Solved

XP unable to get a machine certificate from domain

Posted on 2010-09-21
Last Modified: 2013-12-04
I have an XP PC that is unable to get a machine certificate from the domain. All other machines are ok. If I try to request a new certificate from the domain, I get the following:

The wizard cannot be started because of one of the following conditions:
-There are no trusted CAs available
-You do not have permissions to request certificates from the available CSs
-The available CAs issue certificates for which you do not have permissions

I have removed the machine from the domain, deleted the machine account, and re-added it, but still no certificate.

One thing I have seen is that Extensible Authentication Protocol Service service failed to start. The service did not respond to the start or control request in a timely fashion.

I don't know if this service failed to start because there is no certificate, or if there is no certificate because EAPS failed to start, or if this is unrelated.

Any help would be great!

Thanks
Jim
Question by:jimxox
LVL 29

Expert Comment

by:Rich Weissler
Confirm network connectivity to the Certificate Authority server?
Do you have any errors on your Certificate Authority machine?
The other machines in your environment which are okay... are any of them also Windows XP?  (Or just Vista and Win7?)

Author Comment

by:jimxox
I am too low down the food chain in this organisation to be allowed access to the CA server, so am unable to check that.

All machines are XP - our beloved corporate dictators do not allow any modern OS
LVL 29

Expert Comment

by:Rich Weissler
Ah.  Understood.  
I strongly suspect EAP is failing due to the lack of a certificate rather than the reverse.  

Ping the CA to see if it is down.
Or, if you have another new workstation you can test with, see if the problem repeats on a different machine.

If this has worked for you in the past, unless someone has made a change on the CA, it's probably not a lack of permissions or not having the right template installed.  Once this is set up, I don't think there are very many moving parts that can break.
Author Comment

by:jimxox
I can delete and request / renew certificates on other machines, so I can only assume that the issue is with the single laptop and not the CA server, or connectivity to the CA server.
Requested assistance further up the food chain - their response was "rebuild the laptop" - helpful! Laptop's owner's response to that was not repeatable   ;o)

Tried to do some experiments on my own working laptop. EAPS and certificates do not appear to have a relationship on my PC. Can delete my machine certificate, and EAPS starts / stops no problem. Can also disable EAPS, and can still delete / renew / request certificates - Think the whole EAPS may have just been a red herring!

May try to reinstall SP3 on to XP to see if that has any effect, but to be honest, I am just guessing now.
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
Are there any other error messages showing up in the Event Viewer log?  Especially System and Application?  

There are some conditions under which 'rebuild the laptop' may be the ultimate answer, but let's rule out everything else first.   It's a laptop, so some strange low probability issues may be at play.

Confirm there isn't anything strange in the c:\windows\system32\drivers\etc\hosts file
Confirm ipconfig /all has all the stuff you EXPECT to be there... especially DNS entries.
If your workstations are able to connect to the CA server via http/https -- make certain the laptop does.  (Windows CA frequently have a website available for web enrollment... it will just be useful to make certain the laptop is correctly resolving the CA, and rule out IP connectivity issues.)
Double check the firewall settings to ensure they meet your corporate standards.  Make certain there aren't any non-supported extra firewalls (Zone Alarm, for example) in the way.
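The checks Rich lists above (and the connectivity question in his first comment) can be run from the workstation in one pass. The script below is an added example, not something posted in this thread; it is written for PowerShell 2.0 using only .NET classes and the XP-era netsh/certutil syntax, so it runs on an XP client. The CA host name and CA common name are placeholders you must replace with your own values.

```powershell
# Added diagnostic script (not from the thread). It runs the checks listed in
# the accepted answer: hosts-file overrides, DNS resolution, TCP/HTTP
# reachability of the CA, local firewall state, and a certutil ping of the CA.
# $CaHost and $CaName are HYPOTHETICAL placeholders, not values from the thread.
param(
    [string]$CaHost = "ca01.corp.example",   # placeholder CA host name
    [string]$CaName = "Corp-Issuing-CA"      # placeholder CA common name
)

function Write-Result($name, $ok, $detail) {
    $tag = if ($ok) { "PASS" } else { "FAIL" }
    Write-Host ("[{0}] {1}: {2}" -f $tag, $name, $detail)
}

# 1. hosts file: any non-comment line naming the CA (FQDN or short name)
#    bypasses DNS and can silently point enrollment at the wrong machine.
$hostsPath = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$shortName = $CaHost.Split('.')[0]
$pattern = "(?i)\b(" + [regex]::Escape($CaHost) + "|" + [regex]::Escape($shortName) + ")\b"
$overrides = @(Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern })
Write-Result "hosts file" ($overrides.Count -eq 0) ("{0} override line(s) for {1}" -f $overrides.Count, $CaHost)
$overrides | ForEach-Object { Write-Host "    $_" }

# 2. DNS: does the CA name resolve, and to which addresses?
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($CaHost) | ForEach-Object { $_.IPAddressToString }
    Write-Result "DNS" $true ($addrs -join ", ")
} catch {
    Write-Result "DNS" $false $_.Exception.Message
}

# 3. TCP reachability. 135 is the RPC endpoint mapper used by DCOM enrollment
#    (the path the MMC wizard takes); 80/443 serve the certsrv web enrollment pages.
foreach ($port in 135, 80, 443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($CaHost, $port)
        Write-Result "TCP $port" $true "connected"
    } catch {
        Write-Result "TCP $port" $false $_.Exception.Message
    } finally {
        $client.Close()
    }
}

# 4. Web enrollment page, using the machine's default credentials. Even an
#    HTTP 401 here proves name resolution and IP connectivity are fine.
$url = "http://$CaHost/certsrv/"
try {
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    Write-Result "HTTP certsrv" $true ("HTTP {0}" -f [int]$resp.StatusCode)
    $resp.Close()
} catch [System.Net.WebException] {
    $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { "no response" }
    Write-Result "HTTP certsrv" ($code -eq 401) ("{0} ({1})" -f $code, $_.Exception.Message)
}

# 5. Windows Firewall state (XP-era netsh syntax). Compare against the corporate
#    standard and look for any extra third-party firewall filtering RPC.
netsh firewall show state

# 6. Ask certutil to contact the CA's RPC interface directly. A failure here with
#    DNS and TCP 135 passing points at DCOM/enrollment permissions or a CA problem.
certutil -config "$CaHost\$CaName" -ping

# 7. List the machine store so you know whether a request is failing or the
#    certificate simply was never issued.
certutil -store my
```

Run it in an elevated PowerShell on the affected laptop and on a known-good XP machine, then diff the two outputs: the first check that differs is where to dig. The hosts-file check deliberately matches the short name as well as the FQDN, because a stale single-label entry is easy to miss when eyeballing the file.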
Author Closing Comment

by:jimxox
Please award points to Razmus for his help; however, I have now given up on the issue and decided not to waste any more time on it and just rebuild the laptop.

Thanks Razmus!