From: "Charles Yang [MSFT]" on 21 Sep 2005 21:23

Hi,

Thanks for updates.

After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.

For this issue, I have some suggestions below:

Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.

1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
2. Please refer to the KB article below to check the permission setting for CA, make sure that you have gone through the article to double check it:

   Q239706 Default Permission Settings for Enterprise Certificate Authority
   http://support.microsoft.com/default.aspx?scid=kb;EN-US

3. If the issue still exists, please follow the steps to reinstall the CA server:

   A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
   B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
   C. Opened up AD sites and services and deleted and in services\public key services

Please delete all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.

If the issue still exists, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.

305018 How to Change the Event Logging Level for Certificate Services
http://support.microsoft.com/?id=305018

Thanks for your efforts. I will be here waiting for updates.

Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Wed, 21 Sep 2005 11:33:30 +0100
|
| I've sent you the logs as you requested Charles...
|
| Thanks for the help
|
| "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
| > HI PG,
| >
| > Thanks for updates.
| >
| > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
| >
| > v-chayan(a)microsoft.com
| >
| > Thanks for your understanding.
| >
| > Best regards,
| > Charles Yang (MSFT)
| > Microsoft CSS Online Newsgroup Support
| >
| > --------------------
| > | From: "PG" <*@*.*>
| > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| > |
| > | Thanks for your reply Charles
| > |
| > | Responses to your questions follow, and are in line:
| > |
| > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
| > | > HI PG,
| > | >
| > | > Welcome to SBS newsgroup.
| > | >
| > | > Issue description:
| > | > ================
| > | >
| > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
| > | >
| > | > Analyzing and suggestions:
| > | > ================
| > | >
| > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
| > | >
| > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my email box. v-chayan(a)microsoft.com.
| > |
| > | There is nothing recorded in the logs, when the errors occur.
| > |
| > | > 2. Does the issue occur from the client's computer or from the server side?
| > |
| > | Both! It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
| > |
| > | > Let's first check the following:
| > | >
| > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
| > |
| > | Check
| > |
| > | > 2. Open Certificate Authority, make sure that it can be opened.
| > |
| > | Check
| > |
| > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
| > |
| > | Check
| > |
| > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
| > |
| > | Check
| > |
| > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists. Its 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
| > | > NOTE: Please check the Certificate Authority to make sure that these client certificates are not revoked before you renew the certificate.
| > | >
| > | > If the issue still exists, please check if the CA computer where you start the Certificate Web Enrollment from is set to trust for delegation. To do so:
| > | > 1. Log on as a domain administrator or equivalent account.
| > | > 2. Click Start, point to Programs, point to Administrative Tools, and then click "Active Directory Users and Computers".
| > | > 3. In the left pane, locate the container or organizational unit (OU) on which you want to enable delegation.
| > | > 4. Right-click the computer account name, and then click Properties.
| > | > 5. On the General tab, click Trust computer for delegation.
| > | > 6. Click OK.
| > | > 7. Quit Active Directory Users and Computers.
| > | >
| > | > For more info, please refer to:
| > | > 300867 Error Message: The Certification Authority Service Has Not Been Started
| > | > http://support.microsoft.com/?id=300867
| > |
| > | The certificate is alive until 16/9/2010! So I didn't renew it.
| > |
| > | > This issue may also occur if the Domain Users group on the child domain does not have the right to enroll a user template. To have a check:
| > | >
| > | > 1. Logon to CA Server as Enterprise Administrator
| > |
| > | check
| > |
| > | > 2. Click Start, click Programs, click Administrative Tools, and then click the "Active Directory Sites and Services" snap-in.
| > |
| > | check
| > |
| > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in, click View, and then click "Show Services Mode". This allows you to view the Services folder, which is hidden from view by default.
| > |
| > | Check
| > |
| > | > 4. From the "Active Directory Sites and Services" snap-in, click Services, click Public Key Services, and then click Certificate Templates. This reveals the complete list of published certificate templates in Active Directory.
| > |
| > | Check
| > |
| > | > 5. Double-click the User certificate template to view the properties.
| > |
| > | Check
| > |
| > | > 6. On the Security tab, click Add to add the Domain Users group to the list.
| > |
| > | The group domain users wasn't there so I added it
| > |
| > | > 7. For the Domain Users group, select the Read and Enroll rights.
| > |
| > | When I tried to apply the changes it gave the following error:
| > |
| > | "Unable to save permission changes on
| > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| > |
| > | ACCESS IS DENIED"
| > |
| > | > 8. Restart the computer.
| > |
| > | Didn't do it because no changes were made!
| > |
| > | > For more info, please refer to:
| > | > 271861 Windows Cannot Find a Certificate Authority That Processes the Request
| > | > http://support.microsoft.com/?id=271861
| > | >
| > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand alone CA, you must request certificate by WEB.
| > | >
| > | > I appreciate your understanding and please paste your results at your convenience, It is important for us to isolate the issue. I am glad to help you.
| > | >
| > | > Best regards,
| > | > Charles Yang (MSFT)
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > --------------------
| > | > | From: "PG" <*@*.*>
| > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| > | > |
| > | > | Hi everybody,
| > | > |
| > | > | When I try to request a certificate from my Enterprise CA installed on SBS2003Premium It gives the following error: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory." I went and searched for a solution and found this Microsoft article http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't help because the name of the server is the same in the certdat.inc and in the AD!!! :(
| > | > |
| > | > | When I go to the certification authority and click on "manage" on the certificate templates, windows says that it detected that new certificate templates should be installed, and asks if I want to install them now, and I say "Yes", and gives an error saying "Windows could not install the new certificate templates. Access is denied" :( I'm doing this as enterprise admin and it says access denied!!!!! :( :(
| > | > |
| > | > | I've tried to reinstall the CA and the errors are still the same!
| > | > |
| > | > | Can anyone help me with this issue, please?
| > | > |
| > | > | Thanks in advance for any help you can give me....
From: PG on 22 Sep 2005 04:31

Hi Charles,

I started to go through the points you referred below and on the second point (Permissions settings) everything checked out ok except for the certificate templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.

I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.

Thanks

PG
:( > | > | > | > | > | > | When I go to the certification authority and click on > "manage" > | > on > | > | > the > | > | > | certificate templates, windows says that it detected that new > | > | > certificate > | > | > | templates should be installed, and ask if I want to install them > | > now, > | > | > and > | > | > I > | > | > | say "Yes", and gives an error saying "Windows could not install > the > | > new > | > | > | certificate templates. Access is denied" :( I doing this as > | > enterprise > | > | > admin > | > | > | and it says access denied!!!!! :( :( > | > | > | > | > | > | I've tryed to reinstall the CA and the errors are still the > | > same! > | > | > | > | > | > | Can anyone help me with this issue, please? > | > | > | > | > | > | Thanks in advance for any help you can give me.... > | > | > | > | > | > | > | > | > | > | > | > > | > | > | > | > | > | > | > | > | > | > | > | > | > > | > | > | >
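The "Access is denied" error quoted in the post above names a single directory object, so its owner and ACL can be read directly. The following read-only PowerShell script is an added example, not part of the thread: it assumes a domain-joined Windows host with PowerShell 2.0 or later, takes the DN from the quoted error, and treats "Read" as the full GenericRead mask.

```powershell
# Added example, not from the thread. Read-only: nothing in AD is modified.
# DN taken from the "Access is denied" error quoted in the post above.
$templateDn = 'CN=User,CN=Certificate Templates,CN=Public Key Services,' +
              'CN=Services,CN=Configuration,DC=CONTIMETRA,DC=LOCAL'

# Certificate-Enrollment extended right: the "Enroll" box on the Security tab.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$adr         = [System.DirectoryServices.ActiveDirectoryRights]
$ntAccount   = [System.Security.Principal.NTAccount]
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Show a SID as DOMAIN\name; fall back to the raw SID when it no longer
# resolves (an orphaned SID in the owner field or the ACL is itself a finding).
function Resolve-Name($sid) {
    try   { $sid.Translate($ntAccount).Value }
    catch { $sid.Value }
}

try {
    $entry = [ADSI]"LDAP://$templateDn"
    $sd    = $entry.psbase.ObjectSecurity      # forces the LDAP bind
} catch {
    throw "Cannot read the security descriptor of '$templateDn': $($_.Exception.Message)"
}

# Flatten every ACE (explicit and inherited) into the three rights that matter here.
$aces = foreach ($r in $sd.GetAccessRules($true, $true, $sidType)) {
    $rights = [int]$r.ActiveDirectoryRights
    New-Object PSObject -Property @{
        Trustee   = Resolve-Name $r.IdentityReference
        Type      = $r.AccessControlType
        Inherited = $r.IsInherited
        Read      = ($rights -band [int]$adr::GenericRead) -eq [int]$adr::GenericRead
        Enroll    = [bool]($rights -band [int]$adr::ExtendedRight) -and
                    ($r.ObjectType -eq $enrollRight -or $r.ObjectType -eq [Guid]::Empty)
        WriteDacl = [bool]($rights -band [int]$adr::WriteDacl)
    }
}

"Owner: $(Resolve-Name $sd.GetOwner($sidType))"
$aces | Sort-Object Trustee |
    Format-Table Trustee, Type, Read, Enroll, WriteDacl, Inherited -AutoSize

# Steps 6 and 7 of the quoted checklist: does Domain Users hold Read and Enroll?
$du = $aces | Where-Object { $_.Trustee -like '*\Domain Users' -and $_.Type -eq 'Allow' }
"Domain Users: Read=$([bool]($du | Where-Object { $_.Read })) " +
              "Enroll=$([bool]($du | Where-Object { $_.Enroll }))"

# Saving a change on the Security tab needs WriteDacl (or ownership) on this object.
"Trustees allowed to change permissions on the template:"
$aces | Where-Object { $_.WriteDacl -and $_.Type -eq 'Allow' } |
    ForEach-Object { "  $($_.Trustee)" }

"Deny entries (evaluated before Allow entries):"
$aces | Where-Object { $_.Type -eq 'Deny' } |
    ForEach-Object { "  $($_.Trustee)" }
```

If the account used on the Security tab is neither the owner nor covered by an Allow entry in the WriteDacl list, the save fails with "Access is denied" regardless of its other group memberships.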
From: "Charles Yang [MSFT]" on 22 Sep 2005 05:34

Hi PG,

After checking your screen shot, we decided to collect more information, as this issue should relate to AD setting:

1. Please send me all the event logs except the application and system event logs that you have already sent to me.
2. Please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
3. If possible, could you tell us if you have changed any setting on AD or on the SBS server? As the screen shot points out, you have some problem in querying user objects on the DC.

I appreciate your effort on this issue.

Best regards,

Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Thu, 22 Sep 2005 09:31:33 +0100
|
| Hi Charles,
|
| I started to go through the points you referred to below and on the second point (Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
| I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
|
| Thanks
| PG
From: PG on 22 Sep 2005 06:32

Hi Charles,

1. I sent all the logs you requested to your e-mail.
2. Done that also.
3. No changes done...that I can remember

Thanks

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> Hi PG,
>
> After checking your screen shot, we decided to collect more information, as this issue should relate to AD setting:
>
> 1. Please send me all the event logs except the application and system event logs that you have already sent to me.
> 2. Please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
> 3. If possible, could you tell us if you have changed any setting on AD or on the SBS server? As the screen shot points out, you have some problem in querying user objects on the DC.
>
> I appreciate your effort on this issue.
>
> Best regards,
>
> Charles Yang (MSFT)
> Microsoft CSS Online Newsgroup Support
> > For urgent issues, you may want to contact Microsoft CSS directly. Please > check http://support.microsoft.com for regional support phone numbers. > > Any input or comments in this thread are highly appreciated. > ====================================================== > This posting is provided "AS IS" with no warranties, and confers no > rights. > > > ===================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ===================================================== > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > -------------------- > | From: "PG" <*@*.*> > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! > | Date: Thu, 22 Sep 2005 09:31:33 +0100 > | Lines: 597 > | X-Priority: 3 > | X-MSMail-Priority: Normal > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 > | X-RFC2646: Format=Flowed; Original > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 > | Message-ID: <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> > | Newsgroups: microsoft.public.windows.server.sbs > | NNTP-Posting-Host: 62.48.233.71 > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155493 > | X-Tomcat-NG: microsoft.public.windows.server.sbs > | > | Hi Charles, > | > | I started to go through the points you reffered bellow and on the > second > | point(Permissions settings) everything checked out ok except for the > | certificates templates permissions again, I'm unable to change > permissions > | on some certificates, but others are ok! 
> | I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
> | I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
> |
> | Thanks
> | PG
> |
> | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > Hi,
> | >
> | > Thanks for updates.
> | >
> | > After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.
> | >
> | > For this issue, I have some suggestions below:
> | >
> | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
> | >
> | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
> | > 2. Please refer to the KB article below to check the permission setting for CA, make sure that you have gone through the article to double check it:
> | >
> | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | >
> | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
> | >
> | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
> | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
> | > C. Opened up AD sites and services and deleted and in services\public key services
> | >
> | > Please delete all the contents of the containers leaving the empty containers with the exception of the templates container.
> | > Note, please perform a backup for registry.
> | >
> | > If the issue still exists, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
> | >
> | > 305018 How to Change the Event Logging Level for Certificate Services
> | > http://support.microsoft.com/?id=305018
> | >
> | > Thanks for your efforts. I will be here waiting for updates.
> | >
> | > Best regards,
> | > Charles Yang (MSFT)
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > |
> | > | I've sent you the logs as you requested Charles...
> | > |
> | > | Thanks for the help
> | > |
> | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | > HI PG,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
> | > | >
> | > | > v-chayan(a)microsoft.com
> | > | >
> | > | > Thanks for your understanding.
> | > | >
> | > | > Best regards,
> | > | > Charles Yang (MSFT)
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > --------------------
> | > | > | From: "PG" <*@*.*>
> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > |
> | > | > | Thanks for your reply Charles
> | > | > |
> | > | > | Responses to your questions follow, and are in line:
> | > | > |
> | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > HI PG,
> | > | > | >
> | > | > | > Welcome to SBS newsgroup.
> | > | > | >
> | > | > | > Issue description:
> | > | > | > ================
> | > | > | >
> | > | > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
> | > | > | >
> | > | > | > Analyzing and suggestions:
> | > | > | > ================
> | > | > | >
> | > | > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
> | > | > | >
> | > | > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my email box. v-chayan(a)microsoft.com.
> | > | > |
> | > | > | There is nothing recorded in the logs when the errors occur.
> | > | > |
> | > | > | > 2. Does the issue occur from the client's computer or from the server side?
> | > | > |
> | > | > | Both! It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
> | > | > |
> | > | > | > Let's first check the following:
> | > | > | >
> | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists. Its 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
> | > | > | > NOTE: Please check the Certificate Authority to make sure that these client certificates are not revoked before you renew the certificate.
> | > | > | >
> | > | > | > If the issue still exists, please check if the CA computer where you start the Certificate Web Enrollment from is set to trust for delegation. To do so:
> | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then click "Active Directory Users and Computers".
> | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on which you want to enable delegation.
> | > | > | > 4. Right-click the computer account name, and then click Properties.
> | > | > | > 5. On the General tab, click Trust computer for delegation.
> | > | > | > 6. Click OK.
> | > | > | > 7. Quit Active Directory Users and Computers.
> | > | > | >
> | > | > | > For more info, please refer to:
> | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been Started
> | > | > | > http://support.microsoft.com/?id=300867
> | > | > |
> | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | > |
> | > | > | > This issue may also occur if the Domain Users group on the child domain does not have the right to enroll a user template. To have a check:
> | > | > | >
> | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | > |
> | > | > | check
> | > | > |
> | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click the "Active Directory Sites and Services" snap-in.
> | > | > |
> | > | > | check
> | > | > |
> | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in, click View, and then click "Show Services Mode". This allows you to view the Services folder, which is hidden from view by default.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services, click Public Key Services, and then click Certificate Templates. This reveals the complete list of published certificate templates in Active Directory.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 5. Double-click the User certificate template to view the properties.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the list.
> | > | > |
> | > | > | The group domain users wasn't there so I added it
> | > | > |
> | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > | > |
> | > | > | When I tried to apply the changes it gave the following error:
> | > | > |
> | > | > | "Unable to save permission changes on
> | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | > |
> | > | > | ACCESS IS DENIED"
> | > | > |
> | > | > | > 8. Restart the computer.
> | > | > |
> | > | > | Didn't do it because no changes were made!
> | > | > |
> | > | > | > For more info, please refer to:
> | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the Request
> | > | > | > http://support.microsoft.com/?id=271861
> | > | > | >
> | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand alone CA, you must request certificate by WEB.
> | > | > | >
> | > | > | > I appreciate your understanding and please paste your results at your convenience, It is important for us to isolate the issue. I am glad to help you.
> | > | > | >
> | > | > | > Best regards,
> | > | > | > Charles Yang (MSFT)
> | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "PG" <*@*.*>
> | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | > |
> | > | > | > | Hi everybody,
> | > | > | > |
> | > | > | > | When I try to request a certificate from my Enterprise CA installed on SBS2003Premium it gives the following error: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory." I went and searched for a solution and found this Microsoft article http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't help because the name of the server is the same in the certdat.inc and in the AD!!! :(
> | > | > | > |
> | > | > | > | When I go to the certification authority and click on "manage" on the certificate templates, Windows says that it detected that new certificate templates should be installed, and asks if I want to install them now, and I say "Yes", and gives an error saying "Windows could not install the new certificate templates. Access is denied" :( I'm doing this as enterprise admin and it says access denied!!!!! :( :(
> | > | > | > |
> | > | > | > | I've tried to reinstall the CA and the errors are still the same!
> | > | > | > |
> | > | > | > | Can anyone help me with this issue, please?
> | > | > | > |
> | > | > | > | Thanks in advance for any help you can give me....
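A read-only way to compare the ACLs of the templates that accept permission changes with those that return "Access is denied", as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later on a domain-joined machine; the function names and the `ExpectedAdmins` list are illustrative, and the group names must match the ones used in your domain.

```powershell
# Added example (not from the thread): read-only audit of certificate template ACLs.
# It lists, per template, the owner, whether inheritance is blocked, who may enroll,
# who may change permissions, and which expected admin groups lack that right.

$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$NTAccount     = [System.Security.Principal.NTAccount]
$SidType       = [System.Security.Principal.SecurityIdentifier]
$WriteDacl     = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Resolve-Identity($identity) {
    # DOMAIN\name when the SID resolves, otherwise the raw SID string.
    try { $identity.Translate($NTAccount).Value } catch { $identity.Value }
}

function Get-TemplateAclReport {
    param(
        # Assumption: groups expected to be able to edit template permissions.
        [string[]]$ExpectedAdmins = @('Enterprise Admins', 'Domain Admins')
    )

    # Templates live in the forest-wide Configuration partition.
    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $container, '(objectClass=pKICertificateTemplate)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PageSize    = 200

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        $sd    = $entry.psbase.ObjectSecurity          # owner, group and DACL
        $rules = $sd.GetAccessRules($true, $true, $SidType)

        $canEnroll = @(); $canWriteDacl = @(); $denies = @()
        foreach ($rule in $rules) {
            $who    = Resolve-Identity $rule.IdentityReference
            $rights = [int]$rule.ActiveDirectoryRights

            # Enroll is an extended right: either named explicitly or granted
            # through an ACE that covers all extended rights (empty object type).
            $isEnroll = ($rights -band $ExtendedRight) -and
                        ($rule.ObjectType -eq $EnrollRight -or $rule.ObjectType -eq [guid]::Empty)
            $isWriteDacl = [bool]($rights -band $WriteDacl)

            if ($rule.AccessControlType -eq 'Deny') {
                # A Deny ACE overrides Allow ACEs at the same inheritance level,
                # a common cause of "Access is denied" for administrators.
                if ($isEnroll -or $isWriteDacl) {
                    $denies += "$who ($($rule.ActiveDirectoryRights))"
                }
                continue
            }
            if ($isEnroll)    { $canEnroll    += $who }
            if ($isWriteDacl) { $canWriteDacl += $who }
        }

        # Expected admin groups with no Allow ACE carrying WriteDacl.
        $missing = $ExpectedAdmins | Where-Object {
            $name = $_
            -not ($canWriteDacl | Where-Object { $_ -like "*\$name" })
        }

        [pscustomobject]@{
            Template               = [string]$entry.Properties['cn'].Value
            # The owner can always rewrite the DACL, whatever the ACEs say.
            Owner                  = Resolve-Identity ($sd.GetOwner($SidType))
            InheritanceBlocked     = $sd.AreAccessRulesProtected
            CanEnroll              = ($canEnroll    | Sort-Object -Unique) -join '; '
            CanChangePermissions   = ($canWriteDacl | Sort-Object -Unique) -join '; '
            DenyAces               = ($denies       | Sort-Object -Unique) -join '; '
            AdminsWithoutWriteDacl = $missing -join '; '
        }
    }
    $searcher.Dispose()
}

Get-TemplateAclReport | Sort-Object Template | Format-List
```

Templates whose `AdminsWithoutWriteDacl` or `DenyAces` fields are non-empty, or whose owner is an unexpected account, are the ones to compare against a template that still accepts changes.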
From: "Charles Yang [MSFT]" on 23 Sep 2005 04:54
HI PG,

Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.

Thanks for your understanding.

Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
-------------------- | From: "PG" <*@*.*> | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> | Subject: Re: SBS2003Premium Certification Authority from HELL!!! | Date: Thu, 22 Sep 2005 11:32:11 +0100 | Lines: 785 | X-Priority: 3 | X-MSMail-Priority: Normal | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | X-RFC2646: Format=Flowed; Original | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 | Message-ID: <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> | Newsgroups: microsoft.public.windows.server.sbs | NNTP-Posting-Host: 62.48.233.71 | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155518 | X-Tomcat-NG: microsoft.public.windows.server.sbs | | Hi Charles, | | 1. I sent all the logs you requested to your e-mail. | | 2. Done that also. | | 3. No changes done...that I can remember | | Thanks | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl... | > Hi PG, | > | > After checking your screen shot, we decide to collect more information, as | > this issue should relate to AD setting: | > | > 1. Please send me all the event log except the application and system | > event | > log that you have already sent to me. | > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the | > results to me also. | > 3. If possible, could you tell us if have changed any setting on AD or on | > SBS server. As the screen shot point that you have some problem in query | > user objects on DC. | > | > I appreciate your effort on this issue. 
| > | > | > | > Best regards, | > | > Charles Yang (MSFT) | > | > Microsoft CSS Online Newsgroup Support | > | > Get Secure! - www.microsoft.com/security | > | > ====================================================== | > This newsgroup only focuses on SBS technical issues. If you have issues | > regarding other Microsoft products, you'd better post in the corresponding | > newsgroups so that they can be resolved in an efficient and timely manner. | > You can locate the newsgroup here: | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | > When opening a new thread via the web interface, we recommend you check | > the | > "Notify me of replies" box to receive e-mail notifications when there are | > any updates in your thread. When responding to posts via your newsreader, | > please "Reply to Group" so that others may learn and benefit from your | > issue. | > | > Microsoft engineers can only focus on one issue per thread. Although we | > provide other information for your reference, we recommend you post | > different incidents in different threads to keep the thread clean. In | > doing | > so, it will ensure your issues are resolved in a timely manner. | > | > For urgent issues, you may want to contact Microsoft CSS directly. Please | > check http://support.microsoft.com for regional support phone numbers. | > | > Any input or comments in this thread are highly appreciated. | > ====================================================== | > This posting is provided "AS IS" with no warranties, and confers no | > rights. | > | > | > ===================================================== | > When responding to posts, please "Reply to Group" via your newsreader so | > that others may learn and benefit from your issue. | > ===================================================== | > | > This posting is provided "AS IS" with no warranties, and confers no | > rights. 
| > | > -------------------- | > | From: "PG" <*@*.*> | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> | > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> | > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! | > | Date: Thu, 22 Sep 2005 09:31:33 +0100 | > | Lines: 597 | > | X-Priority: 3 | > | X-MSMail-Priority: Normal | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | > | X-RFC2646: Format=Flowed; Original | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 | > | Message-ID: <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> | > | Newsgroups: microsoft.public.windows.server.sbs | > | NNTP-Posting-Host: 62.48.233.71 | > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl | > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155493 | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | | > | Hi Charles, | > | | > | I started to go through the points you reffered bellow and on the | > second | > | point(Permissions settings) everything checked out ok except for the | > | certificates templates permissions again, I'm unable to change | > permissions | > | on some certificates, but others are ok! I'm sending you some compressed | > | pictures to your e-mail so you can try and see if this is normal, or | > not. | > | I didn't want to continue following your suggestions(to reinstall | > the | > | CA) before you had a look at the pictures I sent you. | > | | > | Thanks | > | PG | > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl... | > | > Hi, | > | > | > | > Thanks for updates. 
| > | > | > | > After carefully checking your log, we did not find any relate | > information, | > | > please note that it might take some time to do the task. | > | > | > | > For this issue, I have some suggestion below: | > | > | > | > Can I assume that you want to set up the SBS 2003 premium as a CA | > server, | > | > so that when user logon to website, they require the certificate, | > which | > | > purpose you want to use for this certificate for VPN issue or for a | > | > website? From your log, it seems to be used for IPSec VPN. | > | > | > | > 1. Please change the website you use for web enrollment's | > authentication | > | > method from anonymous to Windows Authentication. | > | > 2. Please refer to the KB article below to check the permission | > setting | > | > for | > | > CA, make sure that you have go through the article to double check it: | > | > | > | > Q239706 Default Permission Settings for Enterprise Certificate | > Authority | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US | > | > | > | > 3. If the issue still exists, please follow the steps to reinstall the | > CA | > | > server: | > | > | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted | > the | > | > certsrv key | > | > B. Opened the file system and deleted c:\winnt\system32\certserv | > folder | > | > and | > | > contents | > | > C. Opened up AD sites and services and deleted and in services\public | > key | > | > services | > | > | > | > Please deleted all the contents of the containers leaving the empty | > | > containers with the exception of the templates container. Note, please | > | > perform a backup for registry. | > | > | > | > If the issue still exist, you have to refer to the KB article below to | > | > change the log level of certificate then reproduce the issue check the | > | > event log again. 
| > | > | > | > 305018 How to Change the Event Logging Level for Certificate Services | > | > http://support.microsoft.com/?id=305018 | > | > | > | > Thanks for your efforts. I will be here waiting for updates. | > | > | > | > | > | > | > | > Best regards, | > | > | > | > Charles Yang (MSFT) | > | > | > | > Microsoft CSS Online Newsgroup Support | > | > | > | > Get Secure! - www.microsoft.com/security | > | > | > | > ====================================================== | > | > This newsgroup only focuses on SBS technical issues. If you have | > issues | > | > regarding other Microsoft products, you'd better post in the | > corresponding | > | > newsgroups so that they can be resolved in an efficient and timely | > manner. | > | > You can locate the newsgroup here: | > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | > | > | > When opening a new thread via the web interface, we recommend you | > check | > | > the | > | > "Notify me of replies" box to receive e-mail notifications when there | > are | > | > any updates in your thread. When responding to posts via your | > newsreader, | > | > please "Reply to Group" so that others may learn and benefit from your | > | > issue. | > | > | > | > Microsoft engineers can only focus on one issue per thread. Although | > we | > | > provide other information for your reference, we recommend you post | > | > different incidents in different threads to keep the thread clean. In | > | > doing | > | > so, it will ensure your issues are resolved in a timely manner. | > | > | > | > For urgent issues, you may want to contact Microsoft CSS directly. | > Please | > | > check http://support.microsoft.com for regional support phone numbers. | > | > | > | > Any input or comments in this thread are highly appreciated. | > | > ====================================================== | > | > This posting is provided "AS IS" with no warranties, and confers no | > | > rights. 
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | Message-ID: <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > |
> | > | I've sent you the logs as you requested Charles...
> | > |
> | > | Thanks for the help
> | > |
> | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | > HI PG,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
> | > | >
> | > | > v-chayan(a)microsoft.com
> | > | >
> | > | > Thanks for your understanding.
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > Get Secure! - www.microsoft.com/security
> | > | >
> | > | > --------------------
> | > | > | From: "PG" <*@*.*>
> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > |
> | > | > | Thanks for your reply Charles
> | > | > |
> | > | > | Responses to your questions follow, and are in line:
> | > | > |
> | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > HI PG,
> | > | > | >
> | > | > | > Welcome to SBS newsgroup.
> | > | > | >
> | > | > | > Issue description:
> | > | > | > ================
> | > | > | >
> | > | > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
> | > | > | >
> | > | > | > Analyzing and suggestions:
> | > | > | > ================
> | > | > | >
> | > | > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
> | > | > | >
> | > | > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my box.
> | > | > | > v-chayan(a)microsoft.com.
> | > | > |
> | > | > | There is nothing recorded in the logs, when the errors occur.
> | > | > |
> | > | > | > 2. Does the issue occur from the client's computer or from the server side?
> | > | > |
> | > | > | Both! It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
> | > | > |
> | > | > | > Let's first check the following:
> | > | > | >
> | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists. Its 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
> | > | > | > NOTE: Please check the Certificate Authority to make sure that these client certificate are not revoked before you renew the certificate.
> | > | > | >
> | > | > | > If the issue still exists, please check if the CA computer where you start the Certificate Web Enrollment from is set to trust for delegation. To do so:
> | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then click "Active Directory Users and Computers".
> | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on which you want to enable delegation.
> | > | > | > 4. Right-click the computer account name, and then click Properties.
> | > | > | > 5. On the General tab, click Trust computer for delegation.
> | > | > | > 6. Click OK.
> | > | > | > 7. Quit Active Directory Users and Computers.
> | > | > | >
> | > | > | > For more info, please refer to:
> | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been Started
> | > | > | > http://support.microsoft.com/?id=300867
> | > | > |
> | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | > |
> | > | > | > This issue may also occur if the Domain Users group on the child domain does not have the right to enroll a user template. To have a check:
> | > | > | >
> | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | > |
> | > | > | check
> | > | > |
> | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click the "Active Directory Sites and Services" snap-in.
> | > | > |
> | > | > | check
> | > | > |
> | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in, click View, and then click "Show Services Mode". This allows you to view the Services folder, which is hidden from view by default.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services, click Public Key Services, and then click Certificate Templates. This reveals the complete list of published certificate templates in Active Directory.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 5. Double-click the User certificate template to view the properties.
> | > | > |
> | > | > | Check
> | > | > |
> | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the list.
> | > | > |
> | > | > | The group domain users wasn't there so I added it
> | > | > |
> | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > | > |
> | > | > | When I tried to apply the changes it gave the following error:
> | > | > |
> | > | > | "Unable to save permission changes on
> | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | > |
> | > | > | ACCESS IS DENIED"
> | > | > |
> | > | > | > 8. Restart the computer.
> | > | > |
> | > | > | Didn't do it because no changes were made!
> | > | > |
> | > | > | > For more info, please refer to:
> | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the Request
> | > | > | > http://support.microsoft.com/?id=271861
> | > | > | >
> | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand alone CA, you must request certificate by WEB.
> | > | > | >
> | > | > | > I appreciate your understanding and please paste your results at your convenience, It is important for us to isolate the issue. I am glad to help you.
> | > | > | >
> | > | > | > Best regards,
> | > | > | >
> | > | > | > Charles Yang (MSFT)
> | > | > | >
> | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | >
> | > | > | > Get Secure! - www.microsoft.com/security
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "PG" <*@*.*>
> | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | > |
> | > | > | > | Hi everybody,
> | > | > | > |
> | > | > | > | When I try to request a certificate from my Enterprise CA installed on SBS2003Premium It gives the following error: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory." I went and searched for a solution and found this Microsoft article http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't help because the name of the server is the same in the certdat.inc and in the AD!!! :(
> | > | > | > |
> | > | > | > | When I go to the certification authority and click on "manage" on the certificate templates, windows says that it detected that new certificate templates should be installed, and ask if I want to install them now, and I say "Yes", and gives an error saying "Windows could not install the new certificate templates. Access is denied" :( I'm doing this as enterprise admin and it says access denied!!!!! :( :(
> | > | > | > |
> | > | > | > | I've tried to reinstall the CA and the errors are still the same!
> | > | > | > |
> | > | > | > | Can anyone help me with this issue, please?
> | > | > | > |
> | > | > | > | Thanks in advance for any help you can give me....
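Steps 6 to 8 of the quoted procedure depend on which access-control entries sit on the template object in the Configuration partition. As an added example (not part of the thread and not Microsoft tooling), the Python below takes a template's security descriptor in SDDL form and reports whether a caller has Read, Enroll, and the write-DACL right needed to save permission changes. The function names, the two sample ACLs and the simplified deny handling are assumptions made for illustration.

```python
import re

# SDDL right codes -> access-mask bits for directory objects (only those used here).
BITS = {"LC": 0x4, "RP": 0x10, "LO": 0x80, "CR": 0x100, "RC": 0x20000,
        "WD": 0x40000, "GA": 0x10000000, "GR": 0x80000000}
READ = BITS["RC"] | BITS["LC"] | BITS["RP"] | BITS["LO"]   # the "Read" checkbox
ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55"            # Certificate-Enrollment right


def parse_mask(field):
    """Convert a rights field such as 'RPLCLORC' or '0x20094' to a bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= BITS.get(field[i:i + 2], 0)    # codes not needed here are ignored
    return mask


def template_rights(sddl, trustees):
    """Rights the DACL gives a caller whose token holds `trustees` (aliases or SIDs).

    Simplification (assumption): any matching deny ACE wins, regardless of ACE order.
    """
    owner = re.match(r"O:(S-[\d-]+|[A-Z]{2})", sddl)
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    allow = deny = 0
    allow_enroll = deny_enroll = False
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj, _inherit_obj, sid = fields[:6]
        if sid not in trustees or "IO" in flags:   # IO = inherit-only, skips this object
            continue
        mask = parse_mask(rights)
        if mask & BITS["GA"]:
            mask |= READ | BITS["CR"] | BITS["WD"]
        if mask & BITS["GR"]:
            mask |= READ
        general = mask if obj == "" else 0         # object ACEs cover one right or attribute
        enroll = bool(mask & BITS["CR"]) and obj.lower() in ("", ENROLL)
        if ace_type in ("D", "OD"):
            deny |= general
            deny_enroll |= enroll
        elif ace_type in ("A", "OA"):
            allow |= general
            allow_enroll |= enroll
    effective = allow & ~deny
    is_owner = bool(owner) and owner.group(1) in trustees   # the owner may rewrite the DACL
    return {"read": (effective & READ) == READ,
            "enroll": allow_enroll and not deny_enroll,
            "write_dac": is_owner or bool(effective & BITS["WD"])}


# Constructed ACLs (not taken from the thread): a template without the grants, then with them.
BEFORE = ("O:DAG:DAD:PAI"
          f"(OA;;CR;{ENROLL};;DA)"
          "(A;;RPLCLORC;;;AU)"
          "(A;;RPLCLORC;;;EA)")
AFTER = BEFORE + f"(OA;;CR;{ENROLL};;DU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"

if __name__ == "__main__":
    print("EA before:", template_rights(BEFORE, {"EA", "AU"}))
    print("DU after: ", template_rights(AFTER, {"DU", "AU"}))
```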