Solved

Requesting Certificate from http://host/certsrv

Posted on 2010-09-02
Last Modified: 2013-12-04
I am trying to request a certificate by going to http://[hostname]/certsrv. I will click on "Request certificate" and then "submit an advanced request certificate request." Next I select "Create and submit a request to this CA." Every time I get an error. The CA does show a failed request with a status code "The parameter is incorrect. 0x80070057 (WIN32:87)." In Event Viewer, the Application logs show Event 96 and Event 77. Event 77 is listed for the following templates: Workstation; CAExchange; CrossCA; DirectoryEmailReplication; DomainControllerAuthentication; KeyRecoveryAgent; RASAndIASServer. If I remove these templates then Event 77 will not show up. Each of these templates is V2.

*********************************************************************************************
Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 96
Date:  9/2/2010
Time:  10:36:16 AM
User:  N/A
Computer: SERVERNAME

Description:
Certificate Services could not create an encryption certificate.  Requested by DOMAIN\USERNAME.  The parameter is incorrect. 0x80070057 (WIN32: 87).

**************************************************************
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 77
Date:  9/2/2010
Time:  10:35:57 AM
User:  N/A
Computer: SERVERNAME
The "Windows default" Policy Module logged the following warning: The Workstation Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168).

 **********************************************************************************
Not sure if it is related, but I am seeing a DCOM error as well. See the message below.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date:  9/2/2010
Time:  10:12:17 AM
User:  domain\username
Computer: servername
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D99E6E73-FC88-11D0-B498-00A0C90312F3} to the user domain\username SID (S-1-5-21-1659004503-884357618-725345543-27800).  This security permission can be modified using the Component Services administrative tool.

**********************************************************************************************

For the CA I am using Win 2K3 Enterprise SP2 R2. The client requesting the cert is XP Pro. The DC's are 2003 using a 2003 schema.

Please help!
Question by:MountyTech
11 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Do you need to request a certificate for EFS?

Author Comment

by:MountyTech
No, I am trying to get a computer cert using the advanced option from http://hostname/certsrv > Request a Certificate > advanced certificate request > Create and submit a request to this CA. I can see that it is trying to use a CAExchange certificate template. See the attached screenshots.

Thanks
1.JPG
2.JPG
3.JPG
4.JPG
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Could you take a print screen of that template and its details, please? Did you try to request a certificate from another workstation/user?

Author Comment

by:MountyTech
Thanks iSiek.

I attached a screenshot of the certificate below. Yes, I have tried from other users and workstations and see the same errors.

Thank you,
CA-Exchange.JPG

Author Comment

by:MountyTech
Since the CAExchange certificate template is v2, do I need to create a duplicate of this cert before using?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
Yes, you should duplicate it. Template should be raised to Windows 2003 level.

Author Comment

by:MountyTech
I am not sure I follow you. How would I go about raising the template to Windows 2003 level? I am using Windows Server 2003 Enterprise for the Subordinate.
Thanks,

Author Comment

by:MountyTech
iSiek,
Thank you for the help. I resolved the problem.

The OID container was missing from the schema. (Configuration>Services>Public Key Services>OID). I used adsiedit.msc to create the object. The class is set to msPKI-Enterprise-Oid.

After that was created I had to remove all templates in the CA mmc and within adsiedit under the Certificate Templates container. Go back to the CA mmc and recreate the templates. Once you create the templates, open adsiedit again or refresh the Templates container. Set the permissions on each template as Authenticated User to read & enroll, Domain Admin, Enterprise Admin to Full.

Thank you.
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
You're welcome :) and thanks for feedback. In any new case I would check also that :)

One remark: in the CA Templates console each "gray" certificate is from the Windows 2000 version. When you duplicate these templates you automatically create the Windows 2003 version.
0
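
A read-only way to check the two things this thread turned on: whether the OID container exists under Public Key Services, and which schema version each certificate template carries. This is an added example, not part of the original posts; it assumes a domain-joined machine with PowerShell and read access to the Configuration partition, and the helper function names are hypothetical.

```powershell
# Added example (not from the thread). Reads AD only; changes nothing.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiDN    = "CN=Public Key Services,CN=Services,$configNC"
$oidDN    = "CN=OID,$pkiDN"                     # container the author found missing
$tmplDN   = "CN=Certificate Templates,$pkiDN"

# Hypothetical helper: true if the object can be bound to.
function Test-DirectoryObject([string]$DN) {
    try   { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DN") }
    catch { $false }
}

# Hypothetical helper: one-level search under a container.
function Find-DirectoryObject([string]$BaseDN, [string]$Filter, [string[]]$Properties) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$BaseDN"
    $s.SearchScope = 'OneLevel'
    $s.Filter      = $Filter
    $s.PageSize    = 500
    foreach ($p in $Properties) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

$oidContainerPresent = Test-DirectoryObject $oidDN
"OID container present: $oidContainerPresent  ($oidDN)"

Find-DirectoryObject $tmplDN '(objectClass=pKICertificateTemplate)' `
    'cn','msPKI-Template-Schema-Version','msPKI-Cert-Template-OID' | ForEach-Object {
    $p = $_.Properties   # DirectorySearcher returns attribute names in lower case
    $version = if ($p.Contains('mspki-template-schema-version')) { $p['mspki-template-schema-version'][0] } else { $null }
    $oid     = if ($p.Contains('mspki-cert-template-oid'))       { $p['mspki-cert-template-oid'][0] }       else { $null }

    # A version 2 template carries its own OID; look for the matching
    # msPKI-Enterprise-Oid object under the OID container.
    $registered = $false
    if ($oidContainerPresent -and $oid) {
        $hit = Find-DirectoryObject $oidDN "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$oid))" 'cn'
        $registered = @($hit).Count -gt 0
    }
    New-Object PSObject -Property @{
        Template      = $p['cn'][0]
        SchemaVersion = $version
        TemplateOid   = $oid
        OidRegistered = $registered
    }
} | Sort-Object SchemaVersion, Template |
    Format-Table Template, SchemaVersion, TemplateOid, OidRegistered -AutoSize
```

Templates that report a template OID but `OidRegistered` as False are the ones to compare against the Event 77 list on the CA.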
 

Author Closing Comment

by:MountyTech
That makes sense!
Thanks again for the help iSiek.
I decided to go ahead and give you the points. You helped clarify why I need to duplicate the templates.
 
LVL 39

Expert Comment

by:Krzysztof Pytko
You're welcome. Wish you luck :)