Solved

CA WebEnrollment /CertSrv throwing 403.14

Posted on 2010-11-18
12,060 Views
Last Modified: 2012-05-10
We have a Windows 2008 Ent SP2-host running as a CA. The CA part works fine but Web Enrollment just won't work.

When connecting to http://localhost/ it shows the default "Welcome IIS7" page, so I know IIS is running. I am also able to download the crt/crl files in http://localhost/CertSrv/certenroll/. However, when connecting to http://localhost/CertSrv/ I can authenticate but am met with:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.


and:
A default document is not configured for the requested URL, and directory browsing is not enabled on the server.



I have tried...
C:\>certutil -vroot
Web Virtual Root Already Exists
Active Server Pages (ASP) already enabled
File Share Already Exists
CertUtil: -vroot command completed successfully.


...and I can't see anything out of the ordinary regarding the event logs or services.

Any pointers for where to look?
Question by:NordCap
16 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 34191927
First off, check to make sure you have all the Role Services you need installed. Also check to make sure that the default.asp file is located in C:\Windows\System32\CertSrv\en-US. If there is no default.asp file listed in that folder, you probably need to re-install Certificate Services on the server.
0
 

Author Comment

by:NordCap
ID: 34196564
I checked the role services for "Active Directory Certificate Services" of which these are installed:
1) Certificate Authority
2) Certificate Authority Web Enrollment

For "Web Server (IIS)" there are 24 role services installed. No events or errors from what I can see. Also, I uninstalled and re-installed "Web Server (IIS)" and the needed Role Services in hopes it would fix the problem.

Regarding C:\Windows\System32\CertSrv\en-US\default.asp, it sure is there, 4359 bytes in size.

How would I proceed now?
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34196740
Have you verified you are using passthrough authentication? See screen shot "Authentication for Certsrv".
0
 

Author Comment

by:NordCap
ID: 34197015
@Boilermaker85: How do I verify that? I can't seem to find any window resembling the one you've attached.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34198548
That is the authentication icon in IIS for the website Certsrv.  

By the way, you are doing https://ca/certsrv and trying to obtain what kind of certificate? The templates for each certificate have a Security tab which specifies who can web enroll for a particular cert. If you are doing web server requests, you probably need to be domain admin.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 34198594
Click on the CertSrv site in IIS and then open the Default Document in Features View. Make sure default.asp is listed in there.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34201108
Try accessing from another box instead of locally to see if that helps. You may be running into issues with loopback authentication.

http://weblogs.asp.net/andresv/archive/2009/10/29/authentication-problems-in-windows-2008-r2-and-loopback-ip.aspx
http://support.microsoft.com/kb/887993
0
 

Author Comment

by:NordCap
ID: 34204260
@Boilermaker85: When looking at Authentication settings for CertSrv I can only see:
Anonymous Authentication: Disabled
Windows Authentication: Enabled, HTTP 401 Challenge

No mention of pass-through as far as I can see. Also, I'm using the domain admin account when logging on to make sure I have sufficient permissions. I've tried both IE and FF, using DOMAIN\Administrator and administrator@domain.local. Makes no difference.


@acbrown2010: Default.asp is listed as the second entry from the top. So yes, it is there.


@Paranormastic: I've tried connecting from a client using the local FQDN as well, the result is the same.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34205519
Ok. Let's start at the beginning. Open an MMC. Add the Certificate Authority snap-in for your CA and click on the Certificate Templates folder on the left. Right-click on it and select Manage. Another window will open up with all your templates. Select the template you are trying to web enroll. Let's assume it is Web Server. Right-click on the template and choose Properties. On the Security tab click on the user representing you (Domain Admins). In the window below, you should have Enroll checked.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34205634
Did you create the template that you are trying to enroll? If so, perhaps we could go over what you have on the other tabs in the template.
0
 

Author Comment

by:NordCap
ID: 34205883
@Boilermaker85: Domain Admins have enroll rights on all templates so I don't see that being an issue. Also, I can never reach the point where I can choose a template to enroll. I can't even see Default.asp, which is connected to IIS rather than the CA-part.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34206214
Ok. So it is not a cert template issue; you believe it to be an IIS issue. OK. Let's look at Server Manager, Roles, Web Server, Internet Information Services Manager, expand Sites and Default Web Site. Highlight Certsrv. Double-click Default Document in the /certsrv Home pane. I have Default.asp as the top document, followed by Default.htm, index.htm etc. Do you also have that?
0
 
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 1000 total points
ID: 34206290
And if you switch to Content View at the bottom, then select the default.asp file and click Edit Permissions on the right, does it show localmachine\administrators and localmachine\users both have read and execute rights? If yes, then open up Server Manager, Configuration, Local Users and Groups, and look at the two groups Administrators and Users and make sure they have the domain equivalents in there (domain\administrators and domain\users respectively).
0
 

Author Comment

by:NordCap
ID: 34212302
Default.asp is not the top one, Default.htm is and the order is inherited by a parent. I did take a look at /CertSrv and there was no Default.asp there. However, there was one in /CertSrv/en-US so I tried connecting to /CertSrv/en-US and it worked as a charm.

I've never had to access the /CertSrv/en-US directory before. Is this something new, or is the redirection for /CertSrv -> /CertSrv/en-US broken?
0
 

Author Comment

by:NordCap
ID: 34212578
I solved it by doing a redirect from the root to CertSrv/en-US/.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 34220578
I don't know why yours has a subdirectory en-US for the default.asp file. Mine is in the /certsrv directory. But your redirect works also.
0
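The checks Boilermaker85 walks through above (physical path of /CertSrv, default document order, authentication mode) can be done in one pass from PowerShell rather than by clicking through IIS Manager. This is an added script, not from the thread or from Microsoft; it assumes the WebAdministration module (Windows Server 2008 R2 and later; on 2008 SP2 the IIS PowerShell snap-in exposes the same cmdlets) and that CertSrv is an application under "Default Web Site".

```powershell
# Diagnose "403.14 on /CertSrv" as described in this thread. Run in an elevated shell.
# Assumption: CertSrv is an application under "Default Web Site" (adjust $site if not).
Import-Module WebAdministration

$site = 'Default Web Site'
$app  = "IIS:\Sites\$site\CertSrv"

# 1. Where does IIS think /CertSrv lives, and is default.asp actually in that folder?
#    The author's case: the file was only in the en-US subfolder, so /CertSrv had
#    no matching default document and IIS answered 403.14.
$physical = (Get-Item $app).PhysicalPath
Write-Host "CertSrv physical path: $physical"
foreach ($candidate in @('default.asp', 'en-US\default.asp')) {
    $state = if (Test-Path (Join-Path $physical $candidate)) { 'present' } else { 'MISSING' }
    Write-Host ("  {0,-20} {1}" -f $candidate, $state)
}

# 2. Default documents that apply to /CertSrv, in the order IIS tries them.
#    An inherited parent order with Default.htm first is fine as long as default.asp
#    is somewhere in the list and exists in the requested directory.
$docs = Get-WebConfigurationProperty -PSPath $app `
        -Filter 'system.webServer/defaultDocument/files' -Name collection
Write-Host 'Default documents for /CertSrv (first existing file wins):'
$docs | ForEach-Object { Write-Host "  $($_.value)" }

# 3. Authentication, as discussed in the thread: anonymous off, Windows on.
foreach ($auth in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $app `
                -Filter "system.webServer/security/authentication/$auth" `
                -Name enabled).Value
    Write-Host ("  {0,-24} enabled={1}" -f $auth, $enabled)
}

# 4. Remediation when default.asp is present but not listed for this application:
#    add it for /CertSrv only. Do NOT "fix" 403.14 by enabling directory browsing;
#    that exposes the CertSrv folder listing to every authenticated user.
if (-not ($docs.value -contains 'default.asp') -and
    (Test-Path (Join-Path $physical 'default.asp'))) {
    Add-WebConfigurationProperty -PSPath $app `
        -Filter 'system.webServer/defaultDocument/files' -Name collection `
        -AtIndex 0 -Value @{ value = 'default.asp' }
    Write-Host 'Added default.asp as the first default document for /CertSrv.'
}
```

If step 1 reports default.asp only under en-US, the author's redirect from /CertSrv to /CertSrv/en-US/ is the workaround; the script deliberately does not create that redirect because the correct fix is a repaired role installation that places default.asp where IIS expects it.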
