From: PG on 23 Sep 2005 05:42

I appreciate your help in this matter...

Thanks
PG

"Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
news:34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.
>
> Thanks for your understanding.
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> | From: "PG" <*@*.*>
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | Date: Thu, 22 Sep 2005 11:32:11 +0100
> |
> | Hi Charles,
> |
> | 1. I sent all the logs you requested to your e-mail.
> |
> | 2. Done that also.
> |
> | 3. No changes done...that I can remember
> |
> | Thanks
> |
> | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | > Hi PG,
> | >
> | > After checking your screen shot, we decide to collect more information, as this issue should relate to AD setting:
> | >
> | > 1. Please send me all the event log except the application and system event log that you have already sent to me.
> | > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
> | > 3. If possible, could you tell us if have changed any setting on AD or on SBS server. As the screen shot point that you have some problem in query user objects on DC.
> | >
> | > I appreciate your effort on this issue.
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | > |
> | > | Hi Charles,
> | > |
> | > | I started to go through the points you referred below and on the second point (Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
> | > | I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
> | > |
> | > | Thanks
> | > | PG
> | > |
> | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > | > Hi,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.
> | > | >
> | > | > For this issue, I have some suggestion below:
> | > | >
> | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
> | > | >
> | > | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
> | > | > 2. Please refer to the KB article below to check the permission setting for CA, make sure that you have go through the article to double check it:
> | > | >
> | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | > | >
> | > | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
> | > | >
> | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
> | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
> | > | > C. Opened up AD sites and services and deleted and in services\public key services
> | > | >
> | > | > Please deleted all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.
> | > | >
> | > | > If the issue still exist, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
> | > | >
> | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | > | > http://support.microsoft.com/?id=305018
> | > | >
> | > | > Thanks for your efforts. I will be here waiting for updates.
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > --------------------
> | > | > | From: "PG" <*@*.*>
> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | > |
> | > | > | I've sent you the logs as you requested Charles...
> | > | > |
> | > | > | Thanks for the help
> | > | > |
> | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > HI PG,
> | > | > | >
> | > | > | > Thanks for updates.
> | > | > | >
> | > | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
> | > | > | >
> | > | > | > v-chayan(a)microsoft.com
> | > | > | >
> | > | > | > Thanks for your understanding.
> | > | > | >
> | > | > | > Best regards,
> | > | > | >
> | > | > | > Charles Yang (MSFT)
> | > | > | >
> | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "PG" <*@*.*>
> | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | > | > |
> | > | > | > | Thanks for your reply Charles
> | > | > | > |
> | > | > | > | Responses to your questions follow, and are in line:
> | > | > | > |
> | > | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > | > HI PG,
> | > | > | > | >
> | > | > | > | > Welcome to SBS newsgroup.
> | > | > | > | >
> | > | > | > | > Issue description:
> | > | > | > | > ================
> | > | > | > | >
> | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
> | > | > | > | >
> | > | > | > | > Analyzing and suggestions:
> | > | > | > | > ================
> | > | > | > | >
> | > | > | > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
> | > | > | > | >
> | > | > | > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my box.
> | > | > | > | > v-chayan(a)microsoft.com.
> | > | > | > |
> | > | > | > | There is nothing recorded in the logs, when the errors occur.
> | > | > | > |
> | > | > | > | > 2. Does the issue occur from the client's computer or from the server side?
> | > | > | > |
> | > | > | > | Both! It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
> | > | > | > |
> | > | > | > | > Let's first check the following:
> | > | > | > | >
> | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists. Its 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
> | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these client certificate are not revoked before you renew the certificate.
> | > | > | > | >
> | > | > | > | > If the issue still exists, please check if the CA computer where you start the Certificate Web Enrollment from is set to trust for delegation. To do so:
> | > | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then click "Active Directory Users and Computers".
> | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on which you want to enable delegation.
> | > | > | > | > 4. Right-click the computer account name, and then click Properties.
> | > | > | > | > 5. On the General tab, click Trust computer for delegation.
> | > | > | > | > 6. Click OK.
> | > | > | > | > 7. Quit Active Directory Users and Computers.
> | > | > | > | >
> | > | > | > | > For more info, please refer to:
> | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been Started
> | > | > | > | > http://support.microsoft.com/?id=300867
> | > | > | > |
> | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | > | > |
> | > | > | > | > This issue may also occur if the Domain Users group on the child domain does not have the right to enroll a user template. To have a check:
> | > | > | > | >
> | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | > | > |
> | > | > | > | check
> | > | > | > |
> | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click the "Active Directory Sites and Services" snap-in.
> | > | > | > |
> | > | > | > | check
> | > | > | > |
> | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in, click View, and then click "Show Services Mode". This allows you to view the Services folder, which is hidden from view by default.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services, click Public Key Services, and then click Certificate Templates. This reveals the complete list of published certificate templates in Active Directory.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 5. Double-click the User certificate template to view the properties.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the list.
> | > | > | > |
> | > | > | > | The group domain users wasn't there so I added it
> | > | > | > |
> | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > | > | > |
> | > | > | > | When I tried to apply the changes it gave the following error:
> | > | > | > |
> | > | > | > | "Unable to save permission changes on
> | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | > | > |
> | > | > | > | ACCESS IS DENIED"
> | > | > | > |
> | > | > | > | > 8. Restart the computer.
> | > | > | > |
> | > | > | > | Didn't do it because no changes were made!
> | > | > | > |
> | > | > | > | > For more info, please refer to:
> | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the Request
> | > | > | > | > http://support.microsoft.com/?id=271861
> | > | > | > | >
> | > | > | > | > NOTE: Request from MMC only works if it is a Enterprise CA. To stand alone CA, you must request certificate by WEB.
> | > | > | > | >
> | > | > | > | > I appreciate your understanding and please paste your results as your convenience, It is important for us to isolate the issue. I am glad to help you.
> | > | > | > | >
> | > | > | > | > Best regards,
> | > | > | > | >
> | > | > | > | > Charles Yang (MSFT)
> | > | > | > | >
> | > | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | > | >
> | > | > | > | > --------------------
> | > | > | > | > | From: "PG" <*@*.*>
> | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | > | > | > |
> | > | > | > | > | Hi everybody,
> | > | > | > | > |
> | > | > | > | > | When I try to request a certificate from my Enterprise CA installed on SBS2003Premium it gives the following error: "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory." I went and searched for a solution and found this Microsoft article http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't help because the name of the server is the same in the certdat.inc and in the AD!!! :(
> | > | > | > | > |
> | > | > | > | > | When I go to the certification authority and click on "manage" on the certificate templates, Windows says that it detected that new certificate templates should be installed, and asks if I want to install them now, and I say "Yes", and gives an error saying "Windows could not install the new certificate templates. Access is denied" :( I'm doing this as enterprise admin and it says access denied!!!!! :( :(
> | > | > | > | > |
> | > | > | > | > | I've tried to reinstall the CA and the errors are still the same!
> | > | > | > | > |
> | > | > | > | > | Can anyone help me with this issue, please?
> | > | > | > | > |
> | > | > | > | > | Thanks in advance for any help you can give me....


From: "Charles Yang [MSFT]" on 23 Sep 2005 05:57

Hi PG,

Thanks for updates.

After making research, I find solutions for you, please refer to the steps below:

1. Open DCOMCNFG.
2. Select Component Services -> Computers -> My Computer -> DCOM Config -> CertSrv Request.
3. Open Properties and verify the Security permissions:
   - Launch and Activation Permissions (should be Customize: Everyone, Local Activation, Remote Activation)
   - Access Permissions (should be Customize: Everyone, Local Access, Remote Access)

If the issue still exists, please recreate a certificate template to see if the issue can be resolved. You can try to request a certificate via a new template. From your screenshot we found only one of the templates you encountered permission issue, can we assume it is the certificate template you use for the certificate?

Thanks for understanding on this issue, please feel free to post back.

Best regards,

Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================

--------------------
| From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
| Date: Fri, 23 Sep 2005 08:54:33 GMT
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Message-ID: <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl>
|
| HI PG,
|
| Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.
|
| Thanks for your understanding.
|
| Best regards,
|
| Charles Yang (MSFT)
| Microsoft CSS Online Newsgroup Support
| Get Secure! - www.microsoft.com/security
|
| --------------------
| | From: "PG" <*@*.*>
| | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | Date: Thu, 22 Sep 2005 11:32:11 +0100
| | Message-ID: <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl>
| |
| | Hi Charles,
| |
| | 1. I sent all the logs you requested to your e-mail.
| |
| | 2. Done that also.
| |
| | 3. No changes done...that I can remember
| |
| | Thanks
| |
| | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
| | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| | > Hi PG,
| | >
| | > After checking your screen shot, we decide to collect more information, as this issue should relate to AD setting:
| | >
| | > 1. Please send me all the event log except the application and system event log that you have already sent to me.
| | > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
| | > 3. If possible, could you tell us if have changed any setting on AD or on SBS server. As the screen shot point that you have some problem in query user objects on DC.
| | >
| | > I appreciate your effort on this issue.
| | >
| | > Best regards,
| | >
| | > Charles Yang (MSFT)
| | > Microsoft CSS Online Newsgroup Support
| | > Get Secure! - www.microsoft.com/security
| | >
| | > --------------------
| | > | From: "PG" <*@*.*>
| | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| | > | Message-ID: <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
| | > |
| | > | Hi Charles,
| | > |
| | > | I started to go through the points you referred below and on the second point (Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
| | > | I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
| | > |
| | > | Thanks
| | > | PG
| | > |
| | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
| | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| | > | > Hi,
| | > | >
| | > | > Thanks for updates.
| | > | >
| | > | > After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.
| | > | >
| | > | > For this issue, I have some suggestions below:
| | > | >
| | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
| | > | >
| | > | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
| | > | > 2. Please refer to the KB article below to check the permission setting for CA, make sure that you have gone through the article to double check it:
| | > | >
| | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
| | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
| | > | >
| | > | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
| | > | >
| | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
| | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
| | > | > C. Opened up AD sites and services and deleted and in services\public key services
| | > | >
| | > | > Please delete all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.
| | > | >
| | > | > If the issue still exists, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
| | > | >
| | > | > 305018 How to Change the Event Logging Level for Certificate Services
| | > | > http://support.microsoft.com/?id=305018
| | > | >
| | > | > Thanks for your efforts. I will be here waiting for updates.
| | > | >
| | > | > Best regards,
| | > | >
| | > | > Charles Yang (MSFT)
| | > | > Microsoft CSS Online Newsgroup Support
| | > | > Get Secure! - www.microsoft.com/security
| | > | >
| | > | > --------------------
| | > | > | From: "PG" <*@*.*>
| | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| | > | > | Message-ID: <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
| | > | > |
| | > | > | I've sent you the logs as you requested Charles...
| | > | > |
| | > | > | Thanks for the help
| | > | > |
| | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
| | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| | > | > | > HI PG,
| | > | > | >
| | > | > | > Thanks for updates.
| | > | > | >
| | > | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
| | > | > | >
| | > | > | > v-chayan(a)microsoft.com
| | > | > | >
| | > | > | > Thanks for your understanding.
| | > | > | >
| | > | > | > Best regards,
| | > | > | >
| | > | > | > Charles Yang (MSFT)
| | > | > | > Microsoft CSS Online Newsgroup Support
| | > | > | > Get Secure! - www.microsoft.com/security
| | > | > | >
| | > | > | > --------------------
| | > | > | > | From: "PG" <*@*.*>
| | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| | > | > | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
| | > | > | > |
| | > | > | > | Thanks for your reply Charles
| | > | > | > |
| | > | > | > | Responses to your questions follow, and are in line:
| | > | > | > |
| | > | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
| | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
| | > | > | > | > HI PG,
| | > | > | > | >
| | > | > | > | > Welcome to SBS newsgroup.
| | > | > | > | >
| | > | > | > | > Issue description:
| | > | > | > | > ================
| | > | > | > | >
| | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
| | > | > | > | >
| | > | > | > | > Analyzing and suggestions:
| | > | > | > | > ================
| | > | > | > | >
| | > | > | > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
| | > | > | > | >
| | > | > | > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my box.
| | > | > | > | > v-chayan(a)microsoft.com.
| | > | > | > |
| | > | > | > | There is nothing recorded in the logs, when the errors occur.
| | > | > | > |
| | > | > | > | > 2. Does the issue occur from the client's computer or from the server side?
| | > | > | > |
| | > | > | > | Both! It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
| | > | > | > |
| | > | > | > | > Let's first check the following:
| | > | > | > | >
| | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists. Its 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
| | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these client certificate are not revoked before you renew the certificate.
| | > | > | > | >
| | > | > | > | > If the issue still exists, please check if the CA computer where you start the Certificate Web Enrollment from is set to trust for delegation. To do so:
| | > | > | > | > 1. Log on as a domain administrator or equivalent account.
| | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then click "Active Directory Users and Computers".
| | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on which you want to enable delegation.
| | > | > | > | > 4. Right-click the computer account name, and then click Properties.
| | > | > | > | > 5. On the General tab, click Trust computer for delegation.
| | > | > | > | > 6. Click OK.
| | > | > | > | > 7. Quit Active Directory Users and Computers.
| | > | > | > | >
| | > | > | > | > For more info, please refer to:
| | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been Started
| | > | > | > | > http://support.microsoft.com/?id=300867
| | > | > | > |
| | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
| | > | > | > |
| | > | > | > | > This issue may also occur if the Domain Users group on the child domain does not have the right to enroll a user template. To have a check:
| | > | > | > | >
| | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
| | > | > | > |
| | > | > | > | check
| | > | > | > |
| | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click the "Active Directory Sites and Services" snap-in.
| | > | > | > |
| | > | > | > | check
| | > | > | > |
| | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in, click View, and then click "Show Services Mode". This allows you to view the Services folder, which is hidden from view by default.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services, click Public Key Services, and then click Certificate Templates. This reveals the complete list of published certificate templates in Active Directory.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 5. Double-click the User certificate template to view the properties.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the list.
| | > | > | > |
| | > | > | > | The group domain users wasn't there so I added it
| | > | > | > |
| | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
| | > | > | > |
| | > | > | > | When I tried to apply the changes it gave the following error:
| | > | > | > |
| | > | > | > | "Unable to save permission changes on
| | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| | > | > | > |
| | > | > | > | ACCESS IS DENIED"
| | > | > | > |
| | > | > | > | > 8. Restart the computer.
| | > | > | > |
| | > | > | > | Didn't do it because no changes were made!
| | > | > | > |
| | > | > | > | > For more info, please refer to:
| | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the Request
| | > | > | > | > http://support.microsoft.com/?id=271861
| | > | > | > | >
| | > | > | > | > NOTE: Request from MMC only works if it is a Enterprise CA. To stand alone CA, you must request certificate by WEB.
| | > | > | > | >
| | > | > | > | > I appreciate your understanding and please paste your results as your convenience, It is important for us to isolate the issue. I am glad to help you.
| | > | > | > | >
| | > | > | > | > Best regards,
| | > | > | > | >
| | > | > | > | > Charles Yang (MSFT)
| | > | > | > | > Microsoft CSS Online Newsgroup Support
| | > | > | > | > Get Secure! - www.microsoft.com/security
| | > | > | > | >
| | > | > | > | > --------------------
| | > | > | > | > | From: "PG" <*@*.*>
| | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| | > | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
| | > | > | > | > |
| | > | > | > | > | Hi everybody,
| | > | > | > | > |
| | > | > | > | > | When I try to request a certificate from my Enterprise CA installed on SBS2003Premium It gives the following
error :"No | certificate | | > | > | > templates | | > | > | > | > could | | > | > | > | > | be found. You do not have permission to request a | | > certificate | | > | > from | | > | > | > this | | > | > | > | > CA, | | > | > | > | > | or an error occurred while accessing the Active | Directory." | | > I | | > | > went | | > | > | > and | | > | > | > | > | search for a solution and found this microsoft article | | > | > | > | > | | | > http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 | | > | > that | | > | > | > | > didn't | | > | > | > | > | help because the name of the server is the same in the | | > | > certdat.inc | | > | > | > and | | > | > | > | > in | | > | > | > | > | the AD!!! :( | | > | > | > | > | | | > | > | > | > | When I go to the certification authority and click on | | > | > "manage" | | > | > | > on | | > | > | > | > the | | > | > | > | > | certificate templates, windows says that it detected that | | > new | | > | > | > | > certificate | | > | > | > | > | templates should be installed, and ask if I want to | install | | > them | | > | > | > now, | | > | > | > | > and | | > | > | > | > I | | > | > | > | > | say "Yes", and gives an error saying "Windows could not | | > install | | > | > the | | > | > | > new | | > | > | > | > | certificate templates. Access is denied" :( I doing this | as | | > | > | > enterprise | | > | > | > | > admin | | > | > | > | > | and it says access denied!!!!! :( :( | | > | > | > | > | | | > | > | > | > | I've tryed to reinstall the CA and the errors are | still | | > the | | > | > | > same! | | > | > | > | > | | | > | > | > | > | Can anyone help me with this issue, please? | | > | > | > | > | | | > | > | > | > | Thanks in advance for any help you can give me.... 
| | > | > | > | > | | | > | > | > | > | | | > | > | > | > | | | > | > | > | > | | > | > | > | | | > | > | > | | | > | > | > | | | > | > | > | | | > | > | > | | | > | > | > | | | > | > | > | | > | > | | | > | > | | | > | > | | | > | > | | > | | | > | | | > | | | > | | | | | | | |
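The Read and Enroll grant that steps 6 and 7 of the quoted procedure set on the User template is stored as two kinds of ACE in the template object's security descriptor, and it can be checked from there. The PowerShell below is an added example, not part of the thread: the domain SID and SDDL string are constructed sample data, and `Test-TemplateEnroll` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Evaluates a certificate template's DACL
# for the "Read" + "Enroll" grant described in steps 6-7 of the quoted procedure.
# It matches ACEs that name the SID directly; it does not expand group membership.
Add-Type -AssemblyName System.DirectoryServices

# GUID of the Certificate-Enrollment extended right ("Enroll" on the Security tab).
$EnrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Test-TemplateEnroll {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Security,
        [Parameter(Mandatory = $true)]
        [string] $Sid
    )
    $adr         = [System.DirectoryServices.ActiveDirectoryRights]
    $genericRead = [int]$adr::GenericRead
    $allowedRead = 0
    $enroll      = $false
    $denied      = $false

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $Security.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        $rights   = [int]$rule.ActiveDirectoryRights
        $readBits = $rights -band $genericRead

        # "Enroll" is an extended-right ACE scoped to the enrollment GUID,
        # or unscoped (empty GUID means all extended rights).
        $hasEnroll = (($rights -band [int]$adr::ExtendedRight) -ne 0) -and
            ($rule.ObjectType -eq $EnrollGuid -or $rule.ObjectType -eq [Guid]::Empty)

        if ($rule.AccessControlType -eq 'Deny') {
            # Any denied read bit or a denied enroll right blocks the request.
            if ($readBits -ne 0 -or $hasEnroll) { $denied = $true }
        }
        else {
            # Read bits may be spread over several allow ACEs; accumulate them.
            $allowedRead = $allowedRead -bor $readBits
            if ($hasEnroll) { $enroll = $true }
        }
    }

    $read = ($allowedRead -eq $genericRead)
    [pscustomobject]@{
        Sid       = $Sid
        Read      = $read
        Enroll    = $enroll
        Denied    = $denied
        CanEnroll = ($read -and $enroll -and -not $denied)
    }
}

# Constructed sample descriptor: Domain Users (-513) has Read but no Enroll ACE,
# Domain Admins (-512) has both. The domain SID is made up.
$domain = 'S-1-5-21-1111111111-2222222222-3333333333'
$sddl = "O:${domain}-519G:${domain}-519D:" +
        "(A;;RPLCLORC;;;${domain}-513)" +
        "(A;;RPLCLORC;;;${domain}-512)" +
        "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;${domain}-512)"

$sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sec.SetSecurityDescriptorSddlForm($sddl)

# Against a live directory the descriptor would come from the template object
# instead, for the DN shown in the error message above:
#   $sec = ([ADSI]'LDAP://CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contimetra,DC=local').psbase.ObjectSecurity

Test-TemplateEnroll -Security $sec -Sid "${domain}-513"
Test-TemplateEnroll -Security $sec -Sid "${domain}-512"
```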
From: PG on 23 Sep 2005 06:39

Hi Charles,

I went to DCOMCNFG and on the Launch permission it was empty, and I added Everyone with (Launch permission---Allow) and in the Access permission it is everyone (Access permission---Allow), so I didn't have to change it. Could not find anything that referred to (Local Activation Remote Activation) or (Local Access Remote Access) as you said. Only (Launch Permission) and (Access Permission).

After applying the changes to DCOM I tried to request a certificate, and the same error occurred. Duplicated a Template and still the same error. :(

"No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."

In response to your question, all the certificate templates, from the pictures I sent you, that are greyed out have permissions issues, and don't let me add or change permissions for those certificates. :(

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> Thanks for updates.
>
> After making research, I find solutions for you, please refer to the steps below:
>
> 1- Open DCOMCNFG
> 2- Select Component Services
>    ---Computers
>    ----My Computer
>    ------Dcom Config
>    ---- CertSrv Request
> 3- Open properties and verify Security permission for Launch and Activation Permissions (Should be Customize --Everyone ---Local Activation Remote Activation)
>
> Access Permissions (Should be Customize -Everyone ---Local Access Remote Access)
>
> If the issue still exists, please recreate a certificate template to see if the issue can be resolved. You can try to request a certificate via a new template. From your screenshot we found only one of the template you encountered permission issue, can we assume it is the certificate template you use for the certificate?
>
> Thanks for understanding on this issue, please feel free to post back.
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> --------------------
> | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
> | Date: Fri, 23 Sep 2005 08:54:33 GMT
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> |
> | HI PG,
> |
> | Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.
> |
> | Thanks for your understanding.
> |
> | Best regards,
> |
> | Charles Yang (MSFT)
> |
> | Microsoft CSS Online Newsgroup Support
> |
> | --------------------
> | | From: "PG" <*@*.*>
> | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | | Date: Thu, 22 Sep 2005 11:32:11 +0100
> | |
> | | Hi Charles,
> | |
> | | 1. I sent all the logs you requested to your e-mail.
> | |
> | | 2. Done that also.
> | |
> | | 3. No changes done...that I can remember
> | |
> | | Thanks
> | |
> | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | | > Hi PG,
> | | >
> | | > After checking your screen shot, we decide to collect more information, as this issue should relate to AD setting:
> | | >
> | | > 1. Please send me all the event log except the application and system event log that you have already sent to me.
> | | > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
> | | > 3. If possible, could you tell us if have changed any setting on AD or on SBS server. As the screen shot point that you have some problem in query user objects on DC.
> | | >
> | | > I appreciate your effort on this issue.
> | | >
> | | > Best regards,
> | | >
> | | > Charles Yang (MSFT)
> | | >
> | | > Microsoft CSS Online Newsgroup Support
> | | >
> | | > --------------------
> | | > | From: "PG" <*@*.*>
> | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | | > |
> | | > | Hi Charles,
> | | > |
> | | > | I started to go through the points you referred below and on the second point (Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
> | | > | I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
> | | > |
> | | > | Thanks
> | | > | PG
> | | > |
> | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | | > | > Hi,
> | | > | >
> | | > | > Thanks for updates.
> | | > | >
> | | > | > After carefully checking your log, we did not find any relate information, please note that it might take some time to do the task.
> | | > | >
> | | > | > For this issue, I have some suggestion below:
> | | > | >
> | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
> | | > | >
> | | > | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
> | | > | > 2. Please refer to the KB article below to check the permission setting for CA, make sure that you have go through the article to double check it:
> | | > | >
> | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | | > | >
> | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
> | | > | >
> | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
> | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
> | | > | > C. Opened up AD sites and services and deleted and in services\public key services
> | | > | >
> | | > | > Please deleted all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.
> | | > | >
> | | > | > If the issue still exist, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
> | | > | >
> | | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | | > | > http://support.microsoft.com/?id=305018
> | | > | >
> | | > | > Thanks for your efforts. I will be here waiting for updates.
> | | > | >
> | | > | > Best regards,
> | | > | >
> | | > | > Charles Yang (MSFT)
> | | > | >
> | | > | > Microsoft CSS Online Newsgroup Support
> | | > | >
> | | > | > --------------------
> | | > | > | From: "PG" <*@*.*>
> | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | | > | > |
> | | > | > | I've sent you the logs as you requested Charles...
> | | > | > |
> | | > | > | Thanks for the help
> | | > | > |
> | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | | > | > | > HI PG,
> | | > | > | >
> | | > | > | > Thanks for updates.
> | | > | > | >
> | | > | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
> | | > | > | >
> | | > | > | > v-chayan(a)microsoft.com
> | | > | > | >
> | | > | > | > Thanks for your understanding.
> | | > | > | >
> | | > | > | > Best regards,
> | | > | > | >
> | | > | > | > Charles Yang (MSFT)
> | | > | > | >
> | | > | > | > Microsoft CSS Online Newsgroup Support
> | | > | > | >
> | | > | > | > --------------------
> | | > | > | > | From: "PG" <*@*.*>
> | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | | > | > | > |
> | | > | > | > | Thanks for your reply Charles
> | | > | > | > |
> | | > | > | > | Responses to your questions follow, and are in line:
> | | > | > | > |
> | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | | > | > | > | > HI PG,
> | | > | > | > | >
> | | > | > | > | > Welcome to SBS newsgroup.
> | | > | > | > | >
> | | > | > | > | > Issue description:
> | | > | > | > | > ================
> | | > | > | > | >
> | | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
> | | > | > | > | >
> | | > | > | > | > Analyzing and suggestions:
> | | > | > | > | > ================
> | | > | > | > | >
> | | > | > | > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
> | | > | > | > | >
> | | > | > | > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my box.
> | | > | > | > | > v-chayan(a)microsoft.com.
> | | > | > | > |
> | | > | > | > | There is nothing recorded in the logs, when the errors occur.
> | | > | > | > |
> | | > | > | > | > 2. Does the issue occur from the client's computer or from the server side?
> | | > | > | > |
> | | > | > | > | Both! It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
> | | > | > | > |
> | | > | > | > | > Let's first check the following:
> | | > | > | > | >
> | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists. It's 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
> | | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these client certificate are not revoked before you renew the certificate.
> | | > | > | > | > > | | > | > | > | > If the issue still exists, please check if the CA > computer > | | > where > | | > | > you > | | > | > | > start > | | > | > | > | > the Certificate Web Enrollment from is set to trust for > | | > | > delegation. > | | > | > To > | | > | > | > do > | | > | > | > | > so: > | | > | > | > | > 1. Log on as a domain administrator or equivalent > account. > | | > | > | > | > 2. Click Start, point to Programs, point to > Administrative > | | > Tools, > | | > | > and > | | > | > | > then > | | > | > | > | > click "Active Directory Users and Computers". > | | > | > | > | > 3. In the left pane, locate the container or > organizational > | | > unit > | | > | > (OU) > | | > | > | > on > | | > | > | > | > which you want to enable delegation. > | | > | > | > | > 4. Right-click the computer account name, and then click > | | > | > Properties. > | | > | > | > | > 5. On the General tab, click Trust computer for > delegation. > | | > | > | > | > 6. Click OK. > | | > | > | > | > 7. Quit Active Directory Users and Computers. > | | > | > | > | > > | | > | > | > | > For more info, please refer to: > | | > | > | > | > 300867 Error Message: The Certification Authority > Service > | Has > | | > Not > | | > | > Been > | | > | > | > | > Started > | | > | > | > | > http://support.microsoft.com/?id=300867 > | | > | > | > | > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't > renew > | it. > | | > | > | > | > | | > | > | > | > | | > | > | > | > > | | > | > | > | > > | | > | > | > | > This issue may also occur if the Domain Users group on > the > | | > child > | | > | > | > domain > | | > | > | > | > does not have the right to enroll a user template. To > have a > | | > | > check: > | | > | > | > | > > | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator > | | > | > | > | > | | > | > | > | check > | | > | > | > | > | | > | > | > | > 2. 
Click Start, click Programs, click Administrative > Tools, > | | > and > | | > | > then > | | > | > | > click > | | > | > | > | > the "Active Directory Sites and Services" snap-in. > | | > | > | > | > | | > | > | > | check > | | > | > | > | > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and > | | > Services" > | | > | > | > snap-in, > | | > | > | > | > click View, and then click "Show Services Mode". This > allows > | | > you > | | > | > to > | | > | > | > view > | | > | > | > | > the Services folder, which is hidden from view by > default. > | | > | > | > | > | | > | > | > | Check > | | > | > | > | > | | > | > | > | > 4. From the "Active Directory Sites and Services" > snap-in, > | | > click > | | > | > | > Services, > | | > | > | > | > click Public Key Services, and then click Certificate > | | > Templates. > | | > | > This > | | > | > | > | > reveals the complete list of published certificate > | templates > | | > in > | | > | > Active > | | > | > | > | > Directory. > | | > | > | > | > | | > | > | > | Check > | | > | > | > | > | | > | > | > | > 5. Double-click the User certificate template to view > the > | | > | > properties. > | | > | > | > | > | | > | > | > | Check > | | > | > | > | > | | > | > | > | > 6. On the Security tab, click Add to add the Domain > Users > | | > group > | | > to > | | > | > the > | | > | > | > | > list. > | | > | > | > | > | | > | > | > | The group domain users wasn't there so I added it > | | > | > | > | > | | > | > | > | > 7. For the Domain Users group, select the Read and > Enroll > | | > rights. 
> | | > | > | > | > | | > | > | > | When I tryed to apply the changes it gave the following > error: > | | > | > | > | > | | > | > | > | "Unable to save permission changes on > | | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE > | | > | > | > | TEMPLATES,CN=PUBLIC KEY > | | > | > | > | > SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL > | | > | > | > | > | | > | > | > | ACCESS IS DENIED" > | | > | > | > | > | | > | > | > | > | | > | > | > | > 8. Restart the computer. > | | > | > | > | > | | > | > | > | Didn't do it because no changes were made! > | | > | > | > | > | | > | > | > | > > | | > | > | > | > For more info, please refer to: > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That > | | > Processes > | | > | > the > | | > | > | > | > Request > | | > | > | > | > http://support.microsoft.com/?id=271861 > | | > | > | > | > > | | > | > | > | > NOTE: Request from MMC only works if it is a Enterprise > CA. > | To > | | > | > stand > | | > | > | > alone > | | > | > | > | > CA, you must request certificate by WEB. > | | > | > | > | > > | | > | > | > | > I appreciate your understanding and please paste your > | results > | | > as > | | > | > your > | | > | > | > | > convenience, It is important for us to isolate the > issue. > I > | am > | | > | > glad > | | > | > to > | | > | > | > | > help > | | > | > | > | > you. > | | > | > | > | > > | | > | > | > | > > | | > | > | > | > > | | > | > | > | > Best regards, > | | > | > | > | > > | | > | > | > | > Charles Yang (MSFT) > | | > | > | > | > > | | > | > | > | > Microsoft CSS Online Newsgroup Support > | | > | > | > | > > | | > | > | > | > Get Secure! - www.microsoft.com/security > | | > | > | > | > > | | > | > | > | > ====================================================== > | | > | > | > | > This newsgroup only focuses on SBS technical issues. 
If > you > | | > have > | | > | > | > issues > | | > | > | > | > regarding other Microsoft products, you'd better post in > the > | | > | > | > corresponding > | | > | > | > | > newsgroups so that they can be resolved in an efficient > and > | | > timely > | | > | > | > manner. > | | > | > | > | > You can locate the newsgroup here: > | | > | > | > | > > | | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx > | | > | > | > | > > | | > | > | > | > When opening a new thread via the web interface, we > | recommend > | | > you > | | > | > | > check > | | > | > | > | > the > | | > | > | > | > "Notify me of replies" box to receive e-mail > notifications > | | > when > | | > | > there > | | > | > | > are > | | > | > | > | > any updates in your thread. When responding to posts via > | your > | | > | > | > newsreader, > | | > | > | > | > please "Reply to Group" so that others may learn and > benefit > | | > from > | | > | > your > | | > | > | > | > issue. > | | > | > | > | > > | | > | > | > | > Microsoft engineers can only focus on one issue per > thread. > | | > | > Although > | | > | > | > we > | | > | > | > | > provide other information for your reference, we > recommend > | you > | | > | > post > | | > | > | > | > different incidents in different threads to keep the > thread > | | > clean. > | | > | > In > | | > | > | > | > doing > | | > | > | > | > so, it will ensure your issues are resolved in a timely > | | > manner. > | | > | > | > | > > | | > | > | > | > For urgent issues, you may want to contact Microsoft CSS > | | > directly. > | | > | > | > Please > | | > | > | > | > check http://support.microsoft.com for regional support > | phone > | | > | > numbers. > | | > | > | > | > > | | > | > | > | > Any input or comments in this thread are highly > appreciated. 
> | | > | > | > | > ====================================================== > | | > | > | > | > This posting is provided "AS IS" with no warranties, and > | | > confers > | | > | > no > | | > | > | > | > rights. > | | > | > | > | > > | | > | > | > | > > | | > | > | > | > ===================================================== > | | > | > | > | > When responding to posts, please "Reply to Group" via > your > | | > | > newsreader > | | > | > | > so > | | > | > | > | > that others may learn and benefit from your issue. > | | > | > | > | > ===================================================== > | | > | > | > | > > | | > | > | > | > This posting is provided "AS IS" with no warranties, and > | | > confers > | | > | > no > | | > | > | > | > rights. > | | > | > | > | > > | | > | > | > | > -------------------- > | | > | > | > | > | From: "PG" <*@*.*> > | | > | > | > | > | Subject: SBS2003Premium Certification Authority from > | HELL!!! > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100 > | | > | > | > | > | Lines: 25 > | | > | > | > | > | X-Priority: 3 > | | > | > | > | > | X-MSMail-Priority: Normal > | | > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 > | | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE > V6.00.3790.1830 > | | > | > | > | > | X-RFC2646: Format=Flowed; Original > | | > | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs > | | > | > | > | > | NNTP-Posting-Host: 62.48.233.71 > | | > | > | > | > | Path: > | | > | > | > > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl > | | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl > | | > | > | > microsoft.public.windows.server.sbs:153926 > | | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs > | | > | > | > | > | > | | > | > | > | > | Hi everybody, > | | > | > | > | > | > | | > | > | > | > | When I try to request a certificate from my > | Enterprise > | | > CA > | | > 
| > | > installed > | | > | > | > | > on > | | > | > | > | > | SBS2003Premium It gives the following error :"No > | certificate > | | > | > | > templates > | | > | > | > | > could > | | > | > | > | > | be found. You do not have permission to request a > | | > certificate > | | > | > from > | | > | > | > this > | | > | > | > | > CA, > | | > | > | > | > | or an error occurred while accessing the Active > | Directory." > | | > I > | | > | > went > | | > | > | > and > | | > | > | > | > | search for a solution and found this microsoft article > | | > | > | > | > | > | | > http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 > | | > | > that > | | > | > | > | > didn't > | | > | > | > | > | help because the name of the server is the same in the > | | > | > certdat.inc > | | > | > | > and > | | > | > | > | > in > | | > | > | > | > | the AD!!! :( > | | > | > | > | > | > | | > | > | > | > | When I go to the certification authority and click > on > | | > | > "manage" > | | > | > | > on > | | > | > | > | > the > | | > | > | > | > | certificate templates, windows says that it detected > that > | | > new > | | > | > | > | > certificate > | | > | > | > | > | templates should be installed, and ask if I want to > | install > | | > them > | | > | > | > now, > | | > | > | > | > and > | | > | > | > | > I > | | > | > | > | > | say "Yes", and gives an error saying "Windows could > not > | | > install > | | > | > the > | | > | > | > new > | | > | > | > | > | certificate templates. Access is denied" :( I doing > this > | as > | | > | > | > enterprise > | | > | > | > | > admin > | | > | > | > | > | and it says access denied!!!!! :( :( > | | > | > | > | > | > | | > | > | > | > | I've tryed to reinstall the CA and the errors are > | still > | | > the > | | > | > | > same! > | | > | > | > | > | > | | > | > | > | > | Can anyone help me with this issue, please? > | | > | > | > | > | > | | > | > | > | > | Thanks in advance for any help you can give me.... 
> | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > > | | > | > | > | > | | > | > | > | > | | > | > | > | > | | > | > | > | > | | > | > | > | > | | > | > | > | > | | > | > | > > | | > | > | > | | > | > | > | | > | > | > | | > | > > | | > | > | | > | > | | > | > | | > > | | > | | > | | > | > | >
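The template permission check quoted above (Read and Enroll for Domain Users on the User template, which could not be saved because of "Access is denied") can be audited read-only from PowerShell. This is an added example, not part of the thread: the function names and the sample SDDL are constructed for illustration, and the GUID is the schema's Certificate-Enrollment ("Enroll") extended right.

```powershell
# Added example (not from the thread). Windows PowerShell 3.0 or later.
# Read-only: nothing here changes Active Directory.
Add-Type -AssemblyName System.DirectoryServices

# Schema GUID of the "Enroll" (Certificate-Enrollment) extended right.
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Resolve-SidName {            # hypothetical helper name
    param($Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }              # orphaned or foreign SID: show it untranslated
}

function Get-TemplateAcl {            # hypothetical helper name
    # Live lookup: needs a domain-joined machine and read access to the
    # Configuration partition. The DN is built from RootDSE, not hard-coded.
    param([Parameter(Mandatory = $true)] [string] $TemplateName)
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        throw "Template object not found or not readable: $dn"
    }
    ([ADSI]"LDAP://$dn").psbase.ObjectSecurity
}

function Get-AclReport {              # hypothetical helper name
    # One row per ACE, flagging the three rights that matter in this thread.
    param(
        [Parameter(Mandatory = $true)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [string] $Label = ''
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $adr     = [System.DirectoryServices.ActiveDirectoryRights]
    $owner   = Resolve-SidName $Acl.GetOwner($sidType)

    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        $rights = [int]$ace.ActiveDirectoryRights
        $hasExt = ($rights -band [int]$adr::ExtendedRight) -ne 0
        [pscustomobject]@{
            Template  = $Label
            Owner     = $owner
            Principal = Resolve-SidName $ace.IdentityReference
            Type      = $ace.AccessControlType          # Allow or Deny
            Inherited = $ace.IsInherited
            # "Read" on the template Security tab corresponds to GenericRead.
            Read      = ($rights -band [int]$adr::GenericRead) -eq [int]$adr::GenericRead
            # Enroll comes from the specific extended right or from "all extended rights".
            Enroll    = $hasExt -and ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [Guid]::Empty)
            # Saving a permission change on the template requires WriteDacl.
            WriteDacl = ($rights -band [int]$adr::WriteDacl) -ne 0
        }
    }
}

# Constructed sample ACL (not taken from the thread), using only well-known SIDs
# so it parses on any Windows machine: Authenticated Users and BUILTIN\Administrators
# can read, and only SYSTEM can enroll or rewrite the DACL.
$sampleSddl = 'O:SYG:SYD:' +
    '(A;;RPLCLORC;;;AU)' +
    '(A;;RPLCLORC;;;BA)' +
    '(A;;RPWPLCLORCWDWO;;;SY)' +
    '(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;SY)'
$sample = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sample.SetSecurityDescriptorSddlForm($sampleSddl)
Get-AclReport -Acl $sample -Label 'constructed sample' | Format-Table -AutoSize

# Against a real CA's directory (run as a user allowed to read the template):
# Get-AclReport -Acl (Get-TemplateAcl -TemplateName 'User') -Label 'User' | Format-Table -AutoSize
```

In the report, an enrolling account needs an Allow row with both Read and Enroll (directly or through a group), and the account editing the Security tab needs a row with WriteDacl or must be the owner.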
From: "Charles Yang [MSFT]" on 25 Sep 2005 20:36

HI PG,

From your description, it seems a lot of templates have the permission issue? Can I assume that all the permission of this grey template encountered the same issue when you try to change the permission and the permission the security section is not correct as I referred to?

If so, I suggest you make sure that you logon the SBS server with Enterprise Admin, it seems to be the permission issue, if possible please make sure that you logon via Built-in Enterprise Admin to see if the problem can be cleared,

Thanks for your effort.

Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Fri, 23 Sep 2005 11:39:53 +0100
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi Charles,
|
| I went to DCOMCNFG and on the Launch permission it was empty, and I added Everyone with (Launch permission---Allow) and in the Access permission it is everyone (Access permission---Allow), so I didn't have to change it.
| Could not find anything that referred to (Local Activation Remote Activation) or (Local Access Remote Access) as you said. Only (Launch Permission) and (Access Permission).
|
| After applying the changes to DCOM I tried to request a certificate, and the same error occurred. Duplicated a Template and still the same error. :(
| "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."
|
| In response to your question, all the certificates templates, from the pictures I sent you, that are greyed out have permissions issues, and don't let me add or change permissions for those certificates.
|
| :(
|
| ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > HI PG,
| >
| > Thanks for updates.
| >
| > After making research, I find solutions for you, please refer to the steps below:
| >
| > 1 Open DCOMCNFG
| > 2- Select Component Services
| > ---Computers
| > ----My Computer
| > ------Dcom Config
| > ---- CertSrv Request
| > 3- Open properties and verify Security permission for Launch and Activation Permissions (Should be Customize --Everyone ---Local Activation Remote Activation)
| >
| > Access Permissions (Should be Customize -Everyone ---Local Access Remote Access)
| >
| > If the issue still exists, please recreate a certificate template to see if the issue can be resolved. You can try to request a certificate via a new template. From your screenshot we found only one of the template you encountered permission issue, can we assume it is the certificate template you use for the certificate?
| >
| > Thanks for understanding on this issue, please feel free to post back.
| >
| > Best regards,
| > Charles Yang (MSFT)
| > Microsoft CSS Online Newsgroup Support
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
| > | Date: Fri, 23 Sep 2005 08:54:33 GMT
| > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | HI PG,
| > |
| > | Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.
| > |
| > | Thanks for your understanding.
| > |
| > | Best regards,
| > | Charles Yang (MSFT)
| > | Microsoft CSS Online Newsgroup Support
| > | Get Secure! - www.microsoft.com/security
| > |
| > | --------------------
| > | | From: "PG" <*@*.*>
| > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
| > | | Newsgroups: microsoft.public.windows.server.sbs
| > | |
| > | | Hi Charles,
| > | |
| > | | 1. I sent all the logs you requested to your e-mail.
| > | |
| > | | 2. Done that also.
| > | |
| > | | 3. No changes done...that I can remember
| > | |
| > | | Thanks
| > | |
| > | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| > | | > Hi PG,
| > | | >
| > | | > After checking your screen shot, we decide to collect more information, as this issue should relate to AD setting:
| > | | >
| > | | > 1. Please send me all the event log except the application and system event log that you have already sent to me.
| > | | > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
| > | | > 3. If possible, could you tell us if have changed any setting on AD or on SBS server. As the screen shot point that you have some problem in query user objects on DC.
| > | | >
| > | | > I appreciate your effort on this issue.
| > | | >
| > | | > Best regards,
| > | | > Charles Yang (MSFT)
| > | | > Microsoft CSS Online Newsgroup Support
| > | | > Get Secure! - www.microsoft.com/security
| > | | >
| > | | > --------------------
| > | | > | From: "PG" <*@*.*>
| > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| > | | > | Newsgroups: microsoft.public.windows.server.sbs
| > | | > |
| > | | > | Hi Charles,
| > | | > |
| > | | > | I started to go through the points you referred below and on the second point(Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
| > | | > | I didn't want to continue following your suggestions(to reinstall the CA) before you had a look at the pictures I sent you.
| > | | > |
| > | | > | Thanks
| > | | > | PG
| > | | > |
| > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | | > | > Hi,
| > | | > | >
| > | | > | > Thanks for updates.
| > | | > | >
| > | | > | > After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.
| > | | > | >
| > | | > | > For this issue, I have some suggestion below:
| > | | > | >
| > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
| > | | > | >
| > | | > | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
| > | | > | > 2. Please refer to the KB article below to check the permission setting for CA, make sure that you have go through the article to double check it:
| > | | > | >
| > | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
| > | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
| > | | > | >
| > | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
| > | | > | >
| > | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
| > | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
| > | | > | > C. Opened up AD sites and services and deleted and in services\public key services
| > | | > | >
| > | | > | > Please deleted all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.
| > | | > | >
| > | | > | > If the issue still exist, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
| > | | > | >
| > | | > | > 305018 How to Change the Event Logging Level for Certificate Services
| > | | > | > http://support.microsoft.com/?id=305018
| > | | > | >
| > | | > | > Thanks for your efforts. I will be here waiting for updates.
| > | | > | >
| > | | > | > Best regards,
| > | | > | > Charles Yang (MSFT)
| > | | > | > Microsoft CSS Online Newsgroup Support
| > | | > | > Get Secure! - www.microsoft.com/security
| > | | > | >
| > | | > | > --------------------
| > | | > | > | From: "PG" <*@*.*>
| > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| > | | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | | > | > |
| > | | > | > | I've sent you the logs as you requested Charles...
| > | | > | > |
| > | | > | > | Thanks for the help
| > | | > | > |
| > | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| > | | > | > | > HI PG,
| > | | > | > | >
| > | | > | > | > Thanks for updates.
| > | | > | > | >
| > | | > | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
| > | | > | > | >
| > | | > | > | > v-chayan(a)microsoft.com
| > | | > | > | >
| > | | > | > | > Thanks for your understanding.
| > | | > | > | >
| > | | > | > | > Best regards,
| > | | > | > | > Charles Yang (MSFT)
| > | | > | > | > Microsoft CSS Online Newsgroup Support
| > | | > | > | > Get Secure!
- www.microsoft.com/security | > | | > | > | > | > | | > | > | > ====================================================== | > | | > | > | > This newsgroup only focuses on SBS technical issues. If you | > have | > | | > | > issues | > | | > | > | > regarding other Microsoft products, you'd better post in the | > | | > | > corresponding | > | | > | > | > newsgroups so that they can be resolved in an efficient and | > | timely | > | | > | > manner. | > | | > | > | > You can locate the newsgroup here: | > | | > | > | > | > | http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | | > | > | > | > | | > | > | > When opening a new thread via the web interface, we | > recommend | > | you | > | | > | > check | > | | > | > | > the | > | | > | > | > "Notify me of replies" box to receive e-mail notifications | > when | > | | > there | > | | > | > are | > | | > | > | > any updates in your thread. When responding to posts via | > your | > | | > | > newsreader, | > | | > | > | > please "Reply to Group" so that others may learn and benefit | > | from | > | | > your | > | | > | > | > issue. | > | | > | > | > | > | | > | > | > Microsoft engineers can only focus on one issue per thread. | > | | > Although | > | | > | > we | > | | > | > | > provide other information for your reference, we recommend | > you | > | | > post | > | | > | > | > different incidents in different threads to keep the thread | > | clean. | > | | > In | > | | > | > | > doing | > | | > | > | > so, it will ensure your issues are resolved in a timely | > manner. | > | | > | > | > | > | | > | > | > For urgent issues, you may want to contact Microsoft CSS | > | directly. | > | | > | > Please | > | | > | > | > check http://support.microsoft.com for regional support | > phone | > | | > numbers. | > | | > | > | > | > | | > | > | > Any input or comments in this thread are highly appreciated. 
| > | | > | > | > ====================================================== | > | | > | > | > This posting is provided "AS IS" with no warranties, and | > | confers | > | | > no | > | | > | > | > rights. | > | | > | > | > | > | | > | > | > | > | | > | > | > ===================================================== | > | | > | > | > When responding to posts, please "Reply to Group" via your | > | | > newsreader | > | | > | > so | > | | > | > | > that others may learn and benefit from your issue. | > | | > | > | > ===================================================== | > | | > | > | > | > | | > | > | > This posting is provided "AS IS" with no warranties, and | > | confers | > | | > no | > | | > | > | > rights. | > | | > | > | > | > | | > | > | > -------------------- | > | | > | > | > | From: "PG" <*@*.*> | > | | > | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > | | > | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> | > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from | > | HELL!!! 
| > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100 | > | | > | > | > | Lines: 269 | > | | > | > | > | X-Priority: 3 | > | | > | > | > | X-MSMail-Priority: Normal | > | | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | > | | > | > | > | X-RFC2646: Format=Flowed; Original | > | | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 | > | | > | > | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> | > | | > | > | > | Newsgroups: microsoft.public.windows.server.sbs | > | | > | > | > | NNTP-Posting-Host: 62.48.233.71 | > | | > | > | > | Path: | > | | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl | > | | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl | > | | > | > microsoft.public.windows.server.sbs:154800 | > | | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | | > | > | > | | > | | > | > | > | Thanks for your reply Charles | > | | > | > | > | | > | | > | > | > | Responses to your questions follow, and are in line: | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> | > wrote | > | in | > | | > | > message | > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl... | > | | > | > | > | > HI PG, | > | | > | > | > | > | > | | > | > | > | > Welcome to SBS newsgroup. | > | | > | > | > | > | > | | > | > | > | > Issue description: | > | | > | > | > | > ================ | > | | > | > | > | > | > | | > | > | > | > I understand that you encountered some problem when | > using | > | CA | > | | > on | > | | > | > SBS | > | | > | > | > 2003 | > | | > | > | > | > premium. 
| > | | > | > | > | > | > | | > | > | > | > Analyzing and suggestions: | > | | > | > | > | > ================ | > | | > | > | > | > | > | | > | > | > | > Generally speaking, the error you encountered can be | > caused | > | by | > | | > | > many | > | | > | > | > | > factors, in order to make the issue more clear, please | > | refer | > | | > to | > | | > my | > | | > | > | > | > suggestions below to gather more information: | > | | > | > | > | > | > | | > | > | > | > 1. If possible, please send me the event log for further | > | | > research, | > | | > | > it | > | | > | > | > | > should include more information which can help us | > determine | > | | > which | > | | > | > | > kinds | > | | > | > | > of | > | | > | > | > | > error you encountered, you can send the log files to my | > | | > box. | > | | > | > | > | > v-chayan(a)microsoft.com. | > | | > | > | > | | > | | > | > | > | There is nothing recorded in the logs, when the error's | > occur. | > | | > | > | > | | > | | > | > | > | > 2. Does the issue occur from the client's computer or | > from | > | the | > | | > | > server | > | | > | > | > | > side? | > | | > | > | > | | > | | > | > | > | Both! It occur's when I request a certificate from the | > client | > | | > and | > | | > | > from | > | | > | > | > the | > | | > | > | > | server! :( Via Web request or MMC snap-in | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > Let's first check the following: | > | | > | > | > | > | > | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make | > | sure | > | | > that | > | | > | > the | > | | > | > | > | > Certificate Service is started. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 2. Open Certificate Authority, make sure that it can be | > | | > opened. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 3. 
If you are using Enterprise CA, go to the Certificate | > | | > Template | > | | > | > in | > | | > | > | > the | > | | > | > | > | > Certificate Authority, make sure that necessary | > Certificate | > | | > | > Template | > | | > | > | > is | > | | > | > | > | > added and listed in the right panel. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and | > click | > | | > OK. | > | | > | > Click | > | | > | > | > File | > | | > | > | > | > -> Add/Remove Snap-in, click Add button, select | > Certificate, | > | | > click | > | | > | > | > Add, | > | | > | > | > | > select Computer Account and click next. Select Local | > | Computer, | > | | > | > click | > | | > | > | > | > Finish | > | | > | > | > | > and then Close. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 5. Expand the Certificate (Local | > | | > Computer)\Personal\Certificate, | > | | > | > check | > | | > | > | > if | > | | > | > | > | > the Root certificate exists. It's 'issued by' and | > 'issued | > | to' | > | | > | > should | > | | > | > | > be | > | | > | > | > | > itself. Then please check if the root certificate is | > still | > | | > alive. | > | | > | > If | > | | > | > | > it | > | | > | > | > is | > | | > | > | > | > expired, right click the Certificate, select All | > Tasks -> | > | | > Renew | > | | > | > | > | > Certificate | > | | > | > | > | > with Same Key. Then renew the user certificate and let | > me | > | know | > | | > how | > | | > | > | > | > everything is going. | > | | > | > | > | > NOTE: Please check the Certificate Authority to make | > sure | > | that | > | | > | > these | > | | > | > | > | > client | > | | > | > | > | > certificate are not revoked before you renew the | > | certificate. 
| > | | > | > | > | > | > | | > | > | > | > If the issue still exists, please check if the CA | > computer | > | | > where | > | | > | > you | > | | > | > | > start | > | | > | > | > | > the Certificate Web Enrollment from is set to trust for | > | | > | > delegation. | > | | > | > To | > | | > | > | > do | > | | > | > | > | > so: | > | | > | > | > | > 1. Log on as a domain administrator or equivalent | > account. | > | | > | > | > | > 2. Click Start, point to Programs, point to | > Administrative | > | | > Tools, | > | | > | > and | > | | > | > | > then | > | | > | > | > | > click "Active Directory Users and Computers". | > | | > | > | > | > 3. In the left pane, locate the container or | > organizational | > | | > unit | > | | > | > (OU) | > | | > | > | > on | > | | > | > | > | > which you want to enable delegation. | > | | > | > | > | > 4. Right-click the computer account name, and then click | > | | > | > Properties. | > | | > | > | > | > 5. On the General tab, click Trust computer for | > delegation. | > | | > | > | > | > 6. Click OK. | > | | > | > | > | > 7. Quit Active Directory Users and Computers. | > | | > | > | > | > | > | | > | > | > | > For more info, please refer to: | > | | > | > | > | > 300867 Error Message: The Certification Authority | > Service | > | Has | > | | > Not | > | | > | > Been | > | | > | > | > | > Started | > | | > | > | > | > http://support.microsoft.com/?id=300867 | > | | > | > | > | | > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't | > renew | > | it. | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > This issue may also occur if the Domain Users group on | > the | > | | > child | > | | > | > | > domain | > | | > | > | > | > does not have the right to enroll a user template. To | > have a | > | | > | > check: | > | | > | > | > | > | > | | > | > | > | > 1. 
Logon to CA Server as Enterprise Administrator | > | | > | > | > | | > | | > | > | > | check | > | | > | > | > | | > | | > | > | > | > 2. Click Start, click Programs, click Administrative | > Tools, | > | | > and | > | | > | > then | > | | > | > | > click | > | | > | > | > | > the "Active Directory Sites and Services" snap-in. | > | | > | > | > | | > | | > | > | > | check | > | | > | > | > | | > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and | > | | > Services" | > | | > | > | > snap-in, | > | | > | > | > | > click View, and then click "Show Services Mode". This | > allows | > | | > you | > | | > | > to | > | | > | > | > view | > | | > | > | > | > the Services folder, which is hidden from view by | > default. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 4. From the "Active Directory Sites and Services" | > snap-in, | > | | > click | > | | > | > | > Services, | > | | > | > | > | > click Public Key Services, and then click Certificate | > | | > Templates. | > | | > | > This | > | | > | > | > | > reveals the complete list of published certificate | > | templates | > | | > in | > | | > | > Active | > | | > | > | > | > Directory. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 5. Double-click the User certificate template to view | > the | > | | > | > properties. | > | | > | > | > | | > | | > | > | > | Check | > | | > | > | > | | > | | > | > | > | > 6. On the Security tab, click Add to add the Domain | > Users | > | | > group | > | | > to | > | | > | > the | > | | > | > | > | > list. | > | | > | > | > | | > | | > | > | > | The group domain users wasn't there so I added it | > | | > | > | > | | > | | > | > | > | > 7. For the Domain Users group, select the Read and | > Enroll | > | | > rights. 
| > | | > | > | > | | > | | > | > | > | When I tryed to apply the changes it gave the following | > error: | > | | > | > | > | | > | | > | > | > | "Unable to save permission changes on | > | | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE | > | | > | > | > | TEMPLATES,CN=PUBLIC KEY | > | | > | > | > | | > SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL | > | | > | > | > | | > | | > | > | > | ACCESS IS DENIED" | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | > 8. Restart the computer. | > | | > | > | > | | > | | > | > | > | Didn't do it because no changes were made! | > | | > | > | > | | > | | > | > | > | > | > | | > | > | > | > For more info, please refer to: | > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That | > | | > Processes | > | | > | > the | > | | > | > | > | > Request | > | | > | > | > | > http://support.microsoft.com/?id=271861 | > | | > | > | > | > | > | | > | > | > | > NOTE: Request from MMC only works if it is a Enterprise | > CA. | > | To | > | | > | > stand | > | | > | > | > alone | > | | > | > | > | > CA, you must request certificate by WEB. | > | | > | > | > | > | > | | > | > | > | > I appreciate your understanding and please paste your | > | results | > | | > as | > | | > | > your | > | | > | > | > | > convenience, It is important for us to isolate the | > issue. | > I | > | am | > | | > | > glad | > | | > | > to | > | | > | > | > | > help | > | | > | > | > | > you. | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > Best regards, | > | | > | > | > | > | > | | > | > | > | > Charles Yang (MSFT) | > | | > | > | > | > | > | | > | > | > | > Microsoft CSS Online Newsgroup Support | > | | > | > | > | > | > | | > | > | > | > Get Secure! - www.microsoft.com/security | > | | > | > | > | > | > | | > | > | > | > ====================================================== | > | | > | > | > | > This newsgroup only focuses on SBS technical issues. 
If | > you | > | | > have | > | | > | > | > issues | > | | > | > | > | > regarding other Microsoft products, you'd better post in | > the | > | | > | > | > corresponding | > | | > | > | > | > newsgroups so that they can be resolved in an efficient | > and | > | | > timely | > | | > | > | > manner. | > | | > | > | > | > You can locate the newsgroup here: | > | | > | > | > | > | > | | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | | > | > | > | > | > | | > | > | > | > When opening a new thread via the web interface, we | > | recommend | > | | > you | > | | > | > | > check | > | | > | > | > | > the | > | | > | > | > | > "Notify me of replies" box to receive e-mail | > notifications | > | | > when | > | | > | > there | > | | > | > | > are | > | | > | > | > | > any updates in your thread. When responding to posts via | > | your | > | | > | > | > newsreader, | > | | > | > | > | > please "Reply to Group" so that others may learn and | > benefit | > | | > from | > | | > | > your | > | | > | > | > | > issue. | > | | > | > | > | > | > | | > | > | > | > Microsoft engineers can only focus on one issue per | > thread. | > | | > | > Although | > | | > | > | > we | > | | > | > | > | > provide other information for your reference, we | > recommend | > | you | > | | > | > post | > | | > | > | > | > different incidents in different threads to keep the | > thread | > | | > clean. | > | | > | > In | > | | > | > | > | > doing | > | | > | > | > | > so, it will ensure your issues are resolved in a timely | > | | > manner. | > | | > | > | > | > | > | | > | > | > | > For urgent issues, you may want to contact Microsoft CSS | > | | > directly. | > | | > | > | > Please | > | | > | > | > | > check http://support.microsoft.com for regional support | > | phone | > | | > | > numbers. | > | | > | > | > | > | > | | > | > | > | > Any input or comments in this thread are highly | > appreciated. 
| > | | > | > | > | > ====================================================== | > | | > | > | > | > This posting is provided "AS IS" with no warranties, and | > | | > confers | > | | > | > no | > | | > | > | > | > rights. | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > ===================================================== | > | | > | > | > | > When responding to posts, please "Reply to Group" via | > your | > | | > | > newsreader | > | | > | > | > so | > | | > | > | > | > that others may learn and benefit from your issue. | > | | > | > | > | > ===================================================== | > | | > | > | > | > | > | | > | > | > | > This posting is provided "AS IS" with no warranties, and | > | | > confers | > | | > | > no | > | | > | > | > | > rights. | > | | > | > | > | > | > | | > | > | > | > -------------------- | > | | > | > | > | > | From: "PG" <*@*.*> | > | | > | > | > | > | Subject: SBS2003Premium Certification Authority from | > | HELL!!! | > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100 | > | | > | > | > | > | Lines: 25 | > | | > | > | > | > | X-Priority: 3 | > | | > | > | > | > | X-MSMail-Priority: Normal | > | | > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | > | | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE | > V6.00.3790.1830 | > | | > | > | > | > | X-RFC2646: Format=Flowed; Original | > | | > | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs | > | | > | > | > | > | NNTP-Posting-Host: 62.48.233.71 | > | | > | > | > | > | Path: | > | | > | > | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl | > | | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl | > | | > | > | > microsoft.public.windows.server.sbs:153926 | > | | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | | > | > | > | > | | > | | > | > | > | > | Hi everybody, | > | | > | > | > | > | | > | | > | 
> | > | > | When I try to request a certificate from my | > | Enterprise | > | | > CA | > | | > | > | > installed | > | | > | > | > | > on | > | | > | > | > | > | SBS2003Premium It gives the following error :"No | > | certificate | > | | > | > | > templates | > | | > | > | > | > could | > | | > | > | > | > | be found. You do not have permission to request a | > | | > certificate | > | | > | > from | > | | > | > | > this | > | | > | > | > | > CA, | > | | > | > | > | > | or an error occurred while accessing the Active | > | Directory." | > | | > I | > | | > | > went | > | | > | > | > and | > | | > | > | > | > | search for a solution and found this microsoft article | > | | > | > | > | > | | > | | > http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 | > | | > | > that | > | | > | > | > | > didn't | > | | > | > | > | > | help because the name of the server is the same in the | > | | > | > certdat.inc | > | | > | > | > and | > | | > | > | > | > in | > | | > | > | > | > | the AD!!! :( | > | | > | > | > | > | | > | | > | > | > | > | When I go to the certification authority and click | > on | > | | > | > "manage" | > | | > | > | > on | > | | > | > | > | > the | > | | > | > | > | > | certificate templates, windows says that it detected | > that | > | | > new | > | | > | > | > | > certificate | > | | > | > | > | > | templates should be installed, and ask if I want to | > | install | > | | > them | > | | > | > | > now, | > | | > | > | > | > and | > | | > | > | > | > I | > | | > | > | > | > | say "Yes", and gives an error saying "Windows could | > not | > | | > install | > | | > | > the | > | | > | > | > new | > | | > | > | > | > | certificate templates. Access is denied" :( I doing | > this | > | as | > | | > | > | > enterprise | > | | > | > | > | > admin | > | | > | > | > | > | and it says access denied!!!!! :( :( | > | | > | > | > | > | | > | | > | > | > | > | I've tryed to reinstall the CA and the errors are | > | still | > | | > the | > | | > | > | > same! 
| > | | > | > | > | > | | > | | > | > | > | > | Can anyone help me with this issue, please? | > | | > | > | > | > | | > | | > | > | > | > | Thanks in advance for any help you can give me.... | > | | > | > | > | > | | > | | > | > | > | > | | > | | > | > | > | > | | > | | > | > | > | > | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | | > | | > | > | > | > | | > | > | | > | | > | > | | > | | > | > | | > | | > | > | > | | > | | > | | > | | > | | > | | > | | > | > | | | > | | | > | | | > | | > | | > | | |
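The template check walked through in the quoted steps above (does Domain Users hold Read and Enroll on the User template, and who can change the template's permissions at all) can also be read from a script. This is an added example, not part of the thread: it assumes a management host with the RSAT ActiveDirectory PowerShell module, which postdates SBS 2003, and the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of a certificate
# template's ACL in the Configuration partition. It changes nothing.
# Assumes the RSAT ActiveDirectory module; helper names are hypothetical.
Import-Module ActiveDirectory

# Control access right GUIDs defined in the AD schema for enrollment.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

function Test-Right {
    # True when every bit of $Wanted is present in the ACE's rights mask.
    param($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Wanted)
    (([int]$Ace.ActiveDirectoryRights) -band [int]$Wanted) -eq [int]$Wanted
}

function Test-ExtendedRight {
    # An extended-right ACE applies when its ObjectType is the right's GUID,
    # or the empty GUID (which covers all extended rights, e.g. Full Control).
    param($Ace, [guid]$RightGuid)
    (Test-Right $Ace 'ExtendedRight') -and
        ($Ace.ObjectType -eq $RightGuid -or $Ace.ObjectType -eq [guid]::Empty)
}

function Get-TemplateAclSummary {
    param([string]$TemplateName = 'User')

    # Templates live under the forest-wide Configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    # One summary row per principal that appears in the DACL.
    $acl.Access | Group-Object { $_.IdentityReference.Value } | ForEach-Object {
        $allow = @($_.Group | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($_.Group | Where-Object { $_.AccessControlType -eq 'Deny' })
        [pscustomobject]@{
            Template   = $TemplateName
            Owner      = $acl.Owner
            Identity   = $_.Name
            Read       = [bool]($allow | Where-Object { Test-Right $_ 'GenericRead' })
            Enroll     = [bool]($allow | Where-Object { Test-ExtendedRight $_ $EnrollRight })
            AutoEnroll = [bool]($allow | Where-Object { Test-ExtendedRight $_ $AutoEnrollRight })
            WriteDacl  = [bool]($allow | Where-Object { Test-Right $_ 'WriteDacl' })
            HasDeny    = $deny.Count -gt 0
        }
    }
}

# The thread's case: the User template. Rows with WriteDacl = True (and the
# Owner column) show which principals are able to save permission changes.
Get-TemplateAclSummary -TemplateName 'User' |
    Sort-Object Identity |
    Format-Table Identity, Read, Enroll, AutoEnroll, WriteDacl, HasDeny, Owner -AutoSize
```

The table lists ACEs per principal, not effective access: a row with HasDeny set needs a closer look at the individual entries before concluding that a right is usable.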
From: PG on 27 Sep 2005 03:52
Hi Charles, Yes all the grey templates have permission issues. I cant add, or change the permissions for those templates. And all my efforts where made has enterprise admin, to try and clear the "access denied" problem... :( I really don't understand what went wrong with this Certification Authority. :( ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl... > HI PG, > > From your description, it seems a lot of template has the permission > issue? > Can I assume that all the permission of this grey template encountered the > same issue when you try to change the permission and the permission the > security section is not correct as I referred to? > > If so, I suggest you make sure that you logon the SBS server with > Enterprise Admin, it seems to be the permission issue, if possible please > make sure that you logon via Built-in Enterprise Admin to see if the > problem can be cleared, > > Thanks for your effort. > > > > Best regards, > > Charles Yang (MSFT) > > Microsoft CSS Online Newsgroup Support > > Get Secure! - www.microsoft.com/security > > ====================================================== > This newsgroup only focuses on SBS technical issues. If you have issues > regarding other Microsoft products, you'd better post in the corresponding > newsgroups so that they can be resolved in an efficient and timely manner. > You can locate the newsgroup here: > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx > > When opening a new thread via the web interface, we recommend you check > the > "Notify me of replies" box to receive e-mail notifications when there are > any updates in your thread. When responding to posts via your newsreader, > please "Reply to Group" so that others may learn and benefit from your > issue. > > Microsoft engineers can only focus on one issue per thread. 
Although we > provide other information for your reference, we recommend you post > different incidents in different threads to keep the thread clean. In > doing > so, it will ensure your issues are resolved in a timely manner. > > For urgent issues, you may want to contact Microsoft CSS directly. Please > check http://support.microsoft.com for regional support phone numbers. > > Any input or comments in this thread are highly appreciated. > ====================================================== > This posting is provided "AS IS" with no warranties, and confers no > rights. > > > ===================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ===================================================== > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > -------------------- > | From: "PG" <*@*.*> > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> > <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> > <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> > <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> > <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl> > <Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl> > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! 
> | Date: Fri, 23 Sep 2005 11:39:53 +0100 > | Lines: 1168 > | X-Priority: 3 > | X-MSMail-Priority: Normal > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 > | X-RFC2646: Format=Flowed; Original > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 > | Message-ID: <Oi6nhtCwFHA.552(a)TK2MSFTNGP12.phx.gbl> > | Newsgroups: microsoft.public.windows.server.sbs > | NNTP-Posting-Host: 62.48.233.71 > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155851 > | X-Tomcat-NG: microsoft.public.windows.server.sbs > | > | Hi Charles, > | > | I went to DCOMCNFG and on the Launch permission it was empty, and I > added > | Everyone with (Launch permission---Allow) > | and in the Access permission it is everyone (Access permission---Allow), > so > | I didn't have to change it. > | Could not find anything that refered to (Local Activation Remote > Activation) > | or (Local Access Remote Access) as you sayd. Only (Launch Permission) > and > | (Access Permission). > | > | After applying the changes to DCOM I tryed to request a certificate, and > the > | same error ocurred. Duplicated a Template and still the same error. :( > | "No certificate templates could be found. You do not have permission to > | request a certificate from this CA,or an error occurred while accessing > the > | Active Directory." > | > | In response to your question, all the certificates templates, from the > | pictures I sent you, that are greyd out have permissions issues, and > don't > | let me add or change permissions for those certificates. > | > | :( > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message > | news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl... > | > HI PG, > | > > | > Thanks for updates. 
> | > > | > After making research, I find solutions for you, please refer to the > steps > | > below: > | > > | > 1 Open DCOMCNFG > | > 2- Select Componect Services > | > ---Computers > | > ----My Computer > | > ------Dcom Config > | > ---- CertSrv Request > | > 3- Open properties and verify Security permission for Launch and > | > Activation > | > Permissions (Should be Customize --Everyone ---Local Activation Remote > | > Activation) > | > > | > Access Permissions (Should be Customize -Everyone ---Local Access > Remote > | > Access) > | > > | > If the issue still exists, please recreate a certificate template to > see > | > if > | > the issue can be resolved. You can try to request a certificate via a > new > | > template. From your screenshot we found only one of the template you > | > encountered permission issue, can we assume it is the certificate > template > | > you use for the certificate? > | > > | > Thanks for understanding on this issue, please feel free to post back. > | > > | > > | > > | > Best regards, > | > > | > Charles Yang (MSFT) > | > > | > Microsoft CSS Online Newsgroup Support > | > > | > Get Secure! - www.microsoft.com/security > | > > | > ====================================================== > | > This newsgroup only focuses on SBS technical issues. If you have > issues > | > regarding other Microsoft products, you'd better post in the > corresponding > | > newsgroups so that they can be resolved in an efficient and timely > manner. > | > You can locate the newsgroup here: > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx > | > > | > When opening a new thread via the web interface, we recommend you > check > | > the > | > "Notify me of replies" box to receive e-mail notifications when there > are > | > any updates in your thread. When responding to posts via your > newsreader, > | > please "Reply to Group" so that others may learn and benefit from your > | > issue. 
> | > > | > Microsoft engineers can only focus on one issue per thread. Although > we > | > provide other information for your reference, we recommend you post > | > different incidents in different threads to keep the thread clean. In > | > doing > | > so, it will ensure your issues are resolved in a timely manner. > | > > | > For urgent issues, you may want to contact Microsoft CSS directly. > Please > | > check http://support.microsoft.com for regional support phone numbers. > | > > | > Any input or comments in this thread are highly appreciated. > | > ====================================================== > | > This posting is provided "AS IS" with no warranties, and confers no > | > rights. > | > > | > > | > ===================================================== > | > When responding to posts, please "Reply to Group" via your newsreader > so > | > that others may learn and benefit from your issue. > | > ===================================================== > | > > | > This posting is provided "AS IS" with no warranties, and confers no > | > rights. > | > > | > -------------------- > | > | X-Tomcat-ID: 138385008 > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> > | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> > | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> > | > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> > | > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> > | > <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> > | > <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> > | > <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> > | > | MIME-Version: 1.0 > | > | Content-Type: text/plain > | > | Content-Transfer-Encoding: 7bit > | > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]") > | > | Organization: Microsoft > | > | Date: Fri, 23 Sep 2005 08:54:33 GMT > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! 
> | > |
> | > | HI PG,
> | > |
> | > | Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.
> | > |
> | > | Thanks for your understanding.
> | > |
> | > | Best regards,
> | > |
> | > | Charles Yang (MSFT)
> | > |
> | > | Microsoft CSS Online Newsgroup Support
> | > | --------------------
> | > | | From: "PG" <*@*.*>
> | > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
> | > | |
> | > | | Hi Charles,
> | > | |
> | > | | 1. I sent all the logs you requested to your e-mail.
> | > | |
> | > | | 2. Done that also.
> | > | |
> | > | | 3. No changes done...that I can remember
> | > | |
> | > | | Thanks
> | > | |
> | > | | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > Hi PG,
> | > | | >
> | > | | > After checking your screen shot, we decide to collect more information, as this issue should relate to AD setting:
> | > | | >
> | > | | > 1. Please send me all the event log except the application and system event log that you have already sent to me.
> | > | | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
> | > | | > 3. If possible, could you tell us if you have changed any setting on AD or on SBS server. As the screen shot point that you have some problem in query user objects on DC.
> | > | | >
> | > | | > I appreciate your effort on this issue.
> | > | | >
> | > | | > Best regards,
> | > | | >
> | > | | > Charles Yang (MSFT)
> | > | | >
> | > | | > Microsoft CSS Online Newsgroup Support
> | > | | > --------------------
> | > | | > | From: "PG" <*@*.*>
> | > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | > | | > |
> | > | | > | Hi Charles,
> | > | | > |
> | > | | > | I started to go through the points you referred below and on the second point (Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm
> | > | | > | unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
> | > | | > | I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
> | > | | > |
> | > | | > | Thanks
> | > | | > | PG
> | > | | > |
> | > | | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > | > Hi,
> | > | | > | >
> | > | | > | > Thanks for updates.
> | > | | > | >
> | > | | > | > After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.
> | > | | > | >
> | > | | > | > For this issue, I have some suggestions below:
> | > | | > | >
> | > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
> | > | | > | >
> | > | | > | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
> | > | | > | > 2.
> | > | | > | > Please refer to the KB article below to check the permission setting for CA, make sure that you have gone through the article to double check it:
> | > | | > | >
> | > | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | > | | > | >
> | > | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
> | > | | > | >
> | > | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
> | > | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
> | > | | > | > C. Opened up AD sites and services and deleted and in services\public key services
> | > | | > | >
> | > | | > | > Please delete all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.
> | > | | > | >
> | > | | > | > If the issue still exists, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
> | > | | > | >
> | > | | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | > | | > | > http://support.microsoft.com/?id=305018
> | > | | > | >
> | > | | > | > Thanks for your efforts. I will be here waiting for updates.
> | > | | > | >
> | > | | > | > Best regards,
> | > | | > | >
> | > | | > | > Charles Yang (MSFT)
> | > | | > | >
> | > | | > | > Microsoft CSS Online Newsgroup Support
> | > | | > | >
> | > | | > | > Get Secure!
> | > | | > | > - www.microsoft.com/security
> | > | | > | > --------------------
> | > | | > | > | From: "PG" <*@*.*>
> | > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | | > | > |
> | > | | > | > | I've sent you the logs as you requested Charles...
> | > | | > | > |
> | > | | > | > | Thanks for the help
> | > | | > | > |
> | > | | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > | > | > HI PG,
> | > | | > | > | >
> | > | | > | > | > Thanks for updates.
> | > | | > | > | >
> | > | | > | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
> | > | | > | > | >
> | > | | > | > | > v-chayan(a)microsoft.com
> | > | | > | > | >
> | > | | > | > | > Thanks for your understanding.
> | > | | > | > | >
> | > | | > | > | > Best regards,
> | > | | > | > | >
> | > | | > | > | > Charles Yang (MSFT)
> | > | | > | > | >
> | > | | > | > | > Microsoft CSS Online Newsgroup Support
> | > | | > | > | > --------------------
> | > | | > | > | > | From: "PG" <*@*.*>
> | > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | | > | > | > |
> | > | | > | > | > | Thanks for your reply Charles
> | > | | > | > | > |
> | > | | > | > | > | Responses to your questions follow, and are in line:
> | > | | > | > | > |
> | > | | > | > | > | "Charles Yang [MSFT]" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > | > | > | > HI PG,
> | > | | > | > | > | >
> | > | | > | > | > | > Welcome to SBS newsgroup.
> | > | | > | > | > | >
> | > | | > | > | > | > Issue description:
> | > | | > | > | > | > ================
> | > | | > | > | > | >
> | > | | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003 premium.
> | > | | > | > | > | >
> | > | | > | > | > | > Analyzing and suggestions:
> | > | | > | > | > | > ================
> | > | | > | > | > | >
> | > | | > | > | > | > Generally speaking, the error you encountered can be caused by many factors, in order to make the issue more clear, please refer to my suggestions below to gather more information:
> | > | | > | > | > | >
> | > | | > | > | > | > 1. If possible, please send me the event log for further research, it should include more information which can help us determine which kinds of error you encountered, you can send the log files to my box.
> | > | | > | > | > | > v-chayan(a)microsoft.com.
> | > | | > | > | > |
> | > | | > | > | > | There is nothing recorded in the logs, when the errors occur.
> | > | | > | > | > |
> | > | | > | > | > | > 2. Does the issue occur from the client's computer or from the server side?
> | > | | > | > | > |
> | > | | > | > | > | Both!
> | > | | > | > | > | It occurs when I request a certificate from the client and from the server! :( Via Web request or MMC snap-in
> | > | | > | > | > |
> | > | | > | > | > | > Let's first check the following:
> | > | | > | > | > | >
> | > | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the Certificate Service is started.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the Certificate Authority, make sure that necessary Certificate Template is added and listed in the right panel.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File -> Add/Remove Snap-in, click Add button, select Certificate, click Add, select Computer Account and click next. Select Local Computer, click Finish and then Close.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if the Root certificate exists.
> | > | | > | > | > | > Its 'issued by' and 'issued to' should be itself. Then please check if the root certificate is still alive. If it is expired, right click the Certificate, select All Tasks -> Renew Certificate with Same Key. Then renew the user certificate and let me know how everything is going.
> | > | | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these client certificates are not revoked before you renew the certificate.
> | > | | > | > | > | >
> | > | | > | > | > | > If the issue still exists, please check if the CA computer where you start the Certificate Web Enrollment from is set to trust for delegation. To do so:
> | > | | > | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then click "Active Directory Users and Computers".
> | > | | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on which you want to enable delegation.
> | > | | > | > | > | > 4. Right-click the computer account name, and then click Properties.
> | > | | > | > | > | > 5. On the General tab, click Trust computer for delegation.
> | > | | > | > | > | > 6. Click OK.
> | > | | > | > | > | > 7.
> | > | | > | > | > | > Quit Active Directory Users and Computers.
> | > | | > | > | > | >
> | > | | > | > | > | > For more info, please refer to:
> | > | | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been Started
> | > | | > | > | > | > http://support.microsoft.com/?id=300867
> | > | | > | > | > |
> | > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | | > | > | > |
> | > | | > | > | > | > This issue may also occur if the Domain Users group on the child domain does not have the right to enroll a user template. To have a check:
> | > | | > | > | > | >
> | > | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | | > | > | > |
> | > | | > | > | > | check
> | > | | > | > | > |
> | > | | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click the "Active Directory Sites and Services" snap-in.
> | > | | > | > | > |
> | > | | > | > | > | check
> | > | | > | > | > |
> | > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in, click View, and then click "Show Services Mode". This allows you to view the Services folder, which is hidden from view by default.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services, click Public Key Services, and then click Certificate Templates.
> | > | | > | > | > | > This reveals the complete list of published certificate templates in Active Directory.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 5. Double-click the User certificate template to view the properties.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the list.
> | > | | > | > | > |
> | > | | > | > | > | The group domain users wasn't there so I added it
> | > | | > | > | > |
> | > | | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > | | > | > | > |
> | > | | > | > | > | When I tried to apply the changes it gave the following error:
> | > | | > | > | > |
> | > | | > | > | > | "Unable to save permission changes on LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | | > | > | > |
> | > | | > | > | > | ACCESS IS DENIED"
> | > | | > | > | > |
> | > | | > | > | > | > 8. Restart the computer.
> | > | | > | > | > |
> | > | | > | > | > | Didn't do it because no changes were made!
> | > | | > | > | > |
> | > | | > | > | > | > For more info, please refer to:
> | > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the Request
> | > | | > | > | > | > http://support.microsoft.com/?id=271861
> | > | | > | > | > | >
> | > | | > | > | > | > NOTE: Request from MMC only works if it is a Enterprise CA.
> | > | | > | > | > | > To stand alone CA, you must request certificate by WEB.
> | > | | > | > | > | >
> | > | | > | > | > | > I appreciate your understanding and please paste your results at your convenience, It is important for us to isolate the issue. I am glad to help you.
> | > | | > | > | > | >
> | > | | > | > | > | > Best regards,
> | > | | > | > | > | >
> | > | | > | > | > | > Charles Yang (MSFT)
> | > | | > | > | > | >
> | > | | > | > | > | > Microsoft CSS Online Newsgroup Support
When responding to posts > via > | > | your > | > | | > | > | > newsreader, > | > | | > | > | > | > please "Reply to Group" so that others may learn and > | > benefit > | > | | > from > | > | | > | > your > | > | | > | > | > | > issue. > | > | | > | > | > | > > | > | | > | > | > | > Microsoft engineers can only focus on one issue per > | > thread. > | > | | > | > Although > | > | | > | > | > we > | > | | > | > | > | > provide other information for your reference, we > | > recommend > | > | you > | > | | > | > post > | > | | > | > | > | > different incidents in different threads to keep the > | > thread > | > | | > clean. > | > | | > | > In > | > | | > | > | > | > doing > | > | | > | > | > | > so, it will ensure your issues are resolved in a > timely > | > | | > manner. > | > | | > | > | > | > > | > | | > | > | > | > For urgent issues, you may want to contact Microsoft > CSS > | > | | > directly. > | > | | > | > | > Please > | > | | > | > | > | > check http://support.microsoft.com for regional > support > | > | phone > | > | | > | > numbers. > | > | | > | > | > | > > | > | | > | > | > | > Any input or comments in this thread are highly > | > appreciated. > | > | | > | > | > | > > ====================================================== > | > | | > | > | > | > This posting is provided "AS IS" with no warranties, > and > | > | | > confers > | > | | > | > no > | > | | > | > | > | > rights. > | > | | > | > | > | > > | > | | > | > | > | > > | > | | > | > | > | > > ===================================================== > | > | | > | > | > | > When responding to posts, please "Reply to Group" > via > | > your > | > | | > | > newsreader > | > | | > | > | > so > | > | | > | > | > | > that others may learn and benefit from your issue. 
> | > | | > | > | > | > > ===================================================== > | > | | > | > | > | > > | > | | > | > | > | > This posting is provided "AS IS" with no warranties, > and > | > | | > confers > | > | | > | > no > | > | | > | > | > | > rights. > | > | | > | > | > | > > | > | | > | > | > | > -------------------- > | > | | > | > | > | > | From: "PG" <*@*.*> > | > | | > | > | > | > | Subject: SBS2003Premium Certification Authority > from > | > | HELL!!! > | > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100 > | > | | > | > | > | > | Lines: 25 > | > | | > | > | > | > | X-Priority: 3 > | > | | > | > | > | > | X-MSMail-Priority: Normal > | > | | > | > | > | > | X-Newsreader: Microsoft Outlook Express > 6.00.3790.1830 > | > | | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE > | > V6.00.3790.1830 > | > | | > | > | > | > | X-RFC2646: Format=Flowed; Original > | > | | > | > | > | > | Message-ID: > <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > | > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs > | > | | > | > | > | > | NNTP-Posting-Host: 62.48.233.71 > | > | | > | > | > | > | Path: > | > | | > | > | > > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl > | > | | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl > | > | | > | > | > microsoft.public.windows.server.sbs:153926 > | > | | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs > | > | | > | > | > | > | > | > | | > | > | > | > | Hi everybody, > | > | | > | > | > | > | > | > | | > | > | > | > | When I try to request a certificate from my > | > | Enterprise > | > | | > CA > | > | | > | > | > installed > | > | | > | > | > | > on > | > | | > | > | > | > | SBS2003Premium It gives the following error :"No > | > | certificate > | > | | > | > | > templates > | > | | > | > | > | > could > | > | | > | > | > | > | be found. 
You do not have permission to request a > | > | | > certificate > | > | | > | > from > | > | | > | > | > this > | > | | > | > | > | > CA, > | > | | > | > | > | > | or an error occurred while accessing the Active > | > | Directory." > | > | | > I > | > | | > | > went > | > | | > | > | > and > | > | | > | > | > | > | search for a solution and found this microsoft > article > | > | | > | > | > | > | > | > | | > http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 > | > | | > | > that > | > | | > | > | > | > didn't > | > | | > | > | > | > | help because the name of the server is the same in > the > | > | | > | > certdat.inc > | > | | > | > | > and > | > | | > | > | > | > in > | > | | > | > | > | > | the AD!!! :( > | > | | > | > | > | > | > | > | | > | > | > | > | When I go to the certification authority and > click > | > on > | > | | > | > "manage" > | > | | > | > | > on > | > | | > | > | > | > the > | > | | > | > | > | > | certificate templates, windows says that it > detected > | > that > | > | | > new > | > | | > | > | > | > certificate > | > | | > | > | > | > | templates should be installed, and ask if I want > to > | > | install > | > | | > them > | > | | > | > | > now, > | > | | > | > | > | > and > | > | | > | > | > | > I > | > | | > | > | > | > | say "Yes", and gives an error saying "Windows > could > | > not > | > | | > install > | > | | > | > the > | > | | > | > | > new > | > | | > | > | > | > | certificate templates. Access is denied" :( I > doing > | > this > | > | as > | > | | > | > | > enterprise > | > | | > | > | > | > admin > | > | | > | > | > | > | and it says access denied!!!!! :( :( > | > | | > | > | > | > | > | > | | > | > | > | > | I've tryed to reinstall the CA and the errors > are > | > | still > | > | | > the > | > | | > | > | > same! > | > | | > | > | > | > | > | > | | > | > | > | > | Can anyone help me with this issue, please? > | > | | > | > | > | > | > | > | | > | > | > | > | Thanks in advance for any help you can give > me.... 
> | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > > | > | | > | > | > | > | | > | > | > | > | | > | > | > | > | | > | > > | > | | > | > | > | | > | > | > | | > | > | > | | > > | > | | > | > | | > | > | | > | > | > | > | > | > > | > | > | > |
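Steps 5 to 7 quoted above come down to two entries in the User template's ACL for Domain Users (Read and Enroll), and changing that ACL requires write-DACL (WD) on the template object. As an added example, not from the thread or from Microsoft, this Python script checks an SDDL string for those three rights; it assumes the template's security descriptor is available as SDDL, and the sample descriptor, the function names and the synthetic `ENROLL` bit are made up for the example.

```python
import re

# Certificate-Enrollment extended right: the "Enroll" box in the template ACL editor.
ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
          "GW": 0x40000000, "GR": 0x80000000}
READ = 0x20094    # RC|LC|RP|LO: what generic read maps to on a directory object
ENROLL = 1 << 32  # synthetic bit, used only inside this script

# Constructed sample, not from the thread. EA/DA/AU/DU are the SDDL aliases for
# Enterprise Admins, Domain Admins, Authenticated Users and Domain Users.
SAMPLE_SDDL = ("O:EAG:EAD:PAI"
               "(A;;RPWPCCDCLCSWRCWDWOSDDTLOCR;;;EA)"
               "(A;;RPLCLORC;;;AU)"
               f"(OA;;CR;{ENROLL_GUID};;DA)"
               f"(OA;CIIO;CR;{ENROLL_GUID};;DU)")  # inherit-only: no effect here

def mask(rights):
    """Turn an SDDL rights field (two-letter codes or hex) into an access mask."""
    if rights.startswith("0x"):
        m = int(rights, 16)
    else:                              # KeyError on a code this table lacks
        m = sum(RIGHTS[c] for c in set(re.findall("..", rights)))
    if m & RIGHTS["GA"]:
        m |= READ | RIGHTS["WD"] | RIGHTS["CR"]
    return m | (READ if m & RIGHTS["GR"] else 0)

def direct_rights(sddl, trustee):
    """Rights the DACL names `trustee` for; group membership is not expanded."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    allow = deny = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, flags, rights, obj, _, sid = ace.split(";")[:6]
        if sid != trustee or "IO" in re.findall("..", flags):
            continue                   # other trustee, or inherit-only ACE
        if obj and obj.lower() != ENROLL_GUID:
            continue                   # scoped to a different right or property
        bits = mask(rights)
        enroll = ENROLL if bits & RIGHTS["CR"] else 0  # CR on Enroll, or unscoped
        bits = enroll if obj else bits | enroll        # scoped ACE: Enroll only
        if kind in ("A", "OA"):
            allow |= bits
        elif kind in ("D", "OD"):
            deny |= bits
    eff = allow & ~deny                # an explicit deny wins over any allow
    return {"read": (eff & READ) == READ, "enroll": bool(eff & ENROLL),
            "write_dac": bool(eff & RIGHTS["WD"])}
```

With the sample descriptor, `direct_rights(SAMPLE_SDDL, "DU")` reports no Read and no Enroll, the state the thread describes before step 6, and only a trustee whose `write_dac` is true could save the change.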