NordCap (asker) asked:
CA WebEnrollment /CertSrv throwing 403.14

We have a Windows 2008 Ent SP2-host running as a CA. The CA part works fine but Web Enrollment just won't work.

When connecting to http://localhost/ it shows the default "Welcome IIS7" page, so I know IIS is running. I am also able to download the crt/crl files in http://localhost/CertSrv/certenroll/. However, when connecting to http://localhost/CertSrv/ I can authenticate but am met with:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.

and:
A default document is not configured for the requested URL, and directory browsing is not enabled on the server.

I have tried...
C:\>certutil -vroot
Web Virtual Root Already Exists
Active Server Pages (ASP) already enabled
File Share Already Exists
CertUtil: -vroot command completed successfully.

...and I can't see anything out of the ordinary regarding the event logs or services.

Any pointers for where to look?
ASKER CERTIFIED SOLUTION
Adam Brown
This solution is only available to members.
NordCap (asker):
I checked the role services for "Active Directory Certificate Services" of which these are installed:
1) Certificate Authority
2) Certificate Authority Web Enrollment

For "Web Server (IIS)" there are 24 role services installed. No events or errors from what I can see. Also, I uninstalled and re-installed "Web Server (IIS)" and the needed Role Services in hopes it would fix the problem.

Regarding C:\Windows\System32\CertSrv\en-US\default.asp: it sure is there, 4359 bytes in size.

How would I proceed now?
Have you verified you are using passthrough authentication? See screenshot.
NordCap (asker):
@Boilermaker85: How do I verify that? I can't seem to find any window resembling the one you've attached.
That is the authentication icon in IIS for the website CertSrv.

By the way, you are doing https://ca/certsrv and trying to obtain what kind of certificate? The templates for each certificate have a security tab which specifies who can web enroll for a particular cert. If you are doing web server requests, you probably need to be domain admin.
Click on the CertSrv site in IIS and then open the Default Document in Features View. Make sure default.asp is listed in there.
Try accessing from another box instead of locally to see if that helps. You may be running into issues with loopback authentication:

http://weblogs.asp.net/andresv/archive/2009/10/29/authentication-problems-in-windows-2008-r2-and-loopback-ip.aspx
http://support.microsoft.com/kb/887993
NordCap (asker):
@Boilermaker86: When looking at Authentication settings for CertSrv I can only see:
Anonymous Authentication: Disabled
Windows Authentication: Enabled, HTTP 401 Challenge

No mention of pass-through as far as I can see. Also, I'm using the domain admin account when logging on to make sure I have sufficient permissions. I've tried both IE and FF, using DOMAIN\Administrator and administrator@domain.local. Makes no difference.


@acbrown2010: Default.asp is listed as the second entry from the top. So yes, it is there.


@Paranormastic: I've tried connecting from a client using the local FQDN as well, the result is the same.
Ok. Let's start at the beginning. Open an MMC. Add the Certificate Authority snap-in for your CA and click on the Certificate Templates folder on the left. Right-click on it and select Manage. Another window will open up with all your templates. Select the template you are trying to web enroll. Let's assume it is the Web Server template. Right-click on the template and choose Properties. On the Security tab click on the user representing you (Domain Admins). In the window below you should have Enroll checked.
Did you create the template that you are trying to enroll? if so perhaps we could go over what you have on the other tabs in the template.
NordCap (asker):
@Boilermaker85: Domain Admins have enroll rights on all templates so I don't see that being an issue. Also, I can never reach the point where I can choose a template to enroll. I can't even see Default.asp, which is connected to IIS rather than the CA-part.
Ok. So it is not a cert template issue; you believe it to be an IIS issue. OK. Let's look at Server Manager, Roles, Web Server, Internet Information Services Manager, expand Sites and Default Web Site. Highlight CertSrv. Double-click Default Document in the /certsrv Home pane. I have Default.asp as the top document, followed by Default.htm, index.htm etc. Do you also have that?
SOLUTION
This solution is only available to members.
NordCap (asker):
Default.asp is not the top one, Default.htm is and the order is inherited by a parent. I did take a look at /CertSrv and there was no Default.asp there. However, there was one in /CertSrv/en-US so I tried connecting to /CertSrv/en-US and it worked as a charm.

I've never had to access the /CertSrv/en-US-directory before. Is this something new or is the redirection for /CertSrv -> /CertSrv/en-US broken?
NordCap (asker):
I solved it by doing a redirect from the root to CertSrv/en-US/.
I don't know why yours has a subdirectory en-US for the default.asp file. Mine is in the /certsrv directory. But your redirect works also.
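The checks the thread walks through by hand (which default documents apply to /CertSrv, whether the file they name actually exists in the application's physical directory, what authentication is on) and the two possible fixes (putting Default.asp first in the list for that application only, or the redirect the asker settled on) can be scripted against appcmd.exe, the IIS 7 command-line tool that ships with Windows Server 2008. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the enrollment application is "Default Web Site/CertSrv" and that appcmd.exe sits at its standard path. The 403.14 itself is IIS failing safe: directory browsing is off, and it should stay off on a CA web enrollment directory, so the script only reads that setting and never enables it.

```powershell
# Added example (not from the thread). Diagnose and fix HTTP 403.14 on /CertSrv
# with appcmd.exe. Assumed (not stated on the page): the app path and appcmd location.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$app    = "Default Web Site/CertSrv"          # assumed application path

# 1. Effective default-document list for this application. The order is inherited
#    from the site unless overridden here; 403.14 means none of these files exist
#    in the application's physical directory (and directory browsing is off).
& $appcmd list config $app /section:defaultDocument
& $appcmd list config $app /section:directoryBrowse   # expect enabled="false"; keep it that way

# 2. Authentication as described in the thread: anonymous off, Windows on.
& $appcmd list config $app /section:anonymousAuthentication
& $appcmd list config $app /section:windowsAuthentication

# 3. Does a file from the default-document list exist where IIS is looking?
$physical = (& $appcmd list vdir "$app/" /text:physicalPath) | Select-Object -First 1
$physical = [Environment]::ExpandEnvironmentVariables($physical)
Write-Host "Physical path of ${app}: $physical"
$present = @()
foreach ($doc in 'Default.asp', 'Default.htm', 'index.htm') {
    $exists = Test-Path (Join-Path $physical $doc)
    Write-Host ("  {0,-12} {1}" -f $doc, $(if ($exists) { 'present' } else { 'MISSING' }))
    if ($exists) { $present += $doc }
}

if ($present -contains 'Default.asp') {
    # 4a. Default.asp is there but masked by an inherited order: override the list
    #     for this application only, writing the override into applicationHost.config
    #     (a <location> entry) rather than a web.config inside %windir%\system32\certsrv.
    & $appcmd set config $app /section:defaultDocument "/-files.[value='Default.asp']" /commit:apphost
    & $appcmd set config $app /section:defaultDocument "/+files.[@start,value='Default.asp']" /commit:apphost
}
elseif (Test-Path (Join-Path $physical 'en-US\Default.asp')) {
    # 4b. The asker's situation: the page lives in the locale subfolder. Redirect
    #     /CertSrv to it. This needs the "HTTP Redirection" role service installed;
    #     childOnly keeps /CertSrv/certenroll/ and other children reachable as-is.
    & $appcmd set config $app /section:httpRedirect /enabled:true `
        /destination:"/CertSrv/en-US/" /childOnly:true /commit:apphost
}
else {
    Write-Host "No default document found under $physical; re-run 'certutil -vroot' or reinstall Web Enrollment."
}
```

Run it in an elevated PowerShell prompt on the CA. Steps 1 to 3 are read-only and are enough to tell which of the two causes in the thread applies; only step 4 changes configuration, and both branches confine the change to the CertSrv application so the site-wide default-document order is untouched.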