Solved

Access denied error when using IIS Certificate Wizard to renew Thawte certificate

Posted on 2008-06-26
8
3,583 Views
Last Modified: 2012-08-14
I currently have an SSL123 Thawte certificate on my Exchange server. It is set to expire soon, so I'm trying to renew it. I am using the IIS 6 Certificate Wizard to create the new Certificate Signing Request (CSR). When I get to the last screen with the summary of information that will be used and click next I get an error that says "Access is Denied."

I am able to remove the current certificate, reinstall the current certificate, but am unable to create a CSR for a new certificate or for a renewal. This happens if I choose to send it directly to Thawte or if I choose to create it in a file and save it to send later.

I've tried this while logged in as a domain administrator and the local administrator.

The only thing that I know of that has changed is that we had a domain controller that was our organization's CA crash. We haven't been able to restore it. We have other domain controllers, so that wasn't a big deal, but it was our only CA. Is this something that could be related?

There aren't any error messages in the event log.

Thanks,

Andrew
0
Comment
Question by:NCTETech
  • 4
  • 4
8 Comments
 
LVL 37

Expert Comment

by:meverest
Comment Utility
why do you want to generate a CSR for a renewal?  You should be able to just buy a cert with the new expiry date?

Cheers.
0
 

Author Comment

by:NCTETech
Comment Utility
I thought that was how I remembered doing it in the past, but when I go to Thawte and choose to renew the certificate it tells me that I have to generate a new CSR.
0
 
LVL 37

Expert Comment

by:meverest
Comment Utility
umm, yes - sorry I was thinking something completely different.

did you follow the certificat /renew/ wizard on the IIS? (i.e. not /create/ cert)

Cheers.
0
 

Author Comment

by:NCTETech
Comment Utility
Yes, followed the renew wizard and everything looked fine until I got to the end. It presents the summary and when you press finish it should write a file called certreq.txt that has the CSR, but when I click finish, the wizard displays "access denied" instead of saying that the wizard was completed successfully.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 37

Expert Comment

by:meverest
Comment Utility
Hi,

during the process you should be able to choose where to save the request file - make sure that the location selected can be written to by everyone.

Cheers,
0
 

Author Comment

by:NCTETech
Comment Utility
Yeah, I've tried multiple locations. I've even created a new file called certreq.txt manually in several locations without an error, but still receive this error. I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 500 total points
Comment Utility
>> I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?

I just created one on my local server and the file came out with my user account as 'owner' - I tried to remove all rights to that folder except administrator, then saved again.

I got the access denied error (as expected) but got it when actually selecting the file path, not at the end.  When I just entered the path in the file dialog instead of using the browse function, the process completed without any error message - just that the file wasn't actually created.

So it seems that your issue is not one of permissions on the destination folder, but something else.

I suspect that the process is attemtping to open up some crypto library and /that/ is where access is failing.  I reckon that your best bet is to use some kinf of file monitor (look for 'filemon' with a search engine) and then analyse what file access is failing on.

Alternatively, you can enable audit on the entire system drive for all users and then look at the security log in the event viewer for failed access events.

Cheers.
0
 

Accepted Solution

by:
NCTETech earned 0 total points
Comment Utility
Found this solution on a MS site and it worked for me.

Go to c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys

Go to properties - security, click on advanced.

Select the administrators group (which should have full access already), and change the setting from "this folder only" to "this folder, subfolder and files".

After that the certificate requests suddenly worked.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) (http://technet.microsoft.com/en-us/library/cc758834(WS.10).aspx) is a much better solution when you need to p…
What is an ISAPI filter?   •      It's an assembly (.dll file) that can add or change the way IIS works.   •      They can be enabled globally for your web server or on a site-by-site basis.   When the IIS server receives a request, enabling the ISAPI fi…
This video discusses moving either the default database or any database to a new volume.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now