beplas

Several Certificate templates missing on the certsrv request drop down

Hi,
I am running Windows Server 2003, with IIS as my web server. I just installed an Enterprise CA root but am having a problem viewing all certificates on the web site. I type http://localhost/certsrv and see everything fine but when I select to request a certificate template, it only shows Basic EFS and a User certificate. All others are not shown.

My goal is to request a web server certificate and IPSEC certificates. When I pull up the Certified Authority mmc and select certificate templates, all templates are listed including the web server. But I cannot see it on the request web page. If I go to manage the certificate templates, the minimum supported CA for both IPSEC and web server certificates is Windows 2000. I don't want to modify the certificate templates in any way so the templates will still be v1 templates, and should be usable on a non-enterprise version of Server 2003.

If I add all templates (as a test) to be issued, only user, basic EFS, user signature only, and authenticated session templates are available.

How do I make standard v1 templates available to the web request pages?

Cheers
Paul
merowinger

Have you issued a Web Server certificate into your Certificate Authority?
To do this:
Start->Run->certsrv.msc
In your CA, expand the CA name and right-click Certificate Templates
-> New -> Certificate Template to Issue -> then choose Web Server
And submit it.
Ah, you already tried that!
I'll go on looking...
beplas

ASKER

Hi Merowinger,
Yes, I have issued all available certificate templates.
beplas

ASKER

Hi Merowinger,
I have seen that solution before.

This is the second CA I have installed into this domain. The last one was removed due to hard drive failure, but that was running Server 2003 Standard, and that could issue IPSEC and web certificates without problem.

Cheers
Paul
sure it is enterprise or standalone?
ASKER CERTIFIED SOLUTION
merowinger
This solution is only available to members.
beplas

ASKER

Definitely standard edition.
beplas

ASKER

Yes, authenticated user has enroll rights. As a test, I also added the 'everyone' group, and gave it fill control, but still it did not show on the web server.
beplas

ASKER

Sorry, that should have been 'full control' not 'fill control' :)
Hmmm, you could try requesting this certificate manually!
On the web server...
Start->Run->mmc->File->Add/Remove Snap-in->Add->Certificates->
Computer Account->Finish

In the mmc console, expand Certificates (Local Computer) -> expand Personal -> then right-click Certificates -> All Tasks -> Request New Certificate

What happens?
beplas

ASKER

Requesting the certificate manually for the web server has worked. The main problem is getting remote VPN clients to request IPSEC certificates. Performing this task manually is not an option for the remote clients.
Not sure... could you make sure that you have used the same user account for certsrv as for the mmc request?!?
beplas

ASKER

Well, I managed to sort this one. I loaded Server 2003 Enterprise onto a virtual server so I could create v2 templates. The interesting thing was, the new templates still did not show up. Turns out the 'Domain Users' group needs enroll rights to the template; by default the IPSEC template did not have 'Domain Users' on the security page.
beplas

ASKER

Thanks for your help on this, merowinger.

cheers
Paul
FYI... the reason you had to add allow Enroll permissions to the Domain Users group was that your Certsrv site on your CA allows anonymous access - thus when you logged in to perform the enroll, you were logging in as the IUSR_SERVERNAME user.

To get access to the rest of the templates that your user should have access to, simply perform the following in IIS Manager on your CA server:
Expand site, right-click on certsrv, click properties
Select Directory Security Tab
Click Edit next to Authentication and Access Control
Uncheck Enable Anonymous Access
Check Integrated Windows Authentication. Click OK, then click OK.

You must ensure your user has Enroll access under the Security tab on the certificate templates (certtmpl.msc).

Cheers.