties.
> | > | > | > 5. On the General tab, click Trust computer for delegation.
> | > | > | > 6. Click OK.
> | > | > | > 7. Quit Active Directory Users and Computers.
> | > | > | >
> | > | > | > For more info, please refer to:
> | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been
> | > | > | > Started
> | > | > | > http://support.microsoft.com/?id=300867
> | > | > |
> | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | > |
> | > | > |
> | > | > | >
> | > | > | >
> | > | > | > This issue may also occur if the Domain Users group on the child domain
> | > | > | > does not have the right to enroll a user template. To have a check:
> | > | > | >
> | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | > |
> | > | > | check
> | > | > |
> | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click
> | > | > | > the "Active Directory Sites and Services" snap-in.
> | > | > |
> | > | > | check
> | > | > |
> | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
> | > | > | > click View, and then click "Show Services Mode". This allows you to view
> | > | > | > the Services folder, which is hidden from view by default.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
> | > | > | > click Public Key Services, and then click Certificate Templates. This
> | > | > | > reveals the complete list of published certificate templates in Active
> | > | > | > Directory.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 5. Double-click the User certificate template to view the properties.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the
> | > | > | > list.
> | > | > |
> | > | > | The group domain users wasn't there so I added it
> | > | > |
> | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > | > |
> | > | > | When I tried to apply the changes it gave the following error:
> | > | > |
> | > | > | "Unable to save permission changes on
> | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | > |
> | > | > | ACCESS IS DENIED"
> | > | > |
> | > | > |
> | > | > | > 8. Restart the computer.
> | > | > |
> | > | > | Didn't do it because no changes were made!
> | > | > |
> | > | > | >
> | > | > | > For more info, please refer to:
> | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
> | > | > | > Request
> | > | > | > http://support.microsoft.com/?id=271861
> | > | > | >
> | > | > | > NOTE: Request from MMC only works if it is a Enterprise CA. To stand alone
> | > | > | > CA, you must request certificate by WEB.
> | > | > | >
> | > | > | > I appreciate your understanding and please paste your results as your
> | > | > | > convenience, It is important for us to isolate the issue. I am glad to
> | > | > | > help you.
> | > | > | >
> | > | > | > Best regards,
> | > | > | >
> | > | > | > Charles Yang (MSFT)
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "PG" <*@*.*>
> | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | > | > |
> | > | > | > | Hi everybody,
> | > | > | > |
> | > | > | > | When I try to request a certificate from my Enterprise CA installed on
> | > | > | > | SBS2003Premium It gives the following error :"No certificate templates could
> | > | > | > | be found. You do not have permission to request a certificate from this CA,
> | > | > | > | or an error occurred while accessing the Active Directory." I went and
> | > | > | > | search for a solution and found this microsoft article
> | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
> | > | > | > | help because the name of the server is the same in the certdat.inc and in
> | > | > | > | the AD!!! :(
> | > | > | > |
> | > | > | > | When I go to the certification authority and click on "manage" on the
> | > | > | > | certificate templates, windows says that it detected that new certificate
> | > | > | > | templates should be installed, and ask if I want to install them now, and I
> | > | > | > | say "Yes", and gives an error saying "Windows could not install the new
> | > | > | > | certificate templates. Access is denied" :( I'm doing this as enterprise
> | > | > | > | admin and it says access denied!!!!! :( :(
> | > | > | > |
> | > | > | > | I've tried to reinstall the CA and the errors are still the same!
> | > | > | > |
> | > | > | > | Can anyone help me with this issue, please?
> | > | > | > |
> | > | > | > | Thanks in advance for any help you can give me....
>
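
The "ACCESS IS DENIED" error quoted in the message above came from saving a permission change on the User template object under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration partition. The read-only PowerShell audit below is an added example, not part of any post in this thread; it assumes a domain-joined Windows host with the .NET System.DirectoryServices classes available, and the function names Get-TemplateAclReport and Resolve-Sid are made up for illustration.

```powershell
# Added example (not from the thread): read-only audit of certificate template ACLs.
# For every template object it lists the owner, who holds Enroll, who can rewrite
# the DACL or owner, and any Deny entries. Nothing in the directory is modified.

# Certificate-Enrollment extended right (well-known rights GUID in the AD schema).
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Resolve-Sid {
    # Translate a SID to DOMAIN\name; fall back to the raw SID if it cannot be resolved.
    param([System.Security.Principal.IdentityReference]$Sid)
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

function Get-TemplateAclReport {
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    $denyType = [System.Security.AccessControl.AccessControlType]::Deny

    # Build the DN of the container named in the thread's error message
    # from RootDSE, so no domain name is hard-coded.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNC  = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($tpl in $container.psbase.Children) {
        $name = [string]$tpl.psbase.Properties['cn'].Value

        try {
            $sd = $tpl.psbase.ObjectSecurity   # owner, group and DACL
        } catch {
            # The caller cannot read the security descriptor at all: report it.
            New-Object PSObject -Property @{
                Template = $name; Owner = "UNREADABLE: $($_.Exception.Message)"
                Enroll = ''; ControlAcl = ''; Deny = ''
            }
            continue
        }

        $enroll = @(); $control = @(); $deny = @()
        foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
            $who    = Resolve-Sid $ace.IdentityReference
            $rights = $ace.ActiveDirectoryRights

            if ($ace.AccessControlType -eq $denyType) {
                # A Deny ACE overrides any Allow, including one for Enterprise Admins.
                $deny += "$who [$rights]"
                continue
            }
            # Enroll is an extended right: either the specific GUID or "all extended rights".
            if (($rights -band $adRights::ExtendedRight) -and
                ($ace.ObjectType -eq $EnrollGuid -or $ace.ObjectType -eq [Guid]::Empty)) {
                $enroll += $who
            }
            # WriteDacl / WriteOwner decide who may change the Security tab.
            if (($rights -band $adRights::WriteDacl) -or ($rights -band $adRights::WriteOwner)) {
                $control += $who
            }
        }

        New-Object PSObject -Property @{
            Template   = $name
            Owner      = Resolve-Sid $sd.GetOwner($sidType)
            Enroll     = ($enroll  | Sort-Object -Unique) -join '; '
            ControlAcl = ($control | Sort-Object -Unique) -join '; '
            Deny       = ($deny    | Sort-Object -Unique) -join '; '
        }
    }
}

Get-TemplateAclReport | Sort-Object Template |
    Format-List Template, Owner, Enroll, ControlAcl, Deny
```

A template whose ControlAcl column lacks the account in use, or whose Deny column names it, is one where the Security tab change will be refused even for an enterprise administrator.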


From: "Charles Yang [MSFT]" on
HI PG,

Currently, I am performing research on this issue, I will return to you as
soon as possible, please understand that it might be some delay due to the
weekend.

Thanks for your understanding.


Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Thu, 22 Sep 2005 11:32:11 +0100
|
| Hi Charles,
|
| 1. I sent all the logs you requested to your e-mail.
|
| 2. Done that also.
|
| 3. No changes done...that I can remember
|
| Thanks
|
| ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| > Hi PG,
| >
| > After checking your screen shot, we decide to collect more information, as
| > this issue should relate to AD setting:
| >
| > 1. Please send me all the event log except the application and system
| > event log that you have already sent to me.
| > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the
| > results to me also.
| > 3. If possible, could you tell us if have changed any setting on AD or on
| > SBS server. As the screen shot point that you have some problem in query
| > user objects on DC.
| >
| > I appreciate your effort on this issue.
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > --------------------
| > | From: "PG" <*@*.*>
| > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| > |
| > | Hi Charles,
| > |
| > | I started to go through the points you referred to below, and on the second
| > | point (permissions settings) everything checked out OK except for the
| > | certificate templates permissions again. I'm unable to change permissions
| > | on some certificates, but others are OK! I'm sending you some compressed
| > | pictures to your e-mail so you can try and see if this is normal or not.
| > | I didn't want to continue following your suggestions (to reinstall the
| > | CA) before you had a look at the pictures I sent you.
| > |
| > | Thanks
| > | PG
| > |
| > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | > Hi,
| > | >
| > | > Thanks for updates.
| > | >
| > | > After carefully checking your log, we did not find any related information,
| > | > please note that it might take some time to do the task.
| > | >
| > | > For this issue, I have some suggestions below:
| > | >
| > | > Can I assume that you want to set up the SBS 2003 premium as a CA server,
| > | > so that when user logon to website, they require the certificate, which
| > | > purpose you want to use for this certificate for VPN issue or for a
| > | > website? From your log, it seems to be used for IPSec VPN.
| > | >
| > | > 1. Please change the website you use for web enrollment's authentication
| > | > method from anonymous to Windows Authentication.
| > | > 2. Please refer to the KB article below to check the permission setting for
| > | > CA, make sure that you have gone through the article to double check it:
| > | >
| > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
| > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
| > | >
| > | > 3. If the issue still exists, please follow the steps to reinstall the CA
| > | > server:
| > | >
| > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
| > | > certsrv key
| > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and
| > | > contents
| > | > C. Opened up AD sites and services and deleted and in services\public key
| > | > services
| > | >
| > | > Please delete all the contents of the containers leaving the empty
| > | > containers with the exception of the templates container. Note, please
| > | > perform a backup for registry.
| > | >
| > | > If the issue still exists, you have to refer to the KB article below to
| > | > change the log level of certificate then reproduce the issue check the
| > | > event log again.
| > | >
| > | > 305018 How to Change the Event Logging Level for Certificate Services
| > | > http://support.microsoft.com/?id=305018
| > | >
| > | > Thanks for your efforts. I will be here waiting for updates.
| > | >
| > | > Best regards,
| > | >
| > | > Charles Yang (MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | >
| > | > --------------------
| > | > | From: "PG" <*@*.*>
| > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| > | > |
| > | > | I've sent you the logs as you requested Charles...
| > | > |
| > | > | Thanks for the help
| > | > |
| > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > HI PG,
| > | > | >
| > | > | > Thanks for updates.
| > | > | >
| > | > | > In order to make the issue more clear, could you send me the application
| > | > | > log and system event log so that we can isolate the issue more clearly,
| > | > | > you can compress the log files and send to my mailbox.
| > | > | >
| > | > | > v-chayan(a)microsoft.com
| > | > | >
| > | > | > Thanks for your understanding.
| > | > | >
| > | > | > Best regards,
| > | > | >
| > | > | > Charles Yang (MSFT)
| > | > | >
| > | > | > Microsoft CSS Online Newsgroup Support
| > | > | >
| > | > | > Get Secure! - www.microsoft.com/security
| > | > | >
| > | > | >
| > | > | > --------------------
| > | > | > | From: "PG" <*@*.*>
| > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| > | > | > |
| > | > | > | Thanks for your reply Charles
| > | > | > |
| > | > | > | Responses to your questions follow, and are in line:
| > | > | > |
| > | > | > |
| > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > | > HI PG,
| > | > | > | >
| > | > | > | > Welcome to SBS newsgroup.
| > | > | > | >
| > | > | > | > Issue description:
| > | > | > | > ================
| > | > | > | >
| > | > | > | > I understand that you encountered some problem when using CA on SBS 2003
| > | > | > | > premium.
| > | > | > | >
| > | > | > | > Analyzing and suggestions:
| > | > | > | > ================
| > | > | > | >
| > | > | > | > Generally speaking, the error you encountered can be caused by many
| > | > | > | > factors, in order to make the issue more clear, please refer to my
| > | > | > | > suggestions below to gather more information:
| > | > | > | >
| > | > | > | > 1. If possible, please send me the event log for further research, it
| > | > | > | > should include more information which can help us determine which kinds of
| > | > | > | > error you encountered, you can send the log files to my email box.
| > | > | > | > v-chayan(a)microsoft.com.
| > | > | > |
| > | > | > | There is nothing recorded in the logs when the errors occur.
| > | > | > |
| > | > | > | > 2. Does the issue occur from the client's computer or from the server
| > | > | > | > side?
| > | > | > |
| > | > | > | Both! It occurs when I request a certificate from the client and from the
| > | > | > | server! :( Via Web request or MMC snap-in
| > | > | > |
| > | > | > |
| > | > | > | >
| > | > | > | >
| > | > | > | > Let's first check the following:
| > | > | > | >
| > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the
| > | > | > | > Certificate Service is started.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the
| > | > | > | > Certificate Authority, make sure that necessary Certificate Template is
| > | > | > | > added and listed in the right panel.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
| > | > | > | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
| > | > | > | > select Computer Account and click next. Select Local Computer, click
| > | > | > | > Finish and then Close.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
| > | > | > | > the Root certificate exists. Its 'issued by' and 'issued to' should be
| > | > | > | > itself. Then please check if the root certificate is still alive. If it is
| > | > | > | > expired, right click the Certificate, select All Tasks -> Renew
| > | > | > | > Certificate with Same Key. Then renew the user certificate and let me know
| > | > | > | > how everything is going.
| > | > | > | > NOTE: Please check the Certificate Authority to make sure that these
| > | > | > | > client certificates are not revoked before you renew the certificate.
| > | > | > | >
| > | > | > | > If the issue still exists, please check if the CA computer where you start
| > | > | > | > the Certificate Web Enrollment from is set to trust for delegation. To do
| > | > | > | > so:
| > | > | > | > 1. Log on as a domain administrator or equivalent account.
| > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then
| > | > | > | > click "Active Directory Users and Computers".
| > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on
| > | > | > | > which you want to enable delegation.
| > | > | > | > 4. Right-click the computer account name, and then click Properties.
| > | > | > | > 5. On the General tab, click Trust computer for delegation.
| > | > | > | > 6. Click OK.
| > | > | > | > 7. Quit Active Directory Users and Computers.
| > | > | > | >
| > | > | > | > For more info, please refer to:
| > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been
| > | > | > | > Started
| > | > | > | > http://support.microsoft.com/?id=300867
| > | > | > |
| > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
| > | > | > |
| > | > | > |
| > | > | > | >
| > | > | > | >
| > | > | > | > This issue may also occur if the Domain Users group on the child domain
| > | > | > | > does not have the right to enroll a user template. To have a check:
| > | > | > | >
| > | > | > | > 1. Logon to CA Server as Enterprise Administrator
| > | > | > |
| > | > | > | check
| > | > | > |
| > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click
| > | > | > | > the "Active Directory Sites and Services" snap-in.
| > | > | > |
| > | > | > | check
| > | > | > |
| > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
| > | > | > | > click View, and then click "Show Services Mode". This allows you to view
| > | > | > | > the Services folder, which is hidden from view by default.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
| > | > | > | > click Public Key Services, and then click Certificate Templates. This
| > | > | > | > reveals the complete list of published certificate templates in Active
| > | > | > | > Directory.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 5. Double-click the User certificate template to view the properties.
| > | > | > |
| > | > | > | Check
| > | > | > |
| > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the
| > | > | > | > list.
| > | > | > |
| > | > | > | The group domain users wasn't there so I added it
| > | > | > |
| > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
| > | > | > |
| > | > | > | When I tried to apply the changes it gave the following error:
| > | > | > |
| > | > | > | "Unable to save permission changes on
| > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
| > | > | > | TEMPLATES,CN=PUBLIC KEY
| > | > | > | SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| > | > | > |
| > | > | > | ACCESS IS DENIED"
| > | > | > |
| > | > | > |
| > | > | > | > 8. Restart the computer.
| > | > | > |
| > | > | > | Didn't do it because no changes were made!
| > | > | > |
| > | > | > | >
| > | > | > | > For more info, please refer to:
| > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
| > | > | > | > Request
| > | > | > | > http://support.microsoft.com/?id=271861
| > | > | > | >
| > | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand
| > | > | > | > alone CA, you must request certificate by WEB.
| > | > | > | >
| > | > | > | > I appreciate your understanding and please paste your results at your
| > | > | > | > convenience. It is important for us to isolate the issue. I am glad to
| > | > | > | > help you.
| > | > | > | >
| > | > | > | > Best regards,
| > | > | > | >
| > | > | > | > Charles Yang (MSFT)
| > | > | > | >
| > | > | > | > Microsoft CSS Online Newsgroup Support
| > | > | > | >
| > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | >
| > | > | > | >
| > | > | > | > --------------------
| > | > | > | > | From: "PG" <*@*.*>
| > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| > | > | > | > |
| > | > | > | > | Hi everybody,
| > | > | > | > |
| > | > | > | > | When I try to request a certificate from my Enterprise CA installed on
| > | > | > | > | SBS2003Premium it gives the following error: "No certificate templates
| > | > | > | > | could be found. You do not have permission to request a certificate from
| > | > | > | > | this CA, or an error occurred while accessing the Active Directory." I
| > | > | > | > | went and searched for a solution and found this Microsoft article
| > | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that
| > | > | > | > | didn't help because the name of the server is the same in the
| > | > | > | > | certdat.inc and in the AD!!! :(
| > | > | > | > |
| > | > | > | > | When I go to the certification authority and click on "manage" on the
| > | > | > | > | certificate templates, windows says that it detected that new certificate
| > | > | > | > | templates should be installed, and asks if I want to install them now,
| > | > | > | > | and I say "Yes", and it gives an error saying "Windows could not install
| > | > | > | > | the new certificate templates. Access is denied" :( I'm doing this as
| > | > | > | > | enterprise admin and it says access denied!!!!! :( :(
| > | > | > | > |
| > | > | > | > | I've tried to reinstall the CA and the errors are still the same!
| > | > | > | > |
| > | > | > | > | Can anyone help me with this issue, please?
| > | > | > | > |
| > | > | > | > | Thanks in advance for any help you can give me....
|
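
Added example, not part of the thread: a read-only PowerShell check of the ACL on the template object named in the "Unable to save permission changes" error, listing which principals hold Enroll and which can rewrite the ACL. It assumes PowerShell is available and that it is run as the account that receives "Access is denied"; $templateName and Resolve-Name are illustrative names.

```powershell
# Added example, not from the thread. Read-only: it does not modify AD.
# Assumption: run it logged on as the account that receives "Access is denied".
$templateName = 'User'   # CN of the template named in the error message

# Build the template's DN from the forest's configuration naming context.
$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
$dn = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]"LDAP://$dn"

# Certificate-Enrollment extended right ("Enroll" on the Security tab).
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extended   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeDacl  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

function Resolve-Name($sid) {
    # Orphaned SIDs (deleted accounts) cannot be translated; show them raw.
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# SIDs in the current logon token: the user plus every group it carries.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

$sidType = [System.Security.Principal.SecurityIdentifier]
$acl     = $template.psbase.ObjectSecurity
$owner   = $acl.GetOwner($sidType)
"Template: $dn"
"Owner   : " + (Resolve-Name $owner)

# One row per ACE, explicit and inherited.
$report = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $mask = [int]$ace.ActiveDirectoryRights
    # Enroll = extended right scoped to the enrollment GUID, or to all
    # extended rights (empty GUID).
    $enroll = (($mask -band $extended) -ne 0) -and
              (($ace.ObjectType -eq $enrollGuid) -or ($ace.ObjectType -eq [Guid]::Empty))
    New-Object PSObject -Property @{
        Type      = $ace.AccessControlType
        Principal = Resolve-Name $ace.IdentityReference
        Enroll    = $enroll
        WriteDacl = ($mask -band $writeDacl) -ne 0
        InToken   = $mySids -contains $ace.IdentityReference.Value
        Inherited = $ace.IsInherited
    }
}
$report | Select-Object Type, Principal, Enroll, WriteDacl, InToken, Inherited |
    Format-Table -AutoSize

# Saving a change on the Security tab needs WriteDacl (or object ownership).
# Simplified check: deny ACEs are listed above but not evaluated here.
$canEdit = $report | Where-Object { $_.Type -eq 'Allow' -and $_.WriteDacl -and $_.InToken }
if (-not $canEdit -and ($mySids -notcontains $owner.Value)) {
    "No allow ACE grants WriteDacl to this logon token and it does not own the object."
}
```

If the final message prints while the account is expected to be an Enterprise Admin, compare the Principal column with the group memberships actually present in the logon token.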
