Solved

XP unable to get a machine certificate from domain

Posted on 2010-09-21
6
581 Views
Last Modified: 2013-12-04
I have an XP PC that is unable to get a machine certificate from the domain. All other machines are ok. If I try to request a new certifiacate from the domain, I get the following:

The wizard cannot be started because of one of the following conditions:
-There are no trusted CAs available
-You do not have permissions to request certificates from the available CSs
-The available CAs issue certificates for which you do not have permissions

I have removed the machine from the domain, deleted the machine account, and re added it, but still no certificate.

One thing I have seen is that Extensible Authentication Protocol Service service failed to start. The service did not respond to the start or control request in a timely fashion.

I don't know if this service failed to start because there is no certificate, or if there is no certificate because EAPS failed to start, or if this is unrelated

Any help would be great!

Thanks
Jim
0
Comment
Question by:jimxox
  • 3
  • 3
6 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33725363
Confirm network connectivity to the Certificate Authority server?
Do you have any errors on your Certificate Authority machine?
The other machines in your environment which are okay... are any of them also Windows XP?  (Or just Vista and Win7?)
0
 

Author Comment

by:jimxox
ID: 33725630
I am too low down the food chain in this organisation to be allowed access to the CA server, so am unable to check that.

All machines are XP - our beloved corporate dictators do not allow any modern OS
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33726116
Ah.  Understood.  
I strongly suspect EAP is failing due to the lack of a certificate rather than the reverse.  

Ping the CA to see if it is down.
or If you have another new workstation you can test with, see if the problem repeats on a different machine.  

If this has worked for you in the past, unless someone has made a change on the CA, it's probably not a lack of permissions or not having the right template installed.  Once this is set up, I don't think there are very many moving parts that can break.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:jimxox
ID: 33730132
I can delete and request / renew certificates on other machines, so I can only assume that the issue is with the single laptop and not the CA server, or connectivity to the CA server.
Requested assistance further up the food chain - their response was "rebuild the laptop" - helpful! Laptop's owner's response to that was not repeatable   ;o)

Tried to do some experiments on my own working laptop. EAPS and certificates to do not appear to have a relationship on my PC. Can delete my machine certificate, and EAPS starts / stops no problem. Can also disable EAPS, and can still delete / renew / request certificates - Think the whole EAPS may have just been a red herring!

May try to reinstall SP3 on to XP to see if that has any affect, but to be honest, I am just guessing now
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 33730182
Are there any other error messages showing up in the Event Viewer log?  Especially System and Application?  

There are some conditions under which 'rebuild the laptop' may be the ultimate answer, but lets rule out everything else first.   It's a laptop, so some strange low probability issues may be at play.

Confirm there isn't anything strange in the c:\windows\system32\drivers\etc\hosts file
Confirm ipconfig /all has all the stuff you EXPECT to be there... especially DNS entries.
If your workstations are able to connect to the CA server via http/https -- make certain the laptop does.  (Windows CA frequently have a website available for web enrollment... it will just be useful to make certain the laptop is correctly resolving the CA, and rule out IP connectivity issues.)
Double check the firewall settings to ensure they meet your corporate standards.  Make certain there aren't any non-supported extra firewalls (Zone Alarm, for example) in the way.
0
 

Author Closing Comment

by:jimxox
ID: 33777850
Please award points to Razmus for his help, however have no given up on the issue and decide not to waste any more time on the issue and just rebuild the laptop

Thanks Razmus!
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question