From: PG on
I appreciate your help in this matter...

Thanks
PG

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> Currently, I am performing research on this issue, I will return to you as
> soon as possible, please understand that it might be some delay due to the
> weekend.
>
> Thanks for your understanding.
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "PG" <*@*.*>
> | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
> <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
> <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl>
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | Date: Thu, 22 Sep 2005 11:32:11 +0100
> | Lines: 785
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | X-RFC2646: Format=Flowed; Original
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | Message-ID: <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl>
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: 62.48.233.71
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155518
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | Hi Charles,
> |
> | 1. I sent all the logs you requested to your e-mail.
> |
> | 2. Done that also.
> |
> | 3. No changes done...that I can remember
> |
> | Thanks
> |
> | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | > Hi PG,
> | >
> | > After checking your screen shot, we decided to collect more information,
> | > as this issue should relate to AD settings:
> | >
> | > 1. Please send me all the event logs except the application and system
> | > event logs that you have already sent to me.
> | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send
> | > the results to me also.
> | > 3. If possible, could you tell us if you have changed any settings on AD
> | > or on the SBS server, as the screen shot shows that you have some problem
> | > querying user objects on the DC.
> | >
> | > I appreciate your effort on this issue.
> | >
> | >
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> | > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | > | Lines: 597
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | X-RFC2646: Format=Flowed; Original
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | Message-ID: <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | NNTP-Posting-Host: 62.48.233.71
> | > | Path:
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> | > | Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.windows.server.sbs:155493
> | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > |
> | > | Hi Charles,
> | > |
> | > | I started to go through the points you referred to below, and on the
> | > | second point (permission settings) everything checked out OK except for
> | > | the certificate templates permissions again: I'm unable to change
> | > | permissions on some certificates, but others are OK! I'm sending you
> | > | some compressed pictures to your e-mail so you can try and see if this
> | > | is normal, or not.
> | > | I didn't want to continue following your suggestions (to reinstall the
> | > | CA) before you had a look at the pictures I sent you.
> | > |
> | > | Thanks
> | > | PG
> | > |
> | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in
> message
> | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > | > Hi,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > After carefully checking your log, we did not find any related
> | > | > information; please note that it might take some time to do the task.
> | > | >
> | > | > For this issue, I have some suggestions below:
> | > | >
> | > | > Can I assume that you want to set up the SBS 2003 Premium as a CA
> | > | > server, so that when users log on to the website, they require the
> | > | > certificate? For which purpose do you want to use this certificate,
> | > | > for a VPN issue or for a website? From your log, it seems to be used
> | > | > for IPSec VPN.
> | > | >
> | > | > 1. Please change the authentication method of the website you use for
> | > | > web enrollment from anonymous to Windows Authentication.
> | > | > 2. Please refer to the KB article below to check the permission
> | > | > settings for the CA; make sure that you go through the article to
> | > | > double check it:
> | > | >
> | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | > | >
> | > | > 3. If the issue still exists, please follow the steps to reinstall the
> | > | > CA server:
> | > | >
> | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
> | > | > certsrv key
> | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder
> | > | > and contents
> | > | > C. Opened up AD sites and services and deleted and in
> | > | > services\public key services
> | > | >
> | > | > Please delete all the contents of the containers, leaving the empty
> | > | > containers, with the exception of the templates container. Note: please
> | > | > perform a backup of the registry.
> | > | >
> | > | > If the issue still exists, you have to refer to the KB article below to
> | > | > change the log level of certificate then reproduce the issue and check
> | > | > the event log again.
> | > | >
> | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | > | > http://support.microsoft.com/?id=305018
> | > | >
> | > | > Thanks for your efforts. I will be here waiting for updates.
> | > | >
> | > | >
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > Get Secure! - www.microsoft.com/security
> | > | >
> | > | > --------------------
> | > | > | From: "PG" <*@*.*>
> | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | > | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | > | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | > | Lines: 401
> | > | > | X-Priority: 3
> | > | > | X-MSMail-Priority: Normal
> | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | > | X-RFC2646: Format=Flowed; Original
> | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | > | Message-ID: <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | NNTP-Posting-Host: 62.48.233.71
> | > | > | Path:
> | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | > microsoft.public.windows.server.sbs:155186
> | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > | > |
> | > | > | I've sent you the logs as you requested Charles...
> | > | > |
> | > | > | Thanks for the help
> | > | > |
> | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in
> | > message
> | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > HI PG,
> | > | > | >
> | > | > | > Thanks for updates.
> | > | > | >
> | > | > | > In order to make the issue more clear, could you send me the
> | > | > application
> | > | > | > log and system event log so that we can isolate the issue more
> | > | > clearly,
> | > | > | > you
> | > | > | > can compress the log files and send to my mailbox.
> | > | > | >
> | > | > | > v-chayan(a)microsoft.com
> | > | > | >
> | > | > | > Thanks for your understanding.
> | > | > | >
> | > | > | >
> | > | > | >
> | > | > | > Best regards,
> | > | > | >
> | > | > | > Charles Yang (MSFT)
> | > | > | >
> | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | >
> | > | > | > Get Secure! - www.microsoft.com/security
> | > | > | >
> | > | > | > --------------------
> | > | > | > | From: "PG" <*@*.*>
> | > | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | > | > | > | Subject: Re: SBS2003Premium Certification Authority from
> HELL!!!
> | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | > | > | Lines: 269
> | > | > | > | X-Priority: 3
> | > | > | > | X-MSMail-Priority: Normal
> | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | > | > | X-RFC2646: Format=Flowed; Original
> | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | > | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | > | NNTP-Posting-Host: 62.48.233.71
> | > | > | > | Path:
> | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | > | > microsoft.public.windows.server.sbs:154800
> | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > | > | > |
> | > | > | > | Thanks for your reply Charles
> | > | > | > |
> | > | > | > | Responses to your questions follow, and are in line:
> | > | > | > |
> | > | > | > |
> | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com>
> wrote
> in
> | > | > message
> | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | > | > HI PG,
> | > | > | > | >
> | > | > | > | > Welcome to SBS newsgroup.
> | > | > | > | >
> | > | > | > | > Issue description:
> | > | > | > | > ================
> | > | > | > | >
> | > | > | > | > I understand that you encountered some problem when using
> CA
> | > on
> | > | > SBS
> | > | > | > 2003
> | > | > | > | > premium.
> | > | > | > | >
> | > | > | > | > Analyzing and suggestions:
> | > | > | > | > ================
> | > | > | > | >
> | > | > | > | > Generally speaking, the error you encountered can be
> caused
> by
> | > | > many
> | > | > | > | > factors, in order to make the issue more clear, please
> refer
> | > to
> | > my
> | > | > | > | > suggestions below to gather more information:
> | > | > | > | >
> | > | > | > | > 1. If possible, please send me the event log for further
> | > research,
> | > | > it
> | > | > | > | > should include more information which can help us
> determine
> | > which
> | > | > | > kinds
> | > | > | > of
> | > | > | > | > error you encountered, you can send the log files to my
> email
> | > box.
> | > | > | > | > v-chayan(a)microsoft.com.
> | > | > | > |
> | > | > | > | There is nothing recorded in the logs when the errors occur.
> | > | > | > |
> | > | > | > | > 2. Does the issue occur from the client's computer or from
> the
> | > | > server
> | > | > | > | > side?
> | > | > | > |
> | > | > | > | Both! It occurs when I request a certificate from the client and
> | > | > | > | from the server! :( Via Web request or MMC snap-in
> | > | > | > |
> | > | > | > |
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > Let's first check the following:
> | > | > | > | >
> | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make
> sure
> | > that
> | > | > the
> | > | > | > | > Certificate Service is started.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 2. Open Certificate Authority, make sure that it can be
> | > opened.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate
> | > Template
> | > | > in
> | > | > | > the
> | > | > | > | > Certificate Authority, make sure that necessary
> Certificate
> | > | > Template
> | > | > | > is
> | > | > | > | > added and listed in the right panel.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and
> click
> | > OK.
> | > | > Click
> | > | > | > File
> | > | > | > | > -> Add/Remove Snap-in, click Add button, select
> Certificate,
> | > click
> | > | > | > Add,
> | > | > | > | > select Computer Account and click next. Select Local
> Computer,
> | > | > click
> | > | > | > | > Finish
> | > | > | > | > and then Close.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 5. Expand the Certificate (Local
> | > Computer)\Personal\Certificate,
> | > | > check
> | > | > | > if
> | > | > | > | > the Root certificate exists. It's 'issued by' and 'issued
> to'
> | > | > should
> | > | > | > be
> | > | > | > | > itself. Then please check if the root certificate is still
> | > alive.
> | > | > If
> | > | > | > it
> | > | > | > is
> | > | > | > | > expired, right click the Certificate, select All Tasks ->
> | > Renew
> | > | > | > | > Certificate
> | > | > | > | > with Same Key. Then renew the user certificate and let me
> know
> | > how
> | > | > | > | > everything is going.
> | > | > | > | > NOTE: Please check the Certificate Authority to make sure
> that
> | > | > these
> | > | > | > | > client
> | > | > | > | > certificate are not revoked before you renew the
> certificate.
> | > | > | > | >
> | > | > | > | > If the issue still exists, please check if the CA computer
> | > where
> | > | > you
> | > | > | > start
> | > | > | > | > the Certificate Web Enrollment from is set to trust for
> | > | > delegation.
> | > | > To
> | > | > | > do
> | > | > | > | > so:
> | > | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | > | > | > 2. Click Start, point to Programs, point to Administrative
> | > Tools,
> | > | > and
> | > | > | > then
> | > | > | > | > click "Active Directory Users and Computers".
> | > | > | > | > 3. In the left pane, locate the container or
> organizational
> | > unit
> | > | > (OU)
> | > | > | > on
> | > | > | > | > which you want to enable delegation.
> | > | > | > | > 4. Right-click the computer account name, and then click
> | > | > Properties.
> | > | > | > | > 5. On the General tab, click Trust computer for
> delegation.
> | > | > | > | > 6. Click OK.
> | > | > | > | > 7. Quit Active Directory Users and Computers.
> | > | > | > | >
> | > | > | > | > For more info, please refer to:
> | > | > | > | > 300867 Error Message: The Certification Authority Service
> Has
> | > Not
> | > | > Been
> | > | > | > | > Started
> | > | > | > | > http://support.microsoft.com/?id=300867
> | > | > | > |
> | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | > | > |
> | > | > | > |
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > This issue may also occur if the Domain Users group on the
> | > child
> | > | > | > domain
> | > | > | > | > does not have the right to enroll a user template. To have
> a
> | > | > check:
> | > | > | > | >
> | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | > | > |
> | > | > | > | check
> | > | > | > |
> | > | > | > | > 2. Click Start, click Programs, click Administrative
> Tools,
> | > and
> | > | > then
> | > | > | > click
> | > | > | > | > the "Active Directory Sites and Services" snap-in.
> | > | > | > |
> | > | > | > | check
> | > | > | > |
> | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and
> | > Services"
> | > | > | > snap-in,
> | > | > | > | > click View, and then click "Show Services Mode". This
> allows
> | > you
> | > | > to
> | > | > | > view
> | > | > | > | > the Services folder, which is hidden from view by default.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in,
> | > click
> | > | > | > Services,
> | > | > | > | > click Public Key Services, and then click Certificate
> | > Templates.
> | > | > This
> | > | > | > | > reveals the complete list of published certificate
> templates
> | > in
> | > | > Active
> | > | > | > | > Directory.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 5. Double-click the User certificate template to view the
> | > | > properties.
> | > | > | > |
> | > | > | > | Check
> | > | > | > |
> | > | > | > | > 6. On the Security tab, click Add to add the Domain Users
> | > group
> | > to
> | > | > the
> | > | > | > | > list.
> | > | > | > |
> | > | > | > | The group domain users wasn't there so I added it
> | > | > | > |
> | > | > | > | > 7. For the Domain Users group, select the Read and Enroll
> | > rights.
> | > | > | > |
> | > | > | > | When I tried to apply the changes it gave the following error:
> | > | > | > |
> | > | > | > | "Unable to save permission changes on
> | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
> | > | > | > | TEMPLATES,CN=PUBLIC KEY
> | > | > | > | SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | > | > |
> | > | > | > | ACCESS IS DENIED"
> | > | > | > |
> | > | > | > |
> | > | > | > | > 8. Restart the computer.
> | > | > | > |
> | > | > | > | Didn't do it because no changes were made!
> | > | > | > |
> | > | > | > | >
> | > | > | > | > For more info, please refer to:
> | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That
> | > Processes
> | > | > the
> | > | > | > | > Request
> | > | > | > | > http://support.microsoft.com/?id=271861
> | > | > | > | >
> | > | > | > | > NOTE: Request from MMC only works if it is a Enterprise
> CA.
> To
> | > | > stand
> | > | > | > alone
> | > | > | > | > CA, you must request certificate by WEB.
> | > | > | > | >
> | > | > | > | > I appreciate your understanding and please paste your
> results
> | > as
> | > | > your
> | > | > | > | > convenience, It is important for us to isolate the issue.
> I
> am
> | > | > glad
> | > | > to
> | > | > | > | > help
> | > | > | > | > you.
> | > | > | > | >
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > Best regards,
> | > | > | > | >
> | > | > | > | > Charles Yang (MSFT)
> | > | > | > | >
> | > | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | > | >
> | > | > | > | > Get Secure! - www.microsoft.com/security
> | > | > | > | >
> | > | > | > | > --------------------
> | > | > | > | > | From: "PG" <*@*.*>
> | > | > | > | > | Subject: SBS2003Premium Certification Authority from
> HELL!!!
> | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | > | > | > | Lines: 25
> | > | > | > | > | X-Priority: 3
> | > | > | > | > | X-MSMail-Priority: Normal
> | > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | > | > | > | > | X-RFC2646: Format=Flowed; Original
> | > | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > | > | > | NNTP-Posting-Host: 62.48.233.71
> | > | > | > | > | Path:
> | > | > | >
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | > | > | > microsoft.public.windows.server.sbs:153926
> | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > | > | > | > |
> | > | > | > | > | Hi everybody,
> | > | > | > | > |
> | > | > | > | > | When I try to request a certificate from my Enterprise CA
> | > | > | > | > | installed on SBS2003Premium it gives the following error: "No
> | > | > | > | > | certificate templates could be found. You do not have
> | > | > | > | > | permission to request a certificate from this CA, or an error
> | > | > | > | > | occurred while accessing the Active Directory." I went and
> | > | > | > | > | searched for a solution and found this Microsoft article
> | > | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418
> | > | > | > | > | that didn't help because the name of the server is the same in
> | > | > | > | > | the certdat.inc and in the AD!!! :(
> | > | > | > | > |
> | > | > | > | > | When I go to the certification authority and click on "manage"
> | > | > | > | > | on the certificate templates, Windows says that it detected
> | > | > | > | > | that new certificate templates should be installed, and asks
> | > | > | > | > | if I want to install them now, and I say "Yes", and it gives
> | > | > | > | > | an error saying "Windows could not install the new certificate
> | > | > | > | > | templates. Access is denied" :( I'm doing this as enterprise
> | > | > | > | > | admin and it says access denied!!!!! :( :(
> | > | > | > | > |
> | > | > | > | > | I've tried to reinstall the CA and the errors are still the
> | > | > | > | > | same!
> | > | > | > | > |
> | > | > | > | > | Can anyone help me with this issue, please?
> | > | > | > | > |
> | > | > | > | > | Thanks in advance for any help you can give me....


From: "Charles Yang [MSFT]" on
Hi PG,

Thanks for the update.

After doing some research, I have found solutions for you; please refer to
the steps below:

1. Open DCOMCNFG
2. Select Component Services
---Computers
----My Computer
------DCOM Config
----CertSrv Request
3. Open Properties and verify the security permissions:

Launch and Activation Permissions (should be Customize -- Everyone --- Local
Activation, Remote Activation)

Access Permissions (should be Customize -- Everyone --- Local Access, Remote
Access)

If the issue still exists, please recreate a certificate template to see if
the issue can be resolved. You can try to request a certificate via a new
template. From your screenshot, we found that you encountered the permission
issue on only one of the templates; can we assume it is the certificate
template you use for the certificate?

Thanks for your understanding on this issue; please feel free to post back.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
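
The two DCOM ACLs named in the steps above can also be read from the registry, which gives a record of what is actually set on the CA before or after it is changed in DCOMCNFG. The PowerShell below is an added example, not part of the original post or of any Microsoft tool; it assumes the application is registered under HKCR\AppID with the display name "CertSrv Request", the function names are hypothetical, and the sample descriptor at the end is constructed.

```powershell
# Added example: read-only audit of the DCOM ACLs on "CertSrv Request".
# Assumption: the application is found by its display name under HKCR\AppID.

# COM access-mask bits (COM_RIGHTS_* constants from the Windows SDK).
$COM_EXECUTE_LOCAL   = 0x02   # Local Launch  (launch ACL) / Local Access  (access ACL)
$COM_EXECUTE_REMOTE  = 0x04   # Remote Launch (launch ACL) / Remote Access (access ACL)
$COM_ACTIVATE_LOCAL  = 0x08   # Local Activation  (launch ACL only)
$COM_ACTIVATE_REMOTE = 0x10   # Remote Activation (launch ACL only)

function ConvertFrom-DcomAcl {
    # Decode a binary security descriptor into one object per allow/deny ACE.
    param(
        [Parameter(Mandatory = $true)] [byte[]] $Bytes,
        [Parameter(Mandatory = $true)] [ValidateSet('Launch', 'Access')] [string] $Kind
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $rights = @()
        if ($Kind -eq 'Launch') {
            if ($ace.AccessMask -band $COM_EXECUTE_LOCAL)   { $rights += 'Local Launch' }
            if ($ace.AccessMask -band $COM_EXECUTE_REMOTE)  { $rights += 'Remote Launch' }
            if ($ace.AccessMask -band $COM_ACTIVATE_LOCAL)  { $rights += 'Local Activation' }
            if ($ace.AccessMask -band $COM_ACTIVATE_REMOTE) { $rights += 'Remote Activation' }
        } else {
            if ($ace.AccessMask -band $COM_EXECUTE_LOCAL)   { $rights += 'Local Access' }
            if ($ace.AccessMask -band $COM_EXECUTE_REMOTE)  { $rights += 'Remote Access' }
        }
        # Resolve the SID to an account name where possible; fall back to the raw SID.
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Trustee = $name
            Sid     = $ace.SecurityIdentifier.Value
            Type    = $ace.AceQualifier.ToString()   # AccessAllowed or AccessDenied
            Rights  = $rights
        }
    }
}

function Test-EveryoneGrant {
    # True when Everyone (S-1-1-0) holds an allow ACE for every right in $Required.
    param([object[]] $Entries, [string[]] $Required)
    $granted = $Entries |
        Where-Object { $_.Sid -eq 'S-1-1-0' -and $_.Type -eq 'AccessAllowed' } |
        ForEach-Object { $_.Rights }
    foreach ($right in $Required) {
        if ($granted -notcontains $right) { return $false }
    }
    return $true
}

function Get-CertSrvRequestDcomAudit {
    # Rights the post says Everyone should hold on each ACL.
    $expected = @{
        Launch = 'Local Activation', 'Remote Activation'
        Access = 'Local Access', 'Remote Access'
    }
    $appKey = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('') -eq 'CertSrv Request' } |
        Select-Object -First 1
    if (-not $appKey) {
        Write-Warning 'No AppID named "CertSrv Request" found on this machine.'
        return
    }
    foreach ($kind in 'Launch', 'Access') {
        $bytes = $appKey.GetValue("${kind}Permission")
        if ($null -eq $bytes) {
            # No per-application ACL stored: DCOMCNFG shows this as "Use Default".
            [pscustomobject]@{ Acl = $kind; Mode = 'Use Default'; EveryoneAsPosted = $false; Entries = @() }
            continue
        }
        $entries = @(ConvertFrom-DcomAcl -Bytes $bytes -Kind $kind)
        [pscustomobject]@{
            Acl              = $kind
            Mode             = 'Customize'
            EveryoneAsPosted = (Test-EveryoneGrant -Entries $entries -Required $expected[$kind])
            Entries          = $entries
        }
    }
}

# Constructed sample (not from a real server): Everyone with Local + Remote Activation,
# Administrators with all launch rights. Lets the decoder run on any Windows host.
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor 'O:BAG:BAD:(A;;0x19;;;WD)(A;;0x1f;;;BA)'
$buf = New-Object byte[] ($sample.BinaryLength)
$sample.GetBinaryForm($buf, 0)
ConvertFrom-DcomAcl -Bytes $buf -Kind Launch | Format-Table Trustee, Type, Rights -AutoSize

# On the CA itself (read-only; nothing is modified):
Get-CertSrvRequestDcomAudit | Format-List
```

Saving the output before and after a change in DCOMCNFG shows exactly which trustees gained remote activation or remote access.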


--------------------
| From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
| Organization: Microsoft
| Date: Fri, 23 Sep 2005 08:54:33 GMT
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
|
| Hi PG,
|
| Currently, I am performing research on this issue. I will return to you as
| soon as possible; please understand that there might be some delay due to
| the weekend.
|
| Thanks for your understanding.
|
|
| Best regards,
|
| Charles Yang (MSFT)
|
| Microsoft CSS Online Newsgroup Support
|
| Get Secure! - www.microsoft.com/security
|
| --------------------
| | From: "PG" <*@*.*>
| | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | Date: Thu, 22 Sep 2005 11:32:11 +0100
| |
| | Hi Charles,
| |
| | 1. I sent all the logs you requested to your e-mail.
| |
| | 2. Done that also.
| |
| | 3. No changes done...that I can remember
| |
| | Thanks
| |
| | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in
| | message news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| | > Hi PG,
| | >
| | > After checking your screenshot, we decided to collect more information,
| | > as this issue should relate to the AD settings:
| | >
| | > 1. Please send me all the event logs except the application and system
| | > event logs that you have already sent to me.
| | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send
| | > the results to me as well.
| | > 3. If possible, could you tell us if you have changed any settings on AD
| | > or on the SBS server? The screenshot indicates that you have some problem
| | > querying user objects on the DC.
| | >
| | > I appreciate your effort on this issue.
| | >
| | >
| | >
| | > Best regards,
| | >
| | > Charles Yang (MSFT)
| | >
| | > Microsoft CSS Online Newsgroup Support
| | >
| | > Get Secure! - www.microsoft.com/security
| | >
| | > --------------------
| | > | From: "PG" <*@*.*>
| | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| | > |
| | > | Hi Charles,
| | > |
| | > | I started to go through the points you referred to below, and on the
| | > | second point (permissions settings) everything checked out OK except for
| | > | the certificate templates permissions again. I'm unable to change
| | > | permissions on some certificates, but others are OK! I'm sending some
| | > | compressed pictures to your e-mail so you can see if this is normal or
| | > | not.
| | > | I didn't want to continue following your suggestions (to reinstall the
| | > | CA) before you had a look at the pictures I sent you.
| | > |
| | > | Thanks
| | > | PG
| | > |
| | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| | > | > Hi,
| | > | >
| | > | > Thanks for updates.
| | > | >
| | > | > After carefully checking your log, we did not find any related
| | > | > information; please note that it might take some time to do the task.
| | > | >
| | > | > For this issue, I have some suggestions below:
| | > | >
| | > | > Can I assume that you want to set up the SBS 2003 premium as a CA
| | > | > server, so that when users log on to the website, they require the
| | > | > certificate? For which purpose do you want to use this certificate, for
| | > | > a VPN or for a website? From your log, it seems to be used for IPSec VPN.
| | > | >
| | > | > 1. Please change the authentication method of the website you use for
| | > | > web enrollment from anonymous to Windows Authentication.
| | > | > 2. Please refer to the KB article below to check the permission settings
| | > | > for the CA; make sure that you have gone through the article to double
| | > | > check them:
| | > | >
| | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
| | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
| | > | >
| | > | > 3. If the issue still exists, please follow the steps to reinstall the
| | > | > CA server:
| | > | >
| | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
| | > | > certsrv key
| | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder
| | > | > and contents
| | > | > C. Opened up AD sites and services and deleted and in services\public
| | > | > key services
| | > | >
| | > | > Please delete all the contents of the containers, leaving the empty
| | > | > containers, with the exception of the templates container. Note, please
| | > | > perform a backup of the registry.
| | > | >
| | > | > If the issue still exists, you have to refer to the KB article below to
| | > | > change the log level of certificate, then reproduce the issue and check
| | > | > the event log again.
| | > | >
| | > | > 305018 How to Change the Event Logging Level for Certificate Services
| | > | > http://support.microsoft.com/?id=305018
| | > | >
| | > | > Thanks for your efforts. I will be here waiting for updates.
| | > | >
| | > | >
| | > | >
| | > | > Best regards,
| | > | >
| | > | > Charles Yang (MSFT)
| | > | >
| | > | > Microsoft CSS Online Newsgroup Support
| | > | >
| | > | > Get Secure! - www.microsoft.com/security
| | > | >
| | > | > --------------------
| | > | > | From: "PG" <*@*.*>
| | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| | > | > |
| | > | > | I've sent you the logs as you requested Charles...
| | > | > |
| | > | > | Thanks for the help
| | > | > |
| | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| | > | > | > Hi PG,
| | > | > | >
| | > | > | > Thanks for updates.
| | > | > | >
| | > | > | > In order to make the issue more clear, could you send me the
| | > | > | > application log and system event log so that we can isolate the issue
| | > | > | > more clearly? You can compress the log files and send them to my
| | > | > | > mailbox.
| | > | > | >
| | > | > | > v-chayan(a)microsoft.com
| | > | > | >
| | > | > | > Thanks for your understanding.
| | > | > | >
| | > | > | >
| | > | > | >
| | > | > | > Best regards,
| | > | > | >
| | > | > | > Charles Yang (MSFT)
| | > | > | >
| | > | > | > Microsoft CSS Online Newsgroup Support
| | > | > | >
| | > | > | > Get Secure! - www.microsoft.com/security
| | > | > | >
| | > | > | > --------------------
| | > | > | > | From: "PG" <*@*.*>
| | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| | > | > | > |
| | > | > | > | Thanks for your reply Charles
| | > | > | > |
| | > | > | > | Responses to your questions follow, and are in line:
| | > | > | > |
| | > | > | > |
| | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com>
| | > | > | > | wrote in message
| | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
| | > | > | > | > Hi PG,
| | > | > | > | >
| | > | > | > | > Welcome to SBS newsgroup.
| | > | > | > | >
| | > | > | > | > Issue description:
| | > | > | > | > ================
| | > | > | > | >
| | > | > | > | > I understand that you encountered some problem when using CA on SBS
| | > | > | > | > 2003 premium.
| | > | > | > | >
| | > | > | > | > Analyzing and suggestions:
| | > | > | > | > ================
| | > | > | > | >
| | > | > | > | > Generally speaking, the error you encountered can be caused by many
| | > | > | > | > factors. In order to make the issue more clear, please refer to my
| | > | > | > | > suggestions below to gather more information:
| | > | > | > | >
| | > | > | > | > 1. If possible, please send me the event log for further research; it
| | > | > | > | > should include more information which can help us determine which
| | > | > | > | > kind of error you encountered. You can send the log files to my email
| | > | > | > | > box.
| | > | > | > | > v-chayan(a)microsoft.com.
| | > | > | > |
| | > | > | > | There is nothing recorded in the logs when the errors occur.
| | > | > | > |
| | > | > | > | > 2. Does the issue occur from the client's computer or from the server
| | > | > | > | > side?
| | > | > | > |
| | > | > | > | Both! It occurs when I request a certificate from the client and from
| | > | > | > | the server! :( Via Web request or MMC snap-in
| | > | > | > |
| | > | > | > | >
| | > | > | > | >
| | > | > | > | > Let's first check the following:
| | > | > | > | >
| | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that
| | > | > | > | > the Certificate Service is started.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in
| | > | > | > | > the Certificate Authority, make sure that necessary Certificate
| | > | > | > | > Template is added and listed in the right panel.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click
| | > | > | > | > File -> Add/Remove Snap-in, click Add button, select Certificate,
| | > | > | > | > click Add, select Computer Account and click next. Select Local
| | > | > | > | > Computer, click Finish and then Close.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate,
| | > | > | > | > check if the Root certificate exists. Its 'issued by' and 'issued to'
| | > | > | > | > should be itself. Then please check if the root certificate is still
| | > | > | > | > alive. If it is expired, right click the Certificate, select All
| | > | > | > | > Tasks -> Renew Certificate with Same Key. Then renew the user
| | > | > | > | > certificate and let me know how everything is going.
| | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these
| | > | > | > | > client certificates are not revoked before you renew the certificate.
| | > | > | > | >
| | > | > | > | > If the issue still exists, please check if the CA computer where you
| | > | > | > | > start the Certificate Web Enrollment from is set to trust for
| | > | > | > | > delegation. To do so:
| | > | > | > | > 1. Log on as a domain administrator or equivalent account.
| | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and
| | > | > | > | > then click "Active Directory Users and Computers".
| | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU)
| | > | > | > | > on which you want to enable delegation.
| | > | > | > | > 4. Right-click the computer account name, and then click Properties.
| | > | > | > | > 5. On the General tab, click Trust computer for delegation.
| | > | > | > | > 6. Click OK.
| | > | > | > | > 7. Quit Active Directory Users and Computers.
| | > | > | > | >
| | > | > | > | > For more info, please refer to:
| | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not
| | > | > | > | > Been Started
| | > | > | > | > http://support.microsoft.com/?id=300867
| | > | > | > |
| | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
| | > | > | > |
| | > | > | > | >
| | > | > | > | >
| | > | > | > | > This issue may also occur if the Domain Users group on the child
| | > | > | > | > domain does not have the right to enroll a user template. To have a
| | > | > | > | > check:
| | > | > | > | >
| | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
| | > | > | > |
| | > | > | > | check
| | > | > | > |
| | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then
| | > | > | > | > click the "Active Directory Sites and Services" snap-in.
| | > | > | > |
| | > | > | > | check
| | > | > | > |
| | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services"
| | > | > | > | > snap-in, click View, and then click "Show Services Mode". This allows
| | > | > | > | > you to view the Services folder, which is hidden from view by
| | > | > | > | > default.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click
| | > | > | > | > Services, click Public Key Services, and then click Certificate
| | > | > | > | > Templates. This reveals the complete list of published certificate
| | > | > | > | > templates in Active Directory.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 5. Double-click the User certificate template to view the properties.
| | > | > | > |
| | > | > | > | Check
| | > | > | > |
| | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to
| | > | > | > | > the list.
| | > | > | > |
| | > | > | > | The group domain users wasn't there so I added it
| | > | > | > |
| | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
| | > | > | > |
| | > | > | > | When I tried to apply the changes it gave the following error:
| | > | > | > |
| | > | > | > | "Unable to save permission changes on
| | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
| | > | > | > | TEMPLATES,CN=PUBLIC KEY
| | > | > | > | SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| | > | > | > |
| | > | > | > | ACCESS IS DENIED"
| | > | > | > |
| | > | > | > |
| | > | > | > | > 8. Restart the computer.
| | > | > | > |
| | > | > | > | Didn't do it because no changes were made!
| | > | > | > |
| | > | > | > | >
| | > | > | > | > For more info, please refer to:
| | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
| | > | > | > | > Request
| | > | > | > | > http://support.microsoft.com/?id=271861
| | > | > | > | >
| | > | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. For a
| | > | > | > | > stand-alone CA, you must request the certificate by WEB.
| | > | > | > | >
| | > | > | > | > I appreciate your understanding; please paste your results at your
| | > | > | > | > convenience. It is important for us to isolate the issue. I am glad
| | > | > | > | > to help you.
| | > | > | > | >
| | > | > | > | >
| | > | > | > | >
| | > | > | > | > Best regards,
| | > | > | > | >
| | > | > | > | > Charles Yang (MSFT)
| | > | > | > | >
| | > | > | > | > Microsoft CSS Online Newsgroup Support
| | > | > | > | >
| | > | > | > | > Get Secure! - www.microsoft.com/security
| | > | > | > | >
| | > | > | > | > --------------------
| | > | > | > | > | From: "PG" <*@*.*>
| | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| | > | > | > | > | Lines: 25
| | > | > | > | > | X-Priority: 3
| | > | > | > | > | X-MSMail-Priority: Normal
| | > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| | > | > | > | > | X-RFC2646: Format=Flowed; Original
| | > | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
| | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| | > | > | > | > | NNTP-Posting-Host: 62.48.233.71
| | > | > | > | > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:153926
| | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| | > | > | > | > |
| | > | > | > | > | Hi everybody,
| | > | > | > | > |
| | > | > | > | > | When I try to request a certificate from my Enterprise CA installed on
| | > | > | > | > | SBS2003Premium it gives the following error: "No certificate templates
| | > | > | > | > | could be found. You do not have permission to request a certificate from
| | > | > | > | > | this CA, or an error occurred while accessing the Active Directory." I
| | > | > | > | > | went and searched for a solution and found this Microsoft article
| | > | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that
| | > | > | > | > | didn't help because the name of the server is the same in the
| | > | > | > | > | certdat.inc and in the AD!!! :(
| | > | > | > | > |
| | > | > | > | > | When I go to the certification authority and click on "manage" on the
| | > | > | > | > | certificate templates, Windows says that it detected that new
| | > | > | > | > | certificate templates should be installed, and asks if I want to install
| | > | > | > | > | them now, and I say "Yes", and it gives an error saying "Windows could
| | > | > | > | > | not install the new certificate templates. Access is denied" :( I'm
| | > | > | > | > | doing this as enterprise admin and it says access denied!!!!! :( :(
| | > | > | > | > |
| | > | > | > | > | I've tried to reinstall the CA and the errors are still the same!
| | > | > | > | > |
| | > | > | > | > | Can anyone help me with this issue, please?
| | > | > | > | > |
| | > | > | > | > | Thanks in advance for any help you can give me....

From: PG on
Hi Charles,

I went to DCOMCNFG and on the Launch permission it was empty, and I added
Everyone with (Launch permission---Allow)
and in the Access permission it is everyone (Access permission---Allow), so
I didn't have to change it.
Could not find anything that referred to (Local Activation Remote Activation)
or (Local Access Remote Access) as you said. Only (Launch Permission) and
(Access Permission).

After applying the changes to DCOM I tried to request a certificate, and the
same error occurred. Duplicated a Template and still the same error. :(
"No certificate templates could be found. You do not have permission to
request a certificate from this CA,or an error occurred while accessing the
Active Directory."

In response to your question, all the certificate templates, from the
pictures I sent you, that are greyed out have permissions issues, and don't
let me add or change permissions for those certificates.

:(


""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> Thanks for updates.
>
> After doing some research, I found solutions for you. Please refer to the
> steps below:
>
> 1- Open DCOMCNFG
> 2- Select Component Services
> ---Computers
> ----My Computer
> ------Dcom Config
> ---- CertSrv Request
> 3- Open properties and verify Security permission for Launch and
> Activation
> Permissions (Should be Customize --Everyone ---Local Activation Remote
> Activation)
>
> Access Permissions (Should be Customize -Everyone ---Local Access Remote
> Access)
>
> If the issue still exists, please recreate a certificate template to see
> if the issue can be resolved. You can try to request a certificate via a
> new template. From your screenshot we found that you encountered a
> permission issue with only one of the templates; can we assume it is the
> certificate template you use for the certificate?
>
> Thanks for your understanding on this issue, please feel free to post back.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> --------------------
> | X-Tomcat-ID: 138385008
> | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
> <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
> <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl>
> <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl>
> | MIME-Version: 1.0
> | Content-Type: text/plain
> | Content-Transfer-Encoding: 7bit
> | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
> | Organization: Microsoft
> | Date: Fri, 23 Sep 2005 08:54:33 GMT
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | Message-ID: <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl>
> | Newsgroups: microsoft.public.windows.server.sbs
> | Lines: 797
> | Path: TK2MSFTNGXA01.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155820
> | NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
> |
> | HI PG,
> |
> | Currently, I am performing research on this issue, I will return to you
> | as soon as possible, please understand that it might be some delay due to
> | the weekend.
> |
> | Thanks for your understanding.
> |
> |
> | Best regards,
> |
> | Charles Yang (MSFT)
> |
> | Microsoft CSS Online Newsgroup Support
> |
> | Get Secure! - www.microsoft.com/security
> |
> | --------------------
> | | From: "PG" <*@*.*>
> | | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> | <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
> | <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
> | <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl>
> | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | | Date: Thu, 22 Sep 2005 11:32:11 +0100
> | | Lines: 785
> | | X-Priority: 3
> | | X-MSMail-Priority: Normal
> | | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | | X-RFC2646: Format=Flowed; Original
> | | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | | Message-ID: <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl>
> | | Newsgroups: microsoft.public.windows.server.sbs
> | | NNTP-Posting-Host: 62.48.233.71
> | | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> | | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155518
> | | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | |
> | | Hi Charles,
> | |
> | | 1. I sent all the logs you requested to your e-mail.
> | |
> | | 2. Done that also.
> | |
> | | 3. No changes done...that I can remember
> | |
> | | Thanks
> | |
> | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in
> message
> | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | | > Hi PG,
> | | >
> | | > After checking your screenshot, we decided to collect more
> | | > information, as this issue should relate to the AD settings:
> | | >
> | | > 1. Please send me all the event logs except the application and system
> | | > event logs that you have already sent to me.
> | | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send
> | | > the results to me also.
> | | > 3. If possible, could you tell us if you have changed any settings on AD
> | | > or on the SBS server, as the screenshot points out that you have some
> | | > problem in querying user objects on the DC.
> | | >
> | | > I appreciate your effort on this issue.
> | | >
> | | >
> | | >
> | | > Best regards,
> | | >
> | | > Charles Yang (MSFT)
> | | >
> | | > Microsoft CSS Online Newsgroup Support
> | | >
> | | > Get Secure! - www.microsoft.com/security
> | | >
> | | > --------------------
> | | > | From: "PG" <*@*.*>
> | | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> | | > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | | > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl>
> | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | | > | Lines: 597
> | | > | X-Priority: 3
> | | > | X-MSMail-Priority: Normal
> | | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | | > | X-RFC2646: Format=Flowed; Original
> | | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | | > | Message-ID: <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl>
> | | > | Newsgroups: microsoft.public.windows.server.sbs
> | | > | NNTP-Posting-Host: 62.48.233.71
> | | > | Path:
> TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> | | > | Xref: TK2MSFTNGXA01.phx.gbl
> microsoft.public.windows.server.sbs:155493
> | | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | | > |
> | | > | Hi Charles,
> | | > |
> | | > | I started to go through the points you referred to below and on the
> | | > | second point (Permissions settings) everything checked out ok except for
> | | > | the certificate templates permissions again, I'm unable to change
> | | > | permissions on some certificates, but others are ok! I'm sending you some
> | | > | compressed pictures to your e-mail so you can try and see if this is
> | | > | normal, or not.
> | | > | I didn't want to continue following your suggestions (to reinstall the
> | | > | CA) before you had a look at the pictures I sent you.
> | | > |
> | | > | Thanks
> | | > | PG
> | | > |
> | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in
> | message
> | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | | > | > Hi,
> | | > | >
> | | > | > Thanks for updates.
> | | > | >
> | | > | > After carefully checking your log, we did not find any related
> | | > | > information, please note that it might take some time to do the task.
> | | > | >
> | | > | > For this issue, I have some suggestions below:
> | | > | >
> | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA
> | | > | > server, so that when users log on to the website, they require the
> | | > | > certificate? For which purpose do you want to use this certificate, for
> | | > | > VPN or for a website? From your log, it seems to be used for IPSec VPN.
> | | > | >
> | | > | > 1. Please change the website you use for web enrollment's
> | | > | > authentication method from anonymous to Windows Authentication.
> | | > | > 2. Please refer to the KB article below to check the permission setting
> | | > | > for CA, make sure that you have gone through the article to double
> | | > | > check it:
> | | > | >
> | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | | > | >
> | | > | > 3. If the issue still exists, please follow the steps to reinstall the
> | | > | > CA server:
> | | > | >
> | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
> | | > | > certsrv key
> | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder
> | | > | > and contents
> | | > | > C. Opened up AD sites and services and deleted and in services\public
> | | > | > key services
> | | > | >
> | | > | > Please delete all the contents of the containers leaving the empty
> | | > | > containers with the exception of the templates container. Note, please
> | | > | > perform a backup for registry.
> | | > | >
> | | > | > If the issue still exists, you have to refer to the KB article below to
> | | > | > change the log level of certificate then reproduce the issue and check
> | | > | > the event log again.
> | | > | >
> | | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | | > | > http://support.microsoft.com/?id=305018
> | | > | >
> | | > | > Thanks for your efforts. I will be here waiting for updates.
> | | > | >
> | | > | >
> | | > | >
> | | > | > Best regards,
> | | > | >
> | | > | > Charles Yang (MSFT)
> | | > | >
> | | > | > Microsoft CSS Online Newsgroup Support
> | | > | >
> | | > | > Get Secure! - www.microsoft.com/security
> | | > | >
> | | > | > --------------------
> | | > | > | From: "PG" <*@*.*>
> | | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | | > | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | | > | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl>
> | | > | > | Subject: Re: SBS2003Premium Certification Authority from
> HELL!!!
> | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | | > | > | Lines: 401
> | | > | > | X-Priority: 3
> | | > | > | X-MSMail-Priority: Normal
> | | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | | > | > | X-RFC2646: Format=Flowed; Original
> | | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | | > | > | Message-ID: <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl>
> | | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | | > | > | NNTP-Posting-Host: 62.48.233.71
> | | > | > | Path:
> | | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> | | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | | > microsoft.public.windows.server.sbs:155186
> | | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | | > | > |
> | | > | > | I've sent you the log's as you requested Charles...
> | | > | > |
> | | > | > | Thanks for the help
> | | > | > |
> | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote
> in
> | | > message
> | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | | > | > | > HI PG,
> | | > | > | >
> | | > | > | > Thanks for updates.
> | | > | > | >
> | | > | > | > In order to make the issue more clear, could you send me the
> | | > | > | > application log and system event log so that we can isolate the
> | | > | > | > issue more clearly, you can compress the log files and send to my
> | | > | > | > mailbox.
> | | > | > | >
> | | > | > | > v-chayan(a)microsoft.com
> | | > | > | >
> | | > | > | > Thanks for your understanding.
> | | > | > | >
> | | > | > | >
> | | > | > | >
> | | > | > | > Best regards,
> | | > | > | >
> | | > | > | > Charles Yang (MSFT)
> | | > | > | >
> | | > | > | > Microsoft CSS Online Newsgroup Support
> | | > | > | >
> | | > | > | > Get Secure! - www.microsoft.com/security
> | | > | > | >
> | | > | > | > --------------------
> | | > | > | > | From: "PG" <*@*.*>
> | | > | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | | > | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl>
> | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from
> | HELL!!!
> | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | | > | > | > | Lines: 269
> | | > | > | > | X-Priority: 3
> | | > | > | > | X-MSMail-Priority: Normal
> | | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
> | | > | > | > | X-RFC2646: Format=Flowed; Original
> | | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
> | | > | > | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl>
> | | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | | > | > | > | NNTP-Posting-Host: 62.48.233.71
> | | > | > | > | Path:
> | | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
> | | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl
> | | > | > microsoft.public.windows.server.sbs:154800
> | | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | | > | > | > |
> | | > | > | > | Thanks for your reply Charles
> | | > | > | > |
> | | > | > | > | Responses to your questions follow, and are in line:
> | | > | > | > |
> | | > | > | > |
> | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com>
> wrote
> | in
> | | > | > message
> | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | | > | > | > | > HI PG,
> | | > | > | > | >
> | | > | > | > | > Welcome to SBS newsgroup.
> | | > | > | > | >
> | | > | > | > | > Issue description:
> | | > | > | > | > ================
> | | > | > | > | >
> | | > | > | > | > I understand that you encountered some problem when using CA on
> | | > | > | > | > SBS 2003 premium.
> | | > | > | > | >
> | | > | > | > | > Analyzing and suggestions:
> | | > | > | > | > ================
> | | > | > | > | >
> | | > | > | > | > Generally speaking, the error you encountered can be caused by many
> | | > | > | > | > factors, in order to make the issue more clear, please refer to my
> | | > | > | > | > suggestions below to gather more information:
> | | > | > | > | >
> | | > | > | > | > 1. If possible, please send me the event log for further research,
> | | > | > | > | > it should include more information which can help us determine
> | | > | > | > | > which kind of error you encountered, you can send the log files to
> | | > | > | > | > my email box.
> | | > | > | > | > v-chayan(a)microsoft.com.
> | | > | > | > |
> | | > | > | > | There is nothing recorded in the logs, when the errors occur.
> | | > | > | > |
> | | > | > | > | > 2. Does the issue occur from the client's computer or from the
> | | > | > | > | > server side?
> | | > | > | > |
> | | > | > | > | Both! It occurs when I request a certificate from the client and
> | | > | > | > | from the server! :( Via Web request or MMC snap-in
> | | > | > | > |
> | | > | > | > |
> | | > | > | > | >
> | | > | > | > | >
> | | > | > | > | > Let's first check the following:
> | | > | > | > | >
> | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that
> | | > | > | > | > the Certificate Service is started.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in
> | | > | > | > | > the Certificate Authority, make sure that necessary Certificate
> | | > | > | > | > Template is added and listed in the right panel.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK.
> | | > | > | > | > Click File -> Add/Remove Snap-in, click Add button, select
> | | > | > | > | > Certificate, click Add, select Computer Account and click next.
> | | > | > | > | > Select Local Computer, click Finish and then Close.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate,
> | | > | > | > | > check if the Root certificate exists. Its 'issued by' and 'issued
> | | > | > | > | > to' should be itself. Then please check if the root certificate is
> | | > | > | > | > still alive. If it is expired, right click the Certificate, select
> | | > | > | > | > All Tasks -> Renew Certificate with Same Key. Then renew the user
> | | > | > | > | > certificate and let me know how everything is going.
> | | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these
> | | > | > | > | > client certificates are not revoked before you renew the
> | | > | > | > | > certificate.
> | | > | > | > | >
> | | > | > | > | > If the issue still exists, please check if the CA computer where you
> | | > | > | > | > start the Certificate Web Enrollment from is set to trust for
> | | > | > | > | > delegation. To do so:
> | | > | > | > | > 1. Log on as a domain administrator or equivalent account.
> | | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools,
> | | > | > | > | > and then click "Active Directory Users and Computers".
> | | > | > | > | > 3. In the left pane, locate the container or
> organizational
> | | > unit
> | | > | > (OU)
> | | > | > | > on
> | | > | > | > | > which you want to enable delegation.
> | | > | > | > | > 4. Right-click the computer account name, and then click
> | | > | > Properties.
> | | > | > | > | > 5. On the General tab, click Trust computer for
> delegation.
> | | > | > | > | > 6. Click OK.
> | | > | > | > | > 7. Quit Active Directory Users and Computers.
> | | > | > | > | >
> | | > | > | > | > For more info, please refer to:
> | | > | > | > | > 300867 Error Message: The Certification Authority
> Service
> | Has
> | | > Not
> | | > | > Been
> | | > | > | > | > Started
> | | > | > | > | > http://support.microsoft.com/?id=300867
> | | > | > | > |
> | | > | > | > | The certificate is alive until 16/9/2010! So I didn't
> renew
> | it.
> | | > | > | > |
> | | > | > | > |
> | | > | > | > | >
> | | > | > | > | >
> | | > | > | > | > This issue may also occur if the Domain Users group on the child domain
> | | > | > | > | > does not have the right to enroll a user template. To have a check:
> | | > | > | > | >
> | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | | > | > | > |
> | | > | > | > | check
> | | > | > | > |
> | | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click
> | | > | > | > | > the "Active Directory Sites and Services" snap-in.
> | | > | > | > |
> | | > | > | > | check
> | | > | > | > |
> | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
> | | > | > | > | > click View, and then click "Show Services Mode". This allows you to view
> | | > | > | > | > the Services folder, which is hidden from view by default.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
> | | > | > | > | > click Public Key Services, and then click Certificate Templates. This
> | | > | > | > | > reveals the complete list of published certificate templates in Active
> | | > | > | > | > Directory.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 5. Double-click the User certificate template to view the properties.
> | | > | > | > |
> | | > | > | > | Check
> | | > | > | > |
> | | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the
> | | > | > | > | > list.
> | | > | > | > |
> | | > | > | > | The group domain users wasn't there so I added it
> | | > | > | > |
> | | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | | > | > | > |
> | | > | > | > | When I tried to apply the changes it gave the following error:
> | | > | > | > |
> | | > | > | > | "Unable to save permission changes on
> | | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
> | | > | > | > | TEMPLATES,CN=PUBLIC KEY
> | | > | > | > | SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | | > | > | > |
> | | > | > | > | ACCESS IS DENIED"
> | | > | > | > |
> | | > | > | > |
> | | > | > | > | > 8. Restart the computer.
> | | > | > | > |
> | | > | > | > | Didn't do it because no changes were made!
> | | > | > | > |
> | | > | > | > | >
> | | > | > | > | > For more info, please refer to:
> | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
> | | > | > | > | > Request
> | | > | > | > | > http://support.microsoft.com/?id=271861
> | | > | > | > | >
> | | > | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand alone
> | | > | > | > | > CA, you must request certificate by WEB.
> | | > | > | > | >
> | | > | > | > | > I appreciate your understanding and please paste your results at your
> | | > | > | > | > convenience, It is important for us to isolate the issue. I am glad to
> | | > | > | > | > help you.
> | | > | > | > | >
> | | > | > | > | >
> | | > | > | > | >
> | | > | > | > | > Best regards,
> | | > | > | > | >
> | | > | > | > | > Charles Yang (MSFT)
> | | > | > | > | >
> | | > | > | > | > Microsoft CSS Online Newsgroup Support
> | | > | > | > | >
> | | > | > | > | > Get Secure! - www.microsoft.com/security
> | | > | > | > | >
> | | > | > | > | > --------------------
> | | > | > | > | > | From: "PG" <*@*.*>
> | | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | | > | > | > | > |
> | | > | > | > | > | Hi everybody,
> | | > | > | > | > |
> | | > | > | > | > | When I try to request a certificate from my Enterprise CA installed on
> | | > | > | > | > | SBS2003Premium it gives the following error: "No certificate templates could
> | | > | > | > | > | be found. You do not have permission to request a certificate from this CA,
> | | > | > | > | > | or an error occurred while accessing the Active Directory." I went and
> | | > | > | > | > | searched for a solution and found this Microsoft article
> | | > | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
> | | > | > | > | > | help because the name of the server is the same in the certdat.inc and in
> | | > | > | > | > | the AD!!! :(
> | | > | > | > | > |
> | | > | > | > | > | When I go to the certification authority and click on "manage" on the
> | | > | > | > | > | certificate templates, Windows says that it detected that new certificate
> | | > | > | > | > | templates should be installed, and asks if I want to install them now, and
> | | > | > | > | > | I say "Yes", and it gives an error saying "Windows could not install the new
> | | > | > | > | > | certificate templates. Access is denied" :( I'm doing this as enterprise
> | | > | > | > | > | admin and it says access denied!!!!! :( :(
> | | > | > | > | > |
> | | > | > | > | > | I've tried to reinstall the CA and the errors are still the same!
> | | > | > | > | > |
> | | > | > | > | > | Can anyone help me with this issue, please?
> | | > | > | > | > |
> | | > | > | > | > | Thanks in advance for any help you can give me....
>
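
The quoted steps above ask for Read and Enroll for Domain Users on the User template, and the save failed with "ACCESS IS DENIED". The following is an added example, not part of the thread and not Microsoft's procedure: a read-only PowerShell check that prints the template's owner, who may change its permissions (WriteDacl), and whether a group already holds Read and Enroll. The function name, parameter names and the English group name are assumptions.

```powershell
# Added example (not from the thread): read-only audit of a certificate template's ACL.
# Assumptions: run on a domain-joined machine; group names are in English.
param(
    [string]$TemplateCN = 'User',          # CN of the template object, as in the error text
    [string]$Principal  = 'Domain Users'   # group expected to hold Read and Enroll
)

Add-Type -AssemblyName System.DirectoryServices
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]
# Control access right "Certificate-Enrollment", shown as "Enroll" on the Security tab.
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateAclReport {
    param([string]$TemplateCN, [string]$Principal)

    # Templates live in the forest-wide Configuration partition, not the domain partition.
    $configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($configNC)"
    $entry = [adsi]"LDAP://$dn"

    try   { $acl = $entry.psbase.ObjectSecurity }
    catch { throw "Cannot read the security descriptor of '$dn': $($_.Exception.Message)" }

    # Owner: resolve to a name when possible, otherwise report the raw SID.
    try   { $owner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }

    $hasRead = $false; $hasEnroll = $false; $hasDeny = $false
    $daclWriters = @()

    # Explicit and inherited ACEs, identities translated to DOMAIN\name where possible.
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        $rights = [int]$rule.ActiveDirectoryRights
        $allow  = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow

        # Anyone with WriteDacl (or the owner) can save permission changes on this object.
        if ($allow -and ($rights -band [int]$ADR::WriteDacl)) {
            $daclWriters += $rule.IdentityReference.Value
        }

        if ($rule.IdentityReference.Value -notlike "*\$Principal") { continue }

        # Coarse flag: any Deny ACE for the group is reported, whatever right it denies.
        if (-not $allow) { $hasDeny = $true; continue }

        if (($rights -band [int]$ADR::GenericRead) -eq [int]$ADR::GenericRead) { $hasRead = $true }

        # Enroll is an extended right: the ACE must carry ExtendedRight and name either
        # the enrollment GUID or no GUID at all (empty GUID = all extended rights).
        $isExtended = ($rights -band [int]$ADR::ExtendedRight) -ne 0
        if ($isExtended -and ($rule.ObjectType -eq $EnrollGuid -or $rule.ObjectType -eq [guid]::Empty)) {
            $hasEnroll = $true
        }
    }

    [pscustomobject]@{
        Template         = $dn
        Owner            = $owner
        CanChangeAcl     = ($daclWriters | Sort-Object -Unique) -join '; '
        Principal        = $Principal
        HasRead          = $hasRead
        HasEnroll        = $hasEnroll
        HasDenyAce       = $hasDeny
    }
}

Get-TemplateAclReport -TemplateCN $TemplateCN -Principal $Principal | Format-List
```

If the account used for the change is neither the owner nor listed under CanChangeAcl (directly or through group membership), the Security tab cannot save edits on that template, which matches the access-denied symptom reported in the thread.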


From: "Charles Yang [MSFT]" on
Hi PG,

From your description, it seems a lot of templates have the permission issue?
Can I assume that the permissions of all these grey templates encountered the
same issue when you try to change the permission, and that the permission in the
security section is not correct as I referred to?

If so, I suggest you make sure that you log on to the SBS server as
Enterprise Admin. It seems to be a permission issue; if possible, please
make sure that you log on via the built-in Enterprise Admin to see if the
problem can be cleared.

Thanks for your effort.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security


--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Fri, 23 Sep 2005 11:39:53 +0100
|
| Hi Charles,
|
| I went to DCOMCNFG and on the Launch permission it was empty, and I added
| Everyone with (Launch permission---Allow)
| and in the Access permission it is everyone (Access permission---Allow), so
| I didn't have to change it.
| Could not find anything that referred to (Local Activation Remote Activation)
| or (Local Access Remote Access) as you said. Only (Launch Permission) and
| (Access Permission).
|
| After applying the changes to DCOM I tried to request a certificate, and the
| same error occurred. Duplicated a Template and still the same error. :(
| "No certificate templates could be found. You do not have permission to
| request a certificate from this CA, or an error occurred while accessing the
| Active Directory."
|
| In response to your question, all the certificate templates, from the
| pictures I sent you, that are greyed out have permissions issues, and don't
| let me add or change permissions for those certificates.
|
| :(
|
|
| ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > Hi PG,
| >
| > Thanks for updates.
| >
| > After making research, I find solutions for you, please refer to the steps
| > below:
| >
| > 1- Open DCOMCNFG
| > 2- Select Component Services
| > ---Computers
| > ----My Computer
| > ------Dcom Config
| > ---- CertSrv Request
| > 3- Open properties and verify Security permission for Launch and Activation
| > Permissions (Should be Customize --Everyone ---Local Activation Remote
| > Activation)
| >
| > Access Permissions (Should be Customize -Everyone ---Local Access Remote
| > Access)
| >
| > If the issue still exists, please recreate a certificate template to see if
| > the issue can be resolved. You can try to request a certificate via a new
| > template. From your screenshot we found only one of the templates you
| > encountered permission issue, can we assume it is the certificate template
| > you use for the certificate?
| >
| > Thanks for understanding on this issue, please feel free to post back.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
| > | Organization: Microsoft
| > | Date: Fri, 23 Sep 2005 08:54:33 GMT
| > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > |
| > | HI PG,
| > |
| > | Currently, I am performing research on this issue, I will return to you as
| > | soon as possible, please understand that it might be some delay due to the
| > | weekend.
| > |
| > | Thanks for your understanding.
| > |
| > |
| > | Best regards,
| > |
| > | Charles Yang (MSFT)
| > |
| > | Microsoft CSS Online Newsgroup Support
| > |
| > | Get Secure! - www.microsoft.com/security
| > |
| > | --------------------
| > | | From: "PG" <*@*.*>
| > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
| > | |
| > | | Hi Charles,
| > | |
| > | | 1. I sent all the logs you requested to your e-mail.
| > | |
| > | | 2. Done that also.
| > | |
| > | | 3. No changes done...that I can remember
| > | |
| > | | Thanks
| > | |
| > | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| > | | > Hi PG,
| > | | >
| > | | > After checking your screen shot, we decide to collect more information, as
| > | | > this issue should relate to AD setting:
| > | | >
| > | | > 1. Please send me all the event log except the application and system
| > | | > event log that you have already sent to me.
| > | | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send the
| > | | > results to me also.
| > | | > 3. If possible, could you tell us if you have changed any setting on AD or on
| > | | > SBS server. As the screen shot points out that you have some problem in
| > | | > querying user objects on DC.
| > | | >
| > | | > I appreciate your effort on this issue.
| > | | >
| > | | >
| > | | >
| > | | > Best regards,
| > | | >
| > | | > Charles Yang (MSFT)
| > | | >
| > | | > Microsoft CSS Online Newsgroup Support
| > | | >
| > | | > Get Secure! - www.microsoft.com/security
| > | | >
| > | | > --------------------
| > | | > | From: "PG" <*@*.*>
| > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| > | | > |
| > | | > | Hi Charles,
| > | | > |
| > | | > | I started to go through the points you referred to below and on the second
| > | | > | point (Permissions settings) everything checked out ok except for the
| > | | > | certificate templates permissions again, I'm unable to change permissions
| > | | > | on some certificates, but others are ok! I'm sending you some compressed
| > | | > | pictures to your e-mail so you can try and see if this is normal, or not.
| > | | > | I didn't want to continue following your suggestions (to reinstall the
| > | | > | CA) before you had a look at the pictures I sent you.
| > | | > |
| > | | > | Thanks
| > | | > | PG
| > | | > |
| > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | | > | > Hi,
| > | | > | >
| > | | > | > Thanks for updates.
| > | | > | >
| > | | > | > After carefully checking your log, we did not find any related information,
| > | | > | > please note that it might take some time to do the task.
| > | | > | >
| > | | > | > For this issue, I have some suggestions below:
| > | | > | >
| > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server,
| > | | > | > so that when user logon to website, they require the certificate, which
| > | | > | > purpose you want to use for this certificate for VPN issue or for a
| > | | > | > website? From your log, it seems to be used for IPSec VPN.
| > | | > | >
| > | | > | > 1. Please change the website you use for web enrollment's authentication
| > | | > | > method from anonymous to Windows Authentication.
| > | | > | > 2. Please refer to the KB article below to check the permission setting
| > | | > | > for CA, make sure that you have gone through the article to double check it:
| > | | > | >
| > | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
| > | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
| > | | > | >
| > | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA
| > | | > | > server:
| > | | > | >
| > | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
| > | | > | > certsrv key
| > | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder
| > | | > | > and contents
| > | | > | > C. Opened up AD sites and services and deleted and in services\public key
| > | | > | > services
| > | | > | >
| > | | > | > Please delete all the contents of the containers leaving the empty
| > | | > | > containers with the exception of the templates container. Note, please
| > | | > | > perform a backup for registry.
| > | | > | >
| > | | > | > If the issue still exists, you have to refer to the KB article below to
| > | | > | > change the log level of certificate then reproduce the issue and check the
| > | | > | > event log again.
| > | | > | >
| > | | > | > 305018 How to Change the Event Logging Level for Certificate Services
| > | | > | > http://support.microsoft.com/?id=305018
| > | | > | >
| > | | > | > Thanks for your efforts. I will be here waiting for updates.
| > | | > | >
| > | | > | >
| > | | > | >
| > | | > | > Best regards,
| > | | > | >
| > | | > | > Charles Yang (MSFT)
| > | | > | >
| > | | > | > Microsoft CSS Online Newsgroup Support
| > | | > | >
| > | | > | > Get Secure! - www.microsoft.com/security
| > | | > | >
| > | | > | > --------------------
| > | | > | > | From: "PG" <*@*.*>
| > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| > | | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | | > | > |
| > | | > | > | I've sent you the logs as you requested Charles...
| > | | > | > |
| > | | > | > | Thanks for the help
| > | | > | > |
| > | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| > | | > | > | > HI PG,
| > | | > | > | >
| > | | > | > | > Thanks for updates.
| > | | > | > | >
| > | | > | > | > In order to make the issue more clear, could you send me the application
| > | | > | > | > log and system event log so that we can isolate the issue more clearly,
| > | | > | > | > you can compress the log files and send to my mailbox.
| > | | > | > | >
| > | | > | > | > v-chayan(a)microsoft.com
| > | | > | > | >
| > | | > | > | > Thanks for your understanding.
| > | | > | > | >
| > | | > | > | >
| > | | > | > | >
| > | | > | > | > Best regards,
| > | | > | > | >
| > | | > | > | > Charles Yang (MSFT)
| > | | > | > | >
| > | | > | > | > Microsoft CSS Online Newsgroup Support
| > | | > | > | >
| > | | > | > | > Get Secure! - www.microsoft.com/security
| > | | > | > | >
| > | | > | > | > --------------------
| > | | > | > | > | From: "PG" <*@*.*>
| > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| > | | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | | > | > | > |
| > | | > | > | > | Thanks for your reply Charles
| > | | > | > | > |
| > | | > | > | > | Responses to your questions follow, and are in line:
| > | | > | > | > |
| > | | > | > | > |
| > | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
| > | | > | > | > | > HI PG,
| > | | > | > | > | >
| > | | > | > | > | > Welcome to SBS newsgroup.
| > | | > | > | > | >
| > | | > | > | > | > Issue description:
| > | | > | > | > | > ================
| > | | > | > | > | >
| > | | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003
| > | | > | > | > | > premium.
| > | | > | > | > | >
| > | | > | > | > | > Analyzing and suggestions:
| > | | > | > | > | > ================
| > | | > | > | > | >
| > | | > | > | > | > Generally speaking, the error you encountered can be caused by many
| > | | > | > | > | > factors, in order to make the issue more clear, please refer to my
| > | | > | > | > | > suggestions below to gather more information:
| > | | > | > | > | >
| > | | > | > | > | > 1. If possible, please send me the event log for further research, it
| > | | > | > | > | > should include more information which can help us determine which kinds of
| > | | > | > | > | > error you encountered, you can send the log files to my email box.
| > | | > | > | > | > v-chayan(a)microsoft.com.
| > | | > | > | > |
| > | | > | > | > | There is nothing recorded in the logs when the errors occur.
| > | | > | > | > |
| > | | > | > | > | > 2. Does the issue occur from the client's computer or from the server
| > | | > | > | > | > side?
| > | | > | > | > |
| > | | > | > | > | Both! It occurs when I request a certificate from the client and from the
| > | | > | > | > | server! :( Via Web request or MMC snap-in
| > | | > | > | > |
| > | | > | > | > |
| > | | > | > | > | >
| > | | > | > | > | >
| > | | > | > | > | > Let's first check the following:
| > | | > | > | > | >
| > | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the
| > | | > | > | > | > Certificate Service is started.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the
| > | | > | > | > | > Certificate Authority, make sure that necessary Certificate Template is
| > | | > | > | > | > added and listed in the right panel.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
| > | | > | > | > | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
| > | | > | > | > | > select Computer Account and click next. Select Local Computer, click
| > | | > | > | > | > Finish and then Close.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
| > | | > | > | > | > the Root certificate exists. Its 'issued by' and 'issued to' should be
| > | | > | > | > | > itself. Then please check if the root certificate is still alive. If it is
| > | | > | > | > | > expired, right click the Certificate, select All Tasks -> Renew
| > | | > | > | > | > Certificate with Same Key. Then renew the user certificate and let me know
| > | | > | > | > | > how everything is going.
| > | | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these
| > | | > | > | > | > client certificates are not revoked before you renew the certificate.
| > | | > | > | > | >
| > | | > | > | > | > If the issue still exists, please check if the CA computer where you start
| > | | > | > | > | > the Certificate Web Enrollment from is set to trust for delegation. To do
| > | | > | > | > | > so:
| > | | > | > | > | > 1. Log on as a domain administrator or equivalent account.
| > | | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then
| > | | > | > | > | > click "Active Directory Users and Computers".
| > | | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on
| > | | > | > | > | > which you want to enable delegation.
| > | | > | > | > | > 4. Right-click the computer account name, and then click Properties.
| > | | > | > | > | > 5. On the General tab, click Trust computer for delegation.
| > | | > | > | > | > 6. Click OK.
| > | | > | > | > | > 7. Quit Active Directory Users and Computers.
| > | | > | > | > | >
| > | | > | > | > | > For more info, please refer to:
| > | | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been
| > | | > | > | > | > Started
| > | | > | > | > | > http://support.microsoft.com/?id=300867
| > | | > | > | > |
| > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
| > | | > | > | > |
| > | | > | > | > |
| > | | > | > | > | >
| > | | > | > | > | >
| > | | > | > | > | > This issue may also occur if the Domain Users group on the child domain
| > | | > | > | > | > does not have the right to enroll a user template. To have a check:
| > | | > | > | > | >
| > | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
| > | | > | > | > |
| > | | > | > | > | check
| > | | > | > | > |
| > | | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click
| > | | > | > | > | > the "Active Directory Sites and Services" snap-in.
| > | | > | > | > |
| > | | > | > | > | check
| > | | > | > | > |
| > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
| > | | > | > | > | > click View, and then click "Show Services Mode". This allows you to view
| > | | > | > | > | > the Services folder, which is hidden from view by default.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
| > | | > | > | > | > click Public Key Services, and then click Certificate Templates. This
| > | | > | > | > | > reveals the complete list of published certificate templates in Active
| > | | > | > | > | > Directory.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 5. Double-click the User certificate template to view the properties.
| > | | > | > | > |
| > | | > | > | > | Check
| > | | > | > | > |
| > | | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the
| > | | > | > | > | > list.
| > | | > | > | > |
| > | | > | > | > | The group domain users wasn't there so I added it
| > | | > | > | > |
| > | | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
| > | | > | > | > |
| > | | > | > | > | When I tried to apply the changes it gave the following error:
| > | | > | > | > |
| > | | > | > | > | "Unable to save permission changes on
| > | | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| > | | > | > | > |
| > | | > | > | > | ACCESS IS DENIED"
| > | | > | > | > |
| > | | > | > | > |
| > | | > | > | > | > 8. Restart the computer.
| > | | > | > | > |
| > | | > | > | > | Didn't do it because no changes were made!
| > | | > | > | > |
| > | | > | > | > | >
| > | | > | > | > | > For more info, please refer to:
| > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
| > | | > | > | > | > Request
| > | | > | > | > | > http://support.microsoft.com/?id=271861
| > | | > | > | > | >
| > | | > | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand alone
| > | | > | > | > | > CA, you must request certificate by WEB.
| > | | > | > | > | >
| > | | > | > | > | > I appreciate your understanding and please paste your results at your
| > | | > | > | > | > convenience, it is important for us to isolate the issue. I am glad to
| > | | > | > | > | > help you.
| > | | > | > | > | >
| > | | > | > | > | >
| > | | > | > | > | >
| > | | > | > | > | > Best regards,
| > | | > | > | > | >
| > | | > | > | > | > Charles Yang (MSFT)
| > | | > | > | > | >
| > | | > | > | > | > Microsoft CSS Online Newsgroup Support
| > | | > | > | > | >
| > | | > | > | > | > Get Secure! - www.microsoft.com/security
| > | | > | > | > | >
| > | | > | > | > | > --------------------
| > | | > | > | > | > | From: "PG" <*@*.*>
| > | | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | | > | > | > | > |
| > | | > | > | > | > | Hi everybody,
| > | | > | > | > | > |
| > | | > | > | > | > | When I try to request a certificate from my Enterprise CA installed on
| > | | > | > | > | > | SBS2003Premium it gives the following error: "No certificate templates could
| > | | > | > | > | > | be found. You do not have permission to request a certificate from this CA,
| > | | > | > | > | > | or an error occurred while accessing the Active Directory." I went and
| > | | > | > | > | > | searched for a solution and found this Microsoft article
| > | | > | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
| > | | > | > | > | > | help because the name of the server is the same in the certdat.inc and in
| > | | > | > | > | > | the AD!!! :(
| > | | > | > | > | > |
| > | | > | > | > | > | When I go to the certification authority and click on "manage" on the
| > | | > | > | > | > | certificate templates, Windows says that it detected that new certificate
| > | | > | > | > | > | templates should be installed, and asks if I want to install them now, and I
| > | | > | > | > | > | say "Yes", and gives an error saying "Windows could not install the new
| > | | > | > | > | > | certificate templates. Access is denied" :( I'm doing this as enterprise admin
| > | | > | > | > | > | and it says access denied!!!!! :( :(
| > | | > | > | > | > |
| > | | > | > | > | > | I've tried to reinstall the CA and the errors are still the same!
| > | | > | > | > | > |
| > | | > | > | > | > | Can anyone help me with this issue, please?
| > | | > | > | > | > |
| > | | > | > | > | > | Thanks in advance for any help you can give me....
|
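
The template permission check from steps 6 and 7 of the quoted procedure (Read and Enroll for Domain Users on the User template), as an added PowerShell example that is not part of the original thread. The function names are hypothetical, and the SDDL string and domain SID are constructed sample data so the script runs without a domain; the commented call at the end uses the template DN from the error message above.

```powershell
# Added example (not from the thread): report which trustees hold Read and
# Enroll on a certificate template's ACL, and whether Domain Users is among them.
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the Certificate-Enrollment extended right ("Enroll" on the Security tab).
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateSecurity {
    param([string]$TemplateDn, [string]$Sddl)
    if ($Sddl) {
        # Offline path: build the ACL object from an SDDL string.
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorSddlForm($Sddl)
        return $sd
    }
    # Live path: read the ACL of the template object in the Configuration partition.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TemplateDn")
    return $entry.psbase.ObjectSecurity
}

function Get-TemplateEnrollReport {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Security)
    $readMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $xrMask   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rules    = $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $rows     = @{}
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $rows.ContainsKey($sid)) {
            $rows[$sid] = New-Object psobject -Property @{
                Sid = $sid; Read = $false; Enroll = $false; DenyEnroll = $false }
        }
        $rights   = [int]$rule.ActiveDirectoryRights
        $isRead   = ($rights -band $readMask) -eq $readMask
        # Enroll is granted by the specific extended right, or by "all extended
        # rights" (ExtendedRight with an empty object-type GUID, e.g. Full Control).
        $isEnroll = (($rights -band $xrMask) -ne 0) -and
                    ($rule.ObjectType -eq $EnrollGuid -or $rule.ObjectType -eq [guid]::Empty)
        if ($rule.AccessControlType -eq 'Deny') {
            if ($isEnroll) { $rows[$sid].DenyEnroll = $true }
        } else {
            if ($isRead)   { $rows[$sid].Read   = $true }
            if ($isEnroll) { $rows[$sid].Enroll = $true }
        }
    }
    $rows.Values
}

# Constructed sample: Enterprise Admins (-519) own the object and have full
# control, Authenticated Users can read, Domain Admins (-512) can enroll.
# Domain Users (-513) has no ACE, as in the thread.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed domain SID
$sampleSddl = "O:${dom}-519G:${dom}-519D:" +
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;${dom}-519)" +
    "(A;;RPLCLORC;;;AU)" +
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;${dom}-512)"

$security = Get-TemplateSecurity -Sddl $sampleSddl
$report   = Get-TemplateEnrollReport -Security $security

"Owner: " + $security.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
$report | Sort-Object Sid | Format-Table Sid, Read, Enroll, DenyEnroll -AutoSize

# Only ACEs naming the SID directly are checked; access inherited through
# group membership is not resolved here.
$domainUsers = "${dom}-513"
if (-not ($report | Where-Object { $_.Sid -eq $domainUsers -and $_.Read -and $_.Enroll })) {
    "Domain Users ($domainUsers) has no direct Read+Enroll ACE on this template"
}

# Against a live directory, using the DN from the error message in the thread:
# Get-TemplateSecurity -TemplateDn 'CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=contimetra,DC=local'
```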

From: PG on
Hi Charles,

Yes all the grey templates have permission issues. I can't add, or change the
permissions for those templates.

And all my efforts were made as enterprise admin, to try and clear the
"access denied" problem... :(

I really don't understand what went wrong with this Certification Authority.

:(

""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
news:hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl...
> HI PG,
>
> From your description, it seems a lot of template has the permission issue?
> Can I assume that all the permission of this grey template encountered the
> same issue when you try to change the permission and the permission the
> security section is not correct as I referred to?
>
> If so, I suggest you make sure that you logon the SBS server with
> Enterprise Admin, it seems to be the permission issue, if possible please
> make sure that you logon via Built-in Enterprise Admin to see if the
> problem can be cleared,
>
> Thanks for your effort.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> --------------------
> | From: "PG" <*@*.*>
> | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | Date: Fri, 23 Sep 2005 11:39:53 +0100
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Hi Charles,
> |
> | I went to DCOMCNFG and on the Launch permission it was empty, and I added
> | Everyone with (Launch permission---Allow)
> | and in the Access permission it is everyone (Access permission---Allow), so
> | I didn't have to change it.
> | Could not find anything that referred to (Local Activation Remote Activation)
> | or (Local Access Remote Access) as you said. Only (Launch Permission) and
> | (Access Permission).
> |
> | After applying the changes to DCOM I tried to request a certificate, and the
> | same error occurred. Duplicated a Template and still the same error. :(
> | "No certificate templates could be found. You do not have permission to
> | request a certificate from this CA,or an error occurred while accessing the
> | Active Directory."
> |
> | In response to your question, all the certificates templates, from the
> | pictures I sent you, that are greyed out have permissions issues, and don't
> | let me add or change permissions for those certificates.
> |
> | :(
> |
> |
> | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > HI PG,
> | >
> | > Thanks for updates.
> | >
> | > After making research, I find solutions for you, please refer to the steps
> | > below:
> | >
> | > 1 Open DCOMCNFG
> | > 2- Select Component Services
> | > ---Computers
> | > ----My Computer
> | > ------Dcom Config
> | > ---- CertSrv Request
> | > 3- Open properties and verify Security permission for Launch and Activation
> | > Permissions (Should be Customize --Everyone ---Local Activation Remote
> | > Activation)
> | >
> | > Access Permissions (Should be Customize -Everyone ---Local Access Remote
> | > Access)
> | >
> | > If the issue still exists, please recreate a certificate template to see if
> | > the issue can be resolved. You can try to request a certificate via a new
> | > template. From your screenshot we found only one of the template you
> | > encountered permission issue, can we assume it is the certificate template
> | > you use for the certificate?
> | >
> | > Thanks for understanding on this issue, please feel free to post back.
> | >
> | >
> | >
> | > Best regards,
> | >
> | > Charles Yang (MSFT)
> | >
> | > --------------------
> | > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
> | > | Date: Fri, 23 Sep 2005 08:54:33 GMT
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > |
> | > | HI PG,
> | > |
> | > | Currently, I am performing research on this issue, I will return to you as
> | > | soon as possible, please understand that it might be some delay due to the
> | > | weekend.
> | > |
> | > | Thanks for your understanding.
> | > |
> | > |
> | > | Best regards,
> | > |
> | > | Charles Yang (MSFT)
> | > |
> | > | --------------------
> | > | | From: "PG" <*@*.*>
> | > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
> | > | |
> | > | | Hi Charles,
> | > | |
> | > | | 1. I sent all the logs you requested to your e-mail.
> | > | |
> | > | | 2. Done that also.
> | > | |
> | > | | 3. No changes done...that I can remember
> | > | |
> | > | | Thanks
> | > | |
> | > | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > Hi PG,
> | > | | >
> | > | | > After checking your screen shot, we decide to collect more information, as
> | > | | > this issue should relate to AD setting:
> | > | | >
> | > | | > 1. Please send me all the event log except the application and system
> | > | | > event log that you have already sent to me.
> | > | | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send the
> | > | | > results to me also.
> | > | | > 3. If possible, could you tell us if you have changed any setting on AD or on
> | > | | > SBS server. As the screen shot point that you have some problem in query
> | > | | > user objects on DC.
> | > | | >
> | > | | > I appreciate your effort on this issue.
> | > | | >
> | > | | >
> | > | | >
> | > | | > Best regards,
> | > | | >
> | > | | > Charles Yang (MSFT)
> | > | | >
> | > | | > --------------------
> | > | | > | From: "PG" <*@*.*>
> | > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | > | | > |
> | > | | > | Hi Charles,
> | > | | > |
> | > | | > | I started to go through the points you referred to below, and on the
> | > | | > | second point (Permissions settings) everything checked out ok except for the
> | > | | > | certificate templates' permissions again. I'm unable to change permissions
> | > | | > | on some certificates, but others are ok! I'm sending you some compressed
> | > | | > | pictures to your e-mail so you can try and see if this is normal, or not.
> | > | | > | I didn't want to continue following your suggestions (to reinstall the
> | > | | > | CA) before you had a look at the pictures I sent you.
> | > | | > |
> | > | | > | Thanks
> | > | | > | PG
> | > | | > |
> | > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > | > Hi,
> | > | | > | >
> | > | | > | > Thanks for updates.
> | > | | > | >
> | > | | > | > After carefully checking your log, we did not find any related information,
> | > | | > | > please note that it might take some time to do the task.
> | > | | > | >
> | > | | > | > For this issue, I have some suggestions below:
> | > | | > | >
> | > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server,
> | > | | > | > so that when user logon to website, they require the certificate, which
> | > | | > | > purpose you want to use for this certificate for VPN issue or for a
> | > | | > | > website? From your log, it seems to be used for IPSec VPN.
> | > | | > | >
> | > | | > | > 1. Please change the website you use for web enrollment's authentication
> | > | | > | > method from anonymous to Windows Authentication.
> | > | | > | > 2. Please refer to the KB article below to check the permission setting for
> | > | | > | > CA, make sure that you have gone through the article to double check it:
> | > | | > | >
> | > | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | > | | > | >
> | > | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA
> | > | | > | > server:
> | > | | > | >
> | > | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
> | > | | > | > certsrv key
> | > | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and
> | > | | > | > contents
> | > | | > | > C. Opened up AD sites and services and deleted and in services\public key
> | > | | > | > services
> | > | | > | >
> | > | | > | > Please delete all the contents of the containers leaving the empty
> | > | | > | > containers with the exception of the templates container. Note, please
> | > | | > | > perform a backup for registry.
> | > | | > | >
> | > | | > | > If the issue still exists, you have to refer to the KB article below to
> | > | | > | > change the log level of certificate then reproduce the issue check the
> | > | | > | > event log again.
> | > | | > | >
> | > | | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | > | | > | > http://support.microsoft.com/?id=305018
> | > | | > | >
> | > | | > | > Thanks for your efforts. I will be here waiting for updates.
> | > | | > | >
> | > | | > | >
> | > | | > | >
> | > | | > | > Best regards,
> | > | | > | >
> | > | | > | > Charles Yang (MSFT)
> | > | | > | >
> | > | | > | > --------------------
> | > | | > | > | From: "PG" <*@*.*>
> | > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | | > | > |
> | > | | > | > | I've sent you the logs as you requested Charles...
> | > | | > | > |
> | > | | > | > | Thanks for the help
> | > | | > | > |
> | > | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > | > | > HI PG,
> | > | | > | > | >
> | > | | > | > | > Thanks for updates.
> | > | | > | > | >
> | > | | > | > | > In order to make the issue more clear, could you send me the application
> | > | | > | > | > log and system event log so that we can isolate the issue more clearly, you
> | > | | > | > | > can compress the log files and send to my mailbox.
> | > | | > | > | >
> | > | | > | > | > v-chayan(a)microsoft.com
> | > | | > | > | >
> | > | | > | > | > Thanks for your understanding.
> | > | | > | > | >
> | > | | > | > | >
> | > | | > | > | >
> | > | | > | > | > Best regards,
> | > | | > | > | >
> | > | | > | > | > Charles Yang (MSFT)
> | > | | > | > | >
> | > | | > | > | > --------------------
> | > | | > | > | > | From: "PG" <*@*.*>
> | > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | | > | > | > |
> | > | | > | > | > | Thanks for your reply Charles
> | > | | > | > | > |
> | > | | > | > | > | Responses to your questions follow, and are in line:
> | > | | > | > | > |
> | > | | > | > | > |
> | > | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | | > | > | > | > HI PG,
> | > | | > | > | > | >
> | > | | > | > | > | > Welcome to SBS newsgroup.
> | > | | > | > | > | >
> | > | | > | > | > | > Issue description:
> | > | | > | > | > | > ================
> | > | | > | > | > | >
> | > | | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003
> | > | | > | > | > | > premium.
> | > | | > | > | > | >
> | > | | > | > | > | > Analyzing and suggestions:
> | > | | > | > | > | > ================
> | > | | > | > | > | >
> | > | | > | > | > | > Generally speaking, the error you encountered can be caused by many
> | > | | > | > | > | > factors, in order to make the issue more clear, please refer to my
> | > | | > | > | > | > suggestions below to gather more information:
> | > | | > | > | > | >
> | > | | > | > | > | > 1. If possible, please send me the event log for further research, it
> | > | | > | > | > | > should include more information which can help us determine which kinds of
> | > | | > | > | > | > error you encountered, you can send the log files to my email box.
> | > | | > | > | > | > v-chayan(a)microsoft.com.
> | > | | > | > | > |
> | > | | > | > | > | There is nothing recorded in the logs when the errors occur.
> | > | | > | > | > |
> | > | | > | > | > | > 2. Does the issue occur from the client's computer or from the server
> | > | | > | > | > | > side?
> | > | | > | > | > |
> | > | | > | > | > | Both! It occurs when I request a certificate from the client and from the
> | > | | > | > | > | server! :( Via Web request or MMC snap-in
> | > | | > | > | > |
> | > | | > | > | > |
> | > | | > | > | > | >
> | > | | > | > | > | >
> | > | | > | > | > | > Let's first check the following:
> | > | | > | > | > | >
> | > | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the
> | > | | > | > | > | > Certificate Service is started.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the
> | > | | > | > | > | > Certificate Authority, make sure that necessary Certificate Template is
> | > | | > | > | > | > added and listed in the right panel.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
> | > | | > | > | > | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
> | > | | > | > | > | > select Computer Account and click next. Select Local Computer, click
> | > | | > | > | > | > Finish and then Close.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
> | > | | > | > | > | > the Root certificate exists. Its 'issued by' and 'issued to' should be
> | > | | > | > | > | > itself. Then please check if the root certificate is still alive. If it is
> | > | | > | > | > | > expired, right click the Certificate, select All Tasks -> Renew
> | > | | > | > | > | > Certificate with Same Key. Then renew the user certificate and let me know
> | > | | > | > | > | > how everything is going.
> | > | | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these
> | > | | > | > | > | > client certificate are not revoked before you renew the certificate.
> | > | | > | > | > | >
> | > | | > | > | > | > If the issue still exists, please check if the CA computer where you start
> | > | | > | > | > | > the Certificate Web Enrollment from is set to trust for delegation. To do
> | > | | > | > | > | > so:
> | > | | > | > | > | > 1. Log on as a domain administrator or equivalent account.
> | > | | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then
> | > | | > | > | > | > click "Active Directory Users and Computers".
> | > | | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on
> | > | | > | > | > | > which you want to enable delegation.
> | > | | > | > | > | > 4. Right-click the computer account name, and then click Properties.
> | > | | > | > | > | > 5. On the General tab, click Trust computer for delegation.
> | > | | > | > | > | > 6. Click OK.
> | > | | > | > | > | > 7. Quit Active Directory Users and Computers.
> | > | | > | > | > | >
> | > | | > | > | > | > For more info, please refer to:
> | > | | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been
> | > | | > | > | > | > Started
> | > | | > | > | > | > http://support.microsoft.com/?id=300867
> | > | | > | > | > |
> | > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
> | > | | > | > | > |
> | > | | > | > | > |
> | > | | > | > | > | >
> | > | | > | > | > | >
> | > | | > | > | > | > This issue may also occur if the Domain Users group on the child domain
> | > | | > | > | > | > does not have the right to enroll a user template. To have a check:
> | > | | > | > | > | >
> | > | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
> | > | | > | > | > |
> | > | | > | > | > | check
> | > | | > | > | > |
> | > | | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click
> | > | | > | > | > | > the "Active Directory Sites and Services" snap-in.
> | > | | > | > | > |
> | > | | > | > | > | check
> | > | | > | > | > |
> | > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
> | > | | > | > | > | > click View, and then click "Show Services Mode". This allows you to view
> | > | | > | > | > | > the Services folder, which is hidden from view by default.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
> | > | | > | > | > | > click Public Key Services, and then click Certificate Templates. This
> | > | | > | > | > | > reveals the complete list of published certificate templates in Active
> | > | | > | > | > | > Directory.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 5. Double-click the User certificate template to view the properties.
> | > | | > | > | > |
> | > | | > | > | > | Check
> | > | | > | > | > |
> | > | | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the
> | > | | > | > | > | > list.
> | > | | > | > | > |
> | > | | > | > | > | The group domain users wasn't there so I added it
> | > | | > | > | > |
> | > | | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
> | > | | > | > | > |
> | > | | > | > | > | When I tried to apply the changes it gave the following error:
> | > | | > | > | > |
> | > | | > | > | > | "Unable to save permission changes on
> | > | | > | > | > |
> LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE
> | > | | > | > | > | TEMPLATES,CN=PUBLIC KEY
> | > | | > | > | > |
> | > SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
> | > | | > | > | > |
> | > | | > | > | > | ACCESS IS DENIED"
> | > | | > | > | > |
> | > | | > | > | > |
> | > | | > | > | > | > 8. Restart the computer.
> | > | | > | > | > |
> | > | | > | > | > | Didn't do it because no changes were made!
> | > | | > | > | > |
> | > | | > | > | > | >
> | > | | > | > | > | > For more info, please refer to:
> | > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority
> That
> | > | | > Processes
> | > | | > | > the
> | > | | > | > | > | > Request
> | > | | > | > | > | > http://support.microsoft.com/?id=271861
> | > | | > | > | > | >
> | > | | > | > | > | > NOTE: Request from MMC only works if it is a
> Enterprise
> | > CA.
> | > | To
> | > | | > | > stand
> | > | | > | > | > alone
> | > | | > | > | > | > CA, you must request certificate by WEB.
> | > | | > | > | > | >
> | > | | > | > | > | > I appreciate your understanding and please paste your results at your
> | > | | > | > | > | > convenience. It is important for us to isolate the issue. I am glad to
> | > | | > | > | > | > help you.
> | > | | > | > | > | >
> | > | | > | > | > | >
> | > | | > | > | > | >
> | > | | > | > | > | > Best regards,
> | > | | > | > | > | >
> | > | | > | > | > | > Charles Yang (MSFT)
> | > | | > | > | > | >
> | > | | > | > | > | > Microsoft CSS Online Newsgroup Support
> | > | | > | > | > | >
> | > | | > | > | > | > Get Secure! - www.microsoft.com/security
> | > | | > | > | > | >
> | > | | > | > | > | >
> | > | | > | > | > | > --------------------
> | > | | > | > | > | > | From: "PG" <*@*.*>
> | > | | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
> | > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
> | > | | > | > | > | > | Message-ID: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl>
> | > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | | > | > | > | > |
> | > | | > | > | > | > | Hi everybody,
> | > | | > | > | > | > |
> | > | | > | > | > | > | When I try to request a certificate from my Enterprise CA installed on
> | > | | > | > | > | > | SBS2003Premium it gives the following error: "No certificate templates could
> | > | | > | > | > | > | be found. You do not have permission to request a certificate from this CA,
> | > | | > | > | > | > | or an error occurred while accessing the Active Directory." I went and
> | > | | > | > | > | > | searched for a solution and found this Microsoft article
> | > | | > | > | > | > | http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 that didn't
> | > | | > | > | > | > | help because the name of the server is the same in the certdat.inc and in
> | > | | > | > | > | > | the AD!!! :(
> | > | | > | > | > | > |
> | > | | > | > | > | > | When I go to the certification authority and click on "manage" on the
> | > | | > | > | > | > | certificate templates, Windows says that it detected that new certificate
> | > | | > | > | > | > | templates should be installed, and asks if I want to install them now, and I
> | > | | > | > | > | > | say "Yes", and it gives an error saying "Windows could not install the new
> | > | | > | > | > | > | certificate templates. Access is denied" :( I'm doing this as enterprise admin
> | > | | > | > | > | > | and it says access denied!!!!! :( :(
> | > | | > | > | > | > |
> | > | | > | > | > | > | I've tried to reinstall the CA and the errors are still the same!
> | > | | > | > | > | > |
> | > | | > | > | > | > | Can anyone help me with this issue, please?
> | > | | > | > | > | > |
> | > | | > | > | > | > | Thanks in advance for any help you can give me....
> | > | | > | > | > | > |
>
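
The template permission check walked through in the quoted steps (Domain Users needing Read and Enroll on the User certificate template) can also be done read-only from a shell. This is an added example, not part of the original thread or any Microsoft article; it assumes a domain-joined machine with Windows PowerShell and an account that can read the Configuration partition, and the function name `Get-TemplateEnrollAcl` is hypothetical.

```powershell
# Added example: read-only audit of a certificate template's ACL.
# Certificate-Enrollment extended right ("Enroll") as defined in the AD schema.
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-TemplateEnrollAcl {
    param([string]$TemplateName = 'User')   # CN of the template object

    # Templates live in the forest-wide Configuration naming context.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $template = [ADSI]"LDAP://$dn"
    $sd = $template.psbase.ObjectSecurity
    $adr = [System.DirectoryServices.ActiveDirectoryRights]

    # The owner matters when saving ACL changes fails with "Access is denied".
    Write-Host "Template: $dn"
    Write-Host "Owner:    $($sd.GetOwner([System.Security.Principal.NTAccount]))"

    # Explicit and inherited ACEs, identities translated to DOMAIN\name.
    $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            $rights = $_.ActiveDirectoryRights
            $isExt  = ($rights -band $adr::ExtendedRight) -ne 0
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Type      = $_.AccessControlType          # Allow or Deny
                Read      = ($rights -band $adr::GenericRead) -eq $adr::GenericRead
                # Enroll = extended right scoped to the Enroll GUID, or to all
                # extended rights (empty GUID).
                Enroll    = $isExt -and ($_.ObjectType -eq $EnrollGuid -or
                                         $_.ObjectType -eq [guid]::Empty)
                Inherited = $_.IsInherited
            }
        }
}

# List every principal, then show only those that can actually enroll.
$acl = Get-TemplateEnrollAcl -TemplateName 'User'
$acl | Format-Table -AutoSize
$acl | Where-Object { $_.Type -eq 'Allow' -and $_.Read -and $_.Enroll } |
    Select-Object -ExpandProperty Identity
```

If Domain Users is absent from the final list, or a Deny entry covers the enrolling account, the "No certificate templates could be found" symptom described in the thread is consistent with the template ACL rather than with the CA service itself.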

