Custom Template not listed on the Certification Authority's Enable Certificate Templates

Posted on 2004-08-25
Last Modified: 2012-08-14
Hi ppl:

I'm having a bit of a problem with my Enterprise Certification Authority (CA). I was following the instructions found on http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm but I'm stuck on the part where I'm going to add the newly created template to the Certification Authority. When I do the "Certificate Template to issue" command that brings up the Enable Certificate Template dialog, the template is not there. I read that time must be allowed for the object to replicate through AD; I gave the server about 9 hours for it to replicate and it still wasn't there. I also checked the domain replication with the ADSIEdit MMC Snap-in on the three DCs and the template was replicated as supposed. All DCs are Windows 2003 Server Standard Edition.

Pleaseeeeee?

Thanks,
Virgilio
Question by:vmelendez
15 Comments
 
LVL 4

Expert Comment

by:ehammersley
ID: 11897307
When you duplicate the "User" template as per your doc it will create a v2 template for issue.  Windows 2003 Server Standard cannot and will not issue duplicated v2 certs.  That's why you don't see the template in the list for Certs to issue.  You can verify this by checking the Minimum Support CAs column in the Certificate Template snap-in, it will like Windows 2003 Server, Enterprise Edition.
0
 
LVL 4

Expert Comment

by:ehammersley
ID: 11897788
it will like... sorry about that.

Your newly created template will state Windows 2003 Server, Enterprise Edition in the Min. Supported CAs column.  I'm not sure what the point was of Microsoft limiting Standard edition like this but they did.
0
 

Author Comment

by:vmelendez
ID: 11898907
Whew!!
Is there any way that I could replicate the User Template with lower Minimum Support CA's (e.g. Windows 2000)? I read that "Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition."


Right now, the certificate template shows a 101.1 with autoenroll capabilities, FYI

Thanks again
0
 
LVL 4

Accepted Solution

by:
ehammersley earned 2000 total points
ID: 11899023
Whew is right... the documentation is a circus.  Unless the whew was meant for me.  :-)

Basically the article from isaserver.org is walking you through configuring the certificate for autoenrollment.  The problem is that 2003 Standard CA only supports v1 certs, and v1 certs do NOT support autoenrollment.  Autoenrollment and autorenewal are new features of 2003; it wasn't possible to autoenroll user certificates in 2000 server, only computer and EFS.

Where the isaserver.org article fails in my opinion is that they do not tell you that what they are doing is only supported on Enterprise.

There is no way that I'm aware of to duplicate a v1 template in 2003 Standard and keep it at v1.  It's a pain but you will probably just have to manually issue certs for L2TP/IPSec.

Check out this link for more reading on v1 and v2 certs and 2003 Standard vs. Enterprise.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ctcon_concepts_using.asp
0
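The same check can be made against the directory rather than the snap-in column. The following is an added example, not code from this thread or from the linked article: it reads an LDIF export of the Certificate Templates container and flags templates that, per the answer above, a 2003 Standard Edition CA will not offer. The sample LDIF, the domain and the template name are constructed; the attribute names are the AD ones (`revision`, `msPKI-Template-Minor-Revision`, `msPKI-Template-Schema-Version`), and treating a missing schema version as v1 is an assumption.

```python
import re

# Constructed sample in the shape of an LDIF export of the Certificate
# Templates container; DC=example,DC=test and the second template are placeholders.
SAMPLE_LDIF = """\
dn: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,
 CN=Configuration,DC=example,DC=test
displayName: User
revision: 3
msPKI-Template-Minor-Revision: 1
msPKI-Template-Schema-Version: 1

dn: CN=VPNUserAutoenroll,CN=Certificate Templates,CN=Public Key Services,
 CN=Services,CN=Configuration,DC=example,DC=test
displayName: VPN User Autoenroll
revision: 101
msPKI-Template-Minor-Revision: 1
msPKI-Template-Schema-Version: 2
"""

def parse_ldif(text):
    """Return one dict per entry; unfolds LDIF continuation lines."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    entries = []
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entry.setdefault(key.strip(), value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def classify_templates(text):
    """Map display name -> (version, schema version, issuable by a Standard Edition CA)."""
    result = {}
    for e in parse_ldif(text):
        # Assumption: a template without the schema-version attribute is v1.
        schema = int(e.get("msPKI-Template-Schema-Version", "1"))
        version = "%s.%s" % (e.get("revision", "?"), e.get("msPKI-Template-Minor-Revision", "?"))
        name = e.get("displayName", e["dn"])
        result[name] = (version, schema, schema == 1)
    return result

if __name__ == "__main__":
    for name, info in classify_templates(SAMPLE_LDIF).items():
        print(name, info)
```

A template reported with schema version 2 here corresponds to one showing Enterprise Edition in the Minimum Supported CAs column.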
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12688758
ehammersley is correct on what is available on Enterprise Edition. I found out the hard way.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12688760
Version 2 certificate templates

Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.
Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13120329
Can I ask why delete as there are two valid answers here !!!!, where both are correct
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13121047
I am yet to recommend anything yet. The post is for you to suggest what you think is a valid answer. State your case, I will then make a recommendation and a mod will then action it.

Just saying "there are two valid answers" doesn't help me at all.

0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13121082
Well in that case then ehammersley  was the first correct answer
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 13121110
thanks - in a few days I will make a formal recommendation, unless there are any other expert comments.

0
 
LVL 4

Expert Comment

by:ehammersley
ID: 13121128
I just re-read this myself and I agree with Blackduke77.  Thanks for speaking up on this BD77, I appreciate that.
0
 
LVL 1

Expert Comment

by:Blackduke77
ID: 13130626
NP Glad to do my bit
0
