PKI - issuing certificates from Sub Ent CA

-

we have 2-tier window 2008 server pki.  root ca standalone subordinate enterprise ca issuing certs. 

configured:  1. duplicated user template, given correct permission auto enrollment. added email address on user account.
                   2. published new user template.
                   3. configured new gpo, link enabled ou.
              

objective:    enable user cert auto enrollment
                

problem..

1. ) enabled enhanced logging on workstations.  error message, "automatic certificate enrollment could not find certificate authorities in enterprise .  enrollment not performed:.  seems me workstation not requesting certs.


looking @ error code, denied requests due several different reasons not consistent single error.  suspect problem caused permission issue or crl validation.    i'm think reinstalling windows 2008  sub-enterprise ca.

how or steps take valid?  saw utility certutil -?

appreciate help.

hi,

windows xp sp3 has added support of sha256.

sha-2 support on windows xp
http://blogs.msdn.com/alejacma/archive/2009/01/23/sha-2-support-on-windows-xp.aspx

regarding reinstall ca, please refer following kb article.

how decommission windows enterprise certification authority , how remove related objects windows server 2003 , windows server 2000
http://support.microsoft.com/kb/889250

in windows server 2003, "enterprise root ca" option not available when try install certificate services component
http://support.microsoft.com/kb/938613

for reference: 
certificate services best practices
http://technet.microsoft.com/en-us/library/cc738786(ws.10).aspx

thanks.

this posting provided "as is" no warranties, , confers no rights.


Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more