Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Custom Template not listed on the Certification Authority 's Enable Certificate Templates

Posted on 2004-08-25
15
Medium Priority
?
3,448 Views
Last Modified: 2012-08-14
Hi ppl:

I'm having a bit of a problem with my Enterprise Certification Authority(CA). I was following the instructions found on:
http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm but I'm stuck on the part where I'm going to add the newly created template to the Certification Authority. When I do the "Certificate Template to issue" command that brings up the Enable Certificate Template dialog, the template is not there. I read that time must be allowed for the object to replicate through AD, I gave the server about 9 hours for it to replicate and still wasn't there. I also checked the domain replication with the ADSIEdit MMC Snap-in on the three DC's and the template was replicated as supposed. All DC's are Windows 2003 Server Standard Edition.

Pleaseeeeee?

Thanks,
Virgilio
0
Comment
Question by:vmelendez
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 4

Expert Comment

by:ehammersley
ID: 11897307
When you duplicate the "User" template as per your doc it will create a v2 template for issue.  Windows 2003 Server Standard cannot and will not issue duplicated v2 certs.  That's why you don't see the template in the list for Certs to issue.  You can verify this by checking the Minimum Support CAs column in the Certificate Template snap-in, it will like Windows 2003 Server, Enterprise Edition.
0
 
LVL 4

Expert Comment

by:ehammersley
ID: 11897788
it will like... sorry about that.

Your newly created template will state Windows 2003 Server, Enterprise Edition in the Min. Supported CAs column.  I'm not sure what the point was of Microsoft limiting Standard edition like this but they did.
0
 

Author Comment

by:vmelendez
ID: 11898907
Whew!!
Is there any way that I could replicate the User Template with lower Minimum Support CA's? (eg. Windows 2000)? I read that     " Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition."


Right now, the certificate template shows a 101.1 with autoenroll capabilities, FYI

Thanks again
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 4

Accepted Solution

by:
ehammersley earned 2000 total points
ID: 11899023
Whew is right... the documentation is a circus.  Unless the whew was meant for me.  :-)

Basically the article from isasserver.org is walking you through configuring the certificate for autoenrollment.  The problem is that 2003 Standard CA only supports v1 certs, and v1 certs do NOT support autoenrollment.  Autoenrollment and autorenewal are new features of 2003, it wasn't possible to autoenroll user certificates in 2000 server, only computer and EFS.

Where the isaserver.org article fails in my opinion is that they do not tell you that what they are doing is only supported on Enterprise.

There is no way that I'm aware of to duplicate a v1 template in 2003 Standard and keep it at v1.  It's a pain but you will probably just have to manually issue certs for L2TP/IPSec.

Check out this link for more reading on v1 and v2 certs and 2003 Standard vs. Enterprise.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ctcon_concepts_using.asp
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12688758
ehammersley is correct on availible on enterprise edition I found out the hard way
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12688760
Version 2 certificate templatesWindows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.
Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13120329
Can I ask why delete as there are two valid answers here !!!!, where both are correct
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13121047
I am yet to recommend anything yet. The post is for you to suggest what you think is a valid answer. State your case, I will then make a recommendation and a mod will then action it.

Just saying "there are two valid answers" doesn't help me at all.

0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13121082
Well in that case then ehammersley  was the first correct answer
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13121110
thanks - in a few days I will make a formal recommendation, unless there are any other expert comments.

0
 
LVL 4

Expert Comment

by:ehammersley
ID: 13121128
I just re-read this myself and I agree with Blackduke77.  Thanks for speaking up on this BD77, I appreciate that.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13130626
NP Glad to do my bit
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
Screencast - Getting to Know the Pipeline

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question