From: "Charles Yang [MSFT]" on 27 Sep 2005 04:26

HI PG,

It is such a weird issue; if the issue is urgent, it is in your best interest to call CSS for support. I have also done some research on this issue and found some steps which might be helpful to you:

1. Make the certutil command that is part of Windows Server 2003 available to your client computer.

2. Make sure that you are able to reach an enterprise CA. Calling

       certutil -dump

   shows all Enterprise CAs in your forest. You can also try to ping a specific CA with

       certutil -config [Machine\CAName] -ping

   Replace [Machine\CAName] with the "Config:" row from the certutil -dump output.

3. To verify template permissions, run the following command at your client:

       certutil -config [Machine\CAName] -catemplates

   The command output shows a list of certificate templates that are attached to a specific CA. Make sure that you have permissions for at least one certificate.

4. Make sure that at least one of the certificate templates where you have enrollment permissions has the option "Supply in the request" set in the certificate template's Subject Name tab. If you have permissions on a certificate but the Subject name is not built from Active Directory, your certificate request will fail.

5. Your client might not be able to verify the CA certificate's validity. To check the CA certificate you must make the CA certificate available to your client computer. Run the following command at your client:

       certutil -verify -URLfetch [CAcertificate]

   Replace CAcertificate with the filename of the CA certificate. Make sure that the CA certificate is verified successfully.

Then try to repeat your steps to see if the issue can be cleared. In addition, please also make sure that your Enterprise AD does not belong to the domain guest member group.

Hope the above information is helpful. I am sorry for any inconvenience on this issue.

Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue.

Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "PG" <*@*.*>
| Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| Date: Tue, 27 Sep 2005 08:52:36 +0100
|
| Hi Charles,
|
| Yes, all the grey templates have permission issues. I can't add or change the
| permissions for those templates.
|
| And all my efforts were made as enterprise admin, to try and clear the
| "access denied" problem... :(
|
| I really don't understand what went wrong with this Certification Authority.
|
| :(
|
| ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| news:hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl...
| > HI PG,
| >
| > From your description, it seems a lot of templates have the permission
| > issue? Can I assume that all the permissions of these grey templates
| > encountered the same issue when you try to change the permission, and the
| > permission in the security section is not correct as I referred to?
| >
| > If so, I suggest you make sure that you log on to the SBS server with
| > Enterprise Admin; it seems to be a permission issue. If possible, please
| > make sure that you log on via the built-in Enterprise Admin to see if the
| > problem can be cleared.
| >
| > Thanks for your effort.
| >
| > Best regards,
| > Charles Yang (MSFT)
| >
| > --------------------
| > | From: "PG" <*@*.*>
| > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | Date: Fri, 23 Sep 2005 11:39:53 +0100
| > |
| > | Hi Charles,
| > |
| > | I went to DCOMCNFG and on the Launch permission it was empty, and I added
| > | Everyone with (Launch permission---Allow),
| > | and in the Access permission it is everyone (Access permission---Allow),
| > | so I didn't have to change it.
| > | Could not find anything that referred to (Local Activation Remote
| > | Activation) or (Local Access Remote Access) as you said. Only (Launch
| > | Permission) and (Access Permission).
| > |
| > | After applying the changes to DCOM I tried to request a certificate, and
| > | the same error occurred. Duplicated a Template and still the same error. :(
| > | "No certificate templates could be found. You do not have permission to
| > | request a certificate from this CA,or an error occurred while accessing
| > | the Active Directory."
| > |
| > | In response to your question, all the certificate templates, from the
| > | pictures I sent you, that are greyed out have permission issues, and don't
| > | let me add or change permissions for those certificates.
| > |
| > | :(
| > |
| > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | > HI PG,
| > | >
| > | > Thanks for updates.
| > | >
| > | > After doing some research, I found solutions for you; please refer to the
| > | > steps below:
| > | >
| > | > 1- Open DCOMCNFG
| > | > 2- Select Component Services
| > | >    ---Computers
| > | >    ----My Computer
| > | >    ------Dcom Config
| > | >    ---- CertSrv Request
| > | > 3- Open properties and verify Security permission for Launch and
| > | >    Activation Permissions (Should be Customize --Everyone ---Local
| > | >    Activation Remote Activation)
| > | >
| > | >    Access Permissions (Should be Customize -Everyone ---Local Access
| > | >    Remote Access)
| > | >
| > | > If the issue still exists, please recreate a certificate template to see
| > | > if the issue can be resolved. You can try to request a certificate via a
| > | > new template. From your screenshot we found only one of the templates you
| > | > encountered the permission issue on; can we assume it is the certificate
| > | > template you use for the certificate?
| > | >
| > | > Thanks for understanding on this issue, please feel free to post back.
| > | >
| > | > Best regards,
| > | > Charles Yang (MSFT)
| > | >
| > | > --------------------
| > | > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
| > | > | Organization: Microsoft
| > | > | Date: Fri, 23 Sep 2005 08:54:33 GMT
| > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > |
| > | > | HI PG,
| > | > |
| > | > | Currently, I am performing research on this issue. I will return to you
| > | > | as soon as possible; please understand that there might be some delay
| > | > | due to the weekend.
| > | > |
| > | > | Thanks for your understanding.
| > | > |
| > | > | Best regards,
| > | > | Charles Yang (MSFT)
| > | > |
| > | > | --------------------
| > | > | | From: "PG" <*@*.*>
| > | > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
| > | > | |
| > | > | | Hi Charles,
| > | > | |
| > | > | | 1. I sent all the logs you requested to your e-mail.
| > | > | |
| > | > | | 2. Done that also.
| > | > | |
| > | > | | 3. No changes done...that I can remember
| > | > | |
| > | > | | Thanks
| > | > | |
| > | > | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| > | > | | > Hi PG,
| > | > | | >
| > | > | | > After checking your screenshot, we decided to collect more
| > | > | | > information, as this issue should relate to the AD setting:
| > | > | | >
| > | > | | > 1. Please send me all the event logs except the application and
| > | > | | >    system event logs that you have already sent to me.
| > | > | | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and
| > | > | | >    send the results to me also.
| > | > | | > 3. If possible, could you tell us if you have changed any setting on
| > | > | | >    AD or on the SBS server, as the screenshot points out that you have
| > | > | | >    some problem in querying user objects on the DC.
| > | > | | >
| > | > | | > I appreciate your effort on this issue.
| > | > | | >
| > | > | | > Best regards,
| > | > | | > Charles Yang (MSFT)
| > | > | | >
| > | > | | > --------------------
| > | > | | > | From: "PG" <*@*.*>
| > | > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| > | > | | > |
| > | > | | > | Hi Charles,
| > | > | | > |
| > | > | | > | I started to go through the points you referred to below, and on
| > | > | | > | the second point (Permissions settings) everything checked out ok
| > | > | | > | except for the certificate templates' permissions again. I'm unable
| > | > | | > | to change permissions on some certificates, but others are ok! I'm
| > | > | | > | sending you some compressed pictures to your e-mail so you can try
| > | > | | > | and see if this is normal, or not.
| > | > | | > | I didn't want to continue following your suggestions (to reinstall
| > | > | | > | the CA) before you had a look at the pictures I sent you.
| > | > | | > |
| > | > | | > | Thanks
| > | > | | > | PG
| > | > | | > |
| > | > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | > | | > | > Hi,
| > | > | | > | >
| > | > | | > | > Thanks for updates.
| > | > | | > | >
| > | > | | > | > After carefully checking your log, we did not find any related
| > | > | | > | > information; please note that it might take some time to do the
| > | > | | > | > task.
| > | > | | > | >
| > | > | | > | > For this issue, I have some suggestions below:
| > | > | | > | >
| > | > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA
| > | > | | > | > server, so that when users log on to the website, they require the
| > | > | | > | > certificate? For which purpose do you want to use this
| > | > | | > | > certificate, for the VPN issue or for a website? From your log,
| > | > | | > | > it seems to be used for IPSec VPN.
| > | > | | > | >
| > | > | | > | > 1. Please change the authentication method of the website you use
| > | > | | > | >    for web enrollment from anonymous to Windows Authentication.
| > | > | | > | > 2. Please refer to the KB article below to check the permission
| > | > | | > | >    setting for the CA; make sure that you have gone through the
| > | > | | > | >    article to double check it:
| > | > | | > | >
| > | > | | > | >    Q239706 Default Permission Settings for Enterprise Certificate
| > | > | | > | >    Authority
| > | > | | > | >    http://support.microsoft.com/default.aspx?scid=kb;EN-US
| > | > | | > | >
| > | > | | > | > 3. If the issue still exists, please follow the steps to reinstall
| > | > | | > | >    the CA server:
| > | > | | > | >
| > | > | | > | >    A. Opened regedit and went to HKLM\system\CCS\services and
| > | > | | > | >       deleted the certsrv key
| > | > | | > | >    B. Opened the file system and deleted c:\winnt\system32\certserv
| > | > | | > | >       folder and contents
| > | > | | > | >    C. Opened up AD sites and services and deleted and in
| > | > | | > | >       services\public key services
| > | > | | > | >
| > | > | | > | > Please delete all the contents of the containers, leaving the
| > | > | | > | > empty containers, with the exception of the templates container.
| > | > | | > | > Note, please perform a backup of the registry.
| > | > | | > | >
| > | > | | > | > If the issue still exists, you have to refer to the KB article
| > | > | | > | > below to change the log level of certificate, then reproduce the
| > | > | | > | > issue and check the event log again.
| > | > | | > | >
| > | > | | > | > 305018 How to Change the Event Logging Level for Certificate
| > | > | | > | > Services
| > | > | | > | > http://support.microsoft.com/?id=305018
| > | > | | > | >
| > | > | | > | > Thanks for your efforts. I will be here waiting for updates.
| > | > | | > | >
| > | > | | > | > Best regards,
| > | > | | > | > Charles Yang (MSFT)
| > | > | | > | >
| > | > | | > | > --------------------
| > | > | | > | > | From: "PG" <*@*.*>
| > | > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| > | > | | > | > |
| > | > | | > | > | I've sent you the logs as you requested Charles...
| > | > | | > | > |
| > | > | | > | > | Thanks for the help
| > | > | | > | > |
| > | > | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| > | > | | > | > | > HI PG,
| > | > | | > | > | >
| > | > | | > | > | > Thanks for updates.
| > | > | | > | > | >
| > | > | | > | > | > In order to make the issue more clear, could you send me the
| > | > | | > | > | > application log and system event log so that we can isolate
| > | > | | > | > | > the issue more clearly? You can compress the log files and
| > | > | | > | > | > send them to my mailbox.
| > | > | | > | > | >
| > | > | | > | > | > v-chayan(a)microsoft.com
| > | > | | > | > | >
| > | > | | > | > | > Thanks for your understanding.
| > | > | | > | > | >
| > | > | | > | > | > Best regards,
| > | > | | > | > | > Charles Yang (MSFT)
| > | > | | > | > | > | > | > | | > | > | > -------------------- | > | > | | > | > | > | From: "PG" <*@*.*> | > | > | | > | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > | > | | > | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> | > | > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority | > from | > | > | HELL!!! | > | > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100 | > | > | | > | > | > | Lines: 269 | > | > | | > | > | > | X-Priority: 3 | > | > | | > | > | > | X-MSMail-Priority: Normal | > | > | | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | > | > | | > | > | > | X-RFC2646: Format=Flowed; Original | > | > | | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE | > V6.00.3790.1830 | > | > | | > | > | > | Message-ID: <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> | > | > | | > | > | > | Newsgroups: microsoft.public.windows.server.sbs | > | > | | > | > | > | NNTP-Posting-Host: 62.48.233.71 | > | > | | > | > | > | Path: | > | > | | > | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl | > | > | | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl | > | > | | > | > microsoft.public.windows.server.sbs:154800 | > | > | | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | > | | > | > | > | | > | > | | > | > | > | Thanks for your reply Charles | > | > | | > | > | > | | > | > | | > | > | > | Responses to your questions follow, and are in line: | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | ""Charles Yang [MSFT]"" | > <v-chayan(a)online.microsoft.com> | > | > wrote | > | > | in | > | > | | > | > message | > | > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl... | > | > | | > | > | > | > HI PG, | > | > | | > | > | > | > | > | > | | > | > | > | > Welcome to SBS newsgroup. 
| > | > | | > | > | > | > | > | > | | > | > | > | > Issue description: | > | > | | > | > | > | > ================ | > | > | | > | > | > | > | > | > | | > | > | > | > I understand that you encountered some problem when | > | > using | > | > | CA | > | > | | > on | > | > | | > | > SBS | > | > | | > | > | > 2003 | > | > | | > | > | > | > premium. | > | > | | > | > | > | > | > | > | | > | > | > | > Analyzing and suggestions: | > | > | | > | > | > | > ================ | > | > | | > | > | > | > | > | > | | > | > | > | > Generally speaking, the error you encountered can be | > | > caused | > | > | by | > | > | | > | > many | > | > | | > | > | > | > factors, in order to make the issue more clear, | > please | > | > | refer | > | > | | > to | > | > | | > my | > | > | | > | > | > | > suggestions below to gather more information: | > | > | | > | > | > | > | > | > | | > | > | > | > 1. If possible, please send me the event log for | > further | > | > | | > research, | > | > | | > | > it | > | > | | > | > | > | > should include more information which can help us | > | > determine | > | > | | > which | > | > | | > | > | > kinds | > | > | | > | > | > of | > | > | | > | > | > | > error you encountered, you can send the log files to | > my | > | > | | > box. | > | > | | > | > | > | > v-chayan(a)microsoft.com. | > | > | | > | > | > | | > | > | | > | > | > | There is nothing recorded in the logs, when the | > error's | > | > occur. | > | > | | > | > | > | | > | > | | > | > | > | > 2. Does the issue occur from the client's computer | > or | > | > from | > | > | the | > | > | | > | > server | > | > | | > | > | > | > side? | > | > | | > | > | > | | > | > | | > | > | > | Both! It occur's when I request a certificate from the | > | > client | > | > | | > and | > | > | | > | > from | > | > | | > | > | > the | > | > | | > | > | > | server! 
:( Via Web request or MMC snap-in | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > Let's first check the following: | > | > | | > | > | > | > | > | > | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, | > make | > | > | sure | > | > | | > that | > | > | | > | > the | > | > | | > | > | > | > Certificate Service is started. | > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 2. Open Certificate Authority, make sure that it can | > be | > | > | | > opened. | > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 3. If you are using Enterprise CA, go to the | > Certificate | > | > | | > Template | > | > | | > | > in | > | > | | > | > | > the | > | > | | > | > | > | > Certificate Authority, make sure that necessary | > | > Certificate | > | > | | > | > Template | > | > | | > | > | > is | > | > | | > | > | > | > added and listed in the right panel. | > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC | > and | > | > click | > | > | | > OK. | > | > | | > | > Click | > | > | | > | > | > File | > | > | | > | > | > | > -> Add/Remove Snap-in, click Add button, select | > | > Certificate, | > | > | | > click | > | > | | > | > | > Add, | > | > | | > | > | > | > select Computer Account and click next. Select Local | > | > | Computer, | > | > | | > | > click | > | > | | > | > | > | > Finish | > | > | | > | > | > | > and then Close. | > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 5. Expand the Certificate (Local | > | > | | > Computer)\Personal\Certificate, | > | > | | > | > check | > | > | | > | > | > if | > | > | | > | > | > | > the Root certificate exists. 
It's 'issued by' and | > | > 'issued | > | > | to' | > | > | | > | > should | > | > | | > | > | > be | > | > | | > | > | > | > itself. Then please check if the root certificate is | > | > still | > | > | | > alive. | > | > | | > | > If | > | > | | > | > | > it | > | > | | > | > | > is | > | > | | > | > | > | > expired, right click the Certificate, select All | > | > Tasks -> | > | > | | > Renew | > | > | | > | > | > | > Certificate | > | > | | > | > | > | > with Same Key. Then renew the user certificate and | > let | > | > me | > | > | know | > | > | | > how | > | > | | > | > | > | > everything is going. | > | > | | > | > | > | > NOTE: Please check the Certificate Authority to make | > | > sure | > | > | that | > | > | | > | > these | > | > | | > | > | > | > client | > | > | | > | > | > | > certificate are not revoked before you renew the | > | > | certificate. | > | > | | > | > | > | > | > | > | | > | > | > | > If the issue still exists, please check if the CA | > | > computer | > | > | | > where | > | > | | > | > you | > | > | | > | > | > start | > | > | | > | > | > | > the Certificate Web Enrollment from is set to trust | > for | > | > | | > | > delegation. | > | > | | > | > To | > | > | | > | > | > do | > | > | | > | > | > | > so: | > | > | | > | > | > | > 1. Log on as a domain administrator or equivalent | > | > account. | > | > | | > | > | > | > 2. Click Start, point to Programs, point to | > | > Administrative | > | > | | > Tools, | > | > | | > | > and | > | > | | > | > | > then | > | > | | > | > | > | > click "Active Directory Users and Computers". | > | > | | > | > | > | > 3. In the left pane, locate the container or | > | > organizational | > | > | | > unit | > | > | | > | > (OU) | > | > | | > | > | > on | > | > | | > | > | > | > which you want to enable delegation. | > | > | | > | > | > | > 4. Right-click the computer account name, and then | > click | > | > | | > | > Properties. | > | > | | > | > | > | > 5. 
On the General tab, click Trust computer for | > | > delegation. | > | > | | > | > | > | > 6. Click OK. | > | > | | > | > | > | > 7. Quit Active Directory Users and Computers. | > | > | | > | > | > | > | > | > | | > | > | > | > For more info, please refer to: | > | > | | > | > | > | > 300867 Error Message: The Certification Authority | > | > Service | > | > | Has | > | > | | > Not | > | > | | > | > Been | > | > | | > | > | > | > Started | > | > | | > | > | > | > http://support.microsoft.com/?id=300867 | > | > | | > | > | > | | > | > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't | > | > renew | > | > | it. | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > This issue may also occur if the Domain Users group | > on | > | > the | > | > | | > child | > | > | | > | > | > domain | > | > | | > | > | > | > does not have the right to enroll a user template. | > To | > | > have a | > | > | | > | > check: | > | > | | > | > | > | > | > | > | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator | > | > | | > | > | > | | > | > | | > | > | > | check | > | > | | > | > | > | | > | > | | > | > | > | > 2. Click Start, click Programs, click Administrative | > | > Tools, | > | > | | > and | > | > | | > | > then | > | > | | > | > | > click | > | > | | > | > | > | > the "Active Directory Sites and Services" snap-in. | > | > | | > | > | > | | > | > | | > | > | > | check | > | > | | > | > | > | | > | > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites | > and | > | > | | > Services" | > | > | | > | > | > snap-in, | > | > | | > | > | > | > click View, and then click "Show Services Mode". | > This | > | > allows | > | > | | > you | > | > | | > | > to | > | > | | > | > | > view | > | > | | > | > | > | > the Services folder, which is hidden from view by | > | > default. 
| > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 4. From the "Active Directory Sites and Services" | > | > snap-in, | > | > | | > click | > | > | | > | > | > Services, | > | > | | > | > | > | > click Public Key Services, and then click | > Certificate | > | > | | > Templates. | > | > | | > | > This | > | > | | > | > | > | > reveals the complete list of published certificate | > | > | templates | > | > | | > in | > | > | | > | > Active | > | > | | > | > | > | > Directory. | > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 5. Double-click the User certificate template to | > view | > | > the | > | > | | > | > properties. | > | > | | > | > | > | | > | > | | > | > | > | Check | > | > | | > | > | > | | > | > | | > | > | > | > 6. On the Security tab, click Add to add the Domain | > | > Users | > | > | | > group | > | > | | > to | > | > | | > | > the | > | > | | > | > | > | > list. | > | > | | > | > | > | | > | > | | > | > | > | The group domain users wasn't there so I added it | > | > | | > | > | > | | > | > | | > | > | > | > 7. For the Domain Users group, select the Read and | > | > Enroll | > | > | | > rights. | > | > | | > | > | > | | > | > | | > | > | > | When I tryed to apply the changes it gave the | > following | > | > error: | > | > | | > | > | > | | > | > | | > | > | > | "Unable to save permission changes on | > | > | | > | > | > | | > LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE | > | > | | > | > | > | TEMPLATES,CN=PUBLIC KEY | > | > | | > | > | > | | > | > SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL | > | > | | > | > | > | | > | > | | > | > | > | ACCESS IS DENIED" | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | > 8. Restart the computer. | > | > | | > | > | > | | > | > | | > | > | > | Didn't do it because no changes were made! 
| > | > | | > | > | > | | > | > | | > | > | > | > | > | > | | > | > | > | > For more info, please refer to: | > | > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority | > That | > | > | | > Processes | > | > | | > | > the | > | > | | > | > | > | > Request | > | > | | > | > | > | > http://support.microsoft.com/?id=271861 | > | > | | > | > | > | > | > | > | | > | > | > | > NOTE: Request from MMC only works if it is a | > Enterprise | > | > CA. | > | > | To | > | > | | > | > stand | > | > | | > | > | > alone | > | > | | > | > | > | > CA, you must request certificate by WEB. | > | > | | > | > | > | > | > | > | | > | > | > | > I appreciate your understanding and please paste | > your | > | > | results | > | > | | > as | > | > | | > | > your | > | > | | > | > | > | > convenience, It is important for us to isolate the | > | > issue. | > | > I | > | > | am | > | > | | > | > glad | > | > | | > | > to | > | > | | > | > | > | > help | > | > | | > | > | > | > you. | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > Best regards, | > | > | | > | > | > | > | > | > | | > | > | > | > Charles Yang (MSFT) | > | > | | > | > | > | > | > | > | | > | > | > | > Microsoft CSS Online Newsgroup Support | > | > | | > | > | > | > | > | > | | > | > | > | > Get Secure! - www.microsoft.com/security | > | > | | > | > | > | > | > | > | | > | > | > | > | > ====================================================== | > | > | | > | > | > | > This newsgroup only focuses on SBS technical issues. | > If | > | > you | > | > | | > have | > | > | | > | > | > issues | > | > | | > | > | > | > regarding other Microsoft products, you'd better | > post | > in | > | > the | > | > | | > | > | > corresponding | > | > | | > | > | > | > newsgroups so that they can be resolved in an | > efficient | > | > and | > | > | | > timely | > | > | | > | > | > manner. 
| > | > | | > | > | > | > You can locate the newsgroup here: | > | > | | > | > | > | > | > | > | | > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | > | | > | > | > | > | > | > | | > | > | > | > When opening a new thread via the web interface, we | > | > | recommend | > | > | | > you | > | > | | > | > | > check | > | > | | > | > | > | > the | > | > | | > | > | > | > "Notify me of replies" box to receive e-mail | > | > notifications | > | > | | > when | > | > | | > | > there | > | > | | > | > | > are | > | > | | > | > | > | > any updates in your thread. When responding to posts | > via | > | > | your | > | > | | > | > | > newsreader, | > | > | | > | > | > | > please "Reply to Group" so that others may learn and | > | > benefit | > | > | | > from | > | > | | > | > your | > | > | | > | > | > | > issue. | > | > | | > | > | > | > | > | > | | > | > | > | > Microsoft engineers can only focus on one issue per | > | > thread. | > | > | | > | > Although | > | > | | > | > | > we | > | > | | > | > | > | > provide other information for your reference, we | > | > recommend | > | > | you | > | > | | > | > post | > | > | | > | > | > | > different incidents in different threads to keep the | > | > thread | > | > | | > clean. | > | > | | > | > In | > | > | | > | > | > | > doing | > | > | | > | > | > | > so, it will ensure your issues are resolved in a | > timely | > | > | | > manner. | > | > | | > | > | > | > | > | > | | > | > | > | > For urgent issues, you may want to contact Microsoft | > CSS | > | > | | > directly. | > | > | | > | > | > Please | > | > | | > | > | > | > check http://support.microsoft.com for regional | > support | > | > | phone | > | > | | > | > numbers. | > | > | | > | > | > | > | > | > | | > | > | > | > Any input or comments in this thread are highly | > | > appreciated. 
| > | > | | > | > | > | > | > ====================================================== | > | > | | > | > | > | > This posting is provided "AS IS" with no warranties, | > and | > | > | | > confers | > | > | | > | > no | > | > | | > | > | > | > rights. | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > ===================================================== | > | > | | > | > | > | > When responding to posts, please "Reply to Group" | > via | > | > your | > | > | | > | > newsreader | > | > | | > | > | > so | > | > | | > | > | > | > that others may learn and benefit from your issue. | > | > | | > | > | > | > | > ===================================================== | > | > | | > | > | > | > | > | > | | > | > | > | > This posting is provided "AS IS" with no warranties, | > and | > | > | | > confers | > | > | | > | > no | > | > | | > | > | > | > rights. | > | > | | > | > | > | > | > | > | | > | > | > | > -------------------- | > | > | | > | > | > | > | From: "PG" <*@*.*> | > | > | | > | > | > | > | Subject: SBS2003Premium Certification Authority | > from | > | > | HELL!!! 
| > | > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100 | > | > | | > | > | > | > | Lines: 25 | > | > | | > | > | > | > | X-Priority: 3 | > | > | | > | > | > | > | X-MSMail-Priority: Normal | > | > | | > | > | > | > | X-Newsreader: Microsoft Outlook Express | > 6.00.3790.1830 | > | > | | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE | > | > V6.00.3790.1830 | > | > | | > | > | > | > | X-RFC2646: Format=Flowed; Original | > | > | | > | > | > | > | Message-ID: | > <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > | > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs | > | > | | > | > | > | > | NNTP-Posting-Host: 62.48.233.71 | > | > | | > | > | > | > | Path: | > | > | | > | > | > | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl | > | > | | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl | > | > | | > | > | > microsoft.public.windows.server.sbs:153926 | > | > | | > | > | > | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | > | | > | > | > | > | | > | > | | > | > | > | > | Hi everybody, | > | > | | > | > | > | > | | > | > | | > | > | > | > | When I try to request a certificate from my | > | > | Enterprise | > | > | | > CA | > | > | | > | > | > installed | > | > | | > | > | > | > on | > | > | | > | > | > | > | SBS2003Premium It gives the following error :"No | > | > | certificate | > | > | | > | > | > templates | > | > | | > | > | > | > could | > | > | | > | > | > | > | be found. You do not have permission to request a | > | > | | > certificate | > | > | | > | > from | > | > | | > | > | > this | > | > | | > | > | > | > CA, | > | > | | > | > | > | > | or an error occurred while accessing the Active | > | > | Directory." 
| > | > | | > I | > | > | | > | > went | > | > | | > | > | > and | > | > | | > | > | > | > | search for a solution and found this microsoft | > article | > | > | | > | > | > | > | | > | > | | > http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 | > | > | | > | > that | > | > | | > | > | > | > didn't | > | > | | > | > | > | > | help because the name of the server is the same in | > the | > | > | | > | > certdat.inc | > | > | | > | > | > and | > | > | | > | > | > | > in | > | > | | > | > | > | > | the AD!!! :( | > | > | | > | > | > | > | | > | > | | > | > | > | > | When I go to the certification authority and | > click | > | > on | > | > | | > | > "manage" | > | > | | > | > | > on | > | > | | > | > | > | > the | > | > | | > | > | > | > | certificate templates, windows says that it | > detected | > | > that | > | > | | > new | > | > | | > | > | > | > certificate | > | > | | > | > | > | > | templates should be installed, and ask if I want | > to | > | > | install | > | > | | > them | > | > | | > | > | > now, | > | > | | > | > | > | > and | > | > | | > | > | > | > I | > | > | | > | > | > | > | say "Yes", and gives an error saying "Windows | > could | > | > not | > | > | | > install | > | > | | > | > the | > | > | | > | > | > new | > | > | | > | > | > | > | certificate templates. Access is denied" :( I | > doing | > | > this | > | > | as | > | > | | > | > | > enterprise | > | > | | > | > | > | > admin | > | > | | > | > | > | > | and it says access denied!!!!! :( :( | > | > | | > | > | > | > | | > | > | | > | > | > | > | I've tryed to reinstall the CA and the errors | > are | > | > | still | > | > | | > the | > | > | | > | > | > same! | > | > | | > | > | > | > | | > | > | | > | > | > | > | Can anyone help me with this issue, please? | > | > | | > | > | > | > | | > | > | | > | > | > | > | Thanks in advance for any help you can give | > me.... 
| > | > | | > | > | > | > | | > | > | | > | > | > | > | | > | > | | > | > | > | > | | > | > | | > | > | > | > | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | | > | > | | > | > | > | > | > | | > | > | | > | > | | > | > | | > | > | | > | > | | > | > | | > | > | > | > | | > | | > | > | | > | | > | > | | > | | > | > | | > | > | > | | | > | > | | | > | > | | | > | > | | > | > | | > | > | > | | > | | > | | > | | |
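
Steps 2 and 3 of Charles Yang's 27 Sep reply, as an added PowerShell example that is not part of the thread: it parses `certutil -catemplates` output and reports which templates the current account may enroll in. The output layout (`Name: Display Name -- status`, with "Access is denied" marking a template you cannot enroll in) is an assumption, the sample lines are constructed, and `ConvertFrom-CaTemplateOutput` is a hypothetical helper name.

```powershell
# Added example: summarize `certutil -catemplates` output per template.
# ASSUMPTION: every template line has the form
#     <TemplateName>: <Display Name> -- <status text>
# and the status text contains "Access is denied" when the caller lacks
# Enroll permission on that template.

function ConvertFrom-CaTemplateOutput {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    foreach ($text in $Line) {
        # Skip blank lines and certutil's own trailer line.
        if ([string]::IsNullOrWhiteSpace($text) -or $text -like 'CertUtil:*') { continue }

        if ($text -match '^(?<name>[^:]+):\s*(?<display>.*?)\s+--\s+(?<status>.+)$') {
            # Copy the captures first: later comparisons must not rely on $Matches.
            $name    = $Matches['name'].Trim()
            $display = $Matches['display'].Trim()
            $status  = $Matches['status'].Trim()

            [pscustomobject]@{
                Template    = $name
                DisplayName = $display
                CanEnroll   = $status -notlike '*Access is denied*'
                Status      = $status
            }
        }
    }
}

# Constructed sample output (not taken from the thread).
$sample = @'
User: User -- Auto-Enroll: Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
Machine: Computer -- Access is denied.
WebServer: Web Server -- Access is denied.
CertUtil: -CATemplates command completed successfully.
'@ -split '\r?\n'

# Against a live CA, feed the real output instead of $sample, using the
# "Config:" value reported by `certutil -dump`:
#   $lines = certutil -config '<Machine\CAName>' -catemplates
$templates = @(ConvertFrom-CaTemplateOutput -Line $sample)
$templates | Format-Table Template, DisplayName, CanEnroll -AutoSize

$enrollable = @($templates | Where-Object CanEnroll)
if ($enrollable.Count -eq 0) {
    # Matches the situation in the thread: no template this account can enroll in.
    Write-Warning 'No template on this CA is enrollable for the current account.'
} else {
    'Enrollable templates: ' + ($enrollable.Template -join ', ')
}
```
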
From: PG on 3 Oct 2005 08:25 Hi Charles, Just wanted to say that I finally fixed the problem thanks to your help. I reinstalled the CA with the indications you gave bellow: "3. If the issue still exists, please follow the steps to reinstall the CA server: A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents C. Opened up AD sites and services and deleted and in services\public key services Please deleted all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry." And all the templates have the correct permissions now, the error messages no longer show, and I can now request certificates from this CA without any problem. Thanks for all your help... ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message news:hNvuk0zwFHA.580(a)TK2MSFTNGXA01.phx.gbl... > HI PG, > > It should be a so wired issue, if the issue is urgent it is your best > interest to call CSS for supporter. I have also made research on this > issue > and also get some steps which might be helpful to you: > > 1. Make the certutil command that is part of Windows Server 2003 server > available to your client computer. > 2. Make sure that you are able to reach an enterprise CA. Calling certutil > -dump shows all Enterprise CAs in your forest. You can also try to ping a > specific CA with certutil -config [Machine\CAName] -ping > Replace [Machine\CAName] with the "Config:" row from the certutil -dump > output. > 3. To verify template permissions, run the following command at your > client: certutil -config [Machine\CAName] -catemplates > The command-output shows a list of certificate templates that are attached > to a specific CA. Make sure that you have at least for one certificate > permissions. > 4. 
Make sure that at least one of the certificate templates where you have > enrollment permissions has set the option "Supply in the request" in the > certificates template Subject Name tab. If you have permissions on a > certificate but the Subject name is not built from Active Directory, your > certificate request will fail. > 5. Your client might not be able to verify the CA certificates validity. > To > check the CA certificate you must make the CA certificate available to > your > client computer. Perform the following command at your client: > certutil -verify -URLfetch [CAcertificate] > > Replace CAcertificate with the filename of the CA certificate. Make sure > that the CA certificate is verified successfully. > > Then try to repeat your steps to see if the issue can be clear, in > addition > please also make sure that your Enterprise AD did not belong to domain > guest member group. > > Hope the above information helpful. I am sorry for any inconvenience on > this issue. > > > > Best regards, > > Charles Yang (MSFT) > > Microsoft CSS Online Newsgroup Support > > Get Secure! - www.microsoft.com/security > > ====================================================== > This newsgroup only focuses on SBS technical issues. If you have issues > regarding other Microsoft products, you'd better post in the corresponding > newsgroups so that they can be resolved in an efficient and timely manner. > You can locate the newsgroup here: > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx > > When opening a new thread via the web interface, we recommend you check > the > "Notify me of replies" box to receive e-mail notifications when there are > any updates in your thread. When responding to posts via your newsreader, > please "Reply to Group" so that others may learn and benefit from your > issue. > > Microsoft engineers can only focus on one issue per thread. 
Although we > provide other information for your reference, we recommend you post > different incidents in different threads to keep the thread clean. In > doing > so, it will ensure your issues are resolved in a timely manner. > > For urgent issues, you may want to contact Microsoft CSS directly. Please > check http://support.microsoft.com for regional support phone numbers. > > Any input or comments in this thread are highly appreciated. > ====================================================== > This posting is provided "AS IS" with no warranties, and confers no > rights. > > > ===================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ===================================================== > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > -------------------- > | From: "PG" <*@*.*> > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> > <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> > <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> > <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> > <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl> > <Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl> > <Oi6nhtCwFHA.552(a)TK2MSFTNGP12.phx.gbl> > <hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl> > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! 
> | Date: Tue, 27 Sep 2005 08:52:36 +0100 > | Lines: 1415 > | X-Priority: 3 > | X-MSMail-Priority: Normal > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 > | X-RFC2646: Format=Flowed; Original > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 > | Message-ID: <uTRYvizwFHA.2076(a)TK2MSFTNGP14.phx.gbl> > | Newsgroups: microsoft.public.windows.server.sbs > | NNTP-Posting-Host: 62.48.233.71 > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:156751 > | X-Tomcat-NG: microsoft.public.windows.server.sbs > | > | Hi Charles, > | > | Yes all the grey templates have permission issues. I cant add, or change > the > | permissions for those templates. > | > | And all my efforts where made has enterprise admin, to try and clear the > | "access denied" problem... :( > | > | I really don't understand what went wrong with this Certification > Authority. > | > | :( > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message > | news:hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl... > | > HI PG, > | > > | > From your description, it seems a lot of template has the permission > | > issue? > | > Can I assume that all the permission of this grey template encountered > the > | > same issue when you try to change the permission and the permission > the > | > security section is not correct as I referred to? > | > > | > If so, I suggest you make sure that you logon the SBS server with > | > Enterprise Admin, it seems to be the permission issue, if possible > please > | > make sure that you logon via Built-in Enterprise Admin to see if the > | > problem can be cleared, > | > > | > Thanks for your effort. > | > > | > > | > > | > Best regards, > | > > | > Charles Yang (MSFT) > | > > | > Microsoft CSS Online Newsgroup Support > | > > | > Get Secure! 
- www.microsoft.com/security > | > > | > ====================================================== > | > This newsgroup only focuses on SBS technical issues. If you have > issues > | > regarding other Microsoft products, you'd better post in the > corresponding > | > newsgroups so that they can be resolved in an efficient and timely > manner. > | > You can locate the newsgroup here: > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx > | > > | > When opening a new thread via the web interface, we recommend you > check > | > the > | > "Notify me of replies" box to receive e-mail notifications when there > are > | > any updates in your thread. When responding to posts via your > newsreader, > | > please "Reply to Group" so that others may learn and benefit from your > | > issue. > | > > | > Microsoft engineers can only focus on one issue per thread. Although > we > | > provide other information for your reference, we recommend you post > | > different incidents in different threads to keep the thread clean. In > | > doing > | > so, it will ensure your issues are resolved in a timely manner. > | > > | > For urgent issues, you may want to contact Microsoft CSS directly. > Please > | > check http://support.microsoft.com for regional support phone numbers. > | > > | > Any input or comments in this thread are highly appreciated. > | > ====================================================== > | > This posting is provided "AS IS" with no warranties, and confers no > | > rights. > | > > | > > | > ===================================================== > | > When responding to posts, please "Reply to Group" via your newsreader > so > | > that others may learn and benefit from your issue. > | > ===================================================== > | > > | > This posting is provided "AS IS" with no warranties, and confers no > | > rights. 
> | >
> | > --------------------
> | > | From: "PG" <*@*.*>
> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | Date: Fri, 23 Sep 2005 11:39:53 +0100
> | > |
> | > | Hi Charles,
> | > |
> | > | I went to DCOMCNFG and on the Launch permission it was empty, and I added
> | > | Everyone with (Launch permission---Allow)
> | > | and in the Access permission it is everyone (Access permission---Allow), so
> | > | I didn't have to change it.
> | > | Could not find anything that referred to (Local Activation Remote Activation)
> | > | or (Local Access Remote Access) as you said. Only (Launch Permission) and
> | > | (Access Permission).
> | > |
> | > | After applying the changes to DCOM I tried to request a certificate, and the
> | > | same error occurred. Duplicated a Template and still the same error. :(
> | > | "No certificate templates could be found. You do not have permission to
> | > | request a certificate from this CA, or an error occurred while accessing the
> | > | Active Directory."
> | > |
> | > | In response to your question, all the certificate templates, from the
> | > | pictures I sent you, that are greyed out have permissions issues, and don't
> | > | let me add or change permissions for those certificates.
> | > |
> | > | :(
> | > |
> | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > | > HI PG,
> | > | >
> | > | > Thanks for updates.
> | > | >
> | > | > After making research, I find solutions for you, please refer to the steps
> | > | > below:
> | > | >
> | > | > 1- Open DCOMCNFG
> | > | > 2- Select Component Services
> | > | > ---Computers
> | > | > ----My Computer
> | > | > ------Dcom Config
> | > | > ---- CertSrv Request
> | > | > 3- Open properties and verify Security permission for Launch and
> | > | > Activation Permissions (Should be Customize --Everyone ---Local Activation
> | > | > Remote Activation)
> | > | >
> | > | > Access Permissions (Should be Customize -Everyone ---Local Access Remote
> | > | > Access)
> | > | >
> | > | > If the issue still exists, please recreate a certificate template to see
> | > | > if the issue can be resolved. You can try to request a certificate via a
> | > | > new template. From your screenshot we found only one of the template you
> | > | > encountered permission issue, can we assume it is the certificate template
> | > | > you use for the certificate?
> | > | >
> | > | > Thanks for understanding on this issue, please feel free to post back.
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Charles Yang (MSFT)
> | > | >
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | > --------------------
> | > | > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
> | > | > | Date: Fri, 23 Sep 2005 08:54:33 GMT
> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > |
> | > | > | HI PG,
> | > | > |
> | > | > | Currently, I am performing research on this issue, I will return to you as
> | > | > | soon as possible, please understand that it might be some delay due to the
> | > | > | weekend.
> | > | > |
> | > | > | Thanks for your understanding.
> | > | > |
> | > | > | Best regards,
> | > | > |
> | > | > | Charles Yang (MSFT)
> | > | > |
> | > | > | Microsoft CSS Online Newsgroup Support
> | > | > |
> | > | > | --------------------
> | > | > | | From: "PG" <*@*.*>
> | > | > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
> | > | > | |
> | > | > | | Hi Charles,
> | > | > | |
> | > | > | | 1. I sent all the logs you requested to your e-mail.
> | > | > | |
> | > | > | | 2. Done that also.
> | > | > | |
> | > | > | | 3. No changes done...that I can remember
> | > | > | |
> | > | > | | Thanks
> | > | > | |
> | > | > | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | | > Hi PG,
> | > | > | | >
> | > | > | | > After checking your screen shot, we decide to collect more information, as
> | > | > | | > this issue should relate to AD setting:
> | > | > | | >
> | > | > | | > 1. Please send me all the event log except the application and system
> | > | > | | > event log that you have already sent to me.
> | > | > | | > 2. please also run netdiag -v and dcdiag -v on the SBS server and send the
> | > | > | | > results to me also.
> | > | > | | > 3. If possible, could you tell us if have changed any setting on AD or on
> | > | > | | > SBS server. As the screen shot point that you have some problem in query
> | > | > | | > user objects on DC.
> | > | > | | >
> | > | > | | > I appreciate your effort on this issue.
> | > | > | | >
> | > | > | | > Best regards,
> | > | > | | >
> | > | > | | > Charles Yang (MSFT)
> | > | > | | >
> | > | > | | > Microsoft CSS Online Newsgroup Support
> | > | > | | >
> | > | > | | > --------------------
> | > | > | | > | From: "PG" <*@*.*>
> | > | > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
> | > | > | | > |
> | > | > | | > | Hi Charles,
> | > | > | | > |
> | > | > | | > | I started to go through the points you referred to below and on the second
> | > | > | | > | point (Permissions settings) everything checked out ok except for the
> | > | > | | > | certificate templates permissions again, I'm unable to change permissions
> | > | > | | > | on some certificates, but others are ok! I'm sending you some compressed
> | > | > | | > | pictures to your e-mail so you can try and see if this is normal, or not.
> | > | > | | > | I didn't want to continue following your suggestions (to reinstall the
> | > | > | | > | CA) before you had a look at the pictures I sent you.
> | > | > | | > |
> | > | > | | > | Thanks
> | > | > | | > | PG
> | > | > | | > |
> | > | > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | | > | > Hi,
> | > | > | | > | >
> | > | > | | > | > Thanks for updates.
> | > | > | | > | >
> | > | > | | > | > After carefully checking your log, we did not find any relate information,
> | > | > | | > | > please note that it might take some time to do the task.
> | > | > | | > | >
> | > | > | | > | > For this issue, I have some suggestion below:
> | > | > | | > | >
> | > | > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server,
> | > | > | | > | > so that when user logon to website, they require the certificate, which
> | > | > | | > | > purpose you want to use for this certificate for VPN issue or for a
> | > | > | | > | > website? From your log, it seems to be used for IPSec VPN.
> | > | > | | > | >
> | > | > | | > | > 1. Please change the website you use for web enrollment's authentication
> | > | > | | > | > method from anonymous to Windows Authentication.
> | > | > | | > | > 2. Please refer to the KB article below to check the permission setting
> | > | > | | > | > for CA, make sure that you have go through the article to double check it:
> | > | > | | > | >
> | > | > | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
> | > | > | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
> | > | > | | > | >
> | > | > | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA
> | > | > | | > | > server:
> | > | > | | > | >
> | > | > | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the
> | > | > | | > | > certsrv key
> | > | > | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder
> | > | > | | > | > and contents
> | > | > | | > | > C. Opened up AD sites and services and deleted and in services\public key
> | > | > | | > | > services
> | > | > | | > | >
> | > | > | | > | > Please deleted all the contents of the containers leaving the empty
> | > | > | | > | > containers with the exception of the templates container. Note, please
> | > | > | | > | > perform a backup for registry.
> | > | > | | > | >
> | > | > | | > | > If the issue still exist, you have to refer to the KB article below to
> | > | > | | > | > change the log level of certificate then reproduce the issue check the
> | > | > | | > | > event log again.
> | > | > | | > | >
> | > | > | | > | > 305018 How to Change the Event Logging Level for Certificate Services
> | > | > | | > | > http://support.microsoft.com/?id=305018
> | > | > | | > | >
> | > | > | | > | > Thanks for your efforts. I will be here waiting for updates.
> | > | > | | > | >
> | > | > | | > | > Best regards,
> | > | > | | > | >
> | > | > | | > | > Charles Yang (MSFT)
> | > | > | | > | >
> | > | > | | > | > Microsoft CSS Online Newsgroup Support
> | > | > | | > | >
> | > | > | | > | > --------------------
> | > | > | | > | > | From: "PG" <*@*.*>
> | > | > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
> | > | > | | > | > |
> | > | > | | > | > | I've sent you the logs as you requested Charles...
> | > | > | | > | > |
> | > | > | | > | > | Thanks for the help
> | > | > | | > | > |
> | > | > | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | | > | > | > HI PG,
> | > | > | | > | > | >
> | > | > | | > | > | > Thanks for updates.
> | > | > | | > | > | >
> | > | > | | > | > | > In order to make the issue more clear, could you send me the application
> | > | > | | > | > | > log and system event log so that we can isolate the issue more clearly,
> | > | > | | > | > | > you can compress the log files and send to my mailbox.
> | > | > | | > | > | >
> | > | > | | > | > | > v-chayan(a)microsoft.com
> | > | > | | > | > | >
> | > | > | | > | > | > Thanks for your understanding.
> | > | > | | > | > | >
> | > | > | | > | > | > Best regards,
> | > | > | | > | > | >
> | > | > | | > | > | > Charles Yang (MSFT)
> | > | > | | > | > | >
> | > | > | | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | | > | > | >
> | > | > | | > | > | > --------------------
> | > | > | | > | > | > | From: "PG" <*@*.*>
> | > | > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
> | > | > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
> | > | > | | > | > | > |
> | > | > | | > | > | > | Thanks for your reply Charles
> | > | > | | > | > | > |
> | > | > | | > | > | > | Responses to your questions follow, and are in line:
> | > | > | | > | > | > |
> | > | > | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
> | > | > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
> | > | > | | > | > | > | > HI PG,
> | > | > | | > | > | > | >
> | > | > | | > | > | > | > Welcome to SBS newsgroup.
> | > | > | | > | > | > | >
> | > | > | | > | > | > | > Issue description:
> | > | > | | > | > | > | > ================
> | > | > | | > | > | > | >
> | > | > | | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003
> | > | > | | > | > | > | > premium.
> | > | > | | > | > | > | >
> | > | > | | > | > | > | > Analyzing and suggestions:
> | > | > | | > | > | > | > ================
> | > | > | | > | > | > | >
> | > | > | | > | > | > | > Generally speaking, the error you encountered can be caused by many
> | > | > | | > | > | > | > factors, in order to make the issue more clear, please refer to my
> | > | > | | > | > | > | > suggestions below to gather more information:
> | > | > | | > | > | > | >
> | > | > | | > | > | > | > 1. If possible, please send me the event log for further research, it
> | > | > | | > | > | > | > should include more information which can help us determine which kinds of
> | > | > | | > | > | > | > error you encountered, you can send the log files to my box.
> | > | > | | > | > | > | > v-chayan(a)microsoft.com.
> | > | > | | > | > | > | > | > | > | | > | > | > | There is nothing recorded in the logs, when the > | > error's > | > | > occur. > | > | > | | > | > | > | > | > | > | | > | > | > | > 2. Does the issue occur from the client's > computer > | > or > | > | > from > | > | > | the > | > | > | | > | > server > | > | > | | > | > | > | > side? > | > | > | | > | > | > | > | > | > | | > | > | > | Both! It occur's when I request a certificate from > the > | > | > client > | > | > | | > and > | > | > | | > | > from > | > | > | | > | > | > the > | > | > | | > | > | > | server! :( Via Web request or MMC snap-in > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > | > | | > | > | > | > Let's first check the following: > | > | > | | > | > | > | > > | > | > | | > | > | > | > 1. Go to the CA Server, go to Services.msc > console, > | > make > | > | > | sure > | > | > | | > that > | > | > | | > | > the > | > | > | | > | > | > | > Certificate Service is started. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 2. Open Certificate Authority, make sure that it > can > | > be > | > | > | | > opened. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 3. If you are using Enterprise CA, go to the > | > Certificate > | > | > | | > Template > | > | > | | > | > in > | > | > | | > | > | > the > | > | > | | > | > | > | > Certificate Authority, make sure that necessary > | > | > Certificate > | > | > | | > | > Template > | > | > | | > | > | > is > | > | > | | > | > | > | > added and listed in the right panel. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 4. On the CA Server, click Start -> Run, type > MMC > | > and > | > | > click > | > | > | | > OK. 
> | > | > | | > | > Click > | > | > | | > | > | > File > | > | > | | > | > | > | > -> Add/Remove Snap-in, click Add button, select > | > | > Certificate, > | > | > | | > click > | > | > | | > | > | > Add, > | > | > | | > | > | > | > select Computer Account and click next. Select > Local > | > | > | Computer, > | > | > | | > | > click > | > | > | | > | > | > | > Finish > | > | > | | > | > | > | > and then Close. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 5. Expand the Certificate (Local > | > | > | | > Computer)\Personal\Certificate, > | > | > | | > | > check > | > | > | | > | > | > if > | > | > | | > | > | > | > the Root certificate exists. It's 'issued by' > and > | > | > 'issued > | > | > | to' > | > | > | | > | > should > | > | > | | > | > | > be > | > | > | | > | > | > | > itself. Then please check if the root > certificate > is > | > | > still > | > | > | | > alive. > | > | > | | > | > If > | > | > | | > | > | > it > | > | > | | > | > | > is > | > | > | | > | > | > | > expired, right click the Certificate, select All > | > | > Tasks -> > | > | > | | > Renew > | > | > | | > | > | > | > Certificate > | > | > | | > | > | > | > with Same Key. Then renew the user certificate > and > | > let > | > | > me > | > | > | know > | > | > | | > how > | > | > | | > | > | > | > everything is going. > | > | > | | > | > | > | > NOTE: Please check the Certificate Authority to > make > | > | > sure > | > | > | that > | > | > | | > | > these > | > | > | | > | > | > | > client > | > | > | | > | > | > | > certificate are not revoked before you renew the > | > | > | certificate. > | > | > | | > | > | > | > > | > | > | | > | > | > | > If the issue still exists, please check if the > CA > | > | > computer > | > | > | | > where > | > | > | | > | > you > | > | > | | > | > | > start > | > | > | | > | > | > | > the Certificate Web Enrollment from is set to > trust > | > for > | > | > | | > | > delegation. 
> | > | > | | > | > To > | > | > | | > | > | > do > | > | > | | > | > | > | > so: > | > | > | | > | > | > | > 1. Log on as a domain administrator or > equivalent > | > | > account. > | > | > | | > | > | > | > 2. Click Start, point to Programs, point to > | > | > Administrative > | > | > | | > Tools, > | > | > | | > | > and > | > | > | | > | > | > then > | > | > | | > | > | > | > click "Active Directory Users and Computers". > | > | > | | > | > | > | > 3. In the left pane, locate the container or > | > | > organizational > | > | > | | > unit > | > | > | | > | > (OU) > | > | > | | > | > | > on > | > | > | | > | > | > | > which you want to enable delegation. > | > | > | | > | > | > | > 4. Right-click the computer account name, and > then > | > click > | > | > | | > | > Properties. > | > | > | | > | > | > | > 5. On the General tab, click Trust computer for > | > | > delegation. > | > | > | | > | > | > | > 6. Click OK. > | > | > | | > | > | > | > 7. Quit Active Directory Users and Computers. > | > | > | | > | > | > | > > | > | > | | > | > | > | > For more info, please refer to: > | > | > | | > | > | > | > 300867 Error Message: The Certification > Authority > | > | > Service > | > | > | Has > | > | > | | > Not > | > | > | | > | > Been > | > | > | | > | > | > | > Started > | > | > | | > | > | > | > http://support.microsoft.com/?id=300867 > | > | > | | > | > | > | > | > | > | | > | > | > | The certificate is alive until 16/9/2010! So I > didn't > | > | > renew > | > | > | it. > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > | > | | > | > | > | > This issue may also occur if the Domain Users > group > | > on > | > | > the > | > | > | | > child > | > | > | | > | > | > domain > | > | > | | > | > | > | > does not have the right to enroll a user > template. > | > To > | > | > have a > | > | > | | > | > check: > | > | > | | > | > | > | > > | > | > | | > | > | > | > 1. 
Logon to CA Server as Enterprise > Administrator > | > | > | | > | > | > | > | > | > | | > | > | > | check > | > | > | | > | > | > | > | > | > | | > | > | > | > 2. Click Start, click Programs, click > Administrative > | > | > Tools, > | > | > | | > and > | > | > | | > | > then > | > | > | | > | > | > click > | > | > | | > | > | > | > the "Active Directory Sites and Services" > snap-in. > | > | > | | > | > | > | > | > | > | | > | > | > | check > | > | > | | > | > | > | > | > | > | | > | > | > | > 3. In MMC, right-click the "Active Directory > Sites > | > and > | > | > | | > Services" > | > | > | | > | > | > snap-in, > | > | > | | > | > | > | > click View, and then click "Show Services Mode". > | > This > | > | > allows > | > | > | | > you > | > | > | | > | > to > | > | > | | > | > | > view > | > | > | | > | > | > | > the Services folder, which is hidden from view > by > | > | > default. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 4. From the "Active Directory Sites and > Services" > | > | > snap-in, > | > | > | | > click > | > | > | | > | > | > Services, > | > | > | | > | > | > | > click Public Key Services, and then click > | > Certificate > | > | > | | > Templates. > | > | > | | > | > This > | > | > | | > | > | > | > reveals the complete list of published > certificate > | > | > | templates > | > | > | | > in > | > | > | | > | > Active > | > | > | | > | > | > | > Directory. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 5. Double-click the User certificate template to > | > view > | > | > the > | > | > | | > | > properties. > | > | > | | > | > | > | > | > | > | | > | > | > | Check > | > | > | | > | > | > | > | > | > | | > | > | > | > 6. On the Security tab, click Add to add the > Domain > | > | > Users > | > | > | | > group > | > | > | | > to > | > | > | | > | > the > | > | > | | > | > | > | > list. 
> | > | > | | > | > | > | > | > | > | | > | > | > | The group domain users wasn't there so I added it > | > | > | | > | > | > | > | > | > | | > | > | > | > 7. For the Domain Users group, select the Read > and > | > | > Enroll > | > | > | | > rights. > | > | > | | > | > | > | > | > | > | | > | > | > | When I tryed to apply the changes it gave the > | > following > | > | > error: > | > | > | | > | > | > | > | > | > | | > | > | > | "Unable to save permission changes on > | > | > | | > | > | > | > | > LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE > | > | > | | > | > | > | TEMPLATES,CN=PUBLIC KEY > | > | > | | > | > | > | > | > | > SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL > | > | > | | > | > | > | > | > | > | | > | > | > | ACCESS IS DENIED" > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > 8. Restart the computer. > | > | > | | > | > | > | > | > | > | | > | > | > | Didn't do it because no changes were made! > | > | > | | > | > | > | > | > | > | | > | > | > | > > | > | > | | > | > | > | > For more info, please refer to: > | > | > | | > | > | > | > 271861 Windows Cannot Find a Certificate > Authority > | > That > | > | > | | > Processes > | > | > | | > | > the > | > | > | | > | > | > | > Request > | > | > | | > | > | > | > http://support.microsoft.com/?id=271861 > | > | > | | > | > | > | > > | > | > | | > | > | > | > NOTE: Request from MMC only works if it is a > | > Enterprise > | > | > CA. > | > | > | To > | > | > | | > | > stand > | > | > | | > | > | > alone > | > | > | | > | > | > | > CA, you must request certificate by WEB. > | > | > | | > | > | > | > > | > | > | | > | > | > | > I appreciate your understanding and please paste > | > your > | > | > | results > | > | > | | > as > | > | > | | > | > your > | > | > | | > | > | > | > convenience, It is important for us to isolate > the > | > | > issue. 
> | > | > I > | > | > | am > | > | > | | > | > glad > | > | > | | > | > to > | > | > | | > | > | > | > help > | > | > | | > | > | > | > you. > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > | > | | > | > | > | > Best regards, > | > | > | | > | > | > | > > | > | > | | > | > | > | > Charles Yang (MSFT) > | > | > | | > | > | > | > > | > | > | | > | > | > | > Microsoft CSS Online Newsgroup Support > | > | > | | > | > | > | > > | > | > | | > | > | > | > Get Secure! - www.microsoft.com/security > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > ====================================================== > | > | > | | > | > | > | > This newsgroup only focuses on SBS technical > issues. > | > If > | > | > you > | > | > | | > have > | > | > | | > | > | > issues > | > | > | | > | > | > | > regarding other Microsoft products, you'd better > | > post > | > in > | > | > the > | > | > | | > | > | > corresponding > | > | > | | > | > | > | > newsgroups so that they can be resolved in an > | > efficient > | > | > and > | > | > | | > timely > | > | > | | > | > | > manner. > | > | > | | > | > | > | > You can locate the newsgroup here: > | > | > | | > | > | > | > > | > | > | | > > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx > | > | > | | > | > | > | > > | > | > | | > | > | > | > When opening a new thread via the web interface, > we > | > | > | recommend > | > | > | | > you > | > | > | | > | > | > check > | > | > | | > | > | > | > the > | > | > | | > | > | > | > "Notify me of replies" box to receive e-mail > | > | > notifications > | > | > | | > when > | > | > | | > | > there > | > | > | | > | > | > are > | > | > | | > | > | > | > any updates in your thread. 
When responding to > posts > | > via > | > | > | your > | > | > | | > | > | > newsreader, > | > | > | | > | > | > | > please "Reply to Group" so that others may learn > and > | > | > benefit > | > | > | | > from > | > | > | | > | > your > | > | > | | > | > | > | > issue. > | > | > | | > | > | > | > > | > | > | | > | > | > | > Microsoft engineers can only focus on one issue > per > | > | > thread. > | > | > | | > | > Although > | > | > | | > | > | > we > | > | > | | > | > | > | > provide other information for your reference, we > | > | > recommend > | > | > | you > | > | > | | > | > post > | > | > | | > | > | > | > different incidents in different threads to keep > the > | > | > thread > | > | > | | > clean. > | > | > | | > | > In > | > | > | | > | > | > | > doing > | > | > | | > | > | > | > so, it will ensure your issues are resolved in a > | > timely > | > | > | | > manner. > | > | > | | > | > | > | > > | > | > | | > | > | > | > For urgent issues, you may want to contact > Microsoft > | > CSS > | > | > | | > directly. > | > | > | | > | > | > Please > | > | > | | > | > | > | > check http://support.microsoft.com for regional > | > support > | > | > | phone > | > | > | | > | > numbers. > | > | > | | > | > | > | > > | > | > | | > | > | > | > Any input or comments in this thread are highly > | > | > appreciated. > | > | > | | > | > | > | > > | > ====================================================== > | > | > | | > | > | > | > This posting is provided "AS IS" with no > warranties, > | > and > | > | > | | > confers > | > | > | | > | > no > | > | > | | > | > | > | > rights. > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > | > | | > | > | > | > > | > ===================================================== > | > | > | | > | > | > | > When responding to posts, please "Reply to > Group" > | > via > | > | > your > | > | > | | > | > newsreader > | > | > | | > | > | > so > | > | > | | > | > | > | > that others may learn and benefit from your > issue. 
> | > | > | | > | > | > | > > | > ===================================================== > | > | > | | > | > | > | > > | > | > | | > | > | > | > This posting is provided "AS IS" with no > warranties, > | > and > | > | > | | > confers > | > | > | | > | > no > | > | > | | > | > | > | > rights. > | > | > | | > | > | > | > > | > | > | | > | > | > | > -------------------- > | > | > | | > | > | > | > | From: "PG" <*@*.*> > | > | > | | > | > | > | > | Subject: SBS2003Premium Certification > Authority > | > from > | > | > | HELL!!! > | > | > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100 > | > | > | | > | > | > | > | Lines: 25 > | > | > | | > | > | > | > | X-Priority: 3 > | > | > | | > | > | > | > | X-MSMail-Priority: Normal > | > | > | | > | > | > | > | X-Newsreader: Microsoft Outlook Express > | > 6.00.3790.1830 > | > | > | | > | > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE > | > | > V6.00.3790.1830 > | > | > | | > | > | > | > | X-RFC2646: Format=Flowed; Original > | > | > | | > | > | > | > | Message-ID: > | > <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> > | > | > | | > | > | > | > | Newsgroups: > microsoft.public.windows.server.sbs > | > | > | | > | > | > | > | NNTP-Posting-Host: 62.48.233.71 > | > | > | | > | > | > | > | Path: > | > | > | | > | > | > > | > | > TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl > | > | > | | > | > | > | > | Xref: TK2MSFTNGXA01.phx.gbl > | > | > | | > | > | > microsoft.public.windows.server.sbs:153926 > | > | > | | > | > | > | > | X-Tomcat-NG: > microsoft.public.windows.server.sbs > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | Hi everybody, > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | When I try to request a certificate from > my > | > | > | Enterprise > | > | > | | > CA > | > | > | | > | > | > installed > | > | > | | > | > | > | > on > | > | > | | > | > | > | > | SBS2003Premium It gives the following error > :"No > | > | > | certificate > | > | > | | > | > | > templates > | > | > | 
| > | > | > | > could > | > | > | | > | > | > | > | be found. You do not have permission to > request > a > | > | > | | > certificate > | > | > | | > | > from > | > | > | | > | > | > this > | > | > | | > | > | > | > CA, > | > | > | | > | > | > | > | or an error occurred while accessing the > Active > | > | > | Directory." > | > | > | | > I > | > | > | | > | > went > | > | > | | > | > | > and > | > | > | | > | > | > | > | search for a solution and found this microsoft > | > article > | > | > | | > | > | > | > | > | > | > | | > > http://support.microsoft.com/default.aspx?scid=kb;en-us;811418 > | > | > | | > | > that > | > | > | | > | > | > | > didn't > | > | > | | > | > | > | > | help because the name of the server is the > same > in > | > the > | > | > | | > | > certdat.inc > | > | > | | > | > | > and > | > | > | | > | > | > | > in > | > | > | | > | > | > | > | the AD!!! :( > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | When I go to the certification authority > and > | > click > | > | > on > | > | > | | > | > "manage" > | > | > | | > | > | > on > | > | > | | > | > | > | > the > | > | > | | > | > | > | > | certificate templates, windows says that it > | > detected > | > | > that > | > | > | | > new > | > | > | | > | > | > | > certificate > | > | > | | > | > | > | > | templates should be installed, and ask if I > want > | > to > | > | > | install > | > | > | | > them > | > | > | | > | > | > now, > | > | > | | > | > | > | > and > | > | > | | > | > | > | > I > | > | > | | > | > | > | > | say "Yes", and gives an error saying "Windows > | > could > | > | > not > | > | > | | > install > | > | > | | > | > the > | > | > | | > | > | > new > | > | > | | > | > | > | > | certificate templates. Access is denied" :( I > | > doing > | > | > this > | > | > | as > | > | > | | > | > | > enterprise > | > | > | | > | > | > | > admin > | > | > | | > | > | > | > | and it says access denied!!!!! 
:( :( > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | I've tryed to reinstall the CA and the > errors > | > are > | > | > | still > | > | > | | > the > | > | > | | > | > | > same! > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | Can anyone help me with this issue, > please? > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | Thanks in advance for any help you can > give > | > me.... > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | > | > | > | | > | > | > | > | > | > | > | | > | > | > | > > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > | > | > | > | | > | > | > > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > | > | > | > | | > | > > | > | > | | > | > | > | > | | > | > | > | > | | > | > | > | > | | > > | > | > | | > | > | > | | > | > | > | | > | > | > | > | > | > | > | > | > > | > | > | > | > | > | > | > > | > | > | >
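The reachability and template checks from the certutil list in the reply above (steps 2 and 3), as an added PowerShell example that is not part of the original posts. It assumes the `Config:` and `-catemplates` row layouts shown in the constructed sample, including that a bare "Access is denied." status means no Enroll right while "Auto-Enroll: Access is denied." concerns autoenrollment only; the function names and the CA and host names are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Get-CAConfigString {
    # Return the value of every "Config:" row in `certutil -dump` output.
    param([string[]]$DumpOutput)
    foreach ($line in $DumpOutput) {
        if ($line -match '^\s*Config:\s*(\S.*)$') {
            # The quote characters around the value differ between Windows versions.
            $Matches[1].Trim().Trim([char[]]@('`', "'", '"'))
        }
    }
}

function Get-CATemplateAccess {
    # Parse `certutil -catemplates` rows.
    # Assumed row shape: "<Name>: <Display name> -- <status text>".
    param([string[]]$TemplateOutput)
    $pattern = '^(?<name>[^:\s]+):\s*(?<display>.*?)(\s+--\s+(?<status>.*))?$'
    foreach ($line in $TemplateOutput) {
        if ($line -like 'CertUtil:*' -or $line -notmatch $pattern) { continue }
        # Copy the captures before anything else can overwrite $Matches.
        $name    = $Matches['name']
        $display = $Matches['display']
        $status  = [string]$Matches['status']
        [pscustomobject]@{
            Template         = $name
            DisplayName      = $display
            # Assumption: a bare denial means the caller has no Enroll right.
            EnrollDenied     = ($status -like 'Access is denied*')
            # Assumption: this form only concerns the Autoenroll right.
            AutoEnrollDenied = ($status -like 'Auto-Enroll: Access is denied*')
            Status           = $status
        }
    }
}

function Test-EnterpriseCA {
    # Live run on a domain-joined machine with certutil.exe: one result per CA.
    foreach ($config in Get-CAConfigString (& certutil.exe -dump)) {
        $null = & certutil.exe -config $config -ping
        $reachable = ($LASTEXITCODE -eq 0)
        $templates = @()
        if ($reachable) {
            $templates = @(Get-CATemplateAccess (& certutil.exe -config $config -catemplates))
        }
        [pscustomobject]@{
            Config       = $config
            Reachable    = $reachable
            Enrollable   = @($templates | Where-Object { -not $_.EnrollDenied } |
                             ForEach-Object { $_.Template })
            EnrollDenied = @($templates | Where-Object { $_.EnrollDenied } |
                             ForEach-Object { $_.Template })
        }
    }
}

# Constructed sample output (placeholder names) so the parsing runs offline.
$sampleDump = @'
Entry 0:
  Name:                         `EXAMPLE-CA'
  Config:                       `server01.example.local\EXAMPLE-CA'
'@ -split '\r?\n'

$sampleTemplates = @'
User: User -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Access is denied.
Machine: Computer -- Auto-Enroll
CertUtil: -CATemplates command completed successfully.
'@ -split '\r?\n'

"Config string: $(Get-CAConfigString $sampleDump)"

$rows = @(Get-CATemplateAccess $sampleTemplates)
$rows | Format-Table Template, EnrollDenied, AutoEnrollDenied -AutoSize

$enrollable = @($rows | Where-Object { -not $_.EnrollDenied } | ForEach-Object { $_.Template })
if ($enrollable.Count -eq 0) {
    Write-Warning 'No template is enrollable for this account; review the template ACLs in Active Directory.'
} else {
    "Templates this account can enroll for: $($enrollable -join ', ')"
}
```

On a domain-joined machine, `Test-EnterpriseCA` runs the same parsing against live `certutil` output for every CA that `certutil -dump` lists.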
From: "Charles Yang [MSFT]" on 3 Oct 2005 20:37
HI PG, I am glad to hear that you have resolved the issue finally. Thanks a lot for your effort on this issue. Please feel free to use the SBS newsgroup; you may have more good sharing here. We are glad to be any further assistance. Have a nice day! Best regards, Charles Yang (MSFT) Microsoft CSS Online Newsgroup Support Get Secure! - www.microsoft.com/security
-------------------- | From: "PG" <*@*.*> | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl> <Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl> <Oi6nhtCwFHA.552(a)TK2MSFTNGP12.phx.gbl> <hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl> <uTRYvizwFHA.2076(a)TK2MSFTNGP14.phx.gbl> <hNvuk0zwFHA.580(a)TK2MSFTNGXA01.phx.gbl> | Subject: Re: SBS2003Premium Certification Authority from HELL!!! | Date: Mon, 3 Oct 2005 13:25:35 +0100 | Lines: 1755 | X-Priority: 3 | X-MSMail-Priority: Normal | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | X-RFC2646: Format=Flowed; Original | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 | Message-ID: <OWoBWXByFHA.2312(a)TK2MSFTNGP14.phx.gbl> | Newsgroups: microsoft.public.windows.server.sbs | NNTP-Posting-Host: 62.48.233.71 | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:158210 | X-Tomcat-NG: microsoft.public.windows.server.sbs | | Hi Charles, | | Just wanted to say that I finally fixed the problem thanks to your help. | I reinstalled the CA with the indications you gave bellow: | | "3. If the issue still exists, please follow the steps to reinstall the CA | server: | | A. Opened regedit and went to HKLM\system\CCS\services and deleted the | certsrv key | B. Opened the file system and deleted c:\winnt\system32\certserv folder and | contents | C. Opened up AD sites and services and deleted and in services\public key | services | | Please deleted all the contents of the containers leaving the empty | containers with the exception of the templates container. 
Note, please | perform a backup for registry." | | And all the templates have the correct permissions now, the error messages | no longer show, and I can now request certificates from this CA without any | problem. | | Thanks for all your help... | | | | | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message | news:hNvuk0zwFHA.580(a)TK2MSFTNGXA01.phx.gbl... | > HI PG, | > | > It should be a so wired issue, if the issue is urgent it is your best | > interest to call CSS for supporter. I have also made research on this | > issue | > and also get some steps which might be helpful to you: | > | > 1. Make the certutil command that is part of Windows Server 2003 server | > available to your client computer. | > 2. Make sure that you are able to reach an enterprise CA. Calling certutil | > -dump shows all Enterprise CAs in your forest. You can also try to ping a | > specific CA with certutil -config [Machine\CAName] -ping | > Replace [Machine\CAName] with the "Config:" row from the certutil -dump | > output. | > 3. To verify template permissions, run the following command at your | > client: certutil -config [Machine\CAName] -catemplates | > The command-output shows a list of certificate templates that are attached | > to a specific CA. Make sure that you have at least for one certificate | > permissions. | > 4. Make sure that at least one of the certificate templates where you have | > enrollment permissions has set the option "Supply in the request" in the | > certificates template Subject Name tab. If you have permissions on a | > certificate but the Subject name is not built from Active Directory, your | > certificate request will fail. | > 5. Your client might not be able to verify the CA certificates validity. | > To | > check the CA certificate you must make the CA certificate available to | > your | > client computer. 
Perform the following command at your client: | > certutil -verify -URLfetch [CAcertificate] | > | > Replace CAcertificate with the filename of the CA certificate. Make sure | > that the CA certificate is verified successfully. | > | > Then try to repeat your steps to see if the issue can be clear, in | > addition | > please also make sure that your Enterprise AD did not belong to domain | > guest member group. | > | > Hope the above information helpful. I am sorry for any inconvenience on | > this issue. | > | > | > | > Best regards, | > | > Charles Yang (MSFT) | > | > Microsoft CSS Online Newsgroup Support | > | > Get Secure! - www.microsoft.com/security | > | > ====================================================== | > This newsgroup only focuses on SBS technical issues. If you have issues | > regarding other Microsoft products, you'd better post in the corresponding | > newsgroups so that they can be resolved in an efficient and timely manner. | > You can locate the newsgroup here: | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | > When opening a new thread via the web interface, we recommend you check | > the | > "Notify me of replies" box to receive e-mail notifications when there are | > any updates in your thread. When responding to posts via your newsreader, | > please "Reply to Group" so that others may learn and benefit from your | > issue. | > | > Microsoft engineers can only focus on one issue per thread. Although we | > provide other information for your reference, we recommend you post | > different incidents in different threads to keep the thread clean. In | > doing | > so, it will ensure your issues are resolved in a timely manner. | > | > For urgent issues, you may want to contact Microsoft CSS directly. Please | > check http://support.microsoft.com for regional support phone numbers. | > | > Any input or comments in this thread are highly appreciated. 
| > ====================================================== | > This posting is provided "AS IS" with no warranties, and confers no | > rights. | > | > | > ===================================================== | > When responding to posts, please "Reply to Group" via your newsreader so | > that others may learn and benefit from your issue. | > ===================================================== | > | > This posting is provided "AS IS" with no warranties, and confers no | > rights. | > | > -------------------- | > | From: "PG" <*@*.*> | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> | > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> | > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> | > <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> | > <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> | > <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> | > <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl> | > <Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl> | > <Oi6nhtCwFHA.552(a)TK2MSFTNGP12.phx.gbl> | > <hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl> | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! | > | Date: Tue, 27 Sep 2005 08:52:36 +0100 | > | Lines: 1415 | > | X-Priority: 3 | > | X-MSMail-Priority: Normal | > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830 | > | X-RFC2646: Format=Flowed; Original | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 | > | Message-ID: <uTRYvizwFHA.2076(a)TK2MSFTNGP14.phx.gbl> | > | Newsgroups: microsoft.public.windows.server.sbs | > | NNTP-Posting-Host: 62.48.233.71 | > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl | > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:156751 | > | X-Tomcat-NG: microsoft.public.windows.server.sbs | > | | > | Hi Charles, | > | | > | Yes all the grey templates have permission issues. 
I cant add, or change | > the | > | permissions for those templates. | > | | > | And all my efforts where made has enterprise admin, to try and clear the | > | "access denied" problem... :( | > | | > | I really don't understand what went wrong with this Certification | > Authority. | > | | > | :( | > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message | > | news:hCBwZJjwFHA.3244(a)TK2MSFTNGXA01.phx.gbl... | > | > HI PG, | > | > | > | > From your description, it seems a lot of template has the permission | > | > issue? | > | > Can I assume that all the permission of this grey template encountered | > the | > | > same issue when you try to change the permission and the permission | > the | > | > security section is not correct as I referred to? | > | > | > | > If so, I suggest you make sure that you logon the SBS server with | > | > Enterprise Admin, it seems to be the permission issue, if possible | > please | > | > make sure that you logon via Built-in Enterprise Admin to see if the | > | > problem can be cleared, | > | > | > | > Thanks for your effort. | > | > | > | > | > | > | > | > Best regards, | > | > | > | > Charles Yang (MSFT) | > | > | > | > Microsoft CSS Online Newsgroup Support | > | > | > | > Get Secure! - www.microsoft.com/security | > | > | > | > ====================================================== | > | > This newsgroup only focuses on SBS technical issues. If you have | > issues | > | > regarding other Microsoft products, you'd better post in the | > corresponding | > | > newsgroups so that they can be resolved in an efficient and timely | > manner. | > | > You can locate the newsgroup here: | > | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx | > | > | > | > When opening a new thread via the web interface, we recommend you | > check | > | > the | > | > "Notify me of replies" box to receive e-mail notifications when there | > are | > | > any updates in your thread. 
When responding to posts via your | > newsreader, | > | > please "Reply to Group" so that others may learn and benefit from your | > | > issue. | > | > | > | > Microsoft engineers can only focus on one issue per thread. Although | > we | > | > provide other information for your reference, we recommend you post | > | > different incidents in different threads to keep the thread clean. In | > | > doing | > | > so, it will ensure your issues are resolved in a timely manner. | > | > | > | > For urgent issues, you may want to contact Microsoft CSS directly. | > Please | > | > check http://support.microsoft.com for regional support phone numbers. | > | > | > | > Any input or comments in this thread are highly appreciated. | > | > ====================================================== | > | > This posting is provided "AS IS" with no warranties, and confers no | > | > rights. | > | > | > | > | > | > ===================================================== | > | > When responding to posts, please "Reply to Group" via your newsreader | > so | > | > that others may learn and benefit from your issue. | > | > ===================================================== | > | > | > | > This posting is provided "AS IS" with no warranties, and confers no | > | > rights. | > | > | > | > -------------------- | > | > | From: "PG" <*@*.*> | > | > | References: <#sK5fqquFHA.3688(a)tk2msftngp13.phx.gbl> | > | > <tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl> | > | > <OCcZJ8dvFHA.3080(a)tk2msftngp13.phx.gbl> | > | > <biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl> | > | > <#iTzmgpvFHA.3252(a)TK2MSFTNGP10.phx.gbl> | > | > <MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl> | > | > <u6mrIB1vFHA.4032(a)TK2MSFTNGP15.phx.gbl> | > | > <AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl> | > | > <#yfejE2vFHA.708(a)TK2MSFTNGP10.phx.gbl> | > | > <34gfuxBwFHA.2960(a)TK2MSFTNGXA01.phx.gbl> | > | > <Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl> | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!! 
| > | > | Date: Fri, 23 Sep 2005 11:39:53 +0100
| > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > |
| > | > | Hi Charles,
| > | > |
| > | > | I went to DCOMCNFG and on the Launch permission it was empty, and I added Everyone with (Launch permission---Allow) and in the Access permission it is everyone (Access permission---Allow), so I didn't have to change it.
| > | > | Could not find anything that referred to (Local Activation Remote Activation) or (Local Access Remote Access) as you said. Only (Launch Permission) and (Access Permission).
| > | > |
| > | > | After applying the changes to DCOM I tried to request a certificate, and the same error occurred. Duplicated a Template and still the same error. :(
| > | > | "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory."
| > | > |
| > | > | In response to your question, all the certificates templates, from the pictures I sent you, that are greyed out have permissions issues, and don't let me add or change permissions for those certificates.
| > | > |
| > | > | :(
| > | > |
| > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | news:Hlv7FVCwFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > Hi PG,
| > | > | >
| > | > | > Thanks for updates.
| > | > | >
| > | > | > After making research, I find solutions for you, please refer to the steps below:
| > | > | >
| > | > | > 1. Open DCOMCNFG
| > | > | > 2. Select Component Services
| > | > | >    --- Computers
| > | > | >    ---- My Computer
| > | > | >    ------ Dcom Config
| > | > | >    ---- CertSrv Request
| > | > | > 3. Open properties and verify Security permission for Launch and Activation Permissions (Should be Customize -- Everyone --- Local Activation Remote Activation)
| > | > | >
| > | > | > Access Permissions (Should be Customize - Everyone --- Local Access Remote Access)
| > | > | >
| > | > | > If the issue still exists, please recreate a certificate template to see if the issue can be resolved. You can try to request a certificate via a new template. From your screenshot we found only one of the template you encountered permission issue, can we assume it is the certificate template you use for the certificate?
| > | > | >
| > | > | > Thanks for understanding on this issue, please feel free to post back.
| > | > | >
| > | > | > Best regards,
| > | > | >
| > | > | > Charles Yang (MSFT)
| > | > | >
| > | > | > --------------------
| > | > | > | From: v-chayan(a)online.microsoft.com ("Charles Yang [MSFT]")
| > | > | > | Date: Fri, 23 Sep 2005 08:54:33 GMT
| > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > |
| > | > | > | Hi PG,
| > | > | > |
| > | > | > | Currently, I am performing research on this issue, I will return to you as soon as possible, please understand that it might be some delay due to the weekend.
| > | > | > |
| > | > | > | Thanks for your understanding.
| > | > | > |
| > | > | > | Best regards,
| > | > | > |
| > | > | > | Charles Yang (MSFT)
| > | > | > |
| > | > | > | --------------------
| > | > | > | | From: "PG" <*@*.*>
| > | > | > | | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | | Date: Thu, 22 Sep 2005 11:32:11 +0100
| > | > | > | | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > | |
| > | > | > | | Hi Charles,
| > | > | > | |
| > | > | > | | 1. I sent all the logs you requested to your e-mail.
| > | > | > | |
| > | > | > | | 2. Done that also.
| > | > | > | |
| > | > | > | | 3. No changes done...that I can remember
| > | > | > | |
| > | > | > | | Thanks
| > | > | > | |
| > | > | > | | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | > | | news:AtVfNj1vFHA.780(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > | | > Hi PG,
| > | > | > | | >
| > | > | > | | > After checking your screen shot, we decide to collect more information, as this issue should relate to AD setting:
| > | > | > | | >
| > | > | > | | > 1. Please send me all the event log except the application and system event log that you have already sent to me.
| > | > | > | | > 2. Please also run netdiag -v and dcdiag -v on the SBS server and send the results to me also.
| > | > | > | | > 3. If possible, could you tell us if you have changed any setting on AD or on SBS server, as the screen shot points out that you have some problem in querying user objects on DC.
| > | > | > | | >
| > | > | > | | > I appreciate your effort on this issue.
| > | > | > | | >
| > | > | > | | > Best regards,
| > | > | > | | >
| > | > | > | | > Charles Yang (MSFT)
| > | > | > | | >
| > | > | > | | > --------------------
| > | > | > | | > | From: "PG" <*@*.*>
| > | > | > | | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | | > | Date: Thu, 22 Sep 2005 09:31:33 +0100
| > | > | > | | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > | | > |
| > | > | > | | > | Hi Charles,
| > | > | > | | > |
| > | > | > | | > | I started to go through the points you referred below and on the second point (Permissions settings) everything checked out ok except for the certificates templates permissions again, I'm unable to change permissions on some certificates, but others are ok! I'm sending you some compressed pictures to your e-mail so you can try and see if this is normal, or not.
| > | > | > | | > | I didn't want to continue following your suggestions (to reinstall the CA) before you had a look at the pictures I sent you.
| > | > | > | | > |
| > | > | > | | > | Thanks
| > | > | > | | > | PG
| > | > | > | | > |
| > | > | > | | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | > | | > | news:MQvDERxvFHA.580(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > | | > | > Hi,
| > | > | > | | > | >
| > | > | > | | > | > Thanks for updates.
| > | > | > | | > | >
| > | > | > | | > | > After carefully checking your log, we did not find any related information, please note that it might take some time to do the task.
| > | > | > | | > | >
| > | > | > | | > | > For this issue, I have some suggestions below:
| > | > | > | | > | >
| > | > | > | | > | > Can I assume that you want to set up the SBS 2003 premium as a CA server, so that when user logon to website, they require the certificate, which purpose you want to use for this certificate for VPN issue or for a website? From your log, it seems to be used for IPSec VPN.
| > | > | > | | > | >
| > | > | > | | > | > 1. Please change the website you use for web enrollment's authentication method from anonymous to Windows Authentication.
| > | > | > | | > | > 2. Please refer to the KB article below to check the permission setting for CA, make sure that you have gone through the article to double check it:
| > | > | > | | > | >
| > | > | > | | > | > Q239706 Default Permission Settings for Enterprise Certificate Authority
| > | > | > | | > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US
| > | > | > | | > | >
| > | > | > | | > | > 3. If the issue still exists, please follow the steps to reinstall the CA server:
| > | > | > | | > | >
| > | > | > | | > | > A. Opened regedit and went to HKLM\system\CCS\services and deleted the certsrv key
| > | > | > | | > | > B. Opened the file system and deleted c:\winnt\system32\certserv folder and contents
| > | > | > | | > | > C. Opened up AD sites and services and deleted and in services\public key services
| > | > | > | | > | >
| > | > | > | | > | > Please delete all the contents of the containers leaving the empty containers with the exception of the templates container. Note, please perform a backup for registry.
| > | > | > | | > | >
| > | > | > | | > | > If the issue still exists, you have to refer to the KB article below to change the log level of certificate then reproduce the issue check the event log again.
| > | > | > | | > | >
| > | > | > | | > | > 305018 How to Change the Event Logging Level for Certificate Services
| > | > | > | | > | > http://support.microsoft.com/?id=305018
| > | > | > | | > | >
| > | > | > | | > | > Thanks for your efforts. I will be here waiting for updates.
| > | > | > | | > | >
| > | > | > | | > | > Best regards,
| > | > | > | | > | >
| > | > | > | | > | > Charles Yang (MSFT)
| > | > | > | | > | >
| > | > | > | | > | > --------------------
| > | > | > | | > | > | From: "PG" <*@*.*>
| > | > | > | | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | | > | > | Date: Wed, 21 Sep 2005 11:33:30 +0100
| > | > | > | | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > | | > | > |
| > | > | > | | > | > | I've sent you the logs as you requested Charles...
| > | > | > | | > | > |
| > | > | > | | > | > | Thanks for the help
| > | > | > | | > | > |
| > | > | > | | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | > | | > | > | news:biaXSFkvFHA.3020(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > | | > | > | > Hi PG,
| > | > | > | | > | > | >
| > | > | > | | > | > | > Thanks for updates.
| > | > | > | | > | > | >
| > | > | > | | > | > | > In order to make the issue more clear, could you send me the application log and system event log so that we can isolate the issue more clearly, you can compress the log files and send to my mailbox.
| > | > | > | | > | > | >
| > | > | > | | > | > | > v-chayan(a)microsoft.com
| > | > | > | | > | > | >
| > | > | > | | > | > | > Thanks for your understanding.
| > | > | > | | > | > | >
| > | > | > | | > | > | > Best regards,
| > | > | > | | > | > | >
| > | > | > | | > | > | > Charles Yang (MSFT)
| > | > | > | | > | > | >
| > | > | > | | > | > | > --------------------
| > | > | > | | > | > | > | From: "PG" <*@*.*>
| > | > | > | | > | > | > | Subject: Re: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | | > | > | > | Date: Tue, 20 Sep 2005 13:28:25 +0100
| > | > | > | | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Thanks for your reply Charles
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Responses to your questions follow, and are in line:
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | ""Charles Yang [MSFT]"" <v-chayan(a)online.microsoft.com> wrote in message
| > | > | > | | > | > | > | news:tiIB9hYvFHA.768(a)TK2MSFTNGXA01.phx.gbl...
| > | > | > | | > | > | > | > Hi PG,
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Welcome to SBS newsgroup.
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Issue description:
| > | > | > | | > | > | > | > ================
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > I understand that you encountered some problem when using CA on SBS 2003
| > | > | > | | > | > | > | > premium.
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Analyzing and suggestions:
| > | > | > | | > | > | > | > ================
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Generally speaking, the error you encountered can be caused by many
| > | > | > | | > | > | > | > factors, in order to make the issue more clear, please refer to my
| > | > | > | | > | > | > | > suggestions below to gather more information:
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > 1. If possible, please send me the event log for further research, it
| > | > | > | | > | > | > | > should include more information which can help us determine which kinds of
| > | > | > | | > | > | > | > error you encountered, you can send the log files to my box.
| > | > | > | | > | > | > | > v-chayan(a)microsoft.com.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | There is nothing recorded in the logs, when the errors occur.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 2. Does the issue occur from the client's computer or from the server
| > | > | > | | > | > | > | > side?
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Both! It occurs when I request a certificate from the client and from the
| > | > | > | | > | > | > | server! :( Via Web request or MMC snap-in
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > Let's first check the following:
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > 1. Go to the CA Server, go to Services.msc console, make sure that the
| > | > | > | | > | > | > | > Certificate Service is started.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 2. Open Certificate Authority, make sure that it can be opened.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 3. If you are using Enterprise CA, go to the Certificate Template in the
| > | > | > | | > | > | > | > Certificate Authority, make sure that necessary Certificate Template is
| > | > | > | | > | > | > | > added and listed in the right panel.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 4. On the CA Server, click Start -> Run, type MMC and click OK. Click File
| > | > | > | | > | > | > | > -> Add/Remove Snap-in, click Add button, select Certificate, click Add,
| > | > | > | | > | > | > | > select Computer Account and click next.
| > | > | > | | > | > | > | > Select Local Computer, click Finish and then Close.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 5. Expand the Certificate (Local Computer)\Personal\Certificate, check if
| > | > | > | | > | > | > | > the Root certificate exists. Its 'issued by' and 'issued to' should be
| > | > | > | | > | > | > | > itself. Then please check if the root certificate is still alive. If it is
| > | > | > | | > | > | > | > expired, right click the Certificate, select All Tasks -> Renew
| > | > | > | | > | > | > | > Certificate with Same Key. Then renew the user certificate and let me know
| > | > | > | | > | > | > | > how everything is going.
| > | > | > | | > | > | > | > NOTE: Please check the Certificate Authority to make sure that these
| > | > | > | | > | > | > | > client certificates are not revoked before you renew the certificate.
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > If the issue still exists, please check if the CA computer where you start
| > | > | > | | > | > | > | > the Certificate Web Enrollment from is set to trust for delegation. To do
| > | > | > | | > | > | > | > so:
| > | > | > | | > | > | > | > 1. Log on as a domain administrator or equivalent account.
| > | > | > | | > | > | > | > 2. Click Start, point to Programs, point to Administrative Tools, and then
| > | > | > | | > | > | > | > click "Active Directory Users and Computers".
| > | > | > | | > | > | > | > 3. In the left pane, locate the container or organizational unit (OU) on
| > | > | > | | > | > | > | > which you want to enable delegation.
| > | > | > | | > | > | > | > 4. Right-click the computer account name, and then click Properties.
| > | > | > | | > | > | > | > 5. On the General tab, click Trust computer for delegation.
| > | > | > | | > | > | > | > 6. Click OK.
| > | > | > | | > | > | > | > 7. Quit Active Directory Users and Computers.
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > For more info, please refer to:
| > | > | > | | > | > | > | > 300867 Error Message: The Certification Authority Service Has Not Been
| > | > | > | | > | > | > | > Started
| > | > | > | | > | > | > | > http://support.microsoft.com/?id=300867
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | The certificate is alive until 16/9/2010! So I didn't renew it.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > This issue may also occur if the Domain Users group on the child domain
| > | > | > | | > | > | > | > does not have the right to enroll a user template. To have a check:
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > 1. Logon to CA Server as Enterprise Administrator
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 2. Click Start, click Programs, click Administrative Tools, and then click
| > | > | > | | > | > | > | > the "Active Directory Sites and Services" snap-in.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 3. In MMC, right-click the "Active Directory Sites and Services" snap-in,
| > | > | > | | > | > | > | > click View, and then click "Show Services Mode". This allows you to view
| > | > | > | | > | > | > | > the Services folder, which is hidden from view by default.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 4. From the "Active Directory Sites and Services" snap-in, click Services,
| > | > | > | | > | > | > | > click Public Key Services, and then click Certificate Templates. This
| > | > | > | | > | > | > | > reveals the complete list of published certificate templates in Active
| > | > | > | | > | > | > | > Directory.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 5. Double-click the User certificate template to view the properties.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Check
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 6. On the Security tab, click Add to add the Domain Users group to the
| > | > | > | | > | > | > | > list.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | The group domain users wasn't there so I added it
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 7. For the Domain Users group, select the Read and Enroll rights.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | When I tried to apply the changes it gave the following error:
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | "Unable to save permission changes on
| > | > | > | | > | > | > | LDAP://SBS2003PDC.CONTIMETRA.LOCAL/CN=USER,CN=CERTIFICATE TEMPLATES,CN=PUBLIC KEY SERVICES,CN=SERVICES,CN=CONFIGURATION,DC=CONTIMETRA,DC=LOCAL
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | ACCESS IS DENIED"
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > 8. Restart the computer.
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | Didn't do it because no changes were made!
| > | > | > | | > | > | > |
| > | > | > | | > | > | > | > For more info, please refer to:
| > | > | > | | > | > | > | > 271861 Windows Cannot Find a Certificate Authority That Processes the
| > | > | > | | > | > | > | > Request
| > | > | > | | > | > | > | > http://support.microsoft.com/?id=271861
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > NOTE: Request from MMC only works if it is an Enterprise CA. To stand alone
| > | > | > | | > | > | > | > CA, you must request certificate by WEB.
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > I appreciate your understanding and please paste your results at your
| > | > | > | | > | > | > | > convenience. It is important for us to isolate the issue. I am glad to
| > | > | > | | > | > | > | > help you.
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Best regards,
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Charles Yang (MSFT)
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Microsoft CSS Online Newsgroup Support
| > | > | > | | > | > | > | >
| > | > | > | | > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | | > | > | > | > --------------------
| > | > | > | | > | > | > | > | From: "PG" <*@*.*>
| > | > | > | | > | > | > | > | Subject: SBS2003Premium Certification Authority from HELL!!!
| > | > | > | | > | > | > | > | Date: Fri, 16 Sep 2005 11:35:46 +0100
| > | > | > | | > | > | > | > | Newsgroups: microsoft.public.windows.server.sbs
| > | > | > | | > | > | > | > | Path: