Solved

Custom Template not listed on the Certification Authority 's Enable Certificate Templates

Posted on 2004-08-25
15
3,267 Views
Last Modified: 2012-08-14
Hi ppl:

I'm having a bit of a problem with my Enterprise Certification Authority(CA). I was following the instructions found on:
http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm but I'm stuck on the part where I'm going to add the newly created template to the Certification Authority. When I do the "Certificate Template to issue" command that brings up the Enable Certificate Template dialog, the template is not there. I read that time must be allowed for the object to replicate through AD, I gave the server about 9 hours for it to replicate and still wasn't there. I also checked the domain replication with the ADSIEdit MMC Snap-in on the three DC's and the template was replicated as supposed. All DC's are Windows 2003 Server Standard Edition.

Pleaseeeeee?

Thanks,
Virgilio
0
Comment
Question by:vmelendez
  • 5
  • 4
  • 2
  • +1
15 Comments
 
LVL 4

Expert Comment

by:ehammersley
ID: 11897307
When you duplicate the "User" template as per your doc it will create a v2 template for issue.  Windows 2003 Server Standard cannot and will not issue duplicated v2 certs.  That's why you don't see the template in the list for Certs to issue.  You can verify this by checking the Minimum Support CAs column in the Certificate Template snap-in, it will like Windows 2003 Server, Enterprise Edition.
0
 
LVL 4

Expert Comment

by:ehammersley
ID: 11897788
it will like... sorry about that.

Your newly created template will state Windows 2003 Server, Enterprise Edition in the Min. Supported CAs column.  I'm not sure what the point was of Microsoft limiting Standard edition like this but they did.
0
 

Author Comment

by:vmelendez
ID: 11898907
Whew!!
Is there any way that I could replicate the User Template with lower Minimum Support CA's? (eg. Windows 2000)? I read that     " Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition."


Right now, the certificate template shows a 101.1 with autoenroll capabilities, FYI

Thanks again
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 4

Accepted Solution

by:
ehammersley earned 500 total points
ID: 11899023
Whew is right... the documentation is a circus.  Unless the whew was meant for me.  :-)

Basically the article from isasserver.org is walking you through configuring the certificate for autoenrollment.  The problem is that 2003 Standard CA only supports v1 certs, and v1 certs do NOT support autoenrollment.  Autoenrollment and autorenewal are new features of 2003, it wasn't possible to autoenroll user certificates in 2000 server, only computer and EFS.

Where the isaserver.org article fails in my opinion is that they do not tell you that what they are doing is only supported on Enterprise.

There is no way that I'm aware of to duplicate a v1 template in 2003 Standard and keep it at v1.  It's a pain but you will probably just have to manually issue certs for L2TP/IPSec.

Check out this link for more reading on v1 and v2 certs and 2003 Standard vs. Enterprise.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ctcon_concepts_using.asp
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12688758
ehammersley is correct on availible on enterprise edition I found out the hard way
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12688760
Version 2 certificate templatesWindows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.
Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13120329
Can I ask why delete as there are two valid answers here !!!!, where both are correct
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13121047
I am yet to recommend anything yet. The post is for you to suggest what you think is a valid answer. State your case, I will then make a recommendation and a mod will then action it.

Just saying "there are two valid answers" doesn't help me at all.

0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13121082
Well in that case then ehammersley  was the first correct answer
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13121110
thanks - in a few days I will make a formal recommendation, unless there are any other expert comments.

0
 
LVL 4

Expert Comment

by:ehammersley
ID: 13121128
I just re-read this myself and I agree with Blackduke77.  Thanks for speaking up on this BD77, I appreciate that.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13130626
NP Glad to do my bit
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question