Solved

XP unable to get a machine certificate from domain

Posted on 2010-09-21
Last Modified: 2013-12-04
I have an XP PC that is unable to get a machine certificate from the domain. All other machines are ok. If I try to request a new certificate from the domain, I get the following:

The wizard cannot be started because of one of the following conditions:
-There are no trusted CAs available
-You do not have permissions to request certificates from the available CAs
-The available CAs issue certificates for which you do not have permissions

I have removed the machine from the domain, deleted the machine account, and re added it, but still no certificate.

One thing I have seen is that Extensible Authentication Protocol Service service failed to start. The service did not respond to the start or control request in a timely fashion.

I don't know if this service failed to start because there is no certificate, or if there is no certificate because EAPS failed to start, or if this is unrelated

Any help would be great!

Thanks
Jim
Question by:jimxox

Expert Comment

by:Rich Weissler
ID: 33725363
Confirm network connectivity to the Certificate Authority server?
Do you have any errors on your Certificate Authority machine?
The other machines in your environment which are okay... are any of them also Windows XP?  (Or just Vista and Win7?)

Author Comment

by:jimxox
ID: 33725630
I am too low down the food chain in this organisation to be allowed access to the CA server, so am unable to check that.

All machines are XP - our beloved corporate dictators do not allow any modern OS

Expert Comment

by:Rich Weissler
ID: 33726116
Ah.  Understood.  
I strongly suspect EAP is failing due to the lack of a certificate rather than the reverse.  

Ping the CA to see if it is down.
Or, if you have another new workstation you can test with, see if the problem repeats on a different machine.

If this has worked for you in the past, unless someone has made a change on the CA, it's probably not a lack of permissions or not having the right template installed.  Once this is set up, I don't think there are very many moving parts that can break.

Author Comment

by:jimxox
ID: 33730132
I can delete and request / renew certificates on other machines, so I can only assume that the issue is with the single laptop and not the CA server, or connectivity to the CA server.
Requested assistance further up the food chain - their response was "rebuild the laptop" - helpful! Laptop's owner's response to that was not repeatable   ;o)

Tried to do some experiments on my own working laptop. EAPS and certificates do not appear to have a relationship on my PC. Can delete my machine certificate, and EAPS starts / stops no problem. Can also disable EAPS, and can still delete / renew / request certificates - Think the whole EAPS may have just been a red herring!

May try to reinstall SP3 on to XP to see if that has any effect, but to be honest, I am just guessing now

Accepted Solution

by:Rich Weissler
ID: 33730182
Are there any other error messages showing up in the Event Viewer log?  Especially System and Application?  

There are some conditions under which 'rebuild the laptop' may be the ultimate answer, but let's rule out everything else first.   It's a laptop, so some strange low probability issues may be at play.

Confirm there isn't anything strange in the c:\windows\system32\drivers\etc\hosts file
Confirm ipconfig /all has all the stuff you EXPECT to be there... especially DNS entries.
If your workstations are able to connect to the CA server via http/https -- make certain the laptop does.  (Windows CA frequently have a website available for web enrollment... it will just be useful to make certain the laptop is correctly resolving the CA, and rule out IP connectivity issues.)
Double check the firewall settings to ensure they meet your corporate standards.  Make certain there aren't any non-supported extra firewalls (Zone Alarm, for example) in the way.
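
The hosts-file and DNS checks from the answer above can be run offline against a copy of the laptop's `hosts` file and saved `ipconfig /all` output. This is an added example, not part of the original thread; the CA name `ca01.corp.example`, the addresses and both sample inputs are constructed placeholders.

```python
import re

CA_HOST = "ca01.corp.example"  # hypothetical CA server name (assumption)

# Constructed samples standing in for files copied from the affected laptop.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.9.9.9        ca01.corp.example ca01   # stale entry
"""
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP17

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 10.1.2.34
        DNS Servers . . . . . . . . . . . : 10.1.0.10
                                            10.1.0.11
"""

def hosts_overrides(hosts_text, name):
    """Return (ip, names) for each hosts entry that pins `name` or its short form."""
    wanted = {name.lower(), name.split(".")[0].lower()}
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and wanted & {f.lower() for f in fields[1:]}:
            hits.append((fields[0], fields[1:]))
    return hits

def dns_servers(ipconfig_text):
    """Collect IPv4 DNS server addresses, including indented continuation lines."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
        elif collecting and re.fullmatch(r"\s+[\d.]+\s*", line):
            servers.append(line.strip())
        else:
            collecting = False
    return servers

if __name__ == "__main__":
    print("hosts entries overriding DNS for the CA:", hosts_overrides(SAMPLE_HOSTS, CA_HOST))
    print("DNS servers in use:", dns_servers(SAMPLE_IPCONFIG))
```

Any hit from `hosts_overrides` means the laptop never asks DNS for the CA, and a DNS server list that differs from a working machine's points at the network configuration rather than at certificate permissions.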

Author Closing Comment

by:jimxox
ID: 33777850
Please award points to Razmus for his help, however I have now given up on the issue and decided not to waste any more time on the issue and just rebuild the laptop

Thanks Razmus!