Solved

Access denied error when using IIS Certificate Wizard to renew Thawte certificate

Posted on 2008-06-26
8
3,612 Views
Last Modified: 2012-08-14
I currently have an SSL123 Thawte certificate on my Exchange server. It is set to expire soon, so I'm trying to renew it. I am using the IIS 6 Certificate Wizard to create the new Certificate Signing Request (CSR). When I get to the last screen with the summary of information that will be used and click next I get an error that says "Access is Denied."

I am able to remove the current certificate, reinstall the current certificate, but am unable to create a CSR for a new certificate or for a renewal. This happens if I choose to send it directly to Thawte or if I choose to create it in a file and save it to send later.

I've tried this while logged in as a domain administrator and the local administrator.

The only thing that I know of that has changed is that we had a domain controller that was our organization's CA crash. We haven't been able to restore it. We have other domain controllers, so that wasn't a big deal, but it was our only CA. Is this something that could be related?

There aren't any error messages in the event log.

Thanks,

Andrew
0
Comment
Question by:NCTETech
  • 4
  • 4
8 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 21881196
why do you want to generate a CSR for a renewal?  You should be able to just buy a cert with the new expiry date?

Cheers.
0
 

Author Comment

by:NCTETech
ID: 21883001
I thought that was how I remembered doing it in the past, but when I go to Thawte and choose to renew the certificate it tells me that I have to generate a new CSR.
0
 
LVL 37

Expert Comment

by:meverest
ID: 21889155
umm, yes - sorry I was thinking something completely different.

did you follow the certificat /renew/ wizard on the IIS? (i.e. not /create/ cert)

Cheers.
0
 

Author Comment

by:NCTETech
ID: 21891198
Yes, followed the renew wizard and everything looked fine until I got to the end. It presents the summary and when you press finish it should write a file called certreq.txt that has the CSR, but when I click finish, the wizard displays "access denied" instead of saying that the wizard was completed successfully.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 37

Expert Comment

by:meverest
ID: 21892467
Hi,

during the process you should be able to choose where to save the request file - make sure that the location selected can be written to by everyone.

Cheers,
0
 

Author Comment

by:NCTETech
ID: 21892587
Yeah, I've tried multiple locations. I've even created a new file called certreq.txt manually in several locations without an error, but still receive this error. I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 500 total points
ID: 21892653
>> I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?

I just created one on my local server and the file came out with my user account as 'owner' - I tried to remove all rights to that folder except administrator, then saved again.

I got the access denied error (as expected) but got it when actually selecting the file path, not at the end.  When I just entered the path in the file dialog instead of using the browse function, the process completed without any error message - just that the file wasn't actually created.

So it seems that your issue is not one of permissions on the destination folder, but something else.

I suspect that the process is attemtping to open up some crypto library and /that/ is where access is failing.  I reckon that your best bet is to use some kinf of file monitor (look for 'filemon' with a search engine) and then analyse what file access is failing on.

Alternatively, you can enable audit on the entire system drive for all users and then look at the security log in the event viewer for failed access events.

Cheers.
0
 

Accepted Solution

by:
NCTETech earned 0 total points
ID: 21903351
Found this solution on a MS site and it worked for me.

Go to c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys

Go to properties - security, click on advanced.

Select the administrators group (which should have full access already), and change the setting from "this folder only" to "this folder, subfolder and files".

After that the certificate requests suddenly worked.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now