Solved

XP unable to get a machine certificate from domain

Posted on 2010-09-21
582 Views
Last Modified: 2013-12-04
I have an XP PC that is unable to get a machine certificate from the domain. All other machines are OK. If I try to request a new certificate from the domain, I get the following:

The wizard cannot be started because of one of the following conditions:
-There are no trusted CAs available
-You do not have permissions to request certificates from the available CSs
-The available CAs issue certificates for which you do not have permissions

I have removed the machine from the domain, deleted the machine account, and re-added it, but still no certificate.

One thing I have seen is that the Extensible Authentication Protocol Service failed to start: "The service did not respond to the start or control request in a timely fashion."

I don't know if this service failed to start because there is no certificate, or if there is no certificate because EAPS failed to start, or if this is unrelated.

Any help would be great!

Thanks
Jim
Question by:jimxox
6 Comments
LVL 30

Expert Comment

by:Rich Weissler
ID: 33725363
Confirm network connectivity to the Certificate Authority server?
Do you have any errors on your Certificate Authority machine?
The other machines in your environment which are okay... are any of them also Windows XP? (Or just Vista and Win7?)
 

Author Comment

by:jimxox
ID: 33725630
I am too low down the food chain in this organisation to be allowed access to the CA server, so I am unable to check that.

All machines are XP - our beloved corporate dictators do not allow any modern OS.
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 33726116
Ah. Understood.
I strongly suspect EAP is failing due to the lack of a certificate rather than the reverse.

Ping the CA to see if it is down.
Or, if you have another new workstation you can test with, see if the problem repeats on a different machine.

If this has worked for you in the past, unless someone has made a change on the CA, it's probably not a lack of permissions or not having the right template installed. Once this is set up, I don't think there are very many moving parts that can break.

Author Comment

by:jimxox
ID: 33730132
I can delete and request / renew certificates on other machines, so I can only assume that the issue is with the single laptop and not the CA server, or connectivity to the CA server.
Requested assistance further up the food chain - their response was "rebuild the laptop" - helpful! The laptop owner's response to that was not repeatable ;o)

Tried to do some experiments on my own working laptop. EAPS and certificates do not appear to have a relationship on my PC. I can delete my machine certificate, and EAPS starts / stops no problem. I can also disable EAPS and still delete / renew / request certificates - I think the whole EAPS thing may have just been a red herring!

May try to reinstall SP3 onto XP to see if that has any effect, but to be honest, I am just guessing now.
 
LVL 30

Accepted Solution

by:Rich Weissler (earned 500 total points)
ID: 33730182
Are there any other error messages showing up in the Event Viewer log? Especially System and Application?

There are some conditions under which 'rebuild the laptop' may be the ultimate answer, but let's rule out everything else first. It's a laptop, so some strange low-probability issues may be at play.

Confirm there isn't anything strange in the c:\windows\system32\drivers\etc\hosts file.
Confirm ipconfig /all has all the stuff you EXPECT to be there... especially DNS entries.
If your workstations are able to connect to the CA server via http/https -- make certain the laptop does. (Windows CAs frequently have a website available for web enrollment... it will just be useful to make certain the laptop is correctly resolving the CA, and rule out IP connectivity issues.)
Double check the firewall settings to ensure they meet your corporate standards. Make certain there aren't any non-supported extra firewalls (Zone Alarm, for example) in the way.
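The checks in the accepted answer (hosts file, DNS entries, name resolution and reachability of the CA, existing trust and machine certificate) collected into one script that can be run on the affected client. This is an added example, not code from the thread or from Microsoft; the CA host name and CA name are placeholders to replace with your own, and the certutil calls assume the standard certutil.exe shipped with Windows.

```powershell
# Added diagnostic script for a client that cannot enrol a machine certificate.
# PLACEHOLDERS: replace with the real CA host and CA common name for your domain.
param(
    [string]$CaHost = "ca01.corp.example",   # placeholder, not from the thread
    [string]$CaName = "Corp Issuing CA"      # placeholder, not from the thread
)

# 1. hosts file: any active (non-comment) entry can silently override DNS for the CA or a DC.
$hostsPath = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$active = Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }
"Active hosts entries (expect none in a domain-joined client):"
$active

# 2. DNS servers actually in use, equivalent to eyeballing 'ipconfig /all'.
$dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    Select-Object -ExpandProperty DNSServerSearchOrder
"DNS servers in use: $($dns -join ', ')"

# 3. Name resolution of the CA; enrollment cannot start if this fails.
try {
    $ip = ([System.Net.Dns]::GetHostAddresses($CaHost) | Select-Object -First 1).IPAddressToString
    "$CaHost resolves to $ip"
} catch {
    "FAIL: $CaHost does not resolve - check DNS / hosts before anything else"
}

# 4. TCP reachability: 135 (RPC endpoint mapper, used by DCOM enrollment), 80/443 (web enrollment).
foreach ($port in 135, 80, 443) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ok = $client.BeginConnect($CaHost, $port, $null, $null).AsyncWaitHandle.WaitOne(3000)
        $state = if ($ok -and $client.Connected) { "open" } else { "blocked or filtered" }
    } catch { $state = "error: $($_.Exception.Message)" }
    "${CaHost}:$port -> $state"
    $client.Close()
}

# 5. Ask the CA itself over DCOM; a failure here while the ports are open points at
#    permissions on the CA / template rather than at the network.
certutil -config "$CaHost\$CaName" -ping

# 6. Enterprise trust: an issuing CA missing from NTAuth shows up as 'no trusted CAs available'.
certutil -store -enterprise NTAuth

# 7. What is already in the local machine store, and who issued it.
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotAfter
```

Run it from an elevated prompt; each numbered step maps to one check in the answer above, and the first step that fails is where to look.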
 

Author Closing Comment

by:jimxox
ID: 33777850
Please award points to Razmus for his help; however, I have now given up on the issue and decided not to waste any more time on it and just rebuild the laptop.

Thanks Razmus!
